asyncrat | 9d9a79f4ae9bf7a992945f6c06c5bec642c05e4e828217c50255dabfa3677006

Analysis

max time kernel
20s
max time network
87s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
14-09-2024 01:47

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

RebelCracked.exe
Size

344KB
MD5

a84fd0fc75b9c761e9b7923a08da41c7
SHA1

2597048612041cd7a8c95002c73e9c2818bb2097
SHA256

9d9a79f4ae9bf7a992945f6c06c5bec642c05e4e828217c50255dabfa3677006
SHA512

a17f1144a0e3ce07c7ed6891987c5b969f291e9991442c33750028d35e2194794e8a649c397e8afc9f8ce19d485c453600c75cab4fcead09e38414d85819251a
SSDEEP

6144:lOcpeK8lucxAtLNFHUVuI/2zj1z6jZ755NofmWx4PCQL23wBw7R0ljTwrVuAdJKp:QcpSnx0LNFDQ60Ntbo5d7gBw7R7rbdJk

Score

10^/10

asyncrat stormkitty default credential_access discovery persistence privilege_escalation rat spyware stealer

Malware Config

Extracted

Family

asyncrat

Botnet

Default

127.0.0.1:6606

127.0.0.1:7707

127.0.0.1:8808

Mutex

AsyncMutex_6SI8OkPnk

Attributes

delay
3
install
false
install_folder
%AppData%

aes.plain

Signatures

AsyncRat
AsyncRAT is designed to remotely monitor and control other computers written in C#.
rat asyncrat
StormKitty
StormKitty is an open source info stealer written in C#.
stealer stormkitty

StormKitty payload 1 IoCs

Processes:

resource	yara_rule
behavioral1/memory/4400-27-0x0000000000400000-0x0000000000432000-memory.dmp	family_stormkitty

Credentials from Password Stores: Credentials from Web Browsers 1 TTPs
Malicious Access or copy of Web Browser Credential store.
credential_access stealer

Credentials from Web Browsers
T1555.003

Checks computer location settings 2 TTPs 8 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

RebelCracked.exeRebelCracked.exeRebelCracked.exeRebelCracked.exeRebelCracked.exeRebelCracked.exeRebelCracked.exeRebelCracked.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\Control Panel\International\Geo\Nation	RebelCracked.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\Control Panel\International\Geo\Nation	RebelCracked.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\Control Panel\International\Geo\Nation	RebelCracked.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\Control Panel\International\Geo\Nation	RebelCracked.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\Control Panel\International\Geo\Nation	RebelCracked.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\Control Panel\International\Geo\Nation	RebelCracked.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\Control Panel\International\Geo\Nation	RebelCracked.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\Control Panel\International\Geo\Nation	RebelCracked.exe

Executes dropped EXE 16 IoCs

Processes:

RuntimeBroker.exeRuntimeBroker.exeRuntimeBroker.exeRuntimeBroker.exeRuntimeBroker.exeRuntimeBroker.exeRuntimeBroker.exeRuntimeBroker.exeRuntimeBroker.exeRuntimeBroker.exeRuntimeBroker.exeRuntimeBroker.exeRuntimeBroker.exeRuntimeBroker.exeRuntimeBroker.exeRuntimeBroker.exe

pid	process
4952	RuntimeBroker.exe
4400	RuntimeBroker.exe
3668	RuntimeBroker.exe
4616	RuntimeBroker.exe
3528	RuntimeBroker.exe
2276	RuntimeBroker.exe
5096	RuntimeBroker.exe
756	RuntimeBroker.exe
4312	RuntimeBroker.exe
2420	RuntimeBroker.exe
3644	RuntimeBroker.exe
4880	RuntimeBroker.exe
2796	RuntimeBroker.exe
3668	RuntimeBroker.exe
2504	RuntimeBroker.exe
2304	RuntimeBroker.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops desktop.ini file(s) 36 IoCs

Processes:

RuntimeBroker.exeRuntimeBroker.exeRuntimeBroker.exeRuntimeBroker.exeRuntimeBroker.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Local\cd715dd0cb9123424d92f63e0c63e92a\Admin@KZYBFHMK_en-US\Grabber\DRIVE-C\Users\Admin\Pictures\desktop.ini	RuntimeBroker.exe
File opened for modification	C:\Users\Admin\AppData\Local\244afb72866c8b52ebeea553725abc3a\Admin@KZYBFHMK_en-US\Grabber\DRIVE-C\Users\Admin\Desktop\desktop.ini	RuntimeBroker.exe
File created	C:\Users\Admin\AppData\Local\244afb72866c8b52ebeea553725abc3a\Admin@KZYBFHMK_en-US\Grabber\DRIVE-C\Users\Admin\Pictures\Camera Roll\desktop.ini	RuntimeBroker.exe
File created	C:\Users\Admin\AppData\Local\67f1f087b0b9cfa24bb66032c6fc12e7\Admin@KZYBFHMK_en-US\Grabber\DRIVE-C\Users\Admin\Pictures\Camera Roll\desktop.ini	RuntimeBroker.exe
File created	C:\Users\Admin\AppData\Local\67f1f087b0b9cfa24bb66032c6fc12e7\Admin@KZYBFHMK_en-US\Grabber\DRIVE-C\Users\Admin\Pictures\Saved Pictures\desktop.ini	RuntimeBroker.exe
File created	C:\Users\Admin\AppData\Local\48fc5197e2f4f4ede7a9e52c81d7baf7\Admin@KZYBFHMK_en-US\Grabber\DRIVE-C\Users\Admin\Desktop\desktop.ini	RuntimeBroker.exe
File opened for modification	C:\Users\Admin\AppData\Local\cd715dd0cb9123424d92f63e0c63e92a\Admin@KZYBFHMK_en-US\Grabber\DRIVE-C\Users\Admin\Downloads\desktop.ini	RuntimeBroker.exe
File created	C:\Users\Admin\AppData\Local\cd715dd0cb9123424d92f63e0c63e92a\Admin@KZYBFHMK_en-US\Grabber\DRIVE-C\Users\Admin\Desktop\desktop.ini	RuntimeBroker.exe
File created	C:\Users\Admin\AppData\Local\48fc5197e2f4f4ede7a9e52c81d7baf7\Admin@KZYBFHMK_en-US\Grabber\DRIVE-C\Users\Admin\Pictures\Camera Roll\desktop.ini	RuntimeBroker.exe
File created	C:\Users\Admin\AppData\Local\48fc5197e2f4f4ede7a9e52c81d7baf7\Admin@KZYBFHMK_en-US\Grabber\DRIVE-C\Users\Admin\Documents\desktop.ini	RuntimeBroker.exe
File opened for modification	C:\Users\Admin\AppData\Local\48fc5197e2f4f4ede7a9e52c81d7baf7\Admin@KZYBFHMK_en-US\Grabber\DRIVE-C\Users\Admin\Desktop\desktop.ini	RuntimeBroker.exe
File created	C:\Users\Admin\AppData\Local\48fc5197e2f4f4ede7a9e52c81d7baf7\Admin@KZYBFHMK_en-US\Grabber\DRIVE-C\Users\Admin\Pictures\desktop.ini	RuntimeBroker.exe
File created	C:\Users\Admin\AppData\Local\67f1f087b0b9cfa24bb66032c6fc12e7\Admin@KZYBFHMK_en-US\Grabber\DRIVE-C\Users\Admin\Desktop\desktop.ini	RuntimeBroker.exe
File created	C:\Users\Admin\AppData\Local\cd715dd0cb9123424d92f63e0c63e92a\Admin@KZYBFHMK_en-US\Grabber\DRIVE-C\Users\Admin\Documents\desktop.ini	RuntimeBroker.exe
File created	C:\Users\Admin\AppData\Local\244afb72866c8b52ebeea553725abc3a\Admin@KZYBFHMK_en-US\Grabber\DRIVE-C\Users\Admin\Pictures\desktop.ini	RuntimeBroker.exe
File created	C:\Users\Admin\AppData\Local\244afb72866c8b52ebeea553725abc3a\Admin@KZYBFHMK_en-US\Grabber\DRIVE-C\Users\Admin\Pictures\Saved Pictures\desktop.ini	RuntimeBroker.exe
File created	C:\Users\Admin\AppData\Local\cd715dd0cb9123424d92f63e0c63e92a\Admin@KZYBFHMK_en-US\Grabber\DRIVE-C\Users\Admin\Desktop\desktop.ini	RuntimeBroker.exe
File created	C:\Users\Admin\AppData\Local\cd715dd0cb9123424d92f63e0c63e92a\Admin@KZYBFHMK_en-US\Grabber\DRIVE-C\Users\Admin\Pictures\Camera Roll\desktop.ini	RuntimeBroker.exe
File created	C:\Users\Admin\AppData\Local\244afb72866c8b52ebeea553725abc3a\Admin@KZYBFHMK_en-US\Grabber\DRIVE-C\Users\Admin\Downloads\desktop.ini	RuntimeBroker.exe
File created	C:\Users\Admin\AppData\Local\67f1f087b0b9cfa24bb66032c6fc12e7\Admin@KZYBFHMK_en-US\Grabber\DRIVE-C\Users\Admin\Documents\desktop.ini	RuntimeBroker.exe
File created	C:\Users\Admin\AppData\Local\48fc5197e2f4f4ede7a9e52c81d7baf7\Admin@KZYBFHMK_en-US\Grabber\DRIVE-C\Users\Admin\Pictures\Saved Pictures\desktop.ini	RuntimeBroker.exe
File created	C:\Users\Admin\AppData\Local\48fc5197e2f4f4ede7a9e52c81d7baf7\Admin@KZYBFHMK_en-US\Grabber\DRIVE-C\Users\Admin\Downloads\desktop.ini	RuntimeBroker.exe
File created	C:\Users\Admin\AppData\Local\cd715dd0cb9123424d92f63e0c63e92a\Admin@KZYBFHMK_en-US\Grabber\DRIVE-C\Users\Admin\Downloads\desktop.ini	RuntimeBroker.exe
File created	C:\Users\Admin\AppData\Local\244afb72866c8b52ebeea553725abc3a\Admin@KZYBFHMK_en-US\Grabber\DRIVE-C\Users\Admin\Documents\desktop.ini	RuntimeBroker.exe
File created	C:\Users\Admin\AppData\Local\cd715dd0cb9123424d92f63e0c63e92a\Admin@KZYBFHMK_en-US\Grabber\DRIVE-C\Users\Admin\Pictures\Saved Pictures\desktop.ini	RuntimeBroker.exe
File created	C:\Users\Admin\AppData\Local\67f1f087b0b9cfa24bb66032c6fc12e7\Admin@KZYBFHMK_en-US\Grabber\DRIVE-C\Users\Admin\Pictures\desktop.ini	RuntimeBroker.exe
File created	C:\Users\Admin\AppData\Local\cd715dd0cb9123424d92f63e0c63e92a\Admin@KZYBFHMK_en-US\Grabber\DRIVE-C\Users\Admin\Pictures\desktop.ini	RuntimeBroker.exe
File created	C:\Users\Admin\AppData\Local\cd715dd0cb9123424d92f63e0c63e92a\Admin@KZYBFHMK_en-US\Grabber\DRIVE-C\Users\Admin\Pictures\Camera Roll\desktop.ini	RuntimeBroker.exe
File created	C:\Users\Admin\AppData\Local\cd715dd0cb9123424d92f63e0c63e92a\Admin@KZYBFHMK_en-US\Grabber\DRIVE-C\Users\Admin\Documents\desktop.ini	RuntimeBroker.exe
File created	C:\Users\Admin\AppData\Local\67f1f087b0b9cfa24bb66032c6fc12e7\Admin@KZYBFHMK_en-US\Grabber\DRIVE-C\Users\Admin\Downloads\desktop.ini	RuntimeBroker.exe
File created	C:\Users\Admin\AppData\Local\244afb72866c8b52ebeea553725abc3a\Admin@KZYBFHMK_en-US\Grabber\DRIVE-C\Users\Admin\Desktop\desktop.ini	RuntimeBroker.exe
File opened for modification	C:\Users\Admin\AppData\Local\67f1f087b0b9cfa24bb66032c6fc12e7\Admin@KZYBFHMK_en-US\Grabber\DRIVE-C\Users\Admin\Desktop\desktop.ini	RuntimeBroker.exe
File opened for modification	C:\Users\Admin\AppData\Local\cd715dd0cb9123424d92f63e0c63e92a\Admin@KZYBFHMK_en-US\Grabber\DRIVE-C\Users\Admin\Desktop\desktop.ini	RuntimeBroker.exe
File created	C:\Users\Admin\AppData\Local\cd715dd0cb9123424d92f63e0c63e92a\Admin@KZYBFHMK_en-US\Grabber\DRIVE-C\Users\Admin\Downloads\desktop.ini	RuntimeBroker.exe
File opened for modification	C:\Users\Admin\AppData\Local\cd715dd0cb9123424d92f63e0c63e92a\Admin@KZYBFHMK_en-US\Grabber\DRIVE-C\Users\Admin\Desktop\desktop.ini	RuntimeBroker.exe
File created	C:\Users\Admin\AppData\Local\cd715dd0cb9123424d92f63e0c63e92a\Admin@KZYBFHMK_en-US\Grabber\DRIVE-C\Users\Admin\Pictures\Saved Pictures\desktop.ini	RuntimeBroker.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 13 IoCs

Web Service

T1102

Processes:

flow	ioc
59	pastebin.com
74	pastebin.com
33	pastebin.com
43	pastebin.com
84	pastebin.com
94	pastebin.com
135	pastebin.com
34	pastebin.com
77	pastebin.com
100	pastebin.com
101	pastebin.com
141	pastebin.com
76	pastebin.com

Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

23 icanhazip.com
Looks up geolocation information via web service
Uses a legitimate geolocation service to find the infected system's geolocation info.

flow	ioc
23	icanhazip.com

Suspicious use of SetThreadContext 8 IoCs

Processes:

RuntimeBroker.exeRuntimeBroker.exeRuntimeBroker.exeRuntimeBroker.exeRuntimeBroker.exeRuntimeBroker.exeRuntimeBroker.exeRuntimeBroker.exe

description	pid	process	target process
PID 4952 set thread context of 4400	4952	RuntimeBroker.exe	RuntimeBroker.exe
PID 3668 set thread context of 4616	3668	RuntimeBroker.exe	RuntimeBroker.exe
PID 3528 set thread context of 2276	3528	RuntimeBroker.exe	RuntimeBroker.exe
PID 5096 set thread context of 756	5096	RuntimeBroker.exe	RuntimeBroker.exe
PID 4312 set thread context of 2420	4312	RuntimeBroker.exe	RuntimeBroker.exe
PID 3644 set thread context of 4880	3644	RuntimeBroker.exe	RuntimeBroker.exe
PID 2796 set thread context of 3668	2796	RuntimeBroker.exe	RuntimeBroker.exe
PID 2504 set thread context of 2304	2504	RuntimeBroker.exe	findstr.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Event Triggered Execution: Netsh Helper DLL 1 TTPs 6 IoCs

Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

persistence privilege_escalation

Netsh Helper DLL

T1546.007

Processes:

netsh.exenetsh.exe

description	ioc	process
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe

System Location Discovery: System Language Discovery 1 TTPs 23 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

RuntimeBroker.exechcp.comcmd.exeRuntimeBroker.exeRuntimeBroker.exeRuntimeBroker.exenetsh.exeRuntimeBroker.exeRuntimeBroker.exeRuntimeBroker.execmd.exefindstr.exeRuntimeBroker.exeRuntimeBroker.exeRuntimeBroker.exeRuntimeBroker.exeRuntimeBroker.exeRuntimeBroker.exechcp.comnetsh.exeRuntimeBroker.exeRuntimeBroker.exeRuntimeBroker.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RuntimeBroker.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	chcp.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RuntimeBroker.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RuntimeBroker.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RuntimeBroker.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RuntimeBroker.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RuntimeBroker.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RuntimeBroker.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	findstr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RuntimeBroker.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RuntimeBroker.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RuntimeBroker.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RuntimeBroker.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RuntimeBroker.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RuntimeBroker.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	chcp.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RuntimeBroker.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RuntimeBroker.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RuntimeBroker.exe

System Network Configuration Discovery: Wi-Fi Discovery 1 TTPs 48 IoCs

Adversaries may search for information about Wi-Fi networks, such as network names and passwords, on compromised systems.

discovery

Wi-Fi Discovery

T1016.002

Processes:

cmd.exenetsh.exenetsh.exenetsh.execmd.exenetsh.execmd.exenetsh.execmd.execmd.exenetsh.execmd.exenetsh.execmd.exenetsh.execmd.exenetsh.execmd.execmd.execmd.exenetsh.exenetsh.execmd.execmd.execmd.exenetsh.exenetsh.execmd.exenetsh.execmd.exenetsh.execmd.execmd.execmd.execmd.execmd.exenetsh.exenetsh.exenetsh.execmd.exenetsh.exenetsh.exenetsh.exenetsh.execmd.execmd.exenetsh.exenetsh.exe

pid	process
4204	cmd.exe
2284	netsh.exe
3592	netsh.exe
5376	netsh.exe
5940	cmd.exe
4688	netsh.exe
2720	cmd.exe
2900	netsh.exe
2316	cmd.exe
1384	cmd.exe
4684	netsh.exe
3688	cmd.exe
4816	netsh.exe
4120	cmd.exe
1548	netsh.exe
2288	cmd.exe
772	netsh.exe
828	cmd.exe
2420	cmd.exe
844	cmd.exe
2708	netsh.exe
4576	netsh.exe
2788	cmd.exe
5028	cmd.exe
5304	cmd.exe
4344	netsh.exe
3968	netsh.exe
4428	cmd.exe
1316	netsh.exe
4204	cmd.exe
4512	netsh.exe
1152	cmd.exe
4912	cmd.exe
1916	cmd.exe
1404	cmd.exe
2724	cmd.exe
3652	netsh.exe
2428	netsh.exe
4792	netsh.exe
6136	cmd.exe
1404	netsh.exe
6112	netsh.exe
2576	netsh.exe
2708	netsh.exe
1140	cmd.exe
5060	cmd.exe
4788	netsh.exe
3088	netsh.exe

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

taskmgr.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	taskmgr.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName	taskmgr.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

RuntimeBroker.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\Description\System\CentralProcessor\0	RuntimeBroker.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	RuntimeBroker.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

RuntimeBroker.exeRuntimeBroker.exeRuntimeBroker.exetaskmgr.exeRuntimeBroker.exe

pid	process
4400	RuntimeBroker.exe
4400	RuntimeBroker.exe
4400	RuntimeBroker.exe
4400	RuntimeBroker.exe
4400	RuntimeBroker.exe
4400	RuntimeBroker.exe
4400	RuntimeBroker.exe
4400	RuntimeBroker.exe
4400	RuntimeBroker.exe
4400	RuntimeBroker.exe
4616	RuntimeBroker.exe
4616	RuntimeBroker.exe
4616	RuntimeBroker.exe
4616	RuntimeBroker.exe
4616	RuntimeBroker.exe
4616	RuntimeBroker.exe
4616	RuntimeBroker.exe
4616	RuntimeBroker.exe
2276	RuntimeBroker.exe
2276	RuntimeBroker.exe
2276	RuntimeBroker.exe
4616	RuntimeBroker.exe
4616	RuntimeBroker.exe
4616	RuntimeBroker.exe
4616	RuntimeBroker.exe
4616	RuntimeBroker.exe
4616	RuntimeBroker.exe
2276	RuntimeBroker.exe
2276	RuntimeBroker.exe
4616	RuntimeBroker.exe
4616	RuntimeBroker.exe
2276	RuntimeBroker.exe
2276	RuntimeBroker.exe
2276	RuntimeBroker.exe
2276	RuntimeBroker.exe
4304	taskmgr.exe
4304	taskmgr.exe
2276	RuntimeBroker.exe
2276	RuntimeBroker.exe
2276	RuntimeBroker.exe
2276	RuntimeBroker.exe
2276	RuntimeBroker.exe
2276	RuntimeBroker.exe
4616	RuntimeBroker.exe
4616	RuntimeBroker.exe
4304	taskmgr.exe
4304	taskmgr.exe
2276	RuntimeBroker.exe
2276	RuntimeBroker.exe
4616	RuntimeBroker.exe
4616	RuntimeBroker.exe
756	RuntimeBroker.exe
756	RuntimeBroker.exe
756	RuntimeBroker.exe
4304	taskmgr.exe
756	RuntimeBroker.exe
756	RuntimeBroker.exe
4304	taskmgr.exe
4616	RuntimeBroker.exe
4616	RuntimeBroker.exe
756	RuntimeBroker.exe
756	RuntimeBroker.exe
756	RuntimeBroker.exe
756	RuntimeBroker.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

Processes:

RuntimeBroker.exeRuntimeBroker.exeRuntimeBroker.exeRuntimeBroker.exeRuntimeBroker.exeRuntimeBroker.exetaskmgr.exeRuntimeBroker.exeRuntimeBroker.exe

description	pid	process
Token: SeDebugPrivilege	4400	RuntimeBroker.exe
Token: SeDebugPrivilege	4616	RuntimeBroker.exe
Token: SeDebugPrivilege	2276	RuntimeBroker.exe
Token: SeDebugPrivilege	756	RuntimeBroker.exe
Token: SeDebugPrivilege	2420	RuntimeBroker.exe
Token: SeDebugPrivilege	4880	RuntimeBroker.exe
Token: SeDebugPrivilege	4304	taskmgr.exe
Token: SeSystemProfilePrivilege	4304	taskmgr.exe
Token: SeCreateGlobalPrivilege	4304	taskmgr.exe
Token: SeDebugPrivilege	3668	RuntimeBroker.exe
Token: SeDebugPrivilege	2304	RuntimeBroker.exe

Suspicious use of FindShellTrayWindow 19 IoCs

Processes:

taskmgr.exe

pid	process
4304	taskmgr.exe
4304	taskmgr.exe
4304	taskmgr.exe
4304	taskmgr.exe
4304	taskmgr.exe
4304	taskmgr.exe
4304	taskmgr.exe
4304	taskmgr.exe
4304	taskmgr.exe
4304	taskmgr.exe
4304	taskmgr.exe
4304	taskmgr.exe
4304	taskmgr.exe
4304	taskmgr.exe
4304	taskmgr.exe
4304	taskmgr.exe
4304	taskmgr.exe
4304	taskmgr.exe
4304	taskmgr.exe

Suspicious use of SendNotifyMessage 19 IoCs

Processes:

taskmgr.exe

pid	process
4304	taskmgr.exe
4304	taskmgr.exe
4304	taskmgr.exe
4304	taskmgr.exe
4304	taskmgr.exe
4304	taskmgr.exe
4304	taskmgr.exe
4304	taskmgr.exe
4304	taskmgr.exe
4304	taskmgr.exe
4304	taskmgr.exe
4304	taskmgr.exe
4304	taskmgr.exe
4304	taskmgr.exe
4304	taskmgr.exe
4304	taskmgr.exe
4304	taskmgr.exe
4304	taskmgr.exe
4304	taskmgr.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

RebelCracked.exeRuntimeBroker.exeRebelCracked.exeRuntimeBroker.exeRebelCracked.exeRuntimeBroker.exeRebelCracked.exeRuntimeBroker.exeRebelCracked.exeRuntimeBroker.exe

description	pid	process	target process
PID 4456 wrote to memory of 4952	4456	RebelCracked.exe	RuntimeBroker.exe
PID 4456 wrote to memory of 4952	4456	RebelCracked.exe	RuntimeBroker.exe
PID 4456 wrote to memory of 4952	4456	RebelCracked.exe	RuntimeBroker.exe
PID 4456 wrote to memory of 4508	4456	RebelCracked.exe	RebelCracked.exe
PID 4456 wrote to memory of 4508	4456	RebelCracked.exe	RebelCracked.exe
PID 4952 wrote to memory of 4400	4952	RuntimeBroker.exe	RuntimeBroker.exe
PID 4952 wrote to memory of 4400	4952	RuntimeBroker.exe	RuntimeBroker.exe
PID 4952 wrote to memory of 4400	4952	RuntimeBroker.exe	RuntimeBroker.exe
PID 4952 wrote to memory of 4400	4952	RuntimeBroker.exe	RuntimeBroker.exe
PID 4952 wrote to memory of 4400	4952	RuntimeBroker.exe	RuntimeBroker.exe
PID 4952 wrote to memory of 4400	4952	RuntimeBroker.exe	RuntimeBroker.exe
PID 4952 wrote to memory of 4400	4952	RuntimeBroker.exe	RuntimeBroker.exe
PID 4952 wrote to memory of 4400	4952	RuntimeBroker.exe	RuntimeBroker.exe
PID 4508 wrote to memory of 3668	4508	RebelCracked.exe	RuntimeBroker.exe
PID 4508 wrote to memory of 3668	4508	RebelCracked.exe	RuntimeBroker.exe
PID 4508 wrote to memory of 3668	4508	RebelCracked.exe	RuntimeBroker.exe
PID 4508 wrote to memory of 3964	4508	RebelCracked.exe	RebelCracked.exe
PID 4508 wrote to memory of 3964	4508	RebelCracked.exe	RebelCracked.exe
PID 3668 wrote to memory of 4616	3668	RuntimeBroker.exe	RuntimeBroker.exe
PID 3668 wrote to memory of 4616	3668	RuntimeBroker.exe	RuntimeBroker.exe
PID 3668 wrote to memory of 4616	3668	RuntimeBroker.exe	RuntimeBroker.exe
PID 3668 wrote to memory of 4616	3668	RuntimeBroker.exe	RuntimeBroker.exe
PID 3668 wrote to memory of 4616	3668	RuntimeBroker.exe	RuntimeBroker.exe
PID 3668 wrote to memory of 4616	3668	RuntimeBroker.exe	RuntimeBroker.exe
PID 3668 wrote to memory of 4616	3668	RuntimeBroker.exe	RuntimeBroker.exe
PID 3668 wrote to memory of 4616	3668	RuntimeBroker.exe	RuntimeBroker.exe
PID 3964 wrote to memory of 3528	3964	RebelCracked.exe	RuntimeBroker.exe
PID 3964 wrote to memory of 3528	3964	RebelCracked.exe	RuntimeBroker.exe
PID 3964 wrote to memory of 3528	3964	RebelCracked.exe	RuntimeBroker.exe
PID 3964 wrote to memory of 452	3964	RebelCracked.exe	RebelCracked.exe
PID 3964 wrote to memory of 452	3964	RebelCracked.exe	RebelCracked.exe
PID 3528 wrote to memory of 2276	3528	RuntimeBroker.exe	RuntimeBroker.exe
PID 3528 wrote to memory of 2276	3528	RuntimeBroker.exe	RuntimeBroker.exe
PID 3528 wrote to memory of 2276	3528	RuntimeBroker.exe	RuntimeBroker.exe
PID 3528 wrote to memory of 2276	3528	RuntimeBroker.exe	RuntimeBroker.exe
PID 3528 wrote to memory of 2276	3528	RuntimeBroker.exe	RuntimeBroker.exe
PID 3528 wrote to memory of 2276	3528	RuntimeBroker.exe	RuntimeBroker.exe
PID 3528 wrote to memory of 2276	3528	RuntimeBroker.exe	RuntimeBroker.exe
PID 3528 wrote to memory of 2276	3528	RuntimeBroker.exe	RuntimeBroker.exe
PID 452 wrote to memory of 5096	452	RebelCracked.exe	RuntimeBroker.exe
PID 452 wrote to memory of 5096	452	RebelCracked.exe	RuntimeBroker.exe
PID 452 wrote to memory of 5096	452	RebelCracked.exe	RuntimeBroker.exe
PID 452 wrote to memory of 1336	452	RebelCracked.exe	RebelCracked.exe
PID 452 wrote to memory of 1336	452	RebelCracked.exe	RebelCracked.exe
PID 5096 wrote to memory of 2232	5096	RuntimeBroker.exe	RuntimeBroker.exe
PID 5096 wrote to memory of 2232	5096	RuntimeBroker.exe	RuntimeBroker.exe
PID 5096 wrote to memory of 2232	5096	RuntimeBroker.exe	RuntimeBroker.exe
PID 5096 wrote to memory of 756	5096	RuntimeBroker.exe	RuntimeBroker.exe
PID 5096 wrote to memory of 756	5096	RuntimeBroker.exe	RuntimeBroker.exe
PID 5096 wrote to memory of 756	5096	RuntimeBroker.exe	RuntimeBroker.exe
PID 5096 wrote to memory of 756	5096	RuntimeBroker.exe	RuntimeBroker.exe
PID 5096 wrote to memory of 756	5096	RuntimeBroker.exe	RuntimeBroker.exe
PID 5096 wrote to memory of 756	5096	RuntimeBroker.exe	RuntimeBroker.exe
PID 5096 wrote to memory of 756	5096	RuntimeBroker.exe	RuntimeBroker.exe
PID 5096 wrote to memory of 756	5096	RuntimeBroker.exe	RuntimeBroker.exe
PID 1336 wrote to memory of 4312	1336	RebelCracked.exe	RuntimeBroker.exe
PID 1336 wrote to memory of 4312	1336	RebelCracked.exe	RuntimeBroker.exe
PID 1336 wrote to memory of 4312	1336	RebelCracked.exe	RuntimeBroker.exe
PID 1336 wrote to memory of 4428	1336	RebelCracked.exe	RebelCracked.exe
PID 1336 wrote to memory of 4428	1336	RebelCracked.exe	RebelCracked.exe
PID 4312 wrote to memory of 2420	4312	RuntimeBroker.exe	RuntimeBroker.exe
PID 4312 wrote to memory of 2420	4312	RuntimeBroker.exe	RuntimeBroker.exe
PID 4312 wrote to memory of 2420	4312	RuntimeBroker.exe	RuntimeBroker.exe
PID 4312 wrote to memory of 2420	4312	RuntimeBroker.exe	RuntimeBroker.exe

