asyncrat | hxxps://mega[.]nz/file/Kn5hTBRD#fz4k9neyANHDQIjSdQ2XCNjuUo4-8fRVRVbU1II5i14

Analysis

max time kernel
82s
max time network
128s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
17-09-2024 17:26

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://mega.nz/file/Kn5hTBRD#fz4k9neyANHDQIjSdQ2XCNjuUo4-8fRVRVbU1II5i14

Score

10^/10

asyncrat stormkitty default credential_access discovery rat spyware stealer

Malware Config

Extracted

Family

asyncrat

Botnet

Default

127.0.0.1:6606

127.0.0.1:7707

127.0.0.1:8808

Mutex

AsyncMutex_6SI8OkPnk

Attributes

delay
3
install
false
install_folder
%AppData%

aes.plain

Signatures

AsyncRat
AsyncRAT is designed to remotely monitor and control other computers written in C#.
rat asyncrat
StormKitty
StormKitty is an open source info stealer written in C#.
stealer stormkitty

StormKitty payload 1 IoCs

Processes:

resource	yara_rule
behavioral1/memory/5524-373-0x0000000000400000-0x0000000000432000-memory.dmp	family_stormkitty

Credentials from Password Stores: Credentials from Web Browsers 1 TTPs
Malicious Access or copy of Web Browser Credential store.
credential_access stealer

Credentials from Web Browsers
T1555.003

Checks computer location settings 2 TTPs 7 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

RebelCracked.exeRebelCracked.exeRebelCracked.exeRebelCracked.exeRebelCracked.exeRebelCracked.exeRebelCracked.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\Control Panel\International\Geo\Nation	RebelCracked.exe
Key value queried	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\Control Panel\International\Geo\Nation	RebelCracked.exe
Key value queried	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\Control Panel\International\Geo\Nation	RebelCracked.exe
Key value queried	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\Control Panel\International\Geo\Nation	RebelCracked.exe
Key value queried	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\Control Panel\International\Geo\Nation	RebelCracked.exe
Key value queried	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\Control Panel\International\Geo\Nation	RebelCracked.exe
Key value queried	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\Control Panel\International\Geo\Nation	RebelCracked.exe

Executes dropped EXE 19 IoCs

Processes:

RebelCracked.exeRuntimeBroker.exeRebelCracked.exeRuntimeBroker.exeRuntimeBroker.exeRebelCracked.exeRuntimeBroker.exeRuntimeBroker.exeRebelCracked.exeRuntimeBroker.exeRuntimeBroker.exeRebelCracked.exeRuntimeBroker.exeRuntimeBroker.exeRebelCracked.exeRuntimeBroker.exeRuntimeBroker.exeRebelCracked.exeRuntimeBroker.exe

pid	process
5976	RebelCracked.exe
6008	RuntimeBroker.exe
3296	RebelCracked.exe
5524	RuntimeBroker.exe
5044	RuntimeBroker.exe
816	RebelCracked.exe
5836	RuntimeBroker.exe
764	RuntimeBroker.exe
4296	RebelCracked.exe
4968	RuntimeBroker.exe
5300	RuntimeBroker.exe
5692	RebelCracked.exe
3576	RuntimeBroker.exe
4040	RuntimeBroker.exe
4372	RebelCracked.exe
5980	RuntimeBroker.exe
5188	RuntimeBroker.exe
4504	RebelCracked.exe
5044	RuntimeBroker.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops desktop.ini file(s) 21 IoCs

Processes:

RuntimeBroker.exeRuntimeBroker.exeRuntimeBroker.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Local\c236eda9d7f89f5139e8594421200a40\Admin@UXMRPRRI_en-US\Grabber\DRIVE-C\Users\Admin\Pictures\Saved Pictures\desktop.ini	RuntimeBroker.exe
File created	C:\Users\Admin\AppData\Local\c236eda9d7f89f5139e8594421200a40\Admin@UXMRPRRI_en-US\Grabber\DRIVE-C\Users\Admin\Documents\desktop.ini	RuntimeBroker.exe
File created	C:\Users\Admin\AppData\Local\e1e26908cff153ff03d59ace309163ae\Admin@UXMRPRRI_en-US\Grabber\DRIVE-C\Users\Admin\Desktop\desktop.ini	RuntimeBroker.exe
File created	C:\Users\Admin\AppData\Local\e1e26908cff153ff03d59ace309163ae\Admin@UXMRPRRI_en-US\Grabber\DRIVE-C\Users\Admin\Downloads\desktop.ini	RuntimeBroker.exe
File created	C:\Users\Admin\AppData\Local\94303f4f5dd44a5e2d9f9be2d9d4ea6a\Admin@UXMRPRRI_en-US\Grabber\DRIVE-C\Users\Admin\Downloads\desktop.ini	RuntimeBroker.exe
File opened for modification	C:\Users\Admin\AppData\Local\c236eda9d7f89f5139e8594421200a40\Admin@UXMRPRRI_en-US\Grabber\DRIVE-C\Users\Admin\Desktop\desktop.ini	RuntimeBroker.exe
File created	C:\Users\Admin\AppData\Local\c236eda9d7f89f5139e8594421200a40\Admin@UXMRPRRI_en-US\Grabber\DRIVE-C\Users\Admin\Pictures\Camera Roll\desktop.ini	RuntimeBroker.exe
File created	C:\Users\Admin\AppData\Local\c236eda9d7f89f5139e8594421200a40\Admin@UXMRPRRI_en-US\Grabber\DRIVE-C\Users\Admin\Downloads\desktop.ini	RuntimeBroker.exe
File opened for modification	C:\Users\Admin\AppData\Local\e1e26908cff153ff03d59ace309163ae\Admin@UXMRPRRI_en-US\Grabber\DRIVE-C\Users\Admin\Desktop\desktop.ini	RuntimeBroker.exe
File created	C:\Users\Admin\AppData\Local\e1e26908cff153ff03d59ace309163ae\Admin@UXMRPRRI_en-US\Grabber\DRIVE-C\Users\Admin\Pictures\Camera Roll\desktop.ini	RuntimeBroker.exe
File created	C:\Users\Admin\AppData\Local\e1e26908cff153ff03d59ace309163ae\Admin@UXMRPRRI_en-US\Grabber\DRIVE-C\Users\Admin\Pictures\Saved Pictures\desktop.ini	RuntimeBroker.exe
File created	C:\Users\Admin\AppData\Local\94303f4f5dd44a5e2d9f9be2d9d4ea6a\Admin@UXMRPRRI_en-US\Grabber\DRIVE-C\Users\Admin\Desktop\desktop.ini	RuntimeBroker.exe
File created	C:\Users\Admin\AppData\Local\94303f4f5dd44a5e2d9f9be2d9d4ea6a\Admin@UXMRPRRI_en-US\Grabber\DRIVE-C\Users\Admin\Pictures\desktop.ini	RuntimeBroker.exe
File created	C:\Users\Admin\AppData\Local\94303f4f5dd44a5e2d9f9be2d9d4ea6a\Admin@UXMRPRRI_en-US\Grabber\DRIVE-C\Users\Admin\Documents\desktop.ini	RuntimeBroker.exe
File created	C:\Users\Admin\AppData\Local\94303f4f5dd44a5e2d9f9be2d9d4ea6a\Admin@UXMRPRRI_en-US\Grabber\DRIVE-C\Users\Admin\Pictures\Saved Pictures\desktop.ini	RuntimeBroker.exe
File created	C:\Users\Admin\AppData\Local\c236eda9d7f89f5139e8594421200a40\Admin@UXMRPRRI_en-US\Grabber\DRIVE-C\Users\Admin\Pictures\desktop.ini	RuntimeBroker.exe
File created	C:\Users\Admin\AppData\Local\e1e26908cff153ff03d59ace309163ae\Admin@UXMRPRRI_en-US\Grabber\DRIVE-C\Users\Admin\Pictures\desktop.ini	RuntimeBroker.exe
File created	C:\Users\Admin\AppData\Local\e1e26908cff153ff03d59ace309163ae\Admin@UXMRPRRI_en-US\Grabber\DRIVE-C\Users\Admin\Documents\desktop.ini	RuntimeBroker.exe
File opened for modification	C:\Users\Admin\AppData\Local\94303f4f5dd44a5e2d9f9be2d9d4ea6a\Admin@UXMRPRRI_en-US\Grabber\DRIVE-C\Users\Admin\Desktop\desktop.ini	RuntimeBroker.exe
File created	C:\Users\Admin\AppData\Local\94303f4f5dd44a5e2d9f9be2d9d4ea6a\Admin@UXMRPRRI_en-US\Grabber\DRIVE-C\Users\Admin\Pictures\Camera Roll\desktop.ini	RuntimeBroker.exe
File created	C:\Users\Admin\AppData\Local\c236eda9d7f89f5139e8594421200a40\Admin@UXMRPRRI_en-US\Grabber\DRIVE-C\Users\Admin\Desktop\desktop.ini	RuntimeBroker.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 9 IoCs

Web Service
T1102

Processes:

flow ioc

122 pastebin.com
134 pastebin.com
145 pastebin.com
146 pastebin.com
102 pastebin.com
116 pastebin.com
129 pastebin.com
103 pastebin.com
110 pastebin.com
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

89 icanhazip.com
Looks up geolocation information via web service
Uses a legitimate geolocation service to find the infected system's geolocation info.

flow	ioc
122	pastebin.com
134	pastebin.com
145	pastebin.com
146	pastebin.com
102	pastebin.com
116	pastebin.com
129	pastebin.com
103	pastebin.com
110	pastebin.com

flow	ioc
89	icanhazip.com

Suspicious use of SetThreadContext 6 IoCs

Processes:

RuntimeBroker.exeRuntimeBroker.exeRuntimeBroker.exeRuntimeBroker.exeRuntimeBroker.exeRuntimeBroker.exe

description	pid	process	target process
PID 6008 set thread context of 5524	6008	RuntimeBroker.exe	RuntimeBroker.exe
PID 5044 set thread context of 5836	5044	RuntimeBroker.exe	RuntimeBroker.exe
PID 764 set thread context of 4968	764	RuntimeBroker.exe	RuntimeBroker.exe
PID 5300 set thread context of 3576	5300	RuntimeBroker.exe	RuntimeBroker.exe
PID 4040 set thread context of 5980	4040	RuntimeBroker.exe	RuntimeBroker.exe
PID 5188 set thread context of 5044	5188	RuntimeBroker.exe	RuntimeBroker.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 12 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

RuntimeBroker.exeRuntimeBroker.exeRuntimeBroker.exeRuntimeBroker.exeRuntimeBroker.exeRuntimeBroker.exeRuntimeBroker.exeRuntimeBroker.exeRuntimeBroker.exeRuntimeBroker.exeRuntimeBroker.exeRuntimeBroker.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RuntimeBroker.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RuntimeBroker.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RuntimeBroker.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RuntimeBroker.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RuntimeBroker.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RuntimeBroker.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RuntimeBroker.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RuntimeBroker.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RuntimeBroker.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RuntimeBroker.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RuntimeBroker.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RuntimeBroker.exe

System Network Configuration Discovery: Wi-Fi Discovery 1 TTPs 20 IoCs

Adversaries may search for information about Wi-Fi networks, such as network names and passwords, on compromised systems.

discovery

Wi-Fi Discovery

T1016.002

Processes:

cmd.exenetsh.execmd.exenetsh.execmd.exenetsh.execmd.exenetsh.exenetsh.execmd.exenetsh.execmd.execmd.exenetsh.execmd.execmd.exenetsh.exenetsh.execmd.exenetsh.exe

pid	process
4956	cmd.exe
5392	netsh.exe
6064	cmd.exe
5712	netsh.exe
3340	cmd.exe
1224	netsh.exe
5072	cmd.exe
5976	netsh.exe
5004	netsh.exe
3056	cmd.exe
5196	netsh.exe
3084	cmd.exe
5568	cmd.exe
5696	netsh.exe
1500	cmd.exe
5672	cmd.exe
4584	netsh.exe
5936	netsh.exe
516	cmd.exe
2128	netsh.exe

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

taskmgr.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	taskmgr.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName	taskmgr.exe

