asyncrat | hxxps://download1478[.]mediafire[.]com/1gu2oqfzx0rg_7tBuOj6nWmJWNgo-ATHYTAMPviPD3JG4R3ucmiQEkL54OJQpIM2JzhMgmukQVIRQsH97t1M7NkfASkBz3PbGgzwhbHBsxcVwCLVDmsVhvKbjkA3nR-g4gujoXIkVm_KyCtKRZG5hVdd1QXyEjRY3vjfbg2NM8IvmQ/by9n59rwi4ek33p/Rebel[.]7z

Resubmissions

06/09/2024, 15:44

240906-s6vj7svemg 10

Analysis

max time kernel
172s
max time network
172s
platform
windows11-21h2_x64
resource
win11-20240802-en
resource tags

arch:x64arch:x86image:win11-20240802-enlocale:en-usos:windows11-21h2-x64system
submitted
06/09/2024, 15:44

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://download1478.mediafire.com/1gu2oqfzx0rg_7tBuOj6nWmJWNgo-ATHYTAMPviPD3JG4R3ucmiQEkL54OJQpIM2JzhMgmukQVIRQsH97t1M7NkfASkBz3PbGgzwhbHBsxcVwCLVDmsVhvKbjkA3nR-g4gujoXIkVm_KyCtKRZG5hVdd1QXyEjRY3vjfbg2NM8IvmQ/by9n59rwi4ek33p/Rebel.7z

Score

10^/10

asyncrat stormkitty default credential_access discovery persistence privilege_escalation rat spyware stealer

Malware Config

Extracted

Family

asyncrat

Botnet

Default

127.0.0.1:6606

127.0.0.1:7707

127.0.0.1:8808

Mutex

AsyncMutex_6SI8OkPnk

Attributes

delay
3
install
false
install_folder
%AppData%

aes.plain

Signatures

AsyncRat
AsyncRAT is designed to remotely monitor and control other computers written in C#.
rat asyncrat
StormKitty
StormKitty is an open source info stealer written in C#.
stealer stormkitty

StormKitty payload 1 IoCs

resource	yara_rule
behavioral1/memory/2596-184-0x0000000000400000-0x0000000000432000-memory.dmp	family_stormkitty

Credentials from Password Stores: Credentials from Web Browsers 1 TTPs
Malicious Access or copy of Web Browser Credential store.
credential_access stealer

Credentials from Web Browsers
T1555.003

Executes dropped EXE 25 IoCs

pid	Process
2564	RebelCracked.exe
3408	RuntimeBroker.exe
3664	RebelCracked.exe
2596	RuntimeBroker.exe
5056	RuntimeBroker.exe
3708	RebelCracked.exe
1768	RuntimeBroker.exe
2724	RuntimeBroker.exe
3988	RebelCracked.exe
980	RuntimeBroker.exe
1116	RuntimeBroker.exe
1432	RebelCracked.exe
1140	RuntimeBroker.exe
788	RuntimeBroker.exe
2080	RebelCracked.exe
3412	RuntimeBroker.exe
228	RuntimeBroker.exe
1728	RebelCracked.exe
3668	RuntimeBroker.exe
4228	RuntimeBroker.exe
2848	RebelCracked.exe
1088	RuntimeBroker.exe
4928	RebelCracked.exe
1532	RuntimeBroker.exe
4308	RuntimeBroker.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops desktop.ini file(s) 35 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Local\db81a968559c18d3ebb05809a10f800b\Admin@ITMJLVNR_en-US\Grabber\DRIVE-C\Users\Admin\Pictures\Camera Roll\desktop.ini	RuntimeBroker.exe
File created	C:\Users\Admin\AppData\Local\3a117b6d93ab1aaf2ee3093e0d4f785e\Admin@ITMJLVNR_en-US\Grabber\DRIVE-C\Users\Admin\Desktop\desktop.ini	RuntimeBroker.exe
File opened for modification	C:\Users\Admin\AppData\Local\3a117b6d93ab1aaf2ee3093e0d4f785e\Admin@ITMJLVNR_en-US\Grabber\DRIVE-C\Users\Admin\Desktop\desktop.ini	RuntimeBroker.exe
File created	C:\Users\Admin\AppData\Local\0dc2e9767170cf0916b3334bad14c83d\Admin@ITMJLVNR_en-US\Grabber\DRIVE-C\Users\Admin\Pictures\desktop.ini	RuntimeBroker.exe
File created	C:\Users\Admin\AppData\Local\0dc2e9767170cf0916b3334bad14c83d\Admin@ITMJLVNR_en-US\Grabber\DRIVE-C\Users\Admin\Pictures\Saved Pictures\desktop.ini	RuntimeBroker.exe
File opened for modification	C:\Users\Admin\AppData\Local\3a117b6d93ab1aaf2ee3093e0d4f785e\Admin@ITMJLVNR_en-US\Grabber\DRIVE-C\Users\Admin\Desktop\desktop.ini	RuntimeBroker.exe
File created	C:\Users\Admin\AppData\Local\3a117b6d93ab1aaf2ee3093e0d4f785e\Admin@ITMJLVNR_en-US\Grabber\DRIVE-C\Users\Admin\Documents\desktop.ini	RuntimeBroker.exe
File created	C:\Users\Admin\AppData\Local\db81a968559c18d3ebb05809a10f800b\Admin@ITMJLVNR_en-US\Grabber\DRIVE-C\Users\Admin\Desktop\desktop.ini	RuntimeBroker.exe
File created	C:\Users\Admin\AppData\Local\db81a968559c18d3ebb05809a10f800b\Admin@ITMJLVNR_en-US\Grabber\DRIVE-C\Users\Admin\Pictures\desktop.ini	RuntimeBroker.exe
File created	C:\Users\Admin\AppData\Local\0dc2e9767170cf0916b3334bad14c83d\Admin@ITMJLVNR_en-US\Grabber\DRIVE-C\Users\Admin\Pictures\desktop.ini	RuntimeBroker.exe
File created	C:\Users\Admin\AppData\Local\0dc2e9767170cf0916b3334bad14c83d\Admin@ITMJLVNR_en-US\Grabber\DRIVE-C\Users\Admin\Pictures\Camera Roll\desktop.ini	RuntimeBroker.exe
File created	C:\Users\Admin\AppData\Local\3a117b6d93ab1aaf2ee3093e0d4f785e\Admin@ITMJLVNR_en-US\Grabber\DRIVE-C\Users\Admin\Pictures\desktop.ini	RuntimeBroker.exe
File created	C:\Users\Admin\AppData\Local\3a117b6d93ab1aaf2ee3093e0d4f785e\Admin@ITMJLVNR_en-US\Grabber\DRIVE-C\Users\Admin\Pictures\Saved Pictures\desktop.ini	RuntimeBroker.exe
File created	C:\Users\Admin\AppData\Local\3a117b6d93ab1aaf2ee3093e0d4f785e\Admin@ITMJLVNR_en-US\Grabber\DRIVE-C\Users\Admin\Documents\desktop.ini	RuntimeBroker.exe
File created	C:\Users\Admin\AppData\Local\3a117b6d93ab1aaf2ee3093e0d4f785e\Admin@ITMJLVNR_en-US\Grabber\DRIVE-C\Users\Admin\Pictures\desktop.ini	RuntimeBroker.exe
File created	C:\Users\Admin\AppData\Local\3a117b6d93ab1aaf2ee3093e0d4f785e\Admin@ITMJLVNR_en-US\Grabber\DRIVE-C\Users\Admin\Pictures\Camera Roll\desktop.ini	RuntimeBroker.exe
File opened for modification	C:\Users\Admin\AppData\Local\db81a968559c18d3ebb05809a10f800b\Admin@ITMJLVNR_en-US\Grabber\DRIVE-C\Users\Admin\Desktop\desktop.ini	RuntimeBroker.exe
File opened for modification	C:\Users\Admin\AppData\Local\0dc2e9767170cf0916b3334bad14c83d\Admin@ITMJLVNR_en-US\Grabber\DRIVE-C\Users\Admin\Desktop\desktop.ini	RuntimeBroker.exe
File created	C:\Users\Admin\AppData\Local\0dc2e9767170cf0916b3334bad14c83d\Admin@ITMJLVNR_en-US\Grabber\DRIVE-C\Users\Admin\Downloads\desktop.ini	RuntimeBroker.exe
File created	C:\Users\Admin\AppData\Local\0dc2e9767170cf0916b3334bad14c83d\Admin@ITMJLVNR_en-US\Grabber\DRIVE-C\Users\Admin\Desktop\desktop.ini	RuntimeBroker.exe
File created	C:\Users\Admin\AppData\Local\db81a968559c18d3ebb05809a10f800b\Admin@ITMJLVNR_en-US\Grabber\DRIVE-C\Users\Admin\Documents\desktop.ini	RuntimeBroker.exe
File created	C:\Users\Admin\AppData\Local\0dc2e9767170cf0916b3334bad14c83d\Admin@ITMJLVNR_en-US\Grabber\DRIVE-C\Users\Admin\Documents\desktop.ini	RuntimeBroker.exe
File created	C:\Users\Admin\AppData\Local\3a117b6d93ab1aaf2ee3093e0d4f785e\Admin@ITMJLVNR_en-US\Grabber\DRIVE-C\Users\Admin\Downloads\desktop.ini	RuntimeBroker.exe
File created	C:\Users\Admin\AppData\Local\db81a968559c18d3ebb05809a10f800b\Admin@ITMJLVNR_en-US\Grabber\DRIVE-C\Users\Admin\Pictures\Saved Pictures\desktop.ini	RuntimeBroker.exe
File created	C:\Users\Admin\AppData\Local\0dc2e9767170cf0916b3334bad14c83d\Admin@ITMJLVNR_en-US\Grabber\DRIVE-C\Users\Admin\Downloads\desktop.ini	RuntimeBroker.exe
File created	C:\Users\Admin\AppData\Local\3a117b6d93ab1aaf2ee3093e0d4f785e\Admin@ITMJLVNR_en-US\Grabber\DRIVE-C\Users\Admin\Desktop\desktop.ini	RuntimeBroker.exe
File created	C:\Users\Admin\AppData\Local\db81a968559c18d3ebb05809a10f800b\Admin@ITMJLVNR_en-US\Grabber\DRIVE-C\Users\Admin\Downloads\desktop.ini	RuntimeBroker.exe
File created	C:\Users\Admin\AppData\Local\0dc2e9767170cf0916b3334bad14c83d\Admin@ITMJLVNR_en-US\Grabber\DRIVE-C\Users\Admin\Pictures\Saved Pictures\desktop.ini	RuntimeBroker.exe
File created	C:\Users\Admin\AppData\Local\3a117b6d93ab1aaf2ee3093e0d4f785e\Admin@ITMJLVNR_en-US\Grabber\DRIVE-C\Users\Admin\Pictures\Camera Roll\desktop.ini	RuntimeBroker.exe
File created	C:\Users\Admin\AppData\Local\3a117b6d93ab1aaf2ee3093e0d4f785e\Admin@ITMJLVNR_en-US\Grabber\DRIVE-C\Users\Admin\Downloads\desktop.ini	RuntimeBroker.exe
File opened for modification	C:\Users\Admin\AppData\Local\0dc2e9767170cf0916b3334bad14c83d\Admin@ITMJLVNR_en-US\Grabber\DRIVE-C\Users\Admin\Desktop\desktop.ini	RuntimeBroker.exe
File created	C:\Users\Admin\AppData\Local\0dc2e9767170cf0916b3334bad14c83d\Admin@ITMJLVNR_en-US\Grabber\DRIVE-C\Users\Admin\Pictures\Camera Roll\desktop.ini	RuntimeBroker.exe
File created	C:\Users\Admin\AppData\Local\3a117b6d93ab1aaf2ee3093e0d4f785e\Admin@ITMJLVNR_en-US\Grabber\DRIVE-C\Users\Admin\Pictures\Saved Pictures\desktop.ini	RuntimeBroker.exe
File created	C:\Users\Admin\AppData\Local\0dc2e9767170cf0916b3334bad14c83d\Admin@ITMJLVNR_en-US\Grabber\DRIVE-C\Users\Admin\Desktop\desktop.ini	RuntimeBroker.exe
File created	C:\Users\Admin\AppData\Local\0dc2e9767170cf0916b3334bad14c83d\Admin@ITMJLVNR_en-US\Grabber\DRIVE-C\Users\Admin\Documents\desktop.ini	RuntimeBroker.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 12 IoCs

Web Service

T1102

flow	ioc
59	pastebin.com
73	pastebin.com
138	pastebin.com
13	pastebin.com
35	pastebin.com
41	pastebin.com
44	pastebin.com
81	pastebin.com
34	pastebin.com
58	pastebin.com
61	pastebin.com
72	pastebin.com

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
1	icanhazip.com

Looks up geolocation information via web service
Uses a legitimate geolocation service to find the infected system's geolocation info.

