asyncrat | hxxps://download2260[.]mediafire[.]com/8z5me9rbv5egliK0QorznLNdVFQVB2yJPfxkAoNbA9Jzw-XVz8BqZ37CnAA2czOZRNRQVlW8yK_tFkTf0yUA1DRBXPBb71HG_U0jcyIGZkTFbIknUtI5jE0LbUPjFnrbGO8J5IDA_HAtvV-xu65bbK4Zjiebr1B33WjcvM8fLmRdOA/by9n59rwi4ek33p/Rebel[.]7z

Resubmissions

06-09-2024 17:17

240906-vtpjjaycjr 10

06-09-2024 17:14

240906-vr54haybmn 10

Analysis

max time kernel
261s
max time network
300s
platform
windows11-21h2_x64
resource
win11-20240802-en
resource tags

arch:x64arch:x86image:win11-20240802-enlocale:en-usos:windows11-21h2-x64system
submitted
06-09-2024 17:17

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://download2260.mediafire.com/8z5me9rbv5egliK0QorznLNdVFQVB2yJPfxkAoNbA9Jzw-XVz8BqZ37CnAA2czOZRNRQVlW8yK_tFkTf0yUA1DRBXPBb71HG_U0jcyIGZkTFbIknUtI5jE0LbUPjFnrbGO8J5IDA_HAtvV-xu65bbK4Zjiebr1B33WjcvM8fLmRdOA/by9n59rwi4ek33p/Rebel.7z

Score

10^/10

asyncrat stormkitty default credential_access discovery rat spyware stealer

Malware Config

Extracted

Family

asyncrat

Botnet

Default

127.0.0.1:6606

127.0.0.1:7707

127.0.0.1:8808

Mutex

AsyncMutex_6SI8OkPnk

Attributes

delay
3
install
false
install_folder
%AppData%

aes.plain

Signatures

AsyncRat
AsyncRAT is designed to remotely monitor and control other computers written in C#.
rat asyncrat
StormKitty
StormKitty is an open source info stealer written in C#.
stealer stormkitty

StormKitty payload 1 IoCs

Processes:

resource	yara_rule
behavioral1/memory/4264-469-0x0000000000400000-0x0000000000432000-memory.dmp	family_stormkitty

Credentials from Password Stores: Credentials from Web Browsers 1 TTPs
Malicious Access or copy of Web Browser Credential store.
credential_access stealer

Credentials from Web Browsers
T1555.003

Executes dropped EXE 16 IoCs

Processes:

RebelCracked.exeRuntimeBroker.exeRebelCracked.exeRuntimeBroker.exeRuntimeBroker.exeRebelCracked.exeRuntimeBroker.exeRuntimeBroker.exeRebelCracked.exeRuntimeBroker.exeRuntimeBroker.exeRebelCracked.exeRuntimeBroker.exeRuntimeBroker.exeRebelCracked.exeRuntimeBroker.exe

pid	process
2324	RebelCracked.exe
3444	RuntimeBroker.exe
728	RebelCracked.exe
4264	RuntimeBroker.exe
4852	RuntimeBroker.exe
2580	RebelCracked.exe
2388	RuntimeBroker.exe
200	RuntimeBroker.exe
4948	RebelCracked.exe
3588	RuntimeBroker.exe
1424	RuntimeBroker.exe
4704	RebelCracked.exe
1624	RuntimeBroker.exe
3084	RuntimeBroker.exe
1952	RebelCracked.exe
4048	RuntimeBroker.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops desktop.ini file(s) 14 IoCs

Processes:

RuntimeBroker.exeRuntimeBroker.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Local\db81a968559c18d3ebb05809a10f800b\Admin@ITMJLVNR_en-US\Grabber\DRIVE-C\Users\Admin\Desktop\desktop.ini	RuntimeBroker.exe
File opened for modification	C:\Users\Admin\AppData\Local\db81a968559c18d3ebb05809a10f800b\Admin@ITMJLVNR_en-US\Grabber\DRIVE-C\Users\Admin\Desktop\desktop.ini	RuntimeBroker.exe
File created	C:\Users\Admin\AppData\Local\db81a968559c18d3ebb05809a10f800b\Admin@ITMJLVNR_en-US\Grabber\DRIVE-C\Users\Admin\Pictures\Saved Pictures\desktop.ini	RuntimeBroker.exe
File created	C:\Users\Admin\AppData\Local\db81a968559c18d3ebb05809a10f800b\Admin@ITMJLVNR_en-US\Grabber\DRIVE-C\Users\Admin\Downloads\desktop.ini	RuntimeBroker.exe
File created	C:\Users\Admin\AppData\Local\3a117b6d93ab1aaf2ee3093e0d4f785e\Admin@ITMJLVNR_en-US\Grabber\DRIVE-C\Users\Admin\Desktop\desktop.ini	RuntimeBroker.exe
File created	C:\Users\Admin\AppData\Local\db81a968559c18d3ebb05809a10f800b\Admin@ITMJLVNR_en-US\Grabber\DRIVE-C\Users\Admin\Pictures\Camera Roll\desktop.ini	RuntimeBroker.exe
File created	C:\Users\Admin\AppData\Local\3a117b6d93ab1aaf2ee3093e0d4f785e\Admin@ITMJLVNR_en-US\Grabber\DRIVE-C\Users\Admin\Pictures\desktop.ini	RuntimeBroker.exe
File created	C:\Users\Admin\AppData\Local\3a117b6d93ab1aaf2ee3093e0d4f785e\Admin@ITMJLVNR_en-US\Grabber\DRIVE-C\Users\Admin\Pictures\Camera Roll\desktop.ini	RuntimeBroker.exe
File created	C:\Users\Admin\AppData\Local\db81a968559c18d3ebb05809a10f800b\Admin@ITMJLVNR_en-US\Grabber\DRIVE-C\Users\Admin\Documents\desktop.ini	RuntimeBroker.exe
File created	C:\Users\Admin\AppData\Local\3a117b6d93ab1aaf2ee3093e0d4f785e\Admin@ITMJLVNR_en-US\Grabber\DRIVE-C\Users\Admin\Documents\desktop.ini	RuntimeBroker.exe
File created	C:\Users\Admin\AppData\Local\db81a968559c18d3ebb05809a10f800b\Admin@ITMJLVNR_en-US\Grabber\DRIVE-C\Users\Admin\Pictures\desktop.ini	RuntimeBroker.exe
File opened for modification	C:\Users\Admin\AppData\Local\3a117b6d93ab1aaf2ee3093e0d4f785e\Admin@ITMJLVNR_en-US\Grabber\DRIVE-C\Users\Admin\Desktop\desktop.ini	RuntimeBroker.exe
File created	C:\Users\Admin\AppData\Local\3a117b6d93ab1aaf2ee3093e0d4f785e\Admin@ITMJLVNR_en-US\Grabber\DRIVE-C\Users\Admin\Pictures\Saved Pictures\desktop.ini	RuntimeBroker.exe
File created	C:\Users\Admin\AppData\Local\3a117b6d93ab1aaf2ee3093e0d4f785e\Admin@ITMJLVNR_en-US\Grabber\DRIVE-C\Users\Admin\Downloads\desktop.ini	RuntimeBroker.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 4 IoCs

Web Service
T1102

Processes:

flow ioc

137 pastebin.com
202 pastebin.com
207 pastebin.com
213 pastebin.com
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

139 icanhazip.com
Looks up geolocation information via web service
Uses a legitimate geolocation service to find the infected system's geolocation info.

flow	ioc
137	pastebin.com
202	pastebin.com
207	pastebin.com
213	pastebin.com

flow	ioc
139	icanhazip.com

Suspicious use of SetThreadContext 5 IoCs

Processes:

RuntimeBroker.exeRuntimeBroker.exeRuntimeBroker.exeRuntimeBroker.exeRuntimeBroker.exe

description	pid	process	target process
PID 3444 set thread context of 4264	3444	RuntimeBroker.exe	RuntimeBroker.exe
PID 4852 set thread context of 2388	4852	RuntimeBroker.exe	RuntimeBroker.exe
PID 200 set thread context of 3588	200	RuntimeBroker.exe	RuntimeBroker.exe
PID 1424 set thread context of 1624	1424	RuntimeBroker.exe	RuntimeBroker.exe
PID 3084 set thread context of 4048	3084	RuntimeBroker.exe	RuntimeBroker.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 10 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

RuntimeBroker.exeRuntimeBroker.exeRuntimeBroker.exeRuntimeBroker.exeRuntimeBroker.exeRuntimeBroker.exeRuntimeBroker.exeRuntimeBroker.exeRuntimeBroker.exeRuntimeBroker.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RuntimeBroker.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RuntimeBroker.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RuntimeBroker.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RuntimeBroker.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RuntimeBroker.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RuntimeBroker.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RuntimeBroker.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RuntimeBroker.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RuntimeBroker.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RuntimeBroker.exe

System Network Configuration Discovery: Wi-Fi Discovery 1 TTPs 13 IoCs

Adversaries may search for information about Wi-Fi networks, such as network names and passwords, on compromised systems.

discovery

Wi-Fi Discovery

T1016.002

Processes:

netsh.exenetsh.exenetsh.exenetsh.execmd.execmd.execmd.execmd.exenetsh.execmd.execmd.execmd.exenetsh.exe

pid	process
1220	netsh.exe
2324	netsh.exe
6116	netsh.exe
5944	netsh.exe
2656	cmd.exe
4416	cmd.exe
1032	cmd.exe
5784	cmd.exe
3408	netsh.exe
2552	cmd.exe
6044	cmd.exe
1324	cmd.exe
5684	netsh.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

msedge.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Modifies registry class 1 IoCs

Processes:

MiniSearchHost.exe

description ioc process

Key created \REGISTRY\USER\S-1-5-21-6179872-1886041298-1573312864-1000_Classes\Local Settings\MuiCache MiniSearchHost.exe
NTFS ADS 1 IoCs

Processes:

msedge.exe

description ioc process

File opened for modification C:\Users\Admin\Downloads\Rebel.7z:Zone.Identifier msedge.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-6179872-1886041298-1573312864-1000_Classes\Local Settings\MuiCache	MiniSearchHost.exe

description	ioc	process
File opened for modification	C:\Users\Admin\Downloads\Rebel.7z:Zone.Identifier	msedge.exe