C:\Users\Admin\AppData\Local\Temp\RebelCracked.exe
"C:\Users\Admin\AppData\Local\Temp\RebelCracked.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:4456
- C:\Users\Admin\AppData\Local\RuntimeBroker.exe
  "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:4952
- - C:\Users\Admin\AppData\Local\RuntimeBroker.exe
    "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
    3⤵
    - Executes dropped EXE
    - Drops desktop.ini file(s)
    - System Location Discovery: System Language Discovery
    - Checks processor information in registry
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:4400
  - - C:\Windows\SysWOW64\cmd.exe
      "cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All
      4⤵
      System Location Discovery: System Language Discovery
      System Network Configuration Discovery: Wi-Fi Discovery
      PID:4912
    - - C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:3036
    - - C:\Windows\SysWOW64\netsh.exe
        
        netsh wlan show profile
        5⤵
        Event Triggered Execution: Netsh Helper DLL
        System Location Discovery: System Language Discovery
        System Network Configuration Discovery: Wi-Fi Discovery
        
        PID:4684
    - - C:\Windows\SysWOW64\findstr.exe
        
        findstr All
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:2428
  - - C:\Windows\SysWOW64\cmd.exe
      "cmd.exe" /C chcp 65001 && netsh wlan show networks mode=bssid
      4⤵
      System Location Discovery: System Language Discovery
      PID:3512
    - - C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:3832
    - - C:\Windows\SysWOW64\netsh.exe
        
        netsh wlan show networks mode=bssid
        5⤵
        Event Triggered Execution: Netsh Helper DLL
        System Location Discovery: System Language Discovery
        
        PID:2980
- C:\Users\Admin\AppData\Local\Temp\RebelCracked.exe
  "C:\Users\Admin\AppData\Local\Temp\RebelCracked.exe"
  2⤵
  - Checks computer location settings
  - Suspicious use of WriteProcessMemory
  PID:4508
- - C:\Users\Admin\AppData\Local\RuntimeBroker.exe
    "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:3668
  - - C:\Users\Admin\AppData\Local\RuntimeBroker.exe
      "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
      4⤵
      Executes dropped EXE
      Drops desktop.ini file(s)
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:4616
    - - C:\Windows\SysWOW64\cmd.exe
        
        "cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All
        5⤵
        System Network Configuration Discovery: Wi-Fi Discovery
        
        PID:1916
      - C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        6⤵
        
        PID:2696
      - C:\Windows\SysWOW64\netsh.exe
        
        netsh wlan show profile
        6⤵
        System Network Configuration Discovery: Wi-Fi Discovery
        
        PID:3968
      - C:\Windows\SysWOW64\findstr.exe
        
        findstr All
        6⤵
        
        PID:1396
    - - C:\Windows\SysWOW64\cmd.exe
        
        "cmd.exe" /C chcp 65001 && netsh wlan show networks mode=bssid
        5⤵
        
        PID:452
      - C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        6⤵
        
        PID:4552
      - C:\Windows\SysWOW64\netsh.exe
        
        netsh wlan show networks mode=bssid
        6⤵
        
        PID:2576
- - C:\Users\Admin\AppData\Local\Temp\RebelCracked.exe
    "C:\Users\Admin\AppData\Local\Temp\RebelCracked.exe"
    3⤵
    - Checks computer location settings
    - Suspicious use of WriteProcessMemory
    PID:3964
  - - C:\Users\Admin\AppData\Local\RuntimeBroker.exe
      "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of SetThreadContext
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:3528
    - - C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        5⤵
        Executes dropped EXE
        Drops desktop.ini file(s)
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2276
      - C:\Windows\SysWOW64\cmd.exe
        
        "cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All
        6⤵
        System Network Configuration Discovery: Wi-Fi Discovery
        
        PID:1404
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        7⤵
        
        PID:4328
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh wlan show profile
        7⤵
        System Network Configuration Discovery: Wi-Fi Discovery
        
        PID:4788
        
        C:\Windows\SysWOW64\findstr.exe
        
        findstr All
        7⤵
        
        PID:3672
      - C:\Windows\SysWOW64\cmd.exe
        
        "cmd.exe" /C chcp 65001 && netsh wlan show networks mode=bssid
        6⤵
        
        PID:1352
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        7⤵
        
        PID:4500
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh wlan show networks mode=bssid
        7⤵
        
        PID:2796
  - - C:\Users\Admin\AppData\Local\Temp\RebelCracked.exe
      "C:\Users\Admin\AppData\Local\Temp\RebelCracked.exe"
      4⤵
      Checks computer location settings
      Suspicious use of WriteProcessMemory
      PID:452
    - - C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:5096
      - C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        6⤵
        
        PID:2232
      - C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        6⤵
        Executes dropped EXE
        Drops desktop.ini file(s)
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:756
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All
        7⤵
        System Network Configuration Discovery: Wi-Fi Discovery
        
        PID:4428
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        8⤵
        
        PID:2912
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh wlan show profile
        8⤵
        System Network Configuration Discovery: Wi-Fi Discovery
        
        PID:4688
        
        C:\Windows\SysWOW64\findstr.exe
        
        findstr All
        8⤵
        
        PID:2192
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd.exe" /C chcp 65001 && netsh wlan show networks mode=bssid
        7⤵
        
        PID:4556
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        8⤵
        
        PID:4312
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh wlan show networks mode=bssid
        8⤵
        
        PID:1384
    - - C:\Users\Admin\AppData\Local\Temp\RebelCracked.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RebelCracked.exe"
        5⤵
        Checks computer location settings
        Suspicious use of WriteProcessMemory
        
        PID:1336
      - C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        6⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4312
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        7⤵
        Executes dropped EXE
        Drops desktop.ini file(s)
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:2420
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All
        8⤵
        System Network Configuration Discovery: Wi-Fi Discovery
        
        PID:4204
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        9⤵
        
        PID:3604
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh wlan show profile
        9⤵
        System Network Configuration Discovery: Wi-Fi Discovery
        
        PID:4344
        
        C:\Windows\SysWOW64\findstr.exe
        
        findstr All
        9⤵
        
        PID:4336
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd.exe" /C chcp 65001 && netsh wlan show networks mode=bssid
        8⤵
        
        PID:4856
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        9⤵
        
        PID:4748
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh wlan show networks mode=bssid
        9⤵
        
        PID:4500
      - C:\Users\Admin\AppData\Local\Temp\RebelCracked.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RebelCracked.exe"
        6⤵
        Checks computer location settings
        
        PID:4428
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        7⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:3644
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        8⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:4880
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All
        9⤵
        System Network Configuration Discovery: Wi-Fi Discovery
        
        PID:5060
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        10⤵
        
        PID:3660
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh wlan show profile
        10⤵
        System Network Configuration Discovery: Wi-Fi Discovery
        
        PID:2284
        
        C:\Windows\SysWOW64\findstr.exe
        
        findstr All
        10⤵
        
        PID:4344
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd.exe" /C chcp 65001 && netsh wlan show networks mode=bssid
        9⤵
        
        PID:2272
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        10⤵
        
        PID:1928
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh wlan show networks mode=bssid
        10⤵
        
        PID:932
        
        C:\Users\Admin\AppData\Local\Temp\RebelCracked.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RebelCracked.exe"
        7⤵
        Checks computer location settings
        
        PID:1632
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        8⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:2796
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        9⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:3668
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All
        10⤵
        System Network Configuration Discovery: Wi-Fi Discovery
        
        PID:3688
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        11⤵
        
        PID:3988
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh wlan show profile
        11⤵
        System Network Configuration Discovery: Wi-Fi Discovery
        
        PID:4816
        
        C:\Windows\SysWOW64\findstr.exe
        
        findstr All
        11⤵
        
        PID:4264
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd.exe" /C chcp 65001 && netsh wlan show networks mode=bssid
        10⤵
        
        PID:3160
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        11⤵
        
        PID:4776
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh wlan show networks mode=bssid
        11⤵
        
        PID:4908
        
        C:\Users\Admin\AppData\Local\Temp\RebelCracked.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RebelCracked.exe"
        8⤵
        Checks computer location settings
        
        PID:2804
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        9⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:2504
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        10⤵
        
        PID:2164
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        10⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:2304
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All
        11⤵
        System Network Configuration Discovery: Wi-Fi Discovery
        
        PID:2720
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        12⤵
        
        PID:2300
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh wlan show profile
        12⤵
        System Network Configuration Discovery: Wi-Fi Discovery
        
        PID:1316
        
        C:\Windows\SysWOW64\findstr.exe
        
        findstr All
        12⤵
        
        PID:1928
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd.exe" /C chcp 65001 && netsh wlan show networks mode=bssid
        11⤵
        
        PID:3552
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        12⤵
        
        PID:5096
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh wlan show networks mode=bssid
        12⤵
        
        PID:1140
        
        C:\Users\Admin\AppData\Local\Temp\RebelCracked.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RebelCracked.exe"
        9⤵
        
        PID:1468
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        10⤵
        
        PID:4868
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        11⤵
        
        PID:2260
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All
        12⤵
        System Network Configuration Discovery: Wi-Fi Discovery
        
        PID:828
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        13⤵
        
        PID:2576
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh wlan show profile
        13⤵
        System Network Configuration Discovery: Wi-Fi Discovery
        
        PID:2900
        
        C:\Windows\SysWOW64\findstr.exe
        
        findstr All
        13⤵
        
        PID:4768
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd.exe" /C chcp 65001 && netsh wlan show networks mode=bssid
        12⤵
        
        PID:3504
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        13⤵
        
        PID:3552
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh wlan show networks mode=bssid
        13⤵
        
        PID:1548
        
        C:\Users\Admin\AppData\Local\Temp\RebelCracked.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RebelCracked.exe"
        10⤵
        
        PID:932
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        11⤵
        
        PID:2012
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        12⤵
        
        PID:5112
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All
        13⤵
        System Network Configuration Discovery: Wi-Fi Discovery
        
        PID:4120
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        14⤵
        
        PID:2632
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh wlan show profile
        14⤵
        System Network Configuration Discovery: Wi-Fi Discovery
        
        PID:3088
        
        C:\Windows\SysWOW64\findstr.exe
        
        findstr All
        14⤵
        
        PID:2304
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd.exe" /C chcp 65001 && netsh wlan show networks mode=bssid
        13⤵
        
        PID:3956
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        14⤵
        
        PID:4300
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh wlan show networks mode=bssid
        14⤵
        
        PID:4576
        
        C:\Users\Admin\AppData\Local\Temp\RebelCracked.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RebelCracked.exe"
        11⤵
        
        PID:2828
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        12⤵
        
        PID:2188
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        13⤵
        
        PID:1464
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All
        14⤵
        System Network Configuration Discovery: Wi-Fi Discovery
        
        PID:2420
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        15⤵
        
        PID:3632
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh wlan show profile
        15⤵
        System Network Configuration Discovery: Wi-Fi Discovery
        
        PID:1548
        
        C:\Windows\SysWOW64\findstr.exe
        
        findstr All
        15⤵
        
        PID:3080
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd.exe" /C chcp 65001 && netsh wlan show networks mode=bssid
        14⤵
        
        PID:4580
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        15⤵
        
        PID:1600
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh wlan show networks mode=bssid
        15⤵
        
        PID:2520
        
        C:\Users\Admin\AppData\Local\Temp\RebelCracked.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RebelCracked.exe"
        12⤵
        
        PID:1548
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        13⤵
        
        PID:4428
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        14⤵
        
        PID:1608
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        14⤵
        
        PID:844
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All
        15⤵
        System Network Configuration Discovery: Wi-Fi Discovery
        
        PID:2724
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        16⤵
        
        PID:2300
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh wlan show profile
        16⤵
        System Network Configuration Discovery: Wi-Fi Discovery
        
        PID:2576
        
        C:\Windows\SysWOW64\findstr.exe
        
        findstr All
        16⤵
        
        PID:3888
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd.exe" /C chcp 65001 && netsh wlan show networks mode=bssid
        15⤵
        
