asyncrat | hxxps://download2260[.]mediafire[.]com/8z5me9rbv5egliK0QorznLNdVFQVB2yJPfxkAoNbA9Jzw-XVz8BqZ37CnAA2czOZRNRQVlW8yK_tFkTf0yUA1DRBXPBb71HG_U0jcyIGZkTFbIknUtI5jE0LbUPjFnrbGO8J5IDA_HAtvV-xu65bbK4Zjiebr1B33WjcvM8fLmRdOA/by9n59rwi4ek33p/Rebel[.]7z

Resubmissions

06-09-2024 17:17

240906-vtpjjaycjr 10

06-09-2024 17:14

240906-vr54haybmn 10

Analysis

max time kernel
83s
max time network
133s
platform
windows11-21h2_x64
resource
win11-20240802-en
resource tags

arch:x64arch:x86image:win11-20240802-enlocale:en-usos:windows11-21h2-x64system
submitted
06-09-2024 17:14

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://download2260.mediafire.com/8z5me9rbv5egliK0QorznLNdVFQVB2yJPfxkAoNbA9Jzw-XVz8BqZ37CnAA2czOZRNRQVlW8yK_tFkTf0yUA1DRBXPBb71HG_U0jcyIGZkTFbIknUtI5jE0LbUPjFnrbGO8J5IDA_HAtvV-xu65bbK4Zjiebr1B33WjcvM8fLmRdOA/by9n59rwi4ek33p/Rebel.7z

Score

10^/10

asyncrat stormkitty default credential_access discovery rat spyware stealer

Malware Config

Extracted

Family

asyncrat

Botnet

Default

127.0.0.1:6606

127.0.0.1:7707

127.0.0.1:8808

Mutex

AsyncMutex_6SI8OkPnk

Attributes

delay
3
install
false
install_folder
%AppData%

aes.plain

Signatures

AsyncRat
AsyncRAT is designed to remotely monitor and control other computers written in C#.
rat asyncrat
StormKitty
StormKitty is an open source info stealer written in C#.
stealer stormkitty

StormKitty payload 1 IoCs

Processes:

resource	yara_rule
behavioral1/memory/3628-237-0x0000000000400000-0x0000000000432000-memory.dmp	family_stormkitty

Credentials from Password Stores: Credentials from Web Browsers 1 TTPs
Malicious Access or copy of Web Browser Credential store.
credential_access stealer

Credentials from Web Browsers
T1555.003

Executes dropped EXE 17 IoCs

Processes:

RebelCracked.exeRuntimeBroker.exeRebelCracked.exeRuntimeBroker.exeRuntimeBroker.exeRebelCracked.exeRuntimeBroker.exeRuntimeBroker.exeRebelCracked.exeRuntimeBroker.exeRuntimeBroker.exeRebelCracked.exeRuntimeBroker.exeRuntimeBroker.exeRebelCracked.exeRuntimeBroker.exeRuntimeBroker.exe

pid	process
5880	RebelCracked.exe
4964	RuntimeBroker.exe
1436	RebelCracked.exe
3628	RuntimeBroker.exe
5272	RuntimeBroker.exe
3036	RebelCracked.exe
3112	RuntimeBroker.exe
5916	RuntimeBroker.exe
4160	RebelCracked.exe
4384	RuntimeBroker.exe
1852	RuntimeBroker.exe
2824	RebelCracked.exe
5856	RuntimeBroker.exe
452	RuntimeBroker.exe
2704	RebelCracked.exe
2876	RuntimeBroker.exe
5076	RuntimeBroker.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops desktop.ini file(s) 14 IoCs

Processes:

RuntimeBroker.exeRuntimeBroker.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Local\847b19771ec05254524dbacfa3aba31c\Admin@ZFKGDPGJ_en-US\Grabber\DRIVE-C\Users\Admin\Desktop\desktop.ini	RuntimeBroker.exe
File created	C:\Users\Admin\AppData\Local\847b19771ec05254524dbacfa3aba31c\Admin@ZFKGDPGJ_en-US\Grabber\DRIVE-C\Users\Admin\Pictures\Camera Roll\desktop.ini	RuntimeBroker.exe
File created	C:\Users\Admin\AppData\Local\847b19771ec05254524dbacfa3aba31c\Admin@ZFKGDPGJ_en-US\Grabber\DRIVE-C\Users\Admin\Pictures\Saved Pictures\desktop.ini	RuntimeBroker.exe
File created	C:\Users\Admin\AppData\Local\847b19771ec05254524dbacfa3aba31c\Admin@ZFKGDPGJ_en-US\Grabber\DRIVE-C\Users\Admin\Documents\desktop.ini	RuntimeBroker.exe
File opened for modification	C:\Users\Admin\AppData\Local\42dd8ae398c2c328bbe4e07bc2461c08\Admin@ZFKGDPGJ_en-US\Grabber\DRIVE-C\Users\Admin\Desktop\desktop.ini	RuntimeBroker.exe
File created	C:\Users\Admin\AppData\Local\42dd8ae398c2c328bbe4e07bc2461c08\Admin@ZFKGDPGJ_en-US\Grabber\DRIVE-C\Users\Admin\Pictures\Saved Pictures\desktop.ini	RuntimeBroker.exe
File created	C:\Users\Admin\AppData\Local\42dd8ae398c2c328bbe4e07bc2461c08\Admin@ZFKGDPGJ_en-US\Grabber\DRIVE-C\Users\Admin\Desktop\desktop.ini	RuntimeBroker.exe
File opened for modification	C:\Users\Admin\AppData\Local\847b19771ec05254524dbacfa3aba31c\Admin@ZFKGDPGJ_en-US\Grabber\DRIVE-C\Users\Admin\Desktop\desktop.ini	RuntimeBroker.exe
File created	C:\Users\Admin\AppData\Local\847b19771ec05254524dbacfa3aba31c\Admin@ZFKGDPGJ_en-US\Grabber\DRIVE-C\Users\Admin\Downloads\desktop.ini	RuntimeBroker.exe
File created	C:\Users\Admin\AppData\Local\42dd8ae398c2c328bbe4e07bc2461c08\Admin@ZFKGDPGJ_en-US\Grabber\DRIVE-C\Users\Admin\Pictures\desktop.ini	RuntimeBroker.exe
File created	C:\Users\Admin\AppData\Local\42dd8ae398c2c328bbe4e07bc2461c08\Admin@ZFKGDPGJ_en-US\Grabber\DRIVE-C\Users\Admin\Pictures\Camera Roll\desktop.ini	RuntimeBroker.exe
File created	C:\Users\Admin\AppData\Local\42dd8ae398c2c328bbe4e07bc2461c08\Admin@ZFKGDPGJ_en-US\Grabber\DRIVE-C\Users\Admin\Documents\desktop.ini	RuntimeBroker.exe
File created	C:\Users\Admin\AppData\Local\847b19771ec05254524dbacfa3aba31c\Admin@ZFKGDPGJ_en-US\Grabber\DRIVE-C\Users\Admin\Pictures\desktop.ini	RuntimeBroker.exe
File created	C:\Users\Admin\AppData\Local\42dd8ae398c2c328bbe4e07bc2461c08\Admin@ZFKGDPGJ_en-US\Grabber\DRIVE-C\Users\Admin\Downloads\desktop.ini	RuntimeBroker.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 10 IoCs

Web Service
T1102

Processes:

flow ioc

80 pastebin.com
92 pastebin.com
15 pastebin.com
62 pastebin.com
70 pastebin.com
73 pastebin.com
59 pastebin.com
74 pastebin.com
90 pastebin.com
91 pastebin.com
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

1 icanhazip.com
Looks up geolocation information via web service
Uses a legitimate geolocation service to find the infected system's geolocation info.

flow	ioc
80	pastebin.com
92	pastebin.com
15	pastebin.com
62	pastebin.com
70	pastebin.com
73	pastebin.com
59	pastebin.com
74	pastebin.com
90	pastebin.com
91	pastebin.com

flow	ioc
1	icanhazip.com

Suspicious use of SetThreadContext 5 IoCs

Processes:

RuntimeBroker.exeRuntimeBroker.exeRuntimeBroker.exeRuntimeBroker.exeRuntimeBroker.exe

description	pid	process	target process
PID 4964 set thread context of 3628	4964	RuntimeBroker.exe	RuntimeBroker.exe
PID 5272 set thread context of 3112	5272	RuntimeBroker.exe	RuntimeBroker.exe
PID 5916 set thread context of 4384	5916	RuntimeBroker.exe	RuntimeBroker.exe
PID 1852 set thread context of 5856	1852	RuntimeBroker.exe	RuntimeBroker.exe
PID 452 set thread context of 2876	452	RuntimeBroker.exe	RuntimeBroker.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 11 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

RuntimeBroker.exeRuntimeBroker.exeRuntimeBroker.exeRuntimeBroker.exeRuntimeBroker.exeRuntimeBroker.exeRuntimeBroker.exeRuntimeBroker.exeRuntimeBroker.exeRuntimeBroker.exeRuntimeBroker.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RuntimeBroker.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RuntimeBroker.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RuntimeBroker.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RuntimeBroker.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RuntimeBroker.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RuntimeBroker.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RuntimeBroker.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RuntimeBroker.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RuntimeBroker.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RuntimeBroker.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RuntimeBroker.exe

System Network Configuration Discovery: Wi-Fi Discovery 1 TTPs 28 IoCs

Adversaries may search for information about Wi-Fi networks, such as network names and passwords, on compromised systems.

discovery

Wi-Fi Discovery

T1016.002

Processes:

cmd.execmd.execmd.exenetsh.execmd.exenetsh.exenetsh.exenetsh.exenetsh.execmd.exenetsh.execmd.execmd.exenetsh.execmd.execmd.execmd.exenetsh.execmd.exenetsh.execmd.exenetsh.exenetsh.exenetsh.execmd.exenetsh.execmd.exenetsh.exe

pid	process
3008	cmd.exe
5608	cmd.exe
5596	cmd.exe
1804	netsh.exe
1276	cmd.exe
2304	netsh.exe
3616	netsh.exe
1868	netsh.exe
3768	netsh.exe
2832	cmd.exe
1960	netsh.exe
2356	cmd.exe
5872	cmd.exe
4644	netsh.exe
2280	cmd.exe
5736	cmd.exe
3516	cmd.exe
3144	netsh.exe
4784	cmd.exe
3964	netsh.exe
3744	cmd.exe
2060	netsh.exe
2012	netsh.exe
3848	netsh.exe
4732	cmd.exe
1300	netsh.exe
5140	cmd.exe
2620	netsh.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

msedge.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

NTFS ADS 1 IoCs

Processes:

msedge.exe

description ioc process

File opened for modification C:\Users\Admin\Downloads\Rebel.7z:Zone.Identifier msedge.exe

description	ioc	process
File opened for modification	C:\Users\Admin\Downloads\Rebel.7z:Zone.Identifier	msedge.exe

Suspicious behavior: EnumeratesProcesses 34 IoCs

Processes:

msedge.exemsedge.exemsedge.exeidentity_helper.exemsedge.exeRuntimeBroker.exeRuntimeBroker.exe

pid	process
5980	msedge.exe
5980	msedge.exe
3852	msedge.exe
3852	msedge.exe
1304	msedge.exe
1304	msedge.exe
1976	identity_helper.exe
1976	identity_helper.exe
3280	msedge.exe
3280	msedge.exe
3628	RuntimeBroker.exe
3628	RuntimeBroker.exe
3628	RuntimeBroker.exe
3628	RuntimeBroker.exe
3628	RuntimeBroker.exe
3628	RuntimeBroker.exe
3112	RuntimeBroker.exe
3112	RuntimeBroker.exe
3628	RuntimeBroker.exe
3628	RuntimeBroker.exe
3628	RuntimeBroker.exe
3628	RuntimeBroker.exe
3628	RuntimeBroker.exe
3628	RuntimeBroker.exe
3112	RuntimeBroker.exe
3112	RuntimeBroker.exe
3628	RuntimeBroker.exe
3628	RuntimeBroker.exe
3112	RuntimeBroker.exe
3112	RuntimeBroker.exe
3628	RuntimeBroker.exe
3628	RuntimeBroker.exe
3112	RuntimeBroker.exe
3112	RuntimeBroker.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 8 IoCs