Suspicious behavior: EnumeratesProcesses 30 IoCs

Processes:

msedge.exemsedge.exeidentity_helper.exemsedge.exemsedge.exemsedge.exeRuntimeBroker.exeRuntimeBroker.exe

pid	process
864	msedge.exe
864	msedge.exe
3104	msedge.exe
3104	msedge.exe
2108	identity_helper.exe
2108	identity_helper.exe
3552	msedge.exe
3552	msedge.exe
3936	msedge.exe
3936	msedge.exe
4452	msedge.exe
4452	msedge.exe
4452	msedge.exe
4452	msedge.exe
4264	RuntimeBroker.exe
4264	RuntimeBroker.exe
4264	RuntimeBroker.exe
4264	RuntimeBroker.exe
4264	RuntimeBroker.exe
4264	RuntimeBroker.exe
4264	RuntimeBroker.exe
2388	RuntimeBroker.exe
2388	RuntimeBroker.exe
2388	RuntimeBroker.exe
4264	RuntimeBroker.exe
4264	RuntimeBroker.exe
4264	RuntimeBroker.exe
4264	RuntimeBroker.exe
2388	RuntimeBroker.exe
2388	RuntimeBroker.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

7zG.exe

pid process

3280 7zG.exe

pid	process
3280	7zG.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 13 IoCs

Processes:

msedge.exe

pid	process
3104	msedge.exe
3104	msedge.exe
3104	msedge.exe
3104	msedge.exe
3104	msedge.exe
3104	msedge.exe
3104	msedge.exe
3104	msedge.exe
3104	msedge.exe
3104	msedge.exe
3104	msedge.exe
3104	msedge.exe
3104	msedge.exe

Suspicious use of AdjustPrivilegeToken 13 IoCs

Processes:

7zG.exe7zG.exeRuntimeBroker.exeRuntimeBroker.exeRuntimeBroker.exeRuntimeBroker.exeRuntimeBroker.exe

description	pid	process
Token: SeRestorePrivilege	3280	7zG.exe
Token: 35	3280	7zG.exe
Token: SeSecurityPrivilege	3280	7zG.exe
Token: SeSecurityPrivilege	3280	7zG.exe
Token: SeRestorePrivilege	244	7zG.exe
Token: 35	244	7zG.exe
Token: SeSecurityPrivilege	244	7zG.exe
Token: SeSecurityPrivilege	244	7zG.exe
Token: SeDebugPrivilege	4264	RuntimeBroker.exe
Token: SeDebugPrivilege	2388	RuntimeBroker.exe
Token: SeDebugPrivilege	3588	RuntimeBroker.exe
Token: SeDebugPrivilege	1624	RuntimeBroker.exe
Token: SeDebugPrivilege	4048	RuntimeBroker.exe

Suspicious use of FindShellTrayWindow 64 IoCs

Processes:

msedge.exe

pid	process
3104	msedge.exe
3104	msedge.exe
3104	msedge.exe
3104	msedge.exe
3104	msedge.exe
3104	msedge.exe
3104	msedge.exe
3104	msedge.exe
3104	msedge.exe
3104	msedge.exe
3104	msedge.exe
3104	msedge.exe
3104	msedge.exe
3104	msedge.exe
3104	msedge.exe
3104	msedge.exe
3104	msedge.exe
3104	msedge.exe
3104	msedge.exe
3104	msedge.exe
3104	msedge.exe
3104	msedge.exe
3104	msedge.exe
3104	msedge.exe
3104	msedge.exe
3104	msedge.exe
3104	msedge.exe
3104	msedge.exe
3104	msedge.exe
3104	msedge.exe
3104	msedge.exe
3104	msedge.exe
3104	msedge.exe
3104	msedge.exe
3104	msedge.exe
3104	msedge.exe
3104	msedge.exe
3104	msedge.exe
3104	msedge.exe
3104	msedge.exe
3104	msedge.exe
3104	msedge.exe
3104	msedge.exe
3104	msedge.exe
3104	msedge.exe
3104	msedge.exe
3104	msedge.exe
3104	msedge.exe
3104	msedge.exe
3104	msedge.exe
3104	msedge.exe
3104	msedge.exe
3104	msedge.exe
3104	msedge.exe
3104	msedge.exe
3104	msedge.exe
3104	msedge.exe
3104	msedge.exe
3104	msedge.exe
3104	msedge.exe
3104	msedge.exe
3104	msedge.exe
3104	msedge.exe
3104	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

Processes:

msedge.exe

pid	process
3104	msedge.exe
3104	msedge.exe
3104	msedge.exe
3104	msedge.exe
3104	msedge.exe
3104	msedge.exe
3104	msedge.exe
3104	msedge.exe
3104	msedge.exe
3104	msedge.exe
3104	msedge.exe
3104	msedge.exe
3104	msedge.exe
3104	msedge.exe
3104	msedge.exe
3104	msedge.exe
3104	msedge.exe
3104	msedge.exe
3104	msedge.exe
3104	msedge.exe
3104	msedge.exe
3104	msedge.exe
3104	msedge.exe
3104	msedge.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

MiniSearchHost.exe

pid process

2548 MiniSearchHost.exe

pid	process
2548	MiniSearchHost.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

msedge.exe

description	pid	process	target process
PID 3104 wrote to memory of 576	3104	msedge.exe	msedge.exe
PID 3104 wrote to memory of 576	3104	msedge.exe	msedge.exe
PID 3104 wrote to memory of 3180	3104	msedge.exe	msedge.exe
PID 3104 wrote to memory of 3180	3104	msedge.exe	msedge.exe
PID 3104 wrote to memory of 3180	3104	msedge.exe	msedge.exe
PID 3104 wrote to memory of 3180	3104	msedge.exe	msedge.exe
PID 3104 wrote to memory of 3180	3104	msedge.exe	msedge.exe
PID 3104 wrote to memory of 3180	3104	msedge.exe	msedge.exe
PID 3104 wrote to memory of 3180	3104	msedge.exe	msedge.exe
PID 3104 wrote to memory of 3180	3104	msedge.exe	msedge.exe
PID 3104 wrote to memory of 3180	3104	msedge.exe	msedge.exe
PID 3104 wrote to memory of 3180	3104	msedge.exe	msedge.exe
PID 3104 wrote to memory of 3180	3104	msedge.exe	msedge.exe
PID 3104 wrote to memory of 3180	3104	msedge.exe	msedge.exe
PID 3104 wrote to memory of 3180	3104	msedge.exe	msedge.exe
PID 3104 wrote to memory of 3180	3104	msedge.exe	msedge.exe
PID 3104 wrote to memory of 3180	3104	msedge.exe	msedge.exe
PID 3104 wrote to memory of 3180	3104	msedge.exe	msedge.exe
PID 3104 wrote to memory of 3180	3104	msedge.exe	msedge.exe
PID 3104 wrote to memory of 3180	3104	msedge.exe	msedge.exe
PID 3104 wrote to memory of 3180	3104	msedge.exe	msedge.exe
PID 3104 wrote to memory of 3180	3104	msedge.exe	msedge.exe
PID 3104 wrote to memory of 3180	3104	msedge.exe	msedge.exe
PID 3104 wrote to memory of 3180	3104	msedge.exe	msedge.exe
PID 3104 wrote to memory of 3180	3104	msedge.exe	msedge.exe
PID 3104 wrote to memory of 3180	3104	msedge.exe	msedge.exe
PID 3104 wrote to memory of 3180	3104	msedge.exe	msedge.exe
PID 3104 wrote to memory of 3180	3104	msedge.exe	msedge.exe
PID 3104 wrote to memory of 3180	3104	msedge.exe	msedge.exe
PID 3104 wrote to memory of 3180	3104	msedge.exe	msedge.exe
PID 3104 wrote to memory of 3180	3104	msedge.exe	msedge.exe
PID 3104 wrote to memory of 3180	3104	msedge.exe	msedge.exe
PID 3104 wrote to memory of 3180	3104	msedge.exe	msedge.exe
PID 3104 wrote to memory of 3180	3104	msedge.exe	msedge.exe
PID 3104 wrote to memory of 3180	3104	msedge.exe	msedge.exe
PID 3104 wrote to memory of 3180	3104	msedge.exe	msedge.exe
PID 3104 wrote to memory of 3180	3104	msedge.exe	msedge.exe
PID 3104 wrote to memory of 3180	3104	msedge.exe	msedge.exe
PID 3104 wrote to memory of 3180	3104	msedge.exe	msedge.exe
PID 3104 wrote to memory of 3180	3104	msedge.exe	msedge.exe
PID 3104 wrote to memory of 3180	3104	msedge.exe	msedge.exe
PID 3104 wrote to memory of 3180	3104	msedge.exe	msedge.exe
PID 3104 wrote to memory of 864	3104	msedge.exe	msedge.exe
PID 3104 wrote to memory of 864	3104	msedge.exe	msedge.exe
PID 3104 wrote to memory of 3916	3104	msedge.exe	msedge.exe
PID 3104 wrote to memory of 3916	3104	msedge.exe	msedge.exe
PID 3104 wrote to memory of 3916	3104	msedge.exe	msedge.exe
PID 3104 wrote to memory of 3916	3104	msedge.exe	msedge.exe
PID 3104 wrote to memory of 3916	3104	msedge.exe	msedge.exe
PID 3104 wrote to memory of 3916	3104	msedge.exe	msedge.exe
PID 3104 wrote to memory of 3916	3104	msedge.exe	msedge.exe
PID 3104 wrote to memory of 3916	3104	msedge.exe	msedge.exe
PID 3104 wrote to memory of 3916	3104	msedge.exe	msedge.exe
PID 3104 wrote to memory of 3916	3104	msedge.exe	msedge.exe
PID 3104 wrote to memory of 3916	3104	msedge.exe	msedge.exe
PID 3104 wrote to memory of 3916	3104	msedge.exe	msedge.exe
PID 3104 wrote to memory of 3916	3104	msedge.exe	msedge.exe
PID 3104 wrote to memory of 3916	3104	msedge.exe	msedge.exe
PID 3104 wrote to memory of 3916	3104	msedge.exe	msedge.exe
PID 3104 wrote to memory of 3916	3104	msedge.exe	msedge.exe
PID 3104 wrote to memory of 3916	3104	msedge.exe	msedge.exe
PID 3104 wrote to memory of 3916	3104	msedge.exe	msedge.exe
PID 3104 wrote to memory of 3916	3104	msedge.exe	msedge.exe
PID 3104 wrote to memory of 3916	3104	msedge.exe	msedge.exe