Enumerates system info in registry 2 TTPs 6 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

chrome.exemsedge.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Modifies registry class 2 IoCs

Processes:

msedge.exeOpenWith.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000_Classes\Local Settings	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000_Classes\Local Settings	OpenWith.exe

Opens file in notepad (likely ransom note) 1 IoCs
ransomware

Processes:

NOTEPAD.EXE

pid process

5148 NOTEPAD.EXE

pid	process
5148	NOTEPAD.EXE

Suspicious behavior: EnumeratesProcesses 40 IoCs

Processes:

msedge.exemsedge.exeidentity_helper.exemsedge.exechrome.exetaskmgr.exeRuntimeBroker.exeRuntimeBroker.exeRuntimeBroker.exe

pid	process
4300	msedge.exe
4300	msedge.exe
5116	msedge.exe
5116	msedge.exe
5116	msedge.exe
1084	identity_helper.exe
1084	identity_helper.exe
3576	msedge.exe
3576	msedge.exe
5272	chrome.exe
5272	chrome.exe
6076	taskmgr.exe
6076	taskmgr.exe
6076	taskmgr.exe
6076	taskmgr.exe
6076	taskmgr.exe
6076	taskmgr.exe
5524	RuntimeBroker.exe
5524	RuntimeBroker.exe
5524	RuntimeBroker.exe
6076	taskmgr.exe
6076	taskmgr.exe
5836	RuntimeBroker.exe
5836	RuntimeBroker.exe
5836	RuntimeBroker.exe
5524	RuntimeBroker.exe
5524	RuntimeBroker.exe
6076	taskmgr.exe
6076	taskmgr.exe
5836	RuntimeBroker.exe
5836	RuntimeBroker.exe
4968	RuntimeBroker.exe
4968	RuntimeBroker.exe
4968	RuntimeBroker.exe
5524	RuntimeBroker.exe
5524	RuntimeBroker.exe
6076	taskmgr.exe
5524	RuntimeBroker.exe
5524	RuntimeBroker.exe
6076	taskmgr.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 10 IoCs

Processes:

msedge.exechrome.exe

pid	process
5116	msedge.exe
5116	msedge.exe
5116	msedge.exe
5116	msedge.exe
5116	msedge.exe
5116	msedge.exe
5116	msedge.exe
5272	chrome.exe
5272	chrome.exe
5272	chrome.exe

Suspicious use of AdjustPrivilegeToken 19 IoCs

Processes:

AUDIODG.EXEchrome.exe7zG.exeRuntimeBroker.exeRuntimeBroker.exeRuntimeBroker.exetaskmgr.exeRuntimeBroker.exeRuntimeBroker.exeRuntimeBroker.exe

description	pid	process
Token: 33	3188	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	3188	AUDIODG.EXE
Token: SeShutdownPrivilege	5272	chrome.exe
Token: SeCreatePagefilePrivilege	5272	chrome.exe
Token: SeShutdownPrivilege	5272	chrome.exe
Token: SeCreatePagefilePrivilege	5272	chrome.exe
Token: SeRestorePrivilege	6060	7zG.exe
Token: 35	6060	7zG.exe
Token: SeSecurityPrivilege	6060	7zG.exe
Token: SeSecurityPrivilege	6060	7zG.exe
Token: SeDebugPrivilege	5524	RuntimeBroker.exe
Token: SeDebugPrivilege	5836	RuntimeBroker.exe
Token: SeDebugPrivilege	4968	RuntimeBroker.exe
Token: SeDebugPrivilege	6076	taskmgr.exe
Token: SeSystemProfilePrivilege	6076	taskmgr.exe
Token: SeCreateGlobalPrivilege	6076	taskmgr.exe
Token: SeDebugPrivilege	3576	RuntimeBroker.exe
Token: SeDebugPrivilege	5980	RuntimeBroker.exe
Token: SeDebugPrivilege	5044	RuntimeBroker.exe

Suspicious use of FindShellTrayWindow 64 IoCs

Processes:

msedge.exechrome.exe7zG.exetaskmgr.exe

pid	process
5116	msedge.exe
5116	msedge.exe
5116	msedge.exe
5116	msedge.exe
5116	msedge.exe
5116	msedge.exe
5116	msedge.exe
5116	msedge.exe
5116	msedge.exe
5116	msedge.exe
5116	msedge.exe
5116	msedge.exe
5116	msedge.exe
5116	msedge.exe
5116	msedge.exe
5116	msedge.exe
5116	msedge.exe
5116	msedge.exe
5116	msedge.exe
5116	msedge.exe
5116	msedge.exe
5116	msedge.exe
5116	msedge.exe
5116	msedge.exe
5116	msedge.exe
5116	msedge.exe
5116	msedge.exe
5116	msedge.exe
5116	msedge.exe
5116	msedge.exe
5116	msedge.exe
5116	msedge.exe
5116	msedge.exe
5272	chrome.exe
5272	chrome.exe
5272	chrome.exe
5272	chrome.exe
5272	chrome.exe
5272	chrome.exe
5272	chrome.exe
5272	chrome.exe
5272	chrome.exe
5272	chrome.exe
5272	chrome.exe
5272	chrome.exe
5272	chrome.exe
5272	chrome.exe
5272	chrome.exe
5272	chrome.exe
5272	chrome.exe
5272	chrome.exe
5272	chrome.exe
5272	chrome.exe
5272	chrome.exe
5272	chrome.exe
5272	chrome.exe
5272	chrome.exe
5272	chrome.exe
5272	chrome.exe
5272	chrome.exe
6060	7zG.exe
6076	taskmgr.exe
6076	taskmgr.exe
6076	taskmgr.exe

Suspicious use of SendNotifyMessage 64 IoCs

Processes:

msedge.exechrome.exetaskmgr.exe

pid	process
5116	msedge.exe
5116	msedge.exe
5116	msedge.exe
5116	msedge.exe
5116	msedge.exe
5116	msedge.exe
5116	msedge.exe
5116	msedge.exe
5116	msedge.exe
5116	msedge.exe
5116	msedge.exe
5116	msedge.exe
5116	msedge.exe
5116	msedge.exe
5116	msedge.exe
5116	msedge.exe
5116	msedge.exe
5116	msedge.exe
5116	msedge.exe
5116	msedge.exe
5116	msedge.exe
5116	msedge.exe
5116	msedge.exe
5116	msedge.exe
5272	chrome.exe
5272	chrome.exe
5272	chrome.exe
5272	chrome.exe
5272	chrome.exe
5272	chrome.exe
5272	chrome.exe
5272	chrome.exe
5272	chrome.exe
5272	chrome.exe
5272	chrome.exe
5272	chrome.exe
5272	chrome.exe
5272	chrome.exe
5272	chrome.exe
5272	chrome.exe
5272	chrome.exe
5272	chrome.exe
5272	chrome.exe
5272	chrome.exe
5272	chrome.exe
5272	chrome.exe
5272	chrome.exe
5272	chrome.exe
6076	taskmgr.exe
6076	taskmgr.exe
6076	taskmgr.exe
6076	taskmgr.exe
6076	taskmgr.exe
6076	taskmgr.exe
6076	taskmgr.exe
6076	taskmgr.exe
6076	taskmgr.exe
6076	taskmgr.exe
6076	taskmgr.exe
6076	taskmgr.exe
6076	taskmgr.exe
6076	taskmgr.exe
6076	taskmgr.exe
6076	taskmgr.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

OpenWith.exe

pid process

5156 OpenWith.exe

pid	process
5156	OpenWith.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

msedge.exe

description	pid	process	target process
PID 5116 wrote to memory of 4996	5116	msedge.exe	msedge.exe
PID 5116 wrote to memory of 4996	5116	msedge.exe	msedge.exe
PID 5116 wrote to memory of 2544	5116	msedge.exe	msedge.exe
PID 5116 wrote to memory of 2544	5116	msedge.exe	msedge.exe
PID 5116 wrote to memory of 2544	5116	msedge.exe	msedge.exe
PID 5116 wrote to memory of 2544	5116	msedge.exe	msedge.exe
PID 5116 wrote to memory of 2544	5116	msedge.exe	msedge.exe
PID 5116 wrote to memory of 2544	5116	msedge.exe	msedge.exe
PID 5116 wrote to memory of 2544	5116	msedge.exe	msedge.exe
PID 5116 wrote to memory of 2544	5116	msedge.exe	msedge.exe
PID 5116 wrote to memory of 2544	5116	msedge.exe	msedge.exe
PID 5116 wrote to memory of 2544	5116	msedge.exe	msedge.exe
PID 5116 wrote to memory of 2544	5116	msedge.exe	msedge.exe
PID 5116 wrote to memory of 2544	5116	msedge.exe	msedge.exe
PID 5116 wrote to memory of 2544	5116	msedge.exe	msedge.exe
PID 5116 wrote to memory of 2544	5116	msedge.exe	msedge.exe
PID 5116 wrote to memory of 2544	5116	msedge.exe	msedge.exe
PID 5116 wrote to memory of 2544	5116	msedge.exe	msedge.exe
PID 5116 wrote to memory of 2544	5116	msedge.exe	msedge.exe
PID 5116 wrote to memory of 2544	5116	msedge.exe	msedge.exe
PID 5116 wrote to memory of 2544	5116	msedge.exe	msedge.exe
PID 5116 wrote to memory of 2544	5116	msedge.exe	msedge.exe
PID 5116 wrote to memory of 2544	5116	msedge.exe	msedge.exe
PID 5116 wrote to memory of 2544	5116	msedge.exe	msedge.exe
PID 5116 wrote to memory of 2544	5116	msedge.exe	msedge.exe
PID 5116 wrote to memory of 2544	5116	msedge.exe	msedge.exe
PID 5116 wrote to memory of 2544	5116	msedge.exe	msedge.exe
PID 5116 wrote to memory of 2544	5116	msedge.exe	msedge.exe
PID 5116 wrote to memory of 2544	5116	msedge.exe	msedge.exe
PID 5116 wrote to memory of 2544	5116	msedge.exe	msedge.exe
PID 5116 wrote to memory of 2544	5116	msedge.exe	msedge.exe
PID 5116 wrote to memory of 2544	5116	msedge.exe	msedge.exe
PID 5116 wrote to memory of 2544	5116	msedge.exe	msedge.exe
PID 5116 wrote to memory of 2544	5116	msedge.exe	msedge.exe
PID 5116 wrote to memory of 2544	5116	msedge.exe	msedge.exe
PID 5116 wrote to memory of 2544	5116	msedge.exe	msedge.exe
PID 5116 wrote to memory of 2544	5116	msedge.exe	msedge.exe
PID 5116 wrote to memory of 2544	5116	msedge.exe	msedge.exe
PID 5116 wrote to memory of 2544	5116	msedge.exe	msedge.exe
PID 5116 wrote to memory of 2544	5116	msedge.exe	msedge.exe
PID 5116 wrote to memory of 2544	5116	msedge.exe	msedge.exe
PID 5116 wrote to memory of 2544	5116	msedge.exe	msedge.exe
PID 5116 wrote to memory of 4300	5116	msedge.exe	msedge.exe
PID 5116 wrote to memory of 4300	5116	msedge.exe	msedge.exe
PID 5116 wrote to memory of 2288	5116	msedge.exe	msedge.exe
PID 5116 wrote to memory of 2288	5116	msedge.exe	msedge.exe
PID 5116 wrote to memory of 2288	5116	msedge.exe	msedge.exe
PID 5116 wrote to memory of 2288	5116	msedge.exe	msedge.exe
PID 5116 wrote to memory of 2288	5116	msedge.exe	msedge.exe
PID 5116 wrote to memory of 2288	5116	msedge.exe	msedge.exe
PID 5116 wrote to memory of 2288	5116	msedge.exe	msedge.exe
PID 5116 wrote to memory of 2288	5116	msedge.exe	msedge.exe
PID 5116 wrote to memory of 2288	5116	msedge.exe	msedge.exe
PID 5116 wrote to memory of 2288	5116	msedge.exe	msedge.exe
PID 5116 wrote to memory of 2288	5116	msedge.exe	msedge.exe
PID 5116 wrote to memory of 2288	5116	msedge.exe	msedge.exe
PID 5116 wrote to memory of 2288	5116	msedge.exe	msedge.exe
PID 5116 wrote to memory of 2288	5116	msedge.exe	msedge.exe
PID 5116 wrote to memory of 2288	5116	msedge.exe	msedge.exe
PID 5116 wrote to memory of 2288	5116	msedge.exe	msedge.exe
PID 5116 wrote to memory of 2288	5116	msedge.exe	msedge.exe
PID 5116 wrote to memory of 2288	5116	msedge.exe	msedge.exe
PID 5116 wrote to memory of 2288	5116	msedge.exe	msedge.exe
PID 5116 wrote to memory of 2288	5116	msedge.exe	msedge.exe