Processes:

msedge.exe

pid process

3852 msedge.exe
3852 msedge.exe
3852 msedge.exe
3852 msedge.exe
3852 msedge.exe
3852 msedge.exe
3852 msedge.exe
3852 msedge.exe

Suspicious use of AdjustPrivilegeToken 9 IoCs

Processes:

7zG.exeRuntimeBroker.exeRuntimeBroker.exeRuntimeBroker.exeRuntimeBroker.exeRuntimeBroker.exe

description	pid	process
Token: SeRestorePrivilege	3088	7zG.exe
Token: 35	3088	7zG.exe
Token: SeSecurityPrivilege	3088	7zG.exe
Token: SeSecurityPrivilege	3088	7zG.exe
Token: SeDebugPrivilege	3628	RuntimeBroker.exe
Token: SeDebugPrivilege	3112	RuntimeBroker.exe
Token: SeDebugPrivilege	4384	RuntimeBroker.exe
Token: SeDebugPrivilege	5856	RuntimeBroker.exe
Token: SeDebugPrivilege	2876	RuntimeBroker.exe

Suspicious use of FindShellTrayWindow 64 IoCs

Processes:

msedge.exe

pid	process
3852	msedge.exe
3852	msedge.exe
3852	msedge.exe
3852	msedge.exe
3852	msedge.exe
3852	msedge.exe
3852	msedge.exe
3852	msedge.exe
3852	msedge.exe
3852	msedge.exe
3852	msedge.exe
3852	msedge.exe
3852	msedge.exe
3852	msedge.exe
3852	msedge.exe
3852	msedge.exe
3852	msedge.exe
3852	msedge.exe
3852	msedge.exe
3852	msedge.exe
3852	msedge.exe
3852	msedge.exe
3852	msedge.exe
3852	msedge.exe
3852	msedge.exe
3852	msedge.exe
3852	msedge.exe
3852	msedge.exe
3852	msedge.exe
3852	msedge.exe
3852	msedge.exe
3852	msedge.exe
3852	msedge.exe
3852	msedge.exe
3852	msedge.exe
3852	msedge.exe
3852	msedge.exe
3852	msedge.exe
3852	msedge.exe
3852	msedge.exe
3852	msedge.exe
3852	msedge.exe
3852	msedge.exe
3852	msedge.exe
3852	msedge.exe
3852	msedge.exe
3852	msedge.exe
3852	msedge.exe
3852	msedge.exe
3852	msedge.exe
3852	msedge.exe
3852	msedge.exe
3852	msedge.exe
3852	msedge.exe
3852	msedge.exe
3852	msedge.exe
3852	msedge.exe
3852	msedge.exe
3852	msedge.exe
3852	msedge.exe
3852	msedge.exe
3852	msedge.exe
3852	msedge.exe
3852	msedge.exe

Suspicious use of SendNotifyMessage 16 IoCs

Processes:

msedge.exe

pid	process
3852	msedge.exe
3852	msedge.exe
3852	msedge.exe
3852	msedge.exe
3852	msedge.exe
3852	msedge.exe
3852	msedge.exe
3852	msedge.exe
3852	msedge.exe
3852	msedge.exe
3852	msedge.exe
3852	msedge.exe
3852	msedge.exe
3852	msedge.exe
3852	msedge.exe
3852	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

msedge.exe

description	pid	process	target process
PID 3852 wrote to memory of 6072	3852	msedge.exe	msedge.exe
PID 3852 wrote to memory of 6072	3852	msedge.exe	msedge.exe
PID 3852 wrote to memory of 5560	3852	msedge.exe	msedge.exe
PID 3852 wrote to memory of 5560	3852	msedge.exe	msedge.exe
PID 3852 wrote to memory of 5560	3852	msedge.exe	msedge.exe
PID 3852 wrote to memory of 5560	3852	msedge.exe	msedge.exe
PID 3852 wrote to memory of 5560	3852	msedge.exe	msedge.exe
PID 3852 wrote to memory of 5560	3852	msedge.exe	msedge.exe
PID 3852 wrote to memory of 5560	3852	msedge.exe	msedge.exe
PID 3852 wrote to memory of 5560	3852	msedge.exe	msedge.exe
PID 3852 wrote to memory of 5560	3852	msedge.exe	msedge.exe
PID 3852 wrote to memory of 5560	3852	msedge.exe	msedge.exe
PID 3852 wrote to memory of 5560	3852	msedge.exe	msedge.exe
PID 3852 wrote to memory of 5560	3852	msedge.exe	msedge.exe
PID 3852 wrote to memory of 5560	3852	msedge.exe	msedge.exe
PID 3852 wrote to memory of 5560	3852	msedge.exe	msedge.exe
PID 3852 wrote to memory of 5560	3852	msedge.exe	msedge.exe
PID 3852 wrote to memory of 5560	3852	msedge.exe	msedge.exe
PID 3852 wrote to memory of 5560	3852	msedge.exe	msedge.exe
PID 3852 wrote to memory of 5560	3852	msedge.exe	msedge.exe
PID 3852 wrote to memory of 5560	3852	msedge.exe	msedge.exe
PID 3852 wrote to memory of 5560	3852	msedge.exe	msedge.exe
PID 3852 wrote to memory of 5560	3852	msedge.exe	msedge.exe
PID 3852 wrote to memory of 5560	3852	msedge.exe	msedge.exe
PID 3852 wrote to memory of 5560	3852	msedge.exe	msedge.exe
PID 3852 wrote to memory of 5560	3852	msedge.exe	msedge.exe
PID 3852 wrote to memory of 5560	3852	msedge.exe	msedge.exe
PID 3852 wrote to memory of 5560	3852	msedge.exe	msedge.exe
PID 3852 wrote to memory of 5560	3852	msedge.exe	msedge.exe
PID 3852 wrote to memory of 5560	3852	msedge.exe	msedge.exe
PID 3852 wrote to memory of 5560	3852	msedge.exe	msedge.exe
PID 3852 wrote to memory of 5560	3852	msedge.exe	msedge.exe
PID 3852 wrote to memory of 5560	3852	msedge.exe	msedge.exe
PID 3852 wrote to memory of 5560	3852	msedge.exe	msedge.exe
PID 3852 wrote to memory of 5560	3852	msedge.exe	msedge.exe
PID 3852 wrote to memory of 5560	3852	msedge.exe	msedge.exe
PID 3852 wrote to memory of 5560	3852	msedge.exe	msedge.exe
PID 3852 wrote to memory of 5560	3852	msedge.exe	msedge.exe
PID 3852 wrote to memory of 5560	3852	msedge.exe	msedge.exe
PID 3852 wrote to memory of 5560	3852	msedge.exe	msedge.exe
PID 3852 wrote to memory of 5560	3852	msedge.exe	msedge.exe
PID 3852 wrote to memory of 5560	3852	msedge.exe	msedge.exe
PID 3852 wrote to memory of 5980	3852	msedge.exe	msedge.exe
PID 3852 wrote to memory of 5980	3852	msedge.exe	msedge.exe
PID 3852 wrote to memory of 5456	3852	msedge.exe	msedge.exe
PID 3852 wrote to memory of 5456	3852	msedge.exe	msedge.exe
PID 3852 wrote to memory of 5456	3852	msedge.exe	msedge.exe
PID 3852 wrote to memory of 5456	3852	msedge.exe	msedge.exe
PID 3852 wrote to memory of 5456	3852	msedge.exe	msedge.exe
PID 3852 wrote to memory of 5456	3852	msedge.exe	msedge.exe
PID 3852 wrote to memory of 5456	3852	msedge.exe	msedge.exe
PID 3852 wrote to memory of 5456	3852	msedge.exe	msedge.exe
PID 3852 wrote to memory of 5456	3852	msedge.exe	msedge.exe
PID 3852 wrote to memory of 5456	3852	msedge.exe	msedge.exe
PID 3852 wrote to memory of 5456	3852	msedge.exe	msedge.exe
PID 3852 wrote to memory of 5456	3852	msedge.exe	msedge.exe
PID 3852 wrote to memory of 5456	3852	msedge.exe	msedge.exe
PID 3852 wrote to memory of 5456	3852	msedge.exe	msedge.exe
PID 3852 wrote to memory of 5456	3852	msedge.exe	msedge.exe
PID 3852 wrote to memory of 5456	3852	msedge.exe	msedge.exe
PID 3852 wrote to memory of 5456	3852	msedge.exe	msedge.exe
PID 3852 wrote to memory of 5456	3852	msedge.exe	msedge.exe
PID 3852 wrote to memory of 5456	3852	msedge.exe	msedge.exe
PID 3852 wrote to memory of 5456	3852	msedge.exe	msedge.exe

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://download2260.mediafire.com/8z5me9rbv5egliK0QorznLNdVFQVB2yJPfxkAoNbA9Jzw-XVz8BqZ37CnAA2czOZRNRQVlW8yK_tFkTf0yUA1DRBXPBb71HG_U0jcyIGZkTFbIknUtI5jE0LbUPjFnrbGO8J5IDA_HAtvV-xu65bbK4Zjiebr1B33WjcvM8fLmRdOA/by9n59rwi4ek33p/Rebel.7z
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:3852
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7fffdc493cb8,0x7fffdc493cc8,0x7fffdc493cd8
  2⤵
  PID:6072
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1904,9147085048539585683,9136400026496122749,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1912 /prefetch:2
  2⤵
  PID:5560
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1904,9147085048539585683,9136400026496122749,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2256 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:5980
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1904,9147085048539585683,9136400026496122749,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2740 /prefetch:8
  2⤵
  PID:5456
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1904,9147085048539585683,9136400026496122749,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3308 /prefetch:1
  2⤵
  PID:3128
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1904,9147085048539585683,9136400026496122749,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3332 /prefetch:1
  2⤵
  PID:3420
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1904,9147085048539585683,9136400026496122749,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3876 /prefetch:1
  2⤵
  PID:1248
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1904,9147085048539585683,9136400026496122749,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4108 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1304
- C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1904,9147085048539585683,9136400026496122749,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6072 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1976
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1904,9147085048539585683,9136400026496122749,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5864 /prefetch:1
  2⤵
  PID:340
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1904,9147085048539585683,9136400026496122749,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5796 /prefetch:1
  2⤵
  PID:3900
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1904,9147085048539585683,9136400026496122749,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5320 /prefetch:1
  2⤵
  PID:2268
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1904,9147085048539585683,9136400026496122749,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5108 /prefetch:1
  2⤵
  PID:4660
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1904,9147085048539585683,9136400026496122749,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3380 /prefetch:1
  2⤵
  PID:4024
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1904,9147085048539585683,9136400026496122749,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5000 /prefetch:8
  2⤵
  - NTFS ADS
  - Suspicious behavior: EnumeratesProcesses
  PID:3280

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2732

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:5984

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s NPSMSvc
1⤵
PID:4972

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s DisplayEnhancementService
1⤵
PID:5524

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:5632

C:\Program Files\7-Zip\7zG.exe
"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Desktop\cracked folder virus lolol\" -an -ai#7zMap22072:120:7zEvent6207
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:3088

C:\Users\Admin\Desktop\cracked folder virus lolol\Rebel\RebelCracked.exe
"C:\Users\Admin\Desktop\cracked folder virus lolol\Rebel\RebelCracked.exe"
1⤵
- Executes dropped EXE
PID:5880
- C:\Users\Admin\AppData\Local\RuntimeBroker.exe
  "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  PID:4964
- - C:\Users\Admin\AppData\Local\RuntimeBroker.exe
    "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
    3⤵
    - Executes dropped EXE
    - Drops desktop.ini file(s)
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:3628
  - - C:\Windows\SysWOW64\cmd.exe
      "cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All
      4⤵
      System Network Configuration Discovery: Wi-Fi Discovery
      PID:2280
    - - C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        5⤵
        