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://download2260.mediafire.com/8z5me9rbv5egliK0QorznLNdVFQVB2yJPfxkAoNbA9Jzw-XVz8BqZ37CnAA2czOZRNRQVlW8yK_tFkTf0yUA1DRBXPBb71HG_U0jcyIGZkTFbIknUtI5jE0LbUPjFnrbGO8J5IDA_HAtvV-xu65bbK4Zjiebr1B33WjcvM8fLmRdOA/by9n59rwi4ek33p/Rebel.7z
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:3104
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffa1b2d3cb8,0x7ffa1b2d3cc8,0x7ffa1b2d3cd8
  2⤵
  PID:576
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1936,1914002087945459708,15505923580530052651,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1940 /prefetch:2
  2⤵
  PID:3180
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1936,1914002087945459708,15505923580530052651,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2060 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:864
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1936,1914002087945459708,15505923580530052651,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2568 /prefetch:8
  2⤵
  PID:3916
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1936,1914002087945459708,15505923580530052651,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3264 /prefetch:1
  2⤵
  PID:3648
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1936,1914002087945459708,15505923580530052651,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3280 /prefetch:1
  2⤵
  PID:3260
- C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1936,1914002087945459708,15505923580530052651,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5712 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2108
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1936,1914002087945459708,15505923580530052651,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3780 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3552
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1936,1914002087945459708,15505923580530052651,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5000 /prefetch:1
  2⤵
  PID:3452
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1936,1914002087945459708,15505923580530052651,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5136 /prefetch:1
  2⤵
  PID:2932
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1936,1914002087945459708,15505923580530052651,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6012 /prefetch:1
  2⤵
  PID:1456
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1936,1914002087945459708,15505923580530052651,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6032 /prefetch:1
  2⤵
  PID:4648
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1936,1914002087945459708,15505923580530052651,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6636 /prefetch:1
  2⤵
  PID:2608
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1936,1914002087945459708,15505923580530052651,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6568 /prefetch:1
  2⤵
  PID:2136
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1936,1914002087945459708,15505923580530052651,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5920 /prefetch:1
  2⤵
  PID:4008
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1936,1914002087945459708,15505923580530052651,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4740 /prefetch:1
  2⤵
  PID:3140
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1936,1914002087945459708,15505923580530052651,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6404 /prefetch:1
  2⤵
  PID:1572
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1936,1914002087945459708,15505923580530052651,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2680 /prefetch:1
  2⤵
  PID:1932
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1936,1914002087945459708,15505923580530052651,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1716 /prefetch:1
  2⤵
  PID:4068
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1936,1914002087945459708,15505923580530052651,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4884 /prefetch:8
  2⤵
  - NTFS ADS
  - Suspicious behavior: EnumeratesProcesses
  PID:3936
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1936,1914002087945459708,15505923580530052651,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --gpu-preferences=SAAAAAAAAADoAAAwAAAAAAAAAAAAAAAAAABgAAAQAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=6932 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4452

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4780

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2448

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:3468

C:\Program Files\7-Zip\7zG.exe
"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Desktop\vius\" -an -ai#7zMap978:76:7zEvent10987
1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
PID:3280

C:\Program Files\7-Zip\7zG.exe
"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Desktop\vius\" -an -ai#7zMap4877:76:7zEvent7574
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:244

C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\MiniSearchHost.exe
"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\MiniSearchHost.exe" -ServerName:MiniSearchUI.AppXj3y73at8fy1htwztzxs68sxx1v7cksp7.mca
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:2548

C:\Users\Admin\Desktop\vius\Rebel\RebelCracked.exe
"C:\Users\Admin\Desktop\vius\Rebel\RebelCracked.exe"
1⤵
- Executes dropped EXE
PID:2324
- C:\Users\Admin\AppData\Local\RuntimeBroker.exe
  "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  PID:3444
- - C:\Users\Admin\AppData\Local\RuntimeBroker.exe
    "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
    3⤵
    - Executes dropped EXE
    - Drops desktop.ini file(s)
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:4264
  - - C:\Windows\SysWOW64\cmd.exe
      "cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All
      4⤵
      System Network Configuration Discovery: Wi-Fi Discovery
      PID:4416
    - - C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        5⤵
        
        PID:5136
    - - C:\Windows\SysWOW64\netsh.exe
        
        netsh wlan show profile
        5⤵
        System Network Configuration Discovery: Wi-Fi Discovery
        
        PID:1220
    - - C:\Windows\SysWOW64\findstr.exe
        
        findstr All
        5⤵
        
        PID:1192
  - - C:\Windows\SysWOW64\cmd.exe
      "cmd.exe" /C chcp 65001 && netsh wlan show networks mode=bssid
      4⤵
      PID:5480
    - - C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        5⤵
        
        PID:1952
    - - C:\Windows\SysWOW64\netsh.exe
        
        netsh wlan show networks mode=bssid
        5⤵
        
        PID:5612
- C:\Users\Admin\Desktop\vius\Rebel\RebelCracked.exe
  "C:\Users\Admin\Desktop\vius\Rebel\RebelCracked.exe"
  2⤵
  - Executes dropped EXE
  PID:728
- - C:\Users\Admin\AppData\Local\RuntimeBroker.exe
    "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    PID:4852
  - - C:\Users\Admin\AppData\Local\RuntimeBroker.exe
      "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
      4⤵
      Executes dropped EXE
      Drops desktop.ini file(s)
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:2388
    - - C:\Windows\SysWOW64\cmd.exe
        
        "cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All
        5⤵
        System Network Configuration Discovery: Wi-Fi Discovery
        
        PID:2552
      - C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        6⤵
        
        PID:5828
      - C:\Windows\SysWOW64\netsh.exe
        
        netsh wlan show profile
        6⤵
        System Network Configuration Discovery: Wi-Fi Discovery
        
        PID:2324
      - C:\Windows\SysWOW64\findstr.exe
        
        findstr All
        6⤵
        
        PID:1528
    - - C:\Windows\SysWOW64\cmd.exe
        
        "cmd.exe" /C chcp 65001 && netsh wlan show networks mode=bssid
        5⤵
        
        PID:4620
      - C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        6⤵
        
        PID:5952
      - C:\Windows\SysWOW64\netsh.exe
        
        netsh wlan show networks mode=bssid
        6⤵
        
        PID:5300
- - C:\Users\Admin\Desktop\vius\Rebel\RebelCracked.exe
    "C:\Users\Admin\Desktop\vius\Rebel\RebelCracked.exe"
    3⤵
    - Executes dropped EXE
    PID:2580
  - - C:\Users\Admin\AppData\Local\RuntimeBroker.exe
      "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of SetThreadContext
      System Location Discovery: System Language Discovery
      PID:200
    - - C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:3588
      - C:\Windows\SysWOW64\cmd.exe
        
        "cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All
        6⤵
        System Network Configuration Discovery: Wi-Fi Discovery
        
        PID:6044
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        7⤵
        
        PID:5324
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh wlan show profile
        7⤵
        System Network Configuration Discovery: Wi-Fi Discovery
        
        PID:6116
        
        C:\Windows\SysWOW64\findstr.exe
        
        findstr All
        7⤵
        
        PID:2312
      - C:\Windows\SysWOW64\cmd.exe
        
        "cmd.exe" /C chcp 65001 && netsh wlan show networks mode=bssid
        6⤵
        
        PID:4104
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        7⤵
        
        PID:4540
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh wlan show networks mode=bssid
        7⤵
        
        PID:5644
  - - C:\Users\Admin\Desktop\vius\Rebel\RebelCracked.exe
      "C:\Users\Admin\Desktop\vius\Rebel\RebelCracked.exe"
      4⤵
      Executes dropped EXE
      PID:4948
    - - C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:1424
      - C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        6⤵
        
        PID:3656
      - C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        6⤵
        
        PID:988
      - C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:1624
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All
        7⤵
        System Network Configuration Discovery: Wi-Fi Discovery
        
        PID:1032
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        8⤵
        
        PID:1276
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh wlan show profile
        8⤵
        System Network Configuration Discovery: Wi-Fi Discovery
        
        PID:3408
        
        C:\Windows\SysWOW64\findstr.exe
        
        findstr All
        8⤵
        
        PID:3800
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd.exe" /C chcp 65001 && netsh wlan show networks mode=bssid
        7⤵
        
        PID:5644
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        8⤵
        
        PID:6088
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh wlan show networks mode=bssid
        8⤵
        
        PID:6120
    - - C:\Users\Admin\Desktop\vius\Rebel\RebelCracked.exe
        
        "C:\Users\Admin\Desktop\vius\Rebel\RebelCracked.exe"
        5⤵
        Executes dropped EXE
        
        PID:4704
      - C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        6⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:3084
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        7⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:4048
      - C:\Users\Admin\Desktop\vius\Rebel\RebelCracked.exe
        
        "C:\Users\Admin\Desktop\vius\Rebel\RebelCracked.exe"
        6⤵
        Executes dropped EXE
        
        PID:1952
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        7⤵
        
        PID:5520
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        8⤵
        
        PID:5588
        
        C:\Users\Admin\Desktop\vius\Rebel\RebelCracked.exe
        
        "C:\Users\Admin\Desktop\vius\Rebel\RebelCracked.exe"
        7⤵
        
        PID:5528
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        8⤵
        
        PID:5256
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        9⤵
        
        PID:5332
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        9⤵
        
        PID:5348
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        9⤵
        
        PID:5360
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        9⤵
        
        PID:5372
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        9⤵
        
        PID:5380
        
        C:\Users\Admin\Desktop\vius\Rebel\RebelCracked.exe
        
        "C:\Users\Admin\Desktop\vius\Rebel\RebelCracked.exe"
        8⤵
        
        PID:5280
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        9⤵
        
        PID:1008
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        10⤵
        
        PID:5144
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        10⤵
        
        PID:5568
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All
        11⤵
        System Network Configuration Discovery: Wi-Fi Discovery
        
        PID:1324
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        12⤵
        
        PID:5232
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh wlan show profile
        12⤵
        System Network Configuration Discovery: Wi-Fi Discovery
        
        PID:5944
        
        C:\Windows\SysWOW64\findstr.exe
        
        findstr All
        12⤵
        
        PID:5928
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd.exe" /C chcp 65001 && netsh wlan show networks mode=bssid
        11⤵
        