Suspicious use of SetThreadContext 8 IoCs

description	pid	Process	procid_target
PID 3408 set thread context of 2596	3408	RuntimeBroker.exe	108
PID 5056 set thread context of 1768	5056	RuntimeBroker.exe	111
PID 2724 set thread context of 980	2724	RuntimeBroker.exe	114
PID 1116 set thread context of 1140	1116	RuntimeBroker.exe	117
PID 788 set thread context of 3412	788	RuntimeBroker.exe	120
PID 228 set thread context of 3668	228	RuntimeBroker.exe	124
PID 4228 set thread context of 1088	4228	RuntimeBroker.exe	131
PID 1532 set thread context of 4308	1532	RuntimeBroker.exe	282

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Event Triggered Execution: Netsh Helper DLL 1 TTPs 18 IoCs

Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

persistence privilege_escalation

Netsh Helper DLL

T1546.007

description	ioc	Process
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe

System Location Discovery: System Language Discovery 1 TTPs 37 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RuntimeBroker.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RuntimeBroker.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RuntimeBroker.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RuntimeBroker.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	chcp.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	chcp.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RuntimeBroker.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	chcp.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RuntimeBroker.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RuntimeBroker.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RuntimeBroker.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	findstr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RuntimeBroker.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RuntimeBroker.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RuntimeBroker.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	findstr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	chcp.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RuntimeBroker.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RuntimeBroker.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	chcp.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RuntimeBroker.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RuntimeBroker.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	findstr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RuntimeBroker.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	chcp.com

System Network Configuration Discovery: Wi-Fi Discovery 1 TTPs 62 IoCs

Adversaries may search for information about Wi-Fi networks, such as network names and passwords, on compromised systems.

discovery

Wi-Fi Discovery

T1016.002

pid	Process
480	netsh.exe
4112	cmd.exe
3620	cmd.exe
3452	cmd.exe
5080	netsh.exe
4380	cmd.exe
5096	cmd.exe
5968	cmd.exe
4116	netsh.exe
4600	cmd.exe
2816	netsh.exe
2484	netsh.exe
5148	netsh.exe
4328	cmd.exe
3028	netsh.exe
4260	netsh.exe
5820	cmd.exe
1216	cmd.exe
3936	cmd.exe
4308	cmd.exe
6068	netsh.exe
2196	netsh.exe
1012	netsh.exe
5560	cmd.exe
6072	cmd.exe
2480	netsh.exe
2536	netsh.exe
5480	cmd.exe
2268	cmd.exe
1756	cmd.exe
6056	netsh.exe
6140	cmd.exe
236	netsh.exe
948	cmd.exe
3544	cmd.exe
5124	netsh.exe
748	netsh.exe
5352	netsh.exe
6028	netsh.exe
5512	cmd.exe
1576	netsh.exe
2288	cmd.exe
4016	netsh.exe
124	netsh.exe
4592	netsh.exe
3988	netsh.exe
5440	netsh.exe
6020	cmd.exe
5920	cmd.exe
5764	netsh.exe
5804	cmd.exe
5104	cmd.exe
2876	cmd.exe
4728	netsh.exe
5780	netsh.exe
5960	cmd.exe
1356	netsh.exe
4328	cmd.exe
4920	netsh.exe
400	cmd.exe
2764	cmd.exe
2168	cmd.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-6179872-1886041298-1573312864-1000_Classes\Local Settings	OpenWith.exe

NTFS ADS 1 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\Downloads\Rebel.7z:Zone.Identifier	msedge.exe

Opens file in notepad (likely ransom note) 1 IoCs

ransomware

pid	Process
4208	NOTEPAD.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1096	msedge.exe
1096	msedge.exe
996	msedge.exe
996	msedge.exe
4612	identity_helper.exe
4612	identity_helper.exe
3956	msedge.exe
3956	msedge.exe
788	msedge.exe
788	msedge.exe
2596	RuntimeBroker.exe
2596	RuntimeBroker.exe
2596	RuntimeBroker.exe
2596	RuntimeBroker.exe
2596	RuntimeBroker.exe
2596	RuntimeBroker.exe
2596	RuntimeBroker.exe
2596	RuntimeBroker.exe
2596	RuntimeBroker.exe
2596	RuntimeBroker.exe
1768	RuntimeBroker.exe
1768	RuntimeBroker.exe
1768	RuntimeBroker.exe
1768	RuntimeBroker.exe
2596	RuntimeBroker.exe
2596	RuntimeBroker.exe
1768	RuntimeBroker.exe
1768	RuntimeBroker.exe
1768	RuntimeBroker.exe
1768	RuntimeBroker.exe
2596	RuntimeBroker.exe
2596	RuntimeBroker.exe
1768	RuntimeBroker.exe
1768	RuntimeBroker.exe
2596	RuntimeBroker.exe
2596	RuntimeBroker.exe
2596	RuntimeBroker.exe
2596	RuntimeBroker.exe
2596	RuntimeBroker.exe
2596	RuntimeBroker.exe
1768	RuntimeBroker.exe
1768	RuntimeBroker.exe
980	RuntimeBroker.exe
980	RuntimeBroker.exe
980	RuntimeBroker.exe
980	RuntimeBroker.exe
1768	RuntimeBroker.exe
1768	RuntimeBroker.exe
980	RuntimeBroker.exe
980	RuntimeBroker.exe
2596	RuntimeBroker.exe
2596	RuntimeBroker.exe
980	RuntimeBroker.exe
980	RuntimeBroker.exe
1768	RuntimeBroker.exe
1768	RuntimeBroker.exe
1768	RuntimeBroker.exe
1768	RuntimeBroker.exe
2596	RuntimeBroker.exe
980	RuntimeBroker.exe
980	RuntimeBroker.exe
1768	RuntimeBroker.exe
1768	RuntimeBroker.exe
1140	RuntimeBroker.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 4 IoCs

pid	Process
996	msedge.exe
996	msedge.exe
996	msedge.exe
996	msedge.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

description	pid	Process
Token: SeRestorePrivilege	4928	7zG.exe
Token: 35	4928	7zG.exe
Token: SeSecurityPrivilege	4928	7zG.exe
Token: SeSecurityPrivilege	4928	7zG.exe
Token: SeDebugPrivilege	2596	RuntimeBroker.exe
Token: SeDebugPrivilege	1768	RuntimeBroker.exe
Token: SeDebugPrivilege	980	RuntimeBroker.exe
Token: SeDebugPrivilege	1140	RuntimeBroker.exe
Token: SeDebugPrivilege	3412	RuntimeBroker.exe
Token: SeDebugPrivilege	3668	RuntimeBroker.exe
Token: SeDebugPrivilege	1088	RuntimeBroker.exe
Token: SeDebugPrivilege	4308	RuntimeBroker.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
996	msedge.exe
996	msedge.exe
996	msedge.exe
996	msedge.exe
996	msedge.exe
996	msedge.exe
996	msedge.exe
996	msedge.exe
996	msedge.exe
996	msedge.exe
996	msedge.exe
996	msedge.exe
996	msedge.exe
996	msedge.exe
996	msedge.exe
996	msedge.exe
996	msedge.exe
996	msedge.exe
996	msedge.exe
996	msedge.exe
996	msedge.exe
996	msedge.exe
996	msedge.exe
996	msedge.exe
996	msedge.exe
996	msedge.exe
996	msedge.exe
996	msedge.exe
996	msedge.exe
996	msedge.exe
996	msedge.exe
996	msedge.exe
996	msedge.exe
996	msedge.exe
996	msedge.exe
996	msedge.exe
996	msedge.exe
996	msedge.exe
996	msedge.exe
996	msedge.exe
996	msedge.exe
996	msedge.exe
996	msedge.exe
996	msedge.exe
996	msedge.exe
996	msedge.exe
996	msedge.exe
996	msedge.exe
996	msedge.exe
996	msedge.exe
996	msedge.exe
996	msedge.exe
996	msedge.exe
996	msedge.exe
996	msedge.exe
996	msedge.exe
996	msedge.exe
996	msedge.exe
996	msedge.exe
996	msedge.exe
996	msedge.exe
996	msedge.exe
996	msedge.exe
996	msedge.exe

Suspicious use of SendNotifyMessage 20 IoCs

pid	Process
996	msedge.exe
996	msedge.exe
996	msedge.exe
996	msedge.exe
996	msedge.exe
996	msedge.exe
996	msedge.exe
996	msedge.exe
996	msedge.exe
996	msedge.exe
996	msedge.exe
996	msedge.exe
996	msedge.exe
996	msedge.exe
996	msedge.exe
996	msedge.exe
996	msedge.exe
996	msedge.exe
996	msedge.exe
996	msedge.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
3028	OpenWith.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 996 wrote to memory of 4568	996	msedge.exe	80
PID 996 wrote to memory of 4568	996	msedge.exe	80
PID 996 wrote to memory of 1468	996	msedge.exe	82
PID 996 wrote to memory of 1468	996	msedge.exe	82
PID 996 wrote to memory of 1468	996	msedge.exe	82
PID 996 wrote to memory of 1468	996	msedge.exe	82
PID 996 wrote to memory of 1468	996	msedge.exe	82
PID 996 wrote to memory of 1468	996	msedge.exe	82
PID 996 wrote to memory of 1468	996	msedge.exe	82
PID 996 wrote to memory of 1468	996	msedge.exe	82
PID 996 wrote to memory of 1468	996	msedge.exe	82
PID 996 wrote to memory of 1468	996	msedge.exe	82
PID 996 wrote to memory of 1468	996	msedge.exe	82
PID 996 wrote to memory of 1468	996	msedge.exe	82
PID 996 wrote to memory of 1468	996	msedge.exe	82
PID 996 wrote to memory of 1468	996	msedge.exe	82
PID 996 wrote to memory of 1468	996	msedge.exe	82
PID 996 wrote to memory of 1468	996	msedge.exe	82
PID 996 wrote to memory of 1468	996	msedge.exe	82
PID 996 wrote to memory of 1468	996	msedge.exe	82
PID 996 wrote to memory of 1468	996	msedge.exe	82
PID 996 wrote to memory of 1468	996	msedge.exe	82
PID 996 wrote to memory of 1468	996	msedge.exe	82
PID 996 wrote to memory of 1468	996	msedge.exe	82
PID 996 wrote to memory of 1468	996	msedge.exe	82
PID 996 wrote to memory of 1468	996	msedge.exe	82
PID 996 wrote to memory of 1468	996	msedge.exe	82
PID 996 wrote to memory of 1468	996	msedge.exe	82
PID 996 wrote to memory of 1468	996	msedge.exe	82
PID 996 wrote to memory of 1468	996	msedge.exe	82
PID 996 wrote to memory of 1468	996	msedge.exe	82
PID 996 wrote to memory of 1468	996	msedge.exe	82
PID 996 wrote to memory of 1468	996	msedge.exe	82
PID 996 wrote to memory of 1468	996	msedge.exe	82
PID 996 wrote to memory of 1468	996	msedge.exe	82
PID 996 wrote to memory of 1468	996	msedge.exe	82
PID 996 wrote to memory of 1468	996	msedge.exe	82
PID 996 wrote to memory of 1468	996	msedge.exe	82
PID 996 wrote to memory of 1468	996	msedge.exe	82
PID 996 wrote to memory of 1468	996	msedge.exe	82
PID 996 wrote to memory of 1468	996	msedge.exe	82
PID 996 wrote to memory of 1468	996	msedge.exe	82
PID 996 wrote to memory of 1096	996	msedge.exe	83
PID 996 wrote to memory of 1096	996	msedge.exe	83
PID 996 wrote to memory of 412	996	msedge.exe	84
PID 996 wrote to memory of 412	996	msedge.exe	84
PID 996 wrote to memory of 412	996	msedge.exe	84
PID 996 wrote to memory of 412	996	msedge.exe	84
PID 996 wrote to memory of 412	996	msedge.exe	84
PID 996 wrote to memory of 412	996	msedge.exe	84
PID 996 wrote to memory of 412	996	msedge.exe	84
PID 996 wrote to memory of 412	996	msedge.exe	84
PID 996 wrote to memory of 412	996	msedge.exe	84
PID 996 wrote to memory of 412	996	msedge.exe	84
PID 996 wrote to memory of 412	996	msedge.exe	84
PID 996 wrote to memory of 412	996	msedge.exe	84
PID 996 wrote to memory of 412	996	msedge.exe	84
PID 996 wrote to memory of 412	996	msedge.exe	84
PID 996 wrote to memory of 412	996	msedge.exe	84
PID 996 wrote to memory of 412	996	msedge.exe	84
PID 996 wrote to memory of 412	996	msedge.exe	84
PID 996 wrote to memory of 412	996	msedge.exe	84
PID 996 wrote to memory of 412	996	msedge.exe	84
PID 996 wrote to memory of 412	996	msedge.exe	84

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://download1478.mediafire.com/1gu2oqfzx0rg_7tBuOj6nWmJWNgo-ATHYTAMPviPD3JG4R3ucmiQEkL54OJQpIM2JzhMgmukQVIRQsH97t1M7NkfASkBz3PbGgzwhbHBsxcVwCLVDmsVhvKbjkA3nR-g4gujoXIkVm_KyCtKRZG5hVdd1QXyEjRY3vjfbg2NM8IvmQ/by9n59rwi4ek33p/Rebel.7z
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:996
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffc406f3cb8,0x7ffc406f3cc8,0x7ffc406f3cd8
  2⤵
  PID:4568
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1724,3439379570226843489,3552516413295920979,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1948 /prefetch:2
  2⤵
  PID:1468
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1724,3439379570226843489,3552516413295920979,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2360 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1096
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1724,3439379570226843489,3552516413295920979,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2708 /prefetch:8
  2⤵
  PID:412
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1724,3439379570226843489,3552516413295920979,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3248 /prefetch:1
  2⤵
  PID:1292
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1724,3439379570226843489,3552516413295920979,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3268 /prefetch:1
  2⤵
  PID:2900
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1724,3439379570226843489,3552516413295920979,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4684 /prefetch:1
  2⤵
  PID:1972
- C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1724,3439379570226843489,3552516413295920979,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4076 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4612
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1724,3439379570226843489,3552516413295920979,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5372 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3956
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1724,3439379570226843489,3552516413295920979,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3340 /prefetch:8
  2⤵
  - NTFS ADS
  - Suspicious behavior: EnumeratesProcesses
  PID:788
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1724,3439379570226843489,3552516413295920979,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5432 /prefetch:1
  2⤵
  PID:2976

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:432

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2780

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:2216

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:3028

C:\Program Files\7-Zip\7zG.exe
"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Desktop\rebel\" -an -ai#7zMap14571:78:7zEvent24190
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:4928

C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\rebel\Rebel\ReadMe.txt
1⤵
- Opens file in notepad (likely ransom note)
PID:4208

C:\Users\Admin\Desktop\rebel\Rebel\RebelCracked.exe
"C:\Users\Admin\Desktop\rebel\Rebel\RebelCracked.exe"
1⤵
- Executes dropped EXE
PID:2564
- C:\Users\Admin\AppData\Local\RuntimeBroker.exe
  "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  PID:3408
- - C:\Users\Admin\AppData\Local\RuntimeBroker.exe
    "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
    3⤵
    - Executes dropped EXE
    - Drops desktop.ini file(s)
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2596
  - - C:\Windows\SysWOW64\cmd.exe
      "cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All
      4⤵
      System Location Discovery: System Language Discovery
      System Network Configuration Discovery: Wi-Fi Discovery
      PID:3452
    - - C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:4368
    - - C:\Windows\SysWOW64\netsh.exe
        
        netsh wlan show profile
        5⤵
        Event Triggered Execution: Netsh Helper DLL
        System Location Discovery: System Language Discovery
        System Network Configuration Discovery: Wi-Fi Discovery
        
        PID:1576
    - - C:\Windows\SysWOW64\findstr.exe
        
        findstr All
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:740
  - - C:\Windows\SysWOW64\cmd.exe
      "cmd.exe" /C chcp 65001 && netsh wlan show networks mode=bssid
      4⤵
      System Location Discovery: System Language Discovery
      PID:1096
    - - C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:4624
    - - C:\Windows\SysWOW64\netsh.exe
        
        netsh wlan show networks mode=bssid
        5⤵
        Event Triggered Execution: Netsh Helper DLL
        System Location Discovery: System Language Discovery
        
        PID:3684
- C:\Users\Admin\Desktop\rebel\Rebel\RebelCracked.exe
  "C:\Users\Admin\Desktop\rebel\Rebel\RebelCracked.exe"
  2⤵
  - Executes dropped EXE
  PID:3664
- - C:\Users\Admin\AppData\Local\RuntimeBroker.exe
    "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    PID:5056
  - - C:\Users\Admin\AppData\Local\RuntimeBroker.exe
      "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
      4⤵
      Executes dropped EXE
      Drops desktop.ini file(s)
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:1768
    - - C:\Windows\SysWOW64\cmd.exe
        
        "cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All
        5⤵
        System Location Discovery: System Language Discovery
        System Network Configuration Discovery: Wi-Fi Discovery
        
        PID:2288
      - C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:4604
      - C:\Windows\SysWOW64\netsh.exe
        
        netsh wlan show profile
        6⤵
        Event Triggered Execution: Netsh Helper DLL
        System Location Discovery: System Language Discovery
        System Network Configuration Discovery: Wi-Fi Discovery
        