        PID:3856
    - - C:\Windows\SysWOW64\netsh.exe
        
        netsh wlan show profile
        5⤵
        System Network Configuration Discovery: Wi-Fi Discovery
        
        PID:1868
    - - C:\Windows\SysWOW64\findstr.exe
        
        findstr All
        5⤵
        
        PID:848
  - - C:\Windows\SysWOW64\cmd.exe
      "cmd.exe" /C chcp 65001 && netsh wlan show networks mode=bssid
      4⤵
      PID:1492
    - - C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        5⤵
        
        PID:5176
    - - C:\Windows\SysWOW64\netsh.exe
        
        netsh wlan show networks mode=bssid
        5⤵
        
        PID:2704
- C:\Users\Admin\Desktop\cracked folder virus lolol\Rebel\RebelCracked.exe
  "C:\Users\Admin\Desktop\cracked folder virus lolol\Rebel\RebelCracked.exe"
  2⤵
  - Executes dropped EXE
  PID:1436
- - C:\Users\Admin\AppData\Local\RuntimeBroker.exe
    "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    PID:5272
  - - C:\Users\Admin\AppData\Local\RuntimeBroker.exe
      "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
      4⤵
      Executes dropped EXE
      Drops desktop.ini file(s)
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:3112
    - - C:\Windows\SysWOW64\cmd.exe
        
        "cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All
        5⤵
        System Network Configuration Discovery: Wi-Fi Discovery
        
        PID:5140
      - C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        6⤵
        
        PID:1960
      - C:\Windows\SysWOW64\netsh.exe
        
        netsh wlan show profile
        6⤵
        System Network Configuration Discovery: Wi-Fi Discovery
        
        PID:2620
      - C:\Windows\SysWOW64\findstr.exe
        
        findstr All
        6⤵
        
        PID:3968
    - - C:\Windows\SysWOW64\cmd.exe
        
        "cmd.exe" /C chcp 65001 && netsh wlan show networks mode=bssid
        5⤵
        
        PID:4716
      - C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        6⤵
        
        PID:776
      - C:\Windows\SysWOW64\netsh.exe
        
        netsh wlan show networks mode=bssid
        6⤵
        
        PID:5024
- - C:\Users\Admin\Desktop\cracked folder virus lolol\Rebel\RebelCracked.exe
    "C:\Users\Admin\Desktop\cracked folder virus lolol\Rebel\RebelCracked.exe"
    3⤵
    - Executes dropped EXE
    PID:3036
  - - C:\Users\Admin\AppData\Local\RuntimeBroker.exe
      "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of SetThreadContext
      System Location Discovery: System Language Discovery
      PID:5916
    - - C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:4384
      - C:\Windows\SysWOW64\cmd.exe
        
        "cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All
        6⤵
        System Network Configuration Discovery: Wi-Fi Discovery
        
        PID:4784
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        7⤵
        
        PID:5800
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh wlan show profile
        7⤵
        System Network Configuration Discovery: Wi-Fi Discovery
        
        PID:3964
        
        C:\Windows\SysWOW64\findstr.exe
        
        findstr All
        7⤵
        
        PID:3012
      - C:\Windows\SysWOW64\cmd.exe
        
        "cmd.exe" /C chcp 65001 && netsh wlan show networks mode=bssid
        6⤵
        
        PID:5344
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        7⤵
        
        PID:5412
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh wlan show networks mode=bssid
        7⤵
        
        PID:3364
  - - C:\Users\Admin\Desktop\cracked folder virus lolol\Rebel\RebelCracked.exe
      "C:\Users\Admin\Desktop\cracked folder virus lolol\Rebel\RebelCracked.exe"
      4⤵
      Executes dropped EXE
      PID:4160
    - - C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:1852
      - C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:5856
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All
        7⤵
        System Network Configuration Discovery: Wi-Fi Discovery
        
        PID:5596
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        8⤵
        
        PID:6012
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh wlan show profile
        8⤵
        System Network Configuration Discovery: Wi-Fi Discovery
        
        PID:1300
        
        C:\Windows\SysWOW64\findstr.exe
        
        findstr All
        8⤵
        
        PID:5428
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd.exe" /C chcp 65001 && netsh wlan show networks mode=bssid
        7⤵
        
        PID:3048
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        8⤵
        
        PID:4112
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh wlan show networks mode=bssid
        8⤵
        
        PID:3736
    - - C:\Users\Admin\Desktop\cracked folder virus lolol\Rebel\RebelCracked.exe
        
        "C:\Users\Admin\Desktop\cracked folder virus lolol\Rebel\RebelCracked.exe"
        5⤵
        Executes dropped EXE
        
        PID:2824
      - C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        6⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:452
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        7⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:2876
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All
        8⤵
        System Network Configuration Discovery: Wi-Fi Discovery
        
        PID:2356
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        9⤵
        
        PID:3292
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh wlan show profile
        9⤵
        System Network Configuration Discovery: Wi-Fi Discovery
        
        PID:1804
        
        C:\Windows\SysWOW64\findstr.exe
        
        findstr All
        9⤵
        
        PID:3096
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd.exe" /C chcp 65001 && netsh wlan show networks mode=bssid
        8⤵
        
        PID:5560
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        9⤵
        
        PID:1300
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh wlan show networks mode=bssid
        9⤵
        
        PID:5688
      - C:\Users\Admin\Desktop\cracked folder virus lolol\Rebel\RebelCracked.exe
        
        "C:\Users\Admin\Desktop\cracked folder virus lolol\Rebel\RebelCracked.exe"
        6⤵
        Executes dropped EXE
        
        PID:2704
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        7⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:5076
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        8⤵
        
        PID:5088
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All
        9⤵
        System Network Configuration Discovery: Wi-Fi Discovery
        
        PID:2832
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        10⤵
        
        PID:2532
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh wlan show profile
        10⤵
        System Network Configuration Discovery: Wi-Fi Discovery
        
        PID:1960
        
        C:\Windows\SysWOW64\findstr.exe
        
        findstr All
        10⤵
        
        PID:4188
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd.exe" /C chcp 65001 && netsh wlan show networks mode=bssid
        9⤵
        
        PID:1196
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        10⤵
        
        PID:248
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh wlan show networks mode=bssid
        10⤵
        
        PID:4604
        
        C:\Users\Admin\Desktop\cracked folder virus lolol\Rebel\RebelCracked.exe
        
        "C:\Users\Admin\Desktop\cracked folder virus lolol\Rebel\RebelCracked.exe"
        7⤵
        
        PID:5632
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        8⤵
        
        PID:4888
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        9⤵
        
        PID:1596
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All
        10⤵
        System Network Configuration Discovery: Wi-Fi Discovery
        
        PID:3516
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        11⤵
        
        PID:2716
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh wlan show profile
        11⤵
        System Network Configuration Discovery: Wi-Fi Discovery
        
        PID:2060
        
        C:\Windows\SysWOW64\findstr.exe
        
        findstr All
        11⤵
        
        PID:5244
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd.exe" /C chcp 65001 && netsh wlan show networks mode=bssid
        10⤵
        
        PID:2904
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        11⤵
        
        PID:124
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh wlan show networks mode=bssid
        11⤵
        
        PID:5060
        
        C:\Users\Admin\Desktop\cracked folder virus lolol\Rebel\RebelCracked.exe
        
        "C:\Users\Admin\Desktop\cracked folder virus lolol\Rebel\RebelCracked.exe"
        8⤵
        
        PID:4964
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        9⤵
        
        PID:4856
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        10⤵
        
        PID:5084
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All
        11⤵
        System Network Configuration Discovery: Wi-Fi Discovery
        
        PID:3744
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        12⤵
        
        PID:4784
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh wlan show profile
        12⤵
        System Network Configuration Discovery: Wi-Fi Discovery
        
        PID:2012
        
        C:\Windows\SysWOW64\findstr.exe
        
        findstr All
        12⤵
        
        PID:5980
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd.exe" /C chcp 65001 && netsh wlan show networks mode=bssid
        11⤵
        
        PID:4968
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        12⤵
        
        PID:4588
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh wlan show networks mode=bssid
        12⤵
        
        PID:5528
        
        C:\Users\Admin\Desktop\cracked folder virus lolol\Rebel\RebelCracked.exe
        
        "C:\Users\Admin\Desktop\cracked folder virus lolol\Rebel\RebelCracked.exe"
        9⤵
        
        PID:452
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        10⤵
        
        PID:5852
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        11⤵
        
        PID:4076
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        11⤵
        
        PID:4984
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        11⤵
        
        PID:2160
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        11⤵
        
        PID:4416
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        11⤵
        
        PID:868
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All
        12⤵
        System Network Configuration Discovery: Wi-Fi Discovery
        
        PID:3008
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        13⤵
        
        PID:2608
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh wlan show profile
        13⤵
        System Network Configuration Discovery: Wi-Fi Discovery
        
        PID:3768
        
        C:\Windows\SysWOW64\findstr.exe
        
        findstr All
        13⤵
        
        PID:2832
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd.exe" /C chcp 65001 && netsh wlan show networks mode=bssid
        12⤵
        
        PID:4988
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        13⤵
        
        PID:4696
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh wlan show networks mode=bssid
        13⤵
        
        PID:736
        
        C:\Users\Admin\Desktop\cracked folder virus lolol\Rebel\RebelCracked.exe
        
        "C:\Users\Admin\Desktop\cracked folder virus lolol\Rebel\RebelCracked.exe"
        10⤵
        
        PID:5700
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        11⤵
        
        PID:1032
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        12⤵
        
        PID:3560
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All
        13⤵
        System Network Configuration Discovery: Wi-Fi Discovery
        
        PID:5736
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        14⤵
        
        PID:4220
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh wlan show profile
        14⤵
        System Network Configuration Discovery: Wi-Fi Discovery
        
        PID:2304
        
        C:\Windows\SysWOW64\findstr.exe
        
        findstr All
        14⤵
        
        PID:2412
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd.exe" /C chcp 65001 && netsh wlan show networks mode=bssid
        13⤵
        
        PID:2960
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        14⤵
        
        PID:4144
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh wlan show networks mode=bssid
        14⤵
        
        PID:2300
        
        C:\Users\Admin\Desktop\cracked folder virus lolol\Rebel\RebelCracked.exe
        
        "C:\Users\Admin\Desktop\cracked folder virus lolol\Rebel\RebelCracked.exe"
        11⤵
        
        PID:816
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        12⤵
        
        PID:4780
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        13⤵
        
        PID:3916
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        13⤵
        
        PID:2596
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All
        14⤵
        System Network Configuration Discovery: Wi-Fi Discovery
        
        PID:5608
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        15⤵
        
        PID:1144
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh wlan show profile
        15⤵
        System Network Configuration Discovery: Wi-Fi Discovery
        
        PID:3848
        
        C:\Windows\SysWOW64\findstr.exe
        
        findstr All
        15⤵
        
        PID:4804
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd.exe" /C chcp 65001 && netsh wlan show networks mode=bssid
        14⤵
        
        PID:5360
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        15⤵
        
        PID:5872
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh wlan show networks mode=bssid
        15⤵
        
        PID:1756
        
        C:\Users\Admin\Desktop\cracked folder virus lolol\Rebel\RebelCracked.exe
        
        "C:\Users\Admin\Desktop\cracked folder virus lolol\Rebel\RebelCracked.exe"
        12⤵
        
        PID:1940
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        13⤵
        
        PID:2768
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        14⤵
        
        PID:1372
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All
        15⤵
        System Network Configuration Discovery: Wi-Fi Discovery
        
        PID:5872
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        16⤵
        
        PID:3360
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh wlan show profile
        16⤵
        System Network Configuration Discovery: Wi-Fi Discovery
        