        PID:2044
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        12⤵
        
        PID:1432
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh wlan show networks mode=bssid
        12⤵
        
        PID:5624
        
        C:\Users\Admin\Desktop\vius\Rebel\RebelCracked.exe
        
        "C:\Users\Admin\Desktop\vius\Rebel\RebelCracked.exe"
        9⤵
        
        PID:5168
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        10⤵
        
        PID:6048
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        11⤵
        
        PID:6108
        
        C:\Users\Admin\Desktop\vius\Rebel\RebelCracked.exe
        
        "C:\Users\Admin\Desktop\vius\Rebel\RebelCracked.exe"
        10⤵
        
        PID:6072
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        11⤵
        
        PID:5716
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        12⤵
        
        PID:5964
        
        C:\Users\Admin\Desktop\vius\Rebel\RebelCracked.exe
        
        "C:\Users\Admin\Desktop\vius\Rebel\RebelCracked.exe"
        11⤵
        
        PID:4888
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        12⤵
        
        PID:5772
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        13⤵
        
        PID:6080
        
        C:\Users\Admin\Desktop\vius\Rebel\RebelCracked.exe
        
        "C:\Users\Admin\Desktop\vius\Rebel\RebelCracked.exe"
        12⤵
        
        PID:6016
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        13⤵
        
        PID:6084
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        14⤵
        
        PID:2428
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All
        15⤵
        System Network Configuration Discovery: Wi-Fi Discovery
        
        PID:2656
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        16⤵
        
        PID:4724
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh wlan show profile
        16⤵
        System Network Configuration Discovery: Wi-Fi Discovery
        
        PID:5684
        
        C:\Windows\SysWOW64\findstr.exe
        
        findstr All
        16⤵
        
        PID:5420
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd.exe" /C chcp 65001 && netsh wlan show networks mode=bssid
        15⤵
        
        PID:5960
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        16⤵
        
        PID:780
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh wlan show networks mode=bssid
        16⤵
        
        PID:3092
        
        C:\Users\Admin\Desktop\vius\Rebel\RebelCracked.exe
        
        "C:\Users\Admin\Desktop\vius\Rebel\RebelCracked.exe"
        13⤵
        
        PID:5892
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        14⤵
        
        PID:32
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        15⤵
        
        PID:5208
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All
        16⤵
        System Network Configuration Discovery: Wi-Fi Discovery
        
        PID:5784
        
        C:\Users\Admin\Desktop\vius\Rebel\RebelCracked.exe
        
        "C:\Users\Admin\Desktop\vius\Rebel\RebelCracked.exe"
        14⤵
        
        PID:5280
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        15⤵
        
        PID:2140
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        16⤵
        
        PID:5200
        
        C:\Users\Admin\Desktop\vius\Rebel\RebelCracked.exe
        
        "C:\Users\Admin\Desktop\vius\Rebel\RebelCracked.exe"
        15⤵
        
        PID:2380
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        16⤵
        
        PID:236
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        17⤵
        
        PID:4876
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        17⤵
        
        PID:4852
        
        C:\Users\Admin\Desktop\vius\Rebel\RebelCracked.exe
        
        "C:\Users\Admin\Desktop\vius\Rebel\RebelCracked.exe"
        16⤵
        
        PID:2040
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        17⤵
        
        PID:5164
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        18⤵
        
        PID:4948
        
        C:\Users\Admin\Desktop\vius\Rebel\RebelCracked.exe
        
        "C:\Users\Admin\Desktop\vius\Rebel\RebelCracked.exe"
        17⤵
        
        PID:5140
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        18⤵
        
        PID:5856
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        19⤵
        
        PID:5300
        
        C:\Users\Admin\Desktop\vius\Rebel\RebelCracked.exe
        
        "C:\Users\Admin\Desktop\vius\Rebel\RebelCracked.exe"
        18⤵
        
        PID:3920
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        19⤵
        
        PID:6128
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        20⤵
        
        PID:2592
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        20⤵
        
        PID:3644
        
        C:\Users\Admin\Desktop\vius\Rebel\RebelCracked.exe
        
        "C:\Users\Admin\Desktop\vius\Rebel\RebelCracked.exe"
        19⤵
        
        PID:2208
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        20⤵
        
        PID:5676
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        21⤵
        
        PID:3920
        
        C:\Users\Admin\Desktop\vius\Rebel\RebelCracked.exe
        
        "C:\Users\Admin\Desktop\vius\Rebel\RebelCracked.exe"
        20⤵
        
        PID:5644

C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Local\5c6f366629fcbcdf7a71dd35758e4d76\Admin@ITMJLVNR_en-US\Grabber\DRIVE-C\Users\Admin\Desktop\vius\Rebel\ReadMe.txt
1⤵
PID:4260

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

System Network Configuration Discovery

T1016

Wi-Fi Discovery

T1016.002

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\0dc2e9767170cf0916b3334bad14c83d\Admin@ITMJLVNR_en-US\Browsers\Edge\Cookies.txt

Filesize
7KB

MD5
892c65e33dc81b6376b1b64ad4db5d30

SHA1
96ca100fd61dae5e45323fe700598328429d8fef

SHA256
3d5964ede2c74095fd86724e113c757bd1ad4504011dd5da0cf76b480052d345

SHA512
54d00dea9360e976b6edc60d0fbf6e3ae181bf922fb21c9165f3208bb6b9bd09b918b4ea8be14802cf4f4d5ff08dd99747304122e2e8d9efab535f7948d9bf60

Download Submit
C:\Users\Admin\AppData\Local\0dc2e9767170cf0916b3334bad14c83d\Admin@ITMJLVNR_en-US\System\Process.txt

Filesize
881B

MD5
8c46aae3086ce33c73ed0e8502c97a04

SHA1
6672a0175cbc833796f2befdd9d93e064d85d26e

SHA256
4b98e4b2bd6043362750d654ade6f20140517282572dd7f5292f5023eb01dfa2

SHA512
df3925c8ac3d005aafe4f49cb13adf401208373426ffc878fc5b79126de70cfb82ba6b9c43a5a3bcbfb86c23317a72d49bc44f53d18ad84df4e64179ef3f6c80

Download Submit
C:\Users\Admin\AppData\Local\0dc2e9767170cf0916b3334bad14c83d\Admin@ITMJLVNR_en-US\System\Process.txt

Filesize
973B

MD5
8f40ac2b553db49a28ae38816033bdb7

SHA1
4f0c133f111b6990568aad5aec6d1760d739552d

SHA256
68e89a8cca1af5a107a2cd7530d2d02ae8c42011d500c12d2d99905c116e34bf

SHA512
64f53a124d956e6f2b2bc5385925bca79a5c1e1624483b879abe81ed21326d3b21d19c0b735d703cb6e637b6b28679815bc1857858ae44984dd7aeb59ad7d3cb

Download Submit
C:\Users\Admin\AppData\Local\0dc2e9767170cf0916b3334bad14c83d\Admin@ITMJLVNR_en-US\System\Process.txt

Filesize
1KB

MD5
22f21cd0024e7ab8837f066dadcb4cf7

SHA1
c61ac2c7f89fb6c47842dcf5bfb7a4b35b586226

SHA256
97bb79c213426a3767115029963ebc4d13e7e42189e949252a2ccbaf260ad315

SHA512
d90d7ab587ce04e34ef6f77b5cc8f4a9b45bef3fe55173209f0cb80d4c4cb321d4f282d854d6d09292cf43e5ed057d6314ab92cab6c84ac13339e77ac8c3c189

Download Submit
C:\Users\Admin\AppData\Local\12c9eacd2450ff2a6eb9a8ab73ecc396\Admin@ITMJLVNR_en-US\System\Process.txt

Filesize
4KB

MD5
cb3443fa1d768d8651194a6409694977

SHA1
3e9fd30159a8a0ba232fc08b7e33ca91249b3318

SHA256
985be7cfd9055b64003cc1e4a884dac51e14538214976ccdc0f257810ae9fd35

SHA512
cede0baafea08508e7ef94ca51b96d88c0ef5fc10b362e5691f254839eff8389410ec9ef3b4cfccf0cbd93771e5c1e5a49abcc9661ad2c63c42434242ca266ac

Download Submit
C:\Users\Admin\AppData\Local\3a117b6d93ab1aaf2ee3093e0d4f785e\Admin@ITMJLVNR_en-US\System\Process.txt

Filesize
4KB

MD5
54c31961aa48515f71e528927593f96c

SHA1
dcf96adab7e9f4e4bf17130866ec9c2d687c2750

SHA256
2d6a6ae38d43849f06776de5610dcb78a242e3de207b5d29b80dc4847aee9f7f

SHA512
2e7593a850c4f605a2622cf76daad419561623423600d28ddc2148ea2a1a94e8b60f2293ce9dfcfac14da03b48a19413488f785da839ed4c41571fb450a3cbe3

Download Submit
C:\Users\Admin\AppData\Local\3a117b6d93ab1aaf2ee3093e0d4f785e\Admin@ITMJLVNR_en-US\System\ScanningNetworks.txt

Filesize
84B

MD5
58cd2334cfc77db470202487d5034610

SHA1
61fa242465f53c9e64b3752fe76b2adcceb1f237

SHA256
59b3120c5ce1a7d1819510272a927e1c8f1c95385213fccbcdd429ff3492040d

SHA512
c8f52d85ec99177c722527c306a64ba61adc3ad3a5fec6d87749fbad12da424ba6b34880ab9da627fb183412875f241e1c1864d723e62130281e44c14ad1481e

Download Submit
C:\Users\Admin\AppData\Local\4ecfcad46d0735dbf6e822410f4bb9d1\Admin@ITMJLVNR_en-US\Browsers\Edge\Cookies.txt

Filesize
1KB

MD5
419266691c136c6518a0823a62fa8c76

SHA1
7f1386fe656ac257413b6fd2f1efdde9123eba64

SHA256
528d2a7938a6dc861abd2b74275c2543f91ac55a1d3e91f91659349e3e240b4c

SHA512
3c5daf3a1ad4b62f67f258c7ec35cd7b1ea8f6ad1026a103baeeeef6f186f89aeb0be2a479afdb775ca64e037a7f32d4d16cb69760621fd76fdbaa171a30b9f7

Download Submit
C:\Users\Admin\AppData\Local\4ecfcad46d0735dbf6e822410f4bb9d1\Admin@ITMJLVNR_en-US\System\Process.txt