        PID:2692
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        16⤵
        
        PID:3640
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh wlan show networks mode=bssid
        16⤵
        
        PID:4712
        
        C:\Users\Admin\AppData\Local\Temp\RebelCracked.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RebelCracked.exe"
        13⤵
        
        PID:224
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        14⤵
        
        PID:4428
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        15⤵
        
        PID:4456
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All
        16⤵
        System Network Configuration Discovery: Wi-Fi Discovery
        
        PID:1384
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        17⤵
        
        PID:3564
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh wlan show profile
        17⤵
        System Network Configuration Discovery: Wi-Fi Discovery
        
        PID:3652
        
        C:\Windows\SysWOW64\findstr.exe
        
        findstr All
        17⤵
        
        PID:1272
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd.exe" /C chcp 65001 && netsh wlan show networks mode=bssid
        16⤵
        
        PID:4496
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        17⤵
        
        PID:4964
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh wlan show networks mode=bssid
        17⤵
        
        PID:5048
        
        C:\Users\Admin\AppData\Local\Temp\RebelCracked.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RebelCracked.exe"
        14⤵
        
        PID:2392
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        15⤵
        
        PID:2360
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        16⤵
        
        PID:4924
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All
        17⤵
        System Network Configuration Discovery: Wi-Fi Discovery
        
        PID:844
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        18⤵
        
        PID:3612
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh wlan show profile
        18⤵
        System Network Configuration Discovery: Wi-Fi Discovery
        
        PID:2708
        
        C:\Windows\SysWOW64\findstr.exe
        
        findstr All
        18⤵
        
        PID:1404
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd.exe" /C chcp 65001 && netsh wlan show networks mode=bssid
        17⤵
        
        PID:3348
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        18⤵
        
        PID:4388
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh wlan show networks mode=bssid
        18⤵
        
        PID:4804
        
        C:\Users\Admin\AppData\Local\Temp\RebelCracked.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RebelCracked.exe"
        15⤵
        
        PID:5060
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        16⤵
        
        PID:1604
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        17⤵
        
        PID:4900
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        17⤵
        
        PID:4708
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All
        18⤵
        System Network Configuration Discovery: Wi-Fi Discovery
        
        PID:2288
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        19⤵
        
        PID:4848
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh wlan show profile
        19⤵
        System Network Configuration Discovery: Wi-Fi Discovery
        
        PID:2428
        
        C:\Windows\SysWOW64\findstr.exe
        
        findstr All
        19⤵
        
        PID:628
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd.exe" /C chcp 65001 && netsh wlan show networks mode=bssid
        18⤵
        
        PID:2708
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        19⤵
        
        PID:1468
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh wlan show networks mode=bssid
        19⤵
        
        PID:1944
        
        C:\Users\Admin\AppData\Local\Temp\RebelCracked.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RebelCracked.exe"
        16⤵
        
        PID:3676
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        17⤵
        
        PID:2248
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        18⤵
        
        PID:1624
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All
        19⤵
        System Network Configuration Discovery: Wi-Fi Discovery
        
        PID:2788
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        20⤵
        
        PID:756
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh wlan show profile
        20⤵
        System Network Configuration Discovery: Wi-Fi Discovery
        
        PID:4792
        
        C:\Windows\SysWOW64\findstr.exe
        
        findstr All
        20⤵
        
        PID:1268
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd.exe" /C chcp 65001 && netsh wlan show networks mode=bssid
        19⤵
        
        PID:2540
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        20⤵
        
        PID:3092
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh wlan show networks mode=bssid
        20⤵
        
        PID:4468
        
        C:\Users\Admin\AppData\Local\Temp\RebelCracked.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RebelCracked.exe"
        17⤵
        
        PID:2804
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        18⤵
        
        PID:1804
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        19⤵
        
        PID:3672
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All
        20⤵
        System Network Configuration Discovery: Wi-Fi Discovery
        
        PID:2316
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        21⤵
        
        PID:828
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh wlan show profile
        21⤵
        System Network Configuration Discovery: Wi-Fi Discovery
        
        PID:2708
        
        C:\Windows\SysWOW64\findstr.exe
        
        findstr All
        21⤵
        
        PID:2912
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd.exe" /C chcp 65001 && netsh wlan show networks mode=bssid
        20⤵
        
        PID:4040
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        21⤵
        
        PID:1008
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh wlan show networks mode=bssid
        21⤵
        
        PID:1584
        
        C:\Users\Admin\AppData\Local\Temp\RebelCracked.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RebelCracked.exe"
        18⤵
        
        PID:2912
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        19⤵
        
        PID:4264
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        20⤵
        
        PID:988
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All
        21⤵
        System Network Configuration Discovery: Wi-Fi Discovery
        
        PID:4204
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        22⤵
        
        PID:1152
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh wlan show profile
        22⤵
        System Network Configuration Discovery: Wi-Fi Discovery
        
        PID:3592
        
        C:\Windows\SysWOW64\findstr.exe
        
        findstr All
        22⤵
        
        PID:4112
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd.exe" /C chcp 65001 && netsh wlan show networks mode=bssid
        21⤵
        
        PID:2708
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        22⤵
        
        PID:4496
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh wlan show networks mode=bssid
        22⤵
        
        PID:3768
        
        C:\Users\Admin\AppData\Local\Temp\RebelCracked.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RebelCracked.exe"
        19⤵
        
        PID:1512
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        20⤵
        
        PID:1816
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        21⤵
        
        PID:2576
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        21⤵
        
        PID:228
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All
        22⤵
        System Network Configuration Discovery: Wi-Fi Discovery
        
        PID:1140
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        23⤵
        
        PID:2384
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh wlan show profile
        23⤵
        System Network Configuration Discovery: Wi-Fi Discovery
        
        PID:4576
        
        C:\Windows\SysWOW64\findstr.exe
        
        findstr All
        23⤵
        
        PID:2932
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd.exe" /C chcp 65001 && netsh wlan show networks mode=bssid
        22⤵
        
        PID:3200
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        23⤵
        
        PID:4388
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh wlan show networks mode=bssid
        23⤵
        
        PID:1436
        
        C:\Users\Admin\AppData\Local\Temp\RebelCracked.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RebelCracked.exe"
        20⤵
        
        PID:3144
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        21⤵
        
        PID:4508
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        22⤵
        
        PID:3928
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All
        23⤵
        System Network Configuration Discovery: Wi-Fi Discovery
        
        PID:5028
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        24⤵
        
        PID:3200
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh wlan show profile
        24⤵
        System Network Configuration Discovery: Wi-Fi Discovery
        
        PID:4512
        
        C:\Windows\SysWOW64\findstr.exe
        
        findstr All
        24⤵
        
        PID:1472
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd.exe" /C chcp 65001 && netsh wlan show networks mode=bssid
        23⤵
        
        PID:2964
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        24⤵
        
        PID:2168
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh wlan show networks mode=bssid
        24⤵
        
        PID:2820
        
        C:\Users\Admin\AppData\Local\Temp\RebelCracked.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RebelCracked.exe"
        21⤵
        
        PID:1896
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        22⤵
        
        PID:2976
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        23⤵
        
        PID:4440
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All
        24⤵
        System Network Configuration Discovery: Wi-Fi Discovery
        
        PID:1152
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        25⤵
        
        PID:2384
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh wlan show profile
        25⤵
        System Network Configuration Discovery: Wi-Fi Discovery
        
        PID:772
        
        C:\Windows\SysWOW64\findstr.exe
        
        findstr All
        25⤵
        
        PID:3348
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd.exe" /C chcp 65001 && netsh wlan show networks mode=bssid
        24⤵
        
        PID:3868
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        25⤵
        
        PID:4512
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh wlan show networks mode=bssid
        25⤵
        
        PID:5296
        
        C:\Users\Admin\AppData\Local\Temp\RebelCracked.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RebelCracked.exe"
        22⤵
        
        PID:1604
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        23⤵
        
        PID:3064
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        24⤵
        
        PID:3512
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All
        25⤵
        System Network Configuration Discovery: Wi-Fi Discovery
        
        PID:6136
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        26⤵
        
        PID:5160
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh wlan show profile
        26⤵
        System Network Configuration Discovery: Wi-Fi Discovery
        
        PID:1404
        
        C:\Windows\SysWOW64\findstr.exe
        
        findstr All
        26⤵
        
        PID:1472
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd.exe" /C chcp 65001 && netsh wlan show networks mode=bssid
        25⤵
        
        PID:5480
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        26⤵
        
        PID:5596
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh wlan show networks mode=bssid
        26⤵
        
        PID:5624
        
        C:\Users\Admin\AppData\Local\Temp\RebelCracked.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RebelCracked.exe"
        23⤵
        
        PID:2384
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        24⤵
        
        PID:844
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        25⤵
        
        PID:2520
        
        C:\Users\Admin\AppData\Local\Temp\RebelCracked.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RebelCracked.exe"
        24⤵
        
        PID:3200
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        25⤵
        
        PID:4964
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        26⤵
        
        PID:3892
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All
        27⤵
        System Network Configuration Discovery: Wi-Fi Discovery
        
        PID:5940
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        28⤵
        
        PID:3308
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh wlan show profile
        28⤵
        System Network Configuration Discovery: Wi-Fi Discovery
        
        PID:6112
        
        C:\Windows\SysWOW64\findstr.exe
        
        findstr All
        28⤵
        
        PID:4620
        
        C:\Users\Admin\AppData\Local\Temp\RebelCracked.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RebelCracked.exe"
        25⤵
        
        PID:4752
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        26⤵
        
        PID:2392
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        27⤵
        
        PID:844
        
        C:\Users\Admin\AppData\Local\Temp\RebelCracked.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RebelCracked.exe"
        26⤵
        
        PID:2420
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        27⤵
        
        PID:1656
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        28⤵
        
        PID:376
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        28⤵
        
        PID:2392
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All
        29⤵
        System Network Configuration Discovery: Wi-Fi Discovery
        
        PID:5304
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        30⤵
        
        PID:5360
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh wlan show profile
        30⤵
        System Network Configuration Discovery: Wi-Fi Discovery
        
        PID:5376
        
        C:\Windows\SysWOW64\findstr.exe
        
        findstr All
        30⤵
        
        PID:5384
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd.exe" /C chcp 65001 && netsh wlan show networks mode=bssid
        29⤵
        
        PID:5608
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        30⤵
        
        PID:5836
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh wlan show networks mode=bssid
        30⤵
        
        PID:5852
        
        C:\Users\Admin\AppData\Local\Temp\RebelCracked.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RebelCracked.exe"
        27⤵
        
        PID:1384
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        28⤵
        
        PID:2912
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        29⤵
        
        PID:2272
        
        C:\Users\Admin\AppData\Local\Temp\RebelCracked.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RebelCracked.exe"
        28⤵
        
        PID:1336
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        29⤵
        
        PID:4504
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        30⤵
        
        PID:4856
        
        C:\Users\Admin\AppData\Local\Temp\RebelCracked.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RebelCracked.exe"
        29⤵
        
        PID:2740
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        30⤵
        
        PID:4120
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        31⤵
        
        PID:3532
        
        C:\Users\Admin\AppData\Local\Temp\RebelCracked.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RebelCracked.exe"
        30⤵
        
        PID:4792
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        31⤵
        
        PID:732
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        32⤵
        
        PID:4696
        
        C:\Users\Admin\AppData\Local\Temp\RebelCracked.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RebelCracked.exe"
        31⤵
        
        PID:3868
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        32⤵
        
        PID:1436
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        33⤵
        
        PID:4468
        
        C:\Users\Admin\AppData\Local\Temp\RebelCracked.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RebelCracked.exe"
        32⤵
        
        PID:628
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        33⤵
        
        PID:4600
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        34⤵
        
        PID:5016
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        34⤵
        
        PID:1760
        
        C:\Users\Admin\AppData\Local\Temp\RebelCracked.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RebelCracked.exe"
        33⤵
        
        PID:736
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        34⤵
        
        PID:4512
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        35⤵
        
        PID:3592
        
        C:\Users\Admin\AppData\Local\Temp\RebelCracked.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RebelCracked.exe"
        34⤵
        
        PID:1516
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        35⤵
        
        PID:5668
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        36⤵
        
        PID:5764
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        36⤵
        
        PID:5772
        
        C:\Users\Admin\AppData\Local\Temp\RebelCracked.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RebelCracked.exe"
        35⤵
        
        PID:5708
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        36⤵
        
        PID:5504
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        37⤵
        
        PID:5552
        
        C:\Users\Admin\AppData\Local\Temp\RebelCracked.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RebelCracked.exe"
        36⤵
        
        PID:3868
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        37⤵
        
        PID:5368
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        38⤵
        
        PID:5360
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        38⤵
        
        PID:772
        
        C:\Users\Admin\AppData\Local\Temp\RebelCracked.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RebelCracked.exe"
        37⤵
        
        PID:5196
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        38⤵
        
        PID:5832
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        39⤵
        
        PID:5136
        
        C:\Users\Admin\AppData\Local\Temp\RebelCracked.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RebelCracked.exe"
        38⤵
        
        PID:5500

C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /4
1⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:4304

C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /4
1⤵
PID:1784

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Privilege Escalation

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Defense Evasion

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

System Network Configuration Discovery

T1016

Wi-Fi Discovery

T1016.002

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\22ac2ece95c97c0de7471088d99ebf1d\Admin@KZYBFHMK_en-US\System\Process.txt

Filesize
533B

MD5
40164720060e192f12989f79a94ea6d2

SHA1
55314c506f7e9970159feb052416cdf709963b39

SHA256
ae4e65b6aad79ac1581ec054a75ef152044dc6824042c6c94fb5e1cd3dd69cc5

SHA512
35c76170af0f93f56d5a2e1ef7c6434691f6a26ed130da2319f1d10a0b50651bad261e52febcffa597fc7db23ad890a010ae5012f452c6848802a24679bbf017

Download Submit
C:\Users\Admin\AppData\Local\22ac2ece95c97c0de7471088d99ebf1d\Admin@KZYBFHMK_en-US\System\Process.txt

