asyncrat | 9bfb72e86979ae7f37efb1a8191e7e7bd2126051635bbff5223e1bac98730183

Analysis

max time kernel
27s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
07-09-2024 20:27

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

New folder/RebelCracked.exe
Size

344KB
MD5

a84fd0fc75b9c761e9b7923a08da41c7
SHA1

2597048612041cd7a8c95002c73e9c2818bb2097
SHA256

9d9a79f4ae9bf7a992945f6c06c5bec642c05e4e828217c50255dabfa3677006
SHA512

a17f1144a0e3ce07c7ed6891987c5b969f291e9991442c33750028d35e2194794e8a649c397e8afc9f8ce19d485c453600c75cab4fcead09e38414d85819251a
SSDEEP

6144:lOcpeK8lucxAtLNFHUVuI/2zj1z6jZ755NofmWx4PCQL23wBw7R0ljTwrVuAdJKp:QcpSnx0LNFDQ60Ntbo5d7gBw7R7rbdJk

Score

10^/10

asyncrat stormkitty default credential_access discovery persistence privilege_escalation rat spyware stealer

Malware Config

Extracted

Family

asyncrat

Botnet

Default

127.0.0.1:6606

127.0.0.1:7707

127.0.0.1:8808

Mutex

AsyncMutex_6SI8OkPnk

Attributes

delay
3
install
false
install_folder
%AppData%

aes.plain

Signatures

AsyncRat
AsyncRAT is designed to remotely monitor and control other computers written in C#.
rat asyncrat
StormKitty
StormKitty is an open source info stealer written in C#.
stealer stormkitty

StormKitty payload 1 IoCs

resource	yara_rule
behavioral4/memory/3644-25-0x0000000000400000-0x0000000000432000-memory.dmp	family_stormkitty

Credentials from Password Stores: Credentials from Web Browsers 1 TTPs
Malicious Access or copy of Web Browser Credential store.
credential_access stealer

Credentials from Web Browsers
T1555.003

Checks computer location settings 2 TTPs 11 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\Control Panel\International\Geo\Nation	RebelCracked.exe
Key value queried	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\Control Panel\International\Geo\Nation	RebelCracked.exe
Key value queried	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\Control Panel\International\Geo\Nation	RebelCracked.exe
Key value queried	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\Control Panel\International\Geo\Nation	RebelCracked.exe
Key value queried	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\Control Panel\International\Geo\Nation	RebelCracked.exe
Key value queried	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\Control Panel\International\Geo\Nation	RebelCracked.exe
Key value queried	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\Control Panel\International\Geo\Nation	RebelCracked.exe
Key value queried	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\Control Panel\International\Geo\Nation	RebelCracked.exe
Key value queried	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\Control Panel\International\Geo\Nation	RebelCracked.exe
Key value queried	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\Control Panel\International\Geo\Nation	RebelCracked.exe
Key value queried	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\Control Panel\International\Geo\Nation	RebelCracked.exe

Executes dropped EXE 22 IoCs

pid	Process
2596	RuntimeBroker.exe
3644	RuntimeBroker.exe
1492	RuntimeBroker.exe
3588	RuntimeBroker.exe
4072	RuntimeBroker.exe
3068	RuntimeBroker.exe
1188	RuntimeBroker.exe
224	RuntimeBroker.exe
4976	RuntimeBroker.exe
840	RuntimeBroker.exe
536	RuntimeBroker.exe
4856	RuntimeBroker.exe
3008	RuntimeBroker.exe
384	RuntimeBroker.exe
4588	RuntimeBroker.exe
1584	RuntimeBroker.exe
1680	RuntimeBroker.exe
1604	RuntimeBroker.exe
4776	RuntimeBroker.exe
1624	RuntimeBroker.exe
1228	RuntimeBroker.exe
4976	RuntimeBroker.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops desktop.ini file(s) 57 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Local\8506be12beeee320712513ea6e947914\Admin@PVMNUDVD_en-US\Grabber\DRIVE-C\Users\Admin\Downloads\desktop.ini	RuntimeBroker.exe
File created	C:\Users\Admin\AppData\Local\b82b87cf34c3ca2d2a0b6fd09646285a\Admin@PVMNUDVD_en-US\Grabber\DRIVE-C\Users\Admin\Downloads\desktop.ini	RuntimeBroker.exe
File created	C:\Users\Admin\AppData\Local\d96d8b50c07a65ecc182961d57cfcf5d\Admin@PVMNUDVD_en-US\Grabber\DRIVE-C\Users\Admin\Pictures\desktop.ini	RuntimeBroker.exe
File created	C:\Users\Admin\AppData\Local\d96d8b50c07a65ecc182961d57cfcf5d\Admin@PVMNUDVD_en-US\Grabber\DRIVE-C\Users\Admin\Pictures\Camera Roll\desktop.ini	RuntimeBroker.exe
File created	C:\Users\Admin\AppData\Local\d96d8b50c07a65ecc182961d57cfcf5d\Admin@PVMNUDVD_en-US\Grabber\DRIVE-C\Users\Admin\Pictures\Saved Pictures\desktop.ini	RuntimeBroker.exe
File created	C:\Users\Admin\AppData\Local\8506be12beeee320712513ea6e947914\Admin@PVMNUDVD_en-US\Grabber\DRIVE-C\Users\Admin\Downloads\desktop.ini	RuntimeBroker.exe
File created	C:\Users\Admin\AppData\Local\17c9d5e5339b574ab370670abb376628\Admin@PVMNUDVD_en-US\Grabber\DRIVE-C\Users\Admin\Pictures\Camera Roll\desktop.ini	RuntimeBroker.exe
File created	C:\Users\Admin\AppData\Local\b82b87cf34c3ca2d2a0b6fd09646285a\Admin@PVMNUDVD_en-US\Grabber\DRIVE-C\Users\Admin\Pictures\desktop.ini	RuntimeBroker.exe
File created	C:\Users\Admin\AppData\Local\b82b87cf34c3ca2d2a0b6fd09646285a\Admin@PVMNUDVD_en-US\Grabber\DRIVE-C\Users\Admin\Pictures\Saved Pictures\desktop.ini	RuntimeBroker.exe
File created	C:\Users\Admin\AppData\Local\5db207b1d09101bcf27c7734dcb3a1b7\Admin@PVMNUDVD_en-US\Grabber\DRIVE-C\Users\Admin\Documents\desktop.ini	RuntimeBroker.exe
File created	C:\Users\Admin\AppData\Local\d96d8b50c07a65ecc182961d57cfcf5d\Admin@PVMNUDVD_en-US\Grabber\DRIVE-C\Users\Admin\Pictures\Saved Pictures\desktop.ini	RuntimeBroker.exe
File opened for modification	C:\Users\Admin\AppData\Local\b82b87cf34c3ca2d2a0b6fd09646285a\Admin@PVMNUDVD_en-US\Grabber\DRIVE-C\Users\Admin\Desktop\desktop.ini	RuntimeBroker.exe
File created	C:\Users\Admin\AppData\Local\8506be12beeee320712513ea6e947914\Admin@PVMNUDVD_en-US\Grabber\DRIVE-C\Users\Admin\Desktop\desktop.ini	RuntimeBroker.exe
File created	C:\Users\Admin\AppData\Local\8506be12beeee320712513ea6e947914\Admin@PVMNUDVD_en-US\Grabber\DRIVE-C\Users\Admin\Pictures\desktop.ini	RuntimeBroker.exe
File created	C:\Users\Admin\AppData\Local\8506be12beeee320712513ea6e947914\Admin@PVMNUDVD_en-US\Grabber\DRIVE-C\Users\Admin\Documents\desktop.ini	RuntimeBroker.exe
File created	C:\Users\Admin\AppData\Local\17c9d5e5339b574ab370670abb376628\Admin@PVMNUDVD_en-US\Grabber\DRIVE-C\Users\Admin\Pictures\Saved Pictures\desktop.ini	RuntimeBroker.exe
File opened for modification	C:\Users\Admin\AppData\Local\8506be12beeee320712513ea6e947914\Admin@PVMNUDVD_en-US\Grabber\DRIVE-C\Users\Admin\Desktop\desktop.ini	RuntimeBroker.exe
File created	C:\Users\Admin\AppData\Local\8506be12beeee320712513ea6e947914\Admin@PVMNUDVD_en-US\Grabber\DRIVE-C\Users\Admin\Documents\desktop.ini	RuntimeBroker.exe
File created	C:\Users\Admin\AppData\Local\99b03d914a1bba9ce39aaa145a795729\Admin@PVMNUDVD_en-US\Grabber\DRIVE-C\Users\Admin\Downloads\desktop.ini	RuntimeBroker.exe
File created	C:\Users\Admin\AppData\Local\d96d8b50c07a65ecc182961d57cfcf5d\Admin@PVMNUDVD_en-US\Grabber\DRIVE-C\Users\Admin\Documents\desktop.ini	RuntimeBroker.exe
File created	C:\Users\Admin\AppData\Local\17c9d5e5339b574ab370670abb376628\Admin@PVMNUDVD_en-US\Grabber\DRIVE-C\Users\Admin\Documents\desktop.ini	RuntimeBroker.exe
File created	C:\Users\Admin\AppData\Local\17c9d5e5339b574ab370670abb376628\Admin@PVMNUDVD_en-US\Grabber\DRIVE-C\Users\Admin\Downloads\desktop.ini	RuntimeBroker.exe
File created	C:\Users\Admin\AppData\Local\d96d8b50c07a65ecc182961d57cfcf5d\Admin@PVMNUDVD_en-US\Grabber\DRIVE-C\Users\Admin\Desktop\desktop.ini	RuntimeBroker.exe
File opened for modification	C:\Users\Admin\AppData\Local\8506be12beeee320712513ea6e947914\Admin@PVMNUDVD_en-US\Grabber\DRIVE-C\Users\Admin\Desktop\desktop.ini	RuntimeBroker.exe
File created	C:\Users\Admin\AppData\Local\5db207b1d09101bcf27c7734dcb3a1b7\Admin@PVMNUDVD_en-US\Grabber\DRIVE-C\Users\Admin\Pictures\Camera Roll\desktop.ini	RuntimeBroker.exe
File created	C:\Users\Admin\AppData\Local\99b03d914a1bba9ce39aaa145a795729\Admin@PVMNUDVD_en-US\Grabber\DRIVE-C\Users\Admin\Documents\desktop.ini	RuntimeBroker.exe
File created	C:\Users\Admin\AppData\Local\b82b87cf34c3ca2d2a0b6fd09646285a\Admin@PVMNUDVD_en-US\Grabber\DRIVE-C\Users\Admin\Pictures\Camera Roll\desktop.ini	RuntimeBroker.exe
File opened for modification	C:\Users\Admin\AppData\Local\d96d8b50c07a65ecc182961d57cfcf5d\Admin@PVMNUDVD_en-US\Grabber\DRIVE-C\Users\Admin\Desktop\desktop.ini	RuntimeBroker.exe
File created	C:\Users\Admin\AppData\Local\d96d8b50c07a65ecc182961d57cfcf5d\Admin@PVMNUDVD_en-US\Grabber\DRIVE-C\Users\Admin\Pictures\Camera Roll\desktop.ini	RuntimeBroker.exe
File created	C:\Users\Admin\AppData\Local\8506be12beeee320712513ea6e947914\Admin@PVMNUDVD_en-US\Grabber\DRIVE-C\Users\Admin\Pictures\Saved Pictures\desktop.ini	RuntimeBroker.exe
File created	C:\Users\Admin\AppData\Local\17c9d5e5339b574ab370670abb376628\Admin@PVMNUDVD_en-US\Grabber\DRIVE-C\Users\Admin\Pictures\desktop.ini	RuntimeBroker.exe
File created	C:\Users\Admin\AppData\Local\5db207b1d09101bcf27c7734dcb3a1b7\Admin@PVMNUDVD_en-US\Grabber\DRIVE-C\Users\Admin\Pictures\desktop.ini	RuntimeBroker.exe
File created	C:\Users\Admin\AppData\Local\5db207b1d09101bcf27c7734dcb3a1b7\Admin@PVMNUDVD_en-US\Grabber\DRIVE-C\Users\Admin\Pictures\Saved Pictures\desktop.ini	RuntimeBroker.exe
File opened for modification	C:\Users\Admin\AppData\Local\17c9d5e5339b574ab370670abb376628\Admin@PVMNUDVD_en-US\Grabber\DRIVE-C\Users\Admin\Desktop\desktop.ini	RuntimeBroker.exe
File created	C:\Users\Admin\AppData\Local\5db207b1d09101bcf27c7734dcb3a1b7\Admin@PVMNUDVD_en-US\Grabber\DRIVE-C\Users\Admin\Downloads\desktop.ini	RuntimeBroker.exe
File created	C:\Users\Admin\AppData\Local\d96d8b50c07a65ecc182961d57cfcf5d\Admin@PVMNUDVD_en-US\Grabber\DRIVE-C\Users\Admin\Documents\desktop.ini	RuntimeBroker.exe
File created	C:\Users\Admin\AppData\Local\8506be12beeee320712513ea6e947914\Admin@PVMNUDVD_en-US\Grabber\DRIVE-C\Users\Admin\Pictures\Camera Roll\desktop.ini	RuntimeBroker.exe
File created	C:\Users\Admin\AppData\Local\99b03d914a1bba9ce39aaa145a795729\Admin@PVMNUDVD_en-US\Grabber\DRIVE-C\Users\Admin\Pictures\Camera Roll\desktop.ini	RuntimeBroker.exe
File created	C:\Users\Admin\AppData\Local\8506be12beeee320712513ea6e947914\Admin@PVMNUDVD_en-US\Grabber\DRIVE-C\Users\Admin\Pictures\Camera Roll\desktop.ini	RuntimeBroker.exe
File created	C:\Users\Admin\AppData\Local\d96d8b50c07a65ecc182961d57cfcf5d\Admin@PVMNUDVD_en-US\Grabber\DRIVE-C\Users\Admin\Downloads\desktop.ini	RuntimeBroker.exe
File created	C:\Users\Admin\AppData\Local\99b03d914a1bba9ce39aaa145a795729\Admin@PVMNUDVD_en-US\Grabber\DRIVE-C\Users\Admin\Pictures\Saved Pictures\desktop.ini	RuntimeBroker.exe
File created	C:\Users\Admin\AppData\Local\d96d8b50c07a65ecc182961d57cfcf5d\Admin@PVMNUDVD_en-US\Grabber\DRIVE-C\Users\Admin\Downloads\desktop.ini	RuntimeBroker.exe
File created	C:\Users\Admin\AppData\Local\b82b87cf34c3ca2d2a0b6fd09646285a\Admin@PVMNUDVD_en-US\Grabber\DRIVE-C\Users\Admin\Desktop\desktop.ini	RuntimeBroker.exe
File created	C:\Users\Admin\AppData\Local\8506be12beeee320712513ea6e947914\Admin@PVMNUDVD_en-US\Grabber\DRIVE-C\Users\Admin\Pictures\Saved Pictures\desktop.ini	RuntimeBroker.exe
File opened for modification	C:\Users\Admin\AppData\Local\17c9d5e5339b574ab370670abb376628\Admin@PVMNUDVD_en-US\Grabber\DRIVE-C\Users\Admin\Pictures\desktop.ini	RuntimeBroker.exe
File created	C:\Users\Admin\AppData\Local\99b03d914a1bba9ce39aaa145a795729\Admin@PVMNUDVD_en-US\Grabber\DRIVE-C\Users\Admin\Desktop\desktop.ini	RuntimeBroker.exe
File opened for modification	C:\Users\Admin\AppData\Local\99b03d914a1bba9ce39aaa145a795729\Admin@PVMNUDVD_en-US\Grabber\DRIVE-C\Users\Admin\Desktop\desktop.ini	RuntimeBroker.exe
File created	C:\Users\Admin\AppData\Local\8506be12beeee320712513ea6e947914\Admin@PVMNUDVD_en-US\Grabber\DRIVE-C\Users\Admin\Desktop\desktop.ini	RuntimeBroker.exe
File created	C:\Users\Admin\AppData\Local\5db207b1d09101bcf27c7734dcb3a1b7\Admin@PVMNUDVD_en-US\Grabber\DRIVE-C\Users\Admin\Desktop\desktop.ini	RuntimeBroker.exe
File created	C:\Users\Admin\AppData\Local\99b03d914a1bba9ce39aaa145a795729\Admin@PVMNUDVD_en-US\Grabber\DRIVE-C\Users\Admin\Pictures\desktop.ini	RuntimeBroker.exe
File created	C:\Users\Admin\AppData\Local\b82b87cf34c3ca2d2a0b6fd09646285a\Admin@PVMNUDVD_en-US\Grabber\DRIVE-C\Users\Admin\Documents\desktop.ini	RuntimeBroker.exe
File created	C:\Users\Admin\AppData\Local\d96d8b50c07a65ecc182961d57cfcf5d\Admin@PVMNUDVD_en-US\Grabber\DRIVE-C\Users\Admin\Desktop\desktop.ini	RuntimeBroker.exe
File created	C:\Users\Admin\AppData\Local\8506be12beeee320712513ea6e947914\Admin@PVMNUDVD_en-US\Grabber\DRIVE-C\Users\Admin\Pictures\desktop.ini	RuntimeBroker.exe
File created	C:\Users\Admin\AppData\Local\17c9d5e5339b574ab370670abb376628\Admin@PVMNUDVD_en-US\Grabber\DRIVE-C\Users\Admin\Desktop\desktop.ini	RuntimeBroker.exe
File opened for modification	C:\Users\Admin\AppData\Local\5db207b1d09101bcf27c7734dcb3a1b7\Admin@PVMNUDVD_en-US\Grabber\DRIVE-C\Users\Admin\Desktop\desktop.ini	RuntimeBroker.exe
File created	C:\Users\Admin\AppData\Local\d96d8b50c07a65ecc182961d57cfcf5d\Admin@PVMNUDVD_en-US\Grabber\DRIVE-C\Users\Admin\Pictures\desktop.ini	RuntimeBroker.exe
File opened for modification	C:\Users\Admin\AppData\Local\d96d8b50c07a65ecc182961d57cfcf5d\Admin@PVMNUDVD_en-US\Grabber\DRIVE-C\Users\Admin\Desktop\desktop.ini	RuntimeBroker.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 24 IoCs

Web Service

T1102

flow	ioc
53	pastebin.com
131	pastebin.com
153	pastebin.com
166	pastebin.com
174	pastebin.com
24	pastebin.com
25	pastebin.com
44	pastebin.com
216	pastebin.com
65	pastebin.com
130	pastebin.com
132	pastebin.com
160	pastebin.com
171	pastebin.com
212	pastebin.com
213	pastebin.com
50	pastebin.com
72	pastebin.com
149	pastebin.com
161	pastebin.com
185	pastebin.com
97	pastebin.com
144	pastebin.com
147	pastebin.com

Looks up external IP address via web service 2 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
14	icanhazip.com
107	icanhazip.com

Looks up geolocation information via web service
Uses a legitimate geolocation service to find the infected system's geolocation info.