Filesize
191B

MD5
d33479cbd89c12f73fa32f900eb292ed

SHA1
5bcce430d56db2c6cbc0bffb61f6ccd88dc731fb

SHA256
826d1b7ed45fd7596f8b67fb345ccace2640d175ec7ec1108d713608f354fc18

SHA512
c8e65c08809bb97e0f6dff6604ef137e519d4a5c49868712a8504cedc60391e4ddf6969566e8ac1c17af347fb312ba3021d672d9d6b4b93a4ad5928deb3f5bb8

Download Submit
C:\Users\Admin\AppData\Local\4ecfcad46d0735dbf6e822410f4bb9d1\Admin@ITMJLVNR_en-US\System\Process.txt

Filesize
255B

MD5
b0e0880b811331b1e745acd012a8c45a

SHA1
637cbbe31255d7b8561c95db0eef87f437d854c6

SHA256
6190c31eb989e3bb85429ef1df6b1abefe2867acfea07816982dc24596495588

SHA512
c58722ae71f2dbfb055a5c1f2fc7228637aa2c7fa7255018c556e27bf60cef28f78ec1ca3e7e178f79ce1d9f8a2b5d469115b6b37471face702567d4fe82d175

Download Submit
C:\Users\Admin\AppData\Local\4ecfcad46d0735dbf6e822410f4bb9d1\Admin@ITMJLVNR_en-US\System\Process.txt

Filesize
319B

MD5
c48617cdc8050650b59ebc55ee51a0c4

SHA1
e575bcba40b30af44b8f69f4755bb45754d5813f

SHA256
c37eacc67c477f3b9e7ae48ea89c692b52a623e8b4a37070dcf0d7f54ba5c8db

SHA512
97a9efbc8f313a68b69e558f5b3179ed1b625cb49e7614b998d146e39b133af617d3fee3344e11754f3f5b77b510ac74f05c12d06404fad0805f08c1fdfadcb9

Download Submit
C:\Users\Admin\AppData\Local\4ecfcad46d0735dbf6e822410f4bb9d1\Admin@ITMJLVNR_en-US\System\Process.txt

Filesize
383B

MD5
c40e7a700080e9967df098edae8c7c1c

SHA1
69f2ad3df862acaade4e64cf2cce5a1e7dd42802

SHA256
9dcdc97898d038bb22dfc35013ea8d17264e3e8c21710957d07d41925e5f5eba

SHA512
876ed39e977b65b48af688445f2264225ea8af2a39aeaee342ac63a6adf68a10aed48c928377c6c2ae6f6655381af687d975548ef010de7ba5f535761e147474

Download Submit
C:\Users\Admin\AppData\Local\4ecfcad46d0735dbf6e822410f4bb9d1\Admin@ITMJLVNR_en-US\System\Process.txt

Filesize
446B

MD5
403ae6b4cf16c35a4a43a6fcb018cc25

SHA1
9cd9db42a6461fa3d08eb8f9e0855c986b386aa7

SHA256
41a0bf6f9b5779d8bde6da257a503615d1956bbf124651932420dbf95e63d8a9

SHA512
56ddb93287a127d4d74db2aa4289db4bebff6a2345f6fd835f67ad8f46dc7cdd12d214ee24acd4c63e492df883be6d9e968457cbaa8ca8c3735191a4f4ff7b3d

Download Submit
C:\Users\Admin\AppData\Local\4ecfcad46d0735dbf6e822410f4bb9d1\Admin@ITMJLVNR_en-US\System\Process.txt

Filesize
510B

MD5
18a6587c8bc6e75ab7363c5ef3729cb4

SHA1
019d4d9e04361b94715592cc293edecd7a4b30af

SHA256
c9a69f96ac4315d355b30060b9b51032cc1f2744d469ab9ec1988e1d9f45598b

SHA512
02062a95d9e965112b416ee25fa9a048c55c716abb13e7becde727404bee9d26dc856504ad17f2af31c3f67a6d5ec4069c53709612a846c22c63bdf602177117

Download Submit
C:\Users\Admin\AppData\Local\4ecfcad46d0735dbf6e822410f4bb9d1\Admin@ITMJLVNR_en-US\System\Process.txt

Filesize
632B

MD5
661b06331d3daf8913209e5f285b7c75

SHA1
bce62e0f396c8dcacdac70150ed9cedc4edc4a25

SHA256
26dd557bbbbdf68b564b77d184002c137fb85af4800087693b8a398d342760a3

SHA512
27561173205c2bed1e7eca3356369a00cd036adba15c78e1a506dda19c3cf230451f8e2e9b3894ef9fb3af88ba784fe6fac1972d1d163854c74235f63b3e94db

Download Submit
C:\Users\Admin\AppData\Local\4ecfcad46d0735dbf6e822410f4bb9d1\Admin@ITMJLVNR_en-US\System\Process.txt

Filesize
661B

MD5
a734860a664fd54f87e68a0b1aee6d1a

SHA1
f73223eeedf602a9ebcc10672cee5c0b78ffe900

SHA256
7b7507e139d6057c160dfeba684825deed8a6307f9d93559082a3afa8491ac84

SHA512
337fe54745321da90f1d2f3fed504891d440015c862c13e77da24da716da99651a724fb342ad890c40f818b3d17d4630a51c7547fed8910097b33d249c8bc1be

Download Submit
C:\Users\Admin\AppData\Local\4ecfcad46d0735dbf6e822410f4bb9d1\Admin@ITMJLVNR_en-US\System\Process.txt

Filesize
725B

MD5
53e48d0adea620c6bc11f424856f3831

SHA1
ebc4b57b1ecde3168450fad2656ff239916bb0f1

SHA256
2e2fc81cbe71ea4800c70d0603d6e068056686c376bf19fdf607a5085749f185

SHA512
6bb17d8f8d101af51df252fd185bd457c3123ebbb19b7849b452baa2438e880320576d587f1161d90cb78fc1a2641b42601aa850472e5021308bf96261a76c88

Download Submit
C:\Users\Admin\AppData\Local\4ecfcad46d0735dbf6e822410f4bb9d1\Admin@ITMJLVNR_en-US\System\Process.txt

Filesize
817B

MD5
5e55acb1b004c8a7f38bf5434f6fd7aa

SHA1
d11ff33c04933dcdda2522d3f064154f4b54da03

SHA256
7ddc3f86e696f2e7064c411f20185b0a9322f0ae33a8811242d73e288528b6c7

SHA512
faee54d792a2a9ef25629fd19702fbc06aaaa0195191b3779c5d5f5bf8a00a969e64facd7217fea2370bbb6eede6eb3401dbb6a4366ae382a9818db91dd17d2c

Download Submit
C:\Users\Admin\AppData\Local\4ecfcad46d0735dbf6e822410f4bb9d1\Admin@ITMJLVNR_en-US\System\Process.txt

Filesize
4KB

MD5
e709dbdf9062209536f574ed1a4c26d0

SHA1
b57a84ff97cd637a6c3561508d187239a6f91bff

SHA256
086aa3216a84b2defcce991df92e7774fda7a9849cc7af5b2bf9406751f0b185

SHA512
de76031b4b971067f3f562fc780ab32faccb04ac55730a206c10d9da6f65c6cd199b0ffb8163dc219a604b19c7ede27303b7012eea28a7ddd4087415c584c3ff

Download Submit
C:\Users\Admin\AppData\Local\5c6f366629fcbcdf7a71dd35758e4d76\Admin@ITMJLVNR_en-US\Grabber\DRIVE-C\Users\Admin\Pictures\Saved Pictures\desktop.ini

Filesize
190B

MD5
87a524a2f34307c674dba10708585a5e

SHA1
e0508c3f1496073b9f6f9ecb2fb01cb91f9e8201

SHA256
d01a7ef6233ef4ab3ea7210c0f2837931d334a20ae4d2a05ed03291e59e576c9

SHA512
7cfa6d47190075e1209fb081e36ed7e50e735c9682bfb482dbf5a36746abdad0dccfdb8803ef5042e155e8c1f326770f3c8f7aa32ce66cf3b47cd13781884c38

Download Submit
C:\Users\Admin\AppData\Local\5c6f366629fcbcdf7a71dd35758e4d76\Admin@ITMJLVNR_en-US\Grabber\DRIVE-C\Users\Admin\Pictures\desktop.ini

Filesize
504B

MD5
29eae335b77f438e05594d86a6ca22ff

SHA1
d62ccc830c249de6b6532381b4c16a5f17f95d89

SHA256
88856962cef670c087eda4e07d8f78465beeabb6143b96bd90f884a80af925b4

SHA512
5d2d05403b39675b9a751c8eed4f86be58cb12431afec56946581cb116b9ae1014ab9334082740be5b4de4a25e190fe76de071ef1b9074186781477919eb3c17

Download Submit
C:\Users\Admin\AppData\Local\5c6f366629fcbcdf7a71dd35758e4d76\Admin@ITMJLVNR_en-US\System\Process.txt

Filesize
64B

MD5
4bf76e1f354c0c41d80a280d2c7888f8

SHA1
777f5fe0beb1e0e996af3cab949dafb0f9ccc39c

SHA256
b3732d786dc8b981c62d0e94109a501d7337395966c7b5222f14db9b37ba4550

SHA512
64ba18e3f49aba945907569932ccc0286ac77415d24c16137dd8cc8139c12eb182dd6a960221e8f4ed01d268a1b27fc5229c66b1cf54d40a5b0e8787c29f5145

Download Submit
C:\Users\Admin\AppData\Local\5c6f366629fcbcdf7a71dd35758e4d76\Admin@ITMJLVNR_en-US\System\Process.txt

Filesize
128B

MD5
642d245eec20d2cfc6d2481a324528d4

SHA1
2bb5f9ac3cf9928a01458a7440d58e0c90bbf90a

SHA256
691451aed3538e8107b1bf7086c73ede5900e0460444f8edc14481c2fccf19ba

SHA512
8ba900b60cde8c4723a2bb1dd360281d25f597f0541db5b19669af1eb32613baf8c3dd5949ae21658b0821590f71dc098be4dc8d0fe6e1aeaa695ed2b0a57763

Download Submit
C:\Users\Admin\AppData\Local\5c6f366629fcbcdf7a71dd35758e4d76\Admin@ITMJLVNR_en-US\System\Process.txt