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://mega.nz/file/Kn5hTBRD#fz4k9neyANHDQIjSdQ2XCNjuUo4-8fRVRVbU1II5i14
1⤵
- Enumerates system info in registry
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:5116
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffdbe2446f8,0x7ffdbe244708,0x7ffdbe244718
  2⤵
  PID:4996
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2040,2000163949042239150,12404334354100655709,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2084 /prefetch:2
  2⤵
  PID:2544
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2040,2000163949042239150,12404334354100655709,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2152 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4300
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2040,2000163949042239150,12404334354100655709,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2752 /prefetch:8
  2⤵
  PID:2288
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2040,2000163949042239150,12404334354100655709,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3304 /prefetch:1
  2⤵
  PID:8
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2040,2000163949042239150,12404334354100655709,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3312 /prefetch:1
  2⤵
  PID:2428
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2040,2000163949042239150,12404334354100655709,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5236 /prefetch:1
  2⤵
  PID:3808
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2040,2000163949042239150,12404334354100655709,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5260 /prefetch:1
  2⤵
  PID:3248
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2040,2000163949042239150,12404334354100655709,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5696 /prefetch:8
  2⤵
  PID:1464
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2040,2000163949042239150,12404334354100655709,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5696 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1084
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2040,2000163949042239150,12404334354100655709,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5612 /prefetch:1
  2⤵
  PID:1200
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2040,2000163949042239150,12404334354100655709,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5756 /prefetch:1
  2⤵
  PID:4844
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=2040,2000163949042239150,12404334354100655709,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=3392 /prefetch:8
  2⤵
  PID:2640
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2040,2000163949042239150,12404334354100655709,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=5344 /prefetch:8
  2⤵
  PID:3248
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2040,2000163949042239150,12404334354100655709,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5504 /prefetch:1
  2⤵
  PID:3504
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2040,2000163949042239150,12404334354100655709,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5992 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3576
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2040,2000163949042239150,12404334354100655709,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2644 /prefetch:2
  2⤵
  PID:5072

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2736

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4128

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x300 0x4dc
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:3188

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:5156

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:5272
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0x118,0x11c,0x120,0xf4,0x124,0x7ffdab99cc40,0x7ffdab99cc4c,0x7ffdab99cc58
  2⤵
  PID:5348
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=2160,i,17692773608056234500,6520091213290122454,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=2156 /prefetch:2
  2⤵
  PID:5516
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=1988,i,17692773608056234500,6520091213290122454,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=2192 /prefetch:3
  2⤵
  PID:5528
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2320,i,17692773608056234500,6520091213290122454,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=2488 /prefetch:8
  2⤵
  PID:5568
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3196,i,17692773608056234500,6520091213290122454,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=3216 /prefetch:1
  2⤵
  PID:5816
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3252,i,17692773608056234500,6520091213290122454,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=3360 /prefetch:1
  2⤵
  PID:5824
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=4616,i,17692773608056234500,6520091213290122454,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=4580 /prefetch:1
  2⤵
  PID:6100

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
1⤵
PID:5880

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:5820

C:\Program Files\7-Zip\7zG.exe
"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Downloads\" -an -ai#7zMap14234:70:7zEvent424
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:6060

C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\Rebel\ReadMe.txt
1⤵
- Opens file in notepad (likely ransom note)
PID:5148

C:\Users\Admin\Desktop\Rebel\RebelCracked.exe
"C:\Users\Admin\Desktop\Rebel\RebelCracked.exe"
1⤵
- Checks computer location settings
- Executes dropped EXE
PID:5976
- C:\Users\Admin\AppData\Local\RuntimeBroker.exe
  "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  PID:6008
- - C:\Users\Admin\AppData\Local\RuntimeBroker.exe
    "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
    3⤵
    PID:5412
- - C:\Users\Admin\AppData\Local\RuntimeBroker.exe
    "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
    3⤵
    - Executes dropped EXE
    - Drops desktop.ini file(s)
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:5524
  - - C:\Windows\SysWOW64\cmd.exe
      "cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All
      4⤵
      System Network Configuration Discovery: Wi-Fi Discovery
      PID:3056
    - - C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        5⤵
        
        PID:5712
    - - C:\Windows\SysWOW64\netsh.exe
        
        netsh wlan show profile
        5⤵
        System Network Configuration Discovery: Wi-Fi Discovery
        
        PID:5196
    - - C:\Windows\SysWOW64\findstr.exe
        
        findstr All
        5⤵
        
        PID:3672
  - - C:\Windows\SysWOW64\cmd.exe
      "cmd.exe" /C chcp 65001 && netsh wlan show networks mode=bssid
      4⤵
      PID:5976
    - - C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        5⤵
        
        PID:5332
    - - C:\Windows\SysWOW64\netsh.exe
        
        netsh wlan show networks mode=bssid
        5⤵
        
        PID:1212
- C:\Users\Admin\Desktop\Rebel\RebelCracked.exe
  "C:\Users\Admin\Desktop\Rebel\RebelCracked.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  PID:3296
- - C:\Users\Admin\AppData\Local\RuntimeBroker.exe
    "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    PID:5044
  - - C:\Users\Admin\AppData\Local\RuntimeBroker.exe
      "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
      4⤵
      Executes dropped EXE
      Drops desktop.ini file(s)
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:5836
    - - C:\Windows\SysWOW64\cmd.exe
        
        "cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All
        5⤵
        System Network Configuration Discovery: Wi-Fi Discovery
        
        PID:5568
      - C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        6⤵
        
        PID:4920
      - C:\Windows\SysWOW64\netsh.exe
        
        netsh wlan show profile
        6⤵
        System Network Configuration Discovery: Wi-Fi Discovery
        
        PID:5696
      - C:\Windows\SysWOW64\findstr.exe
        
        findstr All
        6⤵
        
        PID:5192
    - - C:\Windows\SysWOW64\cmd.exe
        
        "cmd.exe" /C chcp 65001 && netsh wlan show networks mode=bssid
        5⤵
        
        PID:4532
      - C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        6⤵
        
        PID:2444
      - C:\Windows\SysWOW64\netsh.exe
        
        netsh wlan show networks mode=bssid
        6⤵
        
        PID:3248
- - C:\Users\Admin\Desktop\Rebel\RebelCracked.exe
    "C:\Users\Admin\Desktop\Rebel\RebelCracked.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    PID:816
  - - C:\Users\Admin\AppData\Local\RuntimeBroker.exe
      "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of SetThreadContext
      System Location Discovery: System Language Discovery
      PID:764
    - - C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        5⤵
        Executes dropped EXE
        Drops desktop.ini file(s)
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4968
      - C:\Windows\SysWOW64\cmd.exe
        
        "cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All
        6⤵
        System Network Configuration Discovery: Wi-Fi Discovery
        
        PID:3340
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        7⤵
        
        PID:5864
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh wlan show profile
        7⤵
        System Network Configuration Discovery: Wi-Fi Discovery
        
        PID:5004
        
        C:\Windows\SysWOW64\findstr.exe
        
        findstr All
        7⤵
        
        PID:2384
      - C:\Windows\SysWOW64\cmd.exe
        
        "cmd.exe" /C chcp 65001 && netsh wlan show networks mode=bssid
        6⤵
        
        PID:2392
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        7⤵
        
        PID:5828
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh wlan show networks mode=bssid
        7⤵
        
        PID:3500
  - - C:\Users\Admin\Desktop\Rebel\RebelCracked.exe
      "C:\Users\Admin\Desktop\Rebel\RebelCracked.exe"
      4⤵
      Checks computer location settings
      Executes dropped EXE
      PID:4296
    - - C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:5300
      - C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        6⤵
        
        PID:4512
      - C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:3576
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All
        7⤵
        System Network Configuration Discovery: Wi-Fi Discovery
        
        PID:3084
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        8⤵
        
        PID:1520
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh wlan show profile
        8⤵
        System Network Configuration Discovery: Wi-Fi Discovery
        
        PID:5936
        
        C:\Windows\SysWOW64\findstr.exe
        
        findstr All
        8⤵
        
        PID:5928
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd.exe" /C chcp 65001 && netsh wlan show networks mode=bssid
        7⤵
        
        PID:3772
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        8⤵
        
        PID:2916
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh wlan show networks mode=bssid
        8⤵
        
        PID:4508
    - - C:\Users\Admin\Desktop\Rebel\RebelCracked.exe
        
        "C:\Users\Admin\Desktop\Rebel\RebelCracked.exe"
        5⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:5692
      - C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        6⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:4040
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        7⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:5980
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All
        8⤵
        System Network Configuration Discovery: Wi-Fi Discovery
        
        PID:4956
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        9⤵
        
        PID:6048
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh wlan show profile
        9⤵
        System Network Configuration Discovery: Wi-Fi Discovery
        
        PID:2128
        
        C:\Windows\SysWOW64\findstr.exe
        
        findstr All
        9⤵
        
        PID:5712
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd.exe" /C chcp 65001 && netsh wlan show networks mode=bssid
        8⤵
        
        PID:5932
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        9⤵
        
        PID:5228
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh wlan show networks mode=bssid
        9⤵
        
        PID:4552
      - C:\Users\Admin\Desktop\Rebel\RebelCracked.exe
        
        "C:\Users\Admin\Desktop\Rebel\RebelCracked.exe"
        6⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:4372
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        7⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:5188
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        8⤵
        
        PID:6004
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        8⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:5044
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All
        9⤵
        System Network Configuration Discovery: Wi-Fi Discovery
        
        PID:1500
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        10⤵
        
        PID:3640
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh wlan show profile
        10⤵
        System Network Configuration Discovery: Wi-Fi Discovery
        
        PID:1224
        
        C:\Windows\SysWOW64\findstr.exe
        
        findstr All
        10⤵
        
        PID:5576
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd.exe" /C chcp 65001 && netsh wlan show networks mode=bssid
        9⤵
        
        PID:5396
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        10⤵
        
        PID:1860
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh wlan show networks mode=bssid
        10⤵
        
        PID:5556
        
        C:\Users\Admin\Desktop\Rebel\RebelCracked.exe
        
        "C:\Users\Admin\Desktop\Rebel\RebelCracked.exe"
        7⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:4504
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        8⤵
        
        PID:5236
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        9⤵
        
        PID:4044
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All
        10⤵
        System Network Configuration Discovery: Wi-Fi Discovery
        
        PID:5672
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        11⤵
        
        PID:4692
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh wlan show profile
        11⤵
        System Network Configuration Discovery: Wi-Fi Discovery
        
        PID:4584
        
        C:\Windows\SysWOW64\findstr.exe
        
        findstr All
        11⤵
        
        PID:1828
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd.exe" /C chcp 65001 && netsh wlan show networks mode=bssid
        10⤵
        
        PID:5228
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        11⤵
        
        PID:5892
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh wlan show networks mode=bssid
        11⤵
        
        PID:5392
        
        C:\Users\Admin\Desktop\Rebel\RebelCracked.exe
        
        "C:\Users\Admin\Desktop\Rebel\RebelCracked.exe"
        8⤵
        
        PID:4332
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        9⤵
        
        PID:4036
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        10⤵
        
        PID:2928
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All
        11⤵
        System Network Configuration Discovery: Wi-Fi Discovery
        
        PID:6064
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        12⤵
        
        PID:3300
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh wlan show profile
        12⤵
        System Network Configuration Discovery: Wi-Fi Discovery
        
