asyncrat | hxxps://store4[.]gofile[.]io/download/web/961043c8-138a-41c7-b5ba-c5dd4fd0dcea/Rebel[.]7z

Analysis

max time kernel
42s
max time network
53s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
04-09-2024 00:18

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://store4.gofile.io/download/web/961043c8-138a-41c7-b5ba-c5dd4fd0dcea/Rebel.7z

Score

10^/10

asyncrat stormkitty default credential_access discovery rat spyware stealer

Malware Config

Extracted

Family

asyncrat

Botnet

Default

127.0.0.1:6606

127.0.0.1:7707

127.0.0.1:8808

Mutex

AsyncMutex_6SI8OkPnk

Attributes

delay
3
install
false
install_folder
%AppData%

aes.plain

Signatures

AsyncRat
AsyncRAT is designed to remotely monitor and control other computers written in C#.
rat asyncrat
StormKitty
StormKitty is an open source info stealer written in C#.
stealer stormkitty

StormKitty payload 2 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\RuntimeBroker.exe	family_stormkitty
behavioral1/memory/5820-158-0x0000000000550000-0x0000000000582000-memory.dmp	family_stormkitty

Async RAT payload 1 IoCs

rat

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\RuntimeBroker.exe	family_asyncrat

Credentials from Password Stores: Credentials from Web Browsers 1 TTPs
Malicious Access or copy of Web Browser Credential store.
credential_access stealer

Credentials from Web Browsers
T1555.003

Checks computer location settings 2 TTPs 6 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

RebelCracked.exeRebelCracked.exeRebelCracked.exeRebelCracked.exeRebelCracked.exeRebelCracked.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\Control Panel\International\Geo\Nation	RebelCracked.exe
Key value queried	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\Control Panel\International\Geo\Nation	RebelCracked.exe
Key value queried	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\Control Panel\International\Geo\Nation	RebelCracked.exe
Key value queried	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\Control Panel\International\Geo\Nation	RebelCracked.exe
Key value queried	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\Control Panel\International\Geo\Nation	RebelCracked.exe
Key value queried	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\Control Panel\International\Geo\Nation	RebelCracked.exe

Executes dropped EXE 13 IoCs

Processes:

RebelCracked.exeRebelCracked.exeRuntimeBroker.exeRebelCracked.exeRuntimeBroker.exeRebelCracked.exeRuntimeBroker.exeRebelCracked.exeRuntimeBroker.exeRebelCracked.exeRuntimeBroker.exeRebelCracked.exeRuntimeBroker.exe

pid	process
5584	RebelCracked.exe
5760	RebelCracked.exe
5820	RuntimeBroker.exe
5936	RebelCracked.exe
5968	RuntimeBroker.exe
6024	RebelCracked.exe
6056	RuntimeBroker.exe
5188	RebelCracked.exe
5208	RuntimeBroker.exe
5608	RebelCracked.exe
3136	RuntimeBroker.exe
5216	RebelCracked.exe
1240	RuntimeBroker.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops desktop.ini file(s) 15 IoCs

Processes:

RuntimeBroker.exeRuntimeBroker.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Local\6273da9205fec68c64afc3253dbfc051\Admin@UXMRPRRI_en-US\Grabber\DRIVE-C\Users\Admin\Pictures\Camera Roll\desktop.ini	RuntimeBroker.exe
File created	C:\Users\Admin\AppData\Local\6273da9205fec68c64afc3253dbfc051\Admin@UXMRPRRI_en-US\Grabber\DRIVE-C\Users\Admin\Downloads\desktop.ini	RuntimeBroker.exe
File opened for modification	C:\Users\Admin\AppData\Local\c6c193096bef91194577b7d7d520c777\Admin@UXMRPRRI_en-US\Grabber\DRIVE-C\Users\Admin\Pictures\desktop.ini	RuntimeBroker.exe
File created	C:\Users\Admin\AppData\Local\c6c193096bef91194577b7d7d520c777\Admin@UXMRPRRI_en-US\Grabber\DRIVE-C\Users\Admin\Documents\desktop.ini	RuntimeBroker.exe
File created	C:\Users\Admin\AppData\Local\c6c193096bef91194577b7d7d520c777\Admin@UXMRPRRI_en-US\Grabber\DRIVE-C\Users\Admin\Pictures\Saved Pictures\desktop.ini	RuntimeBroker.exe
File created	C:\Users\Admin\AppData\Local\6273da9205fec68c64afc3253dbfc051\Admin@UXMRPRRI_en-US\Grabber\DRIVE-C\Users\Admin\Desktop\desktop.ini	RuntimeBroker.exe
File opened for modification	C:\Users\Admin\AppData\Local\6273da9205fec68c64afc3253dbfc051\Admin@UXMRPRRI_en-US\Grabber\DRIVE-C\Users\Admin\Desktop\desktop.ini	RuntimeBroker.exe
File created	C:\Users\Admin\AppData\Local\6273da9205fec68c64afc3253dbfc051\Admin@UXMRPRRI_en-US\Grabber\DRIVE-C\Users\Admin\Documents\desktop.ini	RuntimeBroker.exe
File created	C:\Users\Admin\AppData\Local\6273da9205fec68c64afc3253dbfc051\Admin@UXMRPRRI_en-US\Grabber\DRIVE-C\Users\Admin\Pictures\desktop.ini	RuntimeBroker.exe
File created	C:\Users\Admin\AppData\Local\c6c193096bef91194577b7d7d520c777\Admin@UXMRPRRI_en-US\Grabber\DRIVE-C\Users\Admin\Downloads\desktop.ini	RuntimeBroker.exe
File created	C:\Users\Admin\AppData\Local\c6c193096bef91194577b7d7d520c777\Admin@UXMRPRRI_en-US\Grabber\DRIVE-C\Users\Admin\Desktop\desktop.ini	RuntimeBroker.exe
File created	C:\Users\Admin\AppData\Local\c6c193096bef91194577b7d7d520c777\Admin@UXMRPRRI_en-US\Grabber\DRIVE-C\Users\Admin\Pictures\Camera Roll\desktop.ini	RuntimeBroker.exe
File created	C:\Users\Admin\AppData\Local\6273da9205fec68c64afc3253dbfc051\Admin@UXMRPRRI_en-US\Grabber\DRIVE-C\Users\Admin\Pictures\Saved Pictures\desktop.ini	RuntimeBroker.exe
File opened for modification	C:\Users\Admin\AppData\Local\c6c193096bef91194577b7d7d520c777\Admin@UXMRPRRI_en-US\Grabber\DRIVE-C\Users\Admin\Desktop\desktop.ini	RuntimeBroker.exe
File created	C:\Users\Admin\AppData\Local\c6c193096bef91194577b7d7d520c777\Admin@UXMRPRRI_en-US\Grabber\DRIVE-C\Users\Admin\Pictures\desktop.ini	RuntimeBroker.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

RuntimeBroker.exeRuntimeBroker.exeRuntimeBroker.exeRuntimeBroker.exeRuntimeBroker.exeRuntimeBroker.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RuntimeBroker.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RuntimeBroker.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RuntimeBroker.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RuntimeBroker.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RuntimeBroker.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RuntimeBroker.exe

System Network Configuration Discovery: Wi-Fi Discovery 1 TTPs 7 IoCs
Adversaries may search for information about Wi-Fi networks, such as network names and passwords, on compromised systems.
discovery

Wi-Fi Discovery
T1016.002

Processes:

cmd.execmd.exenetsh.exenetsh.execmd.exenetsh.execmd.exe

pid process

5720 cmd.exe
5964 cmd.exe
5268 netsh.exe
5160 netsh.exe
364 cmd.exe
5536 netsh.exe
1464 cmd.exe

pid	process
5720	cmd.exe
5964	cmd.exe
5268	netsh.exe
5160	netsh.exe
364	cmd.exe
5536	netsh.exe
1464	cmd.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

msedge.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe

Suspicious behavior: EnumeratesProcesses 30 IoCs

Processes:

msedge.exemsedge.exeidentity_helper.exemsedge.exeRuntimeBroker.exeRuntimeBroker.exe

pid	process
4428	msedge.exe
4428	msedge.exe
4584	msedge.exe
4584	msedge.exe
1372	identity_helper.exe
1372	identity_helper.exe
2760	msedge.exe
2760	msedge.exe
5820	RuntimeBroker.exe
5820	RuntimeBroker.exe
5820	RuntimeBroker.exe
5820	RuntimeBroker.exe
5820	RuntimeBroker.exe
5820	RuntimeBroker.exe
5820	RuntimeBroker.exe
5968	RuntimeBroker.exe
5968	RuntimeBroker.exe
5968	RuntimeBroker.exe
5968	RuntimeBroker.exe
5968	RuntimeBroker.exe
5820	RuntimeBroker.exe
5820	RuntimeBroker.exe
5820	RuntimeBroker.exe
5820	RuntimeBroker.exe
5968	RuntimeBroker.exe
5968	RuntimeBroker.exe
5820	RuntimeBroker.exe
5820	RuntimeBroker.exe
5968	RuntimeBroker.exe
5968	RuntimeBroker.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 9 IoCs