        PID:4116
      - C:\Windows\SysWOW64\findstr.exe
        
        findstr All
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:3060
    - - C:\Windows\SysWOW64\cmd.exe
        
        "cmd.exe" /C chcp 65001 && netsh wlan show networks mode=bssid
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:4344
      - C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:2572
      - C:\Windows\SysWOW64\netsh.exe
        
        netsh wlan show networks mode=bssid
        6⤵
        Event Triggered Execution: Netsh Helper DLL
        System Location Discovery: System Language Discovery
        
        PID:2664
- - C:\Users\Admin\Desktop\rebel\Rebel\RebelCracked.exe
    "C:\Users\Admin\Desktop\rebel\Rebel\RebelCracked.exe"
    3⤵
    - Executes dropped EXE
    PID:3708
  - - C:\Users\Admin\AppData\Local\RuntimeBroker.exe
      "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of SetThreadContext
      System Location Discovery: System Language Discovery
      PID:2724
    - - C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        5⤵
        Executes dropped EXE
        Drops desktop.ini file(s)
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:980
      - C:\Windows\SysWOW64\cmd.exe
        
        "cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All
        6⤵
        System Location Discovery: System Language Discovery
        System Network Configuration Discovery: Wi-Fi Discovery
        
        PID:1216
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:3528
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh wlan show profile
        7⤵
        Event Triggered Execution: Netsh Helper DLL
        System Location Discovery: System Language Discovery
        System Network Configuration Discovery: Wi-Fi Discovery
        
        PID:4016
        
        C:\Windows\SysWOW64\findstr.exe
        
        findstr All
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:4732
      - C:\Windows\SysWOW64\cmd.exe
        
        "cmd.exe" /C chcp 65001 && netsh wlan show networks mode=bssid
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:3616
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:2320
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh wlan show networks mode=bssid
        7⤵
        Event Triggered Execution: Netsh Helper DLL
        System Location Discovery: System Language Discovery
        
        PID:3644
  - - C:\Users\Admin\Desktop\rebel\Rebel\RebelCracked.exe
      "C:\Users\Admin\Desktop\rebel\Rebel\RebelCracked.exe"
      4⤵
      Executes dropped EXE
      PID:3988
    - - C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:1116
      - C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        6⤵
        Executes dropped EXE
        Drops desktop.ini file(s)
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1140
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All
        7⤵
        System Network Configuration Discovery: Wi-Fi Discovery
        
        PID:4328
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        8⤵
        
        PID:2036
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh wlan show profile
        8⤵
        System Network Configuration Discovery: Wi-Fi Discovery
        
        PID:4592
        
        C:\Windows\SysWOW64\findstr.exe
        
        findstr All
        8⤵
        
        PID:3200
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd.exe" /C chcp 65001 && netsh wlan show networks mode=bssid
        7⤵
        
        PID:1268
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        8⤵
        
        PID:3892
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh wlan show networks mode=bssid
        8⤵
        
        PID:1340
    - - C:\Users\Admin\Desktop\rebel\Rebel\RebelCracked.exe
        
        "C:\Users\Admin\Desktop\rebel\Rebel\RebelCracked.exe"
        5⤵
        Executes dropped EXE
        
        PID:1432
      - C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        6⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:788
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        7⤵
        Executes dropped EXE
        Drops desktop.ini file(s)
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:3412
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All
        8⤵
        System Network Configuration Discovery: Wi-Fi Discovery
        
        PID:2268
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        9⤵
        
        PID:2912
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh wlan show profile
        9⤵
        System Network Configuration Discovery: Wi-Fi Discovery
        
        PID:2196
        
        C:\Windows\SysWOW64\findstr.exe
        
        findstr All
        9⤵
        
        PID:1012
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd.exe" /C chcp 65001 && netsh wlan show networks mode=bssid
        8⤵
        
        PID:1148
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        9⤵
        
        PID:1528
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh wlan show networks mode=bssid
        9⤵
        
        PID:4832
      - C:\Users\Admin\Desktop\rebel\Rebel\RebelCracked.exe
        
        "C:\Users\Admin\Desktop\rebel\Rebel\RebelCracked.exe"
        6⤵
        Executes dropped EXE
        
        PID:2080
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        7⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:228
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        8⤵
        
        PID:1784
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        8⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:3668
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All
        9⤵
        System Network Configuration Discovery: Wi-Fi Discovery
        
        PID:3936
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        10⤵
        
        PID:644
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh wlan show profile
        10⤵
        System Network Configuration Discovery: Wi-Fi Discovery
        
        PID:5080
        
        C:\Windows\SysWOW64\findstr.exe
        
        findstr All
        10⤵
        
        PID:4872
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd.exe" /C chcp 65001 && netsh wlan show networks mode=bssid
        9⤵
        
        PID:1940
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        10⤵
        
        PID:3664
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh wlan show networks mode=bssid
        10⤵
        
        PID:104
        
        C:\Users\Admin\Desktop\rebel\Rebel\RebelCracked.exe
        
        "C:\Users\Admin\Desktop\rebel\Rebel\RebelCracked.exe"
        7⤵
        Executes dropped EXE
        
        PID:1728
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        8⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:4228
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        9⤵
        
        PID:1856
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        9⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:1088
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All
        10⤵
        System Network Configuration Discovery: Wi-Fi Discovery
        
        PID:2876
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        11⤵
        
        PID:4120
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh wlan show profile
        11⤵
        System Network Configuration Discovery: Wi-Fi Discovery
        
        PID:480
        
        C:\Windows\SysWOW64\findstr.exe
        
        findstr All
        11⤵
        
        PID:4980
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd.exe" /C chcp 65001 && netsh wlan show networks mode=bssid
        10⤵
        
        PID:3116
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        11⤵
        
        PID:2756
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh wlan show networks mode=bssid
        11⤵
        
        PID:3200
        
        C:\Users\Admin\Desktop\rebel\Rebel\RebelCracked.exe
        
        "C:\Users\Admin\Desktop\rebel\Rebel\RebelCracked.exe"
        8⤵
        Executes dropped EXE
        
        PID:2848
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        9⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:1532
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        10⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:4308
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All
        11⤵
        System Network Configuration Discovery: Wi-Fi Discovery
        
        PID:400
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        12⤵
        
        PID:1544
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh wlan show profile
        12⤵
        System Network Configuration Discovery: Wi-Fi Discovery
        
        PID:1356
        
        C:\Windows\SysWOW64\findstr.exe
        
        findstr All
        12⤵
        
        PID:4872
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd.exe" /C chcp 65001 && netsh wlan show networks mode=bssid
        11⤵
        
        PID:896
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        12⤵
        
        PID:4696
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh wlan show networks mode=bssid
        12⤵
        
        PID:4832
        
        C:\Users\Admin\Desktop\rebel\Rebel\RebelCracked.exe
        
        "C:\Users\Admin\Desktop\rebel\Rebel\RebelCracked.exe"
        9⤵
        Executes dropped EXE
        
        PID:4928
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        10⤵
        
        PID:3356
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        11⤵
        
        PID:4868
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All
        12⤵
        System Network Configuration Discovery: Wi-Fi Discovery
        
        PID:2764
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        13⤵
        
        PID:2284
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh wlan show profile
        13⤵
        System Network Configuration Discovery: Wi-Fi Discovery
        
        PID:1012
        
        C:\Windows\SysWOW64\findstr.exe
        
        findstr All
        13⤵
        
        PID:2436
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd.exe" /C chcp 65001 && netsh wlan show networks mode=bssid
        12⤵
        
        PID:4132
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        13⤵
        
        PID:4660
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh wlan show networks mode=bssid
        13⤵
        
        PID:5108
        
        C:\Users\Admin\Desktop\rebel\Rebel\RebelCracked.exe
        
        "C:\Users\Admin\Desktop\rebel\Rebel\RebelCracked.exe"
        10⤵
        
        PID:3700
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        11⤵
        
        PID:1100
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        12⤵
        
        PID:2168
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All
        13⤵
        System Network Configuration Discovery: Wi-Fi Discovery
        
        PID:4328
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        14⤵
        
        PID:3148
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh wlan show profile
        14⤵
        System Network Configuration Discovery: Wi-Fi Discovery
        
        PID:3028
        
        C:\Windows\SysWOW64\findstr.exe
        
        findstr All
        14⤵
        
        PID:388
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd.exe" /C chcp 65001 && netsh wlan show networks mode=bssid
        13⤵
        
        PID:2632
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        14⤵
        
        PID:2472
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh wlan show networks mode=bssid
        14⤵
        
        PID:4136
        
        C:\Users\Admin\Desktop\rebel\Rebel\RebelCracked.exe
        
        "C:\Users\Admin\Desktop\rebel\Rebel\RebelCracked.exe"
        11⤵
        
        PID:3988
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        12⤵
        
        PID:2104
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        13⤵
        
        PID:4616
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All
        14⤵
        System Network Configuration Discovery: Wi-Fi Discovery
        
        PID:4600
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        15⤵
        
        PID:2472
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh wlan show profile
        15⤵
        System Network Configuration Discovery: Wi-Fi Discovery
        
        PID:3988
        
        C:\Windows\SysWOW64\findstr.exe
        
        findstr All
        15⤵
        
        PID:1528
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd.exe" /C chcp 65001 && netsh wlan show networks mode=bssid
        14⤵
        
        PID:4636
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        15⤵
        
        PID:2036
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh wlan show networks mode=bssid
        15⤵
        
        PID:4920
        
        C:\Users\Admin\Desktop\rebel\Rebel\RebelCracked.exe
        
        "C:\Users\Admin\Desktop\rebel\Rebel\RebelCracked.exe"
        12⤵
        
        PID:4632
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        13⤵
        
        PID:1776
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        14⤵
        
        PID:4680
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All
        15⤵
        System Network Configuration Discovery: Wi-Fi Discovery
        
        PID:1756
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        16⤵
        
        PID:2800
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh wlan show profile
        16⤵
        System Network Configuration Discovery: Wi-Fi Discovery
        
        PID:4260
        
        C:\Windows\SysWOW64\findstr.exe
        
        findstr All
        16⤵
        
        PID:1604
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd.exe" /C chcp 65001 && netsh wlan show networks mode=bssid
        15⤵
        
        PID:3988
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        16⤵
        
        PID:1996
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh wlan show networks mode=bssid
        16⤵
        
        PID:1924
        
        C:\Users\Admin\Desktop\rebel\Rebel\RebelCracked.exe
        
        "C:\Users\Admin\Desktop\rebel\Rebel\RebelCracked.exe"
        13⤵
        
        PID:2704
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        14⤵
        
        PID:2008
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        15⤵
        
        PID:4836
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        15⤵
        
        PID:4608
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        15⤵
        
        PID:4996
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        15⤵
        
        PID:4756
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        15⤵
        
        PID:992
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All
        16⤵
        System Network Configuration Discovery: Wi-Fi Discovery
        
        PID:5096
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        17⤵
        
        PID:1176
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh wlan show profile
        17⤵
        System Network Configuration Discovery: Wi-Fi Discovery
        
        PID:124
        
        C:\Windows\SysWOW64\findstr.exe
        
        findstr All
        17⤵
        
        PID:3160
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd.exe" /C chcp 65001 && netsh wlan show networks mode=bssid
        16⤵
        
        PID:2844
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        17⤵
        
        PID:1396
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh wlan show networks mode=bssid
        17⤵
        
        PID:2420
        
        C:\Users\Admin\Desktop\rebel\Rebel\RebelCracked.exe
        
        "C:\Users\Admin\Desktop\rebel\Rebel\RebelCracked.exe"
        14⤵
        
        PID:3892
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        15⤵
        
        PID:3936
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        16⤵
        
        PID:644
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All
        17⤵
        System Network Configuration Discovery: Wi-Fi Discovery
        
        PID:2168
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        18⤵
        
        PID:2484
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh wlan show profile
        18⤵
        System Network Configuration Discovery: Wi-Fi Discovery
        
        PID:236
        
        C:\Windows\SysWOW64\findstr.exe
        
        findstr All
        18⤵
        
        PID:4720
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd.exe" /C chcp 65001 && netsh wlan show networks mode=bssid
        17⤵
        
        PID:716
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        18⤵
        
        PID:4776
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh wlan show networks mode=bssid
        18⤵
        
        PID:2912
        
        C:\Users\Admin\Desktop\rebel\Rebel\RebelCracked.exe
        
        "C:\Users\Admin\Desktop\rebel\Rebel\RebelCracked.exe"
        15⤵
        
        PID:4632
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        16⤵
        
        PID:3348
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        17⤵
        
        PID:1576
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All
        18⤵
        System Network Configuration Discovery: Wi-Fi Discovery
        
        PID:4380
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        19⤵
        
        PID:236
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh wlan show profile
        19⤵
        System Network Configuration Discovery: Wi-Fi Discovery
        
        PID:4728
        
        C:\Windows\SysWOW64\findstr.exe
        
        findstr All
        19⤵
        
        PID:2756
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd.exe" /C chcp 65001 && netsh wlan show networks mode=bssid
        18⤵
        
        PID:4624
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        19⤵
        
        PID:1096
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        19⤵
        
        PID:4900
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh wlan show networks mode=bssid
        19⤵
        
        PID:1964
        
        C:\Users\Admin\Desktop\rebel\Rebel\RebelCracked.exe
        
        "C:\Users\Admin\Desktop\rebel\Rebel\RebelCracked.exe"
        16⤵
        
        PID:2756
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        17⤵
        
        PID:2288
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        18⤵
        
        PID:3664
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All
        19⤵
        System Network Configuration Discovery: Wi-Fi Discovery
        
        PID:4308
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        20⤵
        
        PID:3312
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh wlan show profile
        20⤵
        System Network Configuration Discovery: Wi-Fi Discovery
        
        PID:2816
        
        C:\Windows\SysWOW64\findstr.exe
        
        findstr All
        20⤵
        
        PID:3092
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd.exe" /C chcp 65001 && netsh wlan show networks mode=bssid
        19⤵
        
        PID:3900
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        20⤵
        
        PID:1700
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh wlan show networks mode=bssid
        20⤵
        
        PID:4868
        
        C:\Users\Admin\Desktop\rebel\Rebel\RebelCracked.exe
        
        "C:\Users\Admin\Desktop\rebel\Rebel\RebelCracked.exe"
        17⤵
        
        PID:3332
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        18⤵
        
        PID:1500
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        19⤵
        
        PID:2124
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All
        20⤵
        System Network Configuration Discovery: Wi-Fi Discovery
        
        PID:3620
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        21⤵
        
        PID:4260
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh wlan show profile
        21⤵
        System Network Configuration Discovery: Wi-Fi Discovery
        
        PID:2484
        
        C:\Windows\SysWOW64\findstr.exe
        
        findstr All
        21⤵
        
        PID:2636
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd.exe" /C chcp 65001 && netsh wlan show networks mode=bssid
        20⤵
        
        PID:5156
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        21⤵
        
        PID:5272
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh wlan show networks mode=bssid
        21⤵
        