        PID:5712
        
        C:\Windows\SysWOW64\findstr.exe
        
        findstr All
        12⤵
        
        PID:4576
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd.exe" /C chcp 65001 && netsh wlan show networks mode=bssid
        11⤵
        
        PID:5640
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        12⤵
        
        PID:264
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh wlan show networks mode=bssid
        12⤵
        
        PID:5584
        
        C:\Users\Admin\Desktop\Rebel\RebelCracked.exe
        
        "C:\Users\Admin\Desktop\Rebel\RebelCracked.exe"
        9⤵
        
        PID:5616
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        10⤵
        
        PID:5588
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        11⤵
        
        PID:5420
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        11⤵
        
        PID:3956
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All
        12⤵
        System Network Configuration Discovery: Wi-Fi Discovery
        
        PID:5072
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        13⤵
        
        PID:6048
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh wlan show profile
        13⤵
        System Network Configuration Discovery: Wi-Fi Discovery
        
        PID:5976
        
        C:\Windows\SysWOW64\findstr.exe
        
        findstr All
        13⤵
        
        PID:4532
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd.exe" /C chcp 65001 && netsh wlan show networks mode=bssid
        12⤵
        
        PID:4280
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        13⤵
        
        PID:5304
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh wlan show networks mode=bssid
        13⤵
        
        PID:4692
        
        C:\Users\Admin\Desktop\Rebel\RebelCracked.exe
        
        "C:\Users\Admin\Desktop\Rebel\RebelCracked.exe"
        10⤵
        
        PID:5460
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        11⤵
        
        PID:4496
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        12⤵
        
        PID:4632
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All
        13⤵
        System Network Configuration Discovery: Wi-Fi Discovery
        
        PID:516
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        14⤵
        
        PID:5296
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh wlan show profile
        14⤵
        System Network Configuration Discovery: Wi-Fi Discovery
        
        PID:5392
        
        C:\Windows\SysWOW64\findstr.exe
        
        findstr All
        14⤵
        
        PID:5300
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd.exe" /C chcp 65001 && netsh wlan show networks mode=bssid
        13⤵
        
        PID:4688
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        14⤵
        
        PID:2920
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh wlan show networks mode=bssid
        14⤵
        
        PID:5184
        
        C:\Users\Admin\Desktop\Rebel\RebelCracked.exe
        
        "C:\Users\Admin\Desktop\Rebel\RebelCracked.exe"
        11⤵
        
        PID:5196
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        12⤵
        
        PID:5576
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        13⤵
        
        PID:4068
        
        C:\Users\Admin\Desktop\Rebel\RebelCracked.exe
        
        "C:\Users\Admin\Desktop\Rebel\RebelCracked.exe"
        12⤵
        
        PID:2444
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        13⤵
        
        PID:5680
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        14⤵
        
        PID:2360
        
        C:\Users\Admin\Desktop\Rebel\RebelCracked.exe
        
        "C:\Users\Admin\Desktop\Rebel\RebelCracked.exe"
        13⤵
        
        PID:752
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        14⤵
        
        PID:3640
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        15⤵
        
        PID:3648
        
        C:\Users\Admin\Desktop\Rebel\RebelCracked.exe
        
        "C:\Users\Admin\Desktop\Rebel\RebelCracked.exe"
        14⤵
        
        PID:2448
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        15⤵
        
        PID:6016
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        16⤵
        
        PID:2236
        
        C:\Users\Admin\Desktop\Rebel\RebelCracked.exe
        
        "C:\Users\Admin\Desktop\Rebel\RebelCracked.exe"
        15⤵
        
        PID:4228
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        16⤵
        
        PID:4576
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        17⤵
        
        PID:5676
        
        C:\Users\Admin\Desktop\Rebel\RebelCracked.exe
        
        "C:\Users\Admin\Desktop\Rebel\RebelCracked.exe"
        16⤵
        
        PID:5428
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        17⤵
        
        PID:960
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        18⤵
        
        PID:5948
        
        C:\Users\Admin\Desktop\Rebel\RebelCracked.exe
        
        "C:\Users\Admin\Desktop\Rebel\RebelCracked.exe"
        17⤵
        
        PID:5296
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        18⤵
        
        PID:5484
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        19⤵
        
        PID:6096
        
        C:\Users\Admin\Desktop\Rebel\RebelCracked.exe
        
        "C:\Users\Admin\Desktop\Rebel\RebelCracked.exe"
        18⤵
        
        PID:5504
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        19⤵
        
        PID:5232
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        20⤵
        
        PID:1296
        
        C:\Users\Admin\Desktop\Rebel\RebelCracked.exe
        
        "C:\Users\Admin\Desktop\Rebel\RebelCracked.exe"
        19⤵
        
        PID:4128
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        20⤵
        
        PID:5088
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        21⤵
        
        PID:5024
        
        C:\Users\Admin\Desktop\Rebel\RebelCracked.exe
        
        "C:\Users\Admin\Desktop\Rebel\RebelCracked.exe"
        20⤵
        
        PID:6016
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        21⤵
        
        PID:3120
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        22⤵
        
        PID:5044
        
        C:\Users\Admin\Desktop\Rebel\RebelCracked.exe
        
        "C:\Users\Admin\Desktop\Rebel\RebelCracked.exe"
        21⤵
        
        PID:1980
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        22⤵
        
        PID:5752
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        23⤵
        
        PID:1860
        
        C:\Users\Admin\Desktop\Rebel\RebelCracked.exe
        
        "C:\Users\Admin\Desktop\Rebel\RebelCracked.exe"
        22⤵
        
        PID:5360
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        23⤵
        
        PID:4788
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        24⤵
        
        PID:3292
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        24⤵
        
        PID:3232
        
        C:\Users\Admin\Desktop\Rebel\RebelCracked.exe
        
        "C:\Users\Admin\Desktop\Rebel\RebelCracked.exe"
        23⤵
        
        PID:5820
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        24⤵
        
        PID:5648
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        25⤵
        
        PID:5100
        
        C:\Users\Admin\Desktop\Rebel\RebelCracked.exe
        
        "C:\Users\Admin\Desktop\Rebel\RebelCracked.exe"
        24⤵
        
        PID:5216

C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /4
1⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:6076

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

System Network Configuration Discovery

T1016

Wi-Fi Discovery

T1016.002

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\1bd60408b912f5870211c0f595cac75d\Admin@UXMRPRRI_en-US\Grabber\DRIVE-C\Users\Admin\Desktop\desktop.ini

Filesize
282B

MD5
9e36cc3537ee9ee1e3b10fa4e761045b

SHA1
7726f55012e1e26cc762c9982e7c6c54ca7bb303

SHA256
4b9d687ac625690fd026ed4b236dad1cac90ef69e7ad256cc42766a065b50026

SHA512
5f92493c533d3add10b4ce2a364624817ebd10e32daa45ee16593e913073602db5e339430a3f7d2c44abf250e96ca4e679f1f09f8ca807d58a47cf3d5c9c3790

Download Submit
C:\Users\Admin\AppData\Local\1bd60408b912f5870211c0f595cac75d\Admin@UXMRPRRI_en-US\Grabber\DRIVE-C\Users\Admin\Documents\desktop.ini

Filesize
402B

MD5
ecf88f261853fe08d58e2e903220da14

SHA1
f72807a9e081906654ae196605e681d5938a2e6c

SHA256
cafec240d998e4b6e92ad1329cd417e8e9cbd73157488889fd93a542de4a4844

SHA512
82c1c3dd163fbf7111c7ef5043b009dafc320c0c5e088dec16c835352c5ffb7d03c5829f65a9ff1dc357bae97e8d2f9c3fc1e531fe193e84811fb8c62888a36b

Download Submit
C:\Users\Admin\AppData\Local\1bd60408b912f5870211c0f595cac75d\Admin@UXMRPRRI_en-US\Grabber\DRIVE-C\Users\Admin\Downloads\desktop.ini

Filesize
282B

MD5
3a37312509712d4e12d27240137ff377

SHA1
30ced927e23b584725cf16351394175a6d2a9577

SHA256
b029393ea7b7cf644fb1c9f984f57c1980077562ee2e15d0ffd049c4c48098d3

SHA512
dbb9abe70f8a781d141a71651a62a3a743c71a75a8305e9d23af92f7307fb639dc4a85499115885e2a781b040cbb7613f582544c2d6de521e588531e9c294b05

Download Submit
C:\Users\Admin\AppData\Local\1bd60408b912f5870211c0f595cac75d\Admin@UXMRPRRI_en-US\Grabber\DRIVE-C\Users\Admin\Pictures\Camera Roll\desktop.ini

Filesize
190B

MD5
d48fce44e0f298e5db52fd5894502727

SHA1
fce1e65756138a3ca4eaaf8f7642867205b44897

SHA256
231a08caba1f9ba9f14bd3e46834288f3c351079fcedda15e391b724ac0c7ea8

SHA512
a1c0378db4e6dac9a8638586f6797bad877769d76334b976779cd90324029d755fb466260ef27bd1e7f9fdf97696cd8cd1318377970a1b5bf340efb12a4feb4a

Download Submit
C:\Users\Admin\AppData\Local\1bd60408b912f5870211c0f595cac75d\Admin@UXMRPRRI_en-US\Grabber\DRIVE-C\Users\Admin\Pictures\Saved Pictures\desktop.ini

Filesize
190B

MD5
87a524a2f34307c674dba10708585a5e

SHA1
e0508c3f1496073b9f6f9ecb2fb01cb91f9e8201

SHA256
d01a7ef6233ef4ab3ea7210c0f2837931d334a20ae4d2a05ed03291e59e576c9

SHA512
7cfa6d47190075e1209fb081e36ed7e50e735c9682bfb482dbf5a36746abdad0dccfdb8803ef5042e155e8c1f326770f3c8f7aa32ce66cf3b47cd13781884c38

Download Submit
C:\Users\Admin\AppData\Local\1bd60408b912f5870211c0f595cac75d\Admin@UXMRPRRI_en-US\Grabber\DRIVE-C\Users\Admin\Pictures\desktop.ini

Filesize
504B

MD5
29eae335b77f438e05594d86a6ca22ff

SHA1
d62ccc830c249de6b6532381b4c16a5f17f95d89

SHA256
88856962cef670c087eda4e07d8f78465beeabb6143b96bd90f884a80af925b4

SHA512
5d2d05403b39675b9a751c8eed4f86be58cb12431afec56946581cb116b9ae1014ab9334082740be5b4de4a25e190fe76de071ef1b9074186781477919eb3c17

Download Submit
C:\Users\Admin\AppData\Local\1bd60408b912f5870211c0f595cac75d\Admin@UXMRPRRI_en-US\System\Process.txt

Filesize
4KB

MD5
eaafa343dac20d7692de9cd1fe68f76b

SHA1
b0ab85686141c241ed6352f0cc6f21f5da3cd4c2

SHA256
6bb4ac62a842fb11c7972bf45f15f153b21c703446e20dbd8c636a05ee1c870d

SHA512
364adc3a2c6e537193fead5002a79fece4323868581597cfc4b04ff2a91e589df65eb9e3326e65b9e3407d01f17bf302a4ce2d952a147224548aeedbc5d80349

Download Submit
C:\Users\Admin\AppData\Local\1bd60408b912f5870211c0f595cac75d\Admin@UXMRPRRI_en-US\System\WorldWind.jpg

Filesize
122KB

MD5
5568d4a2672f97c1429028c6b19b7e4c

SHA1
60bf6677e270adfd471dc8b43b77be3638953a20

SHA256
7e1a826de38570f0346f8645d599bf7e2e5a2e507c756687ba84927ca13f636f

SHA512
6069cb3ddd3ec9d042d01d56c04447c8d944a1f5263e924e0d4c1d5603d16b3ecd287cc8ba9f04eb2add69e88cb69627c841d5bc565fa78fd62e04877d928f36

Download Submit
C:\Users\Admin\AppData\Local\56aa99fa6474c9fffa21dcc5dd303792\Admin@UXMRPRRI_en-US\System\Process.txt