Suspicious use of SetThreadContext 11 IoCs

description	pid	Process	procid_target
PID 2596 set thread context of 3644	2596	RuntimeBroker.exe	89
PID 1492 set thread context of 3588	1492	RuntimeBroker.exe	93
PID 4072 set thread context of 3068	4072	RuntimeBroker.exe	100
PID 1188 set thread context of 224	1188	RuntimeBroker.exe	104
PID 4976 set thread context of 840	4976	RuntimeBroker.exe	108
PID 536 set thread context of 4856	536	RuntimeBroker.exe	121
PID 3008 set thread context of 384	3008	RuntimeBroker.exe	125
PID 4588 set thread context of 1584	4588	RuntimeBroker.exe	128
PID 1680 set thread context of 1604	1680	RuntimeBroker.exe	132
PID 4776 set thread context of 1624	4776	RuntimeBroker.exe	135
PID 1228 set thread context of 4976	1228	RuntimeBroker.exe	144

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Event Triggered Execution: Netsh Helper DLL 1 TTPs 15 IoCs

Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

persistence privilege_escalation

Netsh Helper DLL

T1546.007

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe

System Location Discovery: System Language Discovery 1 TTPs 39 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RuntimeBroker.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RuntimeBroker.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RuntimeBroker.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RuntimeBroker.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	chcp.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RuntimeBroker.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RuntimeBroker.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RuntimeBroker.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RuntimeBroker.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RuntimeBroker.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	findstr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RuntimeBroker.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RuntimeBroker.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RuntimeBroker.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	chcp.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RuntimeBroker.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RuntimeBroker.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RuntimeBroker.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	chcp.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RuntimeBroker.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RuntimeBroker.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RuntimeBroker.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	chcp.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RuntimeBroker.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	chcp.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RuntimeBroker.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RuntimeBroker.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	findstr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RuntimeBroker.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe

System Network Configuration Discovery: Wi-Fi Discovery 1 TTPs 64 IoCs

Adversaries may search for information about Wi-Fi networks, such as network names and passwords, on compromised systems.

discovery

Wi-Fi Discovery

T1016.002

pid	Process
3128	netsh.exe
1744	netsh.exe
6288	cmd.exe
6540	cmd.exe
5600	netsh.exe
4328	cmd.exe
844	cmd.exe
5964	cmd.exe
6020	cmd.exe
5648	cmd.exe
6936	cmd.exe
4328	netsh.exe
5356	netsh.exe
5664	cmd.exe
3372	netsh.exe
6828	netsh.exe
6752	netsh.exe
900	cmd.exe
5956	cmd.exe
6356	cmd.exe
6900	cmd.exe
5128	netsh.exe
548	netsh.exe
5552	netsh.exe
6396	cmd.exe
1796	netsh.exe
5188	netsh.exe
1284	cmd.exe
3372	cmd.exe
5064	netsh.exe
4088	cmd.exe
4980	cmd.exe
5400	netsh.exe
3240	netsh.exe
1280	cmd.exe
4496	cmd.exe
2404	netsh.exe
5968	netsh.exe
5864	cmd.exe
6680	netsh.exe
5012	cmd.exe
6112	netsh.exe
1848	netsh.exe
3876	netsh.exe
6620	netsh.exe
5208	netsh.exe
3468	cmd.exe
3500	netsh.exe
5444	cmd.exe
4372	netsh.exe
4668	cmd.exe
1604	netsh.exe
3444	netsh.exe
732	cmd.exe
5672	cmd.exe
5480	netsh.exe
5660	netsh.exe
4576	cmd.exe
7160	cmd.exe
5444	cmd.exe
7132	cmd.exe
6204	netsh.exe
6828	cmd.exe
6668	cmd.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\Description\System\CentralProcessor\0	RuntimeBroker.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	RuntimeBroker.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3644	RuntimeBroker.exe
3644	RuntimeBroker.exe
3644	RuntimeBroker.exe
3644	RuntimeBroker.exe
3588	RuntimeBroker.exe
3588	RuntimeBroker.exe
3588	RuntimeBroker.exe
3588	RuntimeBroker.exe
3588	RuntimeBroker.exe
3588	RuntimeBroker.exe
3068	RuntimeBroker.exe
3068	RuntimeBroker.exe
3068	RuntimeBroker.exe
3068	RuntimeBroker.exe
3068	RuntimeBroker.exe
3588	RuntimeBroker.exe
3588	RuntimeBroker.exe
3588	RuntimeBroker.exe
3588	RuntimeBroker.exe
3068	RuntimeBroker.exe
3068	RuntimeBroker.exe
3588	RuntimeBroker.exe
3588	RuntimeBroker.exe
224	RuntimeBroker.exe
224	RuntimeBroker.exe
224	RuntimeBroker.exe
224	RuntimeBroker.exe
224	RuntimeBroker.exe
3068	RuntimeBroker.exe
3068	RuntimeBroker.exe
3588	RuntimeBroker.exe
3588	RuntimeBroker.exe
224	RuntimeBroker.exe
224	RuntimeBroker.exe
3068	RuntimeBroker.exe
3068	RuntimeBroker.exe
840	RuntimeBroker.exe
840	RuntimeBroker.exe
840	RuntimeBroker.exe
3068	RuntimeBroker.exe
3068	RuntimeBroker.exe
3588	RuntimeBroker.exe
3588	RuntimeBroker.exe
840	RuntimeBroker.exe
840	RuntimeBroker.exe
3588	RuntimeBroker.exe
3588	RuntimeBroker.exe
224	RuntimeBroker.exe
224	RuntimeBroker.exe
3588	RuntimeBroker.exe
3588	RuntimeBroker.exe
4856	RuntimeBroker.exe
4856	RuntimeBroker.exe
4856	RuntimeBroker.exe
840	RuntimeBroker.exe
840	RuntimeBroker.exe
3068	RuntimeBroker.exe
3068	RuntimeBroker.exe
224	RuntimeBroker.exe
224	RuntimeBroker.exe
4856	RuntimeBroker.exe
4856	RuntimeBroker.exe
224	RuntimeBroker.exe
224	RuntimeBroker.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

description	pid	Process
Token: SeDebugPrivilege	3644	RuntimeBroker.exe
Token: SeDebugPrivilege	3588	RuntimeBroker.exe
Token: SeDebugPrivilege	3068	RuntimeBroker.exe
Token: SeDebugPrivilege	224	RuntimeBroker.exe
Token: SeDebugPrivilege	840	RuntimeBroker.exe
Token: SeDebugPrivilege	4856	RuntimeBroker.exe
Token: SeDebugPrivilege	384	RuntimeBroker.exe
Token: SeDebugPrivilege	1584	RuntimeBroker.exe
Token: SeDebugPrivilege	1604	RuntimeBroker.exe
Token: SeDebugPrivilege	1624	RuntimeBroker.exe
Token: SeDebugPrivilege	4976	RuntimeBroker.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4060 wrote to memory of 2596	4060	RebelCracked.exe	87
PID 4060 wrote to memory of 2596	4060	RebelCracked.exe	87
PID 4060 wrote to memory of 2596	4060	RebelCracked.exe	87
PID 4060 wrote to memory of 5012	4060	RebelCracked.exe	88
PID 4060 wrote to memory of 5012	4060	RebelCracked.exe	88
PID 2596 wrote to memory of 3644	2596	RuntimeBroker.exe	89
PID 2596 wrote to memory of 3644	2596	RuntimeBroker.exe	89
PID 2596 wrote to memory of 3644	2596	RuntimeBroker.exe	89
PID 2596 wrote to memory of 3644	2596	RuntimeBroker.exe	89
PID 2596 wrote to memory of 3644	2596	RuntimeBroker.exe	89
PID 2596 wrote to memory of 3644	2596	RuntimeBroker.exe	89
PID 2596 wrote to memory of 3644	2596	RuntimeBroker.exe	89
PID 2596 wrote to memory of 3644	2596	RuntimeBroker.exe	89
PID 5012 wrote to memory of 1492	5012	RebelCracked.exe	90
PID 5012 wrote to memory of 1492	5012	RebelCracked.exe	90
PID 5012 wrote to memory of 1492	5012	RebelCracked.exe	90
PID 5012 wrote to memory of 4536	5012	RebelCracked.exe	91
PID 5012 wrote to memory of 4536	5012	RebelCracked.exe	91
PID 1492 wrote to memory of 4500	1492	RuntimeBroker.exe	92
PID 1492 wrote to memory of 4500	1492	RuntimeBroker.exe	92
PID 1492 wrote to memory of 4500	1492	RuntimeBroker.exe	92
PID 1492 wrote to memory of 3588	1492	RuntimeBroker.exe	93
PID 1492 wrote to memory of 3588	1492	RuntimeBroker.exe	93
PID 1492 wrote to memory of 3588	1492	RuntimeBroker.exe	93
PID 1492 wrote to memory of 3588	1492	RuntimeBroker.exe	93
PID 1492 wrote to memory of 3588	1492	RuntimeBroker.exe	93
PID 1492 wrote to memory of 3588	1492	RuntimeBroker.exe	93
PID 1492 wrote to memory of 3588	1492	RuntimeBroker.exe	93
PID 1492 wrote to memory of 3588	1492	RuntimeBroker.exe	93
PID 4536 wrote to memory of 4072	4536	RebelCracked.exe	96
PID 4536 wrote to memory of 4072	4536	RebelCracked.exe	96
PID 4536 wrote to memory of 4072	4536	RebelCracked.exe	96
PID 4536 wrote to memory of 3692	4536	RebelCracked.exe	97
PID 4536 wrote to memory of 3692	4536	RebelCracked.exe	97
PID 4072 wrote to memory of 3600	4072	RuntimeBroker.exe	99
PID 4072 wrote to memory of 3600	4072	RuntimeBroker.exe	99
PID 4072 wrote to memory of 3600	4072	RuntimeBroker.exe	99
PID 4072 wrote to memory of 3068	4072	RuntimeBroker.exe	100
PID 4072 wrote to memory of 3068	4072	RuntimeBroker.exe	100
PID 4072 wrote to memory of 3068	4072	RuntimeBroker.exe	100
PID 4072 wrote to memory of 3068	4072	RuntimeBroker.exe	100
PID 4072 wrote to memory of 3068	4072	RuntimeBroker.exe	100
PID 4072 wrote to memory of 3068	4072	RuntimeBroker.exe	100
PID 4072 wrote to memory of 3068	4072	RuntimeBroker.exe	100
PID 4072 wrote to memory of 3068	4072	RuntimeBroker.exe	100
PID 3692 wrote to memory of 1188	3692	RebelCracked.exe	102
PID 3692 wrote to memory of 1188	3692	RebelCracked.exe	102
PID 3692 wrote to memory of 1188	3692	RebelCracked.exe	102
PID 3692 wrote to memory of 4524	3692	RebelCracked.exe	103
PID 3692 wrote to memory of 4524	3692	RebelCracked.exe	103
PID 1188 wrote to memory of 224	1188	RuntimeBroker.exe	104
PID 1188 wrote to memory of 224	1188	RuntimeBroker.exe	104
PID 1188 wrote to memory of 224	1188	RuntimeBroker.exe	104
PID 1188 wrote to memory of 224	1188	RuntimeBroker.exe	104
PID 1188 wrote to memory of 224	1188	RuntimeBroker.exe	104
PID 1188 wrote to memory of 224	1188	RuntimeBroker.exe	104
PID 1188 wrote to memory of 224	1188	RuntimeBroker.exe	104
PID 1188 wrote to memory of 224	1188	RuntimeBroker.exe	104
PID 4524 wrote to memory of 4976	4524	RebelCracked.exe	106
PID 4524 wrote to memory of 4976	4524	RebelCracked.exe	106
PID 4524 wrote to memory of 4976	4524	RebelCracked.exe	106
PID 4524 wrote to memory of 4352	4524	RebelCracked.exe	107
PID 4524 wrote to memory of 4352	4524	RebelCracked.exe	107
PID 4976 wrote to memory of 840	4976	RuntimeBroker.exe	108

C:\Users\Admin\AppData\Local\Temp\New folder\RebelCracked.exe
"C:\Users\Admin\AppData\Local\Temp\New folder\RebelCracked.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:4060
- C:\Users\Admin\AppData\Local\RuntimeBroker.exe
  "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2596
- - C:\Users\Admin\AppData\Local\RuntimeBroker.exe
    "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
    3⤵
    - Executes dropped EXE
    - Drops desktop.ini file(s)
    - System Location Discovery: System Language Discovery
    - Checks processor information in registry
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:3644
  - - C:\Windows\SysWOW64\cmd.exe
      "cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All
      4⤵
      System Location Discovery: System Language Discovery
      System Network Configuration Discovery: Wi-Fi Discovery
      PID:4328
    - - C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:3196
    - - C:\Windows\SysWOW64\netsh.exe
        
        netsh wlan show profile
        5⤵
        Event Triggered Execution: Netsh Helper DLL
        System Location Discovery: System Language Discovery
        
        PID:4200
    - - C:\Windows\SysWOW64\findstr.exe
        
        findstr All
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:5012
  - - C:\Windows\SysWOW64\cmd.exe
      "cmd.exe" /C chcp 65001 && netsh wlan show networks mode=bssid
      4⤵
      System Location Discovery: System Language Discovery
      PID:1820
    - - C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:4532
    - - C:\Windows\SysWOW64\netsh.exe
        
        netsh wlan show networks mode=bssid
        5⤵
        Event Triggered Execution: Netsh Helper DLL
        System Location Discovery: System Language Discovery
        
        PID:4536
- C:\Users\Admin\AppData\Local\Temp\New folder\RebelCracked.exe
  "C:\Users\Admin\AppData\Local\Temp\New folder\RebelCracked.exe"
  2⤵
  - Checks computer location settings
  - Suspicious use of WriteProcessMemory
  PID:5012
- - C:\Users\Admin\AppData\Local\RuntimeBroker.exe
    "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:1492
  - - C:\Users\Admin\AppData\Local\RuntimeBroker.exe
      "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
      4⤵
      PID:4500
  - - C:\Users\Admin\AppData\Local\RuntimeBroker.exe
      "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
      4⤵
      Executes dropped EXE
      Drops desktop.ini file(s)
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:3588
    - - C:\Windows\SysWOW64\cmd.exe
        
        "cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All
        5⤵
        System Location Discovery: System Language Discovery
        System Network Configuration Discovery: Wi-Fi Discovery
        
        PID:732
      - C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:2504
      - C:\Windows\SysWOW64\netsh.exe
        
        netsh wlan show profile
        6⤵
        Event Triggered Execution: Netsh Helper DLL
        System Location Discovery: System Language Discovery
        System Network Configuration Discovery: Wi-Fi Discovery
        
        PID:1796
      - C:\Windows\SysWOW64\findstr.exe
        
        findstr All
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:4444
    - - C:\Windows\SysWOW64\cmd.exe
        
        "cmd.exe" /C chcp 65001 && netsh wlan show networks mode=bssid
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:2952
      - C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:5032
      - C:\Windows\SysWOW64\netsh.exe
        
        netsh wlan show networks mode=bssid
        6⤵
        Event Triggered Execution: Netsh Helper DLL
        System Location Discovery: System Language Discovery
        
        PID:624
- - C:\Users\Admin\AppData\Local\Temp\New folder\RebelCracked.exe
    "C:\Users\Admin\AppData\Local\Temp\New folder\RebelCracked.exe"
    3⤵
    - Checks computer location settings
    - Suspicious use of WriteProcessMemory
    PID:4536
  - - C:\Users\Admin\AppData\Local\RuntimeBroker.exe
      "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of SetThreadContext
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:4072
    - - C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        5⤵
        
        PID:3600
    - - C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        5⤵
        Executes dropped EXE
        Drops desktop.ini file(s)
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3068
      - C:\Windows\SysWOW64\cmd.exe
        
        "cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All
        6⤵
        System Network Configuration Discovery: Wi-Fi Discovery
        
        PID:5012
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        7⤵
        
        PID:4272
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh wlan show profile
        7⤵
        System Network Configuration Discovery: Wi-Fi Discovery
        
        PID:4328
        
        C:\Windows\SysWOW64\findstr.exe
        
        findstr All
        7⤵
        
        PID:1188
      - C:\Windows\SysWOW64\cmd.exe
        
        "cmd.exe" /C chcp 65001 && netsh wlan show networks mode=bssid
        6⤵
        
        PID:2864
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        7⤵
        
        PID:2504
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        7⤵
        
        PID:4980
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh wlan show networks mode=bssid
        7⤵
        
        PID:3080
  - - C:\Users\Admin\AppData\Local\Temp\New folder\RebelCracked.exe
      "C:\Users\Admin\AppData\Local\Temp\New folder\RebelCracked.exe"
      4⤵
      Checks computer location settings
      Suspicious use of WriteProcessMemory
      PID:3692
    - - C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1188
      - C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        6⤵
        Executes dropped EXE
        Drops desktop.ini file(s)
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:224
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All
        7⤵
        System Network Configuration Discovery: Wi-Fi Discovery
        
        PID:4088
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        8⤵
        
        PID:4464
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh wlan show profile
        8⤵
        
        PID:3292
        
        C:\Windows\SysWOW64\findstr.exe
        
        findstr All
        8⤵
        
        PID:4988
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd.exe" /C chcp 65001 && netsh wlan show networks mode=bssid
        7⤵
        
        PID:4444
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        8⤵
        
        PID:4280
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh wlan show networks mode=bssid
        8⤵
        
        PID:2384
    - - C:\Users\Admin\AppData\Local\Temp\New folder\RebelCracked.exe
        
        "C:\Users\Admin\AppData\Local\Temp\New folder\RebelCracked.exe"
        5⤵
        Checks computer location settings
        Suspicious use of WriteProcessMemory
        
        PID:4524
      - C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        6⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4976
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        7⤵
        Executes dropped EXE
        Drops desktop.ini file(s)
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:840
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All
        8⤵
        
        PID:3768
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        9⤵
        
        PID:1496
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh wlan show profile
        9⤵
        System Network Configuration Discovery: Wi-Fi Discovery
        