Filesize
4KB

MD5
2f3d99c6f5e778adbfd0e268e08e4aa6

SHA1
f154faa60a4d351864930c93945a8433792cda86

SHA256
e85bc69601c59acfa5f168e903deb387bf0249bec522a93ea88cea4e6140d7fe

SHA512
a7f4e839d9446d78a18aab95b87c5ad3d30eb10f6a7928e04ca32f05c580bc2c8f12558d53303518830107ea69360957f1d3b867ba12e24a9eb22f8cf74a149c

Download Submit
C:\Users\Admin\AppData\Local\6c96bff79533d46ef82f56a8e3d3528a\msgid.dat

Filesize
1B

MD5
cfcd208495d565ef66e7dff9f98764da

SHA1
b6589fc6ab0dc82cf12099d1c2d40ab994e8410c

SHA256
5feceb66ffc86f38d952786c6d696c79c2dbc239dd4e91b46729d73a27fb57e9

SHA512
31bca02094eb78126a517b206a88c73cfa9ec6f704c7030d18212cace820f025f00bf0ea68dbf3f3a5436ca63b53bf7bf80ad8d5de7d8359d0b7fed9dbc3ab99

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\RebelCracked.exe.log

Filesize
654B

MD5
2cbbb74b7da1f720b48ed31085cbd5b8

SHA1
79caa9a3ea8abe1b9c4326c3633da64a5f724964

SHA256
e31b18f21621d9983bfdf1ea3e53884a9d58b8ffd79e0e5790da6f3a81a8b9d3

SHA512
ecf02d5240e0c1c005d3ab393aa7eff62bd498c2db5905157e2bf6d29e1b663228a9583950842629d1a4caef404c8941a0c7799b1a3bd1eb890a09fdb7efcff9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\RuntimeBroker.exe.log

Filesize
706B

MD5
1356da7590c7343415dc5977d32b17c8

SHA1
6b2d7cb07839255395f6b24391fe5fec5201e359

SHA256
2126fa4651af160534e852712f55be80e16308e9cad3fed7b0bd3ac6ce528702

SHA512
6f1cff058fd47eb299d81dcb53d6c8138d433c8f2d44fc281639ed72f88bfcaa56e100367a77f856a8e06a490a932bc0ae53d6ed10e78fcfbebb97be9d8cb97c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
302c3de891ef3a75b81a269db4e1cf22

SHA1
5401eb5166da78256771e8e0281ca2d1f471c76f

SHA256
1d1640e5755779c90676290853d2e3ca948f57cf5fb1df4b786e277a97757f58

SHA512
da18e7d40376fd13255f3f67a004c3a7f408466bd7ce92e36a4d0c20441279fe4b1b6e0874ab74c494663fb97bd7992b5e7c264b3fc434c1e981326595263d33

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
c9efc5ba989271670c86d3d3dd581b39

SHA1
3ad714bcf6bac85e368b8ba379540698d038084f

SHA256
c2e16990b0f6f23efdcecd99044993a4c2b8ba87bd542dd8f6256d69e24b93b3

SHA512
c1bc0dc70ab827b54feb64ad069d21e1c3c28d57d126b08314a9670437881d77dba02b5cca57ef0f2aa7f8e7d4d163fbd2c6f246ea2d51ce201d61a89015e8b7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
1KB

MD5
47fc0f741f3831ac64450d30f9f6986c

SHA1
cce78a807151f2a1b211f50e3650a1545f3e9757

SHA256
c3abb5d06ec450d58fff78669d265a7a2aa0b9e630b8fd725d5636dced9cb844

SHA512
e478bc734539456ab0e3044daebddd83b51da5f7d651880c6fc785cdedd4ee418264c23d07629e1a71dbd0c2f514b9c5644a8bfeb8aeb43f8c5213079979d3df

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cookies

Filesize
32KB

MD5
6d6f33fd622d98059bc074edef41c554

SHA1
a6f731118a8266e632019b7dd5c9ecadf4860313

SHA256
59db2c42cf93e8367d46fee701e519be59017e5f3ef20fefd089d6e3e950109f

SHA512
db4597667f8ce32cdaf14efe05475e8bc102c0e150241832761132b968aa55fd2008f20604b7bdbd01faf275d47a342cffa30117efe7a981c0dde937fd2d8fb5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\History

Filesize
132KB

MD5
f6382af4ad2742bcba494e226b64658b

SHA1
0b3578ee607a0784cc23e3940d6224b7003e9b1c

SHA256
ac127da8a12fb7a3d34e2df1c139e95f8621e5259c378708325609296808d87e

SHA512
a3803013323eed199e10a3d405eb9a44f098d9f1ee6d61ae51d7e581e518e10e1fbea91af801cdc8e87e7a23be29dd0b22215451134ad3b1f542d9022e307412

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
8KB

MD5
6f76be2e17f69f3854c48ef372e4bfd2

SHA1
abfd14c4fe87f36e3e064ec13c0b9b34945f2229

SHA256
ad823f2f8f4990f95b81fb64a73c593532b026c2cfbe3248c4edf67d3d4d9901

SHA512
6ace45a0b983dec8fedd177e1feb02f4ce241f6d69151c7e7fcf428cea77beeea4c47b04fd218f415009d3ea75eda27d743651c8ef7a1ac64473d1e763f2f0fc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
20b0685f0475465e3a5660df7ba74078

SHA1
ac881b4106cf1f78bb73014d6c8ae202b603833a

SHA256
8851d6df053a9d6ab0fe55b595097036447f17781f04df375229a41f7236d31d

SHA512
ba3fb7eae59ef1de6498784cda5cc0b6db81c8588568e40e414a8cd12cf573893a2d9aca21af4421ce84b7b3c5c19726d7466858a9f2b053efa8b7cd9ae2b200

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
10KB

MD5
e1b2b1a1679d43b1bd968bab015bc41e

SHA1
6a173fc51cc1ce03e2126bb71f84adbc87d16acc

SHA256
8e7f5e2ddc10f9a5524143f19b1e4748331cb3da88b14432afa8d48870e0f5be

SHA512
48bb727f556d8ed0ede9ec3b8c667ae265006f1d11935f130ad8c8f9f7e8940e9db74276d602b518999eca9e61d370df7888683605af96fee4f936100ffcbf3c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
6e57368b581c65803b749048638998ab

SHA1
98bc29b4c33ed828c540aeed1bed8b4a3b2f10af

SHA256
2376a5eee954868d895b08bd075d43b265627810d5ac53ae3a2cf1bd1e98e0a5

SHA512
2bfd95515b3d2bd55e9a56e625c8222d2839a23d3a8f094a67ffddfd2e5bda4b1cf6927716ad998d8ff3b346c0e1a6e3ecd3426050b29cdc454715b280b87b10

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
9KB

MD5
d22ac64ee1dfa4147b0c47d15d624ff6

SHA1
b28a0be3874b932cbbf8acf2e5585569c5cd9873

SHA256
1f3a521a3765a0c6e1dafb99e7445cb82e14248f5400da371425fa5b053ffde3

SHA512
956bae75590fefddceee51f250e5226ec7a7997ef49cef188f57967354fd1b1353bfcc49bb84aec301c613c1a0f42ab429b5d32acdfc3c4a5790e01bce1e2353

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
10KB

MD5
097a19de59b318d6294840011de1e7bb

SHA1
16d4a33c00b8220735f857767361df9757728542

SHA256
07668f70dac85d52afc72add5e4355fc17bb5f33b279c7e2c4d5b04751dc027f

SHA512
e51ddbab1202c8282091961cf2043a880577a29704425abdedfc3b918ccdcc425e7fb0c59b121ebd6bb8de7a29721cad95c46cf04138f3733fe207f6801d6c50

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
2KB

MD5
17c16370e824b1021ffe44dc9a6c6356

SHA1
6bc4500379ff4ce38221dc0719c40f4046d39dcc

SHA256
19d14b28de6126cb2b1a9bf75c0b241ed23c009b684d90de21cf5e709837d691

SHA512
6e8bd8c896c89bdfb865138b4fd7d91b85ebceac77dd92e4ebc8482bd3bf5acd32c092e59882128d8f25cc72b1318c6b2c492a149c1023f0209e1c0fde238a5d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe580700.TMP

Filesize
706B

MD5
4fb479f106d4e4f27c632faa17c72df2

SHA1
01db8b864b45d1897ef0abd7a1b789d1f8961cbd

SHA256
beaced05773c39a68e03eb3a061d64b10b000c2c29f6494c99465cee3dd8027e

SHA512
a5f60e9cc936b85e3bf37a3767fb9ffb6d76d65d69d8f01273d76bddbb60a2f13737ddbdb41c98e6271932cf9de78e89d88ebd7349298fb945d6dad060c1b169

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
206702161f94c5cd39fadd03f4014d98

SHA1
bd8bfc144fb5326d21bd1531523d9fb50e1b600a

SHA256
1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167

SHA512
0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
efef54300727e94c09c23d0df1120325

SHA1
dc7ed9b5e5aaec6c57b62368f670e44e5a25f15a

SHA256
366e43c881e638f91826420b84e1a3747af46b73eafcd3c494853251b4fb09d1

SHA512
f8b69f1e3aa9b402ebb7eaeaf5c6b7ca952eff8c94abf5831d10f7276eea1ebf450c33f7f6202ea6dbe61d75b168a24893a9f987980b3794903c9894ebf73317

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
64fbc6eeb4ea5e7379b65430d63ad75d

SHA1
79e85ac94572cd22f014838846ad176a8439bd07

SHA256
aa6a0d2d379b5133b6856007554aa6f6fd99581901fb40c00226a8da1d62cb5b

SHA512
5d054b72dc3a05a6fb7bd110bd1ed1db4fd8f88516e90848556ac444c50a39db5eea2064c5424ca36e95e0c3551112450724385c39a9b145f9ec99e7c006c5cb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
6ab2c43ec03a7f6a8af312cbf76a2929

SHA1
d24255aded365968a9e9b8c81537840e4e707173

SHA256
768285edb6ce992664c897ec39fa5145181a947a2ec89656b6e080add1faa158

SHA512
8ab4da0e412f21d1e1a491aeafd6e018fa24bafe6d3e45428f38ad6ab60397fa8f25832c99979a7f509c2e4105f86af5962266d1aea9579e041f98bbbca492bb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
743869ba4cad11f06fda4f556c93d55a