Processes:

msedge.exe

pid process

4584 msedge.exe
4584 msedge.exe
4584 msedge.exe
4584 msedge.exe
4584 msedge.exe
4584 msedge.exe
4584 msedge.exe
4584 msedge.exe
4584 msedge.exe

Suspicious use of AdjustPrivilegeToken 10 IoCs

Processes:

7zG.exeRuntimeBroker.exeRuntimeBroker.exeRuntimeBroker.exeRuntimeBroker.exeRuntimeBroker.exeRuntimeBroker.exe

description	pid	process
Token: SeRestorePrivilege	5336	7zG.exe
Token: 35	5336	7zG.exe
Token: SeSecurityPrivilege	5336	7zG.exe
Token: SeSecurityPrivilege	5336	7zG.exe
Token: SeDebugPrivilege	5820	RuntimeBroker.exe
Token: SeDebugPrivilege	5968	RuntimeBroker.exe
Token: SeDebugPrivilege	6056	RuntimeBroker.exe
Token: SeDebugPrivilege	5208	RuntimeBroker.exe
Token: SeDebugPrivilege	3136	RuntimeBroker.exe
Token: SeDebugPrivilege	1240	RuntimeBroker.exe

Suspicious use of FindShellTrayWindow 35 IoCs

Processes:

msedge.exe7zG.exe

pid	process
4584	msedge.exe
4584	msedge.exe
4584	msedge.exe
4584	msedge.exe
4584	msedge.exe
4584	msedge.exe
4584	msedge.exe
4584	msedge.exe
4584	msedge.exe
4584	msedge.exe
4584	msedge.exe
4584	msedge.exe
4584	msedge.exe
4584	msedge.exe
4584	msedge.exe
4584	msedge.exe
4584	msedge.exe
4584	msedge.exe
4584	msedge.exe
4584	msedge.exe
4584	msedge.exe
4584	msedge.exe
4584	msedge.exe
4584	msedge.exe
4584	msedge.exe
4584	msedge.exe
4584	msedge.exe
4584	msedge.exe
4584	msedge.exe
4584	msedge.exe
4584	msedge.exe
4584	msedge.exe
4584	msedge.exe
4584	msedge.exe
5336	7zG.exe

Suspicious use of SendNotifyMessage 24 IoCs

Processes:

msedge.exe

pid	process
4584	msedge.exe
4584	msedge.exe
4584	msedge.exe
4584	msedge.exe
4584	msedge.exe
4584	msedge.exe
4584	msedge.exe
4584	msedge.exe
4584	msedge.exe
4584	msedge.exe
4584	msedge.exe
4584	msedge.exe
4584	msedge.exe
4584	msedge.exe
4584	msedge.exe
4584	msedge.exe
4584	msedge.exe
4584	msedge.exe
4584	msedge.exe
4584	msedge.exe
4584	msedge.exe
4584	msedge.exe
4584	msedge.exe
4584	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

msedge.exe

description	pid	process	target process
PID 4584 wrote to memory of 2448	4584	msedge.exe	msedge.exe
PID 4584 wrote to memory of 2448	4584	msedge.exe	msedge.exe
PID 4584 wrote to memory of 2984	4584	msedge.exe	msedge.exe
PID 4584 wrote to memory of 2984	4584	msedge.exe	msedge.exe
PID 4584 wrote to memory of 2984	4584	msedge.exe	msedge.exe
PID 4584 wrote to memory of 2984	4584	msedge.exe	msedge.exe
PID 4584 wrote to memory of 2984	4584	msedge.exe	msedge.exe
PID 4584 wrote to memory of 2984	4584	msedge.exe	msedge.exe
PID 4584 wrote to memory of 2984	4584	msedge.exe	msedge.exe
PID 4584 wrote to memory of 2984	4584	msedge.exe	msedge.exe
PID 4584 wrote to memory of 2984	4584	msedge.exe	msedge.exe
PID 4584 wrote to memory of 2984	4584	msedge.exe	msedge.exe
PID 4584 wrote to memory of 2984	4584	msedge.exe	msedge.exe
PID 4584 wrote to memory of 2984	4584	msedge.exe	msedge.exe
PID 4584 wrote to memory of 2984	4584	msedge.exe	msedge.exe
PID 4584 wrote to memory of 2984	4584	msedge.exe	msedge.exe
PID 4584 wrote to memory of 2984	4584	msedge.exe	msedge.exe
PID 4584 wrote to memory of 2984	4584	msedge.exe	msedge.exe
PID 4584 wrote to memory of 2984	4584	msedge.exe	msedge.exe
PID 4584 wrote to memory of 2984	4584	msedge.exe	msedge.exe
PID 4584 wrote to memory of 2984	4584	msedge.exe	msedge.exe
PID 4584 wrote to memory of 2984	4584	msedge.exe	msedge.exe
PID 4584 wrote to memory of 2984	4584	msedge.exe	msedge.exe
PID 4584 wrote to memory of 2984	4584	msedge.exe	msedge.exe
PID 4584 wrote to memory of 2984	4584	msedge.exe	msedge.exe
PID 4584 wrote to memory of 2984	4584	msedge.exe	msedge.exe
PID 4584 wrote to memory of 2984	4584	msedge.exe	msedge.exe
PID 4584 wrote to memory of 2984	4584	msedge.exe	msedge.exe
PID 4584 wrote to memory of 2984	4584	msedge.exe	msedge.exe
PID 4584 wrote to memory of 2984	4584	msedge.exe	msedge.exe
PID 4584 wrote to memory of 2984	4584	msedge.exe	msedge.exe
PID 4584 wrote to memory of 2984	4584	msedge.exe	msedge.exe
PID 4584 wrote to memory of 2984	4584	msedge.exe	msedge.exe
PID 4584 wrote to memory of 2984	4584	msedge.exe	msedge.exe
PID 4584 wrote to memory of 2984	4584	msedge.exe	msedge.exe
PID 4584 wrote to memory of 2984	4584	msedge.exe	msedge.exe
PID 4584 wrote to memory of 2984	4584	msedge.exe	msedge.exe
PID 4584 wrote to memory of 2984	4584	msedge.exe	msedge.exe
PID 4584 wrote to memory of 2984	4584	msedge.exe	msedge.exe
PID 4584 wrote to memory of 2984	4584	msedge.exe	msedge.exe
PID 4584 wrote to memory of 2984	4584	msedge.exe	msedge.exe
PID 4584 wrote to memory of 2984	4584	msedge.exe	msedge.exe
PID 4584 wrote to memory of 4428	4584	msedge.exe	msedge.exe
PID 4584 wrote to memory of 4428	4584	msedge.exe	msedge.exe
PID 4584 wrote to memory of 1008	4584	msedge.exe	msedge.exe
PID 4584 wrote to memory of 1008	4584	msedge.exe	msedge.exe
PID 4584 wrote to memory of 1008	4584	msedge.exe	msedge.exe
PID 4584 wrote to memory of 1008	4584	msedge.exe	msedge.exe
PID 4584 wrote to memory of 1008	4584	msedge.exe	msedge.exe
PID 4584 wrote to memory of 1008	4584	msedge.exe	msedge.exe
PID 4584 wrote to memory of 1008	4584	msedge.exe	msedge.exe
PID 4584 wrote to memory of 1008	4584	msedge.exe	msedge.exe
PID 4584 wrote to memory of 1008	4584	msedge.exe	msedge.exe
PID 4584 wrote to memory of 1008	4584	msedge.exe	msedge.exe
PID 4584 wrote to memory of 1008	4584	msedge.exe	msedge.exe
PID 4584 wrote to memory of 1008	4584	msedge.exe	msedge.exe
PID 4584 wrote to memory of 1008	4584	msedge.exe	msedge.exe
PID 4584 wrote to memory of 1008	4584	msedge.exe	msedge.exe
PID 4584 wrote to memory of 1008	4584	msedge.exe	msedge.exe
PID 4584 wrote to memory of 1008	4584	msedge.exe	msedge.exe
PID 4584 wrote to memory of 1008	4584	msedge.exe	msedge.exe
PID 4584 wrote to memory of 1008	4584	msedge.exe	msedge.exe
PID 4584 wrote to memory of 1008	4584	msedge.exe	msedge.exe
PID 4584 wrote to memory of 1008	4584	msedge.exe	msedge.exe