        PID:3240
        
        C:\Windows\SysWOW64\findstr.exe
        
        findstr All
        9⤵
        
        PID:4044
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd.exe" /C chcp 65001 && netsh wlan show networks mode=bssid
        8⤵
        
        PID:1280
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        9⤵
        
        PID:2532
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh wlan show networks mode=bssid
        9⤵
        
        PID:4260
      - C:\Users\Admin\AppData\Local\Temp\New folder\RebelCracked.exe
        
        "C:\Users\Admin\AppData\Local\Temp\New folder\RebelCracked.exe"
        6⤵
        Checks computer location settings
        
        PID:4352
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        7⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:536
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        8⤵
        Executes dropped EXE
        Drops desktop.ini file(s)
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4856
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All
        9⤵
        System Location Discovery: System Language Discovery
        System Network Configuration Discovery: Wi-Fi Discovery
        
        PID:844
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        10⤵
        System Location Discovery: System Language Discovery
        
        PID:5084
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh wlan show profile
        10⤵
        Event Triggered Execution: Netsh Helper DLL
        System Location Discovery: System Language Discovery
        System Network Configuration Discovery: Wi-Fi Discovery
        
        PID:4372
        
        C:\Windows\SysWOW64\findstr.exe
        
        findstr All
        10⤵
        
        PID:4772
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd.exe" /C chcp 65001 && netsh wlan show networks mode=bssid
        9⤵
        
        PID:4496
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        10⤵
        
        PID:3628
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh wlan show networks mode=bssid
        10⤵
        
        PID:4656
        
        C:\Users\Admin\AppData\Local\Temp\New folder\RebelCracked.exe
        
        "C:\Users\Admin\AppData\Local\Temp\New folder\RebelCracked.exe"
        7⤵
        Checks computer location settings
        
        PID:512
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        8⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:3008
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        9⤵
        Executes dropped EXE
        Drops desktop.ini file(s)
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:384
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All
        10⤵
        System Network Configuration Discovery: Wi-Fi Discovery
        
        PID:5964
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        11⤵
        
        PID:6048
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh wlan show profile
        11⤵
        System Network Configuration Discovery: Wi-Fi Discovery
        
        PID:6112
        
        C:\Windows\SysWOW64\findstr.exe
        
        findstr All
        11⤵
        
        PID:6120
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd.exe" /C chcp 65001 && netsh wlan show networks mode=bssid
        10⤵
        
        PID:5228
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        11⤵
        
        PID:5220
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh wlan show networks mode=bssid
        11⤵
        
        PID:4884
        
        C:\Users\Admin\AppData\Local\Temp\New folder\RebelCracked.exe
        
        "C:\Users\Admin\AppData\Local\Temp\New folder\RebelCracked.exe"
        8⤵
        Checks computer location settings
        
        PID:2420
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        9⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:4588
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        10⤵
        Executes dropped EXE
        Drops desktop.ini file(s)
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:1584
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All
        11⤵
        System Network Configuration Discovery: Wi-Fi Discovery
        
        PID:6020
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        12⤵
        
        PID:3064
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh wlan show profile
        12⤵
        System Network Configuration Discovery: Wi-Fi Discovery
        
        PID:5188
        
        C:\Windows\SysWOW64\findstr.exe
        
        findstr All
        12⤵
        
        PID:900
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd.exe" /C chcp 65001 && netsh wlan show networks mode=bssid
        11⤵
        
        PID:2192
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        12⤵
        
        PID:5568
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh wlan show networks mode=bssid
        12⤵
        
        PID:4900
        
        C:\Users\Admin\AppData\Local\Temp\New folder\RebelCracked.exe
        
        "C:\Users\Admin\AppData\Local\Temp\New folder\RebelCracked.exe"
        9⤵
        Checks computer location settings
        
        PID:1380
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        10⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:1680
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        11⤵
        
        PID:3956
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        11⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:1604
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All
        12⤵
        System Network Configuration Discovery: Wi-Fi Discovery
        
        PID:900
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        13⤵
        
        PID:5456
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh wlan show profile
        13⤵
        System Network Configuration Discovery: Wi-Fi Discovery
        
        PID:548
        
        C:\Windows\SysWOW64\findstr.exe
        
        findstr All
        13⤵
        
        PID:3384
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd.exe" /C chcp 65001 && netsh wlan show networks mode=bssid
        12⤵
        
        PID:5912
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        13⤵
        
        PID:5964
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh wlan show networks mode=bssid
        13⤵
        
        PID:5176
        
        C:\Users\Admin\AppData\Local\Temp\New folder\RebelCracked.exe
        
        "C:\Users\Admin\AppData\Local\Temp\New folder\RebelCracked.exe"
        10⤵
        Checks computer location settings
        
        PID:2864
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        11⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:4776
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        12⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:1624
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All
        13⤵
        System Network Configuration Discovery: Wi-Fi Discovery
        
        PID:5956
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        14⤵
        
        PID:1004
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh wlan show profile
        14⤵
        System Network Configuration Discovery: Wi-Fi Discovery
        
        PID:1848
        
        C:\Windows\SysWOW64\findstr.exe
        
        findstr All
        14⤵
        
        PID:5460
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd.exe" /C chcp 65001 && netsh wlan show networks mode=bssid
        13⤵
        
        PID:3692
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        14⤵
        
        PID:5684
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh wlan show networks mode=bssid
        14⤵
        
        PID:5840
        
        C:\Users\Admin\AppData\Local\Temp\New folder\RebelCracked.exe
        
        "C:\Users\Admin\AppData\Local\Temp\New folder\RebelCracked.exe"
        11⤵
        Checks computer location settings
        
        PID:4352
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        12⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:1228
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        13⤵
        
        PID:4588
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        13⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:4976
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All
        14⤵
        System Network Configuration Discovery: Wi-Fi Discovery
        
        PID:4496
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        15⤵
        
        PID:3492
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh wlan show profile
        15⤵
        System Network Configuration Discovery: Wi-Fi Discovery
        
        PID:3876
        
        C:\Windows\SysWOW64\findstr.exe
        
        findstr All
        15⤵
        
        PID:628
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd.exe" /C chcp 65001 && netsh wlan show networks mode=bssid
        14⤵
        
        PID:5700
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        15⤵
        
        PID:5680
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh wlan show networks mode=bssid
        15⤵
        
        PID:4072
        
        C:\Users\Admin\AppData\Local\Temp\New folder\RebelCracked.exe
        
        "C:\Users\Admin\AppData\Local\Temp\New folder\RebelCracked.exe"
        12⤵
        
        PID:456
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        13⤵
        
        PID:3196
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        14⤵
        
        PID:4904
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        14⤵
        
        PID:2248
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All
        15⤵
        
        PID:5444
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        16⤵
        
        PID:5708
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh wlan show profile
        16⤵
        System Network Configuration Discovery: Wi-Fi Discovery
        
        PID:5400
        
        C:\Windows\SysWOW64\findstr.exe
        
        findstr All
        16⤵
        
        PID:364
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd.exe" /C chcp 65001 && netsh wlan show networks mode=bssid
        15⤵
        
        PID:5972
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        16⤵
        
        PID:3412
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh wlan show networks mode=bssid
        16⤵
        
        PID:5852
        
        C:\Users\Admin\AppData\Local\Temp\New folder\RebelCracked.exe
        
        "C:\Users\Admin\AppData\Local\Temp\New folder\RebelCracked.exe"
        13⤵
        
        PID:3080
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        14⤵
        
        PID:3008
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        15⤵
        
        PID:1676
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        15⤵
        
        PID:2636
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        15⤵
        
        PID:732
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All
        16⤵
        System Network Configuration Discovery: Wi-Fi Discovery
        
        PID:4980
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        17⤵
        
        PID:416
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh wlan show profile
        17⤵
        System Network Configuration Discovery: Wi-Fi Discovery
        
        PID:3128
        
        C:\Windows\SysWOW64\findstr.exe
        
        findstr All
        17⤵
        
        PID:3664
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd.exe" /C chcp 65001 && netsh wlan show networks mode=bssid
        16⤵
        
        PID:5416
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        17⤵
        
        PID:5508
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh wlan show networks mode=bssid
        17⤵
        
        PID:5736
        
        C:\Users\Admin\AppData\Local\Temp\New folder\RebelCracked.exe
        
        "C:\Users\Admin\AppData\Local\Temp\New folder\RebelCracked.exe"
        14⤵
        
        PID:4360
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        15⤵
        
        PID:3384
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        16⤵
        
        PID:4876
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All
        17⤵
        System Network Configuration Discovery: Wi-Fi Discovery
        
        PID:1280
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        18⤵
        
        PID:5008
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh wlan show profile
        18⤵
        System Network Configuration Discovery: Wi-Fi Discovery
        
        PID:5128
        
        C:\Windows\SysWOW64\findstr.exe
        
        findstr All
        18⤵
        
        PID:5136
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd.exe" /C chcp 65001 && netsh wlan show networks mode=bssid
        17⤵
        
        PID:5360
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        18⤵
        
        PID:5472
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh wlan show networks mode=bssid
        18⤵
        
        PID:5500
        
        C:\Users\Admin\AppData\Local\Temp\New folder\RebelCracked.exe
        
        "C:\Users\Admin\AppData\Local\Temp\New folder\RebelCracked.exe"
        15⤵
        
        PID:4532
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        16⤵
        
        PID:3128
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        17⤵
        
        PID:3196
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        17⤵
        
        PID:1128
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        17⤵
        
        PID:4208
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All
        18⤵
        System Network Configuration Discovery: Wi-Fi Discovery
        
        PID:5864
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        19⤵
        
        PID:2192
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh wlan show profile
        19⤵
        
        PID:5724
        
        C:\Windows\SysWOW64\findstr.exe
        
        findstr All
        19⤵
        
        PID:5772
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd.exe" /C chcp 65001 && netsh wlan show networks mode=bssid
        18⤵
        
        PID:556
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        19⤵
        
        PID:4980
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh wlan show networks mode=bssid
        19⤵
        
        PID:3128
        
        C:\Users\Admin\AppData\Local\Temp\New folder\RebelCracked.exe
        
        "C:\Users\Admin\AppData\Local\Temp\New folder\RebelCracked.exe"
        16⤵
        
        PID:2740
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        17⤵
        
        PID:3292
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        18⤵
        
        PID:624
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        18⤵
        
        PID:4280
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All
        19⤵
        System Network Configuration Discovery: Wi-Fi Discovery
        
        PID:1284
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        20⤵
        
        PID:4992
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh wlan show profile
        20⤵
        System Network Configuration Discovery: Wi-Fi Discovery
        
        PID:5660
        
        C:\Windows\SysWOW64\findstr.exe
        
        findstr All
        20⤵
        
        PID:3976
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd.exe" /C chcp 65001 && netsh wlan show networks mode=bssid
        19⤵
        
        PID:5604
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        20⤵
        
        PID:4148
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh wlan show networks mode=bssid
        20⤵
        
        PID:3188
        
        C:\Users\Admin\AppData\Local\Temp\New folder\RebelCracked.exe
        
        "C:\Users\Admin\AppData\Local\Temp\New folder\RebelCracked.exe"
        17⤵
        
        PID:2444
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        18⤵
        
        PID:2192
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        19⤵
        
        PID:2384
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All
        20⤵
        
        PID:3692
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        21⤵
        
        PID:5460
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh wlan show profile
        21⤵
        System Network Configuration Discovery: Wi-Fi Discovery
        
        PID:5968
        
        C:\Windows\SysWOW64\findstr.exe
        
        findstr All
        21⤵
        
        PID:2740
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd.exe" /C chcp 65001 && netsh wlan show networks mode=bssid
        20⤵
        
        PID:5608
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        21⤵
        
        PID:5680
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh wlan show networks mode=bssid
        21⤵
        
        PID:2192
        
        C:\Users\Admin\AppData\Local\Temp\New folder\RebelCracked.exe
        
        "C:\Users\Admin\AppData\Local\Temp\New folder\RebelCracked.exe"
        18⤵
        
        PID:3184
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        19⤵
        
        PID:3348
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        20⤵
        
        PID:2016
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All
        21⤵
        System Network Configuration Discovery: Wi-Fi Discovery
        
        PID:3468
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        22⤵
        
        PID:5776
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh wlan show profile
        22⤵
        System Network Configuration Discovery: Wi-Fi Discovery
        
        PID:5552
        
        C:\Windows\SysWOW64\findstr.exe
        
        findstr All
        22⤵
        
        PID:2592
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd.exe" /C chcp 65001 && netsh wlan show networks mode=bssid
        21⤵
        
        PID:1604
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        22⤵
        
        PID:5988
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh wlan show networks mode=bssid
        22⤵
        
        PID:5864
        
        C:\Users\Admin\AppData\Local\Temp\New folder\RebelCracked.exe
        
        "C:\Users\Admin\AppData\Local\Temp\New folder\RebelCracked.exe"
        19⤵
        
        PID:3572
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        20⤵
        
        PID:4760
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        21⤵
        
        PID:5256
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        21⤵
        
        PID:5264
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        21⤵
        
        PID:5272
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        21⤵
        
        PID:5280
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All
        22⤵
        
        PID:6384
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        23⤵
        
        PID:6620
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh wlan show profile
        23⤵
        System Network Configuration Discovery: Wi-Fi Discovery
        
        PID:1604
        
        C:\Windows\SysWOW64\findstr.exe
        
        findstr All
        23⤵
        
        PID:1760
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd.exe" /C chcp 65001 && netsh wlan show networks mode=bssid
        22⤵
        
        PID:4444
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        23⤵
        
        PID:6848
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh wlan show networks mode=bssid
        23⤵
        
        PID:6552
        
        C:\Users\Admin\AppData\Local\Temp\New folder\RebelCracked.exe
        
        "C:\Users\Admin\AppData\Local\Temp\New folder\RebelCracked.exe"
        20⤵
        
        PID:5188
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        21⤵
        
        PID:3556
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        22⤵
        
        PID:3572
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All
        23⤵
        System Network Configuration Discovery: Wi-Fi Discovery
        
        PID:5664
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        24⤵
        
        PID:5804
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh wlan show profile
        24⤵
        System Network Configuration Discovery: Wi-Fi Discovery
        
        PID:5208
        
        C:\Windows\SysWOW64\findstr.exe
        
        findstr All
        24⤵
        
        PID:6124
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd.exe" /C chcp 65001 && netsh wlan show networks mode=bssid
        23⤵
        
        PID:6008
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        24⤵
        
        PID:5592
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh wlan show networks mode=bssid
        24⤵
        
        PID:5588
        
        C:\Users\Admin\AppData\Local\Temp\New folder\RebelCracked.exe
        
        "C:\Users\Admin\AppData\Local\Temp\New folder\RebelCracked.exe"
        21⤵
        
        PID:4892
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        22⤵
        
        PID:3784
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        23⤵
        
        PID:3712
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All
        24⤵
        System Network Configuration Discovery: Wi-Fi Discovery
        
        PID:6396
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        25⤵
        
        PID:6680
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh wlan show profile
        25⤵
        
        PID:3992
        
        C:\Windows\SysWOW64\findstr.exe
        
        findstr All
        25⤵
        
        PID:6008
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd.exe" /C chcp 65001 && netsh wlan show networks mode=bssid
        24⤵
        
        PID:6576
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        25⤵
        
        PID:6836
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh wlan show networks mode=bssid
        25⤵
        
        PID:4040
        
        C:\Users\Admin\AppData\Local\Temp\New folder\RebelCracked.exe
        
        "C:\Users\Admin\AppData\Local\Temp\New folder\RebelCracked.exe"
        22⤵
        
        PID:512
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        23⤵
        
        PID:1928
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        24⤵
        
        PID:6128
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        24⤵
        
        PID:5204
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        24⤵
        
        PID:5124
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All
        25⤵
        System Network Configuration Discovery: Wi-Fi Discovery
        
        PID:5672
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        26⤵
        
        PID:1172
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh wlan show profile
        26⤵
        System Network Configuration Discovery: Wi-Fi Discovery
        
        PID:5356
        
        C:\Windows\SysWOW64\findstr.exe
        
        findstr All
        26⤵
        
        PID:2144
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd.exe" /C chcp 65001 && netsh wlan show networks mode=bssid
        25⤵
        
        PID:1820
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        26⤵
        
        PID:5548
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh wlan show networks mode=bssid
        26⤵
        
        PID:5520
        
        C:\Users\Admin\AppData\Local\Temp\New folder\RebelCracked.exe
        
        "C:\Users\Admin\AppData\Local\Temp\New folder\RebelCracked.exe"
        23⤵
        
        PID:5304
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        24⤵
        
        PID:5884
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        25⤵
        
        PID:4360
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All
        26⤵
        System Network Configuration Discovery: Wi-Fi Discovery
        
        PID:6356
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        27⤵
        
        PID:6764
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh wlan show profile
        27⤵
        System Network Configuration Discovery: Wi-Fi Discovery
        
        PID:6620
        
        C:\Windows\SysWOW64\findstr.exe
        
        findstr All
        27⤵
        
        PID:3444
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd.exe" /C chcp 65001 && netsh wlan show networks mode=bssid
        26⤵
        
        PID:6868
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        27⤵
        
        PID:7068
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh wlan show networks mode=bssid
        27⤵
        
        PID:6280
        
        C:\Users\Admin\AppData\Local\Temp\New folder\RebelCracked.exe
        
        "C:\Users\Admin\AppData\Local\Temp\New folder\RebelCracked.exe"
        24⤵
        
        PID:408
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        25⤵
        
        PID:416
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        26⤵
        
        PID:5736
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        26⤵
        
        PID:5792
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        26⤵
        
        PID:4188
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All
        27⤵
        System Network Configuration Discovery: Wi-Fi Discovery
        
        PID:7132
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        28⤵
        
        PID:7104
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh wlan show profile
        28⤵
        
        PID:5032
        
        C:\Windows\SysWOW64\findstr.exe
        
        findstr All
        28⤵
        
        PID:6992
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd.exe" /C chcp 65001 && netsh wlan show networks mode=bssid
        27⤵
        
        PID:6420
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        28⤵
        
        PID:904
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh wlan show networks mode=bssid
        28⤵
        
        PID:6148
        
        C:\Users\Admin\AppData\Local\Temp\New folder\RebelCracked.exe
        
        "C:\Users\Admin\AppData\Local\Temp\New folder\RebelCracked.exe"
        25⤵
        
        PID:5244
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        26⤵
        
        PID:3304
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        27⤵
        
        PID:2596
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All
        28⤵
        System Network Configuration Discovery: Wi-Fi Discovery
        
        PID:7160
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        29⤵
        
        PID:1172
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh wlan show profile
        29⤵
        System Network Configuration Discovery: Wi-Fi Discovery
        