Filesize
4KB

MD5
9f57fcbbb086dac817ab6c4608eb4307

SHA1
d80200cd73645f9c27fd4dc6f08277e3a6a469a8

SHA256
404e417286501680d1dfd342fcd85600dc3e912f6028b4af5301cca62ce092f7

SHA512
add834cc7350919c94beb0ff2111dba2a15fb995d3394a4682eb708dfdabce93b25a06cdbcb4a1b1b84987bf6f4604fbeb0700b368439f9c3a7371b077e93e7b

Download Submit
C:\Users\Admin\AppData\Local\6273da9205fec68c64afc3253dbfc051\Admin@UXMRPRRI_en-US\System\Process.txt

Filesize
1KB

MD5
9838de6de5b11a57258b49cfbc241810

SHA1
4b36be3563801fc99a31d7fd97569fd09f225629

SHA256
67b4f736c2e16cec5222b78ffe29f623f143c4ab9f11d11fd57cbcbc3d35f287

SHA512
c78b1027c9870860e4e7dce6bfaea7ff617263898550d05f8225e7d3c82d57902df681b15b448cc88e7b13c4008e1850658426310a58d16652f2f336c0c96173

Download Submit
C:\Users\Admin\AppData\Local\6273da9205fec68c64afc3253dbfc051\Admin@UXMRPRRI_en-US\System\Process.txt

Filesize
2KB

MD5
73e3ef04ec6f970980a6ed6e67bfe7b4

SHA1
f568c319adfd69f53beda9263f59bcbaed54b5ba

SHA256
bcdfad6034238737fed27f897e6e105167e55eadad166ee6253431f04f5e9c03

SHA512
e7139010dc45a2afa5e7e8910ae843e1253bd6b77641af8a589db2743ca41e005e7f38a7bf1e9c3e09fdfaeff7d58e2ef395d38b70ccb9c0034d9328f4d50ee1

Download Submit
C:\Users\Admin\AppData\Local\6273da9205fec68c64afc3253dbfc051\Admin@UXMRPRRI_en-US\System\Process.txt

Filesize
2KB

MD5
fc2ad59d056b92b80f2edf60f773f9eb

SHA1
0a70c325f008bc69de7b8e089f8a3c10328f545f

SHA256
14c2afa70e7204fef21d4fb6dcf2bd20c3dd7050c1e96632ca99a2dff7c80f33

SHA512
99de15adbc097e490b4d25acb6553268cbdc70d639f64dd6b1b0a86db84459e5284c8f74256cfbab8624c3c68066fcc8c08a3a09da8773513e56da392b5c6dc7

Download Submit
C:\Users\Admin\AppData\Local\6273da9205fec68c64afc3253dbfc051\Admin@UXMRPRRI_en-US\System\Process.txt

Filesize
2KB

MD5
5cf4d7fdfb63216cad192414a3447485

SHA1
c563666ca4b93c16ce875148877f5b03a82dea69

SHA256
2450dda3e01d866d2964b537a3db136b746126cbd4874ae755fef9e408fe9857

SHA512
3d2ab525d2c15a8ec0816dbbc2739b41796f5a7b16840dfce2b890fbe3d881065fd5bebe538b3819a44ee9eea5c3786416b4a52404e8484516e46dcdc163a039

Download Submit
C:\Users\Admin\AppData\Local\6273da9205fec68c64afc3253dbfc051\Admin@UXMRPRRI_en-US\System\Process.txt

Filesize
4KB

MD5
9506ea3f5eec42021a0c9629bc78c084

SHA1
f054f90d3b5777a5729cd5fc455069a6443affc5

SHA256
e1d44a9fd4d8cfd9848ff53e9e86a0d65de99668212d5d14d569743b3d67abd2

SHA512
8baa7661a5e00ac0c17678659bb5a2d39f252333a7098fd2058330169e73a861bf0aa9aa53d9f5748cae19015ce0527c5766911956b25f774bc083d87310eeb1

Download Submit
C:\Users\Admin\AppData\Local\826a670fbd0646f8913d0e1e50b960d1\Admin@UXMRPRRI_en-US\System\Process.txt

Filesize
1KB

MD5
e511211a4b64d1791d15d2e9eae7d9a2

SHA1
52aa5331787ed3a115b4afcac0a06967d4dce230

SHA256
8324466b62285961c5b969cff6e4e2fad2f5275893a5ab0e6a16f4175101338d

SHA512
7f7046b17c32ee124fdd493815b2b678ad222b9589c4f548d57e6e15b386cbd7d12753c03c6320281460163219fc605e99cc9710e6fee1d3d94ec762afc9d36e

Download Submit
C:\Users\Admin\AppData\Local\826a670fbd0646f8913d0e1e50b960d1\Admin@UXMRPRRI_en-US\System\Process.txt

Filesize
4KB

MD5
b21c420ea92853d15d209bfceadfc2d4

SHA1
3b93f475e90045dc8d923f5a43516f6bfea52e6a

SHA256
49ca460dca6285f5eea64bd558eb36f428961d2566fdeb3c2616678f182880cb

SHA512
2f4434ffd5eaadeba5305ac4a397443cb86daefd45f12c39ddcab348a7cd84d5d6e51cafc0e8fae30a0e5d4eccb62ec5418782387907723491d9bc5053362903

Download Submit
C:\Users\Admin\AppData\Local\94303f4f5dd44a5e2d9f9be2d9d4ea6a\Admin@UXMRPRRI_en-US\Browsers\Firefox\Bookmarks.txt

Filesize
105B

MD5
2e9d094dda5cdc3ce6519f75943a4ff4

SHA1
5d989b4ac8b699781681fe75ed9ef98191a5096c

SHA256
c84c98bbf5e0ef9c8d0708b5d60c5bb656b7d6be5135d7f7a8d25557e08cf142

SHA512
d1f7eed00959e902bdb2125b91721460d3ff99f3bdfc1f2a343d4f58e8d4e5e5a06c0c6cdc0379211c94510f7c00d7a8b34fa7d0ca0c3d54cbbe878f1e9812b7

Download Submit
C:\Users\Admin\AppData\Local\94303f4f5dd44a5e2d9f9be2d9d4ea6a\Admin@UXMRPRRI_en-US\System\Process.txt

Filesize
4KB

MD5
e260694b154f6e6bb4a97abfa7f83535

SHA1
bc8ae3d33484c283abc19ffff3d6fba46ef1f409

SHA256
f490f3af93426bea0020a716e4bba7591c294eb606c8d04f439527ec399d2249

SHA512
e3ce47402524067f9c84f11d71c1b2f803601095f0ffb3d3b7366f6d50d97947fc04890ebe32bffe69f4a71af653626371f5d7144bade866deb502c6919447fd

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
1KB

MD5
ca47c76a71626dbc093bf25677addd4d

SHA1
82578bdef981be562e96c91760b452fad098e3c0

SHA256
0d820e91dad78be2b9667276211ce8959013ee561d43124e764793e565b8b383

SHA512
98df5c7f4fd420f57f161cdbc51a64bcce4c3cbb95c8d69aca11e012098846e22cf79dc02bed305746406b557b464fb9073937c70be86a24d5951e5b81329bcb

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
356B

MD5
dbedad8a093a5ea284c68ee76d0e3d87

SHA1
ae5e2df6cbc06022729322be67c8c1425a325f6a

SHA256
e0b4d8056688f307e3b6774d077f9ad067db36b2fcb92941efb0cdb46606e040

SHA512
62b02bd778b6d4a3997ac734eded737e5d3e7d89a9b12d67c9abdd6c26e292101c4f29eec1b8ed994e6db150851732093c25386146e1d65eeed03375c99aa581

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
8KB

MD5
df3c57ea2ae4c0e8daddb15a6277bb18

SHA1
97b522ec0f10e8c3d4fd67cf7629b4861d0a7daa

SHA256
3d1a42df8942ec30ca743855608115faaa38f6bebb8db0ee1cb817bc2f31bbe3

SHA512
e423a12c02b30d64994e0d429e79a12356b0ffe5cba58ab0fb5bdc0ee75d1048fea0a33a9b335d75128d0519eb77c533312d0a69484568d6e6b91c46e3bf6878

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
99KB

MD5
688db5396b35287ff73e99837c3794d7

SHA1
600909768dcfa2d2a772a6dadecad6b1b5d7e2fe

SHA256
7ae6929d4535d36dbb24a1cd617e618d68747371079bb61d9b6d3487a72c58a3

SHA512
c581f3f373f38492d169c3c1f23baa8db6faefb5340cc739220abb781b8b3b2eb2c3ed3b925444d29d0c3cb6e620b8d8cc1a9a3ae8691c26fed465a37eb81752

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\ShaderCache\data_1

Filesize
264KB

MD5
f50f89a0a91564d0b8a211f8921aa7de

SHA1
112403a17dd69d5b9018b8cede023cb3b54eab7d

SHA256
b1e963d702392fb7224786e7d56d43973e9b9efd1b89c17814d7c558ffc0cdec

SHA512
bf8cda48cf1ec4e73f0dd1d4fa5562af1836120214edb74957430cd3e4a2783e801fa3f4ed2afb375257caeed4abe958265237d6e0aacf35a9ede7a2e8898d58

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\RebelCracked.exe.log

Filesize
654B

MD5
2ff39f6c7249774be85fd60a8f9a245e

SHA1
684ff36b31aedc1e587c8496c02722c6698c1c4e

SHA256
e1b91642d85d98124a6a31f710e137ab7fd90dec30e74a05ab7fcf3b7887dced

SHA512
1d7e8b92ef4afd463d62cfa7e8b9d1799db5bf2a263d3cd7840df2e0a1323d24eb595b5f8eb615c6cb15f9e3a7b4fc99f8dd6a3d34479222e966ec708998aed1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\RuntimeBroker.exe.log

Filesize
706B

MD5
9b4d7ccdebef642a9ad493e2c2925952

SHA1
c020c622c215e880c8415fa867cb50210b443ef0

SHA256
e6f068d76bd941b4118225b130db2c70128e77a45dcdbf5cbab0f8a563b867ff

SHA512
8577ecd7597d4b540bc1c6ccc4150eae7443da2e4be1343cc42242714d04dd16e48c3fcaefd95c4a148fe9f14c5b6f3166b752ae20d608676cf6fb48919968e8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
9b008261dda31857d68792b46af6dd6d

SHA1
e82dc88e2d1da2df7cb19d79a0346b9bb90d52b3

SHA256
9ac598d4f8170f7e475d84103aead9e3c23d5f2d292741a7f56a17bde8b6f7da

SHA512
78853091403a06beeec4998e2e3a4342111895ffd485f7f7cd367741a4883f7a25864cba00a6c86f27dc0c9ce9d04f08011ecc40c8ae9383d33274739ac39f10

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
0446fcdd21b016db1f468971fb82a488

SHA1
726b91562bb75f80981f381e3c69d7d832c87c9d

SHA256
62c5dc18b25e758f3508582a7c58bb46b734a774d97fc0e8a20614235caa8222

SHA512
1df7c085042266959f1fe0aedc5f6d40ceba485b54159f51f0c38f17bb250b79ea941b735e1b6faf219f23fe8ab65ac4557f545519d52d5416b89ad0f9047a31

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
72B

MD5
483c8dc1f7a736fc6f50d2cbcb8f89ff

SHA1
1bd42bb90ebefcb29cd8a78a9e6a5b4dc873dd4d

SHA256
a0d22a38e065d296a1dc4fe279dceeb3dfc0cdb71379bc12cd31aa632b005495

SHA512
ac687871321d87ae55a3a1cd77497798bf7ecaa1d2b53c46d88b80aa8449040ec8845b209231ed893424ff56c33b44012f72310d9b075f814a6fa122dbc4189d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cookies

Filesize
20KB

MD5
7610e7a2f1565c256f28b03e2c2134a8

SHA1
9733fed1c9d801ba0498897fb03bb3780f1429b1

SHA256
f8b2169477e851b65df06fcd2beb9d85f30fb8efc86e198bec2f0cba8b07cfea

SHA512
814113cd1e6ca05bca8f872b02d1fa90513099775e535901857b95253ea25a804c461110e32699cad5df41fd7c260c0115750b889e36d72f10ff81788f90e616