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://store4.gofile.io/download/web/961043c8-138a-41c7-b5ba-c5dd4fd0dcea/Rebel.7z
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4584
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x100,0x104,0x108,0xd8,0x10c,0x7ffff40046f8,0x7ffff4004708,0x7ffff4004718
  2⤵
  PID:2448
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2080,3273436820011966006,15406001671227169357,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2096 /prefetch:2
  2⤵
  PID:2984
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2080,3273436820011966006,15406001671227169357,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2208 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4428
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2080,3273436820011966006,15406001671227169357,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2876 /prefetch:8
  2⤵
  PID:1008
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2080,3273436820011966006,15406001671227169357,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3364 /prefetch:1
  2⤵
  PID:900
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2080,3273436820011966006,15406001671227169357,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3400 /prefetch:1
  2⤵
  PID:1632
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2080,3273436820011966006,15406001671227169357,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4772 /prefetch:1
  2⤵
  PID:4820
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2080,3273436820011966006,15406001671227169357,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5400 /prefetch:8
  2⤵
  PID:4312
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2080,3273436820011966006,15406001671227169357,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5400 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1372
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2080,3273436820011966006,15406001671227169357,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5456 /prefetch:1
  2⤵
  PID:5080
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2080,3273436820011966006,15406001671227169357,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5476 /prefetch:1
  2⤵
  PID:3464
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2080,3273436820011966006,15406001671227169357,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3964 /prefetch:1
  2⤵
  PID:4316
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2080,3273436820011966006,15406001671227169357,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5236 /prefetch:1
  2⤵
  PID:2164
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2080,3273436820011966006,15406001671227169357,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3720 /prefetch:1
  2⤵
  PID:1912
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2080,3273436820011966006,15406001671227169357,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=5724 /prefetch:8
  2⤵
  PID:3792
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2080,3273436820011966006,15406001671227169357,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5204 /prefetch:1
  2⤵
  PID:3960
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2080,3273436820011966006,15406001671227169357,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5556 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2760

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2980

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4056

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:5264

C:\Program Files\7-Zip\7zG.exe
"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Downloads\Rebel\" -spe -an -ai#7zMap26206:70:7zEvent8900
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:5336

C:\Users\Admin\Downloads\Rebel\RebelCracked.exe
"C:\Users\Admin\Downloads\Rebel\RebelCracked.exe"
1⤵
- Checks computer location settings
- Executes dropped EXE
PID:5584
- C:\Users\Admin\Downloads\Rebel\RebelCracked.exe
  "C:\Users\Admin\Downloads\Rebel\RebelCracked.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  PID:5760
- - C:\Users\Admin\Downloads\Rebel\RebelCracked.exe
    "C:\Users\Admin\Downloads\Rebel\RebelCracked.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    PID:5936
  - - C:\Users\Admin\Downloads\Rebel\RebelCracked.exe
      "C:\Users\Admin\Downloads\Rebel\RebelCracked.exe"
      4⤵
      Checks computer location settings
      Executes dropped EXE
      PID:6024
    - - C:\Users\Admin\Downloads\Rebel\RebelCracked.exe
        
        "C:\Users\Admin\Downloads\Rebel\RebelCracked.exe"
        5⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:5188
      - C:\Users\Admin\Downloads\Rebel\RebelCracked.exe
        
        "C:\Users\Admin\Downloads\Rebel\RebelCracked.exe"
        6⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:5608
        
        C:\Users\Admin\Downloads\Rebel\RebelCracked.exe
        
        "C:\Users\Admin\Downloads\Rebel\RebelCracked.exe"
        7⤵
        Executes dropped EXE
        
        PID:5216
        
        C:\Users\Admin\Downloads\Rebel\RebelCracked.exe
        
        "C:\Users\Admin\Downloads\Rebel\RebelCracked.exe"
        8⤵
        
        PID:5780
        
        C:\Users\Admin\Downloads\Rebel\RebelCracked.exe
        
        "C:\Users\Admin\Downloads\Rebel\RebelCracked.exe"
        9⤵
        
        PID:5576
        
        C:\Users\Admin\Downloads\Rebel\RebelCracked.exe
        
        "C:\Users\Admin\Downloads\Rebel\RebelCracked.exe"
        10⤵
        
        PID:1464
        
        C:\Users\Admin\Downloads\Rebel\RebelCracked.exe
        
        "C:\Users\Admin\Downloads\Rebel\RebelCracked.exe"
        11⤵
        
        PID:5432
        
        C:\Users\Admin\Downloads\Rebel\RebelCracked.exe
        
        "C:\Users\Admin\Downloads\Rebel\RebelCracked.exe"
        12⤵
        
        PID:5176
        
        C:\Users\Admin\AppData\Local\Temp\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RuntimeBroker.exe"
        12⤵
        
        PID:5164
        
        C:\Users\Admin\AppData\Local\Temp\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RuntimeBroker.exe"
        11⤵
        
        PID:5576
        
        C:\Users\Admin\AppData\Local\Temp\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RuntimeBroker.exe"
        10⤵
        
        PID:5412
        
        C:\Users\Admin\AppData\Local\Temp\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RuntimeBroker.exe"
        9⤵
        
        PID:5024
        
        C:\Users\Admin\AppData\Local\Temp\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RuntimeBroker.exe"
        8⤵
        
        PID:5924
        
        C:\Users\Admin\AppData\Local\Temp\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RuntimeBroker.exe"
        7⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:1240
      - C:\Users\Admin\AppData\Local\Temp\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RuntimeBroker.exe"
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:3136
    - - C:\Users\Admin\AppData\Local\Temp\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RuntimeBroker.exe"
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:5208
      - C:\Windows\SysWOW64\cmd.exe
        
        "cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All
        6⤵
        System Network Configuration Discovery: Wi-Fi Discovery
        
        PID:1464
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        7⤵
        
        PID:5312
  - - C:\Users\Admin\AppData\Local\Temp\RuntimeBroker.exe
      "C:\Users\Admin\AppData\Local\Temp\RuntimeBroker.exe"
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      PID:6056
    - - C:\Windows\SysWOW64\cmd.exe
        
        "cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All
        5⤵
        System Network Configuration Discovery: Wi-Fi Discovery
        
        PID:5720
      - C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        6⤵
        
        PID:5580
      - C:\Windows\SysWOW64\netsh.exe
        
        netsh wlan show profile
        6⤵
        System Network Configuration Discovery: Wi-Fi Discovery
        
        PID:5268
      - C:\Windows\SysWOW64\findstr.exe
        
        findstr All
        6⤵
        
        PID:3964
    - - C:\Windows\SysWOW64\cmd.exe
        
        "cmd.exe" /C chcp 65001 && netsh wlan show networks mode=bssid
        5⤵
        
        PID:444
      - C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        6⤵
        
        PID:5036
      - C:\Windows\SysWOW64\netsh.exe
        
        netsh wlan show networks mode=bssid
        6⤵
        
        PID:5436
- - C:\Users\Admin\AppData\Local\Temp\RuntimeBroker.exe
    "C:\Users\Admin\AppData\Local\Temp\RuntimeBroker.exe"
    3⤵
    - Executes dropped EXE
    - Drops desktop.ini file(s)
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:5968
  - - C:\Windows\SysWOW64\cmd.exe
      "cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All
      4⤵
      System Network Configuration Discovery: Wi-Fi Discovery
      PID:364
    - - C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        5⤵
        
        PID:4272
    - - C:\Windows\SysWOW64\netsh.exe
        
        netsh wlan show profile
        5⤵
        System Network Configuration Discovery: Wi-Fi Discovery
        