Filesize
4KB

MD5
bb6e0736e37a7e903d8c3604feb1fc4c

SHA1
30a47e4045a4556b6742f419c7a29d78e9286ff7

SHA256
9114aa22d624fa8d2772d321cf7ed0dc7f169aa5f6e24654df99101662ff00c8

SHA512
5559c47b1464323737a6bb86f29b39e798ff065d36b970f3f4dc6dcc8d9e3a62dfbe2f79245f97668e677d83cb7e898879356b9f893008663a7cde12d47c6412

Download Submit
C:\Users\Admin\AppData\Local\244afb72866c8b52ebeea553725abc3a\Admin@KZYBFHMK_en-US\System\Process.txt

Filesize
705B

MD5
75dc7ffa40c5fd3203db5678bc128a6c

SHA1
6f5bf112f36be095f6558ebf66a6c357d6de20df

SHA256
8469b5744a14404504c5c92fc61c994660a19a3c60014398e2ca2f1019f93a2d

SHA512
a943b5e43a842446b3c40846ad96b287b52ff52ce07a0e3c32779b2be12d13863fa19ebed5908d2e32f2caa19225dcefacbbe95f3a46611b0f99c1408146d62f

Download Submit
C:\Users\Admin\AppData\Local\244afb72866c8b52ebeea553725abc3a\Admin@KZYBFHMK_en-US\System\Process.txt

Filesize
768B

MD5
d3de8657390d1090482f2e43c023a64b

SHA1
769e27c686e01bd2b2cd86fdb9c8b5604cd2a662

SHA256
ec3458e7a0c247c61f52fc62a71e8a44ffd6eef02d7e9508ffd7893c46d0e614

SHA512
35cddb19b216c5dd7de4f21d22258b3a4975d27415dbc2e03b9b5ceac4c8e7d575f4fc1d0c89c55159318ae7fb39dca584c2882527fdc434a609ecc305cc77f9

Download Submit
C:\Users\Admin\AppData\Local\244afb72866c8b52ebeea553725abc3a\Admin@KZYBFHMK_en-US\System\Process.txt

Filesize
832B

MD5
f42390429386652410b46fdbd30e3bbe

SHA1
b2f38c57830860679a9af4e0a7480a7950bf31f1

SHA256
e1cff6aa32da44ab2b1927accde6b20298f1f46837f40ec0097a43597bdb47c7

SHA512
330b1fb3c5dce2dc07dbf1e6b56241b8eacef7b2a3ec261e3ff2545692c125dd3ada0241a9beecaeee2c6990f6b5f0da9bdc7e73ae9e119c979db0538a9eae2c

Download Submit
C:\Users\Admin\AppData\Local\244afb72866c8b52ebeea553725abc3a\Admin@KZYBFHMK_en-US\System\Process.txt

Filesize
896B

MD5
58f8b42615425d02ad4d6151b360613e

SHA1
b17b08ec5b52faeeba90b0f0417a44d5de14d433

SHA256
26ba07a767c694ec9fb4acdf38a36835024179f4d9fbb2ee3c8bd5a08100f9e6

SHA512
8b8c256666a700cb1e9eaa7de68bb3f6070df6f10833d6aca4f8d60969d84196fe1abd2ff8ce493809487f2a5fe17c32b6f79801fa9b1bfc10c83f058ffcd106

Download Submit
C:\Users\Admin\AppData\Local\244afb72866c8b52ebeea553725abc3a\Admin@KZYBFHMK_en-US\System\Process.txt

Filesize
935B

MD5
4402785a30adaf0c8f78af7499201b77

SHA1
aec597ac45db1a5e40192d51d3ca01466ab0b657

SHA256
fc34a2cdbf33dac59d73f448bf20f86e02760c96539633c96776722e448c8f54

SHA512
2c1cf08e5bb94c478f027de14ab5345c74e133a88dcfa69730170a8273235b1adf2c81a31aa1d6d611700413db2a102b83bd2ba2fc63634ae2936a9062dcd02d

Download Submit
C:\Users\Admin\AppData\Local\244afb72866c8b52ebeea553725abc3a\Admin@KZYBFHMK_en-US\System\Process.txt

Filesize
968B

MD5
e38d6388b76408b03be2e0ecc18d42b7

SHA1
0c8af364015d75913d40891f307ed98107a4aa05

SHA256
fcf2b10da49d6b05659ef6ec20e3356e41b36c050ed7f0fb243bbb13aaf61b24

SHA512
90afc9505dc2251f825ad51fb753899b5c3be151b5542a5018da2c90eff259fb8b3da5f94322eb74491c29ad7ac43d382fadc1d6a9efd241998198f8649bca61

Download Submit
C:\Users\Admin\AppData\Local\244afb72866c8b52ebeea553725abc3a\Admin@KZYBFHMK_en-US\System\Process.txt

Filesize
1KB

MD5
8a00ed84e6d1e82b4ae56d0ed8c5965f

SHA1
6991d4df00db8fad01067c5a272024aa9bee1118

SHA256
d91f663c9076503804c461e7ec098d9610b94c1a12f6d43fbe0eceabd21ae7d6

SHA512
03f7e6a9604f306e4301652bca3f643101c9ed035fe704005e37d9f9462a7c693d6baeb9efa49ca7302fb81731253126ff6b71c43f0a8500a0d72c3a44057c57

Download Submit
C:\Users\Admin\AppData\Local\244afb72866c8b52ebeea553725abc3a\Admin@KZYBFHMK_en-US\System\Process.txt

Filesize
1KB

MD5
0107720f19b856226c605685b5bd1247

SHA1
09a9b8deea8863a231992ce3541d6ede9b7b35cd

SHA256
5c2e4909ed025a80659013fb4ee55181af5406ba0b65a183a8486424d5c44e2d

SHA512
491c4ec71f1c51d7bc20760100ac11c6dde63d5749061cf65106d06459c57114f2cce951a1e96e4ee2957db1ab4af07e7c96ff2b009aa644d37290f220e26dc4

Download Submit
C:\Users\Admin\AppData\Local\244afb72866c8b52ebeea553725abc3a\Admin@KZYBFHMK_en-US\System\Process.txt

Filesize
4KB

MD5
c4752589e7d960a8a0d86abd643016c2

SHA1
9d3180f2d3c332f911712bd32c2f216e7eaa8800

SHA256
796ce44fd6e7fbbfa49ebbd432bfb5c98554d7e90244ad6b00029b607e56e17c

SHA512
6debe087c39ceae9ce6e2a7d84489e73379f7ec0916d8473a9f1ece0045aa3af0600e659b1b7ad8cc72e7a49eeb897babd657848d0f5f050096276882c1be836

Download Submit
C:\Users\Admin\AppData\Local\244afb72866c8b52ebeea553725abc3a\Admin@KZYBFHMK_en-US\System\Process.txt

Filesize
1KB

MD5
1d6af9391fddc642209fdd74aa572f29

SHA1
bed3eabd371d1ad7472ce89b46931004233cc24f

SHA256
116740e3ce400e2fb71fd332fa8eb0dc54edc79dd404d527cbf2dfa4374fa816

SHA512
7e91b32e22b0d7992d514bfe5d0b8cb9b21b39b32595981144f8577cddca06f189b984cd6ee77248a9a0f507f524c3df3fe4b11a81ea36c5e36792d2cf711c8c

Download Submit
C:\Users\Admin\AppData\Local\244afb72866c8b52ebeea553725abc3a\Admin@KZYBFHMK_en-US\System\Process.txt

Filesize
1KB

MD5
f0a9e1dbbcc7e3b88b78e5b6b9901444

SHA1
b37573a597bdbbb4b1e45e241123e2b130b77256

SHA256
07e208cb92ecb7d1725590fa68e27df763a6769ad0a70bf95c8e2821b08be227

SHA512
b7af5b9693eabe9ab751191c65bebdc8d77294d055b2dc85562f878b3905bbdf90be2ea439c74a9251a77975f5503c4e53e5ad3ceca8590332a0ca204f3d9bf3

Download Submit
C:\Users\Admin\AppData\Local\244afb72866c8b52ebeea553725abc3a\Admin@KZYBFHMK_en-US\System\Process.txt

Filesize
4KB

MD5
f4cb1ee718aff72f4f438a3ff0d98941

SHA1
b781cd7859b3194e7c27f4b23c8b2d7e77ea87e1

SHA256
606f341554e594f14c8f6869025e0edb5bfbf84087f89ea4dc3a45188af683c9

SHA512
c88d1def345efe70560822408df8d5a03f612dc55c0de1af78bb9f9eb579f81f094d2e42c90f777e857f2f78aac7d7d39c7d6801cfa74935f3478c085486a9cc

Download Submit
C:\Users\Admin\AppData\Local\244afb72866c8b52ebeea553725abc3a\Admin@KZYBFHMK_en-US\System\ScanningNetworks.txt

Filesize
84B

MD5
58cd2334cfc77db470202487d5034610

SHA1
61fa242465f53c9e64b3752fe76b2adcceb1f237

SHA256
59b3120c5ce1a7d1819510272a927e1c8f1c95385213fccbcdd429ff3492040d

SHA512
c8f52d85ec99177c722527c306a64ba61adc3ad3a5fec6d87749fbad12da424ba6b34880ab9da627fb183412875f241e1c1864d723e62130281e44c14ad1481e

Download Submit
C:\Users\Admin\AppData\Local\3ebe8a8c26e00559fc9e776a513c4967\Admin@KZYBFHMK_en-US\System\Process.txt

Filesize
4KB

MD5
c6b35b1a02d731974f309cfda933f032

SHA1
ab3bcea40471f45fcb24acd38538096661d49159

SHA256
60469f888785dfbd9e96d2120c73282b519e1d72ac91c9fd6c788fdf7711c573

SHA512
9143ddeb04976d0e548f3df9aac4bf34f6f9dff7fe580c7b8ef8321ddda036f3deee18aa50b6ebed694962d7c6d470efa7c560f4c4da2237f3f6cec7e3319f15

Download Submit
C:\Users\Admin\AppData\Local\48fc5197e2f4f4ede7a9e52c81d7baf7\Admin@KZYBFHMK_en-US\System\Process.txt

Filesize
4KB

MD5
b72acc3b6f08ddfdc985a795a81090de

SHA1
6fafbd4604e97ac316b884196695957db4495452

SHA256
d421d05b89d53aa4ee38a966cdaf9926fca1eb368df7e1fdf0ab427f91ff1930

SHA512
1762a7145ec9d77b582bd20c5d8329f9a113e79836118e444f80bb4484b58bc975712504d9e0d001020f30af60d8aa9bab50f0b2c99fd77e00512325aa4593ee

Download Submit
C:\Users\Admin\AppData\Local\578c922e4f408aa9c60df693cf2b2807\Admin@KZYBFHMK_en-US\System\Process.txt

Filesize
4KB

MD5
0b3a787913fb86cad0f28004721b59b4

SHA1
d7f5ebdbd54d1be4887075e763650f363a8fcbe7

SHA256
3f3cc13b595ad00b6928ecb88608e3a91abd50c02c0006f08b4fabef764250ec

SHA512
9ca20c9e4a3d99939addd6d8d72fde80e2f5f02fd2a3aab8d73df9f7ade99b61954e7ee04f1fe061a71bd3896d8b2fbfab907a8e7e4c922b7e47ce6082c9b3dd

Download Submit
C:\Users\Admin\AppData\Local\578c922e4f408aa9c60df693cf2b2807\Admin@KZYBFHMK_en-US\System\Process.txt

Filesize
4KB

MD5
01e8df9914ff6a17de58b8a888530fea

SHA1
febf47ef60f20cc61d58c4fa90e2205919608d16

SHA256
412bd1bb887d8a9270f4adaf63938ca90791fccd03eb09967d49ab2ee752d2c6

SHA512
ec8219ed7311f54a43f1a2eb6504f8224ccc53564793e25f9bd07567401f666a2bb3ee472cbdf1d06c149c524c0d012bcefb2f7258915a9e7b7b5f7ba0a60709

Download Submit
C:\Users\Admin\AppData\Local\578c922e4f408aa9c60df693cf2b2807\Admin@KZYBFHMK_en-US\System\Process.txt

Filesize
4KB

MD5
38d9b7062e0756c05a83986aacc57c72

SHA1
57b238b2a28b3944bd3b1647748b3dacdfcbe52f

SHA256
3815885ab744002b05fc1b56f76ff41abf8ff6f4c008cb0de2839d0760f21744

SHA512
3969a8c5c61eaab03b5ecc04dbf82aaa0f7a968267578ae056f0783f398e4ef144e46cf34cac30e296456764fbaccb4428750e747e25da897cbc7a5643c03abc

Download Submit
C:\Users\Admin\AppData\Local\578c922e4f408aa9c60df693cf2b2807\msgid.dat

Filesize
1B

MD5
cfcd208495d565ef66e7dff9f98764da

SHA1
b6589fc6ab0dc82cf12099d1c2d40ab994e8410c

SHA256
5feceb66ffc86f38d952786c6d696c79c2dbc239dd4e91b46729d73a27fb57e9

SHA512
31bca02094eb78126a517b206a88c73cfa9ec6f704c7030d18212cace820f025f00bf0ea68dbf3f3a5436ca63b53bf7bf80ad8d5de7d8359d0b7fed9dbc3ab99

Download Submit
C:\Users\Admin\AppData\Local\67f1f087b0b9cfa24bb66032c6fc12e7\Admin@KZYBFHMK_en-US\Directories\Temp.txt

Filesize
5KB

MD5
242e70b92569501d66d4bc6a937e0cc3

SHA1
f419c5ba0fcad275a1aa8dd411f5fd6a72d202f1

SHA256
3aa0308a148a9cd2a0772daab5b19d01357a2b37660d6edbbf5d462a2a48d0bc

SHA512
d12b6cdf4140d2af21c8435a78b695b28e04a5e27d4baea0a4baae6f405216303556ac8a63f0d40615d996800357506f0482657040203e57067de20279523668