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\File System\000\t\Paths\MANIFEST-000001

Filesize
41B

MD5
5af87dfd673ba2115e2fcf5cfdb727ab

SHA1
d5b5bbf396dc291274584ef71f444f420b6056f1

SHA256
f9d31b278e215eb0d0e9cd709edfa037e828f36214ab7906f612160fead4b2b4

SHA512
de34583a7dbafe4dd0dc0601e8f6906b9bc6a00c56c9323561204f77abbc0dc9007c480ffe4092ff2f194d54616caf50aecbd4a1e9583cae0c76ad6dd7c2375b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\History

Filesize
124KB

MD5
9b5d51d916a62a9de691841a61f48ea0

SHA1
9119100b1fef8367d7e717bbb02d7900ae01c203

SHA256
bc6e71283f578974286fdcaf7862a4eb8f7d435f4434ccc3e0921c756cfddd96

SHA512
c1f2bfa22af797527ceeb0f8d0ae0dee1a160eb40971a7a083504b97e9ece3679733e24ed60d288baafbb25661b3f74a99e520ce0f5d286e2c979a5ca444405d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
188B

MD5
008114e1a1a614b35e8a7515da0f3783

SHA1
3c390d38126c7328a8d7e4a72d5848ac9f96549b

SHA256
7301b76033c2970e61bab5eaddaff5aa652c39db5c0ea5632814f989716a1d18

SHA512
a202fc891eace003c346bad7e5d2c73dadf9591d5ce950395ff4b63cc2866b17e02bd3f0ad92749df033a936685851455bcdbfad30f26e765c3c89d3309cb82b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
8db46c8a3bcb76393cb6713fc65fe70a

SHA1
8437b58e5d7fd54905c18ae6786d0bc98c6db3e9

SHA256
2df1097e8ad533de66a1ee261ace7d8767d645389cb244afed3fe7459c6d6c59

SHA512
b494a527f4e4d258d44454566312bf1b8149116f9243e9492124578e21099b350bbb4ec57cd1e5624fe23b1dbe88c5dd4feb277ce75a67f733cfcb6e06c9adf3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
769344cca3b1a97c169c9d107274ecf6

SHA1
722f5d71e5bef60553fff02430ffe2b43361430b

SHA256
8adeccd0a0bbe58e8ac005873f8ad0ca6b0b6bba5c81e9751b3221355d9b502b

SHA512
748b4c256a99641cb5ec4667532983f3ca2fc4e464a2d5291c0a0a9f469570246d68cbb49ed67f9969cce925d03c997107a3033913d8c79c5eae53c98a547c7f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
adc6d1f6e8f1578a2fd44e5c38116f68

SHA1
d930110e3d7260b85f98c2a63dc99de5dc0b3b8e

SHA256
a78e37260ac194547454f5b2dcd6c6de65225e6333ca5e45811d0797a2636c38

SHA512
0f5c64d704d655fbc738de52185eb171c682072004fb30e30e4290246db65aecd164ab227cc36c048d4c6d7e99624080a1dfac2271aa90f5b862c07b32f1225a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\Database\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index

Filesize
72B

MD5
5973b398cf335adcdca47c1f740a4c57

SHA1
13ea05e1cbde4280a186043dc073bcdf164c36ea

SHA256
9e7bce83974012b28cdf0f7db899c316b776e585efcaa90aa522ead707106bdb

SHA512
8bbef475d21881b726fcec2dac1ff944c1c0b36b214a7d96712d858dd65338cb3b0ef4265c8dc9a97216394604f0b95a1e2d88f98463b0d8f1117233bce3ac29

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index~RFe57f9c1.TMP

Filesize
48B

MD5
4c78071d88c2b97b9cd0c70edda0d56f

SHA1
797a7b63247807ce46664f78ca00a743fcf10340

SHA256
0d7726ac3f9e66308ee9baa303618d080fc23806ebb776947019706d3fbeb448

SHA512
1cf19617bd5f23cd1751209dfcfa9ad89694765b956eaee838f980ef1acdeb96b349fc29a5b9294f3f864211c6b4919daf2c26cbd59c40794f4ace3d36131944

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
282d732d6910cc9dd8e9627e070e6f50

SHA1
f06a9aec4927ced7f69a07b51e763326d972a95d

SHA256
6870fd41d20c0b4f2e262bbcc68695b7e0a83e03f807a53ecaa7c3a37661e38b

SHA512
ce7b166ff12d5453904d05e3aee73b44745afb7a9dced52f8add5adc59f02c63b6aa17d7638ee0e895dbf8caa6ace8b20ea4ef800c7658172c7dd18b61e1f889

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
0f15219fc54b19aaca1ac0330b2ec7ff

SHA1
d30b9681f931405864cd49e1b7ce18b196a76245

SHA256
7cb8e733181d96effb603c74f85396706e7fc94bb3541b1333eb0f9562dff45a

SHA512
13e95f5d2c20e70dcf3eba1f78fa82aa4b1b67fc104a8c99658a91370bb7fe5f622d0a4aed3d01d9fd67414b909e8c4e90c0b55709dd5f730df5732694d9945f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
128e547828f91cc929e28ef5f4cccd7d

SHA1
13e55263d3300bb455f86c0a4b5fec2fe6f19184

SHA256
25589468a1b753ac988f74c767980589e51f6783695ddb5ac602ae1cf0c7ca95

SHA512
e57d79258b6692b83cbb8b8cb8ac1b86a2ea2e1802b3016a747ea861f1e65226419c8bbb551a8056deec5d678f7ad43949f59595c0ac099f0aae93c9c7422611

Download Submit
C:\Users\Admin\AppData\Local\RuntimeBroker.exe

Filesize
330KB

MD5
75e456775c0a52b6bbe724739fa3b4a7

SHA1
1f4c575e98d48775f239ceae474e03a3058099ea

SHA256
e8d52d0d352317b3da0be6673099d32e10e7b0e44d23a0c1a6a5277d37b95cf3

SHA512
b376146c6fa91f741d69acf7b02a57442d2ea059be37b9bdb06af6cc01272f4ded1a82e4e21b9c803d0e91e22fc12f70391f5e8c8704d51b2435afc9624e8471

Download Submit
C:\Users\Admin\AppData\Local\Temp\places.raw

Filesize
5.0MB

MD5
90281dbd5cb1133ade2bf34dd0d390aa

SHA1
10443ff1fea33ab751cffa19d208f63b433296ec

SHA256
ba4b82d026ba3561666eb31cad20732a27d11d9ca844c52ad757bd44d83fed33

SHA512
3d39ac85f4f9c16660c158da693f4e3fe39a477a0f34e5bfaeb766680b41e661d2a4bff165baa06e52f504474c6280d50802b7c4f2e97bf4d1930ed0a52abc91

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpC994.tmp.dat

Filesize
114KB

MD5
503d6b554ee03ef54c8deb8c440f6012

SHA1
e306b2a07bf87e90c63418024c92933bcc3f4d7f

SHA256
4c407af4d5326d1ea43e89945eda0b86c81ad0d12bd5465b327c0fd1df56f7d4

SHA512
3490b51dfe2e8f6efa3cdeee7bc08c03072597861c1a2f88dc830139abb7611c671ddad345c2af97bb1e88927c09467ed92b5feafe6696d7e2b31b3bd3447437

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpC9A6.tmp.dat

Filesize
160KB

MD5
f310cf1ff562ae14449e0167a3e1fe46

SHA1
85c58afa9049467031c6c2b17f5c12ca73bb2788

SHA256
e187946249cd390a3c1cf5d4e3b0d8f554f9acdc416bf4e7111fff217bb08855

SHA512
1196371de08c964268c44103ccaed530bda6a145df98e0f480d8ee5ad58cb6fb33ca4c9195a52181fe864726dcf52e6a7a466d693af0cda43400a3a7ef125fad

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpC9A9.tmp.dat

Filesize
116KB

MD5
f70aa3fa04f0536280f872ad17973c3d

SHA1
50a7b889329a92de1b272d0ecf5fce87395d3123

SHA256
8d782aa65de6db3538a14da82216e96d5e0a3c60496726e3541a8165bccc65f8

SHA512
30675c5c610d9aa32a4c4a4d9c3af7570823cd197f8d2a709222c78e2cd15304bbed80e233e3674ec2f6e33d1961c67fd6a46dc8ba8b1a301cd0722932c03c84

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpD2CD.tmp.dat

Filesize
40KB

MD5
a182561a527f929489bf4b8f74f65cd7

SHA1
8cd6866594759711ea1836e86a5b7ca64ee8911f

SHA256
42aad7886965428a941508b776a666a4450eb658cb90e80fae1e7457fc71f914

SHA512
9bc3bf5a82f6f057e873adebd5b7a4c64adef966537ab9c565fe7c4bb3582e2e485ff993d5ab8a6002363231958fabd0933b48811371b8c155eaa74592b66558

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpD2E2.tmp.dat

Filesize
48KB

MD5
349e6eb110e34a08924d92f6b334801d

SHA1
bdfb289daff51890cc71697b6322aa4b35ec9169

SHA256
c9fd7be4579e4aa942e8c2b44ab10115fa6c2fe6afd0c584865413d9d53f3b2a

SHA512
2a635b815a5e117ea181ee79305ee1baf591459427acc5210d8c6c7e447be3513ead871c605eb3d32e4ab4111b2a335f26520d0ef8c1245a4af44e1faec44574

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpD314.tmp.dat

Filesize
96KB

MD5
40f3eb83cc9d4cdb0ad82bd5ff2fb824

SHA1
d6582ba879235049134fa9a351ca8f0f785d8835

SHA256
cdd772b00ae53d4050150552b67028b7344bb1d345bceb495151cc969c27a0a0

SHA512
cdd4dbf0b1ba73464cd7c5008dc05458862e5f608e336b53638a14965becd4781cdea595fd6bd18d0bf402dccffd719da292a6ce67d359527b4691dc6d6d4cc2

Download Submit
C:\Users\Admin\AppData\Local\c236eda9d7f89f5139e8594421200a40\Admin@UXMRPRRI_en-US\Browsers\Edge\Cookies.txt

Filesize
37B

MD5
77514b253704ac7429c85a2384600c12

SHA1
e49ce0bc9527a984dcbf9a8aa48a5040c1045399

SHA256
b3bf9f6ccd27ea29afa23a2e89c0071c0783999a1cde1d3b5cd578f48fa28135

SHA512
b47e679f2d91b75eb3cc15e3d830380a8525b62e8ad24c458f35d64011d23dbc566c6fb5b34747af76faa03b0eee7bb2359416eea677e818c99d55b4cea5273e

Download Submit
C:\Users\Admin\AppData\Local\c236eda9d7f89f5139e8594421200a40\Admin@UXMRPRRI_en-US\Browsers\Edge\History.txt

Filesize
102B

MD5
c904f8750147bd22b446683de3e0d527

SHA1
67cc1edd521f00207df79de5cd773f513ab6617a

SHA256
cd79a28958fea640ed5e71669f368fbba16fb33f8315f1c8d1918f4a41f9d074

SHA512
daf0959e4c3008f02b45f7dbd7a2d0abdaa420e6d11105f8244bec1163fd6f9bebfc709b037a21a3b2a79a9b6b9e2130d4c5229870547aec4a3691cde98c4ed3

Download Submit
C:\Users\Admin\AppData\Local\c236eda9d7f89f5139e8594421200a40\Admin@UXMRPRRI_en-US\Directories\Desktop.txt

Filesize
818B

MD5
f966f805660c2e9fd686b700ba9321a7

SHA1
2893f96a460f079920f8604ed1b43dc9d4a1988f

SHA256
c0f23166b93533968be5e4c696b92b9f2913585ebf0aa3a5341e9f7234d8abd5

SHA512
0aac42a35c79a8e09c8e36b44d87069896ac9aec4e58c41b933524390bc00afbaba0c0d24b77c07e39eff8e5cde07b0ea8a9dab13e99b5e988a18ef3f5e4cef5

Download Submit
C:\Users\Admin\AppData\Local\c236eda9d7f89f5139e8594421200a40\Admin@UXMRPRRI_en-US\Directories\Documents.txt