        PID:5536
    - - C:\Windows\SysWOW64\findstr.exe
        
        findstr All
        5⤵
        
        PID:5300
  - - C:\Windows\SysWOW64\cmd.exe
      "cmd.exe" /C chcp 65001 && netsh wlan show networks mode=bssid
      4⤵
      PID:2596
    - - C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        5⤵
        
        PID:2340
    - - C:\Windows\SysWOW64\netsh.exe
        
        netsh wlan show networks mode=bssid
        5⤵
        
        PID:5844
- C:\Users\Admin\AppData\Local\Temp\RuntimeBroker.exe
  "C:\Users\Admin\AppData\Local\Temp\RuntimeBroker.exe"
  2⤵
  - Executes dropped EXE
  - Drops desktop.ini file(s)
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:5820
- - C:\Windows\SysWOW64\cmd.exe
    "cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All
    3⤵
    - System Network Configuration Discovery: Wi-Fi Discovery
    PID:5964
  - - C:\Windows\SysWOW64\chcp.com
      chcp 65001
      4⤵
      PID:3832
  - - C:\Windows\SysWOW64\netsh.exe
      netsh wlan show profile
      4⤵
      System Network Configuration Discovery: Wi-Fi Discovery
      PID:5160
  - - C:\Windows\SysWOW64\findstr.exe
      findstr All
      4⤵
      PID:5300
- - C:\Windows\SysWOW64\cmd.exe
    "cmd.exe" /C chcp 65001 && netsh wlan show networks mode=bssid
    3⤵
    PID:2604
  - - C:\Windows\SysWOW64\chcp.com
      chcp 65001
      4⤵
      PID:3444
  - - C:\Windows\SysWOW64\netsh.exe
      netsh wlan show networks mode=bssid
      4⤵
      PID:3500

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

System Network Configuration Discovery

T1016

Wi-Fi Discovery

T1016.002

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\1bd60408b912f5870211c0f595cac75d\Admin@UXMRPRRI_en-US\Browsers\Edge\Cookies.txt

Filesize
73B

MD5
224a35c120041b301f5e6ba05366585a

SHA1
29d04483a4c692ab4fd92bb68973f164a0127f16

SHA256
cd58bd95bd4e1f0bcca30ba9049b7e2979022d5b4f269ecec3d3727cdf5da62b

SHA512
7e35782b2e16f4b12574782387201bf77894cfbcbba8327dafdedcc21649736653001c61000ae967a64d68c558bd320c317da1cacc2cb6232fb758adb954ee46

Download Submit
C:\Users\Admin\AppData\Local\1bd60408b912f5870211c0f595cac75d\Admin@UXMRPRRI_en-US\Directories\Desktop.txt

Filesize
552B

MD5
39b9ac0a8a8a7e45a56ede2ee7587fc3

SHA1
22793bd656e7f009f177e6259050d6808f9a59a6

SHA256
3daf27e58d14b362e54b17d90e321e82808fa334e0ae1ccbca84d824f230038d

SHA512
e23a3af0bbfa23b9cdf519c6ae693d883d0686fb0985c5e27bff7b82d677a2358ec314c35356aa93f282c6dd0b233fcbecc7805e8d00308e4ffc31ab0f35deff

Download Submit
C:\Users\Admin\AppData\Local\1bd60408b912f5870211c0f595cac75d\Admin@UXMRPRRI_en-US\Directories\Documents.txt

Filesize
627B

MD5
918a542d9a35c502c55b2e7274572ab1

SHA1
225b458756b7961013c9173663cc86f891e3abae

SHA256
b8daab89e60dfa011b4f91e86be5009f68f775de037956399b58848be73d01d0

SHA512
f15aacd705e84240676f8ff9a493139128ffe2bacbe8f3dd93d79f3291caedb00a33d78c5f171471f87d59279b44907cca8555ab9ab0fa768741704c16592d55

Download Submit
C:\Users\Admin\AppData\Local\1bd60408b912f5870211c0f595cac75d\Admin@UXMRPRRI_en-US\Directories\Downloads.txt

Filesize
937B

MD5
6c3544c2b4737470d99d02a232103b96

SHA1
dad90721ccf51033115fa88b3f6b37c85c4af5ac

SHA256
c1d72057c2d0ec7a143fc4d5066952c3bee14de3b25e81430b8075fa66a802f9

SHA512
237b9e58de6f524025970feb922d72e90e31a90dfe514ab6335dd23fa3e8272767d6acb0fbc10382d4884f564ee63be58c3c89f40ac29656cb90623ce0baeaa4

Download Submit
C:\Users\Admin\AppData\Local\1bd60408b912f5870211c0f595cac75d\Admin@UXMRPRRI_en-US\Directories\OneDrive.txt

Filesize
25B

MD5
966247eb3ee749e21597d73c4176bd52

SHA1
1e9e63c2872cef8f015d4b888eb9f81b00a35c79

SHA256
8ddfc481b1b6ae30815ecce8a73755862f24b3bb7fdebdbf099e037d53eb082e

SHA512
bd30aec68c070e86e3dec787ed26dd3d6b7d33d83e43cb2d50f9e2cff779fee4c96afbbe170443bd62874073a844beb29a69b10c72c54d7d444a8d86cfd7b5aa

Download Submit
C:\Users\Admin\AppData\Local\1bd60408b912f5870211c0f595cac75d\Admin@UXMRPRRI_en-US\Directories\Pictures.txt

Filesize
380B

MD5
a39c6e89289d913902141e4c0efbcbb3

SHA1
10a8fbc9d72e0ef397be3323f0b557b2f5475606

SHA256
998706cb857a0b8d43a8ed4288068548b3f240dd7f854b0556671d52082cadf7

SHA512
3747dd4a763d0bf5a98b83b6c9007260e0c2237162770dabb8ffd6f4a12be2732bc35cc04c9ba338d65d0ae3d912b361a8b4c8e687b8c2ef1a581089583e24e9

Download Submit
C:\Users\Admin\AppData\Local\1bd60408b912f5870211c0f595cac75d\Admin@UXMRPRRI_en-US\Directories\Startup.txt

Filesize
24B

MD5
68c93da4981d591704cea7b71cebfb97

SHA1
fd0f8d97463cd33892cc828b4ad04e03fc014fa6

SHA256
889ed51f9c16a4b989bda57957d3e132b1a9c117ee84e208207f2fa208a59483

SHA512
63455c726b55f2d4de87147a75ff04f2daa35278183969ccf185d23707840dd84363bec20d4e8c56252196ce555001ca0e61b3f4887d27577081fdef9e946402

Download Submit
C:\Users\Admin\AppData\Local\1bd60408b912f5870211c0f595cac75d\Admin@UXMRPRRI_en-US\Directories\Videos.txt

Filesize
23B

MD5
1fddbf1169b6c75898b86e7e24bc7c1f

SHA1
d2091060cb5191ff70eb99c0088c182e80c20f8c

SHA256
a67aa329b7d878de61671e18cd2f4b011d11cbac67ea779818c6dafad2d70733

SHA512
20bfeafde7fec1753fef59de467bd4a3dd7fe627e8c44e95fe62b065a5768c4508e886ec5d898e911a28cf6365f455c9ab1ebe2386d17a76f53037f99061fd4d

Download Submit
C:\Users\Admin\AppData\Local\1bd60408b912f5870211c0f595cac75d\Admin@UXMRPRRI_en-US\Grabber\DRIVE-C\Users\Admin\Desktop\desktop.ini

Filesize
282B

MD5
9e36cc3537ee9ee1e3b10fa4e761045b

SHA1
7726f55012e1e26cc762c9982e7c6c54ca7bb303

SHA256
4b9d687ac625690fd026ed4b236dad1cac90ef69e7ad256cc42766a065b50026

SHA512
5f92493c533d3add10b4ce2a364624817ebd10e32daa45ee16593e913073602db5e339430a3f7d2c44abf250e96ca4e679f1f09f8ca807d58a47cf3d5c9c3790

Download Submit
C:\Users\Admin\AppData\Local\1bd60408b912f5870211c0f595cac75d\Admin@UXMRPRRI_en-US\Grabber\DRIVE-C\Users\Admin\Documents\desktop.ini