        PID:3144
        
        C:\Windows\SysWOW64\findstr.exe
        
        findstr All
        16⤵
        
        PID:4876
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd.exe" /C chcp 65001 && netsh wlan show networks mode=bssid
        15⤵
        
        PID:4408
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        16⤵
        
        PID:4832
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh wlan show networks mode=bssid
        16⤵
        
        PID:5516
        
        C:\Users\Admin\Desktop\cracked folder virus lolol\Rebel\RebelCracked.exe
        
        "C:\Users\Admin\Desktop\cracked folder virus lolol\Rebel\RebelCracked.exe"
        13⤵
        
        PID:5556
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        14⤵
        
        PID:5516
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        15⤵
        
        PID:476
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All
        16⤵
        System Network Configuration Discovery: Wi-Fi Discovery
        
        PID:4732
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        17⤵
        
        PID:236
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh wlan show profile
        17⤵
        System Network Configuration Discovery: Wi-Fi Discovery
        
        PID:4644
        
        C:\Windows\SysWOW64\findstr.exe
        
        findstr All
        17⤵
        
        PID:2716
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd.exe" /C chcp 65001 && netsh wlan show networks mode=bssid
        16⤵
        
        PID:1316
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        17⤵
        
        PID:5060
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh wlan show networks mode=bssid
        17⤵
        
        PID:3144
        
        C:\Users\Admin\Desktop\cracked folder virus lolol\Rebel\RebelCracked.exe
        
        "C:\Users\Admin\Desktop\cracked folder virus lolol\Rebel\RebelCracked.exe"
        14⤵
        
        PID:2264
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        15⤵
        
        PID:5104
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        16⤵
        
        PID:900
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All
        17⤵
        System Network Configuration Discovery: Wi-Fi Discovery
        
        PID:1276
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        18⤵
        
        PID:2276
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh wlan show profile
        18⤵
        System Network Configuration Discovery: Wi-Fi Discovery
        
        PID:3616
        
        C:\Windows\SysWOW64\findstr.exe
        
        findstr All
        18⤵
        
        PID:1548
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd.exe" /C chcp 65001 && netsh wlan show networks mode=bssid
        17⤵
        
        PID:3848
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        18⤵
        
        PID:2824
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh wlan show networks mode=bssid
        18⤵
        
        PID:5876
        
        C:\Users\Admin\Desktop\cracked folder virus lolol\Rebel\RebelCracked.exe
        
        "C:\Users\Admin\Desktop\cracked folder virus lolol\Rebel\RebelCracked.exe"
        15⤵
        
        PID:1600
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        16⤵
        
        PID:3156
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        17⤵
        
        PID:3176
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        17⤵
        
        PID:4680
        
        C:\Users\Admin\Desktop\cracked folder virus lolol\Rebel\RebelCracked.exe
        
        "C:\Users\Admin\Desktop\cracked folder virus lolol\Rebel\RebelCracked.exe"
        16⤵
        
        PID:5364
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        17⤵
        
        PID:992
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        18⤵
        
        PID:1956
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        18⤵
        
        PID:3568
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        18⤵
        
        PID:4252
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        18⤵
        
        PID:5008
        
        C:\Users\Admin\Desktop\cracked folder virus lolol\Rebel\RebelCracked.exe
        
        "C:\Users\Admin\Desktop\cracked folder virus lolol\Rebel\RebelCracked.exe"
        17⤵
        
        PID:2304
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        18⤵
        
        PID:32
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        19⤵
        
        PID:5340
        
        C:\Users\Admin\Desktop\cracked folder virus lolol\Rebel\RebelCracked.exe
        
        "C:\Users\Admin\Desktop\cracked folder virus lolol\Rebel\RebelCracked.exe"
        18⤵
        
        PID:3008
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        19⤵
        
        PID:5804
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        20⤵
        
        PID:4564
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        20⤵
        
        PID:2504
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        20⤵
        
        PID:4716
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        20⤵
        
        PID:4080
        
        C:\Users\Admin\Desktop\cracked folder virus lolol\Rebel\RebelCracked.exe
        
        "C:\Users\Admin\Desktop\cracked folder virus lolol\Rebel\RebelCracked.exe"
        19⤵
        
        PID:1340
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        20⤵
        
        PID:4372
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        21⤵
        
        PID:1528
        
        C:\Users\Admin\Desktop\cracked folder virus lolol\Rebel\RebelCracked.exe
        
        "C:\Users\Admin\Desktop\cracked folder virus lolol\Rebel\RebelCracked.exe"
        20⤵
        
        PID:3304
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        21⤵
        
        PID:3040
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        22⤵
        
        PID:4872
        
        C:\Users\Admin\Desktop\cracked folder virus lolol\Rebel\RebelCracked.exe
        
        "C:\Users\Admin\Desktop\cracked folder virus lolol\Rebel\RebelCracked.exe"
        21⤵
        
        PID:984
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        22⤵
        
        PID:2264
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        23⤵
        
        PID:1436
        
        C:\Users\Admin\Desktop\cracked folder virus lolol\Rebel\RebelCracked.exe
        
        "C:\Users\Admin\Desktop\cracked folder virus lolol\Rebel\RebelCracked.exe"
        22⤵
        
        PID:4528
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        23⤵
        
        PID:984
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        24⤵
        
        PID:4960
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        24⤵
        
        PID:5464
        
        C:\Users\Admin\Desktop\cracked folder virus lolol\Rebel\RebelCracked.exe
        
        "C:\Users\Admin\Desktop\cracked folder virus lolol\Rebel\RebelCracked.exe"
        23⤵
        
        PID:2992
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        24⤵
        
        PID:4024
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        25⤵
        
        PID:3972
        
        C:\Users\Admin\Desktop\cracked folder virus lolol\Rebel\RebelCracked.exe
        
        "C:\Users\Admin\Desktop\cracked folder virus lolol\Rebel\RebelCracked.exe"
        24⤵
        
        PID:3012
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        25⤵
        
        PID:1196
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        26⤵
        
        PID:2904
        
        C:\Users\Admin\Desktop\cracked folder virus lolol\Rebel\RebelCracked.exe
        
        "C:\Users\Admin\Desktop\cracked folder virus lolol\Rebel\RebelCracked.exe"
        25⤵
        
        PID:6136
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        26⤵
        
        PID:2980
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        27⤵
        
        PID:5816
        
        C:\Users\Admin\Desktop\cracked folder virus lolol\Rebel\RebelCracked.exe
        
        "C:\Users\Admin\Desktop\cracked folder virus lolol\Rebel\RebelCracked.exe"
        26⤵
        
        PID:6012
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        27⤵
        
        PID:4000
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        28⤵
        
        PID:4256
        
        C:\Users\Admin\Desktop\cracked folder virus lolol\Rebel\RebelCracked.exe
        
        "C:\Users\Admin\Desktop\cracked folder virus lolol\Rebel\RebelCracked.exe"
        27⤵
        
        PID:940

C:\Users\Admin\Desktop\cracked folder virus lolol\Rebel\Bin\Injector.exe
"C:\Users\Admin\Desktop\cracked folder virus lolol\Rebel\Bin\Injector.exe"
1⤵
PID:2620

C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe
"C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe"
1⤵
PID:2164

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s fdPHost
1⤵
PID:3632

C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe
"C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe"
1⤵
PID:4308

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

System Network Configuration Discovery

T1016

Wi-Fi Discovery

T1016.002

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\387181ecd0ed91a1843a1fb6f03f0723\Admin@ZFKGDPGJ_en-US\System\Process.txt

Filesize
317B

MD5
73898f8c6a3de051e4c8d45f66e2f008

SHA1
96311fe38cd63f48804c035acc3c611d2cabadd5

SHA256
a18a0ce2762fa6d8855ec68fc02fbe5997b537d081bb38c921b4b2aeab1dc805

SHA512
9239ab14dde1afb722ff064b23c136973a8ada6a35bb08ff95e1fb9742b95e672275223e6a0052ecefbac1056f5f718ca187a8af888e228d4acca13c8c6f2756

Download Submit
C:\Users\Admin\AppData\Local\387181ecd0ed91a1843a1fb6f03f0723\Admin@ZFKGDPGJ_en-US\System\Process.txt

Filesize
4KB

MD5
d2cbfd640c1b4e86ec2dc104d5744c9b

SHA1
433d67af278b962f3fd5d442ab24d96637fe69ea

SHA256
ab3614fad7b451a1a2de8efa0276b3235a27c7420d9c29505e6ae57f0dbd7681

SHA512
3f7d6b8fb069ade1119169f0f06e14c24800f89ad1b5e1d9f839273cfa9a0352b4c554e213afa1ad82fbb776b9a7e170c719c2ce2ebb998a2b57d67c0664d65f

Download Submit
C:\Users\Admin\AppData\Local\42dd8ae398c2c328bbe4e07bc2461c08\Admin@ZFKGDPGJ_en-US\Directories\Temp.txt

Filesize
6KB

MD5
589a2182aa554bb13c9b6d50668e8d4d

SHA1
fbec0f17015f1e0c5d467bd33f891e10fec76aff

SHA256
ad173fc59ab411e0d0c16aa5568c69129ad36807aea7621dd319bbbf5dddf130

SHA512
b8fb9b387f8ccd74ca0d473ce631d5ed8510eb474784840f4bb7b7895bc72204c5831505e7dd753fba21bae2388931cdf5325a00bfeccffcd6148b2659190f0e

Download Submit
C:\Users\Admin\AppData\Local\42dd8ae398c2c328bbe4e07bc2461c08\Admin@ZFKGDPGJ_en-US\System\Process.txt

Filesize
4KB

MD5
ff46b1b94ff86aa9f3d3f4d266eed955

SHA1
d8bbd57f720fb70a65e61599412b8dfbe1be5beb

SHA256
b1a6f37858d462be3c559d5d7eeb9199794469d2cdfb2496dd3cbf55f9c2d4e0

SHA512
df055c5599db38ed03fdb58304524d6c1886254bca2a90744f5b5b0aca84e058924369a543161fdb70f2ac9ef6d521d2841dd10fee272cd4fd006122117680cb

Download Submit
C:\Users\Admin\AppData\Local\42dd8ae398c2c328bbe4e07bc2461c08\Admin@ZFKGDPGJ_en-US\System\WorldWind.jpg

Filesize
97KB

MD5
4c0cbde82a74a7a033daa3a258e67ce0

SHA1
dc20e3602b67f66945b015a6372aa4c3d6a0d360

SHA256
f7f80a5bc726a8f5873aa6ffa85f12e141200229eaf4997fa37ad8d8694e746a

SHA512
73b903f00aa72f63beddf54d32297e2155e5eadcaaff0d2b3be152dfa98f66adc21a3dfeea03fa8b9069d6b3e3144de91d42c4b68a102fc0ce5d10239b537088

Download Submit
C:\Users\Admin\AppData\Local\5e02335600795c46d261a189ea9ab23c\Admin@ZFKGDPGJ_en-US\Directories\Desktop.txt

Filesize
716B

MD5
25e775a466c7cc35d7b4550db9d7fe3f

SHA1
c0b6eb02509b2869358aa22312432b44df258a4f

SHA256
0c01f47ba1a736ff9216269232ea1bd2ab1ccf4af3275801254f7698130a9541

SHA512
c6fc50d4591c8e62eb035a09454159f0892b79d95337275ce4708eaa465517587ab88b7b912df30aa1da4007d796b91c844761e1c4d0bf253beb2b5a08613509

Download Submit
C:\Users\Admin\AppData\Local\5e02335600795c46d261a189ea9ab23c\Admin@ZFKGDPGJ_en-US\Directories\Documents.txt

Filesize
854B

MD5
5e212215ff0b20db4838f827b6819eed

SHA1
7ee102215e14742e254a21e056941b0d4c44737f

SHA256
37d2877bf4a97f1461237e1c4651f408fe92e70123e2d4f79254007cdfae9002

SHA512
3e61ed41ebddecf3b66051a842873029475de6bb5ad3daec481dbf566078da13b9a08390869f7dd60ee7a201eaa7dcd2b75e4464def52dd77140ca2f942033ee