        PID:5304
        
        C:\Users\Admin\Desktop\rebel\Rebel\RebelCracked.exe
        
        "C:\Users\Admin\Desktop\rebel\Rebel\RebelCracked.exe"
        18⤵
        
        PID:4208
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        19⤵
        
        PID:3900
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        20⤵
        
        PID:2244
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All
        21⤵
        System Network Configuration Discovery: Wi-Fi Discovery
        
        PID:5560
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        22⤵
        
        PID:5708
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh wlan show profile
        22⤵
        System Network Configuration Discovery: Wi-Fi Discovery
        
        PID:5780
        
        C:\Windows\SysWOW64\findstr.exe
        
        findstr All
        22⤵
        
        PID:5796
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd.exe" /C chcp 65001 && netsh wlan show networks mode=bssid
        21⤵
        
        PID:1368
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        22⤵
        
        PID:3848
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh wlan show networks mode=bssid
        22⤵
        
        PID:2820
        
        C:\Users\Admin\Desktop\rebel\Rebel\RebelCracked.exe
        
        "C:\Users\Admin\Desktop\rebel\Rebel\RebelCracked.exe"
        19⤵
        
        PID:1756
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        20⤵
        
        PID:4208
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        21⤵
        
        PID:3200
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        21⤵
        
        PID:4008
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        21⤵
        
        PID:4784
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All
        22⤵
        System Network Configuration Discovery: Wi-Fi Discovery
        
        PID:948
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        23⤵
        
        PID:1304
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh wlan show profile
        23⤵
        System Network Configuration Discovery: Wi-Fi Discovery
        
        PID:2480
        
        C:\Windows\SysWOW64\findstr.exe
        
        findstr All
        23⤵
        
        PID:4328
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd.exe" /C chcp 65001 && netsh wlan show networks mode=bssid
        22⤵
        
        PID:3116
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        23⤵
        
        PID:1088
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh wlan show networks mode=bssid
        23⤵
        
        PID:1368
        
        C:\Users\Admin\Desktop\rebel\Rebel\RebelCracked.exe
        
        "C:\Users\Admin\Desktop\rebel\Rebel\RebelCracked.exe"
        20⤵
        
        PID:1996
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        21⤵
        
        PID:1376
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        22⤵
        
        PID:1940
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        22⤵
        
        PID:4172
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All
        23⤵
        System Network Configuration Discovery: Wi-Fi Discovery
        
        PID:3544
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        24⤵
        
        PID:5216
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh wlan show profile
        24⤵
        System Network Configuration Discovery: Wi-Fi Discovery
        
        PID:5440
        
        C:\Windows\SysWOW64\findstr.exe
        
        findstr All
        24⤵
        
        PID:5624
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd.exe" /C chcp 65001 && netsh wlan show networks mode=bssid
        23⤵
        
        PID:5540
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        24⤵
        
        PID:5704
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh wlan show networks mode=bssid
        24⤵
        
        PID:5136
        
        C:\Users\Admin\Desktop\rebel\Rebel\RebelCracked.exe
        
        "C:\Users\Admin\Desktop\rebel\Rebel\RebelCracked.exe"
        21⤵
        
        PID:1028
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        22⤵
        
        PID:124
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        23⤵
        
        PID:3908
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All
        24⤵
        System Network Configuration Discovery: Wi-Fi Discovery
        
        PID:5804
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        25⤵
        
        PID:5964
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh wlan show profile
        25⤵
        System Network Configuration Discovery: Wi-Fi Discovery
        
        PID:5124
        
        C:\Windows\SysWOW64\findstr.exe
        
        findstr All
        25⤵
        
        PID:5240
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd.exe" /C chcp 65001 && netsh wlan show networks mode=bssid
        24⤵
        
        PID:6068
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        25⤵
        
        PID:6124
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh wlan show networks mode=bssid
        25⤵
        
        PID:5992
        
        C:\Users\Admin\Desktop\rebel\Rebel\RebelCracked.exe
        
        "C:\Users\Admin\Desktop\rebel\Rebel\RebelCracked.exe"
        22⤵
        
        PID:1544
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        23⤵
        
        PID:3644
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        24⤵
        
        PID:1680
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All
        25⤵
        System Network Configuration Discovery: Wi-Fi Discovery
        
        PID:5480
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        26⤵
        
        PID:5704
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh wlan show profile
        26⤵
        System Network Configuration Discovery: Wi-Fi Discovery
        
        PID:6068
        
        C:\Windows\SysWOW64\findstr.exe
        
        findstr All
        26⤵
        
        PID:5616
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd.exe" /C chcp 65001 && netsh wlan show networks mode=bssid
        25⤵
        
        PID:5304
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        26⤵
        
        PID:5692
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh wlan show networks mode=bssid
        26⤵
        
        PID:5516
        
        C:\Users\Admin\Desktop\rebel\Rebel\RebelCracked.exe
        
        "C:\Users\Admin\Desktop\rebel\Rebel\RebelCracked.exe"
        23⤵
        
        PID:404
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        24⤵
        
        PID:4328
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        25⤵
        
        PID:4552
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All
        26⤵
        System Network Configuration Discovery: Wi-Fi Discovery
        
        PID:5820
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        27⤵
        
        PID:5584
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh wlan show profile
        27⤵
        System Network Configuration Discovery: Wi-Fi Discovery
        
        PID:748
        
        C:\Windows\SysWOW64\findstr.exe
        
        findstr All
        27⤵
        
        PID:5828
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd.exe" /C chcp 65001 && netsh wlan show networks mode=bssid
        26⤵
        
        PID:6088
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        27⤵
        
        PID:5592
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh wlan show networks mode=bssid
        27⤵
        
        PID:404
        
        C:\Users\Admin\Desktop\rebel\Rebel\RebelCracked.exe
        
        "C:\Users\Admin\Desktop\rebel\Rebel\RebelCracked.exe"
        24⤵
        
        PID:2284
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        25⤵
        
        PID:1996
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        26⤵
        
        PID:1568
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All
        27⤵
        System Network Configuration Discovery: Wi-Fi Discovery
        
        PID:5920
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        28⤵
        
        PID:5584
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh wlan show profile
        28⤵
        System Network Configuration Discovery: Wi-Fi Discovery
        
        PID:5148
        
        C:\Windows\SysWOW64\findstr.exe
        
        findstr All
        28⤵
        
        PID:5208
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd.exe" /C chcp 65001 && netsh wlan show networks mode=bssid
        27⤵
        
        PID:1304
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        28⤵
        
        PID:5540
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh wlan show networks mode=bssid
        28⤵
        
        PID:6000
        
        C:\Users\Admin\Desktop\rebel\Rebel\RebelCracked.exe
        
        "C:\Users\Admin\Desktop\rebel\Rebel\RebelCracked.exe"
        25⤵
        
        PID:1304
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        26⤵
        
        PID:5112
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        27⤵
        
        PID:1996
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All
        28⤵
        System Network Configuration Discovery: Wi-Fi Discovery
        
        PID:5960
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        29⤵
        
        PID:6016
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh wlan show profile
        29⤵
        System Network Configuration Discovery: Wi-Fi Discovery
        
        PID:6056
        
        C:\Windows\SysWOW64\findstr.exe
        
        findstr All
        29⤵
        
        PID:6140
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd.exe" /C chcp 65001 && netsh wlan show networks mode=bssid
        28⤵
        
        PID:124
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        29⤵
        
        PID:2744
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh wlan show networks mode=bssid
        29⤵
        
        PID:5508
        
        C:\Users\Admin\Desktop\rebel\Rebel\RebelCracked.exe
        
        "C:\Users\Admin\Desktop\rebel\Rebel\RebelCracked.exe"
        26⤵
        
        PID:3312
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        27⤵
        
        PID:1340
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        28⤵
        
        PID:2420
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All
        29⤵
        System Network Configuration Discovery: Wi-Fi Discovery
        
        PID:6020
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        30⤵
        
        PID:748
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh wlan show profile
        30⤵
        System Network Configuration Discovery: Wi-Fi Discovery
        
        PID:2536
        
        C:\Windows\SysWOW64\findstr.exe
        
        findstr All
        30⤵
        
        PID:3116
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd.exe" /C chcp 65001 && netsh wlan show networks mode=bssid
        29⤵
        
        PID:3544
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        30⤵
        
        PID:5608
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh wlan show networks mode=bssid
        30⤵
        
        PID:5788
        
        C:\Users\Admin\Desktop\rebel\Rebel\RebelCracked.exe
        
        "C:\Users\Admin\Desktop\rebel\Rebel\RebelCracked.exe"
        27⤵
        
        PID:1924
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        28⤵
        
        PID:4916
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        29⤵
        
        PID:3876
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All
        30⤵
        System Network Configuration Discovery: Wi-Fi Discovery
        
        PID:5968
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        31⤵
        
        PID:4260
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh wlan show profile
        31⤵
        System Network Configuration Discovery: Wi-Fi Discovery
        
        PID:4920
        
        C:\Windows\SysWOW64\findstr.exe
        
        findstr All
        31⤵
        
        PID:5164
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd.exe" /C chcp 65001 && netsh wlan show networks mode=bssid
        30⤵
        
        PID:5692
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        31⤵
        
        PID:5848
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh wlan show networks mode=bssid
        31⤵
        
        PID:5720
        
        C:\Users\Admin\Desktop\rebel\Rebel\RebelCracked.exe
        
        "C:\Users\Admin\Desktop\rebel\Rebel\RebelCracked.exe"
        28⤵
        
        PID:2140
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        29⤵
        
        PID:2816
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        30⤵
        
        PID:1328
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All
        31⤵
        System Network Configuration Discovery: Wi-Fi Discovery
        
        PID:5104
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        32⤵
        
        PID:4728
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh wlan show profile
        32⤵
        System Network Configuration Discovery: Wi-Fi Discovery
        
        PID:5352
        
        C:\Windows\SysWOW64\findstr.exe
        
        findstr All
        32⤵
        
        PID:5316
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd.exe" /C chcp 65001 && netsh wlan show networks mode=bssid
        31⤵
        
        PID:5512
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        32⤵
        
        PID:6132
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh wlan show networks mode=bssid
        32⤵
        
        PID:5252
        
        C:\Users\Admin\Desktop\rebel\Rebel\RebelCracked.exe
        
        "C:\Users\Admin\Desktop\rebel\Rebel\RebelCracked.exe"
        29⤵
        
        PID:3848
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        30⤵
        
        PID:1696
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        31⤵
        
        PID:1412
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All
        32⤵
        System Network Configuration Discovery: Wi-Fi Discovery
        
        PID:4112
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        33⤵
        
        PID:5076
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh wlan show profile
        33⤵
        System Network Configuration Discovery: Wi-Fi Discovery
        
        PID:6028
        
        C:\Windows\SysWOW64\findstr.exe
        
        findstr All
        33⤵
        
        PID:6072
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd.exe" /C chcp 65001 && netsh wlan show networks mode=bssid
        32⤵
        
        PID:5352
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        33⤵
        
        PID:6096
        
        C:\Users\Admin\Desktop\rebel\Rebel\RebelCracked.exe
        
        "C:\Users\Admin\Desktop\rebel\Rebel\RebelCracked.exe"
        30⤵
        
        PID:4228
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        31⤵
        
        PID:5576
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        32⤵
        
        PID:5696
        
        C:\Users\Admin\Desktop\rebel\Rebel\RebelCracked.exe
        
        "C:\Users\Admin\Desktop\rebel\Rebel\RebelCracked.exe"
        31⤵
        
        PID:5624
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        32⤵
        
        PID:5364
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        33⤵
        
        PID:5484
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All
        34⤵
        System Network Configuration Discovery: Wi-Fi Discovery
        
        PID:5512
        
        C:\Users\Admin\Desktop\rebel\Rebel\RebelCracked.exe
        
        "C:\Users\Admin\Desktop\rebel\Rebel\RebelCracked.exe"
        32⤵
        
        PID:5448
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        33⤵
        
        PID:5204
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        34⤵
        
        PID:5360
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        34⤵
        
        PID:1096
        
        C:\Users\Admin\Desktop\rebel\Rebel\RebelCracked.exe
        
        "C:\Users\Admin\Desktop\rebel\Rebel\RebelCracked.exe"
        33⤵
        
        PID:5244
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        34⤵
        
        PID:2636
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        35⤵
        
        PID:5248
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All
        36⤵
        System Network Configuration Discovery: Wi-Fi Discovery
        
        PID:6140
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        37⤵
        
        PID:2336
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh wlan show profile
        37⤵
        System Network Configuration Discovery: Wi-Fi Discovery
        
        PID:5764
        
        C:\Windows\SysWOW64\findstr.exe
        
        findstr All
        37⤵
        
        PID:2712
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd.exe" /C chcp 65001 && netsh wlan show networks mode=bssid
        36⤵
        
        PID:4112
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        37⤵
        
        PID:5124
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh wlan show networks mode=bssid
        37⤵
        
        PID:4816
        
        C:\Users\Admin\Desktop\rebel\Rebel\RebelCracked.exe
        
        "C:\Users\Admin\Desktop\rebel\Rebel\RebelCracked.exe"
        34⤵
        
        PID:5332
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        35⤵
        
        PID:5580
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        36⤵
        
        PID:5240
        
        C:\Users\Admin\Desktop\rebel\Rebel\RebelCracked.exe
        
        "C:\Users\Admin\Desktop\rebel\Rebel\RebelCracked.exe"
        35⤵
        
        PID:5236
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        36⤵
        
        PID:5756
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        37⤵
        
        PID:5836
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All
        38⤵
        System Network Configuration Discovery: Wi-Fi Discovery
        
        PID:6072
        
        C:\Users\Admin\Desktop\rebel\Rebel\RebelCracked.exe
        
        "C:\Users\Admin\Desktop\rebel\Rebel\RebelCracked.exe"
        36⤵
        
        PID:5764
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        37⤵
        
        PID:2800
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        38⤵
        
        PID:1924
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        38⤵
        
        PID:5508
        
        C:\Users\Admin\Desktop\rebel\Rebel\RebelCracked.exe
        
        "C:\Users\Admin\Desktop\rebel\Rebel\RebelCracked.exe"
        37⤵
        
        PID:5716
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        38⤵
        
        PID:2484
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        39⤵
        
        PID:5676
        
        C:\Users\Admin\Desktop\rebel\Rebel\RebelCracked.exe
        
        "C:\Users\Admin\Desktop\rebel\Rebel\RebelCracked.exe"
        38⤵
        
        PID:5468
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        39⤵
        
        PID:5444
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        40⤵
        
        PID:5344
        
        C:\Users\Admin\Desktop\rebel\Rebel\RebelCracked.exe
        
        "C:\Users\Admin\Desktop\rebel\Rebel\RebelCracked.exe"
        39⤵
        
        PID:5752
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        40⤵
        
        PID:5164
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        41⤵
        
        PID:5648
        
        C:\Users\Admin\Desktop\rebel\Rebel\RebelCracked.exe
        
        "C:\Users\Admin\Desktop\rebel\Rebel\RebelCracked.exe"
        40⤵
        
        PID:5856
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        41⤵
        
        PID:5844
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        42⤵
        
        PID:5572
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        42⤵
        
        PID:6076
        
        C:\Users\Admin\Desktop\rebel\Rebel\RebelCracked.exe
        
        "C:\Users\Admin\Desktop\rebel\Rebel\RebelCracked.exe"
        41⤵
        
        PID:5392
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        42⤵
        
        PID:4228
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        43⤵
        
        PID:4776
        
        C:\Users\Admin\Desktop\rebel\Rebel\RebelCracked.exe
        
        "C:\Users\Admin\Desktop\rebel\Rebel\RebelCracked.exe"
        42⤵
        
        PID:5524
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        43⤵
        
        PID:2284
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        44⤵
        
        PID:5516
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        44⤵
        
        PID:5804
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        44⤵
        
        PID:5372
        
        C:\Users\Admin\Desktop\rebel\Rebel\RebelCracked.exe
        
        "C:\Users\Admin\Desktop\rebel\Rebel\RebelCracked.exe"
        43⤵
        
        PID:5996

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Privilege Escalation

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Defense Evasion

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

System Network Configuration Discovery

T1016

Wi-Fi Discovery

T1016.002

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\0dc2e9767170cf0916b3334bad14c83d\Admin@ITMJLVNR_en-US\Directories\Temp.txt