Download Submit
C:\Users\Admin\AppData\Local\67f1f087b0b9cfa24bb66032c6fc12e7\Admin@KZYBFHMK_en-US\System\Process.txt

Filesize
324B

MD5
f6e814c0a05512365cdd5d49e3ba1475

SHA1
7107b7f837684ce20f0e0f4e0d7326e95f529df4

SHA256
17cd21533081352710ca3b313d929f052d06aa745e3d5f011cb8c89b5bc7f5dd

SHA512
bd464db27aa81af93f02645108d02038f2fe31dea2f51176894e60cf38ac2c115f16ff7cc265f686dfac6710b49d4b6d8b0adb245a5703d3861f51644a1ee4df

Download Submit
C:\Users\Admin\AppData\Local\67f1f087b0b9cfa24bb66032c6fc12e7\Admin@KZYBFHMK_en-US\System\Process.txt

Filesize
4KB

MD5
f7f0199d3653c5311c01878ef2608435

SHA1
e0d9f6a8ebaa4baca8c5595c556d127292a3d96d

SHA256
71193a6d193e3525ae5267d86d1b3db7f25da72ce4fe419339f95e1380c66780

SHA512
c266bf1b33485d9dace3e96a3abf814fff545b14c13d3fe8e50fa1e71d92039b90ed8a894cef0d7dfc85250ad0f44dbc28c2383e81a72e1867f1f1ad23bfda3e

Download Submit
C:\Users\Admin\AppData\Local\67f1f087b0b9cfa24bb66032c6fc12e7\Admin@KZYBFHMK_en-US\System\Process.txt

Filesize
4KB

MD5
7fa97e7e69d17449e97150528d3cc83f

SHA1
b47a6dc8027ce7dc8a9dedb3d06d34e0e1af90c2

SHA256
cb050281430098a479be547c907579b246b7143d74d99dcb4f16e5f1945128dc

SHA512
5b866c77af4209ea8d086640e6abf542fe327511e6ce9bd3dd3c15b2ca3aa8d4db6636562948aef0af70535779f40092c7a5db1aacb7d059fcb53693b8cc3cd3

Download Submit
C:\Users\Admin\AppData\Local\67f1f087b0b9cfa24bb66032c6fc12e7\Admin@KZYBFHMK_en-US\System\Process.txt

Filesize
4KB

MD5
4328b3bedcae72969e1773ec66c386cc

SHA1
592f94556c76e14f7e5f5d4ae9e6ad96d517a4df

SHA256
6a5e3d6242a3baa7de5bbe9155865add163ff4c3f2910737d46a37578830a880

SHA512
019c33018a35f9613906016797153899ca0fcdc536c54fb62d75e9adef65a61c70db47b96821c5e50eed9e9ee75ad9d8a3806bcacb9cef89ad35d22bdb427b82

Download Submit
C:\Users\Admin\AppData\Local\67f1f087b0b9cfa24bb66032c6fc12e7\Admin@KZYBFHMK_en-US\System\Process.txt

Filesize
4KB

MD5
4a8e573c3b2aa808b1280ede4f81b582

SHA1
ea12637c4eafcf3f880d49897307e1e6bfe95837

SHA256
4c73b2d0ebe4356e5cc094a28760de2961ffae08ca64f6d2ddcaa311a26b1a89

SHA512
e5dc5d64bff636d2d7d48b6194c70d6c5379bf4fd05895a249cc33c5656eb09cc06a87380bdd7711302e85a2904141d5ac5de8e1bf1698c6d2c6500961d5d04c

Download Submit
C:\Users\Admin\AppData\Local\67f1f087b0b9cfa24bb66032c6fc12e7\Admin@KZYBFHMK_en-US\System\ScanningNetworks.txt

Filesize
168B

MD5
9f11565dd11db9fb676140e888f22313

SHA1
35ae1ce345de569db59b52ed9aee5d83fea37635

SHA256
bd652c6bfa16a30133dd622f065e53aee489e9066e81ecb883af1c3892af727d

SHA512
d70edbd84693afbdb90424b9f72a4bd4a51bd27c719506e17a58b171c251046aea23ca7228ccd8b98b47cd8eb1227bc2d90a07c4f50e8b080f9a41d253935ace

Download Submit
C:\Users\Admin\AppData\Local\67f1f087b0b9cfa24bb66032c6fc12e7\Admin@KZYBFHMK_en-US\System\WorldWind.jpg

Filesize
72KB

MD5
d43f5f4fff1aea17f2b671f33b711756

SHA1
f9c7e707d111f5e0955c60c74b440960a4569aad

SHA256
61bce39a9432d3058ed288c9af9c90bf0936b704f760374d5754fe91fba529cc

SHA512
f1b2060de09d3f721b3dfa639c181c88e817558db8306f993d67c96a3dbcf6f9f3ce00c555dc5d1391ff55bf935c136494a7012877b51de03ec2a721ee43f2c4

Download Submit
C:\Users\Admin\AppData\Local\8a3972323b525bba344ad1d0f9f91669\Admin@KZYBFHMK_en-US\System\Process.txt

Filesize
4KB

MD5
eee59ba5faf329aa48d6c9b04cc401a2

SHA1
6cb62afc580677b40a3a69e6781ac097695525dd

SHA256
f819f554a71d3066efa6bc5ec315ae5179accc9e580032d586b151c0ab50bdf1

SHA512
8b86abf1934d7d14a8a2fd877ad2f6fd63839b3149d8240d825443fda9854b954e4bce11fdc6c29a3abdc005e21b58622534a6d6751e373564a373aa1a3a570c

Download Submit
C:\Users\Admin\AppData\Local\9f14789e79876668fdc6516ab714a73e\Admin@KZYBFHMK_en-US\System\Process.txt

Filesize
39B

MD5
fc3c7ead5aa478167ac8084be81d0dbf

SHA1
84879af095328bd777a6f1e293cba2bd19d20153

SHA256
f4282bbcdf4a6852aea160f9f931143d550e20cb09afa282a6dc6a68202f34f3

SHA512
6545b47dc0bc02781639f04f185ee1c3b97b5ac1bb667d235bb5540d1b2e1cbac46f084a12cb007d511d25868109e10170e37ce9fcf0118ffd4aa5323406777a

Download Submit
C:\Users\Admin\AppData\Local\9f14789e79876668fdc6516ab714a73e\Admin@KZYBFHMK_en-US\System\Process.txt

Filesize
103B

MD5
2878c244baeb101b67fe1f898d1b2bf0

SHA1
efda9fe8c9bf3fe7d8cb96b62d98c5117cc76b0d

SHA256
7a7e5e24b241b4c3191292abdc445d9b6af922d81bc5269471eb7f27a3e901eb

SHA512
3eb0e11888d2954a26194f16095b4c083188126e58fa60d3c25458b2eb60e3475063750bd84534c011ca5c3bec944cf473626cd05ed30b5112fa9bf9af08f188

Download Submit
C:\Users\Admin\AppData\Local\9f14789e79876668fdc6516ab714a73e\Admin@KZYBFHMK_en-US\System\Process.txt

Filesize
167B

MD5
c49fb4e92e205dc4a1c3563186531b0c

SHA1
4ec5494cf256673dde02434f3eb02b76a64e62e6

SHA256
925c877cba05fa6fc1f05387593cafd42c3edc5c2557125940c3cf5b24fb8f31

SHA512
2b0968b5d464e38af2645f5640e6007fa650d7a400652cd8c840b1b6977095b47496c771036616f1a6c337fe7d38f16b685ecf2f2a7f961b82186fdacd2d8a3c

Download Submit
C:\Users\Admin\AppData\Local\9f14789e79876668fdc6516ab714a73e\Admin@KZYBFHMK_en-US\System\Process.txt

Filesize
231B

MD5
3dec41d2308f3de3792d1ebd13ae7976

SHA1
31629332ff9092b4bf38f397eb46e93f47ddabda

SHA256
2f5488ecb899932cc0f760ffae11242f7c372eda7f1c9cec50d6c4f0b1e25101

SHA512
3bf90d7833315381fe0dc9cc45c129ad093d64174281c5e12b5808a3ad9f7695753dc20f4685cc6ed345b713706990ce53bcfab7632cc2ed55f909dfbe741eb9

Download Submit
C:\Users\Admin\AppData\Local\9f14789e79876668fdc6516ab714a73e\Admin@KZYBFHMK_en-US\System\Process.txt

Filesize
299B

MD5
eee65360b7cb76cd5fbbc83d2abab68f

SHA1
8d1cfda6fc000fe92afe19f3f53780c82e519081

SHA256
8fc52098d4eba009bd79aca568869ac99bbf679ae1b4df05a5e84e8c0305863a

SHA512
2dd1cab96f67df725f13777dad2128cdb78a37babcf7f38e559cef9325e726e69a09728bf464ab291600616c4f485928859b57aa33a69347f243c6ef432fa1b2

Download Submit
C:\Users\Admin\AppData\Local\9f14789e79876668fdc6516ab714a73e\Admin@KZYBFHMK_en-US\System\Process.txt

Filesize
448B

MD5
e51be8370aff4e0deb85c69596d6a887

SHA1
612f1cddfbb49f62d3648e6214fb74bb6041a48b

SHA256
5f4c20760f9e0cd377aab487da3607e1a6b383714d575915b671a9e21cf47d94

SHA512
e02e2036231f663bf9526255f0ae140a03a8e67fa397562c70f976794f1ec5ef6208deb8edecb9fd55503bab243fddb59819ea9e81436419c74db193f856408a

Download Submit
C:\Users\Admin\AppData\Local\9f14789e79876668fdc6516ab714a73e\Admin@KZYBFHMK_en-US\System\Process.txt

Filesize
4KB

MD5
8f7e49acf7d857786ca3b885b525df81

SHA1
8414c995e471c0085ae07747c9562b1281467d28

SHA256
fa5c68afee268f306e7d1d54f79c712aa2374d1c1b698cfef9569d5608a63e7f

SHA512
02007fbac9a05ffae35501db5b37b4b8f01b5e271b2b333b18a89d75622095977b5e6724d8393ab6441fa500ad13a6cc495b9eda6ced13eb3f30c94fca2ab122

Download Submit
C:\Users\Admin\AppData\Local\9f14789e79876668fdc6516ab714a73e\Admin@KZYBFHMK_en-US\System\Process.txt

Filesize
4KB

MD5
ba3136539f019f16462b597f7cb98c09

SHA1
4906e0429704c23e5be3010de62d2611b915779f

SHA256
24d48d0fec7f21badc2cabdfb0aef615d6461541e67cb5708e443c15db09eaad

SHA512
f6cc0d7c9abbe6eb72c096737d0fcf2f44fd89565d9d44757a9d4767b7051de3c7a2688d7a325886f712fdaae9a66065bd7c1434527d8a519e4b47aab2e324f7

Download Submit
C:\Users\Admin\AppData\Local\9f14789e79876668fdc6516ab714a73e\Admin@KZYBFHMK_en-US\System\Windows.txt

Filesize
170B

MD5
2dbbc60f42153d1f50ac8857fc07d9a8

SHA1
8ddaaafa27da255514893ec6444bb39701a14c11

SHA256
1263b2671f377dfb89806db33531f58c9fe55b9d9dd83f9930b1451a42dbd502

SHA512
4e86d909f0fb8492d4f14a11bd8e2cf6ef492bd29ccfdfb7c17c9a27827c86b89bdb0388e9d26bf1ea189bee599328c784d159a1ac88f1459eb865b8d36b731b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\RebelCracked.exe.log

Filesize
654B

MD5
2ff39f6c7249774be85fd60a8f9a245e

SHA1
684ff36b31aedc1e587c8496c02722c6698c1c4e

SHA256
e1b91642d85d98124a6a31f710e137ab7fd90dec30e74a05ab7fcf3b7887dced

SHA512
1d7e8b92ef4afd463d62cfa7e8b9d1799db5bf2a263d3cd7840df2e0a1323d24eb595b5f8eb615c6cb15f9e3a7b4fc99f8dd6a3d34479222e966ec708998aed1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\RuntimeBroker.exe.log

Filesize
706B

MD5
9b4d7ccdebef642a9ad493e2c2925952

SHA1
c020c622c215e880c8415fa867cb50210b443ef0

SHA256
e6f068d76bd941b4118225b130db2c70128e77a45dcdbf5cbab0f8a563b867ff

SHA512
8577ecd7597d4b540bc1c6ccc4150eae7443da2e4be1343cc42242714d04dd16e48c3fcaefd95c4a148fe9f14c5b6f3166b752ae20d608676cf6fb48919968e8

Download Submit
C:\Users\Admin\AppData\Local\RuntimeBroker.exe

Filesize
330KB

MD5
75e456775c0a52b6bbe724739fa3b4a7

SHA1
1f4c575e98d48775f239ceae474e03a3058099ea

SHA256
e8d52d0d352317b3da0be6673099d32e10e7b0e44d23a0c1a6a5277d37b95cf3

SHA512
b376146c6fa91f741d69acf7b02a57442d2ea059be37b9bdb06af6cc01272f4ded1a82e4e21b9c803d0e91e22fc12f70391f5e8c8704d51b2435afc9624e8471

Download Submit
C:\Users\Admin\AppData\Local\Temp\places.raw

Filesize
5.0MB

MD5
81412f7f844b75a6c65ed71eac0b9e61

SHA1
39b14eb48e13daaf94023482666fc9e13118ba72

SHA256
e37ca7753860c60248b70828432c8e018a3788479808fdfdbc4d3b369b381019

SHA512
63f2f6af6974091fb8de9dae945b392bb5f68abe66f7d9e3906089bb31f8e7ae2be03fcce44288514678b2b79eb309667b4607e9132183d1bb9a631ad65a983a

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpE484.tmp.dat

Filesize
114KB

MD5
242b4242b3c1119f1fb55afbbdd24105

SHA1
e1d9c1ed860b67b926fe18206038cd10f77b9c55

SHA256
2d0e57c642cc32f10e77a73015075c2d03276dd58689944b01139b2bde8a62a1

SHA512
7d1e08dc0cf5e241bcfe3be058a7879b530646726c018bc51cc4821a7a41121bcda6fbfdeeca563e3b6b5e7035bdd717781169c3fdbd2c74933390aa9450c684