        PID:3444
        
        C:\Windows\SysWOW64\findstr.exe
        
        findstr All
        29⤵
        
        PID:6664
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd.exe" /C chcp 65001 && netsh wlan show networks mode=bssid
        28⤵
        
        PID:3888
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        29⤵
        
        PID:5352
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh wlan show networks mode=bssid
        29⤵
        
        PID:6732
        
        C:\Users\Admin\AppData\Local\Temp\New folder\RebelCracked.exe
        
        "C:\Users\Admin\AppData\Local\Temp\New folder\RebelCracked.exe"
        26⤵
        
        PID:4372
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        27⤵
        
        PID:400
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        28⤵
        
        PID:4068
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All
        29⤵
        System Network Configuration Discovery: Wi-Fi Discovery
        
        PID:5444
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        30⤵
        
        PID:5180
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh wlan show profile
        30⤵
        System Network Configuration Discovery: Wi-Fi Discovery
        
        PID:5480
        
        C:\Windows\SysWOW64\findstr.exe
        
        findstr All
        30⤵
        
        PID:2304
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd.exe" /C chcp 65001 && netsh wlan show networks mode=bssid
        29⤵
        
        PID:3292
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        30⤵
        
        PID:556
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh wlan show networks mode=bssid
        30⤵
        
        PID:4352
        
        C:\Users\Admin\AppData\Local\Temp\New folder\RebelCracked.exe
        
        "C:\Users\Admin\AppData\Local\Temp\New folder\RebelCracked.exe"
        27⤵
        
        PID:3276
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        28⤵
        
        PID:5928
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        29⤵
        
        PID:4340
        
        C:\Users\Admin\AppData\Local\Temp\New folder\RebelCracked.exe
        
        "C:\Users\Admin\AppData\Local\Temp\New folder\RebelCracked.exe"
        28⤵
        
        PID:5156
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        29⤵
        
        PID:5028
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        30⤵
        
        PID:5896
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All
        31⤵
        
        PID:6524
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        32⤵
        
        PID:6784
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh wlan show profile
        32⤵
        System Network Configuration Discovery: Wi-Fi Discovery
        
        PID:6828
        
        C:\Windows\SysWOW64\findstr.exe
        
        findstr All
        32⤵
        
        PID:6876
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd.exe" /C chcp 65001 && netsh wlan show networks mode=bssid
        31⤵
        
        PID:6424
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        32⤵
        
        PID:6548
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh wlan show networks mode=bssid
        32⤵
        
        PID:6636
        
        C:\Users\Admin\AppData\Local\Temp\New folder\RebelCracked.exe
        
        "C:\Users\Admin\AppData\Local\Temp\New folder\RebelCracked.exe"
        29⤵
        
        PID:5908
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        30⤵
        
        PID:4928
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        31⤵
        
        PID:3276
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All
        32⤵
        System Network Configuration Discovery: Wi-Fi Discovery
        
        PID:6668
        
        C:\Users\Admin\AppData\Local\Temp\New folder\RebelCracked.exe
        
        "C:\Users\Admin\AppData\Local\Temp\New folder\RebelCracked.exe"
        30⤵
        
        PID:3556
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        31⤵
        
        PID:5320
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        32⤵
        
        PID:5548
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All
        33⤵
        System Network Configuration Discovery: Wi-Fi Discovery
        
        PID:4576
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        34⤵
        
        PID:3764
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh wlan show profile
        34⤵
        System Network Configuration Discovery: Wi-Fi Discovery
        
        PID:1744
        
        C:\Windows\SysWOW64\findstr.exe
        
        findstr All
        34⤵
        
        PID:2344
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd.exe" /C chcp 65001 && netsh wlan show networks mode=bssid
        33⤵
        
        PID:2648
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        34⤵
        
        PID:5096
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh wlan show networks mode=bssid
        34⤵
        
        PID:4444
        
        C:\Users\Admin\AppData\Local\Temp\New folder\RebelCracked.exe
        
        "C:\Users\Admin\AppData\Local\Temp\New folder\RebelCracked.exe"
        31⤵
        
        PID:5708
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        32⤵
        
        PID:1928
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        33⤵
        
        PID:5448
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All
        34⤵
        System Network Configuration Discovery: Wi-Fi Discovery
        
        PID:6900
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        35⤵
        
        PID:5520
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh wlan show profile
        35⤵
        System Network Configuration Discovery: Wi-Fi Discovery
        
        PID:5064
        
        C:\Windows\SysWOW64\findstr.exe
        
        findstr All
        35⤵
        
        PID:6956
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd.exe" /C chcp 65001 && netsh wlan show networks mode=bssid
        34⤵
        
        PID:1356
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        35⤵
        
        PID:6496
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh wlan show networks mode=bssid
        35⤵
        
        PID:6420
        
        C:\Users\Admin\AppData\Local\Temp\New folder\RebelCracked.exe
        
        "C:\Users\Admin\AppData\Local\Temp\New folder\RebelCracked.exe"
        32⤵
        
        PID:3304
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        33⤵
        
        PID:3412
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        34⤵
        
        PID:5316
        
        C:\Users\Admin\AppData\Local\Temp\New folder\RebelCracked.exe
        
        "C:\Users\Admin\AppData\Local\Temp\New folder\RebelCracked.exe"
        33⤵
        
        PID:400
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        34⤵
        
        PID:3648
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        35⤵
        
        PID:4876
        
        C:\Users\Admin\AppData\Local\Temp\New folder\RebelCracked.exe
        
        "C:\Users\Admin\AppData\Local\Temp\New folder\RebelCracked.exe"
        34⤵
        
        PID:3728
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        35⤵
        
        PID:5480
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        36⤵
        
        PID:5904
        
        C:\Users\Admin\AppData\Local\Temp\New folder\RebelCracked.exe
        
        "C:\Users\Admin\AppData\Local\Temp\New folder\RebelCracked.exe"
        35⤵
        
        PID:5620
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        36⤵
        
        PID:5992
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        37⤵
        
        PID:2192
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All
        38⤵
        System Network Configuration Discovery: Wi-Fi Discovery
        
        PID:6288
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        39⤵
        
        PID:6368
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh wlan show profile
        39⤵
        System Network Configuration Discovery: Wi-Fi Discovery
        
        PID:6752
        
        C:\Windows\SysWOW64\findstr.exe
        
        findstr All
        39⤵
        
        PID:1356
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd.exe" /C chcp 65001 && netsh wlan show networks mode=bssid
        38⤵
        
        PID:7028
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        39⤵
        
        PID:7156
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh wlan show networks mode=bssid
        39⤵
        
        PID:6452
        
        C:\Users\Admin\AppData\Local\Temp\New folder\RebelCracked.exe
        
        "C:\Users\Admin\AppData\Local\Temp\New folder\RebelCracked.exe"
        36⤵
        
        PID:5700
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        37⤵
        
        PID:5708
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        38⤵
        
        PID:5772
        
        C:\Users\Admin\AppData\Local\Temp\New folder\RebelCracked.exe
        
        "C:\Users\Admin\AppData\Local\Temp\New folder\RebelCracked.exe"
        37⤵
        
        PID:5472
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        38⤵
        
        PID:3184
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        39⤵
        
        PID:5632
        
        C:\Users\Admin\AppData\Local\Temp\New folder\RebelCracked.exe
        
        "C:\Users\Admin\AppData\Local\Temp\New folder\RebelCracked.exe"
        38⤵
        
        PID:5580
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        39⤵
        
        PID:5968
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        40⤵
        
        PID:2952
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        40⤵
        
        PID:6104
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All
        41⤵
        System Network Configuration Discovery: Wi-Fi Discovery
        
        PID:6828
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        42⤵
        
        PID:7120
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh wlan show profile
        42⤵
        System Network Configuration Discovery: Wi-Fi Discovery
        
        PID:6204
        
        C:\Windows\SysWOW64\findstr.exe
        
        findstr All
        42⤵
        
        PID:1492
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd.exe" /C chcp 65001 && netsh wlan show networks mode=bssid
        41⤵
        
        PID:6324
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        42⤵
        
        PID:5988
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh wlan show networks mode=bssid
        42⤵
        
        PID:6412
        
        C:\Users\Admin\AppData\Local\Temp\New folder\RebelCracked.exe
        
        "C:\Users\Admin\AppData\Local\Temp\New folder\RebelCracked.exe"
        39⤵
        
        PID:5396
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        40⤵
        
        PID:2592
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        41⤵
        
        PID:5288
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        41⤵
        
        PID:3692
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All
        42⤵
        System Network Configuration Discovery: Wi-Fi Discovery
        
        PID:3372
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        43⤵
        
        PID:6544
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh wlan show profile
        43⤵
        
        PID:6656
        
        C:\Windows\SysWOW64\findstr.exe
        
        findstr All
        43⤵
        
        PID:6480
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd.exe" /C chcp 65001 && netsh wlan show networks mode=bssid
        42⤵
        
        PID:5344
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        43⤵
        
        PID:1604
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh wlan show networks mode=bssid
        43⤵
        
        PID:7128
        
        C:\Users\Admin\AppData\Local\Temp\New folder\RebelCracked.exe
        
        "C:\Users\Admin\AppData\Local\Temp\New folder\RebelCracked.exe"
        40⤵
        
        PID:3124
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        41⤵
        
        PID:2984
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        42⤵
        
        PID:5380
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All
        43⤵
        System Network Configuration Discovery: Wi-Fi Discovery
        
        PID:4668
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        44⤵
        
        PID:5648
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh wlan show profile
        44⤵
        System Network Configuration Discovery: Wi-Fi Discovery
        
        PID:3372
        
        C:\Windows\SysWOW64\findstr.exe
        
        findstr All
        44⤵
        
        PID:5588
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd.exe" /C chcp 65001 && netsh wlan show networks mode=bssid
        43⤵
        
        PID:5352
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        44⤵
        
        PID:6320
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh wlan show networks mode=bssid
        44⤵
        
        PID:6368
        
        C:\Users\Admin\AppData\Local\Temp\New folder\RebelCracked.exe
        
        "C:\Users\Admin\AppData\Local\Temp\New folder\RebelCracked.exe"
        41⤵
        
        PID:5424
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        42⤵
        
        PID:5320
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        43⤵
        
        PID:5968
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        43⤵
        
        PID:5676
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        43⤵
        
        PID:5136
        
        C:\Users\Admin\AppData\Local\Temp\New folder\RebelCracked.exe
        
        "C:\Users\Admin\AppData\Local\Temp\New folder\RebelCracked.exe"
        42⤵
        
        PID:4628
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        43⤵
        
        PID:4892
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        44⤵
        
        PID:4712
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All
        45⤵
        System Network Configuration Discovery: Wi-Fi Discovery
        
        PID:6540
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        46⤵
        
        PID:6732
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh wlan show profile
        46⤵
        System Network Configuration Discovery: Wi-Fi Discovery
        
        PID:6680
        
        C:\Windows\SysWOW64\findstr.exe
        
        findstr All
        46⤵
        
        PID:5236
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd.exe" /C chcp 65001 && netsh wlan show networks mode=bssid
        45⤵
        
        PID:6596
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        46⤵
        
        PID:6056
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh wlan show networks mode=bssid
        46⤵
        
        PID:5796
        
        C:\Users\Admin\AppData\Local\Temp\New folder\RebelCracked.exe
        
        "C:\Users\Admin\AppData\Local\Temp\New folder\RebelCracked.exe"
        43⤵
        
        PID:4668
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        44⤵
        
        PID:5332
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        45⤵
        
        PID:3172
        
        C:\Users\Admin\AppData\Local\Temp\New folder\RebelCracked.exe
        
        "C:\Users\Admin\AppData\Local\Temp\New folder\RebelCracked.exe"
        44⤵
        
        PID:3764
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        45⤵
        
        PID:5028
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        46⤵
        
        PID:5148
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All
        47⤵
        System Network Configuration Discovery: Wi-Fi Discovery
        
        PID:6936
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        48⤵
        
        PID:6424
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh wlan show profile
        48⤵
        System Network Configuration Discovery: Wi-Fi Discovery
        
        PID:5600
        
        C:\Windows\SysWOW64\findstr.exe
        
        findstr All
        48⤵
        
        PID:5536
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd.exe" /C chcp 65001 && netsh wlan show networks mode=bssid
        47⤵
        
        PID:4344
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        48⤵
        
        PID:6708
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh wlan show networks mode=bssid
        48⤵
        
        PID:2040
        
        C:\Users\Admin\AppData\Local\Temp\New folder\RebelCracked.exe
        
        "C:\Users\Admin\AppData\Local\Temp\New folder\RebelCracked.exe"
        45⤵
        
        PID:5560
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        46⤵
        
        PID:3184
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        47⤵
        
        PID:212
        
        C:\Users\Admin\AppData\Local\Temp\New folder\RebelCracked.exe
        
        "C:\Users\Admin\AppData\Local\Temp\New folder\RebelCracked.exe"
        46⤵
        
        PID:684
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        47⤵
        
        PID:3660
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        48⤵
        
        PID:3188
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        48⤵
        
        PID:4372
        
        C:\Users\Admin\AppData\Local\Temp\New folder\RebelCracked.exe
        
        "C:\Users\Admin\AppData\Local\Temp\New folder\RebelCracked.exe"
        47⤵
        
        PID:2536
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        48⤵
        
        PID:4040
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        49⤵
        
        PID:2712
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        49⤵
        
        PID:2984
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        49⤵
        
        PID:4272
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All
        50⤵
        System Network Configuration Discovery: Wi-Fi Discovery
        
        PID:5648
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        51⤵
        
        PID:684
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh wlan show profile
        51⤵
        System Network Configuration Discovery: Wi-Fi Discovery
        
        PID:3500
        
        C:\Windows\SysWOW64\findstr.exe
        
        findstr All
        51⤵
        
        PID:6804
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd.exe" /C chcp 65001 && netsh wlan show networks mode=bssid
        50⤵
        
        PID:4788
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        51⤵
        
        PID:6068
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh wlan show networks mode=bssid
        51⤵
        
        PID:7024
        
        C:\Users\Admin\AppData\Local\Temp\New folder\RebelCracked.exe
        
        "C:\Users\Admin\AppData\Local\Temp\New folder\RebelCracked.exe"
        48⤵
        
        PID:3372
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        49⤵
        
        PID:2648
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        50⤵
        
        PID:2836
        
        C:\Users\Admin\AppData\Local\Temp\New folder\RebelCracked.exe
        
        "C:\Users\Admin\AppData\Local\Temp\New folder\RebelCracked.exe"
        49⤵
        
        PID:3168
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        50⤵
        
        PID:5420
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        51⤵
        
        PID:3660
        
        C:\Users\Admin\AppData\Local\Temp\New folder\RebelCracked.exe
        
        "C:\Users\Admin\AppData\Local\Temp\New folder\RebelCracked.exe"
        50⤵
        
        PID:856
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        51⤵
        
        PID:3908
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        52⤵
        
        PID:6296
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All
        53⤵
        System Network Configuration Discovery: Wi-Fi Discovery
        
        PID:5444
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        54⤵
        
        PID:6940
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh wlan show profile
        54⤵
        System Network Configuration Discovery: Wi-Fi Discovery
        
        PID:2404
        
        C:\Windows\SysWOW64\findstr.exe
        
        findstr All
        54⤵
        
        PID:5996
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd.exe" /C chcp 65001 && netsh wlan show networks mode=bssid
        53⤵
        
        PID:6428
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        54⤵
        
        PID:4764
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh wlan show networks mode=bssid
        54⤵
        
        PID:7148
        
        C:\Users\Admin\AppData\Local\Temp\New folder\RebelCracked.exe
        
        "C:\Users\Admin\AppData\Local\Temp\New folder\RebelCracked.exe"
        51⤵
        
        PID:5344
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        52⤵
        
        PID:5708
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        53⤵
        
        PID:6176
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        53⤵
        
        PID:6252
        
        C:\Users\Admin\AppData\Local\Temp\New folder\RebelCracked.exe
        
        "C:\Users\Admin\AppData\Local\Temp\New folder\RebelCracked.exe"
        52⤵
        
        PID:4344
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        53⤵
        
        PID:3444
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        54⤵
        
        PID:6580
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        54⤵
        
        PID:6392
        
        C:\Users\Admin\AppData\Local\Temp\New folder\RebelCracked.exe
        
        "C:\Users\Admin\AppData\Local\Temp\New folder\RebelCracked.exe"
        53⤵
        
        PID:5436
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        54⤵
        
        PID:5752
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        55⤵
        
        PID:1760
        
        C:\Users\Admin\AppData\Local\Temp\New folder\RebelCracked.exe
        
        "C:\Users\Admin\AppData\Local\Temp\New folder\RebelCracked.exe"
        54⤵
        
        PID:5988
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        55⤵
        
        PID:6504
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        56⤵
        
        PID:6924
        
        C:\Users\Admin\AppData\Local\Temp\New folder\RebelCracked.exe
        
        "C:\Users\Admin\AppData\Local\Temp\New folder\RebelCracked.exe"
        55⤵
        
        PID:6468
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        56⤵
        
        PID:2016
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        57⤵
        
        PID:6156
        
        C:\Users\Admin\AppData\Local\Temp\New folder\RebelCracked.exe
        
        "C:\Users\Admin\AppData\Local\Temp\New folder\RebelCracked.exe"
        56⤵
        
        PID:7152
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        57⤵
        
        PID:2564
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        58⤵
        
        PID:6032
        
        C:\Users\Admin\AppData\Local\Temp\New folder\RebelCracked.exe
        
        "C:\Users\Admin\AppData\Local\Temp\New folder\RebelCracked.exe"
        57⤵
        
        PID:4792
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        58⤵
        
        PID:6400
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        59⤵
        
        PID:6880
        
        C:\Users\Admin\AppData\Local\Temp\New folder\RebelCracked.exe
        
        "C:\Users\Admin\AppData\Local\Temp\New folder\RebelCracked.exe"
        58⤵
        
        PID:4228
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        59⤵
        
        PID:6932
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        60⤵
        
        PID:6636
        
        C:\Users\Admin\AppData\Local\Temp\New folder\RebelCracked.exe
        
        "C:\Users\Admin\AppData\Local\Temp\New folder\RebelCracked.exe"
        59⤵
        
        PID:852
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        60⤵
        
        PID:5600
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        61⤵
        
        PID:6752
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        61⤵
        
        PID:5988
        
        C:\Users\Admin\AppData\Local\Temp\New folder\RebelCracked.exe
        
        "C:\Users\Admin\AppData\Local\Temp\New folder\RebelCracked.exe"
        60⤵
        
        PID:3812
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        61⤵
        
        PID:6400
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        62⤵
        
        PID:7144
        
        C:\Users\Admin\AppData\Local\Temp\New folder\RebelCracked.exe
        
        "C:\Users\Admin\AppData\Local\Temp\New folder\RebelCracked.exe"
        61⤵
        
        PID:2376
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        62⤵
        
        PID:984
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        63⤵
        
        PID:7016
        
        C:\Users\Admin\AppData\Local\Temp\New folder\RebelCracked.exe
        
        "C:\Users\Admin\AppData\Local\Temp\New folder\RebelCracked.exe"
        62⤵
        
        PID:6244

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Privilege Escalation

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Defense Evasion

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

System Network Configuration Discovery

T1016

Wi-Fi Discovery

T1016.002

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\17c9d5e5339b574ab370670abb376628\Admin@PVMNUDVD_en-US\System\Process.txt