Filesize
4KB

MD5
ecf1165d1f60cdc60bb1f801d636a91b

SHA1
5d22d9a9755754c77a201c2d4b8b5f080a658cbb

SHA256
9769ab6b1db06a8b7a9d2f632d5283c03cb09a448c24cf178e5e3db9dbe10e3a

SHA512
949c8eba8f8d698bd090ab3e31f337601cb0243457f0cd8a28f10bba41d609429171642b15a2fee3cdeebf3bd7713a231a9e182f32f9e968c2f5bea8fe199321

Download Submit
C:\Users\Admin\AppData\Local\0dc2e9767170cf0916b3334bad14c83d\Admin@ITMJLVNR_en-US\System\Process.txt

Filesize
4KB

MD5
75a261febd5c349ed801fc2e574e90e5

SHA1
a8e502f4eaaa9c2b6d2378765b757783269d9f0d

SHA256
e93fa7a900794e3a041786a49769e3447b3d59672c0bf1e3d2091d6991a84c76

SHA512
55bf6d2b1e0f9ee05d1aaedd80be9c1c4852e85e98d944afb4b2251f17c03fe9e6d70eb3d71835540b68e0c58539f8ff862f97f5f5daf826b28dcb08459ee087

Download Submit
C:\Users\Admin\AppData\Local\0dc2e9767170cf0916b3334bad14c83d\Admin@ITMJLVNR_en-US\System\Process.txt

Filesize
4KB

MD5
9886c090bfb434d8d9c56f36b3097b8c

SHA1
fdf899e1d64c8e4ab9a30bbc52faeddbef0fa049

SHA256
e62a3edc01115dc6dbae554071531fed4d477677640cb982d8de2220fbe74d2c

SHA512
6a10981d0f4026221efa51b6472396958526e10b7d692835c71adbf83aacd655c7646f183bd16969b784a030e8f777e5928592f3c10c66826b91444f4bb6589c

Download Submit
C:\Users\Admin\AppData\Local\0dc2e9767170cf0916b3334bad14c83d\Admin@ITMJLVNR_en-US\System\Process.txt

Filesize
325B

MD5
f15e77bea44a7d21ceca149e26d3a65e

SHA1
669c870dbe2e302c5d5eefb126be429436a5a3bb

SHA256
055df87440683abad84bfe4b04711f5ffd269f35febff8321ef8c9d2ed5b0b2b

SHA512
1122545c21dddccd9df98ce0e454939ee33eddb676d2c2f6bb8981121d5af9cddf221e965636198f946d08c81af881609e7fb367c3b7d92424dd2572ac0a2883

Download Submit
C:\Users\Admin\AppData\Local\0dc2e9767170cf0916b3334bad14c83d\Admin@ITMJLVNR_en-US\System\Process.txt

Filesize
389B

MD5
4310375b1d01a1750ffadb32fceaa877

SHA1
62f17406bb7d40cb62b10d83c9d5d13fd1f88076

SHA256
07ba0ad3846fc1fac0a10e51bfbab7dd68265db7e55549e329541c84e0783d7c

SHA512
4c26d9a2e31914f1766ae38d234e65a5dc4fee3d838eff1f12ad376657906ee2c4c07c6567020e96b82a2e9c7d8ff77b058f1cb72529ef4915c20fd577ea917d

Download Submit
C:\Users\Admin\AppData\Local\0dc2e9767170cf0916b3334bad14c83d\Admin@ITMJLVNR_en-US\System\Process.txt

Filesize
4KB

MD5
6b115ab326456d2a6099d597dec4659c

SHA1
d1c535ef94b351ae6353c73539d30dea22539f84

SHA256
95b3322454eaa2b5e23f4fd94210a43893625d09d7feb0e0342ecece00a5c044

SHA512
255b66e61e0c675583e923fdc65c920bf734288a7a77aeeb2b9b6c0f1e59085dd43985c07ca0dfabc69575b17a642f8285a8da1ec487f91be592e324ef21033f

Download Submit
C:\Users\Admin\AppData\Local\0dc2e9767170cf0916b3334bad14c83d\Admin@ITMJLVNR_en-US\System\ScanningNetworks.txt

Filesize
168B

MD5
9f11565dd11db9fb676140e888f22313

SHA1
35ae1ce345de569db59b52ed9aee5d83fea37635

SHA256
bd652c6bfa16a30133dd622f065e53aee489e9066e81ecb883af1c3892af727d

SHA512
d70edbd84693afbdb90424b9f72a4bd4a51bd27c719506e17a58b171c251046aea23ca7228ccd8b98b47cd8eb1227bc2d90a07c4f50e8b080f9a41d253935ace

Download Submit
C:\Users\Admin\AppData\Local\0dc2e9767170cf0916b3334bad14c83d\msgid.dat

Filesize
1B

MD5
cfcd208495d565ef66e7dff9f98764da

SHA1
b6589fc6ab0dc82cf12099d1c2d40ab994e8410c

SHA256
5feceb66ffc86f38d952786c6d696c79c2dbc239dd4e91b46729d73a27fb57e9

SHA512
31bca02094eb78126a517b206a88c73cfa9ec6f704c7030d18212cace820f025f00bf0ea68dbf3f3a5436ca63b53bf7bf80ad8d5de7d8359d0b7fed9dbc3ab99

Download Submit
C:\Users\Admin\AppData\Local\12c9eacd2450ff2a6eb9a8ab73ecc396\Admin@ITMJLVNR_en-US\System\Process.txt

Filesize
1KB

MD5
a905fc6038e95cacba153f814180aaf0

SHA1
7d34bc70b5370b5737137672535fda246b7bcff3

SHA256
93f2d9ab495a2939614531fa3cfd1efb7305dacd40c728eb3563868c2948e58b

SHA512
e2e617401e6bb6d5b513a11ae2f7da9558cf8e6cadc50a9a2b51308b1a682d70f64784a8abbaa0b12254d20b99cd122f41d95d221d4d310b2c33bbe501c61bc0

Download Submit
C:\Users\Admin\AppData\Local\12c9eacd2450ff2a6eb9a8ab73ecc396\Admin@ITMJLVNR_en-US\System\Process.txt

Filesize
4KB

MD5
1a328d5c7b3cb1b60180a45b86eaa90c

SHA1
d668db79b15c8ff18d19af49b1946581046161c1

SHA256
9f1e6d933a7fc6c13030b5dfca32ec5eef4a6bdc2f7afa81289bf12a62ebdf74

SHA512
09ece6353c973faa7ce89dd2fc6a75108a2ec47ebe75c036cf56d2deb40a6e53314f3a9b3e4aa9ca3b8b162765dc70382e1e75b09c31cedd977bc52942774dbc

Download Submit
C:\Users\Admin\AppData\Local\2c3610d0f53b92f61d47286c87f13340\Admin@ITMJLVNR_en-US\System\Process.txt

Filesize
4KB

MD5
5454d181dc977ff4a3c097af439f80a7

SHA1
a367b654cbffae4465513f35b7f3ece5a33af466

SHA256
da138839b6cedb9110e5884e9a93dec25ebc94447761329c836a5a482e77c802

SHA512
5105973f6f6c6b857711ae34713e4dad427aff3106efd92560c0c9cf916d5e69082a005e665a123413e76de5cb5b4fd68522d4e459e23e1bd9b38cca474b4889

Download Submit
C:\Users\Admin\AppData\Local\3a117b6d93ab1aaf2ee3093e0d4f785e\Admin@ITMJLVNR_en-US\Browsers\Firefox\Bookmarks.txt

Filesize
105B

MD5
2e9d094dda5cdc3ce6519f75943a4ff4

SHA1
5d989b4ac8b699781681fe75ed9ef98191a5096c

SHA256
c84c98bbf5e0ef9c8d0708b5d60c5bb656b7d6be5135d7f7a8d25557e08cf142

SHA512
d1f7eed00959e902bdb2125b91721460d3ff99f3bdfc1f2a343d4f58e8d4e5e5a06c0c6cdc0379211c94510f7c00d7a8b34fa7d0ca0c3d54cbbe878f1e9812b7

Download Submit
C:\Users\Admin\AppData\Local\3a117b6d93ab1aaf2ee3093e0d4f785e\Admin@ITMJLVNR_en-US\Directories\Desktop.txt

Filesize
763B

MD5
65a5051fd9e03ca4574620e24e42852a

SHA1
13bda2d96776d8f5a47d0f2386f41520dc1c334c

SHA256
3e447109ca805df1c3cdb0dd4cda9a408b91ca5224b06d496686677c1b8417e3

SHA512
b8a9695c75eea770958b3cbe02985f230ab50811697726ac33d4769667725df11204989675c0e4fccce75c2f76fb787e8a2dc0239c7fc5c4f7d87e543f2618c7

Download Submit
C:\Users\Admin\AppData\Local\3a117b6d93ab1aaf2ee3093e0d4f785e\Admin@ITMJLVNR_en-US\Directories\Documents.txt

Filesize
476B

MD5
927754182542fc8eb1e87d7defbc98ff

SHA1
1412c0bc1b906e5f317978caeda2ebc4b287e126

SHA256
ceac2d37758a8241e56b9bf115784f4185ec3191ce14a5453fcdbebe0f323201

SHA512
a563178d94b7c60380a19b2995b854016537c55078b78d475248b3290b4f0e2c0c4879b0b8fc88df8285053f1dc784b7ca84313df6426e59f97d8ee224b44a15

Download Submit
C:\Users\Admin\AppData\Local\3a117b6d93ab1aaf2ee3093e0d4f785e\Admin@ITMJLVNR_en-US\Directories\Downloads.txt

Filesize
683B

MD5
8ba228ed3608147b8dc3818af8a7438e

SHA1
f73fa9ca34303aae768049451d97802acba3b17b

SHA256
babf50cb21d00923f6c0da07d0cc3b3e22eca2409dd44007191d4f6479b7f621

SHA512
14652aaee9118b66d5e1a1f8911b30e75a9307332fb5404bbfe181fcf82b51b4f724b28df9cba161f8eeeaf90221667d021e007b282bc94627e84f889899e4eb

Download Submit
C:\Users\Admin\AppData\Local\3a117b6d93ab1aaf2ee3093e0d4f785e\Admin@ITMJLVNR_en-US\Directories\OneDrive.txt

Filesize
25B

MD5
966247eb3ee749e21597d73c4176bd52

SHA1
1e9e63c2872cef8f015d4b888eb9f81b00a35c79

SHA256
8ddfc481b1b6ae30815ecce8a73755862f24b3bb7fdebdbf099e037d53eb082e

SHA512
bd30aec68c070e86e3dec787ed26dd3d6b7d33d83e43cb2d50f9e2cff779fee4c96afbbe170443bd62874073a844beb29a69b10c72c54d7d444a8d86cfd7b5aa

Download Submit
C:\Users\Admin\AppData\Local\3a117b6d93ab1aaf2ee3093e0d4f785e\Admin@ITMJLVNR_en-US\Directories\Pictures.txt

Filesize
838B

MD5
71d6e1ea624e64b7d4ac710c186da9b7

SHA1
55e5514e6e5f1cbe5fecf7910a3f9464b58f1ad1

SHA256
cb43cf85c42f4e6bcc5d3669623e1edc51bc2d3bddd66e5c4c5805c1070b70ef

SHA512
484300d710d295a22b264d274d3b8c9bfbac3696cdb2afbe582f095f4a7f235d4d6f0cf26881723deacdd795c764e6242f32fa918ad289e41e4831c8e8060f62

Download Submit
C:\Users\Admin\AppData\Local\3a117b6d93ab1aaf2ee3093e0d4f785e\Admin@ITMJLVNR_en-US\Directories\Startup.txt

Filesize
24B

MD5
68c93da4981d591704cea7b71cebfb97

SHA1
fd0f8d97463cd33892cc828b4ad04e03fc014fa6

SHA256
889ed51f9c16a4b989bda57957d3e132b1a9c117ee84e208207f2fa208a59483

SHA512
63455c726b55f2d4de87147a75ff04f2daa35278183969ccf185d23707840dd84363bec20d4e8c56252196ce555001ca0e61b3f4887d27577081fdef9e946402

Download Submit
C:\Users\Admin\AppData\Local\3a117b6d93ab1aaf2ee3093e0d4f785e\Admin@ITMJLVNR_en-US\Directories\Temp.txt

Filesize
2KB

MD5
96bc746175298adfb84a6534849cca87

SHA1
0d21612e40fa6bc06bd628c2fbff6e0697c59d64

SHA256
ee380a0382a2c27df6b6b6336b9b3a7603010e02325aba3c0e2fbd4a695859b4

SHA512
2e67cbc2b42670dda54a15ad1361e3ff715733089abf11dd5806b9f02b901323b4f1e69198ebffe0ed27da69ecde91c0f89e11faa4a4e99d5b8add2d9c081316

Download Submit
C:\Users\Admin\AppData\Local\3a117b6d93ab1aaf2ee3093e0d4f785e\Admin@ITMJLVNR_en-US\Directories\Videos.txt

Filesize
23B

MD5
1fddbf1169b6c75898b86e7e24bc7c1f

SHA1
d2091060cb5191ff70eb99c0088c182e80c20f8c

SHA256
a67aa329b7d878de61671e18cd2f4b011d11cbac67ea779818c6dafad2d70733

SHA512
20bfeafde7fec1753fef59de467bd4a3dd7fe627e8c44e95fe62b065a5768c4508e886ec5d898e911a28cf6365f455c9ab1ebe2386d17a76f53037f99061fd4d

Download Submit
C:\Users\Admin\AppData\Local\3a117b6d93ab1aaf2ee3093e0d4f785e\Admin@ITMJLVNR_en-US\Grabber\DRIVE-C\Users\Admin\Desktop\desktop.ini