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpE486.tmp.dat

Filesize
160KB

MD5
f310cf1ff562ae14449e0167a3e1fe46

SHA1
85c58afa9049467031c6c2b17f5c12ca73bb2788

SHA256
e187946249cd390a3c1cf5d4e3b0d8f554f9acdc416bf4e7111fff217bb08855

SHA512
1196371de08c964268c44103ccaed530bda6a145df98e0f480d8ee5ad58cb6fb33ca4c9195a52181fe864726dcf52e6a7a466d693af0cda43400a3a7ef125fad

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpE498.tmp.dat

Filesize
116KB

MD5
f70aa3fa04f0536280f872ad17973c3d

SHA1
50a7b889329a92de1b272d0ecf5fce87395d3123

SHA256
8d782aa65de6db3538a14da82216e96d5e0a3c60496726e3541a8165bccc65f8

SHA512
30675c5c610d9aa32a4c4a4d9c3af7570823cd197f8d2a709222c78e2cd15304bbed80e233e3674ec2f6e33d1961c67fd6a46dc8ba8b1a301cd0722932c03c84

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpED01.tmp.dat

Filesize
40KB

MD5
a182561a527f929489bf4b8f74f65cd7

SHA1
8cd6866594759711ea1836e86a5b7ca64ee8911f

SHA256
42aad7886965428a941508b776a666a4450eb658cb90e80fae1e7457fc71f914

SHA512
9bc3bf5a82f6f057e873adebd5b7a4c64adef966537ab9c565fe7c4bb3582e2e485ff993d5ab8a6002363231958fabd0933b48811371b8c155eaa74592b66558

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpED16.tmp.dat

Filesize
48KB

MD5
349e6eb110e34a08924d92f6b334801d

SHA1
bdfb289daff51890cc71697b6322aa4b35ec9169

SHA256
c9fd7be4579e4aa942e8c2b44ab10115fa6c2fe6afd0c584865413d9d53f3b2a

SHA512
2a635b815a5e117ea181ee79305ee1baf591459427acc5210d8c6c7e447be3513ead871c605eb3d32e4ab4111b2a335f26520d0ef8c1245a4af44e1faec44574

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpED17.tmp.dat

Filesize
20KB

MD5
49693267e0adbcd119f9f5e02adf3a80

SHA1
3ba3d7f89b8ad195ca82c92737e960e1f2b349df

SHA256
d76e7512e496b7c8d9fcd3010a55e2e566881dc6dacaf0343652a4915d47829f

SHA512
b4b9fcecf8d277bb0ccbb25e08f3559e3fc519d85d8761d8ad5bca983d04eb55a20d3b742b15b9b31a7c9187da40ad5c48baa7a54664cae4c40aa253165cbaa2

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpED18.tmp.dat

Filesize
124KB

MD5
9618e15b04a4ddb39ed6c496575f6f95

SHA1
1c28f8750e5555776b3c80b187c5d15a443a7412

SHA256
a4cd72e529e60b5f74c50e4e5b159efaf80625f23534dd15a28203760b8b28ab

SHA512
f802582aa7510f6b950e3343b0560ffa9037c6d22373a6a33513637ab0f8e60ed23294a13ad8890935b02c64830b5232ba9f60d0c0fe90df02b5da30ecd7fa26

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpED29.tmp.dat

Filesize
96KB

MD5
40f3eb83cc9d4cdb0ad82bd5ff2fb824

SHA1
d6582ba879235049134fa9a351ca8f0f785d8835

SHA256
cdd772b00ae53d4050150552b67028b7344bb1d345bceb495151cc969c27a0a0

SHA512
cdd4dbf0b1ba73464cd7c5008dc05458862e5f608e336b53638a14965becd4781cdea595fd6bd18d0bf402dccffd719da292a6ce67d359527b4691dc6d6d4cc2

Download Submit
C:\Users\Admin\AppData\Local\cd715dd0cb9123424d92f63e0c63e92a\Admin@KZYBFHMK_en-US\Browsers\Firefox\Bookmarks.txt

Filesize
105B

MD5
2e9d094dda5cdc3ce6519f75943a4ff4

SHA1
5d989b4ac8b699781681fe75ed9ef98191a5096c

SHA256
c84c98bbf5e0ef9c8d0708b5d60c5bb656b7d6be5135d7f7a8d25557e08cf142

SHA512
d1f7eed00959e902bdb2125b91721460d3ff99f3bdfc1f2a343d4f58e8d4e5e5a06c0c6cdc0379211c94510f7c00d7a8b34fa7d0ca0c3d54cbbe878f1e9812b7

Download Submit
C:\Users\Admin\AppData\Local\cd715dd0cb9123424d92f63e0c63e92a\Admin@KZYBFHMK_en-US\Directories\Desktop.txt

Filesize
577B

MD5
b7df105de0f70313d6bb6afcdb37ef92

SHA1
e264a6b3de7add56b2cc753e8ff0bd8df34fcfee

SHA256
e967e0e7ed85ee8687e7afbe301ae2c738352175cc1508c1e02ebbbd56c8db1d

SHA512
3418edd57ea24a4881d721e641e21cb5bd5077f9890215536e597d734c6eed7296966a8a691dd0e9c0b299ab5253d084fbe2491d96d8bfe2315ca4ac8f513e16

Download Submit
C:\Users\Admin\AppData\Local\cd715dd0cb9123424d92f63e0c63e92a\Admin@KZYBFHMK_en-US\Directories\Documents.txt

Filesize
688B

MD5
ebc110a1d2301f47ea4e1499ea89737d

SHA1
0aed61258b622ccdb2cafc13085e89a98818b04b

SHA256
83077f0740c0beee3aab0bdb46f9a186f9bd86ebdd314e2fc24f1b1b9266caee

SHA512
35b3b9c533c7026fbe8e5d018d96c04fab8d35fb8e1a72a6852deb2de1e7c90b9b06e0bd64a4be2668f0fcae31d0af904e35ef59cfe299e806836fb5f192c2a0

Download Submit
C:\Users\Admin\AppData\Local\cd715dd0cb9123424d92f63e0c63e92a\Admin@KZYBFHMK_en-US\Directories\Downloads.txt

Filesize
636B

MD5
6e31d2473b5ff4c0225a8dffa1615725

SHA1
69902d9b91c1d1d71662609d20b3d20b3d66d4ef

SHA256
339dd734f62ffd0536e5c047102184c8d77b625583dbba35db6765b0347bf8cc

SHA512
9d3055bfa2c0a842bd369b3b964f8adb836630714fd2c33ea4ef8d31d454f856404598e71ea3a9a3274ec3cbd8dd8f421e15a5db86a62154db963d69812a0e21

Download Submit
C:\Users\Admin\AppData\Local\cd715dd0cb9123424d92f63e0c63e92a\Admin@KZYBFHMK_en-US\Directories\OneDrive.txt

Filesize
25B

MD5
966247eb3ee749e21597d73c4176bd52

SHA1
1e9e63c2872cef8f015d4b888eb9f81b00a35c79

SHA256
8ddfc481b1b6ae30815ecce8a73755862f24b3bb7fdebdbf099e037d53eb082e

SHA512
bd30aec68c070e86e3dec787ed26dd3d6b7d33d83e43cb2d50f9e2cff779fee4c96afbbe170443bd62874073a844beb29a69b10c72c54d7d444a8d86cfd7b5aa

Download Submit
C:\Users\Admin\AppData\Local\cd715dd0cb9123424d92f63e0c63e92a\Admin@KZYBFHMK_en-US\Directories\Pictures.txt

Filesize
502B

MD5
2ce9abe9bb6041c23b022f8c2ea9e9f2

SHA1
670e48273b23cc2620fbf4d2d7a2d0080cdcf2f7

SHA256
ef1be386126c6356f963f0e5f57bc671565404f88892d178cb4d8c5069d7962c

SHA512
afd55fca4139fc6a424cac6f16272873321cfcada8015bf889ce0180fd42bbc92d7d83b2fc230fe6086af2d17d2fc2e99dd87cb0d8e089685ef43c6e850cfa2f

Download Submit
C:\Users\Admin\AppData\Local\cd715dd0cb9123424d92f63e0c63e92a\Admin@KZYBFHMK_en-US\Directories\Startup.txt

Filesize
24B

MD5
68c93da4981d591704cea7b71cebfb97

SHA1
fd0f8d97463cd33892cc828b4ad04e03fc014fa6

SHA256
889ed51f9c16a4b989bda57957d3e132b1a9c117ee84e208207f2fa208a59483

SHA512
63455c726b55f2d4de87147a75ff04f2daa35278183969ccf185d23707840dd84363bec20d4e8c56252196ce555001ca0e61b3f4887d27577081fdef9e946402

Download Submit
C:\Users\Admin\AppData\Local\cd715dd0cb9123424d92f63e0c63e92a\Admin@KZYBFHMK_en-US\Directories\Temp.txt

Filesize
3KB

MD5
f249e2b2f6b7bc95308701f0bf18d23c

SHA1
49e3d058009197a4b24eae582e15b79de9394d7a

SHA256
1e8618aeea0b8dd2d8d7773d7bbf43606be950ef798869f6bd8ba6e4e8b58259

SHA512
3878473078b2b32e8de6bfedc0ec7611598b8f7f72d3694b5fafad284895c1d111ba27bcd8cab1cda727a1fa8778e57ffe294a437ce3d668f79419616f0a6df9

Download Submit
C:\Users\Admin\AppData\Local\cd715dd0cb9123424d92f63e0c63e92a\Admin@KZYBFHMK_en-US\Directories\Temp.txt

Filesize
3KB

MD5
b573ce38f233182fc3edda0d194b719a

SHA1
82876237eca1a5193362094741f7cf69785e89b5

SHA256
d17f0ce3998610525c6584d531afaaeafb3bd8a6a42a8b72e87d4d39ef01990d

SHA512
2015286a833aa9733f8c17909bf0758986bf0704ddff33c113cb208832656256a085269a5657687d10be74b3282e88be18d9a2732c11c8982f81ebd92321c3d1

Download Submit
C:\Users\Admin\AppData\Local\cd715dd0cb9123424d92f63e0c63e92a\Admin@KZYBFHMK_en-US\Directories\Videos.txt

Filesize
23B

MD5
1fddbf1169b6c75898b86e7e24bc7c1f

SHA1
d2091060cb5191ff70eb99c0088c182e80c20f8c

SHA256
a67aa329b7d878de61671e18cd2f4b011d11cbac67ea779818c6dafad2d70733

SHA512
20bfeafde7fec1753fef59de467bd4a3dd7fe627e8c44e95fe62b065a5768c4508e886ec5d898e911a28cf6365f455c9ab1ebe2386d17a76f53037f99061fd4d

Download Submit
C:\Users\Admin\AppData\Local\cd715dd0cb9123424d92f63e0c63e92a\Admin@KZYBFHMK_en-US\Grabber\DRIVE-C\Users\Admin\Desktop\desktop.ini

Filesize
282B

MD5
9e36cc3537ee9ee1e3b10fa4e761045b

SHA1
7726f55012e1e26cc762c9982e7c6c54ca7bb303

SHA256
4b9d687ac625690fd026ed4b236dad1cac90ef69e7ad256cc42766a065b50026

SHA512
5f92493c533d3add10b4ce2a364624817ebd10e32daa45ee16593e913073602db5e339430a3f7d2c44abf250e96ca4e679f1f09f8ca807d58a47cf3d5c9c3790

Download Submit
C:\Users\Admin\AppData\Local\cd715dd0cb9123424d92f63e0c63e92a\Admin@KZYBFHMK_en-US\Grabber\DRIVE-C\Users\Admin\Documents\desktop.ini

Filesize
402B

MD5
ecf88f261853fe08d58e2e903220da14

SHA1
f72807a9e081906654ae196605e681d5938a2e6c

SHA256
cafec240d998e4b6e92ad1329cd417e8e9cbd73157488889fd93a542de4a4844

SHA512
82c1c3dd163fbf7111c7ef5043b009dafc320c0c5e088dec16c835352c5ffb7d03c5829f65a9ff1dc357bae97e8d2f9c3fc1e531fe193e84811fb8c62888a36b

Download Submit
C:\Users\Admin\AppData\Local\cd715dd0cb9123424d92f63e0c63e92a\Admin@KZYBFHMK_en-US\Grabber\DRIVE-C\Users\Admin\Downloads\desktop.ini

Filesize
282B

MD5
3a37312509712d4e12d27240137ff377

SHA1
30ced927e23b584725cf16351394175a6d2a9577

SHA256
b029393ea7b7cf644fb1c9f984f57c1980077562ee2e15d0ffd049c4c48098d3

SHA512
dbb9abe70f8a781d141a71651a62a3a743c71a75a8305e9d23af92f7307fb639dc4a85499115885e2a781b040cbb7613f582544c2d6de521e588531e9c294b05

Download Submit
C:\Users\Admin\AppData\Local\cd715dd0cb9123424d92f63e0c63e92a\Admin@KZYBFHMK_en-US\Grabber\DRIVE-C\Users\Admin\Pictures\Camera Roll\desktop.ini

Filesize
190B

MD5
d48fce44e0f298e5db52fd5894502727

SHA1
fce1e65756138a3ca4eaaf8f7642867205b44897

SHA256
231a08caba1f9ba9f14bd3e46834288f3c351079fcedda15e391b724ac0c7ea8

SHA512
a1c0378db4e6dac9a8638586f6797bad877769d76334b976779cd90324029d755fb466260ef27bd1e7f9fdf97696cd8cd1318377970a1b5bf340efb12a4feb4a

Download Submit
C:\Users\Admin\AppData\Local\cd715dd0cb9123424d92f63e0c63e92a\Admin@KZYBFHMK_en-US\Grabber\DRIVE-C\Users\Admin\Pictures\Saved Pictures\desktop.ini