Filesize
402B

MD5
ecf88f261853fe08d58e2e903220da14

SHA1
f72807a9e081906654ae196605e681d5938a2e6c

SHA256
cafec240d998e4b6e92ad1329cd417e8e9cbd73157488889fd93a542de4a4844

SHA512
82c1c3dd163fbf7111c7ef5043b009dafc320c0c5e088dec16c835352c5ffb7d03c5829f65a9ff1dc357bae97e8d2f9c3fc1e531fe193e84811fb8c62888a36b

Download Submit
C:\Users\Admin\AppData\Local\1bd60408b912f5870211c0f595cac75d\Admin@UXMRPRRI_en-US\Grabber\DRIVE-C\Users\Admin\Downloads\desktop.ini

Filesize
282B

MD5
3a37312509712d4e12d27240137ff377

SHA1
30ced927e23b584725cf16351394175a6d2a9577

SHA256
b029393ea7b7cf644fb1c9f984f57c1980077562ee2e15d0ffd049c4c48098d3

SHA512
dbb9abe70f8a781d141a71651a62a3a743c71a75a8305e9d23af92f7307fb639dc4a85499115885e2a781b040cbb7613f582544c2d6de521e588531e9c294b05

Download Submit
C:\Users\Admin\AppData\Local\1bd60408b912f5870211c0f595cac75d\Admin@UXMRPRRI_en-US\Grabber\DRIVE-C\Users\Admin\Pictures\Camera Roll\desktop.ini

Filesize
190B

MD5
d48fce44e0f298e5db52fd5894502727

SHA1
fce1e65756138a3ca4eaaf8f7642867205b44897

SHA256
231a08caba1f9ba9f14bd3e46834288f3c351079fcedda15e391b724ac0c7ea8

SHA512
a1c0378db4e6dac9a8638586f6797bad877769d76334b976779cd90324029d755fb466260ef27bd1e7f9fdf97696cd8cd1318377970a1b5bf340efb12a4feb4a

Download Submit
C:\Users\Admin\AppData\Local\1bd60408b912f5870211c0f595cac75d\Admin@UXMRPRRI_en-US\Grabber\DRIVE-C\Users\Admin\Pictures\Saved Pictures\desktop.ini

Filesize
190B

MD5
87a524a2f34307c674dba10708585a5e

SHA1
e0508c3f1496073b9f6f9ecb2fb01cb91f9e8201

SHA256
d01a7ef6233ef4ab3ea7210c0f2837931d334a20ae4d2a05ed03291e59e576c9

SHA512
7cfa6d47190075e1209fb081e36ed7e50e735c9682bfb482dbf5a36746abdad0dccfdb8803ef5042e155e8c1f326770f3c8f7aa32ce66cf3b47cd13781884c38

Download Submit
C:\Users\Admin\AppData\Local\1bd60408b912f5870211c0f595cac75d\Admin@UXMRPRRI_en-US\Grabber\DRIVE-C\Users\Admin\Pictures\desktop.ini

Filesize
504B

MD5
29eae335b77f438e05594d86a6ca22ff

SHA1
d62ccc830c249de6b6532381b4c16a5f17f95d89

SHA256
88856962cef670c087eda4e07d8f78465beeabb6143b96bd90f884a80af925b4

SHA512
5d2d05403b39675b9a751c8eed4f86be58cb12431afec56946581cb116b9ae1014ab9334082740be5b4de4a25e190fe76de071ef1b9074186781477919eb3c17

Download Submit
C:\Users\Admin\AppData\Local\1bd60408b912f5870211c0f595cac75d\Admin@UXMRPRRI_en-US\System\Process.txt

Filesize
32B

MD5
1915ef9df7912bc355746c2ddd20d9a8

SHA1
d7e3a81ebcfb774f186de0fe4303d7f1405c3dd2

SHA256
95cfdf9c1607c0d75576f71aa900497d92658171b652bfb6907897681705b9b0

SHA512
08881f1b0ae8b21886a01af707c8cde6a62745c492fce4648718e60d1f6234939a3641f49c678da0c6f499d3dce7aaf234bcf71dd3020680cda5aa0075cb66cd

Download Submit
C:\Users\Admin\AppData\Local\1bd60408b912f5870211c0f595cac75d\Admin@UXMRPRRI_en-US\System\Process.txt

Filesize
96B

MD5
50c8039b39d0bcc8adec16f7e6017761

SHA1
ffae8cb445f4a0ce413523aedc566362474e7c6c

SHA256
9b27d42142bb93a8a7c5942baec83d9cbe37645c5c9470bdb13cc99393001801

SHA512
35ba488ed25729a981f23897eb63b0187938c03e7d17e3ad36a2930ce07beab38bd8a5f37c5753039e301757f7f4119e1dabe0054ad6438590cf8f8a8c18713a

Download Submit
C:\Users\Admin\AppData\Local\1bd60408b912f5870211c0f595cac75d\Admin@UXMRPRRI_en-US\System\Process.txt

Filesize
218B

MD5
d0b0f59f1de4cc5e621bf988875b88ae

SHA1
0eae0f85d9783276ce662d37cd196e00e274bc6d

SHA256
b80e5defeef3b08bd51bd7f2061e6fb491cd4ab9b19bcf9025ee910cfb764705

SHA512
043b98763425251ec43377704687b9af7c1fd8448f3f9648f7a6b5a2896daf4bf102a9b5a21522967f64e219158663b4e562039ece8ce5918d1cce3a838e9686

Download Submit
C:\Users\Admin\AppData\Local\1bd60408b912f5870211c0f595cac75d\Admin@UXMRPRRI_en-US\System\Process.txt

Filesize
281B

MD5
ff49e04a9924162cad86d544c984c0d0

SHA1
9bee92032b74b5ed2811667b6aae6c18b56ce99b

SHA256
86ba6a9d82a53fc0aff052070887b4e2ff78d8aee6b55b5314993a28433b1a81

SHA512
86fa5dfd9d70c9042002aa0995e0f99e0e3b5f195828b862e7a0a5f54381dfa361bbc5b943f1471cb0561bca864655bb77e4798bbbdee72acddc251ee4d0fc6d

Download Submit
C:\Users\Admin\AppData\Local\1bd60408b912f5870211c0f595cac75d\Admin@UXMRPRRI_en-US\System\Process.txt

Filesize
345B

MD5
f84b3099f64e37aba66feb5dc67ffc40

SHA1
3dfe7769371c07b263225859918de4f66d2969dd

SHA256
c2bbd2f81af29381dc9836093f3efe7abfe5a08937d0350b8f75d5a9f750d431

SHA512
da40d4c0f87d7fea1206d7a523074961eb08b1124ad8d3dc027b38dd4d6d115607e47514ce1f07ff54afac361b0964c8756ba9d772e69053309e0454b402c202

Download Submit
C:\Users\Admin\AppData\Local\1bd60408b912f5870211c0f595cac75d\Admin@UXMRPRRI_en-US\System\Process.txt

Filesize
416B

MD5
155db8668f9a15ef87e12cac8b6dc07c

SHA1
bf8a7292308f717e98f624df7a9e2fb314bf5c6a

SHA256
93fa207f2ee6c7ec1f55e708a884cfb57dbbca14cf13b51717c412ea0b22be0d

SHA512
605d8887137dcd20e6c0f017e5e79b74a742abcc0b7eb5e70ae54195aef632d51bd30d6477ff2e3e84d947801b982350c115bf4a6cf63bfe2a23f4ccb9c1a40c

Download Submit
C:\Users\Admin\AppData\Local\1bd60408b912f5870211c0f595cac75d\Admin@UXMRPRRI_en-US\System\Process.txt

Filesize
479B

MD5
c2f08d07c51a7f8c882246d546b2f476

SHA1
c944925886d92a0a28fdcd83860cd9689218de1d

SHA256
d929f78f2853f9422aaf39afd97777a4e128d02d6565b1efd75a460c40e48ca5

SHA512
9fafb2369a520be2ca018c7ac9f78578f77b1695cbcca795327871ef2edba11d4d84d13199cf19ac17d528f1f82e52cf3f8fb0203d1d198db6b5f7ca04dd6247

Download Submit
C:\Users\Admin\AppData\Local\5de46853962e8a60beaae2003f059c2d\Admin@UXMRPRRI_en-US\Directories\Temp.txt