Filesize
4KB

MD5
778ae7812eb2cfab0283d2c6cf18a01c

SHA1
d68e35838bd5a81cd667ca5cf575e40074746d16

SHA256
43ec3bba656bbfbe55ff45d03382e7e85f301641b09f6591f5a9ed5361144ca6

SHA512
77fcb5337ee845f44313b6f54420d5a402eb6b15313ba036cf2c6eeb3c2fab7d08dabfde3e9d6520fa93d9ff5f7cb3f69f68f858d1782865450068134a790986

Download Submit
C:\Users\Admin\AppData\Local\17c9d5e5339b574ab370670abb376628\Admin@PVMNUDVD_en-US\System\Process.txt

Filesize
4KB

MD5
8412856de1a73f457944ec15e2732747

SHA1
392ece2712bb6b8adc82bcc41edc64857a7e355a

SHA256
1f3c276b914f73579abfd061ce64ba6e735b6f4239176c91b1cfa6071bc65579

SHA512
10c2f382586cf38904979e6d7aec8884930d1b558c3b2875ab6c2358b0d638b139ea9dedc2a1db35adaa0356ca83a2df19b6385afbfdea930bdfdaf51dac9f15

Download Submit
C:\Users\Admin\AppData\Local\17c9d5e5339b574ab370670abb376628\Admin@PVMNUDVD_en-US\System\Process.txt

Filesize
4KB

MD5
7eb800f03feb8aa31e50ab9b807022ff

SHA1
dec867bf13e37a6be7a5269b517f8f2a40369fbf

SHA256
9b1b0dca797a6bd554a1a8724b3391fe94b8ee53dac28bee0c58ad6bbb3f3701

SHA512
b458747470b7bde97c3e043887d5db9a0574141616812cc3231d498a99f7f1733fa9e1f8ab93efb533da7f3d2e6b5864a296fc9656aac91021f0f11ae9973698

Download Submit
C:\Users\Admin\AppData\Local\17c9d5e5339b574ab370670abb376628\Admin@PVMNUDVD_en-US\System\Process.txt

Filesize
4KB

MD5
90912d81cc0739f4166736b0fe34de8d

SHA1
1b5016c5c55c113ec3a2bf61c69d98bc980c1971

SHA256
c7edeadbaf48f2f71bccde1e924b860a06a9dc2baab157703680471699736dd2

SHA512
278ff629bcc444b6313aae77dba1d7829d7c6e00a67a51aa8f340df05743b927ca92e2e3ec184754fe8ef24fef440ad6f95720d7946453b03c4a349836c00c8e

Download Submit
C:\Users\Admin\AppData\Local\17c9d5e5339b574ab370670abb376628\Admin@PVMNUDVD_en-US\System\Process.txt

Filesize
4KB

MD5
f74113b0ae7fcb77b3012e506298a301

SHA1
b5973dc049a59d2924c0cc22502b7d0259fb2a1a

SHA256
c9df3bc0cc683053e2547fe9217b64dfc2dd828b787c49036bb34927f883a375

SHA512
5f96e020e808eba0cc61c4149bdc2192e7004cdfacea2b94eb35637d0cf049be137528e73261b5b7364138341a283ef10fa7da7418849b39558127637650cca7

Download Submit
C:\Users\Admin\AppData\Local\17c9d5e5339b574ab370670abb376628\Admin@PVMNUDVD_en-US\System\Process.txt

Filesize
1KB

MD5
b049ef3e0da6e912d5c421dffb6bcb0c

SHA1
b50f04507eb12751fff0c1e3ed8907686e47ccf9

SHA256
3ebb326e29376ee206bd9824df71cd6a59272578aa7b45e079b8f0196b54281d

SHA512
70a7b588804302a55799dea322ddac2051c0c1f113293d475c45988d3197759759013ff437225b9d7173807f898916cf5d6971ee20eeba6e4b675f0b962bcfe5

Download Submit
C:\Users\Admin\AppData\Local\17c9d5e5339b574ab370670abb376628\Admin@PVMNUDVD_en-US\System\Process.txt

Filesize
800B

MD5
1870af93b015b1ed011e7c848226089c

SHA1
15bf37eefa67a5b9dcf32143ba5d85e8335a6067

SHA256
2990b1e396a52ff5fbe749469dcd893e77c4f0c8fb33770cd1843209f7406722

SHA512
c1c490370d59fa5cbba2209ece9e9eb3f1b1a7ff85b433f2b2ce8bfd7288db9dadd09c3602715dd3144ff4c9fa9e5303b29fad38b368335ddb347bfb614ddbe9

Download Submit
C:\Users\Admin\AppData\Local\17c9d5e5339b574ab370670abb376628\Admin@PVMNUDVD_en-US\System\ProductKey.txt

Filesize
29B

MD5
71eb5479298c7afc6d126fa04d2a9bde

SHA1
a9b3d5505cf9f84bb6c2be2acece53cb40075113

SHA256
f6cadfd4e4c25ff3b8cffe54a2af24a757a349abbf4e1142ec4c9789347fe8b3

SHA512
7c6687e21d31ec1d6d2eff04b07b465f875fd80df26677f1506b14158444cf55044eb6674880bd5bd44f04ff73023b26cb19b8837427a1d6655c96df52f140bd

Download Submit
C:\Users\Admin\AppData\Local\17c9d5e5339b574ab370670abb376628\Admin@PVMNUDVD_en-US\System\ScanningNetworks.txt

Filesize
168B

MD5
9f11565dd11db9fb676140e888f22313

SHA1
35ae1ce345de569db59b52ed9aee5d83fea37635

SHA256
bd652c6bfa16a30133dd622f065e53aee489e9066e81ecb883af1c3892af727d

SHA512
d70edbd84693afbdb90424b9f72a4bd4a51bd27c719506e17a58b171c251046aea23ca7228ccd8b98b47cd8eb1227bc2d90a07c4f50e8b080f9a41d253935ace

Download Submit
C:\Users\Admin\AppData\Local\3e8a5b436b2081e2452a87045b3fe346\Admin@PVMNUDVD_en-US\Directories\Temp.txt

Filesize
9KB

MD5
d94258a23a30267461e0ba4be777259b

SHA1
9618fd54fa68f7f29a414b9cc3f2b60d4bcadb45

SHA256
d7d378d9797c97e0afd3ceb7f1833f0c063f010dec1ef2693232b6c9ef19fbd3

SHA512
c6e57d33a0c9542cab4ea3af1249945da9faa26d7331e93620555c1785e9b1fae1e4b42cfadc396b32e8830b9453044208cc506accbd7a1f33b55acf605da2f4

Download Submit
C:\Users\Admin\AppData\Local\3e8a5b436b2081e2452a87045b3fe346\Admin@PVMNUDVD_en-US\System\Process.txt

Filesize
4KB

MD5
24dc58ba95efd7a5664f297237825ad7

SHA1
b2e64a71fa56755d2f27395f9bb34e323b163a4b

SHA256
36d4a951ce1ca46d341871c12acd955ba2fcd79c8db0a04e0ce8bf517145d67b

SHA512
cf5a960604080d15267301b533e5c524918177ac71f3e7ea475040a077efdfd600f3ff4ae36326f8530e71a6e7dbe70e73dd0475d2fa7e5575c045e0bdbe3c09

Download Submit
C:\Users\Admin\AppData\Local\3e8a5b436b2081e2452a87045b3fe346\Admin@PVMNUDVD_en-US\System\Process.txt

Filesize
4KB

MD5
20f72de051bd826ef1ef64f994ad8df1

SHA1
0f4e735a1f3b205f6e6688e743a5e4e64f08bf0d

SHA256
22ae52f0ddea8391d39ae79b985fa79e6f0dfc143dd3789862f6d6b37b4efc31

SHA512
0774781605d64fbe2e842bb876d52ef60011a0a179a81d236c9a593e51d91f2efaefbdde52678a2880d814c05e7b7ae51f227d3a62e6ac503895422eecc74515

Download Submit
C:\Users\Admin\AppData\Local\3e8a5b436b2081e2452a87045b3fe346\Admin@PVMNUDVD_en-US\System\Process.txt

Filesize
4KB

MD5
c62bd0d5aa1b379676cef227cedc63b1

SHA1
fc2025b282ce62855b40a98fcf79fc473c288025

SHA256
51101e0e02e0280380bc2e677ca79f5a3023d5b831b6355f02cb5db97b2ea4b8

SHA512
55ff530b7293ee8b0e94a8130707855e69809872825e85008f2a68e4663c5550dfb71e4b08a14dc99144aa45a421441a1a39348d94800f4dcdba25b00b54ddba

Download Submit
C:\Users\Admin\AppData\Local\3e8a5b436b2081e2452a87045b3fe346\Admin@PVMNUDVD_en-US\System\Process.txt

Filesize
1KB

MD5
5701274bea833377d01015f4d964f51e

SHA1
b1222c3b8a730d94f9075cd0a65c9c6558478d77

SHA256
ef780836198e5d5d29fba305ae40a7ee4866793d1db7a1aa70522d4bce64c2a8

SHA512
6c5b6cdea65a186092cbaa08f93ca17647ec284f63d538a7af80da86dd69befc0f6df7faab9ef8943b848ce4930e6756141a1af51a122b72e753c2d02d5107cf

Download Submit
C:\Users\Admin\AppData\Local\5db207b1d09101bcf27c7734dcb3a1b7\Admin@PVMNUDVD_en-US\System\Process.txt

Filesize
4KB

MD5
bb7f7cfc1c7c218867540b1cc4aad625

SHA1
4e89f3ef6321b479f259fd0581d5792182ec9055

SHA256
db6469a54e0368b68ffca1258c5721e3a01233d79fac8ffa95a414acd8945059

SHA512
68118f65e2d138e61118d9a6d15ece0c722e7edbd4b2e20c7cc0f8a500ca4a75e57910cd4cd9fcb50b8a2c94bce170dc8897fde982d85870fdca1981d10939f3

Download Submit
C:\Users\Admin\AppData\Local\5db207b1d09101bcf27c7734dcb3a1b7\Admin@PVMNUDVD_en-US\System\Process.txt

Filesize
466B

MD5
2f242bc0d7661752f9a557b5f611bb62

SHA1
9b87fc8e89182efec710bd103f9ba81fad9295db

SHA256
7c0393a19485c02abeeb546c6affa6477a3145d3aa4c19716a40c1a58f9b853e

SHA512
d83e5e257e70118b0f131c449efc9c95b66320e9771df8cc7eba1f379ff44cabe2506ce83ddc0d35e5a5f89eec66840e82d73b05f17fc0d0db645438309fe7b2

Download Submit
C:\Users\Admin\AppData\Local\5db207b1d09101bcf27c7734dcb3a1b7\Admin@PVMNUDVD_en-US\System\Process.txt

Filesize
614B

MD5
41a675835b89f53a09c8c1f31b69c208

SHA1
5efd055b1db9bc45c2c2271b6eacc219533d77fa

SHA256
e3853b3f95f59cdabdec2a5d069cfdcc1357192adee8851b9ec592f24e81e360

SHA512
a76f8082e150cfd16729b2e8d44d43f6c8d80fd27fb788f00dd48d1126bf4fc93ac4ae7cbf675e7e1f4c175708a3810a28447966fd8251a3561bb25f7076f0c9

Download Submit
C:\Users\Admin\AppData\Local\5db207b1d09101bcf27c7734dcb3a1b7\Admin@PVMNUDVD_en-US\System\Process.txt

Filesize
4KB

MD5
aa398a5f0e9932a2f98260ed26630916

SHA1
a1dc490737e443eb45ef784995ffc21282d2c6d6

SHA256
12d91d16bf0c86e1773f134b550c6739944af3653c1cbf312d3735faad88041d

SHA512
ec37d1f7e0192bee5f8e6280356df1e01e2c191df9cf5594986575722ffcd6753597f77faa4243a1a1a04be3ebf570e47079703f540c424f89949afe2efb21a8

Download Submit
C:\Users\Admin\AppData\Local\5db207b1d09101bcf27c7734dcb3a1b7\Admin@PVMNUDVD_en-US\System\Process.txt

Filesize
4KB

MD5
24793d3bf5ece632a06c528f035454db

SHA1
57c4150565a4304d12ecc7b851a0efeabec9c0ff

SHA256
bc0b3b5f3f796c0ba973e62ca0c0a3085731369bced71e4dbe08f62ce25a9936

SHA512
21a3e3316084700a56dd27cde31dc5dd27732465b78594cbe34647d288bc3758d3b8780afbccf558a1913ad5e2c3d734875aa00d9b65bd960a09ded9a3b417b5

Download Submit
C:\Users\Admin\AppData\Local\5db207b1d09101bcf27c7734dcb3a1b7\Admin@PVMNUDVD_en-US\System\Process.txt

Filesize
1KB

MD5
766c30ea28c1834a5190840afb9b4251

SHA1
33f8e8027e1a9c9d4c66c91cab7802178976d727

SHA256
3e4df480dd119e2d45f81b1318d7e93d53976b1d499f88d4e58d4dcac325f396

SHA512
30e554a52d1c7fca9d3286ad061b91cd8851c9ae6996eee37101043a68ca60f5941172893fcabbd2e23383568bc3ec441e14904dbf401b85b624344888b8d8fe

Download Submit
C:\Users\Admin\AppData\Local\5db207b1d09101bcf27c7734dcb3a1b7\Admin@PVMNUDVD_en-US\System\Process.txt

Filesize
3KB

MD5
c3795b294741cbe8898d05fe6d336b8e

SHA1
b3b3bce8bbf70e721c75c03773fc3b5fe96a443a

SHA256
4375b3a92400bf133beb5feddecfc93a5d2ce1ba342277471b356a442106d31f

SHA512
b52487f2f512aee8772f7c6e8aa57a87f54cb9b7105db60a8557e6fd44431a3c29aa5f870be2293ed6e19f7206dfeb1429086a4d21dbf0ae1710d845a76286c8

Download Submit
C:\Users\Admin\AppData\Local\5db207b1d09101bcf27c7734dcb3a1b7\Admin@PVMNUDVD_en-US\System\Process.txt

Filesize
1KB

MD5
b7281072fbcb8709a1dd1a83a360c86e

SHA1
d2916e16e540b1673c804d4adc3b3de4015b0baa

SHA256
ca387b1e019c23d02e9e49d8f9b218e997cf6df706f252944f4f63799891bf0e

SHA512
8545060de715ee4744f459df1acd3c81e49f3fd8bb997b6c1920856f5334dd0659646452df65d26e8ceb6cabf9eb5d74f31cc950953f4e58f46aa7bcc6b973a3

Download Submit
C:\Users\Admin\AppData\Local\5db207b1d09101bcf27c7734dcb3a1b7\Admin@PVMNUDVD_en-US\System\Process.txt

Filesize
1KB

MD5
7e92cedc21d01004e30991fea4277a67

SHA1
171b109c6bc5e55b14b8882e1ba3839d30c4ec3f

SHA256
4e0f17785bda6ebde82a798c8a1d4f4e4336382e28a335424e9abda15b37ef65

SHA512
49ba04dfe3734992e67f726c673d5d79b2499c38545dfc571cc63426e14fe4eab32c62983d8ca54ed60f04f4e28bf189d5dccdfb1bbaf3d87a53f93d52af14ef

Download Submit
C:\Users\Admin\AppData\Local\5db207b1d09101bcf27c7734dcb3a1b7\Admin@PVMNUDVD_en-US\System\Process.txt

Filesize
4KB

MD5
4a98a3da63d50870e7a398711bbadc98

SHA1
b4270a4597a3e6e1d0117a6400957b11def25ebe

SHA256
0971786a764441530d740bf8a91ad871cd12298b7dadebaf8f5833e4e74f5438

SHA512
0f7d928020ab6fdbf1fb7b5dea9a203490aa5eeb817a1098f888b57a84055ff0e71cffae05a3714a359b60aae59ce31df083e29dec886ce98c40c313b2a573f7

Download Submit
C:\Users\Admin\AppData\Local\5db207b1d09101bcf27c7734dcb3a1b7\Admin@PVMNUDVD_en-US\System\Process.txt

Filesize
1KB

MD5
d76808f9f19285403bf1907e8916c4c3

SHA1
aea8a3fef9aea1fed96e3ebd58b504d2f2579024

SHA256
acadac098e31ae522e9e39e0972fa5a72e5af552e37b73d1194f11f2830892dd

SHA512
72a8eb2a1ff1bf2732febbb1f37a7f394921ea6e41e15ea422fea0e1bde69ad389ac1671466c79d5a6f01638e3abc8975c55c66daea9c1f363e8e0702b159208

Download Submit
C:\Users\Admin\AppData\Local\5db207b1d09101bcf27c7734dcb3a1b7\Admin@PVMNUDVD_en-US\System\ScanningNetworks.txt

Filesize
84B

MD5
58cd2334cfc77db470202487d5034610

SHA1
61fa242465f53c9e64b3752fe76b2adcceb1f237

SHA256
59b3120c5ce1a7d1819510272a927e1c8f1c95385213fccbcdd429ff3492040d

SHA512
c8f52d85ec99177c722527c306a64ba61adc3ad3a5fec6d87749fbad12da424ba6b34880ab9da627fb183412875f241e1c1864d723e62130281e44c14ad1481e

Download Submit
C:\Users\Admin\AppData\Local\833859423f1ca52271b2ced45d5e288c\Admin@PVMNUDVD_en-US\System\Process.txt

Filesize
39B

MD5
0983fcb4f19898801a1ae938cb1956fe

SHA1
56a56d4a88ca2958e055c588031502e33a4f9dd6

SHA256
41e0471ed31471f3365e02ec3b49164c842033839f1120ecb958b5d7ff90472e

SHA512
e1311302343d4807bf2536763c539690dcaec303b3c7e3e5f5cb2330139ac08e27fbcbeb00b37110dc4a7846354566823c53143c2002ef8a9f01edffc9548070