Download Submit
C:\Users\Admin\AppData\Local\5e02335600795c46d261a189ea9ab23c\Admin@ZFKGDPGJ_en-US\Directories\Downloads.txt

Filesize
746B

MD5
6e4856d37df099dbb52ea02cfb1bec9e

SHA1
37845239df81dcee3fcdd8bf795906937c93af03

SHA256
90e6942a7820db889e634f72af29cefc528a775de8629f39600304e7160c2855

SHA512
b434311ea26476a19de5cfe32b14abc346874a4ecb2dc10d66d9ac671acaa90bd7a3704264d4625a101b0525492d3ca7002f92bcf130c4f9940baa29e15e124a

Download Submit
C:\Users\Admin\AppData\Local\5e02335600795c46d261a189ea9ab23c\Admin@ZFKGDPGJ_en-US\Directories\OneDrive.txt

Filesize
25B

MD5
966247eb3ee749e21597d73c4176bd52

SHA1
1e9e63c2872cef8f015d4b888eb9f81b00a35c79

SHA256
8ddfc481b1b6ae30815ecce8a73755862f24b3bb7fdebdbf099e037d53eb082e

SHA512
bd30aec68c070e86e3dec787ed26dd3d6b7d33d83e43cb2d50f9e2cff779fee4c96afbbe170443bd62874073a844beb29a69b10c72c54d7d444a8d86cfd7b5aa

Download Submit
C:\Users\Admin\AppData\Local\5e02335600795c46d261a189ea9ab23c\Admin@ZFKGDPGJ_en-US\Directories\Pictures.txt

Filesize
530B

MD5
75ccc23e9e7fd1be092aaf2613187443

SHA1
7e4546cf157800d58451db44b92a1081d901fa16

SHA256
0a59b3aa881e929b3e68dc15e5df565d072bf48bc670a571e4bcf8cf7c97c2f9

SHA512
ddd34a269845ea13c1e314baf18cbb7e28e8b18f10158d3acabf656b2ceec65f21de068baed7e54621e70fb45defc793b770ff48906f93d3195e528abaef94cc

Download Submit
C:\Users\Admin\AppData\Local\5e02335600795c46d261a189ea9ab23c\Admin@ZFKGDPGJ_en-US\Directories\Startup.txt

Filesize
24B

MD5
68c93da4981d591704cea7b71cebfb97

SHA1
fd0f8d97463cd33892cc828b4ad04e03fc014fa6

SHA256
889ed51f9c16a4b989bda57957d3e132b1a9c117ee84e208207f2fa208a59483

SHA512
63455c726b55f2d4de87147a75ff04f2daa35278183969ccf185d23707840dd84363bec20d4e8c56252196ce555001ca0e61b3f4887d27577081fdef9e946402

Download Submit
C:\Users\Admin\AppData\Local\5e02335600795c46d261a189ea9ab23c\Admin@ZFKGDPGJ_en-US\Directories\Temp.txt

Filesize
3KB

MD5
1c38637d971b2fe6e0a00da9f730c853

SHA1
2b9348cd20d2d4f6070978598b7d6b67b41fce47

SHA256
df4675fb454ce23608ee977d0688be673e178b592f79cc8a9ac03159f02f8c5f

SHA512
9fd5eb36434e21e1588930032a861920b93ee70b93d49e494dd71eae405bf3109a557174b990f8dbb46a6b99c0b513dca3ce9c0dbea2f0524211aefbee4035a4

Download Submit
C:\Users\Admin\AppData\Local\5e02335600795c46d261a189ea9ab23c\Admin@ZFKGDPGJ_en-US\Directories\Videos.txt

Filesize
23B

MD5
1fddbf1169b6c75898b86e7e24bc7c1f

SHA1
d2091060cb5191ff70eb99c0088c182e80c20f8c

SHA256
a67aa329b7d878de61671e18cd2f4b011d11cbac67ea779818c6dafad2d70733

SHA512
20bfeafde7fec1753fef59de467bd4a3dd7fe627e8c44e95fe62b065a5768c4508e886ec5d898e911a28cf6365f455c9ab1ebe2386d17a76f53037f99061fd4d

Download Submit
C:\Users\Admin\AppData\Local\5e02335600795c46d261a189ea9ab23c\Admin@ZFKGDPGJ_en-US\Grabber\DRIVE-C\Users\Admin\Desktop\desktop.ini

Filesize
282B

MD5
9e36cc3537ee9ee1e3b10fa4e761045b

SHA1
7726f55012e1e26cc762c9982e7c6c54ca7bb303

SHA256
4b9d687ac625690fd026ed4b236dad1cac90ef69e7ad256cc42766a065b50026

SHA512
5f92493c533d3add10b4ce2a364624817ebd10e32daa45ee16593e913073602db5e339430a3f7d2c44abf250e96ca4e679f1f09f8ca807d58a47cf3d5c9c3790

Download Submit
C:\Users\Admin\AppData\Local\5e02335600795c46d261a189ea9ab23c\Admin@ZFKGDPGJ_en-US\Grabber\DRIVE-C\Users\Admin\Documents\desktop.ini

Filesize
402B

MD5
ecf88f261853fe08d58e2e903220da14

SHA1
f72807a9e081906654ae196605e681d5938a2e6c

SHA256
cafec240d998e4b6e92ad1329cd417e8e9cbd73157488889fd93a542de4a4844

SHA512
82c1c3dd163fbf7111c7ef5043b009dafc320c0c5e088dec16c835352c5ffb7d03c5829f65a9ff1dc357bae97e8d2f9c3fc1e531fe193e84811fb8c62888a36b

Download Submit
C:\Users\Admin\AppData\Local\5e02335600795c46d261a189ea9ab23c\Admin@ZFKGDPGJ_en-US\Grabber\DRIVE-C\Users\Admin\Downloads\desktop.ini

Filesize
282B

MD5
3a37312509712d4e12d27240137ff377

SHA1
30ced927e23b584725cf16351394175a6d2a9577

SHA256
b029393ea7b7cf644fb1c9f984f57c1980077562ee2e15d0ffd049c4c48098d3

SHA512
dbb9abe70f8a781d141a71651a62a3a743c71a75a8305e9d23af92f7307fb639dc4a85499115885e2a781b040cbb7613f582544c2d6de521e588531e9c294b05

Download Submit
C:\Users\Admin\AppData\Local\5e02335600795c46d261a189ea9ab23c\Admin@ZFKGDPGJ_en-US\Grabber\DRIVE-C\Users\Admin\Pictures\Camera Roll\desktop.ini

Filesize
190B

MD5
d48fce44e0f298e5db52fd5894502727

SHA1
fce1e65756138a3ca4eaaf8f7642867205b44897

SHA256
231a08caba1f9ba9f14bd3e46834288f3c351079fcedda15e391b724ac0c7ea8

SHA512
a1c0378db4e6dac9a8638586f6797bad877769d76334b976779cd90324029d755fb466260ef27bd1e7f9fdf97696cd8cd1318377970a1b5bf340efb12a4feb4a

Download Submit
C:\Users\Admin\AppData\Local\5e02335600795c46d261a189ea9ab23c\Admin@ZFKGDPGJ_en-US\Grabber\DRIVE-C\Users\Admin\Pictures\Saved Pictures\desktop.ini

Filesize
190B

MD5
87a524a2f34307c674dba10708585a5e

SHA1
e0508c3f1496073b9f6f9ecb2fb01cb91f9e8201

SHA256
d01a7ef6233ef4ab3ea7210c0f2837931d334a20ae4d2a05ed03291e59e576c9

SHA512
7cfa6d47190075e1209fb081e36ed7e50e735c9682bfb482dbf5a36746abdad0dccfdb8803ef5042e155e8c1f326770f3c8f7aa32ce66cf3b47cd13781884c38

Download Submit
C:\Users\Admin\AppData\Local\5e02335600795c46d261a189ea9ab23c\Admin@ZFKGDPGJ_en-US\Grabber\DRIVE-C\Users\Admin\Pictures\desktop.ini

Filesize
504B

MD5
29eae335b77f438e05594d86a6ca22ff

SHA1
d62ccc830c249de6b6532381b4c16a5f17f95d89

SHA256
88856962cef670c087eda4e07d8f78465beeabb6143b96bd90f884a80af925b4

SHA512
5d2d05403b39675b9a751c8eed4f86be58cb12431afec56946581cb116b9ae1014ab9334082740be5b4de4a25e190fe76de071ef1b9074186781477919eb3c17

Download Submit
C:\Users\Admin\AppData\Local\5e02335600795c46d261a189ea9ab23c\Admin@ZFKGDPGJ_en-US\System\Process.txt

Filesize
4KB

MD5
c774a48c914497897f1ee9a02ff7b05a

SHA1
f4f22fea59b4b322fa7069dc8a5def1a65a8da7d

SHA256
dfd67c08cef6fcfd7bdc4f2a5573f3459bde9758c892d0796d634fa7d0e61802

SHA512
9c41e1e628aa7a7b324dd69f32c84118823efdebbdbf0ba42e6098b1ca61c7a1a9a2067ee0d22170947cbebb94b716e15a20e027d23d09549a1fff1e66bf4c94

Download Submit
C:\Users\Admin\AppData\Local\5e02335600795c46d261a189ea9ab23c\Admin@ZFKGDPGJ_en-US\System\Process.txt

Filesize
64B

MD5
9b7a656b78bf793d60fdf8c592e746e6

SHA1
65c3c76c7df140f7e50ec38cb74b6115c25b0789

SHA256
c82f54709a387cdfedb8770ad1eeb62e7eef560316925e6069a8d599e61613d4

SHA512
d9725f1aa229b0fd11474ad097d7e5d36eca4ca7739c378daa3afb22482c39349dd816901962d45238bbf3422479ec01740de5a6953622359c82c2368eb02b76

Download Submit
C:\Users\Admin\AppData\Local\5e02335600795c46d261a189ea9ab23c\Admin@ZFKGDPGJ_en-US\System\Process.txt

Filesize
127B

MD5
74a76e111394be0909ad3708ababad13

SHA1
f26680eafec2a70f7e9a3b3dc5bdd39989b3e908

SHA256
0a44d52b9d5700d70aa402e78a04d3c2756e707875151c1642ca26902ca7063d

SHA512
e41c893c9f4abc9506461ac5d184a06ded9f86cf6ebeba498780f93effa6be410327814603605bfeacf6c30b58e773bfd54a9ce549e232b6356e42d0a85dc46d

Download Submit
C:\Users\Admin\AppData\Local\5e02335600795c46d261a189ea9ab23c\Admin@ZFKGDPGJ_en-US\System\Process.txt

Filesize
255B

MD5
5e475a9d5d66af1516921bbdbf619742

SHA1
c0153c672d159d05d6369f3a6024aacdb3527f7c

SHA256
2e71c3711b1267d8c2e8819b841a28e2bc36242c830d1f884fa3852a8b0a2d3f

SHA512
002383ab53dd699265b4c24d0a95e5c95401fe8dbf60d884f60cdae19fcfcca0ccd13bceba317b24e0b0d545af47f73d84add6ff4e7106b12156e67213d9cec0

Download Submit
C:\Users\Admin\AppData\Local\5e02335600795c46d261a189ea9ab23c\Admin@ZFKGDPGJ_en-US\System\Process.txt

Filesize
318B

MD5
2809ccc4ebed733b54476dbdbc1386cb

SHA1
1148d80202b75b8796d95b45e0c78bfc2bb53fd6

SHA256
44bb5976cab4a752cac966dbc5abdb9a1fd5c1edc38c764356c57c22186fa264

SHA512
3947a6c1805cf589ca5781bd9517a622fd46cc9798ec904a4b5d868c1fdab10378ed07d18364159f12f355baeaa0ed07e33dde66d18458d261905800b8e388f3