Filesize
282B

MD5
9e36cc3537ee9ee1e3b10fa4e761045b

SHA1
7726f55012e1e26cc762c9982e7c6c54ca7bb303

SHA256
4b9d687ac625690fd026ed4b236dad1cac90ef69e7ad256cc42766a065b50026

SHA512
5f92493c533d3add10b4ce2a364624817ebd10e32daa45ee16593e913073602db5e339430a3f7d2c44abf250e96ca4e679f1f09f8ca807d58a47cf3d5c9c3790

Download Submit
C:\Users\Admin\AppData\Local\3a117b6d93ab1aaf2ee3093e0d4f785e\Admin@ITMJLVNR_en-US\Grabber\DRIVE-C\Users\Admin\Documents\desktop.ini

Filesize
402B

MD5
ecf88f261853fe08d58e2e903220da14

SHA1
f72807a9e081906654ae196605e681d5938a2e6c

SHA256
cafec240d998e4b6e92ad1329cd417e8e9cbd73157488889fd93a542de4a4844

SHA512
82c1c3dd163fbf7111c7ef5043b009dafc320c0c5e088dec16c835352c5ffb7d03c5829f65a9ff1dc357bae97e8d2f9c3fc1e531fe193e84811fb8c62888a36b

Download Submit
C:\Users\Admin\AppData\Local\3a117b6d93ab1aaf2ee3093e0d4f785e\Admin@ITMJLVNR_en-US\Grabber\DRIVE-C\Users\Admin\Downloads\desktop.ini

Filesize
282B

MD5
3a37312509712d4e12d27240137ff377

SHA1
30ced927e23b584725cf16351394175a6d2a9577

SHA256
b029393ea7b7cf644fb1c9f984f57c1980077562ee2e15d0ffd049c4c48098d3

SHA512
dbb9abe70f8a781d141a71651a62a3a743c71a75a8305e9d23af92f7307fb639dc4a85499115885e2a781b040cbb7613f582544c2d6de521e588531e9c294b05

Download Submit
C:\Users\Admin\AppData\Local\3a117b6d93ab1aaf2ee3093e0d4f785e\Admin@ITMJLVNR_en-US\Grabber\DRIVE-C\Users\Admin\Pictures\Camera Roll\desktop.ini

Filesize
190B

MD5
d48fce44e0f298e5db52fd5894502727

SHA1
fce1e65756138a3ca4eaaf8f7642867205b44897

SHA256
231a08caba1f9ba9f14bd3e46834288f3c351079fcedda15e391b724ac0c7ea8

SHA512
a1c0378db4e6dac9a8638586f6797bad877769d76334b976779cd90324029d755fb466260ef27bd1e7f9fdf97696cd8cd1318377970a1b5bf340efb12a4feb4a

Download Submit
C:\Users\Admin\AppData\Local\3a117b6d93ab1aaf2ee3093e0d4f785e\Admin@ITMJLVNR_en-US\Grabber\DRIVE-C\Users\Admin\Pictures\Saved Pictures\desktop.ini

Filesize
190B

MD5
87a524a2f34307c674dba10708585a5e

SHA1
e0508c3f1496073b9f6f9ecb2fb01cb91f9e8201

SHA256
d01a7ef6233ef4ab3ea7210c0f2837931d334a20ae4d2a05ed03291e59e576c9

SHA512
7cfa6d47190075e1209fb081e36ed7e50e735c9682bfb482dbf5a36746abdad0dccfdb8803ef5042e155e8c1f326770f3c8f7aa32ce66cf3b47cd13781884c38

Download Submit
C:\Users\Admin\AppData\Local\3a117b6d93ab1aaf2ee3093e0d4f785e\Admin@ITMJLVNR_en-US\Grabber\DRIVE-C\Users\Admin\Pictures\desktop.ini

Filesize
504B

MD5
29eae335b77f438e05594d86a6ca22ff

SHA1
d62ccc830c249de6b6532381b4c16a5f17f95d89

SHA256
88856962cef670c087eda4e07d8f78465beeabb6143b96bd90f884a80af925b4

SHA512
5d2d05403b39675b9a751c8eed4f86be58cb12431afec56946581cb116b9ae1014ab9334082740be5b4de4a25e190fe76de071ef1b9074186781477919eb3c17

Download Submit
C:\Users\Admin\AppData\Local\3a117b6d93ab1aaf2ee3093e0d4f785e\Admin@ITMJLVNR_en-US\System\Process.txt

Filesize
4KB

MD5
0986a3d2633835999ab1074525c9a35d

SHA1
4563d57f1872e95f4244de90a6aba9dedaa17653

SHA256
70e2c4941af466b6cc9a999ad8a362b23dc199c5d9ed2177fe3e983501643088

SHA512
a6e086777e542b8a74fd1fea8161764a35aa67bb6e9d16203873f5093dfb65402ec89c5e6ef65cff6df2898a7b9a18979d6a0efc553a8d70a2396e01cfbc7f12

Download Submit
C:\Users\Admin\AppData\Local\3a117b6d93ab1aaf2ee3093e0d4f785e\Admin@ITMJLVNR_en-US\System\Process.txt

Filesize
5KB

MD5
ef34acd95f0950a6eb4f912c1a9eab53

SHA1
081ee03f2a5b041231bcf284ca0e9895e46a1bc1

SHA256
aa86f8a4361bc5d5fcf09e3ae39011df69edf70760632415c87f75ee1e8ba125

SHA512
6c42cf73728cf8f3a50e3654514d22130aab22a6f5f96587c6caa41e25efaedb5ce22177c05824e55be1543988b517c75d9c1db89104391af0faf537805bbd8d

Download Submit
C:\Users\Admin\AppData\Local\3a117b6d93ab1aaf2ee3093e0d4f785e\Admin@ITMJLVNR_en-US\System\Process.txt

Filesize
4KB

MD5
1c3b22418c357f56f8385a91b1889435

SHA1
2f329c59bf2267d1ca9c8fb010252adcb9793ac3

SHA256
a977184af8cf060f4fca9022303dfa9eb13365faf65ca7cf9b76d63ba246ff90

SHA512
a7220f6f7c410d9a0465a4104fee87fce31d42d3ff85db05fc1cf87e45d8806e83e74a15f1ac9e0de90ec8e606fbe7348ac5b9f49a08b1986808f1c5c258f0b2

Download Submit
C:\Users\Admin\AppData\Local\3a117b6d93ab1aaf2ee3093e0d4f785e\Admin@ITMJLVNR_en-US\System\Process.txt

Filesize
4KB

MD5
9261d460da70ca54ad2f4c7fa6a0826c

SHA1
a4d64abc5965b3b1ad691a2fc4cb27e6a84f430a

SHA256
7083ee59b77c5c79a40a20f7edbe73f0425794f945e5c905fb18bc780e1a3abb

SHA512
54c9a0b317909597ba2b259cbc4c37feaefe54d3f222df26e0249f167bb7d12207eb372e6c8793fc008846fef461e28053507ba1898c9e9434b4c7d1ed787104

Download Submit
C:\Users\Admin\AppData\Local\3a117b6d93ab1aaf2ee3093e0d4f785e\Admin@ITMJLVNR_en-US\System\Process.txt

Filesize
598B

MD5
02b7ed287434843b18b70262ee00936c

SHA1
2995e9b64ee6a671574772042bf7f1d92f342695

SHA256
bab8412c87c3c6fb644e849fc0aa341971d1979b4cd789faba7e72f59a1c7908

SHA512
76fcfef2a2439b8c2a3f855cb6e82fe0381fe468f2eb3500c6cdf56e931a8fb514bd472d66a2e7e70988e3df900f5f5855984b8cb2a7963f334189e4dd99732f

Download Submit
C:\Users\Admin\AppData\Local\3a117b6d93ab1aaf2ee3093e0d4f785e\Admin@ITMJLVNR_en-US\System\WorldWind.jpg

Filesize
98KB

MD5
d4862e667e3b9c97bf584f432af4add1

SHA1
dc6945095872beea79184679191c222c1a23d452

SHA256
3964c5490f2b561f502d20bbc2a52f9eab5ad79b2fef0b408b10ef49e585f4d5

SHA512
c09bf461c2953f45cfd5bb96f71d96d3968779a499a62ec99fa9d0d405a6e51ae8d498594c8774c039c568f7173737498df79f39c3f261dc4d4ba59a492b0a00

Download Submit
C:\Users\Admin\AppData\Local\4ecfcad46d0735dbf6e822410f4bb9d1\Admin@ITMJLVNR_en-US\System\Process.txt

Filesize
4KB

MD5
0d707ab48db2d46c85b2a80a6579ad50

SHA1
50f7af6422713d4201c0fcc6864a77cedd7ff588

SHA256
1a856e26a990f4afbd618883074e689cf6d5b4664932d19356d34ea3e68d2099

SHA512
e170aa04dbd788705ea748e531d98514995466d938f52a22832188ab903cfec80fc09ea2668e4e2f95a31c7a1d1f80aa59464b92c6d48572e52461175c725834

Download Submit
C:\Users\Admin\AppData\Local\4ecfcad46d0735dbf6e822410f4bb9d1\Admin@ITMJLVNR_en-US\System\Process.txt

Filesize
272B

MD5
aa31aa35caa7398ea5c0292ab009b99b

SHA1
175a52a71a00e25d27b0254a40d72f235e09dc39

SHA256
07bb54cfb5c4421a538cab1ac36a7a5660c3fffabb9d922ec42c0f4211b4ea3b

SHA512
ba88bf6651ccec6aa05d7acf5c8bc4664e1c19068da93aaa7813400f238fd7c8379a241782ea7d012fd95e8e49db98e7af66a4fa1a8fd483b7d21b3e2e18e4e8

Download Submit
C:\Users\Admin\AppData\Local\4ecfcad46d0735dbf6e822410f4bb9d1\Admin@ITMJLVNR_en-US\System\Process.txt

Filesize
4KB

MD5
56e4f2cc497b74b63649b1357c3899a1

SHA1
3fb033893887a5668b68d1232531ac4baaa7523e

SHA256
b78921422c67ed9a06d5d24d1165ab658fe1d2949e5fe8b64ecf90a924c8a664

SHA512
8eb4ba84801c6dc4a4d10e7a5b910e96db4b4a00222b6e03dc50a73e95e70c6d2097ce0542234261247ec6234a52587d4f37b09867345c5143c0c562346fbcea

Download Submit
C:\Users\Admin\AppData\Local\4ecfcad46d0735dbf6e822410f4bb9d1\Admin@ITMJLVNR_en-US\System\Process.txt

Filesize
357B

MD5
0edf00abbe682970f2d87828c59e7176

SHA1
c5b50528446f4f7d228391b32e5f486f5f22f8ce

SHA256
9e4c4594a0b9482433707d8280d3021bee19ed5636d87b3d113686d445cca7d3

SHA512
56e27869314b3be028c003861950cd1b3674959deee59f93ca1a6988d873db7e316845ade13aa6d18a971c773bfc077d9ca8caca78870f3f859edb5d92dfc53d

Download Submit
C:\Users\Admin\AppData\Local\4ecfcad46d0735dbf6e822410f4bb9d1\Admin@ITMJLVNR_en-US\System\Process.txt

Filesize
4KB

MD5
0a8fbf8ccb12af67485087b9cb00b3d6

SHA1
4e58a8dd7eda1e4831814e365822258fd9a6dd45

SHA256
ceab56b90f66498d79ec8d82db63761e4705223cc58ec029fd50913fae07e339

SHA512
d5c0e49ceb1471861d70337c9280c343208723af86da69cb30dd7d2f801200e29ce2030e5a23aca9a97b7a42a148d824d7322966533e9fd68ec5aeea1dca1315

Download Submit
C:\Users\Admin\AppData\Local\5c6f366629fcbcdf7a71dd35758e4d76\Admin@ITMJLVNR_en-US\System\Process.txt

Filesize
4KB

MD5
e5200d1758934d01a62155d8d0b2941f

SHA1
9512c1e375edabcc89f4110d0d14b9052d6e8c36

SHA256
cb99f9c7b9a85e41e155b676cb85c378e06506cbf877984486f74e185d7621de

SHA512
a16011726adf1ec3f65e17891f41f7d87ac6d22ce61a8ba0671b99c0502b333d9716f44c759ed6a0a2e9677802c040cc395b08c1ec634dd908360de18b6a3c85

Download Submit
C:\Users\Admin\AppData\Local\5c6f366629fcbcdf7a71dd35758e4d76\Admin@ITMJLVNR_en-US\System\Process.txt

Filesize
285B

MD5
d85a7dcf1d46794927e7e20fbed810f4

SHA1
2bdee71d18cb1f0640f26f6436600183627c5992

SHA256
913343b60666cff83de0589fe3228477c122d1e7678252375b9ef79799932170

SHA512
02e06e98f1ea28797f30645d9a12209c90ab57d68416a72724076bfce6c4803b01408103b65b98f6d29e59139fd35f79898568bfb02616e418a49072712b0e37

Download Submit
C:\Users\Admin\AppData\Local\5c6f366629fcbcdf7a71dd35758e4d76\Admin@ITMJLVNR_en-US\System\Process.txt

Filesize
349B

MD5
1b3c11cde41270f5fd03614536b5d445

SHA1
3d2cf4d64dbfc56abab5d6019ab35f9e0b2a0845

SHA256
789245ac81749b7008a605429c8c71380ad007c93365bc9bfdd68f7c98e03b31

SHA512
119bdedc6b7cb97be23c1084dd0ab6a9f2f6a60c6ee53a9c2554a90fe1c0aa9ffdec5ea81f2c60db7223fc6c4840fbca5301cf429f0da07b234d6dafb87021dd

Download Submit
C:\Users\Admin\AppData\Local\5c6f366629fcbcdf7a71dd35758e4d76\Admin@ITMJLVNR_en-US\System\Process.txt

Filesize
413B

MD5
c36f3e2d36bcae1a03d6a8fddc0a3793

SHA1
cc594967e304a0e098d04e7b9ec40377bd7d68a2

SHA256
148461cd2a71104e796c944bddf0f970001d5d6b1b71a8adbf5df34d7e7c8d07

SHA512
c867d123dbd8bc01e7c44aff5e7f1d85ce51ec6c39fc2dda1a7c34ac9981441484faca8d87edb4423617bcaaea9be790e78502e293d8016600c2372609d832a4

Download Submit
C:\Users\Admin\AppData\Local\5c6f366629fcbcdf7a71dd35758e4d76\Admin@ITMJLVNR_en-US\System\Process.txt

Filesize
442B

MD5
b46318d3d80e7cdad7ade1deead052c7

SHA1
c139025ff898b5a1fa8b288806e0a386d7379580

SHA256
9bc4854003a9fac9f883f70b7b29e3c4223f7fa982f902be47d7e493ae21ce0c

SHA512
6a764ac81dc7c9c8094955e3aa78caf13a89bcb8c65fa5a84f5d663e0708b53d2bbbe1b622db3906d99a55231dade13d86d9d341440e6fe5a7070bacf71d0e50