Filesize
190B

MD5
87a524a2f34307c674dba10708585a5e

SHA1
e0508c3f1496073b9f6f9ecb2fb01cb91f9e8201

SHA256
d01a7ef6233ef4ab3ea7210c0f2837931d334a20ae4d2a05ed03291e59e576c9

SHA512
7cfa6d47190075e1209fb081e36ed7e50e735c9682bfb482dbf5a36746abdad0dccfdb8803ef5042e155e8c1f326770f3c8f7aa32ce66cf3b47cd13781884c38

Download Submit
C:\Users\Admin\AppData\Local\cd715dd0cb9123424d92f63e0c63e92a\Admin@KZYBFHMK_en-US\Grabber\DRIVE-C\Users\Admin\Pictures\desktop.ini

Filesize
504B

MD5
29eae335b77f438e05594d86a6ca22ff

SHA1
d62ccc830c249de6b6532381b4c16a5f17f95d89

SHA256
88856962cef670c087eda4e07d8f78465beeabb6143b96bd90f884a80af925b4

SHA512
5d2d05403b39675b9a751c8eed4f86be58cb12431afec56946581cb116b9ae1014ab9334082740be5b4de4a25e190fe76de071ef1b9074186781477919eb3c17

Download Submit
C:\Users\Admin\AppData\Local\cd715dd0cb9123424d92f63e0c63e92a\Admin@KZYBFHMK_en-US\System\Process.txt

Filesize
1KB

MD5
2f4e5a5d911c3176535be35d779f7c80

SHA1
e4af2370baace8e74744af61dd54c4a117638b6a

SHA256
dd8f3752c93abb16bce6619a9f48c3a0875d44924dbe3c719422c489067511f0

SHA512
aa0d874db9c44de6abd1be45a84eeac4c78db5e2a3e9040a0898052a173cb0b7e44d0297d05beed4cd997fc00159c8bafcb96e31b422678471c1a0c980e761ba

Download Submit
C:\Users\Admin\AppData\Local\cd715dd0cb9123424d92f63e0c63e92a\Admin@KZYBFHMK_en-US\System\Process.txt

Filesize
4KB

MD5
308e7201dd093cd4d5399818ed3068cc

SHA1
beda9696e3ff798b0fa865ead4c5d4ed647f3101

SHA256
c420b2e98e7576fb998aecfc31c03b2db57151a8b5edd74c1da0c10e19ca8993

SHA512
6728f557788656d890f8466b3dede64f05b11bf7de999eedeb835576e5b52b340770d88b86fa35c658e94659720a1c2aa1809c1959b39eaa572bbfd1ce086474

Download Submit
C:\Users\Admin\AppData\Local\cd715dd0cb9123424d92f63e0c63e92a\Admin@KZYBFHMK_en-US\System\Process.txt

Filesize
5KB

MD5
ecec12fc17e4b60ede6caa3d80ee843e

SHA1
9d01b74ece2322b8d6fea58401174522cae98624

SHA256
ba6cafa332ff45c9ee12e33a1eb57e2577e433620719b86bceac18f402b50a8e

SHA512
84ce189d69ec39c8d1b62338586ed61659b0ab863e3b55ce72afb41af14f91be9244d87158f84a4386c482fc9654559806fb2c602471eb3998f4226de4c5a840

Download Submit
C:\Users\Admin\AppData\Local\cd715dd0cb9123424d92f63e0c63e92a\Admin@KZYBFHMK_en-US\System\Process.txt

Filesize
4KB

MD5
8d0df8dbef43e9161af38ee719c18010

SHA1
04ebf0d0cfb776c6f91da62f0ae8d3e4308d29bb

SHA256
d6adbf3d3ecddf05229b4305d2af94aaeb050567457c2b2104ee565e30738e13

SHA512
47cce3e3e611db9e9e190f23119a708fe9b7e74c8c0962fac15da4aad256b7b859d2a1c635f4b602c23a9709a4d0a0f24cf6f042243684f8d10395b4a57599ed

Download Submit
C:\Users\Admin\AppData\Local\cd715dd0cb9123424d92f63e0c63e92a\Admin@KZYBFHMK_en-US\System\ProductKey.txt

Filesize
29B

MD5
71eb5479298c7afc6d126fa04d2a9bde

SHA1
a9b3d5505cf9f84bb6c2be2acece53cb40075113

SHA256
f6cadfd4e4c25ff3b8cffe54a2af24a757a349abbf4e1142ec4c9789347fe8b3

SHA512
7c6687e21d31ec1d6d2eff04b07b465f875fd80df26677f1506b14158444cf55044eb6674880bd5bd44f04ff73023b26cb19b8837427a1d6655c96df52f140bd

Download Submit
C:\Users\Admin\AppData\Local\d529447d9052f8004e9665243f2ab53d\Admin@KZYBFHMK_en-US\System\Process.txt

Filesize
85B

MD5
1e5a58ffffcfe5f89bcbe3211a3b580a

SHA1
4cf6e0503b7f57418610851c5c9a9e504ae17829

SHA256
0eb7ebde4115f2421939e895a7aee07b7ae23f2a844bf08e04d0ca82e09b9eda

SHA512
fe67d960a8bd6ec3ee4e87b4901519244f9fcb3aec39dd576592ce7697e324afa2454603c3063d483690606208dab355c2da15a29605a899bae07158834d719a

Download Submit
C:\Users\Admin\AppData\Local\d529447d9052f8004e9665243f2ab53d\Admin@KZYBFHMK_en-US\System\Process.txt

Filesize
124B

MD5
1a06600fe717bff4f6ae3b182c8636d5

SHA1
3ffff6572a085dcc30e60c0b7dbcc6d00c276084

SHA256
78ae0ebcca57738a16e3be9e20779b916c000f93ebdc6a56fe43f58497893d85

SHA512
3ce009292d31cf4291c645c872d44d695a9c6c055947fc0a75ecf00049dc6c4c050e7d682f76f5ae2325664a0be06afde2ad7eb39fdec40de40c4a97322b3f40

Download Submit
C:\Users\Admin\AppData\Local\d529447d9052f8004e9665243f2ab53d\Admin@KZYBFHMK_en-US\System\Process.txt

Filesize
188B

MD5
53deefbbfd84ca9bbe18f21fdba9bbfa

SHA1
094934e01bcecbc8da5e881ce936391cae55b981

SHA256
e16653cfadaa0f349be3bd30c577ffc73764321c71b0b27f008df99ae9446a2c

SHA512
a1f70c83418e624cfc963096bff46b300cb2a8f276cd7466f28948239eef1c3fabab70a182d962946b7e60f052891f7cea5873ad8c4a59476a3e3832bd3089ee

Download Submit
C:\Users\Admin\AppData\Local\d529447d9052f8004e9665243f2ab53d\Admin@KZYBFHMK_en-US\System\Process.txt

Filesize
252B

MD5
08927779607e1e9366d6805ea865f8eb

SHA1
87bfe3d94962835fdeda98d615a8b9b63c530ed2

SHA256
d9488e74141751fa3de890fa47e75ae9aca068a080d151f3cd0b68de12634532

SHA512
115c5cc386d951927ccffa0e2802e65cd86595514736aa17549c98e983adca3599448191e896c606bb5eb1df4e83f701759fa12bfaea33a893438b9604cdf3ec

Download Submit
C:\Users\Admin\AppData\Local\d529447d9052f8004e9665243f2ab53d\Admin@KZYBFHMK_en-US\System\Process.txt

Filesize
316B

MD5
784608ee4930afaa40cb4bb6d80c6e00

SHA1
c116fc5e7ee582256104c8e87f22890fa317452a

SHA256
675888899f467c4142b5fd8d7171f129f6f97a163cccdffe6675de93c367fa94

SHA512
76940810ba16422e07ef82408203321eebde330cadbb5b027fc8b72f61e3ea594021345ae1702a2bbdc098c5925a0e4b50003425dd3efb81c4b6b759720e449b

Download Submit
C:\Users\Admin\AppData\Local\d529447d9052f8004e9665243f2ab53d\Admin@KZYBFHMK_en-US\System\Process.txt

Filesize
384B

MD5
cc8b9c45c458a5f9e493e6bf6fcf0a77

SHA1
071895b2ca0c58662e76c8f320797ab7cb86cfe1

SHA256
7804fd8ff696e1ae320b6d2b40c39fb13fe2e36251b1472d5501c548bdeffb89

SHA512
0ffa87402d078da44b70d934b43efb9745906a32c9c8a08260d44827f22e3a5982f3883c501b2fd22d0bbc6d642f950b6341f77dcc1729066c34bbcc2f77dfcd

Download Submit
C:\Users\Admin\AppData\Local\d529447d9052f8004e9665243f2ab53d\Admin@KZYBFHMK_en-US\System\Process.txt

Filesize
642B

MD5
c23a994ec1c720e143870320e478f934

SHA1
3468eb4ea6d630a927e53f0235e2bc8b567addac

SHA256
3ad82cb3c70f271779587b481c66888c31fb1da01feb2dbb9afbeb2d19ee9d2e

SHA512
730870e2dbc95f15d678cba703035bdb474b4fc8493169b56688634946f5f076082b93b681fd6cf1ec4b3d55d16518e5cb001edbcdd12c98da6acb5e9dc6ef2b

Download Submit
C:\Users\Admin\AppData\Local\d529447d9052f8004e9665243f2ab53d\Admin@KZYBFHMK_en-US\System\Process.txt

Filesize
4KB

MD5
c0dce982356ba726b5a54f9d29846ffb

SHA1
40f00e68a3786bee8f6bdf485247ddab467db82c

SHA256
956e95e7e22a623c94498883703bdcf3815e4d832cc377e9f3c6427917b66204

SHA512
648ce0aa1fd62665cf553e4954976a7c309aeb1037061a2c7272e3138901442c309b37e0afa4bdfdcefbcf7b5da1c7d4bccaf0ff63f885353a33446779309cc8

Download Submit
memory/1784-1539-0x000001F2E2300000-0x000001F2E2301000-memory.dmp

Filesize
4KB

Download
memory/1784-1548-0x000001F2E2300000-0x000001F2E2301000-memory.dmp

Filesize
4KB

Download
memory/1784-1540-0x000001F2E2300000-0x000001F2E2301000-memory.dmp

Filesize
4KB

Download
memory/1784-1543-0x000001F2E2300000-0x000001F2E2301000-memory.dmp

Filesize
4KB

Download
memory/1784-1541-0x000001F2E2300000-0x000001F2E2301000-memory.dmp

Filesize
4KB

Download
memory/1784-1544-0x000001F2E2300000-0x000001F2E2301000-memory.dmp

Filesize
4KB

Download
memory/1784-1545-0x000001F2E2300000-0x000001F2E2301000-memory.dmp

Filesize
4KB

Download
memory/1784-1546-0x000001F2E2300000-0x000001F2E2301000-memory.dmp

Filesize
4KB

Download
memory/1784-1547-0x000001F2E2300000-0x000001F2E2301000-memory.dmp

Filesize
4KB

Download
memory/4304-346-0x00000210F8B30000-0x00000210F8B31000-memory.dmp

Filesize
4KB

Download
memory/4304-345-0x00000210F8B30000-0x00000210F8B31000-memory.dmp

Filesize
4KB

Download
memory/4304-338-0x00000210F8B30000-0x00000210F8B31000-memory.dmp

Filesize
4KB

Download
memory/4304-336-0x00000210F8B30000-0x00000210F8B31000-memory.dmp

Filesize
4KB

Download
memory/4304-350-0x00000210F8B30000-0x00000210F8B31000-memory.dmp

Filesize
4KB

Download
memory/4304-349-0x00000210F8B30000-0x00000210F8B31000-memory.dmp

Filesize
4KB

Download
memory/4304-348-0x00000210F8B30000-0x00000210F8B31000-memory.dmp

Filesize
4KB

Download
memory/4304-347-0x00000210F8B30000-0x00000210F8B31000-memory.dmp

Filesize
4KB

Download
memory/4304-337-0x00000210F8B30000-0x00000210F8B31000-memory.dmp

Filesize
4KB

Download
memory/4304-344-0x00000210F8B30000-0x00000210F8B31000-memory.dmp

Filesize
4KB

Download
memory/4400-433-0x00000000061E0000-0x00000000061EA000-memory.dmp

Filesize
40KB

Download
memory/4400-35-0x0000000005580000-0x00000000055E6000-memory.dmp

Filesize
408KB

Download
memory/4400-592-0x0000000006700000-0x0000000006712000-memory.dmp

Filesize
72KB

Download
memory/4400-27-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/4456-0-0x00007FFCC73B3000-0x00007FFCC73B5000-memory.dmp

Filesize
8KB

Download
memory/4456-1-0x0000000000E20000-0x0000000000E7C000-memory.dmp

Filesize
368KB

Download
memory/4456-10-0x00007FFCC73B0000-0x00007FFCC7E71000-memory.dmp

Filesize
10.8MB

Download
memory/4456-17-0x00007FFCC73B0000-0x00007FFCC7E71000-memory.dmp

Filesize
10.8MB

Download
memory/4508-31-0x00007FFCC73B0000-0x00007FFCC7E71000-memory.dmp

Filesize
10.8MB

Download
memory/4508-16-0x00007FFCC73B0000-0x00007FFCC7E71000-memory.dmp

Filesize
10.8MB

Download
memory/4952-21-0x0000000005800000-0x0000000005892000-memory.dmp

Filesize
584KB

Download
memory/4952-19-0x00000000007B0000-0x0000000000808000-memory.dmp

Filesize
352KB

Download
memory/4952-20-0x0000000005DB0000-0x0000000006354000-memory.dmp

Filesize
5.6MB

Download
memory/4952-18-0x000000007470E000-0x000000007470F000-memory.dmp

Filesize
4KB

Download
memory/4952-22-0x00000000058A0000-0x00000000058EA000-memory.dmp

Filesize
296KB

Download
memory/4952-23-0x0000000005990000-0x0000000005A2C000-memory.dmp

Filesize
624KB

Download
memory/4952-24-0x00000000058F0000-0x00000000058FA000-memory.dmp

Filesize
40KB

Download