Download Submit
C:\Users\Admin\AppData\Local\5e02335600795c46d261a189ea9ab23c\Admin@ZFKGDPGJ_en-US\System\Process.txt

Filesize
382B

MD5
c0f41740ed53a9da664795c2a6197b98

SHA1
1d168450c5a56da5db7ab9a9f14941b2d7f74dfb

SHA256
5e2742c641c28dd6c51233f30196d0d0568c4d2a68c71b379fd3d2efc754f600

SHA512
d699ff113fd5a69562da38ff88ba957eea3dbea27df0751716ee1bfa4510a4706823479e05a768bd446b844698fb1f8b9ae00cb82593b30db1925f529571ce3e

Download Submit
C:\Users\Admin\AppData\Local\5e02335600795c46d261a189ea9ab23c\Admin@ZFKGDPGJ_en-US\System\Process.txt

Filesize
496B

MD5
e058975663175d0b2530099a48bf964f

SHA1
f39a41e038af13722b5041c71a7aa442656fd878

SHA256
124283b535d2ef52bba3c4e4184a263ba0203a8311d168e0b082ee0101e50924

SHA512
4f88a86d90a440f56d6fdd2f8e5e5fb35bf0e276b0c3b60b914d1a14b5049d4b95c8e8a5b7e2e3591c1c3d900bc614315d52fe12d68e928b525eaee4dd975142

Download Submit
C:\Users\Admin\AppData\Local\5e02335600795c46d261a189ea9ab23c\Admin@ZFKGDPGJ_en-US\System\Process.txt

Filesize
560B

MD5
55ca52be80abc7f5f70a75b484963df9

SHA1
866865b7582334dafd36b1218320d54fe8f62832

SHA256
e8a2d706e2ecae97070d32f6e7451ed98ce2b5b4d25dd8ca691a717af24bfa72

SHA512
c879672c59a8afae1b27883b553bb4757ef17b7202d960b8cb6618666199e294abff76ae670371e358a5cbef5907be991fce3887c400660bfcaeb0eddb664918

Download Submit
C:\Users\Admin\AppData\Local\5e02335600795c46d261a189ea9ab23c\Admin@ZFKGDPGJ_en-US\System\Process.txt

Filesize
624B

MD5
8fb29b9fb1100e0a7bd6a6776e227f8c

SHA1
c26df933db9550882d9d246c3d37a432b0bcc6e9

SHA256
cd3fdd08668642549a6de986e2398c487fe367feba05c09f752cc4cb62a382c7

SHA512
5290d4bba53e0e2a2f45489dea149d58ff534721746072dabfcd019dd67c74e57aa861d38345dc765cde5a4b1ce4f5b5439dd5b847c611557b42b4208696de42

Download Submit
C:\Users\Admin\AppData\Local\5e02335600795c46d261a189ea9ab23c\Admin@ZFKGDPGJ_en-US\System\Process.txt

Filesize
688B

MD5
7bbaf9c0ee28cabd498e2ce909ab3837

SHA1
0f8bd44f0bf83cb8d4e8a07107e38ca01d0cc4d1

SHA256
9d3b43ddfb27a3946be943526af88e363d43bf856fa6f44a060426d5dcde0c87

SHA512
8dd17b4b1cda3e5e57620b08512d68c58271daafde10053f9d530a0f1c7605f883a5bfb0734705a43d85c857320102825792d26da5db57401cdb6206105e2695

Download Submit
C:\Users\Admin\AppData\Local\5e02335600795c46d261a189ea9ab23c\Admin@ZFKGDPGJ_en-US\System\Process.txt

Filesize
752B

MD5
588ea2b3eafb35112d4c756bc7c2b5d0

SHA1
fc5d8445fcd399662bcfad41a64736bc082e77f0

SHA256
e15fe8a675021d70ace5ac160292ef3a800f6b667960c0df7bde0861f65e222a

SHA512
afd781595f602812cb2b8cfcb03202df7f4923b5993f24ae64379f393f57d6f821bd865c2277cc35be9c16085068a5e62e8da7595caf0d830bf2db3a13eeacdc

Download Submit
C:\Users\Admin\AppData\Local\5e02335600795c46d261a189ea9ab23c\Admin@ZFKGDPGJ_en-US\System\Process.txt

Filesize
816B

MD5
d286fe09fcfac91fa1f64120997cd88c

SHA1
e920f1636bd205bb9df399f4f182bf3e71ccaef5

SHA256
ce3a0d40afef3288ab6614efce772f6b9380458f389c71fea29234bdb5ba1d75

SHA512
6a62c7f88c93f96e91d4278a9d3dbacc8a1fb4f731fb49e7413786a0472c1ef4132563d51813278b1e9c3185806432f75f345e20fb98820a14df6bd7758af1dd

Download Submit
C:\Users\Admin\AppData\Local\5e02335600795c46d261a189ea9ab23c\Admin@ZFKGDPGJ_en-US\System\Process.txt

Filesize
962B

MD5
68c48f724f41f900e77013aea61f95ed

SHA1
4444282f5ceffc98ee783bb074742c93eac1195c

SHA256
139ed41fed60f335b8e88566812555644aa258fb46b024408984a65001b4d271

SHA512
6c2b76cd48d6a945b1e3e9645d660d198f5ce8a7bfeb10d251635b9bb732432f5ce8f69d81570db1a199b91db9a18bea10baf70fb383bbe0fd002d1a4df7edca

Download Submit
C:\Users\Admin\AppData\Local\6f9c048860368b1dcd6eff0ed757d705\Admin@ZFKGDPGJ_en-US\System\Process.txt

Filesize
148B

MD5
71086cfba50a609125ed68ba64904fc4

SHA1
15cf35d98cb6b11afae426d5c0ff21022cfd7741

SHA256
8e83e862bf008428bdbb492be3280ff159f26e692fdabbfdc19e566c036b18b9

SHA512
d3dd13ba63b3315d2f66a390dad00f8d678ac77bb3bd5d1206fcba63e073002b1a272cf92705abbf1fda9a07dadb02d46c37fb374ad6292d5de264becaf08d4f

Download Submit
C:\Users\Admin\AppData\Local\6f9c048860368b1dcd6eff0ed757d705\Admin@ZFKGDPGJ_en-US\System\Process.txt

Filesize
4KB

MD5
c085d218c204c7bd4678bb7f9aac9964

SHA1
b6e784c1c701407c721897e9627a7283b6a47006

SHA256
0a81e8b16acfeb3102108a3205cc5da2ba12aeff0c743bc7f883a1544d075692

SHA512
0dbe62a8ad7dfd338627d72f64da06be5ecfc30f11c9ee91f20c4be32711ea09a6e312f0596aeaea6575bb8b33a1b1aa8e95f22b861f64474d6143033c514134

Download Submit
C:\Users\Admin\AppData\Local\6f9c048860368b1dcd6eff0ed757d705\Admin@ZFKGDPGJ_en-US\System\Process.txt

Filesize
84B

MD5
3071eea869d816f095e552e3ceb914ab

SHA1
c1e12210686a4885aeee0b14b124420fdb310df2

SHA256
bee50c8f6bcbb2ea4551404a5bd49b37e0a5697d7b4eb7bd501a8ed6e721a71f

SHA512
a44dcdf96cf6fb5c27f888d57dda8ba30c246e53664e146564605b83159d70c083f86dfcdcc2866d4b40d76a2bff4eb7f94522d30a318474fd923799bf17db55

Download Submit
C:\Users\Admin\AppData\Local\6f9c048860368b1dcd6eff0ed757d705\Admin@ZFKGDPGJ_en-US\System\Process.txt

Filesize
380B

MD5
2ce5c050801980fa0da6d8c98c07d780

SHA1
4355e8cd0caee9431f0cf3ec9b2dedd1a2383f03

SHA256
25fb4f20f2c450244b4bc30fa5944bbbd8ea3c8548ec2e76f966fb490728898e

SHA512
059165e914ce5d0c3b02da6e9ce5e879ddd0ba4c167911346c2d48db037b5cfbefb2bff7cc46a18f6a7b72f46014801b69295fa7db923268c3630babaf12ed65

Download Submit
C:\Users\Admin\AppData\Local\6f9c048860368b1dcd6eff0ed757d705\Admin@ZFKGDPGJ_en-US\System\Process.txt

Filesize
419B

MD5
d552e5f525d8df2b27b217ce2a89e334

SHA1
03c5c7c3cdab6f4083044dd7406d159c3dcfdc6b

SHA256
2f0c51f9ab1249bc1aa768f65af27987d1797dcb7374a014a52f7098f48f7ec5

SHA512
8a094d433313d3998f373e561e2766b9068865fae2b9766a123d855aa76a9317b24c5efc5b6d1ab2ff663d4786cc6fd96eec7dc5c89bad6ccc7132793b5a4f90

Download Submit
C:\Users\Admin\AppData\Local\6f9c048860368b1dcd6eff0ed757d705\Admin@ZFKGDPGJ_en-US\System\Process.txt

Filesize
4KB

MD5
c9cc725453f1d0be30d535e48a7da113

SHA1
8a2e00862127f96bab5a8856eae682b3f5a78964

SHA256
90bfb7878496d05fc46ecbadcbc20d502bd9064edb6508037e4825e9d9bae0dd

SHA512
6d83533c06443ab86dd0e272e05f2ad666130c7acdb853de069010d9c7612e95375a30f366e859dcb7ae5a3f174423303e0685091868b9d9cfc88b47b2a6f15e

Download Submit
C:\Users\Admin\AppData\Local\6f9c048860368b1dcd6eff0ed757d705\Admin@ZFKGDPGJ_en-US\System\Process.txt

Filesize
4KB

MD5
d95e98d2801965c45f0de813b4abecda

SHA1
1c938615093d0154e68a02f636e3e7820c7caab0

SHA256
19d22e9b263814ecc6ececde13742df1f42bc6ecaa9ad367c09d58f5dee25b39

SHA512
54077f4014d956af04aa60e1783f7b4a24ebbde64adbb2e1a5c6e26864248762701272490ee6ea1e0d81e5c34822f3cccbe777f8ba13944878b88f5ed51eb3d9

Download Submit
C:\Users\Admin\AppData\Local\6f9c048860368b1dcd6eff0ed757d705\Admin@ZFKGDPGJ_en-US\System\ProductKey.txt

Filesize
29B

MD5
71eb5479298c7afc6d126fa04d2a9bde

SHA1
a9b3d5505cf9f84bb6c2be2acece53cb40075113

SHA256
f6cadfd4e4c25ff3b8cffe54a2af24a757a349abbf4e1142ec4c9789347fe8b3

SHA512
7c6687e21d31ec1d6d2eff04b07b465f875fd80df26677f1506b14158444cf55044eb6674880bd5bd44f04ff73023b26cb19b8837427a1d6655c96df52f140bd

Download Submit
C:\Users\Admin\AppData\Local\6f9c048860368b1dcd6eff0ed757d705\Admin@ZFKGDPGJ_en-US\System\ScanningNetworks.txt

Filesize
84B

MD5
58cd2334cfc77db470202487d5034610

SHA1
61fa242465f53c9e64b3752fe76b2adcceb1f237

SHA256
59b3120c5ce1a7d1819510272a927e1c8f1c95385213fccbcdd429ff3492040d

SHA512
c8f52d85ec99177c722527c306a64ba61adc3ad3a5fec6d87749fbad12da424ba6b34880ab9da627fb183412875f241e1c1864d723e62130281e44c14ad1481e

Download Submit
C:\Users\Admin\AppData\Local\6f9c048860368b1dcd6eff0ed757d705\msgid.dat

Filesize
1B

MD5
cfcd208495d565ef66e7dff9f98764da

SHA1
b6589fc6ab0dc82cf12099d1c2d40ab994e8410c

SHA256
5feceb66ffc86f38d952786c6d696c79c2dbc239dd4e91b46729d73a27fb57e9

SHA512
31bca02094eb78126a517b206a88c73cfa9ec6f704c7030d18212cace820f025f00bf0ea68dbf3f3a5436ca63b53bf7bf80ad8d5de7d8359d0b7fed9dbc3ab99