Download Submit
C:\Users\Admin\AppData\Local\5c6f366629fcbcdf7a71dd35758e4d76\Admin@ITMJLVNR_en-US\System\Process.txt

Filesize
513B

MD5
304b9095cf3f1170cbc554c337f36723

SHA1
44bf941c58860d61dbbe4a34256e662dd50e0b22

SHA256
2b7962b0c988d5593618e25dfb42404c71464f12f7c45fc32fa9e273eef0c918

SHA512
58c98f86ecc7334844aed02db01308a3b0e62a4af3f7b1576bd71cbd7cac8e2e615681ef632c8c5b3ca59c27b68e7c79eadbf11a4923296d898d54e83442650d

Download Submit
C:\Users\Admin\AppData\Local\5c6f366629fcbcdf7a71dd35758e4d76\Admin@ITMJLVNR_en-US\System\Process.txt

Filesize
577B

MD5
c8dc69d0634ae0e38b5417c35427555d

SHA1
b68ed0c57e97e331e9a3911329d2e5a31ab1bc22

SHA256
1ae055cda41ac2f082e1b5524f7584a9a059853fde3f1ce9ffbf7fdda32e9f42

SHA512
939a6ec407ee26301e873609bf26b2340707c033248e007dd0051a2d7c74c91896e37446b9a7373a04e418920d6cf8ddc939920279da2657b0869b8a0d8f9789

Download Submit
C:\Users\Admin\AppData\Local\5c6f366629fcbcdf7a71dd35758e4d76\Admin@ITMJLVNR_en-US\System\Process.txt

Filesize
653B

MD5
097ba06bcfa640c7335331eda4a3ec5a

SHA1
06a6beafad57a1ef56698b6f1048c24abb790d08

SHA256
a338546a45e0a1bcd28133015fc4d19b42245bd4ec705313181dc70e5c7cddd6

SHA512
70ab098c14ae962cc57acb77ad62a7396fdf5682be896b70d5bf48cf9419c34d9ecbadba084da5309f477db65fc24f63a4b3d49271838dbe5bbe369e859d14a5

Download Submit
C:\Users\Admin\AppData\Local\5c6f366629fcbcdf7a71dd35758e4d76\Admin@ITMJLVNR_en-US\System\Process.txt

Filesize
717B

MD5
0489bd071e7676790130775e9312961b

SHA1
ea4f4ea192770c51ce9171c5c7c55cfc641fcce7

SHA256
e9b793e76eb7b9555310ab47b322ba6d52dbd967421de373094c3908b198f416

SHA512
e9ff7f3e8f93de5516b45d8af1529fae417400e36a2be408b9d21ff5c606b8d8265274941826cf144d1da5912c2c6a31e7bb0cd5bf5434deca677573881dcf54

Download Submit
C:\Users\Admin\AppData\Local\5c6f366629fcbcdf7a71dd35758e4d76\Admin@ITMJLVNR_en-US\System\Process.txt

Filesize
781B

MD5
08590ea8f6521c1cd85f09ec81608b4e

SHA1
c6124494df89e430b9fa4549078a18028a923754

SHA256
e511435476d6e3ddd317005251fa02dd38c64edeb3f09cbc84c1ac1731fefdb6

SHA512
fd9dec235c0170c0899e33d07de40e13811badd03ae32c07fbd10de6d9e7b22f381baf91bb776abdd62c420c29aded3254bd2e9f6241a1f7ddc9b14c3dc3186c

Download Submit
C:\Users\Admin\AppData\Local\5c6f366629fcbcdf7a71dd35758e4d76\Admin@ITMJLVNR_en-US\System\Process.txt

Filesize
1020B

MD5
779f550abdf1ab686d76db289cbff515

SHA1
2bbdd0a74c6d75cfca1a2f695b47ac9c84ab1ce1

SHA256
3e67b2cca776670e1966eb54b71a7d46b726c8856b302745841ecd021276bed9

SHA512
e390439461f6e2407fdc950aaf496a70b8256942f093bec173b0b7bc3dd107228dd500b92678877ecaf8453098b37dbeff52a3fc4773d27ecad4b3e0cf015223

Download Submit
C:\Users\Admin\AppData\Local\5c6f366629fcbcdf7a71dd35758e4d76\Admin@ITMJLVNR_en-US\System\Process.txt

Filesize
4KB

MD5
a3c9758ba42eac996ba2c7f93a72395f

SHA1
63aacd7522634a4ac540114b5b2816c33be8962f

SHA256
072823ca62fe284906dc19982ffc23c8b7433c577d3411cc7577ad3d4a09e6ca

SHA512
e577b51d793627b5c5767566320753c8af45d864e5724b71062c39b61b315f39c4564fc28df1465479dd800e29c610b783276e0b80f8855adf4409e14c49ef45

Download Submit
C:\Users\Admin\AppData\Local\5c6f366629fcbcdf7a71dd35758e4d76\Admin@ITMJLVNR_en-US\System\Process.txt

Filesize
63B

MD5
9e10e104d651a780cb38acdad352edd8

SHA1
dced3fa7e07aca80712c319342bb2e41894354cd

SHA256
9deb2ddcd5fec79952c8c377d73a2d48cb12140a4b02b4843523af12a3110c1d

SHA512
57b48733508eaccbca2bd340528f1d6c2d928e7eb2770d4c5155fc03644313243b23ecee42ddecb0e6f0df34966f31960dff8cc9de205e3d62520c97f8df5419

Download Submit
C:\Users\Admin\AppData\Local\5c6f366629fcbcdf7a71dd35758e4d76\Admin@ITMJLVNR_en-US\System\Process.txt

Filesize
4KB

MD5
a0bdac1d1e9e47c12e33c150a940ad78

SHA1
3086cc941351ab471675ac948ad62576d9e72d2b

SHA256
fe5824a6db4588101458b0c454ffd9d4395c12e1c02c417587558c64c273ad8d

SHA512
e2badbf0fa8af6e7e2c5cebcc23d6ae45098197cfc28960fa20f16250fe6770fff2a7df7b5f2bf0a5805d2f6452e21fe2a2806a906149b9b4f60e5e64ba6d19b

Download Submit
C:\Users\Admin\AppData\Local\6c96bff79533d46ef82f56a8e3d3528a\Admin@ITMJLVNR_en-US\System\Process.txt

Filesize
4KB

MD5
c5247c0e7d8c77fcb84316c6dbe39af0

SHA1
00f5eb430eca1996263896e786eccf9581d5767c

SHA256
3ff7dbe724f2bc6531719a3924dd6b0723bda4bf9cef693de83cdfb5c672cd55

SHA512
aba1cdf9071f92b44ac0b3ccc7fb9bf7dd69500ce96a2e3eb14744ac36f1a70e69979c97c2463022489c1d49170d952f5106f15bc3e6081c3d73647a08940ae6

Download Submit
C:\Users\Admin\AppData\Local\6c96bff79533d46ef82f56a8e3d3528a\Admin@ITMJLVNR_en-US\System\Process.txt

Filesize
4KB

MD5
45cfae2f7b48dbe51ab02f33e62a4dd7

SHA1
19e02c4038307b309b9c749f363e86ea4d8a0e89

SHA256
4f4142f67b8a639a30819964dcad24bd6e34b28b3bbf78b7553dce61902ce6d4

SHA512
f5d5aa8413c96057d675e9187ee2eb547a48ff2c5133c753ea1e479e9a72ebdcc1b0eab700d646d1e1de1ddb6ae63948799dbff1a4b625f4bbb3d4bd6c7ecb7c

Download Submit
C:\Users\Admin\AppData\Local\7f465630f56e59a12978c20033ae45dc\Admin@ITMJLVNR_en-US\Directories\Temp.txt

Filesize
8KB

MD5
40614aea26525b676679a0c9e646d059

SHA1
0effc5b3a1a85eecfc2cc0f318a6e40334f118fb

SHA256
e129bba335c29a6be79632cc617a8403980878ceb69ba3415ec2c9386a5fdc61

SHA512
a9cdd1b1cf0476975c5b32907d4846842015bb15d1e80cbbaa0cf932a30320e8ac62e22ab0068ab2bf8392b243d3c166d5720864e2659a23cd3f9321dc2428a7

Download Submit
C:\Users\Admin\AppData\Local\7f465630f56e59a12978c20033ae45dc\Admin@ITMJLVNR_en-US\System\Process.txt

Filesize
4KB

MD5
81dda564cc42a0f9e6349804a0771d79

SHA1
ac522918d3da519321df4809137514ab3ce8247c

SHA256
e8900a8f26eed39fce6a441eb1022d8d3e667b25d3507f80411b3d204c53d716

SHA512
f14c23fcbf7e8b334b41ef23b08d4de3bfa182101c63fd9687f990048a79b21f12c86db6844e6095c2780f3b9dff54efaeca8add13be4450b8c05e950ed32fd1

Download Submit
C:\Users\Admin\AppData\Local\7f465630f56e59a12978c20033ae45dc\Admin@ITMJLVNR_en-US\System\Process.txt

Filesize
4KB

MD5
56ae26d8f37ec510a6cc7e2ab317ecc6

SHA1
8f98612a0cd0773299b2c2dfc4540b787a383dc3

SHA256
ef3fb25060e79c5ddf5a49a13ab7bccad7ee5cc7f9107cf925e4867d85220e95

SHA512
3ecffc9f6bfeddc908ba4b1b897e710fe30a3e9d9ae68ce6e3ea502c4db93642621d38ef7ba4b0e1b0af8b79debd7446dfd2a9c1a96671f94a508c6c05f4c500

Download Submit
C:\Users\Admin\AppData\Local\7f465630f56e59a12978c20033ae45dc\Admin@ITMJLVNR_en-US\System\Process.txt

Filesize
4KB

MD5
98a8a13a6fe757901e69d99cd8e888ec

SHA1
f4c363708b97ee70b8be96b260c085f22e54be82

SHA256
98af1e5b5daf11e6605840f7f08423ac5f48eea08bd9d73f564db03c0196bff5

SHA512
ea223b10db315e6c216955b89f33ab217e812c2e282201c50388f49eed0c5bdabe086536cc05eaba0448aff7922108542748cd91661a49a5e8fb2f33010bff9e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\RebelCracked.exe.log

Filesize
654B

MD5
2cbbb74b7da1f720b48ed31085cbd5b8

SHA1
79caa9a3ea8abe1b9c4326c3633da64a5f724964

SHA256
e31b18f21621d9983bfdf1ea3e53884a9d58b8ffd79e0e5790da6f3a81a8b9d3

SHA512
ecf02d5240e0c1c005d3ab393aa7eff62bd498c2db5905157e2bf6d29e1b663228a9583950842629d1a4caef404c8941a0c7799b1a3bd1eb890a09fdb7efcff9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\RuntimeBroker.exe.log

Filesize
706B

MD5
1356da7590c7343415dc5977d32b17c8

SHA1
6b2d7cb07839255395f6b24391fe5fec5201e359

SHA256
2126fa4651af160534e852712f55be80e16308e9cad3fed7b0bd3ac6ce528702

SHA512
6f1cff058fd47eb299d81dcb53d6c8138d433c8f2d44fc281639ed72f88bfcaa56e100367a77f856a8e06a490a932bc0ae53d6ed10e78fcfbebb97be9d8cb97c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
302c3de891ef3a75b81a269db4e1cf22

SHA1
5401eb5166da78256771e8e0281ca2d1f471c76f

SHA256
1d1640e5755779c90676290853d2e3ca948f57cf5fb1df4b786e277a97757f58

SHA512
da18e7d40376fd13255f3f67a004c3a7f408466bd7ce92e36a4d0c20441279fe4b1b6e0874ab74c494663fb97bd7992b5e7c264b3fc434c1e981326595263d33

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
c9efc5ba989271670c86d3d3dd581b39

SHA1
3ad714bcf6bac85e368b8ba379540698d038084f

SHA256
c2e16990b0f6f23efdcecd99044993a4c2b8ba87bd542dd8f6256d69e24b93b3

SHA512
c1bc0dc70ab827b54feb64ad069d21e1c3c28d57d126b08314a9670437881d77dba02b5cca57ef0f2aa7f8e7d4d163fbd2c6f246ea2d51ce201d61a89015e8b7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\History

Filesize
116KB

MD5
69488ddc0006f887da9851350f48628c

SHA1
3a09815c8eaa9d910e39e4011c48e33f3484815f

SHA256
c8b3d260f4ba6b271f4f64b3a5c727c3cdc0b75ed3d473720ece10f4d422553d

SHA512
b2a1ed6d1e71204a67cd86b0e8662e03f5351dd20e1563ef8846b268389e85232f51425e72d5525ed32523aacc74af0e084128597fbac382d5ab7b6026000f48

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
111B

MD5
807419ca9a4734feaf8d8563a003b048

SHA1
a723c7d60a65886ffa068711f1e900ccc85922a6

SHA256
aa10bf07b0d265bed28f2a475f3564d8ddb5e4d4ffee0ab6f3a0cc564907b631

SHA512
f10d496ae75db5ba412bd9f17bf0c7da7632db92a3fabf7f24071e40f5759c6a875ad8f3a72bad149da58b3da3b816077df125d0d9f3544adba68c66353d206c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
1565026828b66a05db388928041a3443

SHA1
79070c365fbcf0a919a17d4fbec2d8b311da87be

SHA256
40f98b7b03404684745c81fac3e7f0c634b2235e5a8dcfb6797bf58a6462980b

SHA512
ba719c09b859394905df8cfb174c7e0b595975d9bbbe43d9c8526a49b05435626bc23390e61d02e946b89ebe6cc23c83a10221643d42284b02528a06d5f43ee9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
a694212ecbab200d0048441a74506769

SHA1
4556798934f262446643abce306ea3c8c9db4482

SHA256
226e7e231481aa085d4fd71cccf32f9936d011cbd66cc9de1845d224a49de82f

SHA512
70c1dedbb058790be8ef482a977fbb9c56d40f7120d09ac2cc07ff104a37a596bd9bdcf37767f8061d4d3ab08f7caa0a7ffa0aec600f356d7584e4d6346b68c4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\b54ab792-d141-484f-9580-13a22143864e.tmp

Filesize
5KB

MD5
80d78980589a82a2d92e87d98761e8fe

SHA1
d7c53edbe4c2a5d279b976eeb10efd95ff324666

SHA256
49601796908acb503bd4e588a45f4a55956a7dd22bf636c9699ce70d92fd4fd3

SHA512
b105ae7ffdde2ebd76fbb44b4e80dccc376c0ba9f766be0fa8ba4591eafdf0c3b78bb544f902289c37caf79d6e8e603c3aaae1f9ba58ed61b67ec1d6d5fda2f6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
462f8cd527be3e8b8930839cc441f7bf

SHA1
8aac3f97c4d13d9a58181ba1c8d5f67fe256ca2a

SHA256
816f623a58c3ee615cd6a4a7d8f9e99db9ce8b87303176842620a7b1a3a274ee

SHA512
ee438e865f2afb9efb39d66d621acf2c20c63a0105ed1540a503f103e444c74c25b74da915a5ab3d40b4b04064b4c22df12a288ccd28cd700d1cdb48c4bda7bb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
97dcdf8210313cd0185586e8ccbc1465