Filesize
3KB

MD5
521ad072cdaa79aa777915c381a51d9e

SHA1
0cc13beca0eeea57fc09c9753f1eeb389d4f430f

SHA256
315d5160e3f4720915ce0dc5af875b244e37fbfc21051b164d0097bf6476c3a2

SHA512
f3cf685a1a4a77f7f2ef6de197a8343f0f6595ef0b048dae87a8c7a10b45b77232207245b08add538d87515beb43b550c00d7121fe083e405b336ff3d9eb093b

Download Submit
C:\Users\Admin\AppData\Local\5de46853962e8a60beaae2003f059c2d\Admin@UXMRPRRI_en-US\System\Process.txt

Filesize
1KB

MD5
d51eecc224d86b87377832cf6aec6113

SHA1
346a2ff4b7a7cd1410660285d9297ec6d71d6053

SHA256
5573dc0c5db11afb2f5e7e78d3d77891f0406cf7a026eed4c383b8f50b6a8fe2

SHA512
8110fd029a80caeb08915bf2d418c831278694764740ccfe600e92277298e3a67bb6df4fe25542f782f8b3de59945dc4a985f47cfe28a8a444fcfb723f1a09bf

Download Submit
C:\Users\Admin\AppData\Local\5de46853962e8a60beaae2003f059c2d\Admin@UXMRPRRI_en-US\System\Process.txt

Filesize
1KB

MD5
c8b7b71e85d65622666db7bd55d85fdd

SHA1
ff6ac8118a787fe5c1e2e65970cc054da2e46659

SHA256
8269aeea58ada86b16e5362dde8c42fee9c786a993d297f84cd090804bd14ad1

SHA512
b4d409e12e3aff464ec53e7c9348944eccf3c68694fcd421858faaacffde7b3aaef59232afd5fdcfdfa2c6061ea8073fc274163c53ccaf8357aa81590abcd6c6

Download Submit
C:\Users\Admin\AppData\Local\5de46853962e8a60beaae2003f059c2d\Admin@UXMRPRRI_en-US\System\Process.txt

Filesize
1KB

MD5
9763ceb92ad0a8bff5255494e77d67cb

SHA1
2bb836ee53ed8543d362f1c5022f4f671a60081a

SHA256
18ad5ec9b7aba4019c3cc5bd05abd4de3ed7f260c7616d7f6e5bf68ccbd84cc3

SHA512
b044c402d5d31ad56280a33b86d24ed976d1f6ffb416c43b840822afe50056e8114f49cf1619a76e3dd7fbd2cc51b8577908492a368f8fed56afa65176a67a14

Download Submit
C:\Users\Admin\AppData\Local\5de46853962e8a60beaae2003f059c2d\Admin@UXMRPRRI_en-US\System\Process.txt

Filesize
2KB

MD5
3047dfd83520e7899f4ef80b08e04f93

SHA1
b89861e9ffe5ba0f22d136c33dc9c69b768f7602

SHA256
1bd5187885341633d60b513bec5808fa2a3dcded7ff21f3c424b11ad6f163332

SHA512
3a169d3c8752a66dbb83e7c3e9120583fdc56010d59680fde687e99e0ef9113893d2f79f893d8b84710282e7fd9f453ff84e0a2c2bee98c3c7fe956bcf4b7dec

Download Submit
C:\Users\Admin\AppData\Local\5de46853962e8a60beaae2003f059c2d\Admin@UXMRPRRI_en-US\System\Process.txt

Filesize
709B

MD5
2d2ac26bbf8679a36f758fc7ec92a30c

SHA1
ba3968a85947d7a1cadb190f9e84c7af551317c1

SHA256
2083f109eed5eaef2b0b124784413ff076cd55fb3df5f9113be8fd4d7b3ea4fb

SHA512
de4b402d4a8ecf4ee1ff9ca9015fb80e3977afc400366d4c174fcd29927b4ca3b4474e8870643277a8eb30919ccec7b204d37cbd5f5f470d494ba2cf6adc6e11

Download Submit
C:\Users\Admin\AppData\Local\5de46853962e8a60beaae2003f059c2d\Admin@UXMRPRRI_en-US\System\Process.txt

Filesize
785B

MD5
575679389ba8f5d2d323cf94d0fb41ad

SHA1
f66e6ad4658ce9611788155e7c6f49e35daa6b43

SHA256
fd48d25ec7a8698a569f01327e034a7a6de95732a3b7529cd9a33e9d843adce4

SHA512
75819eb34699a1c61ecf25bedc39337500fcea1e180e18167cf0d0027c66cd28c907a0d85f5871adbffe628aef09133978e9ba62a14bcd5a4e24f3fd1b95d9c6

Download Submit
C:\Users\Admin\AppData\Local\5de46853962e8a60beaae2003f059c2d\Admin@UXMRPRRI_en-US\System\Process.txt

Filesize
849B

MD5
483d5aa3091e24d4ad207899c39c573a

SHA1
481bb1b22593ad85079fb3e49db3d07dda8aa497

SHA256
09bb51dfef0ee92b118f072febe70e5f307ce9893b48be2b0183116303fca647

SHA512
9a03d8d504459c7f1bf206eb6fc945adc55232a4b0721a0d365a38ed9a1a024af64ee02207c6a9cb49849cf037a9aae8f3aa41ce00868afab223a8691bf77bc3

Download Submit
C:\Users\Admin\AppData\Local\5de46853962e8a60beaae2003f059c2d\Admin@UXMRPRRI_en-US\System\Process.txt

Filesize
913B

MD5
9545c55ded9c77303af4875abdf56be7

SHA1
48919c10b1ee8db2941c7f6c3d7b851c169c628c

SHA256
f85ee70a3cd211432d8af36cde69f2ac6a8b6f717015db424a9baf191d088b14

SHA512
ef1daa31a20068358088c56778ca5c792bdde847084317653d89b4a13b8b1a2e9db3323c71c16a45f0c5a38f95ff16639d81557b9d0f0c2413fa4510fc094df4

Download Submit
C:\Users\Admin\AppData\Local\5de46853962e8a60beaae2003f059c2d\Admin@UXMRPRRI_en-US\System\Process.txt

Filesize
976B

MD5
3ec6b55a653cc83e70a2dc3dc2fba787

SHA1
ca5c4f9f1fec58762cc3e1760d0841c00f3ccc5b

SHA256
9fd8ba03b6f9f5ecfa472b2da86caa97d3d642f7d60a4de49e3ba76c4503988a

SHA512
406916e0ff5c7237cb1401bdc3cea9949c796886bfc37821a072dbaca98e4bf2f4cab41662a6fde175ab8930bb7ba167c45d91fba5d5f992d1d0531057ce977f

Download Submit
C:\Users\Admin\AppData\Local\5de46853962e8a60beaae2003f059c2d\Admin@UXMRPRRI_en-US\System\Process.txt

Filesize
1KB

MD5
5e403951abfb9e6d04b7ce42e9c72aee

SHA1
63af7e772ad4761d83db1709bb35ee1c4abd29b8

SHA256
365a74bfcc9ff9e9effe61ea37d9fe31928587eade6a74561b2b3ef6fcaf51d2

SHA512
43c69efea52920c4bebafe680efbc2f2f2a47ac447a83ff3695307113c2e3a893085d669f2d1020606cdbdd74e478910ffa5abd8269365d54f2c742bc3f441f1

Download Submit
C:\Users\Admin\AppData\Local\5de46853962e8a60beaae2003f059c2d\Admin@UXMRPRRI_en-US\System\Process.txt

Filesize
1KB

MD5
5054c4e164788dbcae3747125bde90ca

SHA1
815c9d8b0bee75b1b70fe41c80c52616acce0bcb

SHA256
4a86c3ddf68540d3f051b9640a4fd1a5418e16d5742566bfc35c4aea5844c492

SHA512
aada96ef87ada9a129e5ad011558a37685a71fdf7dd6fded35e29df5695b72128c0417812562e955520da308f3e2cb37faa58810b0481fcf4aa34f113c71c919

Download Submit
C:\Users\Admin\AppData\Local\5de46853962e8a60beaae2003f059c2d\Admin@UXMRPRRI_en-US\System\Process.txt

Filesize
1KB

MD5
773c639d0c579c3896a7787d01cb7b27

SHA1
03569b8de182f146806b029e0ba8554d559a5284

SHA256
3fe9407dd7ad892fce3d4963d46cec77497960f166e614f4d681c72c853adc18

SHA512
cc4aafbfb758060f99e6259ec282090d7790e324eb3c50ba8ef803cfe1296f4957478e73f23e2d5479edc771fa08eb1914e61798c9e015219315519cc57c5e48