Download Submit
C:\Users\Admin\AppData\Local\833859423f1ca52271b2ced45d5e288c\Admin@PVMNUDVD_en-US\System\Process.txt

Filesize
115B

MD5
76bf2b882fd0c0aadd5f0903120d2d25

SHA1
38d4b29b1cd2ebe9b761a12615f5e757ed6db1ad

SHA256
cfbdbc59c918dd26d0bdf9041e65339858797739b997cf05253a70437897f031

SHA512
c169f8db424d29bf0474bd8fac38108677eb57c3c18b291819b44be79fdfaeee505c7fa6211977ba33de6c1c52870a2919b133bb6ad1190cec7108a67f11ab31

Download Submit
C:\Users\Admin\AppData\Local\833859423f1ca52271b2ced45d5e288c\Admin@PVMNUDVD_en-US\System\Process.txt

Filesize
178B

MD5
44ece17c5e38bafcb9bc68847e8c20dd

SHA1
ffbc495ba30ce6f1f5c1f781810284f3962d9f0a

SHA256
4506fe6de24fecf8c4e9d3cbf8a3a4ea774434b5b32de167a2087c44e17aea7f

SHA512
c48a968b634ef14460d6cf27b6bfdf9f83267c5d9f1a9cf30a71435109dd5cd79c8dc5f66995ccdca25a8466e827b7928ed94b9dc27e1b8bf0f2d67423d0bdce

Download Submit
C:\Users\Admin\AppData\Local\833859423f1ca52271b2ced45d5e288c\Admin@PVMNUDVD_en-US\System\Process.txt

Filesize
242B

MD5
58ae3dc9323401816c38c9ad15ff2113

SHA1
a3a94b7c6786d50c8f5e9447c9a6557a8581c8c9

SHA256
ff7498fb2e467b68a7e9da10052ff55480ddc8bc80b5c127261b8ea5e2bed9f0

SHA512
301f9792aef06ee6377e76faa6b42a39957c6d866bd53fe3bf901c9737a63d65f6edb2020e5bd1cca050de517e0f0382f811398883c69c61dd7574d14321873c

Download Submit
C:\Users\Admin\AppData\Local\833859423f1ca52271b2ced45d5e288c\Admin@PVMNUDVD_en-US\System\Process.txt

Filesize
317B

MD5
b021e46cd55043023112c2ecdae4153a

SHA1
09f7bfbaef671f6cd645322a851c88456360bc8d

SHA256
8ad78244d3a52358c96c1c4980a7752e1cfc347d566bd3a2f2bfc9b692a34241

SHA512
4ed6fe5a4948166f52bd64c6b3c3853255c2762c9b705fb518989f0c78ae334a1af836b2848a1e599d593ffbd8753af529bdc50e352d8811bd59d0154e126d7a

Download Submit
C:\Users\Admin\AppData\Local\833859423f1ca52271b2ced45d5e288c\Admin@PVMNUDVD_en-US\System\Process.txt

Filesize
342B

MD5
ea714da8ab11601b11740189e1b8b490

SHA1
1724533e076049c7715f0d3fd4358f7bdffc21c2

SHA256
5dfa39d97c3b9b64435202eefb875115247273cea3b84c08872326332cc38769

SHA512
19b0bb07c54833382b45fff312f7d2fc13fca4eea07de55d7a5134fd8403d473a085998b415cf1e1022e4d856efc9d62b1e8130eb24cdbca22b53c78eaf1f61d

Download Submit
C:\Users\Admin\AppData\Local\833859423f1ca52271b2ced45d5e288c\Admin@PVMNUDVD_en-US\System\Process.txt

Filesize
529B

MD5
395bf56282c1e10f89f9c3adffdc6790

SHA1
da7b464c8f6394c682c90187a25b58b3946a64a3

SHA256
cc3e5e99badd3a82a8a398c1b9897da9a0bdef6e60139f22bf78c98a9da72435

SHA512
92eeda8d851ae0e50b784cff43b1293bddfdca02a37b95eeb7a0c97b308583f6f2275e8f0041025634ed1e4af06e5fce7436da6a6fcea13cf698ed62e897e797

Download Submit
C:\Users\Admin\AppData\Local\833859423f1ca52271b2ced45d5e288c\Admin@PVMNUDVD_en-US\System\Process.txt

Filesize
4KB

MD5
de71a5c4da8ac7bc8b692623adcc304d

SHA1
f359c2e2ebfa1fe6191e18a83c610f96bbc688ed

SHA256
ba03b6603d1bbd95fd71f6d8d39f5e19e7fab4712ed1e314e2b7273a6bbda584

SHA512
fc88e8774a16c323b182deafb99eda60e29255311a3b75ed163d26e901f547fc17da11b21dbf6e10ae2f7343a6d4445959acd92807f6a47e5eafe58291d4c4b2

Download Submit
C:\Users\Admin\AppData\Local\8506be12beeee320712513ea6e947914\Admin@PVMNUDVD_en-US\Browsers\Firefox\Bookmarks.txt

Filesize
105B

MD5
2e9d094dda5cdc3ce6519f75943a4ff4

SHA1
5d989b4ac8b699781681fe75ed9ef98191a5096c

SHA256
c84c98bbf5e0ef9c8d0708b5d60c5bb656b7d6be5135d7f7a8d25557e08cf142

SHA512
d1f7eed00959e902bdb2125b91721460d3ff99f3bdfc1f2a343d4f58e8d4e5e5a06c0c6cdc0379211c94510f7c00d7a8b34fa7d0ca0c3d54cbbe878f1e9812b7

Download Submit
C:\Users\Admin\AppData\Local\8506be12beeee320712513ea6e947914\Admin@PVMNUDVD_en-US\Directories\Desktop.txt

Filesize
609B

MD5
717a93e8c051bc4b3f9f0b12e84f9e40

SHA1
b82a9df82f021155d051410635b96c2226837970

SHA256
294990c53764a31a4b93226e2e4e41a85bfd391e0b2cdda694eb203d74009b60

SHA512
ad0b9de5360ff37417d1ceda252c9cb9f25eea40bcf4c93d17785e8d1c5ce4ed08faae6b2226b3cdc8e9c3464ed0399bed740ec9ff5de8a94a9bd4c7975a9ec8

Download Submit
C:\Users\Admin\AppData\Local\8506be12beeee320712513ea6e947914\Admin@PVMNUDVD_en-US\Directories\Documents.txt

Filesize
726B

MD5
04833d6834cc04dc52d5ad3ddfe670ff

SHA1
2bac2f0a21500cd51931988baad2ef88ade1cc4b

SHA256
514a55b19bb484a50c6dfe9d9b5da0ea117710ab3fbe98c904681bf99c39c7da

SHA512
5770c1dca872748de3bdb016b22dc08f4006c8d9e70622a8a7f52fb065e1e4e90655f4af7240aa60f4c467814f6d78cc3f18da24b110b60d4f1c04b28e0e68d8

Download Submit
C:\Users\Admin\AppData\Local\8506be12beeee320712513ea6e947914\Admin@PVMNUDVD_en-US\Directories\Downloads.txt

Filesize
761B

MD5
2f682e0c95f1919e1adcb72d51b7bdce

SHA1
42b6e5541b802b4fd334d6f52d7a517f7050a640

SHA256
8c2482231f0ffbb75c946d2383af2723598052227ecde22d96237ba55f88f65d

SHA512
e8affe7eb23e373c532e05bfd4a9b53cf095993a8ec074775ad9432cf9b5ee6d0f415cf2dd65c81ea75be1bf51974245230e7d21a58349f124374c77e5c03d9b

Download Submit
C:\Users\Admin\AppData\Local\8506be12beeee320712513ea6e947914\Admin@PVMNUDVD_en-US\Directories\OneDrive.txt

Filesize
25B

MD5
966247eb3ee749e21597d73c4176bd52

SHA1
1e9e63c2872cef8f015d4b888eb9f81b00a35c79

SHA256
8ddfc481b1b6ae30815ecce8a73755862f24b3bb7fdebdbf099e037d53eb082e

SHA512
bd30aec68c070e86e3dec787ed26dd3d6b7d33d83e43cb2d50f9e2cff779fee4c96afbbe170443bd62874073a844beb29a69b10c72c54d7d444a8d86cfd7b5aa

Download Submit
C:\Users\Admin\AppData\Local\8506be12beeee320712513ea6e947914\Admin@PVMNUDVD_en-US\Directories\Pictures.txt

Filesize
433B

MD5
f8246143c6a02d9afa3afccea1f5b59a

SHA1
0447e4401b71a2530a48ed9287bbfb6ad0ec7878

SHA256
238d23446bb8d8da0d3793a3d918725a29bfb8cd9b2faf2f67a3e770cb6125c4

SHA512
83b40af0310b40b889b96f9d97e9e69c143b7da93e4820c419fa3f5f87f89b382fe9abfa0fec89164300621033a0c88a016ba8fdcd68bd3f88b71fdb81b22ec7

Download Submit
C:\Users\Admin\AppData\Local\8506be12beeee320712513ea6e947914\Admin@PVMNUDVD_en-US\Directories\Startup.txt

Filesize
24B

MD5
68c93da4981d591704cea7b71cebfb97

SHA1
fd0f8d97463cd33892cc828b4ad04e03fc014fa6

SHA256
889ed51f9c16a4b989bda57957d3e132b1a9c117ee84e208207f2fa208a59483

SHA512
63455c726b55f2d4de87147a75ff04f2daa35278183969ccf185d23707840dd84363bec20d4e8c56252196ce555001ca0e61b3f4887d27577081fdef9e946402

Download Submit
C:\Users\Admin\AppData\Local\8506be12beeee320712513ea6e947914\Admin@PVMNUDVD_en-US\Directories\Temp.txt

Filesize
3KB

MD5
f807db7c67b7fa71e0a552ecccf1c198

SHA1
c7d6dd8299fe45544739826cf563fd69237d445b

SHA256
f92e5db6facb00c55a31e6d557cbb678d04e942809a3a1f6e09eded2d65c4648

SHA512
1810522d6bca549cadaabea93c24148e2ce664502a4f5f91cad08342f4bd7dc8653187d2ca8427a009f437f814f4f88edef83f7b24f18a1f054d5f2b50d4bacd

Download Submit
C:\Users\Admin\AppData\Local\8506be12beeee320712513ea6e947914\Admin@PVMNUDVD_en-US\Directories\Temp.txt

Filesize
3KB

MD5
e64bd99880c69dec3aa3cf6a4bba7a57

SHA1
0a2ee4caef7554efb94a2641d75d25ca3d70e383

SHA256
7fc95970d2126e81166ba3699e6d0aea501f05dcac452b8b77b9120fcf9feb4f

SHA512
0c86ecb4ef712879ac992924331a332d5ccb5bf6263ead6e3e1ee4831dc46235756f99605ffdd9488451a35e7ebd12db6c824082d59aad5db9b103b35855e4a3

Download Submit
C:\Users\Admin\AppData\Local\8506be12beeee320712513ea6e947914\Admin@PVMNUDVD_en-US\Directories\Videos.txt

Filesize
23B

MD5
1fddbf1169b6c75898b86e7e24bc7c1f

SHA1
d2091060cb5191ff70eb99c0088c182e80c20f8c

SHA256
a67aa329b7d878de61671e18cd2f4b011d11cbac67ea779818c6dafad2d70733

SHA512
20bfeafde7fec1753fef59de467bd4a3dd7fe627e8c44e95fe62b065a5768c4508e886ec5d898e911a28cf6365f455c9ab1ebe2386d17a76f53037f99061fd4d

Download Submit
C:\Users\Admin\AppData\Local\8506be12beeee320712513ea6e947914\Admin@PVMNUDVD_en-US\Grabber\DRIVE-C\Users\Admin\Desktop\desktop.ini

Filesize
282B

MD5
9e36cc3537ee9ee1e3b10fa4e761045b

SHA1
7726f55012e1e26cc762c9982e7c6c54ca7bb303

SHA256
4b9d687ac625690fd026ed4b236dad1cac90ef69e7ad256cc42766a065b50026

SHA512
5f92493c533d3add10b4ce2a364624817ebd10e32daa45ee16593e913073602db5e339430a3f7d2c44abf250e96ca4e679f1f09f8ca807d58a47cf3d5c9c3790

Download Submit
C:\Users\Admin\AppData\Local\8506be12beeee320712513ea6e947914\Admin@PVMNUDVD_en-US\Grabber\DRIVE-C\Users\Admin\Documents\desktop.ini

Filesize
402B

MD5
ecf88f261853fe08d58e2e903220da14

SHA1
f72807a9e081906654ae196605e681d5938a2e6c

SHA256
cafec240d998e4b6e92ad1329cd417e8e9cbd73157488889fd93a542de4a4844

SHA512
82c1c3dd163fbf7111c7ef5043b009dafc320c0c5e088dec16c835352c5ffb7d03c5829f65a9ff1dc357bae97e8d2f9c3fc1e531fe193e84811fb8c62888a36b

Download Submit
C:\Users\Admin\AppData\Local\8506be12beeee320712513ea6e947914\Admin@PVMNUDVD_en-US\Grabber\DRIVE-C\Users\Admin\Downloads\desktop.ini

Filesize
282B

MD5
3a37312509712d4e12d27240137ff377

SHA1
30ced927e23b584725cf16351394175a6d2a9577

SHA256
b029393ea7b7cf644fb1c9f984f57c1980077562ee2e15d0ffd049c4c48098d3

SHA512
dbb9abe70f8a781d141a71651a62a3a743c71a75a8305e9d23af92f7307fb639dc4a85499115885e2a781b040cbb7613f582544c2d6de521e588531e9c294b05

Download Submit
C:\Users\Admin\AppData\Local\8506be12beeee320712513ea6e947914\Admin@PVMNUDVD_en-US\Grabber\DRIVE-C\Users\Admin\Pictures\Camera Roll\desktop.ini

Filesize
190B

MD5
d48fce44e0f298e5db52fd5894502727

SHA1
fce1e65756138a3ca4eaaf8f7642867205b44897

SHA256
231a08caba1f9ba9f14bd3e46834288f3c351079fcedda15e391b724ac0c7ea8

SHA512
a1c0378db4e6dac9a8638586f6797bad877769d76334b976779cd90324029d755fb466260ef27bd1e7f9fdf97696cd8cd1318377970a1b5bf340efb12a4feb4a

Download Submit
C:\Users\Admin\AppData\Local\8506be12beeee320712513ea6e947914\Admin@PVMNUDVD_en-US\Grabber\DRIVE-C\Users\Admin\Pictures\Saved Pictures\desktop.ini

Filesize
190B

MD5
87a524a2f34307c674dba10708585a5e

SHA1
e0508c3f1496073b9f6f9ecb2fb01cb91f9e8201

SHA256
d01a7ef6233ef4ab3ea7210c0f2837931d334a20ae4d2a05ed03291e59e576c9

SHA512
7cfa6d47190075e1209fb081e36ed7e50e735c9682bfb482dbf5a36746abdad0dccfdb8803ef5042e155e8c1f326770f3c8f7aa32ce66cf3b47cd13781884c38

Download Submit
C:\Users\Admin\AppData\Local\8506be12beeee320712513ea6e947914\Admin@PVMNUDVD_en-US\Grabber\DRIVE-C\Users\Admin\Pictures\desktop.ini

Filesize
504B

MD5
29eae335b77f438e05594d86a6ca22ff

SHA1
d62ccc830c249de6b6532381b4c16a5f17f95d89

SHA256
88856962cef670c087eda4e07d8f78465beeabb6143b96bd90f884a80af925b4

SHA512
5d2d05403b39675b9a751c8eed4f86be58cb12431afec56946581cb116b9ae1014ab9334082740be5b4de4a25e190fe76de071ef1b9074186781477919eb3c17

Download Submit
C:\Users\Admin\AppData\Local\8506be12beeee320712513ea6e947914\Admin@PVMNUDVD_en-US\System\Process.txt

Filesize
1KB

MD5
df63e15a1f9d811cde9ff66c54be92f2

SHA1
3f2c7433e6b5b9dc437279917602d01b758d9def

SHA256
a3237cf897f97ddda0b1c92d3e30133941d98d6f63cecf5a04d63c0f0cc69f3a

SHA512
bebdab279b25d3521fcdb85db035e1c283cd3273c9e1bfe5e585026ada553ed4c920f60d4b84d18a6ee2961320c861dadd2e533d0d2281039992f6886d8f6b3c

Download Submit
C:\Users\Admin\AppData\Local\8506be12beeee320712513ea6e947914\Admin@PVMNUDVD_en-US\System\Process.txt

Filesize
4KB

MD5
6ded21982356268b9722e94a06901ab7

SHA1
4d186dfaf78489d653f7874d77eb8a19309db411

SHA256
fea831ce55c530c1bdf85f5e37e16a37270cad6e795e3262ac0aafed2a2efc2c

SHA512
af7de2b72661a95ea005d775326d32c9c0beac034195659abcc6d45b4df7d442d25e527629c66f00a83d6d85721b7a2c045a68650d800cc0be929cbeadd49d33

Download Submit
C:\Users\Admin\AppData\Local\8506be12beeee320712513ea6e947914\Admin@PVMNUDVD_en-US\System\Process.txt

Filesize
678B

MD5
abc60da75888b1f70fa29e3315361cee

SHA1
3bab7b1890f676a92b5060d2b0e6d86a1fbd649a

SHA256
4e6e061364947f4e6b5cc8b77a36718d495a863c589c12da28ac7523d837410f

SHA512
e8fa589d9939919f1804fd3d6aa8a4122f096d64efc88be765678b978aff86b7c8dc759f3569d89910b1ec45f337f71a3ce0c5e71a577bc95dfc7e22d712bce7

Download Submit
C:\Users\Admin\AppData\Local\8506be12beeee320712513ea6e947914\Admin@PVMNUDVD_en-US\System\Process.txt

Filesize
1KB

MD5
855084f2358ad92f83529025138ad973

SHA1
9008300757df6c0f198fe86ba705fbb86803582d

SHA256
831af1feefb45604c80f695c8967b56b928862e0c664470a642c2f67bd8dd904

SHA512
cfd700d5697dbdf00d69be658627ba710c065694a96a9f7687302bc375a98d2888f2f777222e377225594e87ae211981d3c33e03aa21e421180e302ee41d077a

Download Submit
C:\Users\Admin\AppData\Local\8506be12beeee320712513ea6e947914\Admin@PVMNUDVD_en-US\System\Process.txt