SHA1
2f82d4ad57622824c420e8549d7b61a958e57b3e

SHA256
dd986eeb420a00db5efc35a3ed07efb5e33090c0ea3776c4b211eedf56ac6271

SHA512
2bf02089b44cd09addda59dfc1e89d67ddc30e450d78375110441dde20435b3235920cae8d7fe5c735c30e211e9d17c69dbf746a3694012b063d105c102939b3

Download Submit
C:\Users\Admin\AppData\Local\Packages\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\TempState\SearchHoverUnifiedTileModelCache.dat

Filesize
10KB

MD5
eed1599235b9dd933e13cbd5751d7eec

SHA1
d461f7edc8bdb31b672f97b18d34e38bb7c96c4b

SHA256
13ee96f0fd8b45de1603cea7aa86ddaa749ea580989d6cb806d944f3547fbf43

SHA512
9679690676ef1ede8030e26359381a092eaec7cb671d51e91d8cd446006301bcb98518b977fd5d475e777baa11dd28e69135c517e3b3d74475134bfed4e8da9e

Download Submit
C:\Users\Admin\AppData\Local\RuntimeBroker.exe

Filesize
330KB

MD5
75e456775c0a52b6bbe724739fa3b4a7

SHA1
1f4c575e98d48775f239ceae474e03a3058099ea

SHA256
e8d52d0d352317b3da0be6673099d32e10e7b0e44d23a0c1a6a5277d37b95cf3

SHA512
b376146c6fa91f741d69acf7b02a57442d2ea059be37b9bdb06af6cc01272f4ded1a82e4e21b9c803d0e91e22fc12f70391f5e8c8704d51b2435afc9624e8471

Download Submit
C:\Users\Admin\AppData\Local\Temp\places.raw

Filesize
5.0MB

MD5
ce84fb305b0892c358c29bfda12713a9

SHA1
1aaad615f8a0e1ba510633ae27f0fb4c6487ccd0

SHA256
0364ae17e66cc096dc9be31ab981a013b748b6233b9bc67e32da68f7b3f7778b

SHA512
a84f62cd6b5dd2bb26059a66cba10c3a4f27b0926b7fb74e9d97581d03306909e300214fdaed172f389113ddcfafe63a38814d4d93af758ed9fe2aba5df7374e

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp9835.tmp.dat

Filesize
114KB

MD5
9161df81ba333649f936f4bb44ec6ec3

SHA1
c728bfe3bc8d7387e981275c8f78f7f6a47426e2

SHA256
4931786eac2f1a13af09d835afefeac1f99a00e4998bc4d2278d996cbd3690a4

SHA512
79898d636d42db253d50b6bab4cfee0f1352b920547a756c93c76af7ec35bc86df8dfe2a8b1b31258fc46eeb2a4516e47a45c59afeb50b83364c37151fa05886

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp9847.tmp.dat

Filesize
160KB

MD5
f310cf1ff562ae14449e0167a3e1fe46

SHA1
85c58afa9049467031c6c2b17f5c12ca73bb2788

SHA256
e187946249cd390a3c1cf5d4e3b0d8f554f9acdc416bf4e7111fff217bb08855

SHA512
1196371de08c964268c44103ccaed530bda6a145df98e0f480d8ee5ad58cb6fb33ca4c9195a52181fe864726dcf52e6a7a466d693af0cda43400a3a7ef125fad

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp984A.tmp.dat

Filesize
112KB

MD5
87210e9e528a4ddb09c6b671937c79c6

SHA1
3c75314714619f5b55e25769e0985d497f0062f2

SHA256
eeb23424586eb7bc62b51b19f1719c6571b71b167f4d63f25984b7f5c5436db1

SHA512
f8cb8098dc8d478854cddddeac3396bc7b602c4d0449491ecacea7b9106672f36b55b377c724dc6881bee407c6b6c5c3352495ed4b852dd578aa3643a43e37c0

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpA381.tmp.dat

Filesize
40KB

MD5
a182561a527f929489bf4b8f74f65cd7

SHA1
8cd6866594759711ea1836e86a5b7ca64ee8911f

SHA256
42aad7886965428a941508b776a666a4450eb658cb90e80fae1e7457fc71f914

SHA512
9bc3bf5a82f6f057e873adebd5b7a4c64adef966537ab9c565fe7c4bb3582e2e485ff993d5ab8a6002363231958fabd0933b48811371b8c155eaa74592b66558

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpA387.tmp.dat

Filesize
46KB

MD5
14ccc9293153deacbb9a20ee8f6ff1b7

SHA1
46b4d7b004ff4f1f40ad9f107fe7c7e3abc9a9f3

SHA256
3195ce0f7aa2eae2b21c447f264e2bd4e1dc5208353ac72d964a750de9a83511

SHA512
916f2178be05dc329461d2739271972238b22052b5935883da31e6c98d2697bd2435c9f6a2d1fcafb4811a1d867c761055532669aac2ea1a3a78c346cdeba765

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpA3F7.tmp.dat

Filesize
96KB

MD5
40f3eb83cc9d4cdb0ad82bd5ff2fb824

SHA1
d6582ba879235049134fa9a351ca8f0f785d8835

SHA256
cdd772b00ae53d4050150552b67028b7344bb1d345bceb495151cc969c27a0a0

SHA512
cdd4dbf0b1ba73464cd7c5008dc05458862e5f608e336b53638a14965becd4781cdea595fd6bd18d0bf402dccffd719da292a6ce67d359527b4691dc6d6d4cc2

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpE0C0.tmp.dat

Filesize
32KB

MD5
0c78cfc5efd7cd02414d2b82053335f1

SHA1
5fff24afb78706b79a22c0163f66212c690eb86f

SHA256
00809ab31dc3fc852eb378850e6e84b25d163c402afa9d94923a1d99c16ccdc7

SHA512
d1eb5e387c24ebb15703527e64e03f826cf57ffa2c00d6bfe92cf384e0dfed8cc6e65ed04ffb59834162d81b117c739a37f2dcb8752867b85fd561716320a67e

Download Submit
C:\Users\Admin\AppData\Local\db81a968559c18d3ebb05809a10f800b\Admin@ITMJLVNR_en-US\Browsers\Edge\Cookies.txt

Filesize
7KB

MD5
d3ce18e642c5712ddb59e80cbaa29835

SHA1
d0ae540c64f29268c6762df98926dba7029f6bb1

SHA256
77eb00c7c63b962e32f2f9595067c95e5f08f827481be705f7ec1d0cd162947b

SHA512
a1a51a8ca202e01dcc74dc5ba93582c5484039300703caf0caf4b8fcc3cc4637a8a40dd68750b50eb147232aa7c4c9ed1c9873d5b2a63eccc85dd4a043145558

Download Submit
C:\Users\Admin\AppData\Local\db81a968559c18d3ebb05809a10f800b\Admin@ITMJLVNR_en-US\Browsers\Edge\History.txt

Filesize
4KB

MD5
5455ec4b0bb927073228eb25f0adedf1

SHA1
a504d122c28d90b5fc0e86c5c6d2a4dcd6ef8deb

SHA256
edf44ccb7ebde410f1afe8d845246b6a46945bb1222f35f4aafd5aba805c6ff1

SHA512
21dc094e5ea227ebb5b669159ae6d937a24c38b13eb2efbc9792baac887be9832b864ed5c038a11828018934518ad4d5c957d67bd2d61a67fd6c2c757c108886

Download Submit
C:\Users\Admin\AppData\Local\db81a968559c18d3ebb05809a10f800b\Admin@ITMJLVNR_en-US\Browsers\Firefox\Bookmarks.txt

Filesize
105B

MD5
2e9d094dda5cdc3ce6519f75943a4ff4

SHA1
5d989b4ac8b699781681fe75ed9ef98191a5096c

SHA256
c84c98bbf5e0ef9c8d0708b5d60c5bb656b7d6be5135d7f7a8d25557e08cf142

SHA512
d1f7eed00959e902bdb2125b91721460d3ff99f3bdfc1f2a343d4f58e8d4e5e5a06c0c6cdc0379211c94510f7c00d7a8b34fa7d0ca0c3d54cbbe878f1e9812b7

Download Submit
C:\Users\Admin\AppData\Local\db81a968559c18d3ebb05809a10f800b\Admin@ITMJLVNR_en-US\Directories\Desktop.txt

Filesize
706B

MD5
97f5da7e2a091ebff239fa986e9fcbfe

SHA1
4839bad817c592c677832a72a954b91a14f92548

SHA256
cff319bf9249bb7811c94a6da4fc8a5ab16c98be31eefbd9bf2860d4b5fcc0bd

SHA512
e7a3d1c4dfe3f9fd5c5761961858a9fe41889a637cfcf9e92f4105d26344536b8ccb03f9fcff4e583e967e26e7e6bea25f9893dc6cc367adbdd66fff5a91ddc3

Download Submit
C:\Users\Admin\AppData\Local\db81a968559c18d3ebb05809a10f800b\Admin@ITMJLVNR_en-US\Directories\Documents.txt

Filesize
467B

MD5
d8a2a3e04cc1524d12d3f3fc8d0e9596

SHA1
40416253f01f9f9429308d28a74055a7f1e51472

SHA256
a0596ccb09498167c07f34273c4e866a48d2de98438cc799d43e138b971561ed

SHA512
90dcbfae60152ca52a3911c988eab2d3a01a3a9ec6fc985925b324dc03aa1e3422430b6089c859a622728cec208b6389738e5735ab660e93c01f8bf4a1ab5a79

Download Submit
C:\Users\Admin\AppData\Local\db81a968559c18d3ebb05809a10f800b\Admin@ITMJLVNR_en-US\Directories\Downloads.txt

Filesize
580B

MD5
27b7c0d35f0f5501c365e28af221175b

SHA1
259ad564a9d3006a5d313fafc7a6a9429eba58c2

SHA256
0668d0fe1471fa9f2301ffe0620e08734fb04597b0e9c99fca0b078104e737c1

SHA512
93f29cb50aaf968dc9d1200fd8061b11489bd7a1ab4a739d7f86bc77fe934248e27f6d28c57698dbd2b3a7d8f79ad9c651be6cd4f7f783281735ba8dad4d8adf

Download Submit
C:\Users\Admin\AppData\Local\db81a968559c18d3ebb05809a10f800b\Admin@ITMJLVNR_en-US\Directories\OneDrive.txt