SHA1
06e95b0aae0371ff17fac309249aba934cef2c86

SHA256
4978609ab1233c59d4f4345434245e23b48171c45ef3ba5d9c397faa58b8a55f

SHA512
83b5fd0e4a8e81ebd5fda35aa5c83d2dcb6ffff2cf99ec66d97cf8b3e53188cda023cf377bb45334bc022e23dcfc762ffec7c236887ce402067001045b6e82cb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\ShaderCache\GPUCache\data_1

Filesize
264KB

MD5
f50f89a0a91564d0b8a211f8921aa7de

SHA1
112403a17dd69d5b9018b8cede023cb3b54eab7d

SHA256
b1e963d702392fb7224786e7d56d43973e9b9efd1b89c17814d7c558ffc0cdec

SHA512
bf8cda48cf1ec4e73f0dd1d4fa5562af1836120214edb74957430cd3e4a2783e801fa3f4ed2afb375257caeed4abe958265237d6e0aacf35a9ede7a2e8898d58

Download Submit
C:\Users\Admin\AppData\Local\RuntimeBroker.exe

Filesize
330KB

MD5
75e456775c0a52b6bbe724739fa3b4a7

SHA1
1f4c575e98d48775f239ceae474e03a3058099ea

SHA256
e8d52d0d352317b3da0be6673099d32e10e7b0e44d23a0c1a6a5277d37b95cf3

SHA512
b376146c6fa91f741d69acf7b02a57442d2ea059be37b9bdb06af6cc01272f4ded1a82e4e21b9c803d0e91e22fc12f70391f5e8c8704d51b2435afc9624e8471

Download Submit
C:\Users\Admin\AppData\Local\Temp\places.raw

Filesize
5.0MB

MD5
ce84fb305b0892c358c29bfda12713a9

SHA1
1aaad615f8a0e1ba510633ae27f0fb4c6487ccd0

SHA256
0364ae17e66cc096dc9be31ab981a013b748b6233b9bc67e32da68f7b3f7778b

SHA512
a84f62cd6b5dd2bb26059a66cba10c3a4f27b0926b7fb74e9d97581d03306909e300214fdaed172f389113ddcfafe63a38814d4d93af758ed9fe2aba5df7374e

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp1525.tmp.dat

Filesize
40KB

MD5
a182561a527f929489bf4b8f74f65cd7

SHA1
8cd6866594759711ea1836e86a5b7ca64ee8911f

SHA256
42aad7886965428a941508b776a666a4450eb658cb90e80fae1e7457fc71f914

SHA512
9bc3bf5a82f6f057e873adebd5b7a4c64adef966537ab9c565fe7c4bb3582e2e485ff993d5ab8a6002363231958fabd0933b48811371b8c155eaa74592b66558

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp153B.tmp.dat

Filesize
46KB

MD5
14ccc9293153deacbb9a20ee8f6ff1b7

SHA1
46b4d7b004ff4f1f40ad9f107fe7c7e3abc9a9f3

SHA256
3195ce0f7aa2eae2b21c447f264e2bd4e1dc5208353ac72d964a750de9a83511

SHA512
916f2178be05dc329461d2739271972238b22052b5935883da31e6c98d2697bd2435c9f6a2d1fcafb4811a1d867c761055532669aac2ea1a3a78c346cdeba765

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp153C.tmp.dat

Filesize
20KB

MD5
22be08f683bcc01d7a9799bbd2c10041

SHA1
2efb6041cf3d6e67970135e592569c76fc4c41de

SHA256
451c2c0cf3b7cb412a05347c6e75ed8680f0d2e5f2ab0f64cc2436db9309a457

SHA512
0eef192b3d5abe5d2435acf54b42c729c3979e4ad0b73d36666521458043ee7df1e10386bef266d7df9c31db94fb2833152bb2798936cb2082715318ef05d936

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp154D.tmp.dat

Filesize
96KB

MD5
40f3eb83cc9d4cdb0ad82bd5ff2fb824

SHA1
d6582ba879235049134fa9a351ca8f0f785d8835

SHA256
cdd772b00ae53d4050150552b67028b7344bb1d345bceb495151cc969c27a0a0

SHA512
cdd4dbf0b1ba73464cd7c5008dc05458862e5f608e336b53638a14965becd4781cdea595fd6bd18d0bf402dccffd719da292a6ce67d359527b4691dc6d6d4cc2

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpC4B.tmp.dat

Filesize
114KB

MD5
9161df81ba333649f936f4bb44ec6ec3

SHA1
c728bfe3bc8d7387e981275c8f78f7f6a47426e2

SHA256
4931786eac2f1a13af09d835afefeac1f99a00e4998bc4d2278d996cbd3690a4

SHA512
79898d636d42db253d50b6bab4cfee0f1352b920547a756c93c76af7ec35bc86df8dfe2a8b1b31258fc46eeb2a4516e47a45c59afeb50b83364c37151fa05886

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpC4D.tmp.dat

Filesize
160KB

MD5
f310cf1ff562ae14449e0167a3e1fe46

SHA1
85c58afa9049467031c6c2b17f5c12ca73bb2788

SHA256
e187946249cd390a3c1cf5d4e3b0d8f554f9acdc416bf4e7111fff217bb08855

SHA512
1196371de08c964268c44103ccaed530bda6a145df98e0f480d8ee5ad58cb6fb33ca4c9195a52181fe864726dcf52e6a7a466d693af0cda43400a3a7ef125fad

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpC5F.tmp.dat

Filesize
112KB

MD5
87210e9e528a4ddb09c6b671937c79c6

SHA1
3c75314714619f5b55e25769e0985d497f0062f2

SHA256
eeb23424586eb7bc62b51b19f1719c6571b71b167f4d63f25984b7f5c5436db1

SHA512
f8cb8098dc8d478854cddddeac3396bc7b602c4d0449491ecacea7b9106672f36b55b377c724dc6881bee407c6b6c5c3352495ed4b852dd578aa3643a43e37c0

Download Submit
C:\Users\Admin\AppData\Local\c37a1055ceee7a8d60c6ff37f2995c11\Admin@ITMJLVNR_en-US\System\Process.txt

Filesize
4KB

MD5
231976ebc7dae7e74798fcd5a3c5c607

SHA1
44fbfabcd1ddab00402e8d75523dbf12fa9601f1

SHA256
cbce5cf94abfc91d7cdf7d975f478c8939bb1a75a99c285af947c890583ec4a7

SHA512
60c5ed72f2c9f91292e1b45c8233fa383c8cf99861b3550f7172b57c79f95ea1ef06ac8d433e238a0a3603134b69f3a2d423022479f5b0fd8b55c247b38d21ef

Download Submit
C:\Users\Admin\AppData\Local\db81a968559c18d3ebb05809a10f800b\Admin@ITMJLVNR_en-US\System\Process.txt

Filesize
148B

MD5
314042276f3d34700e6ac35479be101e

SHA1
1071a45dce6c7dbb03d443c59c49ed8d22a711cf

SHA256
b0ce13a694ef470257d09279173b1f57bd9222255f88bf0e9b6f644f0fe462eb

SHA512
9d3726958e54f4c8daf4eca8350cd3fe270457a4d8d560bd50b465c19a729f9fd425f67d97fc7f8d1cd7cd48395e97673aef62d114e15de07a6985f483f2e6bd

Download Submit
C:\Users\Admin\AppData\Local\db81a968559c18d3ebb05809a10f800b\Admin@ITMJLVNR_en-US\System\Process.txt

Filesize
4KB

MD5
10d547bea2c497569d3267e65cb5cc92

SHA1
540df602d298ada3a6e430b5a3e76b78ebe7f4d7

SHA256
02aa0b45e92833a93610195ce42e36371c9069cc5f688d8b7104296efcc97472

SHA512
49fe54fda7603c28294ba6dd2dcab2c0ff0cddee7beb8ba8b3a8dc270f02885c2bc6fa18f2dcf857cf3704a116993855af6a7bbdb75865a55f107f5bfe9b73da

Download Submit
C:\Users\Admin\AppData\Local\db81a968559c18d3ebb05809a10f800b\Admin@ITMJLVNR_en-US\System\Process.txt

Filesize
410B

MD5
4fdb8ca95b3f2b64d8f8a86cb690de8a

SHA1
24156c00456f0c4633c0a69ce8be5e528253a19f

SHA256
7fe6f5e6789d4bf3825efd6b742137e2a40afd23397dd4be5fb3b415a54a39c0

SHA512
2ce9bc3d4ebd90330c52e2a45d441a0c2b0d8e9bfdd925083e76f563d2782b85fa98b5a1300570e68c9796878b5fd18427b07acb757f8c35bf8e80e3bc6d3079

Download Submit
C:\Users\Admin\AppData\Local\db81a968559c18d3ebb05809a10f800b\Admin@ITMJLVNR_en-US\System\Process.txt

Filesize
474B

MD5
f558e0bd466e4a35adfb275d381be69d

SHA1
3041e1cfaaa03b22c632c26c204b7c4e7a0dbd0c

SHA256
beb2c3dcb48c2ac3d86ae2c81ef116db21640019fc0748562264b5a70adeadee

SHA512
581807942a555c7786a4cf01af4e572b14f63678d829f3ce7d17e8863e5c1d5c8f6599e3c533aa6f44f60d69330f47a353792d666091e4fe0e43f2c6e20e46cb

Download Submit
C:\Users\Admin\AppData\Local\db81a968559c18d3ebb05809a10f800b\Admin@ITMJLVNR_en-US\System\Process.txt

Filesize
232B

MD5
2fab9ecab652518b7b4f5e5cf949488f

SHA1
2ecd3abef8d9b07f2749876feb3df397de4fd296

SHA256
a777024507adcd00f94c698d747c214b217ec241321a34191870c2c88776fe72

SHA512
892a490a90bc11a5d394851cde73f546ff7ff2ec84dca6f3566b81b9bcb8db6fd5d6ff8b1a174020d163229545d35aac5470a5b04741fbc99a35eba685b26de0

Download Submit
C:\Users\Admin\AppData\Local\db81a968559c18d3ebb05809a10f800b\Admin@ITMJLVNR_en-US\System\Process.txt

Filesize
4KB

MD5
584acf75253fa8bf0dc2fa1a0d8decd9

SHA1
638e9a2edc37732045a34204ab9e9a258cbcc230

SHA256
ffdeb035ea20f615a53e7b25cfa2c0b1ed0cd3cc5b8a04ef6d5a5561faa00b9a

SHA512
4f62783f4db62de68a34ee89376bb40d10e1b1515d0d319c336eb735e50790c1feb5e84f2b0b2112d64f8b77a1978f3287a5698c1b79a124e082b2e54e928d78

Download Submit
C:\Users\Admin\AppData\Local\db81a968559c18d3ebb05809a10f800b\Admin@ITMJLVNR_en-US\System\ProductKey.txt

Filesize
29B

MD5
71eb5479298c7afc6d126fa04d2a9bde

SHA1
a9b3d5505cf9f84bb6c2be2acece53cb40075113

SHA256
f6cadfd4e4c25ff3b8cffe54a2af24a757a349abbf4e1142ec4c9789347fe8b3

SHA512
7c6687e21d31ec1d6d2eff04b07b465f875fd80df26677f1506b14158444cf55044eb6674880bd5bd44f04ff73023b26cb19b8837427a1d6655c96df52f140bd

Download Submit
C:\Users\Admin\AppData\Local\db81a968559c18d3ebb05809a10f800b\Admin@ITMJLVNR_en-US\System\ScanningNetworks.txt

Filesize
84B

MD5
58cd2334cfc77db470202487d5034610

SHA1
61fa242465f53c9e64b3752fe76b2adcceb1f237

SHA256
59b3120c5ce1a7d1819510272a927e1c8f1c95385213fccbcdd429ff3492040d

SHA512
c8f52d85ec99177c722527c306a64ba61adc3ad3a5fec6d87749fbad12da424ba6b34880ab9da627fb183412875f241e1c1864d723e62130281e44c14ad1481e

Download Submit
C:\Users\Admin\Desktop\rebel\Rebel\ReadMe.txt

Filesize
13B

MD5
1c6c20f0c324e98e38272f1245d24e11

SHA1
bbb5dc3a18a532529ec6fa88c86542288dd979f7

SHA256
4ca7414e2aba6d74826403afb6ccbcc1752297a1b61aced8808b75d80d212f2d

SHA512
a30aed5a54580ad73f16ad237f82e2dc99c99d9645d40d1fbdf88a7d6c10c238b6967c011ba46c6084d409e4a37b41983d600146f93cd9250a810b7d784d8246

Download Submit
C:\Users\Admin\Desktop\rebel\Rebel\RebelCracked.exe

Filesize
344KB

MD5
a84fd0fc75b9c761e9b7923a08da41c7

SHA1
2597048612041cd7a8c95002c73e9c2818bb2097

SHA256
9d9a79f4ae9bf7a992945f6c06c5bec642c05e4e828217c50255dabfa3677006

SHA512
a17f1144a0e3ce07c7ed6891987c5b969f291e9991442c33750028d35e2194794e8a649c397e8afc9f8ce19d485c453600c75cab4fcead09e38414d85819251a

Download Submit
C:\Users\Admin\Downloads\Rebel.7z:Zone.Identifier

Filesize
26B

MD5
fbccf14d504b7b2dbcb5a5bda75bd93b

SHA1
d59fc84cdd5217c6cf74785703655f78da6b582b

SHA256
eacd09517ce90d34ba562171d15ac40d302f0e691b439f91be1b6406e25f5913

SHA512
aa1d2b1ea3c9de3ccadb319d4e3e3276a2f27dd1a5244fe72de2b6f94083dddc762480482c5c2e53f803cd9e3973ddefc68966f974e124307b5043e654443b98

Download Submit
memory/2564-163-0x00000000009B0000-0x0000000000A0C000-memory.dmp

Filesize
368KB

Download
memory/2596-913-0x0000000006D50000-0x0000000006D5A000-memory.dmp

Filesize
40KB

Download
memory/2596-184-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/2596-194-0x0000000006000000-0x0000000006066000-memory.dmp

Filesize
408KB

Download
memory/2596-1241-0x00000000079F0000-0x0000000007A02000-memory.dmp

Filesize
72KB

Download
memory/3408-182-0x0000000005E70000-0x0000000005F0C000-memory.dmp

Filesize
624KB

Download
memory/3408-181-0x0000000005C70000-0x0000000005CBA000-memory.dmp

Filesize
296KB

Download
memory/3408-183-0x0000000005DF0000-0x0000000005DFA000-memory.dmp

Filesize
40KB

Download
memory/3408-180-0x0000000005CC0000-0x0000000005D52000-memory.dmp

Filesize
584KB

Download
memory/3408-179-0x00000000061B0000-0x0000000006756000-memory.dmp

Filesize
5.6MB

Download
memory/3408-178-0x0000000000AA0000-0x0000000000AF8000-memory.dmp

Filesize
352KB

Download