Filesize
909B

MD5
4ed1da46d3a2175364ab12c8b4b81f5a

SHA1
e409d93b310e57911d0e719b9f24f4c9ebe9d4d4

SHA256
a50b0125ab1132cfddcc65a237ee05c96598460b4e5e3b9e942bc39dfe9e7edf

SHA512
b7a5e550ebaf38e556f9f07a0d9f26e491a692f996daa38d1a60a60dad8f4c614e5b7a6211159f08174e7435784aace35dc0df609230ec518868c99db43676d3

Download Submit
C:\Users\Admin\AppData\Local\c236eda9d7f89f5139e8594421200a40\Admin@UXMRPRRI_en-US\Directories\Downloads.txt

Filesize
765B

MD5
8a1d2a4926f085b98a4e1f1d881f5f1c

SHA1
b6269b499444874aa7f4bb616c42a0f998def873

SHA256
982c80f94407ad1d1e5bacba74d82dbeb5fa4a7abfccfca4c932034446c0346b

SHA512
f53b3de379d2a71e0c745e663d9f3d868c625a1be20fbb3eb3b1fd13fc7448d27ce2b836ea8ea78cc699fb2f60ff90d664e3dba0e86f2685c16dd1d582705557

Download Submit
C:\Users\Admin\AppData\Local\c236eda9d7f89f5139e8594421200a40\Admin@UXMRPRRI_en-US\Directories\OneDrive.txt

Filesize
25B

MD5
966247eb3ee749e21597d73c4176bd52

SHA1
1e9e63c2872cef8f015d4b888eb9f81b00a35c79

SHA256
8ddfc481b1b6ae30815ecce8a73755862f24b3bb7fdebdbf099e037d53eb082e

SHA512
bd30aec68c070e86e3dec787ed26dd3d6b7d33d83e43cb2d50f9e2cff779fee4c96afbbe170443bd62874073a844beb29a69b10c72c54d7d444a8d86cfd7b5aa

Download Submit
C:\Users\Admin\AppData\Local\c236eda9d7f89f5139e8594421200a40\Admin@UXMRPRRI_en-US\Directories\Pictures.txt

Filesize
317B

MD5
f825ba64c11e41a47e3e7eb7113cf80b

SHA1
c88ecc8e9f27a592895bd1678ebf50fefade738f

SHA256
e3d48acfe888ba84d4c1bb7ffaafdcedd6f2d2d13a40d863d5f1b7ef31483398

SHA512
eb704e1a7d8a9efa8f1dc4132239594e2ff8a1017fdcd8ab5ad75084947038efc1d7af581705d824166ae6c74c6d6ac6b9c363c045493a17c362fc8fd362bd40

Download Submit
C:\Users\Admin\AppData\Local\c236eda9d7f89f5139e8594421200a40\Admin@UXMRPRRI_en-US\Directories\Startup.txt

Filesize
24B

MD5
68c93da4981d591704cea7b71cebfb97

SHA1
fd0f8d97463cd33892cc828b4ad04e03fc014fa6

SHA256
889ed51f9c16a4b989bda57957d3e132b1a9c117ee84e208207f2fa208a59483

SHA512
63455c726b55f2d4de87147a75ff04f2daa35278183969ccf185d23707840dd84363bec20d4e8c56252196ce555001ca0e61b3f4887d27577081fdef9e946402

Download Submit
C:\Users\Admin\AppData\Local\c236eda9d7f89f5139e8594421200a40\Admin@UXMRPRRI_en-US\Directories\Temp.txt

Filesize
2KB

MD5
a978348666b5c74c5a048dfc5a0a3e8c

SHA1
749240fb87b7a4bf232438a025c94069f11e01d7

SHA256
c6e8e278649008d58276f850bf1d6bd05a299eb9e86a97ba0cd5684529d4d6e4

SHA512
a04c6c5b61db1fd422630c521cecbc2f32e5bfc73bc612027c35b57089258f4652edda714124c333ac2b88a941d0b7584a13518e10c1e7aaf64d789d86f2569b

Download Submit
C:\Users\Admin\AppData\Local\c236eda9d7f89f5139e8594421200a40\Admin@UXMRPRRI_en-US\Directories\Videos.txt

Filesize
23B

MD5
1fddbf1169b6c75898b86e7e24bc7c1f

SHA1
d2091060cb5191ff70eb99c0088c182e80c20f8c

SHA256
a67aa329b7d878de61671e18cd2f4b011d11cbac67ea779818c6dafad2d70733

SHA512
20bfeafde7fec1753fef59de467bd4a3dd7fe627e8c44e95fe62b065a5768c4508e886ec5d898e911a28cf6365f455c9ab1ebe2386d17a76f53037f99061fd4d

Download Submit
C:\Users\Admin\AppData\Local\c236eda9d7f89f5139e8594421200a40\Admin@UXMRPRRI_en-US\System\Process.txt

Filesize
4KB

MD5
39c2e851dcda054d2b2a35c1154cf325

SHA1
fdca23ef6db55aec4078873464a076e4e8516a2b

SHA256
0a0a86ecc38be094178f118c1524e19f76c5058f7b4e03bdad6d4aff37c95fb6

SHA512
e609efe5b2b2822764c29ccb0adadef003556484ff7406adb895ec412649e0147bd747fc3cef95aee969cf874247a3c8a4ce3feaf64ce90a510c2b449f58c6cf

Download Submit
C:\Users\Admin\AppData\Local\c236eda9d7f89f5139e8594421200a40\Admin@UXMRPRRI_en-US\System\Process.txt

Filesize
4KB

MD5
5cbecfbec2fca06aca1f2555986580bc

SHA1
506a0c6d9619d7ff057a67c5e7142bbf728df707

SHA256
ad6e14a14edcf047fcdf39eaf8fe1cf625d9befe24c6fe7291fb1eb4a4e81105

SHA512
0b1e31e317a9e12d8184663a16dc738c9ff9f175bcad1dd3925a7f794265776f27d97decfce3b69e70a64565ebebbdd63ec29762ed2874d20e822eb1024a8124

Download Submit
C:\Users\Admin\AppData\Local\c6c193096bef91194577b7d7d520c777\Admin@UXMRPRRI_en-US\System\Process.txt

Filesize
436B

MD5
c717ee4f2e49f8fd5c053a1739677f29

SHA1
2bfb52c78e0a707f231afe914e59ec6c34e7f9db

SHA256
0dec30182e65f8efbff4daa0feffc1202ac078d791464d948813d3831c19be9f

SHA512
98d7f2576a58553ef320c2cd750819bcb73c3a445bba479ad8baf46c1338207346254fd91a1690e34309e477303c276ceff105d075dd00dc05f7f35bfa3bc282

Download Submit
C:\Users\Admin\AppData\Local\c6c193096bef91194577b7d7d520c777\msgid.dat

Filesize
1B

MD5
cfcd208495d565ef66e7dff9f98764da

SHA1
b6589fc6ab0dc82cf12099d1c2d40ab994e8410c

SHA256
5feceb66ffc86f38d952786c6d696c79c2dbc239dd4e91b46729d73a27fb57e9

SHA512
31bca02094eb78126a517b206a88c73cfa9ec6f704c7030d18212cace820f025f00bf0ea68dbf3f3a5436ca63b53bf7bf80ad8d5de7d8359d0b7fed9dbc3ab99

Download Submit
C:\Users\Admin\AppData\Local\e1e26908cff153ff03d59ace309163ae\Admin@UXMRPRRI_en-US\System\Process.txt

Filesize
39B

MD5
7ab011d191ea6babfc5166b2c8ffecbb

SHA1
8187af60e0eb625d7baa1dc9d8992cd45a2b866f

SHA256
866ff0c30c0456cec43fe5396513dfd139ceeea3f78b9edc840e4b22e1bf8a04

SHA512
154f351506b8e19bf56cfadd0c8a0b250ce5a153a87b46c450a6c264d0f20b769ae60058cd33d1b192149504bf7e1be8c1223726f4d6918e3a7e5fc1444e1c3b

Download Submit
C:\Users\Admin\AppData\Local\e1e26908cff153ff03d59ace309163ae\Admin@UXMRPRRI_en-US\System\Process.txt

Filesize
103B

MD5
85c2b1d3cb4ceaa58149d46995e977ca

SHA1
e97d3f5ccf7228871f3cb130accb42ce4ad6741c

SHA256
3236796703c45d977d0610df8cc77652db97df273de77ef1259adf8905c76fff

SHA512
6e3f2551cc28f9933ef8219c0f1c130415ecce5b650c8b11817bbf01e24a50cca3a9f6af1b58cf28314bfa869b06d7a29f9808ce87034b5f54605ef4595817dc

Download Submit
C:\Users\Admin\AppData\Local\e1e26908cff153ff03d59ace309163ae\Admin@UXMRPRRI_en-US\System\Process.txt

Filesize
195B

MD5
74c3c532d0e5ed9d7f3934d21ddddcc9

SHA1
beddf1f3ff9047e4e5547dd23c8d776cf4cfd89d

SHA256
61a5e589cbd7faac456104f764f045242dc62cb20a4d81150f8a393a42d08204

SHA512
1f59dae7273e6d938bda1b8a33e6b1c3dd9f1e0b38139b7e2e4e5d87caabc1f165c5f200f223e0f825cf763d272ce1498b9d23d446fa273524bfb332c058ba09

Download Submit
C:\Users\Admin\AppData\Local\e1e26908cff153ff03d59ace309163ae\Admin@UXMRPRRI_en-US\System\Process.txt

Filesize
287B

MD5
a77bd7b49806340d8cc29d7ad65903ff

SHA1
34a586755627809e11a891b63ebe645d9c1322df

SHA256
06aca4c7049ffe808872c08298869d7f6d758e53fb408dfd218e5f36be0ffbf4

SHA512
8ef2e61167400692df492152e30b737e27221815c3fddb75c0ad6fccc7d2dbcb9552c8dd53a3dbad33ae107c2cdafecff4182ee70a2ab3dfccda0bf178bdcdc0

Download Submit
C:\Users\Admin\AppData\Local\e1e26908cff153ff03d59ace309163ae\Admin@UXMRPRRI_en-US\System\Process.txt

Filesize
351B

MD5
d80f4ca5d359356b9c8974125186e83c

SHA1
8b0a4c5ebfb3ee110bc2e63d34e3f2d151b14aa9

SHA256
3a86c024bb8547b1304f61ee17aa2d47d7d8441b5c173efa673486f9055a2c65

SHA512
5d70089c30a587d0cc783305f7db4940703261556be6aca4db150cb4086502422dbd4430beacb4e1478218c59b88d92a86a3e8d5c7f8a69cfdbacd248f6aa7f0

Download Submit
C:\Users\Admin\AppData\Local\e1e26908cff153ff03d59ace309163ae\Admin@UXMRPRRI_en-US\System\Process.txt

Filesize
383B

MD5
04497b817b1dc72ebcf9b7a0b9270120

SHA1
7b02b5810543cb280b51658ee302d3874f8dff9e

SHA256
0b4c5dfda2f4c42887bad8c35a1c5783d7de8972e2f89a9a531cfbbb00ab7c99

SHA512
b0bea41aa21614345fc1c3bf13517a1ddda04ba0cecdc862bbbd4d5fb13e91616b5df41e7d7cdf7958de9e63f622e9eca7d5d6aa5571a227cabf8b949a272937

Download Submit
C:\Users\Admin\AppData\Local\e1e26908cff153ff03d59ace309163ae\Admin@UXMRPRRI_en-US\System\Process.txt

Filesize
475B

MD5
d3eefc1d3dcbba141b2f32961bd4fc71

SHA1
268a762b1287f09e64278200a299cca8b9a7c40f

SHA256
c5171f2c16324eb708612f1057c6ac7233bbb80f22b0f29daf608d2b16ad85ff

SHA512
ce41fdd98afd0cbb01d923e42f114cc672b81116f99247e6831b1554341e16ee5c3f2aa07737e26af9c0f6ec27e797c7d479838572ece5a3c571b577b3488e31