Filesize
4KB

MD5
0f64064c4ef9fd25498fb7979edc7b6e

SHA1
be4a912a7370304e8f51fce05c6ad570ab5e8ed6

SHA256
845e52fd060df07215be8e692d5d509e58915714ec2ac5e1530efa6fda74da67

SHA512
3018f1def363119388f1b186136b03e67d0dda03478a191b769c367093aacf14c95e99f13ee47837416987ef80ac6f0f07a6810b18f83b40ef6d9599fad4c528

Download Submit
C:\Users\Admin\AppData\Local\8506be12beeee320712513ea6e947914\Admin@PVMNUDVD_en-US\System\Process.txt

Filesize
5KB

MD5
2d354bec8492fddcebaf501d8ea5d682

SHA1
06d41dbbe452cf8fd4f7a33295b89b6402244503

SHA256
bba60b93fee938853f1d85d694c4897fe01b600fecedfb255eb6875a63c36b41

SHA512
8bb5dd16f2146c46ba47421482a797fcda08e8196c948e52a2c2f132cd35bfeaa52ae61b262bff2151122b06d9b3d9c46fa58c5699837834e382c0dba0c3546a

Download Submit
C:\Users\Admin\AppData\Local\99b03d914a1bba9ce39aaa145a795729\Admin@PVMNUDVD_en-US\System\Process.txt

Filesize
76B

MD5
12dc17fe2c86f7af912b5a5d10f8a472

SHA1
787bbdde6b23259c2a2c2fee9cb0ec99a4a59268

SHA256
a34ba32f994b016a0378cbd4afe4138ce456e45f7f7bc1ebe85a6b75149005b3

SHA512
16c4533529023b626cf129e12cb17874df42335291e870e56ca21e842ba8c806da33cf3064924d2b6c9714a15be6c2126f6e19f59d7eb9e0f95477d284dc8e12

Download Submit
C:\Users\Admin\AppData\Local\99b03d914a1bba9ce39aaa145a795729\Admin@PVMNUDVD_en-US\System\Process.txt

Filesize
139B

MD5
88f972218e8dd59193247b6380c43995

SHA1
13ab74150eaae9598944ff540c25b6acd28ff2f7

SHA256
37477fed4dd7476af53b520213e8a42d099b1e441700e8e6445c7c43daed33fa

SHA512
f45a3ff55dab220da22992f446cc1d9518cda15d6ec6e5114e90bddc1d206dd5931613a15ce992cfd9be8a390acdac2cd140c8d6a0331aef85033e1a8248aa50

Download Submit
C:\Users\Admin\AppData\Local\99b03d914a1bba9ce39aaa145a795729\Admin@PVMNUDVD_en-US\System\Process.txt

Filesize
203B

MD5
6ef888d130deba29e4c2390ca2a767f4

SHA1
d8c77fd1098b901c0ea838fab58e2a2f20494dea

SHA256
759f164fe442cf66655528d37b1048da15bcc2e347443461677ab5c4acab9745

SHA512
e1f6f9fddb8c1d41b4fb676cb52e9157c83fff4b44d00ab8f73e7c256dce1bf32542d932a73aa45529ab0848fe27f155c99f2ae9ffe66b43df786ea945a6544d

Download Submit
C:\Users\Admin\AppData\Local\99b03d914a1bba9ce39aaa145a795729\Admin@PVMNUDVD_en-US\System\Process.txt

Filesize
278B

MD5
fc179bfed163500973c75eb057c04415

SHA1
808afeea49a7a0c24878cc4dc56bd38e53109210

SHA256
116cc54bf3a3a0f27f3722dfc741be4092ba123d303c46814574af25d06209d7

SHA512
fc99a7bdbb5b3bc3a1e98e6c8d13e8305a3759e1c3f8e9ab0e48c732a626554bb31cffcb7c324f81fca3521cdbca783fc633afb34fe7522e689de0325680d066

Download Submit
C:\Users\Admin\AppData\Local\99b03d914a1bba9ce39aaa145a795729\Admin@PVMNUDVD_en-US\System\Process.txt

Filesize
427B

MD5
1fe0762939261efed840f3cf9339be7f

SHA1
88306cbc4a096e699eeaa6148a0a7d3bd3468450

SHA256
bd71ea4b6c76c0dbf0606e8493df757f830f62565d2d5aeba9eedd4c856d489d

SHA512
64fac838eefa2762f3c17201a6df584a222b4435fb59c1c1d4e39a1cc194f0c2d90cb801cd67814e5976fd5cbe6b578144d46c9817165d4a0d76939a90cba20f

Download Submit
C:\Users\Admin\AppData\Local\99b03d914a1bba9ce39aaa145a795729\Admin@PVMNUDVD_en-US\System\Process.txt

Filesize
4KB

MD5
c2f1507a54d59cfbad05d9271b9142a8

SHA1
7180b697e31a148a725867081d78704436c46c34

SHA256
b7a08952862d4981ff6334f61d8a325ee7c8e2379ff8adecf2f42b7d61e05e0d

SHA512
d6c5e47bfbb94856e0c32b7f31130bc3a496e15a3467e0f2792ce01a9be2539ac1b07246c445dd6b99a90f1d148201e1e074cec9c8d21381605e6e46b2b7c3e6

Download Submit
C:\Users\Admin\AppData\Local\99b03d914a1bba9ce39aaa145a795729\Admin@PVMNUDVD_en-US\System\Process.txt

Filesize
4KB

MD5
109c148c0b29c9310bea15d87633245f

SHA1
ddb58865aa044a40838ec1727225cab02598b7c4

SHA256
41a838b892c1a5d6213f9e2f3da0a4e5961d6fb4543456ec2575a449e500e3b4

SHA512
05cbd1e5f10f10da56aebadbbfcbaccc375305572b9fe7b00bb3ac1415cc625651761b5d8531d627970d7547c8e8e807fd87ce6ac3945078ea352c72550bcd51

Download Submit
C:\Users\Admin\AppData\Local\99b03d914a1bba9ce39aaa145a795729\Admin@PVMNUDVD_en-US\System\Windows.txt

Filesize
170B

MD5
82fcec7943d445c6038491eb692c2a87

SHA1
f4a438c20972cc8d97494c17bc2596fb9504ec24

SHA256
36ab63ad657b224ff0880e8afe72f413f702b83ed6b085637771e28cffed929c

SHA512
64dd5965e590a13a22eff2284835d352c58c466af9ec6cd8d33d32521e9ff5e5f8b6ba831222f9d1ae78f9ebf005860c531ae4fb79ab22216a759bd29c45e385

Download Submit
C:\Users\Admin\AppData\Local\99b03d914a1bba9ce39aaa145a795729\Admin@PVMNUDVD_en-US\System\WorldWind.jpg

Filesize
83KB

MD5
e9cae1b9e24f55eeadcfb2c3d684a9e6

SHA1
47cf0a49524e2f95012ed94bd4ce1a4f7d6b7f10

SHA256
26f910f715fcf1fcd5c9f52da5ae02fef53d915a70f9e0cf974f5fe6449f0dff

SHA512
d25421949a2736fd439496db9f794109f84c0b88d9a2f1628618f9bb3e65dc758351cbae1ea3862b07e992c17965edd459282d54afaa363ce03d6b4731739db1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\RebelCracked.exe.log

Filesize
654B

MD5
2ff39f6c7249774be85fd60a8f9a245e

SHA1
684ff36b31aedc1e587c8496c02722c6698c1c4e

SHA256
e1b91642d85d98124a6a31f710e137ab7fd90dec30e74a05ab7fcf3b7887dced

SHA512
1d7e8b92ef4afd463d62cfa7e8b9d1799db5bf2a263d3cd7840df2e0a1323d24eb595b5f8eb615c6cb15f9e3a7b4fc99f8dd6a3d34479222e966ec708998aed1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\RuntimeBroker.exe.log

Filesize
706B

MD5
9b4d7ccdebef642a9ad493e2c2925952

SHA1
c020c622c215e880c8415fa867cb50210b443ef0

SHA256
e6f068d76bd941b4118225b130db2c70128e77a45dcdbf5cbab0f8a563b867ff

SHA512
8577ecd7597d4b540bc1c6ccc4150eae7443da2e4be1343cc42242714d04dd16e48c3fcaefd95c4a148fe9f14c5b6f3166b752ae20d608676cf6fb48919968e8

Download Submit
C:\Users\Admin\AppData\Local\RuntimeBroker.exe

Filesize
330KB

MD5
75e456775c0a52b6bbe724739fa3b4a7

SHA1
1f4c575e98d48775f239ceae474e03a3058099ea

SHA256
e8d52d0d352317b3da0be6673099d32e10e7b0e44d23a0c1a6a5277d37b95cf3

SHA512
b376146c6fa91f741d69acf7b02a57442d2ea059be37b9bdb06af6cc01272f4ded1a82e4e21b9c803d0e91e22fc12f70391f5e8c8704d51b2435afc9624e8471

Download Submit
C:\Users\Admin\AppData\Local\Temp\places.raw

Filesize
5.0MB

MD5
199d82d11c3c57b35976685dd2c6135f

SHA1
b95c80c6766745ca4049acd19d25e9e60d55871c

SHA256
d1e83b9f571cdd8087d0ba5e2de31ad98ebf2c1156eea86de6ef8dea5fc2adcb

SHA512
972db73c22a683a2a68043f53a388978b72f20b2c1411bc69b662b1e66c31dbcb60f142748c6960242da7c58dcabac46b056f6c612612d062b54e38dbf44c14b

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpD5BF.tmp.dat

Filesize
114KB

MD5
f0b6304b7b1d85d077205e5df561164a

SHA1
186d8f4596689a9a614cf47fc85f90f0b8704ffe

SHA256
c3aa800492bc1e5ff4717db8c82d1f3772b24579cde51058bdd73a9cc9822dc7

SHA512
d672ea182ddf56a331d3209dcf7b9af8c3ffad0b787b224fe9e3e4c80205e474a66914358fa253c170c85a8366da2f2c3aa9d42e1f6f3291a9e6bdd9ba51fb0a

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpD5C1.tmp.dat

Filesize
160KB

MD5
f310cf1ff562ae14449e0167a3e1fe46

SHA1
85c58afa9049467031c6c2b17f5c12ca73bb2788

SHA256
e187946249cd390a3c1cf5d4e3b0d8f554f9acdc416bf4e7111fff217bb08855

SHA512
1196371de08c964268c44103ccaed530bda6a145df98e0f480d8ee5ad58cb6fb33ca4c9195a52181fe864726dcf52e6a7a466d693af0cda43400a3a7ef125fad

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpD5C4.tmp.dat

Filesize
116KB

MD5
f70aa3fa04f0536280f872ad17973c3d

SHA1
50a7b889329a92de1b272d0ecf5fce87395d3123

SHA256
8d782aa65de6db3538a14da82216e96d5e0a3c60496726e3541a8165bccc65f8

SHA512
30675c5c610d9aa32a4c4a4d9c3af7570823cd197f8d2a709222c78e2cd15304bbed80e233e3674ec2f6e33d1961c67fd6a46dc8ba8b1a301cd0722932c03c84

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpDE99.tmp.dat

Filesize
40KB

MD5
a182561a527f929489bf4b8f74f65cd7

SHA1
8cd6866594759711ea1836e86a5b7ca64ee8911f

SHA256
42aad7886965428a941508b776a666a4450eb658cb90e80fae1e7457fc71f914

SHA512
9bc3bf5a82f6f057e873adebd5b7a4c64adef966537ab9c565fe7c4bb3582e2e485ff993d5ab8a6002363231958fabd0933b48811371b8c155eaa74592b66558

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpDEAF.tmp.dat

Filesize
48KB

MD5
349e6eb110e34a08924d92f6b334801d

SHA1
bdfb289daff51890cc71697b6322aa4b35ec9169

SHA256
c9fd7be4579e4aa942e8c2b44ab10115fa6c2fe6afd0c584865413d9d53f3b2a

SHA512
2a635b815a5e117ea181ee79305ee1baf591459427acc5210d8c6c7e447be3513ead871c605eb3d32e4ab4111b2a335f26520d0ef8c1245a4af44e1faec44574

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpDEB0.tmp.dat

Filesize
20KB

MD5
49693267e0adbcd119f9f5e02adf3a80

SHA1
3ba3d7f89b8ad195ca82c92737e960e1f2b349df

SHA256
d76e7512e496b7c8d9fcd3010a55e2e566881dc6dacaf0343652a4915d47829f

SHA512
b4b9fcecf8d277bb0ccbb25e08f3559e3fc519d85d8761d8ad5bca983d04eb55a20d3b742b15b9b31a7c9187da40ad5c48baa7a54664cae4c40aa253165cbaa2

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpDEB1.tmp.dat

Filesize
124KB

MD5
9618e15b04a4ddb39ed6c496575f6f95

SHA1
1c28f8750e5555776b3c80b187c5d15a443a7412

SHA256
a4cd72e529e60b5f74c50e4e5b159efaf80625f23534dd15a28203760b8b28ab

SHA512
f802582aa7510f6b950e3343b0560ffa9037c6d22373a6a33513637ab0f8e60ed23294a13ad8890935b02c64830b5232ba9f60d0c0fe90df02b5da30ecd7fa26

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpDEC1.tmp.dat

Filesize
96KB

MD5
40f3eb83cc9d4cdb0ad82bd5ff2fb824

SHA1
d6582ba879235049134fa9a351ca8f0f785d8835

SHA256
cdd772b00ae53d4050150552b67028b7344bb1d345bceb495151cc969c27a0a0

SHA512
cdd4dbf0b1ba73464cd7c5008dc05458862e5f608e336b53638a14965becd4781cdea595fd6bd18d0bf402dccffd719da292a6ce67d359527b4691dc6d6d4cc2

Download Submit
C:\Users\Admin\AppData\Local\a0e2b125bf4472ee3a6d3e2674bf0927\Admin@PVMNUDVD_en-US\System\Process.txt

Filesize
4KB

MD5
be4831386a8ee2d0eb5b3dc555ade6fd

SHA1
c53ec3dde6989b1a3cf334bd5c8daa3d76a62e05

SHA256
a9ce20ca917d062809c553a46df631f113d3701bdcfcaa86857d53f4accc2ade

SHA512
4569327b6caa0871c00418cf5108806b99861230778ab2b6611d14a24763f330da419c647802b89803905519ce2641590523dcf0a255dd64337814fe76fe7307

Download Submit
C:\Users\Admin\AppData\Local\a0e2b125bf4472ee3a6d3e2674bf0927\Admin@PVMNUDVD_en-US\System\Process.txt

Filesize
626B

MD5
78cf5e2143bf9b9a9e9c8dc69665f43c

SHA1
e1eae46cf09f4181df783983c2357a74f538b473

SHA256
7416b9f98ace42d2a47b31682e49e27fc938420fdb257060e90b00b7ae8a0e7d

SHA512
43f40d934605b6e4f3852551afb96a93a1c0999c55c32c5f9107d34c31b26bea094eb5c737afac4f9d13a93b7c80dd209a1ef6f6716067dfdf8de18df39247ef

Download Submit
C:\Users\Admin\AppData\Local\b82b87cf34c3ca2d2a0b6fd09646285a\Admin@PVMNUDVD_en-US\System\Process.txt

Filesize
2KB

MD5
29b38218aa69ca5be9a642a90bfeeea2

SHA1
a69ef9a81f4a8d8a711e8570dd44055a87534009

SHA256
eefd0c24eaba74f2db172e6c7b21894080ca935001c92519ffb4eb4888445bcd

SHA512
4847e25410cd51e85fe18eeba8e4937dc88d9079ca152fb7229e86a8bd6ae25d7cc4046dd8f01be0cf46a1ff2feaf1e1ab9d0993908845421835a51827a045a3

Download Submit
C:\Users\Admin\AppData\Local\b82b87cf34c3ca2d2a0b6fd09646285a\Admin@PVMNUDVD_en-US\System\Process.txt

Filesize
4KB

MD5
08361238054e37437a938bd3d447c976

SHA1
7e97e931db6b94429336d173138742689a83899f

SHA256
4029454405238f08c831ee36c0a3904fc3a5659a714330aa147a0b940618f9d7

SHA512
c91ff0412066382941a79019672da119418ca79536dcd9486756d91cefba6d146f5b4d8ab76690fea5ab1df0d2fa5637c479c0ac7cc9096fb65e6f54b693b32e

Download Submit
C:\Users\Admin\AppData\Local\b82b87cf34c3ca2d2a0b6fd09646285a\Admin@PVMNUDVD_en-US\System\Process.txt

Filesize
530B

MD5
df00b8c8331af481e32aa113e187020c

SHA1
4c495460937e2fdb5c7ed300321a9f4a1e0226d5

SHA256
e9e21e7981ae8c8ebf73e4f562e8c11bae8b98345f1ad7e7cf021f90f70ab9fd

SHA512
10eabbf1f22458d861478cebef27bd719adf70b182700fade92401bd2fe5fa6def8b36b6110eb4e4ede1cc38cd47ab4ac7cee95c689f57a883525a5bd2904462

Download Submit
C:\Users\Admin\AppData\Local\b82b87cf34c3ca2d2a0b6fd09646285a\Admin@PVMNUDVD_en-US\System\Process.txt

Filesize
824B

MD5
a527fda65bc7e08d7515b894f43eb005

SHA1
0254c6c023aa8cfef2fba74b59a027bcd6e65f68

SHA256
e8a41fb02c1ea7a770062c3aabe06d2a1ea6f9fe67cb0023673db8b9e46af62f

SHA512
8a358649848af2063cc7c0195e70cecadf83088e7eec16685ae56bbfdd9c12a36e15142b30dd0959b8844736eccc5bb928af9521af95efe2e13cd2b23f827bd9

Download Submit
C:\Users\Admin\AppData\Local\bd837c7f1e2cc15479a647660ea146d1\Admin@PVMNUDVD_en-US\System\Process.txt

Filesize
381B

MD5
35d3822d2883eb9f6315b8a72937cf6e

SHA1
448c9e3fd7c903a9042a68d5619f8585aa7dfe6e

SHA256
bc92de6a1939ddf194d4fff31d1d9445898157ec33409d0a3ccebf2f721a22ba

SHA512
d0bfd0242b6c98192dbbf1fd1e975be9a24bd62b5c993dfb707d6d21fef5b7d1406b0508477248fe79b990e9677b5e7269be64715d21d7d188a02fedfcd54c80

Download Submit
C:\Users\Admin\AppData\Local\bd837c7f1e2cc15479a647660ea146d1\Admin@PVMNUDVD_en-US\System\Process.txt