Download Submit
C:\Users\Admin\AppData\Local\847b19771ec05254524dbacfa3aba31c\Admin@ZFKGDPGJ_en-US\Browsers\Firefox\Bookmarks.txt

Filesize
105B

MD5
2e9d094dda5cdc3ce6519f75943a4ff4

SHA1
5d989b4ac8b699781681fe75ed9ef98191a5096c

SHA256
c84c98bbf5e0ef9c8d0708b5d60c5bb656b7d6be5135d7f7a8d25557e08cf142

SHA512
d1f7eed00959e902bdb2125b91721460d3ff99f3bdfc1f2a343d4f58e8d4e5e5a06c0c6cdc0379211c94510f7c00d7a8b34fa7d0ca0c3d54cbbe878f1e9812b7

Download Submit
C:\Users\Admin\AppData\Local\847b19771ec05254524dbacfa3aba31c\Admin@ZFKGDPGJ_en-US\System\Process.txt

Filesize
4KB

MD5
359321c1cc58b9792c7be42d602c4a43

SHA1
797a22ca3050a356ffa53371faae0d1a7e1b9026

SHA256
06dabc645237f346523faa8656490869096020075b734279da97e23ba23e2357

SHA512
8fec7bafb1c6b2f48d6c37fb01a1fb11514ca66381a81faee35a0e2cb3f35f0b8172bb21be1b90b27845383ca864c611ac8dba0e85f098a612832636d30e2251

Download Submit
C:\Users\Admin\AppData\Local\847b19771ec05254524dbacfa3aba31c\Admin@ZFKGDPGJ_en-US\System\Process.txt

Filesize
4KB

MD5
b046a6166533d7a6b2cc9e31f86f08c1

SHA1
77b5a3d33a9b6dfb2eaa9cd0388651aab5e6f431

SHA256
0b9d18745f84f62a8af5ef755366d723bc4ded9d6fd5976af4aad171e19ef139

SHA512
19a11499761e90beb6c68d10ccdb360099ef985df1fa5304bafcc1259fabf67ec06048710ea62b5d7550fa6963032b67b5c5fc9b1c2bec0ac313036d347a8971

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\RebelCracked.exe.log

Filesize
654B

MD5
2cbbb74b7da1f720b48ed31085cbd5b8

SHA1
79caa9a3ea8abe1b9c4326c3633da64a5f724964

SHA256
e31b18f21621d9983bfdf1ea3e53884a9d58b8ffd79e0e5790da6f3a81a8b9d3

SHA512
ecf02d5240e0c1c005d3ab393aa7eff62bd498c2db5905157e2bf6d29e1b663228a9583950842629d1a4caef404c8941a0c7799b1a3bd1eb890a09fdb7efcff9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\RuntimeBroker.exe.log

Filesize
706B

MD5
1356da7590c7343415dc5977d32b17c8

SHA1
6b2d7cb07839255395f6b24391fe5fec5201e359

SHA256
2126fa4651af160534e852712f55be80e16308e9cad3fed7b0bd3ac6ce528702

SHA512
6f1cff058fd47eb299d81dcb53d6c8138d433c8f2d44fc281639ed72f88bfcaa56e100367a77f856a8e06a490a932bc0ae53d6ed10e78fcfbebb97be9d8cb97c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\4d378f8d-93f5-46d8-8375-82befbac84bd.tmp

Filesize
10KB

MD5
29ec760df5f295b77200daea913ea3fe

SHA1
5adbf2ab42738aa0ebf96bc7638728a3ae0d3933

SHA256
b281f44abc7d13a63e252a32ba9c291d12885b9786c198cd43e48ed793892c61

SHA512
be5e0cf101089f53e7b6709060d40c79e8494299a0e9402e108caa9ec96e7e23c87b2dba1cbee06efb4f54ba62e7fd18fe6ed18d4db65ca7563cec14b79c5807

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
3e681bda746d695b173a54033103efa8

SHA1
ae07be487e65914bb068174b99660fb8deb11a1d

SHA256
fee5f7377e5ca213c1d8d7827b788723d0dd2538e7ce3f35581fc613fde834c2

SHA512
0f4381c769d4ae18ff3ac93fd97e8d879043b8ec825611db27f08bd44c08babc1710672c3f93435a61e40db1ccbf5b74c6363aaaf5f4a7fc95a6a7786d1aced8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
9f081a02d8bbd5d800828ed8c769f5d9

SHA1
978d807096b7e7a4962a001b7bba6b2e77ce419a

SHA256
a7645e1b16115e9afec86efa139d35d5fecc6c5c7c59174c9901b4213b1fae0e

SHA512
7f3045f276f5bd8d3c65a23592419c3b98f1311c214c8e54a4dfe09122a08afb08ab7967b49bd413bc748ce6363658640bc87958d5e0a78974680a8f9beadf44

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\History

Filesize
116KB

MD5
dbaa861acbc23088d31d7f0d2cec8b64

SHA1
67fa5e24b56276b3e6e556e304d9c1240504d2f1

SHA256
17e9e3a14adf797c902416849b6c0ad7ef36dd60589b2c4131a60955ea4cef35

SHA512
616e6f9414219f9f0f46a51b64a40aa3ef2e6a1af7883137175c8f09e2fe5b34e169d00055031297495e091d047ee0caa30f49920f872662f3025dfb2c7d11f1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
1545f9e74f00e5d1c2555babb07878c6

SHA1
2782de780fdfb2762a91818c4d626361fd19cf49

SHA256
5cf34792346b984075e8072dfa03d3aff1240df216a912b17bfd141e9cd8f075

SHA512
29297a6ef7094fbe9ca5ecf7ba70fb528d31dfb78ce96ee1cc42cc2fbc4a19155f85fb38ae3d5992a72c16f22a4f7c5a42bf897f06459f40ec22db54f153c67e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
097eb2858c7cef40d54620d21726852d

SHA1
db8990fca1dc76c95e239a4bb6b22fc00b16a93e

SHA256
04e1d4281d4bcf008dca819438cbf5dd748315b8c5283919f7fb3f21d3f66689

SHA512
71d77b1f3aa4f8159576034f8c3850fd43dcfe04455a640e93f3049b9445fe51e0062b2b1401aabb9d650a4716ec5a1b43fc165fad02122252ed9157924138fa

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
06742d1b5afb187568eacdc2ef6e0ed9

SHA1
258b87bb7197fcded3038f83b67163d2c49d68c8

SHA256
5866e60ea9983b2dd90eb4c28f997defffc11436ccfd07187da9026707a58da1

SHA512
5c270739445c7835c68bb32cca4307cfb1bb707ef4c6dd45f9a024ee039951714374255a6de45fb1135226ab0ee894a41e02744463c62bf77629ac9dec3260bc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
206702161f94c5cd39fadd03f4014d98

SHA1
bd8bfc144fb5326d21bd1531523d9fb50e1b600a

SHA256
1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167

SHA512
0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
f5e998c71b23204cfaee2010e1f4d1b7

SHA1
3c6b1b16a30179529a2264be9b1a9e9cbaa4d34c

SHA256
ea451c0d63c844461dd3e0702d53ba09f721a7560edcdcb2cb45d8c5e0a1dced

SHA512
df56fb957f4b10577147c95052ceec18a565b60f8539a02979a706e13a8b43914959a2536d8d3a70b9c6f263713eea0fe052a08c0a12497171bed03bd3845d35

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
86f56c81a8afdad690200b392e84d46d

SHA1
dd7f1d00e7147a1df676875019cbb3ddfc94b2a1

SHA256
388d0604dc0ee85b598c1ed057bb6c83a0a3cada2d541fb3277f9e8484143423

SHA512
bd75fbc23ebd83845baf3fc037cff022ccf9c575743e5b3e1429dd6320bc8f02a9f46ccb7da5327caaa34c110a455bca87bb227ba37ff768923b753dec178620

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
310c88ad988a6059ce9d6dd9ab5c29db

SHA1
dd07e1e703aa4b5e5f33fc3391d9d4849b92c77d

SHA256
73ce51ba81945ba22c33c38e3bc3da05f947173fb49e10755e09ad9434ee2225

SHA512
fd3d2664f5e566f3fc4e88f18780a1427e98afa321cb3ed0f0086f0fc2430d6aa429124f28a5470525d3e0691a4234a267cf32de3096843292ce02a9cca5451c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\ShaderCache\GPUCache\data_1

Filesize
264KB

MD5
d090e7c2962bd1d917587ddefc4e6cce

SHA1
cbcebc2236890f4a80f96ea19cbb3982ce67bc87

SHA256
945c8f0ca384a66433a134a8a8d5d9720493bdcd9c1fa1cb5dca75f4f47c8b65

SHA512
ec42ad7bc61c92ddeebb3545431f8d8428f4c7d3c4712fac72785cf16f4c51c7696ee93bf7e4518b493ca9cb1ed4f4b6f510becc5939e4d2f406399c788c5faa

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\settings\PreSignInSettingsConfig.json

Filesize
63KB

MD5
e516a60bc980095e8d156b1a99ab5eee

SHA1
238e243ffc12d4e012fd020c9822703109b987f6

SHA256
543796a1b343b4ebc0285d89cb8eb70667ac7b513da37495e38003704e9d88d7

SHA512
9b51e99ba20e9da56d1acc24a1cf9f9c9dbdeb742bec034e0ff2bc179a60f4aff249f40344f9ddd43229dcdefa1041940f65afb336d46c175ffeff725c638d58

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\T8J0KUQ8\update100[1].xml

Filesize
726B

MD5
53244e542ddf6d280a2b03e28f0646b7

SHA1
d9925f810a95880c92974549deead18d56f19c37

SHA256
36a6bd38a8a6f5a75b73caffae5ae66dfabcaefd83da65b493fa881ea8a64e7d

SHA512
4aa71d92ea2c46df86565d97aac75395371d3e17877ab252a297b84dca2ab251d50aaffc62eab9961f0df48de6f12be04a1f4a2cbde75b9ae7bcce6eb5450c62

Download Submit
C:\Users\Admin\AppData\Local\RuntimeBroker.exe

Filesize
330KB

MD5
75e456775c0a52b6bbe724739fa3b4a7

SHA1
1f4c575e98d48775f239ceae474e03a3058099ea

SHA256
e8d52d0d352317b3da0be6673099d32e10e7b0e44d23a0c1a6a5277d37b95cf3

SHA512
b376146c6fa91f741d69acf7b02a57442d2ea059be37b9bdb06af6cc01272f4ded1a82e4e21b9c803d0e91e22fc12f70391f5e8c8704d51b2435afc9624e8471

Download Submit
C:\Users\Admin\AppData\Local\Temp\places.raw

Filesize
5.0MB

MD5
facffc6194a12456e74c7fec35feaee2

SHA1
ae7b94d41a1cc71824401b13ad7779b002dab53d

SHA256
fe8a5a9bffca41975790902915e715918f4e39242789f4d13a6e92c28d275830

SHA512
19f5ef69d8c7a772942ccc4fa18ec5a3cce084a7efaee1e4bdb10f4b8f9ba7c7bc89e05d1939d0d038bf1d0f30efacefd54b33f0de8916191f7fc5d56388d2d9

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpCDCB.tmp.dat

Filesize
114KB

MD5
02ab6938b515ec3ddd6522a02f389fb1

SHA1
e28c597019484e3879425053501d0f47910f3487

SHA256
27b568107aba4d0c0c7405c6e3e911871fc1fc52edda32f93578c30f86fa8d71

SHA512
4955182941788fd7d0a90ca828461a9eedaf2d05b9528e5e23a14a4956212e1e1897b8519d7cf956599136cc990deac93d02b708c49d0242dbaab64843bbaa92