Download Submit
C:\Users\Admin\AppData\Local\e1e26908cff153ff03d59ace309163ae\Admin@UXMRPRRI_en-US\System\Process.txt

Filesize
539B

MD5
3061f5f367f09783a00978f4bde817ea

SHA1
05148973f83babd973885c40849e3d369bd6d81f

SHA256
2f0cacef44abb2202a221b680c26118476e957a0f83073198d4293e076f118b6

SHA512
dc8f26b5bc1f7fcfc600906d44dc556a88274302f3c5436cce612486bb5e9a9dbad8f9953b80881a9c34e517bc275af3f3aed9694a4937cbf64347389057de8a

Download Submit
C:\Users\Admin\AppData\Local\e1e26908cff153ff03d59ace309163ae\Admin@UXMRPRRI_en-US\System\Process.txt

Filesize
578B

MD5
425becc11d022e4ac14b6b99b3e4eaa1

SHA1
0e0bc0bdd6d50533d4478e7add9a3bfb0e7ca783

SHA256
f01237895579ada4d9a62615ba0b7387853bd1ed7ad6c4109ed860a92daaeb52

SHA512
424ffde6353672be8e427a0565e19bdf1a4ca7bfba0007b9a28d84c47d985635cce3d3a1d7d527c21429ad37ab2902a5df2cd338a16a98c3482cfc30273b431f

Download Submit
C:\Users\Admin\AppData\Local\e1e26908cff153ff03d59ace309163ae\Admin@UXMRPRRI_en-US\System\Process.txt

Filesize
642B

MD5
f07cbca623197e3b5f73ceb1c2eff770

SHA1
24a14b5f912962b8678887ae35114d506c632914

SHA256
4f22f7dfa3cb61ff48b7b84941bd9b2e2513040e7c92642b25f781588c62fb23

SHA512
26bbcf5cefca626174b2c1a7761412d95a4df23c2b0ceede70bb7d4b1b75f4ac59eaf8528a4d1cd8d93de0e4c8f4d050b0a60e89db4a46f686b3ca95a59cc279

Download Submit
C:\Users\Admin\AppData\Local\e1e26908cff153ff03d59ace309163ae\Admin@UXMRPRRI_en-US\System\Process.txt

Filesize
876B

MD5
e5d4e457717986de166210e44c3abfb8

SHA1
034ba463d3a407e49c052817907371c81ea7fb3f

SHA256
71f4b43d33f9e9ba956fcc6d033fd732ec581b8372d756daf59716707fd2fa4e

SHA512
f54bc10fb03928c88951519f1bdc44676258a1c670782ceb1eb20dc436380e74d71be7e1cfc65084418d698bd17da3ee656baf23124a4ff292c88a928728a54e

Download Submit
C:\Users\Admin\AppData\Local\e1e26908cff153ff03d59ace309163ae\Admin@UXMRPRRI_en-US\System\Process.txt

Filesize
931B

MD5
696de62bd86c0a888753d6cf6572b776

SHA1
9b2eebd4e2da10a9cb0df74e8132ce17569607b7

SHA256
659dfd6d9bea58336066403e49eda2e67a4cb155a9627c1a757dce4f79e0ee03

SHA512
d3b0a0a2976e2eb4649bc151e251c69a7338ef2b67be508a8d53094c02476ae51ecab1fca3381c9b1215c582ad245b2e28d1a69062d6ed1467f0a9238559eeca

Download Submit
C:\Users\Admin\AppData\Local\e1e26908cff153ff03d59ace309163ae\Admin@UXMRPRRI_en-US\System\Process.txt

Filesize
995B

MD5
e5d97a16142ea612e76462f8e714894c

SHA1
f5fa67e8ca386180a1d659c5e09c3470eee5074c

SHA256
612f07e22f5510c1325bf03297dd39606273c00a49a9123995325f1d4ec720e6

SHA512
dae41484cce5c1e4cc1a962af0dca5ad71cb8eada1cea6061d2daa4fe275185b430fc0ac798a7b4dbeac7a680e9a32a477ea90cdcd180edfc11969be14e2d57e

Download Submit
C:\Users\Admin\AppData\Local\e1e26908cff153ff03d59ace309163ae\Admin@UXMRPRRI_en-US\System\Process.txt

Filesize
1KB

MD5
5545bf5827a62040928502209a92c963

SHA1
dea9df627dc3c1301b1421b6c50e185d959096d5

SHA256
3cf45ad46a9d37283354f6dc36a9cf29e347109ce4f514c0015b3ec157b83e73

SHA512
01ec4dce20cb514ad8037e56daec598e23518812ebc7bde9327821d050ec7b517d8659d79ba9a666933c8eeaaa9a2f7b1bad7fcfd0872fd896bd6e963db7aadb

Download Submit
C:\Users\Admin\AppData\Local\e1e26908cff153ff03d59ace309163ae\Admin@UXMRPRRI_en-US\System\Process.txt

Filesize
1KB

MD5
8195308742817204b543b664b1d4f4e6

SHA1
acfde3833f5e832f3eec2b9cebc2f5db530364ff

SHA256
d6fac5e654f7ebdfc84a1ff5dba1c5780d6312788e5fff665b88281615bd9114

SHA512
e6314896cab5c981217a7862ff812bcf618d3592b9e10f93f7a237d8902241ac16c15b4e24cb3a7f0be8137e6c927c4658f021698c1f1d8ebf88563670698739

Download Submit
C:\Users\Admin\AppData\Local\e1e26908cff153ff03d59ace309163ae\Admin@UXMRPRRI_en-US\System\Process.txt

Filesize
4KB

MD5
229abdd4083c030f8aad9f1cd7a192f0

SHA1
b4dc77d3c6e8e8140b176e4d10b611fc07d5bd84

SHA256
99c599e4061b3092229784e2d5cad596211635ede262e94bb489f6628eec4336

SHA512
46950f916a822f2854fcf5c481400e4a52f3755cf2445db1223c7d0688b1a49ad55c01f25ad735d2f3f2faf3b957bde800ac47ba19758415535cb4e8966a3c04

Download Submit
C:\Users\Admin\AppData\Local\e1e26908cff153ff03d59ace309163ae\Admin@UXMRPRRI_en-US\System\Process.txt

Filesize
791B

MD5
18531ebab36d85b9cd6251f9a6b54e8b

SHA1
fd15f166ae97d10800a784a0ba0be8ec24ec3047

SHA256
b2fb89d730e4dc6dcb5b471d531377241344cb77ae5e7a30d998e56dac331bb6

SHA512
80b22b8fedf852a079fa23920569dc833d29b969ebf760f16d624de4f5b4d7d6c67a0ebaf287c49d957dac04acb6dfd44b321a08f7ec3a4318127771e0a41d55

Download Submit
C:\Users\Admin\AppData\Local\e1e26908cff153ff03d59ace309163ae\Admin@UXMRPRRI_en-US\System\ProductKey.txt

Filesize
29B

MD5
71eb5479298c7afc6d126fa04d2a9bde

SHA1
a9b3d5505cf9f84bb6c2be2acece53cb40075113

SHA256
f6cadfd4e4c25ff3b8cffe54a2af24a757a349abbf4e1142ec4c9789347fe8b3

SHA512
7c6687e21d31ec1d6d2eff04b07b465f875fd80df26677f1506b14158444cf55044eb6674880bd5bd44f04ff73023b26cb19b8837427a1d6655c96df52f140bd

Download Submit
C:\Users\Admin\AppData\Local\e1e26908cff153ff03d59ace309163ae\Admin@UXMRPRRI_en-US\System\ScanningNetworks.txt

Filesize
84B

MD5
58cd2334cfc77db470202487d5034610

SHA1
61fa242465f53c9e64b3752fe76b2adcceb1f237

SHA256
59b3120c5ce1a7d1819510272a927e1c8f1c95385213fccbcdd429ff3492040d

SHA512
c8f52d85ec99177c722527c306a64ba61adc3ad3a5fec6d87749fbad12da424ba6b34880ab9da627fb183412875f241e1c1864d723e62130281e44c14ad1481e

Download Submit
C:\Users\Admin\Desktop\Rebel\ReadMe.txt

Filesize
13B

MD5
1c6c20f0c324e98e38272f1245d24e11

SHA1
bbb5dc3a18a532529ec6fa88c86542288dd979f7

SHA256
4ca7414e2aba6d74826403afb6ccbcc1752297a1b61aced8808b75d80d212f2d

SHA512
a30aed5a54580ad73f16ad237f82e2dc99c99d9645d40d1fbdf88a7d6c10c238b6967c011ba46c6084d409e4a37b41983d600146f93cd9250a810b7d784d8246

Download Submit
C:\Users\Admin\Desktop\Rebel\RebelCracked.exe

Filesize
344KB

MD5
a84fd0fc75b9c761e9b7923a08da41c7

SHA1
2597048612041cd7a8c95002c73e9c2818bb2097

SHA256
9d9a79f4ae9bf7a992945f6c06c5bec642c05e4e828217c50255dabfa3677006

SHA512
a17f1144a0e3ce07c7ed6891987c5b969f291e9991442c33750028d35e2194794e8a649c397e8afc9f8ce19d485c453600c75cab4fcead09e38414d85819251a

Download Submit
C:\Users\Admin\Downloads\Rebel.7z

Filesize
8.1MB

MD5
4a8429dd823216bda95f67f85483a8d9

SHA1
77640784d85848c945820d37794839f346f138d2

SHA256
cef9230ad3111e4a233e61b49ac977d4d25849061a90b05c3e7d6f308022b4de

SHA512
1d4d41cee280c62657b17c2ddc11fc7ce6bab42204d94fe05eed263d139765c19dfd16f2fde4b4e5e8b925c39945c3208600a2bfad941e4723d3bfeb7c30b91a

Download Submit
\??\pipe\LOCAL\crashpad_5116_JHNDIDZSMWVDKKIA

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/5524-408-0x0000000005760000-0x00000000057C6000-memory.dmp

Filesize
408KB

Download
memory/5524-373-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/5836-1000-0x00000000065E0000-0x00000000065EA000-memory.dmp

Filesize
40KB

Download
memory/5836-1246-0x0000000006B00000-0x0000000006B12000-memory.dmp

Filesize
72KB

Download
memory/5976-352-0x0000000000760000-0x00000000007BC000-memory.dmp

Filesize
368KB

Download
memory/6008-371-0x00000000054C0000-0x000000000555C000-memory.dmp

Filesize
624KB

Download
memory/6008-370-0x00000000052C0000-0x000000000530A000-memory.dmp

Filesize
296KB

Download
memory/6008-372-0x0000000005440000-0x000000000544A000-memory.dmp

Filesize
40KB

Download
memory/6008-367-0x00000000001B0000-0x0000000000208000-memory.dmp

Filesize
352KB

Download
memory/6008-368-0x00000000057C0000-0x0000000005D64000-memory.dmp

Filesize
5.6MB

Download
memory/6008-369-0x0000000005310000-0x00000000053A2000-memory.dmp

Filesize
584KB

Download
memory/6076-421-0x000001CE83530000-0x000001CE83531000-memory.dmp

Filesize
4KB

Download
memory/6076-420-0x000001CE83530000-0x000001CE83531000-memory.dmp

Filesize
4KB

Download
memory/6076-423-0x000001CE83530000-0x000001CE83531000-memory.dmp

Filesize
4KB

Download
memory/6076-422-0x000001CE83530000-0x000001CE83531000-memory.dmp

Filesize
4KB

Download
memory/6076-419-0x000001CE83530000-0x000001CE83531000-memory.dmp

Filesize
4KB

Download
memory/6076-418-0x000001CE83530000-0x000001CE83531000-memory.dmp

Filesize
4KB

Download
memory/6076-417-0x000001CE83530000-0x000001CE83531000-memory.dmp

Filesize
4KB

Download
memory/6076-413-0x000001CE83530000-0x000001CE83531000-memory.dmp

Filesize
4KB

Download
memory/6076-412-0x000001CE83530000-0x000001CE83531000-memory.dmp

Filesize
4KB

Download
memory/6076-411-0x000001CE83530000-0x000001CE83531000-memory.dmp

Filesize
4KB

Download