Download Submit
C:\Users\Admin\AppData\Local\5de46853962e8a60beaae2003f059c2d\Admin@UXMRPRRI_en-US\System\Process.txt

Filesize
4KB

MD5
73a9178d819babaa9d8afaa33b21382a

SHA1
f1cad074778e4789f2b1331a7bc65c34184b8bf7

SHA256
2f8f1b18542fbe6afbd4899965355ecde2a41895bb7f63f09656fe6f7afffeec

SHA512
f5b7d8273103fdf8b9b49419c74c4d57d2c770c0ddc232cae6570b430d23e51ca1f8a1c5c4ae424948c610393f18af4fb95f87c836700497e97a6974474c8e2c

Download Submit
C:\Users\Admin\AppData\Local\6273da9205fec68c64afc3253dbfc051\Admin@UXMRPRRI_en-US\Browsers\Firefox\Bookmarks.txt

Filesize
105B

MD5
2e9d094dda5cdc3ce6519f75943a4ff4

SHA1
5d989b4ac8b699781681fe75ed9ef98191a5096c

SHA256
c84c98bbf5e0ef9c8d0708b5d60c5bb656b7d6be5135d7f7a8d25557e08cf142

SHA512
d1f7eed00959e902bdb2125b91721460d3ff99f3bdfc1f2a343d4f58e8d4e5e5a06c0c6cdc0379211c94510f7c00d7a8b34fa7d0ca0c3d54cbbe878f1e9812b7

Download Submit
C:\Users\Admin\AppData\Local\6273da9205fec68c64afc3253dbfc051\Admin@UXMRPRRI_en-US\System\Process.txt

Filesize
4KB

MD5
dd9060e8ab12cd068d7ff437562d1f86

SHA1
b71a0339c99b3c71854def77b083a08e9780d73a

SHA256
db9fdc0a4fd6cf6308327cd320ebec7c8d9cdec9bd40b41724c8320fbe7aa7c2

SHA512
9496e1ddc3f07f3ed3e0992a41e7cb30bcd473f3b31cbad7b30c794c88f4c6c4946520ae4d4c2f3b1af71209a9a90b02b2aa68625a1ad2cea987e4dd73e73aca

Download Submit
C:\Users\Admin\AppData\Local\826a670fbd0646f8913d0e1e50b960d1\Admin@UXMRPRRI_en-US\System\Process.txt

Filesize
4KB

MD5
5ef24ebd0023548847d2bd0ebebb639b

SHA1
fd06717e6e6d93153e718bc665513d466d1bbcdc

SHA256
64d8f42c5ba39f1bd2c05450d25ac43c65684baf108ebcc5ade8c38df35bfc1f

SHA512
050f6cd3f9f618e27daa6b27589b1f9a4b12ce2b155fc4b22aa93ec1ed6223ad8e327990dea7543e92fa776bfbf8cc0c61102582997c7841f7d7798f1bf8bd3c

Download Submit
C:\Users\Admin\AppData\Local\826a670fbd0646f8913d0e1e50b960d1\Admin@UXMRPRRI_en-US\System\Process.txt

Filesize
645B

MD5
0e9631533f1a7da4bc5b015793b29b68

SHA1
e6cea7356c446449c327be01a152a00881cb4f51

SHA256
5feb24f6ea33631ae99043a15e64f932d200b62eeb45bc8b26738f0b6d5b638a

SHA512
d36b77c7ab941cfa380187e07386b7af31edfa190eb5d9a13f0b943afbba23f691a10bbe8770f4ce744fa1de1f03ff99283731c90f5b7681b55d8bb1a5e42290

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\RebelCracked.exe.log

Filesize
654B

MD5
2ff39f6c7249774be85fd60a8f9a245e

SHA1
684ff36b31aedc1e587c8496c02722c6698c1c4e

SHA256
e1b91642d85d98124a6a31f710e137ab7fd90dec30e74a05ab7fcf3b7887dced

SHA512
1d7e8b92ef4afd463d62cfa7e8b9d1799db5bf2a263d3cd7840df2e0a1323d24eb595b5f8eb615c6cb15f9e3a7b4fc99f8dd6a3d34479222e966ec708998aed1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
9b008261dda31857d68792b46af6dd6d

SHA1
e82dc88e2d1da2df7cb19d79a0346b9bb90d52b3

SHA256
9ac598d4f8170f7e475d84103aead9e3c23d5f2d292741a7f56a17bde8b6f7da

SHA512
78853091403a06beeec4998e2e3a4342111895ffd485f7f7cd367741a4883f7a25864cba00a6c86f27dc0c9ce9d04f08011ecc40c8ae9383d33274739ac39f10

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
0446fcdd21b016db1f468971fb82a488

SHA1
726b91562bb75f80981f381e3c69d7d832c87c9d

SHA256
62c5dc18b25e758f3508582a7c58bb46b734a774d97fc0e8a20614235caa8222

SHA512
1df7c085042266959f1fe0aedc5f6d40ceba485b54159f51f0c38f17bb250b79ea941b735e1b6faf219f23fe8ab65ac4557f545519d52d5416b89ad0f9047a31

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
288B

MD5
f3dbc6e2101e62fad558b66e0a78c661

SHA1
e8e93e467dd751ee44f150b5b61c4bca7d342f87

SHA256
604f859b256f82359c44438c82885b950d73dbc52fd2df5645a38946ba4ae57f

SHA512
122ae439d205ed362510bb63c4844a5797494f753367e45a50d88a21c20c0af6a7e1a7c1e4c2fa552d1337ed367e8c2571e2d76d7d5005c013bcd77957d7521d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cookies

Filesize
20KB

MD5
6c534498b52595cff902113a78c50691

SHA1
5e2b1148cf06dde23e5df8b1ab3c9916159bcce7

SHA256
39fb2289b63b9a920d29122430739b0bad79b33642911750755bdd486dee4265

SHA512
8524b2595feea64d5eae6483b19ac12ae046bda76750696854a06e2ee1a17a91db48f12de78e0ac72ae64a5b4ea1c8d0a70d7be5d33554af9da0aefa7cfd3ce1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\History

Filesize
124KB

MD5
954cf42c994585ccf59cab75109e85ec

SHA1
74a5e152029109cd1fd990f37e3e3bce6ae03f97

SHA256
3f028613f8f24432326a3b0d6113b39ee3ceb37a36448810d4dcbc71b36278af

SHA512
8d568b9d8c19fab34d18fd621056e65f39ba89f9496991052151a27cf3f518f19c9a2b920636bf2a856c0f036e8a568cdc95d849a6b77ad7973bdb743917d187

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
49dfe96f7869a78e2b2acb87e803c9d0

SHA1
2488058ce9c2080169c556f4d7bd29e6d2a24eae

SHA256
0992f597dae37891754300d1165b98070b0e80405bee17e0a295e69c096aa903

SHA512
2a53fd2fec650921e149196165d7ba2c966b5482488ffed23e3c3f8d62436ea7efe38c45ea76d767c71462e3d1ae5db7d03667ad7e8dc40494a6971aa46c2d46

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
f922efbcfbba9df398a7104351f92b3d

SHA1
33a7228526a37fe5d673dc218e89b896467035fe

SHA256
0f819802fcea020523c12c09882c8ba64d68f81d05a5222fe7d95b94c32ac965

SHA512
560eb4ba608c586d3ddd6d08646fa44006e70d1af575ade22e2cae464964194b1962eb0d97fc56477d3dc09d3ec9ff29f815c87154c0fb77a21c398aec3afe11

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
0803e1e428593060991cff963cc12f9b

SHA1
e69c36514dfde4ef5e44327899eed52cfe9242bb

SHA256
803e041fa978109a08366b93ae71f0fe2511e6841716390943d26fa45802df79

SHA512
a5410cdf63b8dbdd3a4b8a6824048501cfe6eecc96a2840a17bdd02005796674947c046bd0cf29228a748b5bacae54de79dca398d121628872952c3443316780

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
a333b6342e37d088779680a312945137

SHA1
469ad8054640cfb259e24db857c5a0fd476dbe4d

SHA256
a5de629c84b1f4196cbbad3db4888ab2c02994de8f5fa10bc54d337a89d9021e

SHA512
cccb01c91cef80fe55a66add9cc08568df922e5dd4af1382b9475d6883f9287e7025164edbf5122cb0a2f78ae4268f33ca652cdeb974161ee0bcdc597ad8cccb