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpCDCD.tmp.dat

Filesize
160KB

MD5
f310cf1ff562ae14449e0167a3e1fe46

SHA1
85c58afa9049467031c6c2b17f5c12ca73bb2788

SHA256
e187946249cd390a3c1cf5d4e3b0d8f554f9acdc416bf4e7111fff217bb08855

SHA512
1196371de08c964268c44103ccaed530bda6a145df98e0f480d8ee5ad58cb6fb33ca4c9195a52181fe864726dcf52e6a7a466d693af0cda43400a3a7ef125fad

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpCDDF.tmp.dat

Filesize
112KB

MD5
87210e9e528a4ddb09c6b671937c79c6

SHA1
3c75314714619f5b55e25769e0985d497f0062f2

SHA256
eeb23424586eb7bc62b51b19f1719c6571b71b167f4d63f25984b7f5c5436db1

SHA512
f8cb8098dc8d478854cddddeac3396bc7b602c4d0449491ecacea7b9106672f36b55b377c724dc6881bee407c6b6c5c3352495ed4b852dd578aa3643a43e37c0

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpD703.tmp.dat

Filesize
40KB

MD5
a182561a527f929489bf4b8f74f65cd7

SHA1
8cd6866594759711ea1836e86a5b7ca64ee8911f

SHA256
42aad7886965428a941508b776a666a4450eb658cb90e80fae1e7457fc71f914

SHA512
9bc3bf5a82f6f057e873adebd5b7a4c64adef966537ab9c565fe7c4bb3582e2e485ff993d5ab8a6002363231958fabd0933b48811371b8c155eaa74592b66558

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpD719.tmp.dat

Filesize
46KB

MD5
14ccc9293153deacbb9a20ee8f6ff1b7

SHA1
46b4d7b004ff4f1f40ad9f107fe7c7e3abc9a9f3

SHA256
3195ce0f7aa2eae2b21c447f264e2bd4e1dc5208353ac72d964a750de9a83511

SHA512
916f2178be05dc329461d2739271972238b22052b5935883da31e6c98d2697bd2435c9f6a2d1fcafb4811a1d867c761055532669aac2ea1a3a78c346cdeba765

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpD71A.tmp.dat

Filesize
20KB

MD5
22be08f683bcc01d7a9799bbd2c10041

SHA1
2efb6041cf3d6e67970135e592569c76fc4c41de

SHA256
451c2c0cf3b7cb412a05347c6e75ed8680f0d2e5f2ab0f64cc2436db9309a457

SHA512
0eef192b3d5abe5d2435acf54b42c729c3979e4ad0b73d36666521458043ee7df1e10386bef266d7df9c31db94fb2833152bb2798936cb2082715318ef05d936

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpD71C.tmp.dat

Filesize
96KB

MD5
40f3eb83cc9d4cdb0ad82bd5ff2fb824

SHA1
d6582ba879235049134fa9a351ca8f0f785d8835

SHA256
cdd772b00ae53d4050150552b67028b7344bb1d345bceb495151cc969c27a0a0

SHA512
cdd4dbf0b1ba73464cd7c5008dc05458862e5f608e336b53638a14965becd4781cdea595fd6bd18d0bf402dccffd719da292a6ce67d359527b4691dc6d6d4cc2

Download Submit
C:\Users\Admin\AppData\Local\a6f214bc03b39d653626f591fcd7e193\Admin@ZFKGDPGJ_en-US\System\Process.txt

Filesize
483B

MD5
73dfed079163b8ec525dfee32c6656ea

SHA1
ef749eb9c1b9bfcf8578c2048cb2b8ea8a1c23b0

SHA256
fce89ba1ce654fda14e59167addceb3e4409deee9353b03ccc81bba216fdb266

SHA512
af5ce2f3e791e681c02bbe677743ca16dfadb32c8f0a77abd9930eea3c90e408667a67ef1aba87b64a0b034c601bcac3fb8c3f83bcedeb644e368fdb9cf35f72

Download Submit
C:\Users\Admin\AppData\Local\a6f214bc03b39d653626f591fcd7e193\Admin@ZFKGDPGJ_en-US\System\Process.txt

Filesize
547B

MD5
ab9bff012d54f76566203ea26e5ad53c

SHA1
26c3fce11f833f23ddd638013229a87f382cbe8c

SHA256
d2402f205d243da3e08d67e8d1b33faeeed1ac1408714bc3e73a7056b5767fcf

SHA512
ddd47ddbc95cef26515c5158411778b39354efd1d560d1bf02ca1fe97e16ec54790681497993ea44102add5a75ce91ee2b27cd3e01b5110a6ec392a85dc52af3

Download Submit
C:\Users\Admin\AppData\Local\b8cd6d3ecd5fdebd0f58b47a6f22bec3\Admin@ZFKGDPGJ_en-US\System\Process.txt

Filesize
4KB

MD5
3671db03eca2a9498c4c05b70f520d6a

SHA1
79711485e344e13c7157f9767fe8bc95cef5124e

SHA256
a595d87c6aabdd918f917d4bdb2058b880f987bf8f6913a6885d8ea8b47890cf

SHA512
c10004c16b6585c9d2983a0b0f790b906de7807d03a64acb15b88335345c029240ba9a1ed016a3b8b3bf9a2211a9e4333fa9bda46cd74f4cbbbdf23607b6bd0a

Download Submit
C:\Users\Admin\AppData\Local\b8cd6d3ecd5fdebd0f58b47a6f22bec3\Admin@ZFKGDPGJ_en-US\System\WorldWind.jpg

Filesize
96KB

MD5
cfdb15e164e0bb3d2d9b3c99d75c220f

SHA1
33ce83a40a3f5864d3ab7c3f43a3b6893b3f77a1

SHA256
c3e404243963791404c3d404c27f5f5263d1b99f4bd5d9dc6f3ae0933c6ffdff

SHA512
f92b73a888079fd26098840ed96c66ea82e14d26bc07856c2ed8d40d820466ee9eb42dde1baa5d74defb82c4fc4823d43ba155f3f1447a145baa52fd51194caa

Download Submit
C:\Users\Admin\AppData\Local\bd138ee1a7acf562c242fe9719b72596\Admin@ZFKGDPGJ_en-US\System\Process.txt

Filesize
4KB

MD5
7622d44127a0d5f47ad293a3145d2445

SHA1
89d3577a51609d91ff4f6b0b714e7065324d6999

SHA256
92f7013a826918b9139b4e1d43999ca8240b2245e1260899d1be3f9f758033ab

SHA512
262ca5438153821a7556e3e366c2c2eb2b1744592015df6648ffd45d1f5c1fd3712e693cbfb4acbfd2474918da0463313c0bc502308b9d6d88a8f0d1f7f8a128

Download Submit
C:\Users\Admin\AppData\Local\bd138ee1a7acf562c242fe9719b72596\Admin@ZFKGDPGJ_en-US\System\Process.txt

Filesize
4KB

MD5
a1d404872967a26a0855cf38f22aafba

SHA1
dbe84ad44bbc323b865f0a5c27262789af498e8b

SHA256
2931ac897e910e66c9e52690f08ba9daa286ca03aacec743fae79ecdc7fb76e0

SHA512
76fb242d68039a52075f073a185b4648bdd4d511a826ed59a90bcac3e3d8512790a19fdf2ad6a474a64e40f818477c65581e77a1a69d2a58a836ad3acbf68d1e

Download Submit
C:\Users\Admin\AppData\Local\bd138ee1a7acf562c242fe9719b72596\Admin@ZFKGDPGJ_en-US\System\Process.txt

Filesize
4KB

MD5
643a2c9fb94e3f6c8e58f51dc7df9cac

SHA1
c90d5af0d7258dff8118d26de5c8c2e1d65e1565

SHA256
0eaad8aee1ddcc7593d338d801984d567c280ae677a7b17679d11a9753e85e40

SHA512
c25bccf1253d58be78d056e9e5c3a9cb6961cba07380a67c01b04f087ff1cd2f9d5d8ca4e5ffcabbaf4d2f71a18df6f0275d8581a9412d62eaa3ca0abf41f248

Download Submit
C:\Users\Admin\Desktop\cracked folder virus lolol\Rebel\Bin\Injector.exe

Filesize
4.8MB

MD5
8da7ffaee1e5988d56e536d37a5e5d7d

SHA1
ed799e5ec866ec3dff0bffb306de4b1ab2ca2361

SHA256
7450c90fad1d9ed73652c7fee391adb41ee2c62d5d43f3bdcab945e3fdec5485

SHA512
34579bfbee7ec802322b12cc91276dc440d2df63d8e02b55ec303a19b4a198810a97157cf82739d0c30a509928d797142cee133aec994f0c8f5c58c5a6aebd16

Download Submit
C:\Users\Admin\Desktop\cracked folder virus lolol\Rebel\ReadMe.txt

Filesize
13B

MD5
1c6c20f0c324e98e38272f1245d24e11

SHA1
bbb5dc3a18a532529ec6fa88c86542288dd979f7

SHA256
4ca7414e2aba6d74826403afb6ccbcc1752297a1b61aced8808b75d80d212f2d

SHA512
a30aed5a54580ad73f16ad237f82e2dc99c99d9645d40d1fbdf88a7d6c10c238b6967c011ba46c6084d409e4a37b41983d600146f93cd9250a810b7d784d8246

Download Submit
C:\Users\Admin\Desktop\cracked folder virus lolol\Rebel\RebelCracked.exe

Filesize
344KB

MD5
a84fd0fc75b9c761e9b7923a08da41c7

SHA1
2597048612041cd7a8c95002c73e9c2818bb2097

SHA256
9d9a79f4ae9bf7a992945f6c06c5bec642c05e4e828217c50255dabfa3677006

SHA512
a17f1144a0e3ce07c7ed6891987c5b969f291e9991442c33750028d35e2194794e8a649c397e8afc9f8ce19d485c453600c75cab4fcead09e38414d85819251a

Download Submit
C:\Users\Admin\Downloads\Rebel.7z:Zone.Identifier

Filesize
26B

MD5
fbccf14d504b7b2dbcb5a5bda75bd93b

SHA1
d59fc84cdd5217c6cf74785703655f78da6b582b

SHA256
eacd09517ce90d34ba562171d15ac40d302f0e691b439f91be1b6406e25f5913

SHA512
aa1d2b1ea3c9de3ccadb319d4e3e3276a2f27dd1a5244fe72de2b6f94083dddc762480482c5c2e53f803cd9e3973ddefc68966f974e124307b5043e654443b98

Download Submit
\??\pipe\LOCAL\crashpad_3852_GKOTZBGBBWOCLNCO

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/2620-564-0x00007FFFEB550000-0x00007FFFEB552000-memory.dmp

Filesize
8KB

Download
memory/2620-565-0x00007FFFEB560000-0x00007FFFEB562000-memory.dmp

Filesize
8KB

Download
memory/2620-566-0x0000000140000000-0x00000001407ED000-memory.dmp

Filesize
7.9MB

Download
memory/3628-1339-0x00000000071F0000-0x0000000007202000-memory.dmp

Filesize
72KB

Download
memory/3628-247-0x0000000005800000-0x0000000005866000-memory.dmp

Filesize
408KB

Download
memory/3628-237-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/3628-1009-0x0000000006540000-0x000000000654A000-memory.dmp

Filesize
40KB

Download
memory/4964-236-0x0000000005B00000-0x0000000005B0A000-memory.dmp

Filesize
40KB

Download
memory/4964-235-0x0000000005B90000-0x0000000005C2C000-memory.dmp

Filesize
624KB

Download
memory/4964-234-0x0000000005AA0000-0x0000000005AEA000-memory.dmp

Filesize
296KB

Download
memory/4964-233-0x0000000005A00000-0x0000000005A92000-memory.dmp

Filesize
584KB

Download
memory/4964-232-0x0000000005FB0000-0x0000000006556000-memory.dmp

Filesize
5.6MB

Download
memory/4964-231-0x00000000008F0000-0x0000000000948000-memory.dmp

Filesize
352KB

Download
memory/5880-216-0x0000000000080000-0x00000000000DC000-memory.dmp

Filesize
368KB

Download