Filesize
562B

MD5
deffb8768e4b290511b03b9666ea2f64

SHA1
258e644e57bc04f31a894a6840037cf14246a3cb

SHA256
5dbb9dfb87e26f6fd346a92136c4840c2d908c8a634bc4f9c535b88054300b30

SHA512
adc6c000f5b374880b55b8e622b998430d5822d2c9e60fb38aee91639a688266cb4ba2541c9d741b36e16147e8526003fc7aec9377e61e62d65221e4d6710a95

Download Submit
C:\Users\Admin\AppData\Local\bd837c7f1e2cc15479a647660ea146d1\Admin@PVMNUDVD_en-US\System\Process.txt

Filesize
626B

MD5
fa9495fcafc000c0a1828a6ac914859b

SHA1
d6ad46d48840d23a2ede42fbbcef752b43a54ece

SHA256
d682053dc40b9eeff795183d6d246b6f64a1512fbb677c8863f7e87af22f5314

SHA512
bab7bd62675714910fa4b0eb44f0f2569f80c0fcdc61c1e8c1a0b1c869eca5e76d38392d272e27188c854333ed0c2a53279f206da66eadd18f24e23a7667470b

Download Submit
C:\Users\Admin\AppData\Local\bd837c7f1e2cc15479a647660ea146d1\Admin@PVMNUDVD_en-US\System\Process.txt

Filesize
690B

MD5
9b0f4695abc0f97cd147899f01e8789e

SHA1
4138e6ae78920b00e23dab28d81adadd6c7f1284

SHA256
ffa6fe51863c219d85d31536671af8e9d13e78e7fc4e6e75cabe7025537674d7

SHA512
b14b760e11c846d84b8832001da05beaf18c717543cf651f0297288fba64ecf423539e7f0cedacdfb849db6964ffd840009befa42d2e8e10395e4bfaebc691e4

Download Submit
C:\Users\Admin\AppData\Local\bd837c7f1e2cc15479a647660ea146d1\Admin@PVMNUDVD_en-US\System\Process.txt

Filesize
593B

MD5
6903f8da90acdf1f971cc38c7d5e39b8

SHA1
abeb7c556515ed71ee3ed3142a63ea8164da8791

SHA256
f3245b19048037eaf9394a7b6ee56cea31b80c804a47b7a3351ba33f8211976a

SHA512
65e56c13816a10539c108a33354614a50229036f905c4ee0839915ad3051b268a278de533636bc770f182e59c63817d13feab97ff2af14ed111d27184bf5e708

Download Submit
C:\Users\Admin\AppData\Local\d96d8b50c07a65ecc182961d57cfcf5d\Admin@PVMNUDVD_en-US\Directories\Temp.txt

Filesize
6KB

MD5
89db5c841f997911f731f36cf8ebbfa9

SHA1
32543cdc131074a2f45d89572566e7e6b8ef6852

SHA256
0b233ad8417abfe83848b8fea638d82a614bc2f6594680cd001f94e191aabce8

SHA512
311cfa0e032cc6655782244a1c0c1a2b2d8568fc9f8a193bf3279a5956d594a4415a177f1a46901ff0650d45fb264cd1a7cb7e4cffcfc531d94a12b24e28fb0c

Download Submit
C:\Users\Admin\AppData\Local\d96d8b50c07a65ecc182961d57cfcf5d\Admin@PVMNUDVD_en-US\System\Process.txt

Filesize
575B

MD5
e4f043a1de7113a726b9240d4d8ba21a

SHA1
52941ab5b6250ab9c9a8bc1a9803ea2ee6d55370

SHA256
1016058e9d3754d44ec7d44530da01ddaf9c5bb3f4264ed44da9cccd47dfe70c

SHA512
9018b958dc2d31c87e2a877c021c0d12614ff577a8ff6a210900bf47bdd6812fd37897d66adac4a330a09d88828ff3a40623033574c2cfccae5ed582d098eff3

Download Submit
C:\Users\Admin\AppData\Local\d96d8b50c07a65ecc182961d57cfcf5d\Admin@PVMNUDVD_en-US\System\Process.txt

Filesize
1KB

MD5
d6d37c5d7d94e49a18b6de315ba47be4

SHA1
e0637d6a0ba57535de75ee3b71c6236b0525f052

SHA256
6b7ec7f24019bd2f21ea8b37ae9d9536de9ea966043e55c92eae0a0ad8a21d9d

SHA512
fe9c6c08b6755e2d1128b55eb286b332e9a076d6724f1395728ab108a32637c04d30d8349d96ebe89f1407f748bdeec4e127d1616e36a4f02c78cb319545feeb

Download Submit
C:\Users\Admin\AppData\Local\d96d8b50c07a65ecc182961d57cfcf5d\Admin@PVMNUDVD_en-US\System\Process.txt

Filesize
1KB

MD5
2ed3cafb384a420e837059b1a09029a8

SHA1
2873f2a122a450b5b6c9ea21dfa1b3a4f0af001e

SHA256
b6599df63193b00a598b14c6f8848f36a6587ddec0dcaa0e8379845f8470bfb4

SHA512
090a7975c922bc5c19c3a0fb586b0683fbb9b2d25b94afbfbea8b83133b673830aa81b4c44ab6f6f1775833606b894395e4dab13abbb49d979799340df58aeb8

Download Submit
C:\Users\Admin\AppData\Local\d96d8b50c07a65ecc182961d57cfcf5d\Admin@PVMNUDVD_en-US\System\Process.txt

Filesize
1KB

MD5
d5519d3a18ef1fe2c31842abb372739e

SHA1
0ed9f0ec0fafa1d4b94c826041208e55403c2900

SHA256
b55c13756a41eef49f4b23a7514a95f502d461f7407030c32955cb00716b3f21

SHA512
c7611291873c630c64a419206b939f39e7e6b5ecb5373828fc6795cc5942ce0695fe3834a227fc008e42e6b4e3433e3e823f31b392ef7e82ddeb89d3b08bf4de

Download Submit
C:\Users\Admin\AppData\Local\d96d8b50c07a65ecc182961d57cfcf5d\Admin@PVMNUDVD_en-US\System\Process.txt

Filesize
1KB

MD5
a59aeae1875e6f99e7813fad3336f003

SHA1
bfa87b8d11e0f85b092d84df2216f0246caaa812

SHA256
9615bf78c43515766dece9d74141feb1ca6f0d5ddf0f86dce8fc632a7e7f3aa0

SHA512
ac523f70fe3bbf2cd6a52e6cea398ead01bc602182c11f2e7313eed2e4c90c611538c94a01568ac24467bf3e476a9a3ac4cbb606c61b839c2ba27d2cc4b7aba6

Download Submit
C:\Users\Admin\AppData\Local\d96d8b50c07a65ecc182961d57cfcf5d\Admin@PVMNUDVD_en-US\System\Process.txt

Filesize
1KB

MD5
9403c8a07c38cacd93a7c547249fe267

SHA1
24199aa5cc8ce8c2a7e36741972e49fbb9522ab4

SHA256
6fa54aeca8e409a1f4f173404c68658018715f65daedb6e399a3083f3311c56c

SHA512
c84ebaf1f877f891e36615867b69a8023d9b15f45262e964c077a345571cae1c6395fe2596d43d8c1b2bada5ad0cc99c6959591880379ff881e4701559fb9544

Download Submit
C:\Users\Admin\AppData\Local\d96d8b50c07a65ecc182961d57cfcf5d\Admin@PVMNUDVD_en-US\System\Process.txt

Filesize
1KB

MD5
6e657a2737dc2af6f02468249162dd2b

SHA1
e27a36a5362f11ef3a71e8875549ec1ba1cb660b

SHA256
fc40e3d95c8a58eb2784a85f0d405cdf3ed06b937c4ca6f3cc8824e8d72b6883

SHA512
ba08790830f5e161e57925782fc4ad5c96aff3f8df2327d03f980d3ebfe9b2eaa114ee8aa77a0e787281ba94000590049c4145fb5e4cd90b0d564d7409831543

Download Submit
C:\Users\Admin\AppData\Local\d96d8b50c07a65ecc182961d57cfcf5d\Admin@PVMNUDVD_en-US\System\Process.txt

Filesize
1KB

MD5
de90a2d690abf6c9a4e37b55c8587456

SHA1
9b0bb852fe93fad14daa585b583fc230c549c56f

SHA256
01297e51c752b626b0d6be07f872445fa1173db4dbe6ac8f71f353dc85ceeb0c

SHA512
041f4ceece8dca28d7874e7ae0086ce743bd7b149e27ffc06e786d9802e82bdc4716a093c020fefecda62e1d3e2e13554216f830ae1ace48ee449d7fae1c5bae

Download Submit
C:\Users\Admin\AppData\Local\d96d8b50c07a65ecc182961d57cfcf5d\Admin@PVMNUDVD_en-US\System\Process.txt

Filesize
1KB

MD5
75c80779f0e464d4125547a8a1efe14d

SHA1
be2ad5a4c4bbbae43ac4787fcb9e789ff0646cdd

SHA256
4560e13bd71e71c38599e5fed64d1658be5466c08af2a17909456d6ce32399ad

SHA512
465302fb613056fa7c37bb2e93e5383dcf66db92ee5224639891f06d77756e1521baed68f098a5ecccac427d836bcd27d8522e2e04cb10c6e4ec1e8984097a29

Download Submit
C:\Users\Admin\AppData\Local\d96d8b50c07a65ecc182961d57cfcf5d\Admin@PVMNUDVD_en-US\System\Process.txt

Filesize
4KB

MD5
2fb80c7e2e8134be987c16a9db307de9

SHA1
659af021da2c82d9bddea4d14018505925dc5362

SHA256
295e82a154d64b0b3d5d6ff78e7cd46d59302520ba4e5975c0db4c40ef67ec84

SHA512
a4707c0b18d91776a10fb779e8b51ecd1ee25bcc4178c33111fa23e5846129b38b73fbe86ae6196bcc399ccdafa146946a9d1d7d781cb385aea903b6e281e75b

Download Submit
C:\Users\Admin\AppData\Local\d96d8b50c07a65ecc182961d57cfcf5d\Admin@PVMNUDVD_en-US\System\Process.txt

Filesize
608B

MD5
8e4eaf3c42e041eb0a66ec3875cadb12

SHA1
f06f524d16f21aa343604caf428869289393dfe5

SHA256
5125bcff0a002ce1165805192347502435ebd42f52b577f7f948aad3f24b5edb

SHA512
f4364b6b71f8440d4d00401a63090631b2ca6d5b7700f8cfb0525ff1c2c5a9ff481aebc6222958b8191cc2d7d3ad129319a54eb2897b7e9085466655f11ce13a

Download Submit
C:\Users\Admin\AppData\Local\d96d8b50c07a65ecc182961d57cfcf5d\Admin@PVMNUDVD_en-US\System\Process.txt

Filesize
672B

MD5
4aedabb63f635b1bc6474bac95276b2c

SHA1
816fddb92316d9228cff3bf94b477566c93844e3

SHA256
36ffa96660fd5397ca727fdd05378db4eba7960e708869fb37f77f8feef623ec

SHA512
8397501800f15d7ac4c02a2f56be4da26abbe07a3eca150dc37573e1781004e46bb56cd0e79e523dc84e91904c5f489829361cac30ab22262aaebd76fcbacb29

Download Submit
C:\Users\Admin\AppData\Local\d96d8b50c07a65ecc182961d57cfcf5d\Admin@PVMNUDVD_en-US\System\Process.txt

Filesize
736B

MD5
2fe21ed289c38a31e028cadf945ff70c

SHA1
59356581983592a0020608b8cf8b664f36bd92c6

SHA256
cf13edf891144e66d24c9044f3dbfaa3dd059d7ff68b1d59b42cb0ed4104dd94

SHA512
572451d6f075ba1288643e825bcf4d2a8681c12db45d90c95ac28c82d80dfd676cf18282e6e8ad0aaf2925248899f22f1d895b2735625989ec6e9fbf07263727

Download Submit
C:\Users\Admin\AppData\Local\d96d8b50c07a65ecc182961d57cfcf5d\Admin@PVMNUDVD_en-US\System\Process.txt

Filesize
807B

MD5
8666d8f22ab35ef9aede7817216a844e

SHA1
0e15dd3ae629e6c83caea91003d6f4c18c9e1dd8

SHA256
13021fddf803c125f1fafb1de50161d23eac207eb69c19f451dec4780fc8b78b

SHA512
e947cac73e9221f4e77bef6046e00a68cd936e625ab187887cf968c025692e3b91265c7f1414cb762e87e211a098987d11154a1bf3181ad4bb38be2a9ea387a5

Download Submit
C:\Users\Admin\AppData\Local\d96d8b50c07a65ecc182961d57cfcf5d\Admin@PVMNUDVD_en-US\System\Process.txt

Filesize
871B

MD5
6875e3536a8353da60a81de8497b39de

SHA1
5ef6a2d1f5a9230f74e32542fac22b030dc13b23

SHA256
d3f78732bea89d25dc863460ac5f9a9bce0d0fa051740c015584afb9116a4a2d

SHA512
36091fe2422a86980cf6c0416111c54e1be138f5f12fc19458a97cc3e8e717202661b14289251629b2ba437c0eb9943a8f193a4379e59ee6bbca289827fcea57

Download Submit
C:\Users\Admin\AppData\Local\d96d8b50c07a65ecc182961d57cfcf5d\Admin@PVMNUDVD_en-US\System\Process.txt

Filesize
942B

MD5
c2de9a9bf3512327ede0572d26ae15d4

SHA1
e3ac32eeb564a058fc0580082dd74a19bf1ee84a

SHA256
940742c02a058a10975a9964c5ace03c10a17746c1d3a88c78ef031d9cb8c2d2

SHA512
4edf85e50a70febbdb59f49eef8fc9050817223d12809a8067d35e36dfd0987dcea8f1f2c45110fab774e735ecd44e8cddcc73a7ba96154f1ec954c14fb5396f

Download Submit
C:\Users\Admin\AppData\Local\d96d8b50c07a65ecc182961d57cfcf5d\Admin@PVMNUDVD_en-US\System\Process.txt

Filesize
1006B

MD5
5bc58e425b006abdf55bda791093a610

SHA1
7fe99d216d3af3738d92233d2f81339899eaa083

SHA256
cf61ab5b1b54e1e2e5073b8f59a4c8e69034219bd68551f77a4c5d08f9c0c71c

SHA512
99e08819c6990c62dafe1ce26a7214e6a469cfe9881a868d01bc004c5da70d24f4465bf437c07259942187f384a5b5d1f41ef3ac94be21faf54685ba2e9c8bc1

Download Submit
C:\Users\Admin\AppData\Local\d96d8b50c07a65ecc182961d57cfcf5d\Admin@PVMNUDVD_en-US\System\Process.txt

Filesize
4KB

MD5
b2d36fac03cee09db8f98e79c8d88163

SHA1
31e27ffbce752671468dc35b614f3fed2c718c72

SHA256
15794292af1bb499b0849a244f105074a06d348ad2d6cdcbc4e9aab714973101

SHA512
87b5d19d3a1abc9281e48ad270b96e62df5c12cf5b75669a8c34f19c4d0f988c50f4d2bb10b5c453b252a737b29f3cd1ea870f301c7af37f26c999c551a28f1d

Download Submit
C:\Users\Admin\AppData\Local\d96d8b50c07a65ecc182961d57cfcf5d\Admin@PVMNUDVD_en-US\System\Process.txt

Filesize
4KB

MD5
4d324a35ef1d0ca05f2a5c6f9fde073c

SHA1
1120fef94eca31ce7ffae676ca50751a362fca84

SHA256
5da6c95dd30761a366b6e45f86b22979dca8c4dceca022be210681a898fcea44

SHA512
a3671c6280347c473732d68e39d7d9add0d73adb2ff0a96a3c8efe4862382e9b8f26d645fc79338552d38df646d611a27e4712056fc40b6170ed42b23c47c9ff

Download Submit
C:\Users\Admin\AppData\Local\d96d8b50c07a65ecc182961d57cfcf5d\msgid.dat

Filesize
1B

MD5
cfcd208495d565ef66e7dff9f98764da

SHA1
b6589fc6ab0dc82cf12099d1c2d40ab994e8410c

SHA256
5feceb66ffc86f38d952786c6d696c79c2dbc239dd4e91b46729d73a27fb57e9

SHA512
31bca02094eb78126a517b206a88c73cfa9ec6f704c7030d18212cace820f025f00bf0ea68dbf3f3a5436ca63b53bf7bf80ad8d5de7d8359d0b7fed9dbc3ab99

Download Submit
memory/2596-24-0x00000000057E0000-0x00000000057EA000-memory.dmp

Filesize
40KB

Download
memory/2596-20-0x0000000005FB0000-0x0000000006554000-memory.dmp

Filesize
5.6MB

Download
memory/2596-19-0x0000000000980000-0x00000000009D8000-memory.dmp

Filesize
352KB

Download
memory/2596-21-0x0000000005A00000-0x0000000005A92000-memory.dmp

Filesize
584KB

Download
memory/2596-17-0x0000000074E4E000-0x0000000074E4F000-memory.dmp

Filesize
4KB

Download
memory/2596-22-0x0000000005AA0000-0x0000000005AEA000-memory.dmp

Filesize
296KB

Download
memory/2596-23-0x0000000005B90000-0x0000000005C2C000-memory.dmp

Filesize
624KB

Download
memory/3644-33-0x0000000005D80000-0x0000000005DE6000-memory.dmp

Filesize
408KB

Download
memory/3644-25-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/3644-698-0x0000000006F00000-0x0000000006F12000-memory.dmp

Filesize
72KB

Download
memory/3644-405-0x00000000069E0000-0x00000000069EA000-memory.dmp

Filesize
40KB

Download
memory/4060-18-0x00007FF95FFB0000-0x00007FF960A71000-memory.dmp

Filesize
10.8MB

Download
memory/4060-10-0x00007FF95FFB0000-0x00007FF960A71000-memory.dmp

Filesize
10.8MB

Download
memory/4060-0-0x00007FF95FFB3000-0x00007FF95FFB5000-memory.dmp

Filesize
8KB

Download
memory/4060-1-0x0000000000F90000-0x0000000000FEC000-memory.dmp

Filesize
368KB

Download
memory/5012-16-0x00007FF95FFB0000-0x00007FF960A71000-memory.dmp

Filesize
10.8MB

Download
memory/5012-30-0x00007FF95FFB0000-0x00007FF960A71000-memory.dmp

Filesize
10.8MB

Download