Download Submit
C:\Users\Admin\AppData\Local\Temp\RuntimeBroker.exe

Filesize
175KB

MD5
59d9f02a7c904f21a175944dbeed3b13

SHA1
aa718c47c9cf57d16b7d3f4d8743a739fc05123b

SHA256
b8d40aee28967859278556d66452e861691ce10f41a4ace97fe87265294f6524

SHA512
1ecb75b6e334d3d0695ac50561eaa1ef9e87e8aeb370e053ded4d17dfff825e4b3d33b17a3728b5bda9008a7b85b33aa48a79821d286c99ae2c767a76908b36e

Download Submit
C:\Users\Admin\AppData\Local\Temp\places.raw

Filesize
5.0MB

MD5
90281dbd5cb1133ade2bf34dd0d390aa

SHA1
10443ff1fea33ab751cffa19d208f63b433296ec

SHA256
ba4b82d026ba3561666eb31cad20732a27d11d9ca844c52ad757bd44d83fed33

SHA512
3d39ac85f4f9c16660c158da693f4e3fe39a477a0f34e5bfaeb766680b41e661d2a4bff165baa06e52f504474c6280d50802b7c4f2e97bf4d1930ed0a52abc91

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp1E70.tmp.dat

Filesize
114KB

MD5
503d6b554ee03ef54c8deb8c440f6012

SHA1
e306b2a07bf87e90c63418024c92933bcc3f4d7f

SHA256
4c407af4d5326d1ea43e89945eda0b86c81ad0d12bd5465b327c0fd1df56f7d4

SHA512
3490b51dfe2e8f6efa3cdeee7bc08c03072597861c1a2f88dc830139abb7611c671ddad345c2af97bb1e88927c09467ed92b5feafe6696d7e2b31b3bd3447437

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp1E72.tmp.dat

Filesize
160KB

MD5
f310cf1ff562ae14449e0167a3e1fe46

SHA1
85c58afa9049467031c6c2b17f5c12ca73bb2788

SHA256
e187946249cd390a3c1cf5d4e3b0d8f554f9acdc416bf4e7111fff217bb08855

SHA512
1196371de08c964268c44103ccaed530bda6a145df98e0f480d8ee5ad58cb6fb33ca4c9195a52181fe864726dcf52e6a7a466d693af0cda43400a3a7ef125fad

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp1E75.tmp.dat

Filesize
116KB

MD5
f70aa3fa04f0536280f872ad17973c3d

SHA1
50a7b889329a92de1b272d0ecf5fce87395d3123

SHA256
8d782aa65de6db3538a14da82216e96d5e0a3c60496726e3541a8165bccc65f8

SHA512
30675c5c610d9aa32a4c4a4d9c3af7570823cd197f8d2a709222c78e2cd15304bbed80e233e3674ec2f6e33d1961c67fd6a46dc8ba8b1a301cd0722932c03c84

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp276A.tmp.dat

Filesize
40KB

MD5
a182561a527f929489bf4b8f74f65cd7

SHA1
8cd6866594759711ea1836e86a5b7ca64ee8911f

SHA256
42aad7886965428a941508b776a666a4450eb658cb90e80fae1e7457fc71f914

SHA512
9bc3bf5a82f6f057e873adebd5b7a4c64adef966537ab9c565fe7c4bb3582e2e485ff993d5ab8a6002363231958fabd0933b48811371b8c155eaa74592b66558

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp277F.tmp.dat

Filesize
48KB

MD5
349e6eb110e34a08924d92f6b334801d

SHA1
bdfb289daff51890cc71697b6322aa4b35ec9169

SHA256
c9fd7be4579e4aa942e8c2b44ab10115fa6c2fe6afd0c584865413d9d53f3b2a

SHA512
2a635b815a5e117ea181ee79305ee1baf591459427acc5210d8c6c7e447be3513ead871c605eb3d32e4ab4111b2a335f26520d0ef8c1245a4af44e1faec44574

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp27B1.tmp.dat

Filesize
96KB

MD5
40f3eb83cc9d4cdb0ad82bd5ff2fb824

SHA1
d6582ba879235049134fa9a351ca8f0f785d8835

SHA256
cdd772b00ae53d4050150552b67028b7344bb1d345bceb495151cc969c27a0a0

SHA512
cdd4dbf0b1ba73464cd7c5008dc05458862e5f608e336b53638a14965becd4781cdea595fd6bd18d0bf402dccffd719da292a6ce67d359527b4691dc6d6d4cc2

Download Submit
C:\Users\Admin\AppData\Local\c6c193096bef91194577b7d7d520c777\Admin@UXMRPRRI_en-US\Browsers\Edge\History.txt

Filesize
330B

MD5
0364e8590ab03f212bdf80b2b945ed35

SHA1
133a87f0a166220a19a2703e01a15da80a79f95b

SHA256
b5f48f9dcb1e41cd6533be60a10e04d865ae0bb8c1d75bc36cffd86a0ae74e3d

SHA512
4bef35ec84e08e24f2201168cd7150061ab88e6c2bb27f1ab099eeab165853ea905f41a2602b0bc1e2686dd0f070f100a03a03e7aaf1ecdb93792803b79ad4f0

Download Submit
C:\Users\Admin\AppData\Local\c6c193096bef91194577b7d7d520c777\Admin@UXMRPRRI_en-US\System\Process.txt

Filesize
4KB

MD5
53fb96c070b399ec47e6371da497b4d7

SHA1
fd0f972ef12a64c2156bbcc0231ead4024dce1f7

SHA256
6203f3a2d30efc25f1e24022304b97d8db24c66c5d73716595d96c72db4e9b12

SHA512
304d8a3752761b6a7ad77a0abf53c68d6e977c1eefe1d7d50f55d37e19c1bde8834cf410cf9d642ab3f11332a6df4ddb029cbaf174d8731a96e12984fe9584cf

Download Submit
C:\Users\Admin\Downloads\Rebel.7z

Filesize
8.0MB

MD5
06598c035db9cbdfd2577ded793b97a4

SHA1
e2de172829430cecc3dc35b6e37167f13e75b301

SHA256
ebf1f88870aadeb5f22a893b6670c6ac9aaccef37dad26317e000146e3cc8a41

SHA512
502c56f1c45ee81818c119266eb1e782acabd5dfe2bc7c34c7ec4bb1dae2cb4905a19a6a9b86f761a189d02e972b17a156758f3ed7757545353d4480142a0931

Download Submit
C:\Users\Admin\Downloads\Rebel\ReadMe.txt

Filesize
13B

MD5
1c6c20f0c324e98e38272f1245d24e11

SHA1
bbb5dc3a18a532529ec6fa88c86542288dd979f7

SHA256
4ca7414e2aba6d74826403afb6ccbcc1752297a1b61aced8808b75d80d212f2d

SHA512
a30aed5a54580ad73f16ad237f82e2dc99c99d9645d40d1fbdf88a7d6c10c238b6967c011ba46c6084d409e4a37b41983d600146f93cd9250a810b7d784d8246

Download Submit
C:\Users\Admin\Downloads\Rebel\RebelCracked.exe

Filesize
154KB

MD5
76b3ef39824d31fde7ca5d27ae8700fa

SHA1
c03994080a4f1038d4a624499acedcf0fea737f3

SHA256
439096c4077b5a1ad2e2ad232fdaeeece05a72e6a69c16d11a624b665dc428f3

SHA512
3246594017abe3c4e208ce270388feecf23ec3032de73bb380aaebd17030263ff00e8270b2ab901efa993c2e896cd28a091b2b9a49986c98cd974826641f240d

Download Submit
\??\pipe\LOCAL\crashpad_4584_YOHGKZAIQTUSGKPU

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/5584-144-0x0000000000200000-0x000000000022C000-memory.dmp

Filesize
176KB

Download
memory/5820-162-0x0000000005670000-0x00000000056D6000-memory.dmp

Filesize
408KB

Download
memory/5820-158-0x0000000000550000-0x0000000000582000-memory.dmp

Filesize
200KB

Download
memory/6056-833-0x0000000006D30000-0x00000000072D4000-memory.dmp

Filesize
5.6MB

Download
memory/6056-827-0x00000000066E0000-0x0000000006772000-memory.dmp

Filesize
584KB

Download