Filesize
25B

MD5
966247eb3ee749e21597d73c4176bd52

SHA1
1e9e63c2872cef8f015d4b888eb9f81b00a35c79

SHA256
8ddfc481b1b6ae30815ecce8a73755862f24b3bb7fdebdbf099e037d53eb082e

SHA512
bd30aec68c070e86e3dec787ed26dd3d6b7d33d83e43cb2d50f9e2cff779fee4c96afbbe170443bd62874073a844beb29a69b10c72c54d7d444a8d86cfd7b5aa

Download Submit
C:\Users\Admin\AppData\Local\db81a968559c18d3ebb05809a10f800b\Admin@ITMJLVNR_en-US\Directories\Pictures.txt

Filesize
568B

MD5
e39f37be26014cabf4170003ab9cfdb8

SHA1
97ce4276dbf5e9634898a793495b4424423cff9d

SHA256
10f12ac191c6ccf8b5e60f4130012dcb42260d9d346f3a205f69d7de44048173

SHA512
85dd0a6ea3872065c9e28b0ae1bce05c159c35e2039f0bbe5fb6ce8317ff9c31aaed652c5ed0c6ae39b0ba94dee743285fb25ad68a4357259057d1a8dd0ae1d9

Download Submit
C:\Users\Admin\AppData\Local\db81a968559c18d3ebb05809a10f800b\Admin@ITMJLVNR_en-US\Directories\Startup.txt

Filesize
24B

MD5
68c93da4981d591704cea7b71cebfb97

SHA1
fd0f8d97463cd33892cc828b4ad04e03fc014fa6

SHA256
889ed51f9c16a4b989bda57957d3e132b1a9c117ee84e208207f2fa208a59483

SHA512
63455c726b55f2d4de87147a75ff04f2daa35278183969ccf185d23707840dd84363bec20d4e8c56252196ce555001ca0e61b3f4887d27577081fdef9e946402

Download Submit
C:\Users\Admin\AppData\Local\db81a968559c18d3ebb05809a10f800b\Admin@ITMJLVNR_en-US\Directories\Temp.txt

Filesize
2KB

MD5
49b2d3bbc1813325db853855eece3c7f

SHA1
769be8f15814801fc1cf969931baecc8baba2480

SHA256
e0afebd94ff180458e2fb12558695bdc1fdde12d9d7fbadc13c477681b1598ac

SHA512
6684af7e0390699ef39bf428fc0cb15ab1dd08d031636165612459c11a2f2db0390843745ac52b2fd56685afa94b4f86684df0c19eea11ef8108b27c8e2e69d2

Download Submit
C:\Users\Admin\AppData\Local\db81a968559c18d3ebb05809a10f800b\Admin@ITMJLVNR_en-US\Directories\Videos.txt

Filesize
23B

MD5
1fddbf1169b6c75898b86e7e24bc7c1f

SHA1
d2091060cb5191ff70eb99c0088c182e80c20f8c

SHA256
a67aa329b7d878de61671e18cd2f4b011d11cbac67ea779818c6dafad2d70733

SHA512
20bfeafde7fec1753fef59de467bd4a3dd7fe627e8c44e95fe62b065a5768c4508e886ec5d898e911a28cf6365f455c9ab1ebe2386d17a76f53037f99061fd4d

Download Submit
C:\Users\Admin\AppData\Local\db81a968559c18d3ebb05809a10f800b\Admin@ITMJLVNR_en-US\Grabber\DRIVE-C\Users\Admin\Desktop\desktop.ini

Filesize
282B

MD5
9e36cc3537ee9ee1e3b10fa4e761045b

SHA1
7726f55012e1e26cc762c9982e7c6c54ca7bb303

SHA256
4b9d687ac625690fd026ed4b236dad1cac90ef69e7ad256cc42766a065b50026

SHA512
5f92493c533d3add10b4ce2a364624817ebd10e32daa45ee16593e913073602db5e339430a3f7d2c44abf250e96ca4e679f1f09f8ca807d58a47cf3d5c9c3790

Download Submit
C:\Users\Admin\AppData\Local\db81a968559c18d3ebb05809a10f800b\Admin@ITMJLVNR_en-US\Grabber\DRIVE-C\Users\Admin\Documents\desktop.ini

Filesize
402B

MD5
ecf88f261853fe08d58e2e903220da14

SHA1
f72807a9e081906654ae196605e681d5938a2e6c

SHA256
cafec240d998e4b6e92ad1329cd417e8e9cbd73157488889fd93a542de4a4844

SHA512
82c1c3dd163fbf7111c7ef5043b009dafc320c0c5e088dec16c835352c5ffb7d03c5829f65a9ff1dc357bae97e8d2f9c3fc1e531fe193e84811fb8c62888a36b

Download Submit
C:\Users\Admin\AppData\Local\db81a968559c18d3ebb05809a10f800b\Admin@ITMJLVNR_en-US\Grabber\DRIVE-C\Users\Admin\Downloads\desktop.ini

Filesize
282B

MD5
3a37312509712d4e12d27240137ff377

SHA1
30ced927e23b584725cf16351394175a6d2a9577

SHA256
b029393ea7b7cf644fb1c9f984f57c1980077562ee2e15d0ffd049c4c48098d3

SHA512
dbb9abe70f8a781d141a71651a62a3a743c71a75a8305e9d23af92f7307fb639dc4a85499115885e2a781b040cbb7613f582544c2d6de521e588531e9c294b05

Download Submit
C:\Users\Admin\AppData\Local\db81a968559c18d3ebb05809a10f800b\Admin@ITMJLVNR_en-US\Grabber\DRIVE-C\Users\Admin\Pictures\Camera Roll\desktop.ini

Filesize
190B

MD5
d48fce44e0f298e5db52fd5894502727

SHA1
fce1e65756138a3ca4eaaf8f7642867205b44897

SHA256
231a08caba1f9ba9f14bd3e46834288f3c351079fcedda15e391b724ac0c7ea8

SHA512
a1c0378db4e6dac9a8638586f6797bad877769d76334b976779cd90324029d755fb466260ef27bd1e7f9fdf97696cd8cd1318377970a1b5bf340efb12a4feb4a

Download Submit
C:\Users\Admin\AppData\Local\db81a968559c18d3ebb05809a10f800b\Admin@ITMJLVNR_en-US\System\Process.txt

Filesize
4KB

MD5
046fb2b6cd3c36c6cfd18e34ed5bf8fa

SHA1
bc4e92ef2a073a589a5ba867859e50ad4f4adf4f

SHA256
228b6a3c7fa1ffb90a67703c17baa904cff323732041c69f823fb09c7cd1822f

SHA512
ae8f52282be63184cc63b54bf19fbf6ce7ae212c7e238bae774797939a7eb8bf6cba9378cc123883ec87a35837fe681ee70a9957a117ef0ad6252997d8df4872

Download Submit
C:\Users\Admin\AppData\Local\db81a968559c18d3ebb05809a10f800b\Admin@ITMJLVNR_en-US\System\ProductKey.txt

Filesize
29B

MD5
71eb5479298c7afc6d126fa04d2a9bde

SHA1
a9b3d5505cf9f84bb6c2be2acece53cb40075113

SHA256
f6cadfd4e4c25ff3b8cffe54a2af24a757a349abbf4e1142ec4c9789347fe8b3

SHA512
7c6687e21d31ec1d6d2eff04b07b465f875fd80df26677f1506b14158444cf55044eb6674880bd5bd44f04ff73023b26cb19b8837427a1d6655c96df52f140bd

Download Submit
C:\Users\Admin\Desktop\vius\Rebel\ReadMe.txt

Filesize
13B

MD5
1c6c20f0c324e98e38272f1245d24e11

SHA1
bbb5dc3a18a532529ec6fa88c86542288dd979f7

SHA256
4ca7414e2aba6d74826403afb6ccbcc1752297a1b61aced8808b75d80d212f2d

SHA512
a30aed5a54580ad73f16ad237f82e2dc99c99d9645d40d1fbdf88a7d6c10c238b6967c011ba46c6084d409e4a37b41983d600146f93cd9250a810b7d784d8246

Download Submit
C:\Users\Admin\Desktop\vius\Rebel\RebelCracked.exe

Filesize
344KB

MD5
a84fd0fc75b9c761e9b7923a08da41c7

SHA1
2597048612041cd7a8c95002c73e9c2818bb2097

SHA256
9d9a79f4ae9bf7a992945f6c06c5bec642c05e4e828217c50255dabfa3677006

SHA512
a17f1144a0e3ce07c7ed6891987c5b969f291e9991442c33750028d35e2194794e8a649c397e8afc9f8ce19d485c453600c75cab4fcead09e38414d85819251a

Download Submit
C:\Users\Admin\Downloads\Rebel.7z:Zone.Identifier

Filesize
26B

MD5
fbccf14d504b7b2dbcb5a5bda75bd93b

SHA1
d59fc84cdd5217c6cf74785703655f78da6b582b

SHA256
eacd09517ce90d34ba562171d15ac40d302f0e691b439f91be1b6406e25f5913

SHA512
aa1d2b1ea3c9de3ccadb319d4e3e3276a2f27dd1a5244fe72de2b6f94083dddc762480482c5c2e53f803cd9e3973ddefc68966f974e124307b5043e654443b98

Download Submit
\??\pipe\LOCAL\crashpad_3104_ZOSFGGPSSINROHOP

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/2324-448-0x0000000000C10000-0x0000000000C6C000-memory.dmp

Filesize
368KB

Download
memory/3444-464-0x00000000057D0000-0x0000000005D76000-memory.dmp

Filesize
5.6MB

Download
memory/3444-465-0x0000000005320000-0x00000000053B2000-memory.dmp

Filesize
584KB

Download
memory/3444-467-0x00000000054D0000-0x000000000556C000-memory.dmp

Filesize
624KB

Download
memory/3444-466-0x00000000052D0000-0x000000000531A000-memory.dmp

Filesize
296KB

Download
memory/3444-463-0x0000000000100000-0x0000000000158000-memory.dmp

Filesize
352KB

Download
memory/3444-468-0x0000000005450000-0x000000000545A000-memory.dmp

Filesize
40KB

Download
memory/4264-2174-0x00000000064A0000-0x00000000064B2000-memory.dmp

Filesize
72KB

Download
memory/4264-469-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/4264-481-0x0000000005AE0000-0x0000000005B46000-memory.dmp

Filesize
408KB

Download
memory/4264-1367-0x00000000066B0000-0x00000000066BA000-memory.dmp

Filesize
40KB

Download