asyncrat | 9d9a79f4ae9bf7a992945f6c06c5bec642c05e4e828217c50255dabfa3677006

max time kernel
10s
max time network
72s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
20-09-2024 19:45

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

RebelCracked.exe
Size

344KB
MD5

a84fd0fc75b9c761e9b7923a08da41c7
SHA1

2597048612041cd7a8c95002c73e9c2818bb2097
SHA256

9d9a79f4ae9bf7a992945f6c06c5bec642c05e4e828217c50255dabfa3677006
SHA512

a17f1144a0e3ce07c7ed6891987c5b969f291e9991442c33750028d35e2194794e8a649c397e8afc9f8ce19d485c453600c75cab4fcead09e38414d85819251a
SSDEEP

6144:lOcpeK8lucxAtLNFHUVuI/2zj1z6jZ755NofmWx4PCQL23wBw7R0ljTwrVuAdJKp:QcpSnx0LNFDQ60Ntbo5d7gBw7R7rbdJk

Score

10^/10

asyncrat stormkitty default credential_access discovery rat spyware stealer

Malware Config

Extracted

Family

asyncrat

Botnet

Default

127.0.0.1:6606

127.0.0.1:7707

127.0.0.1:8808

Mutex

AsyncMutex_6SI8OkPnk

Attributes

delay
3
install
false
install_folder
%AppData%

aes.plain

Signatures

AsyncRat
AsyncRAT is designed to remotely monitor and control other computers written in C#.
rat asyncrat
StormKitty
StormKitty is an open source info stealer written in C#.
stealer stormkitty

StormKitty payload 5 IoCs

Processes:

resource	yara_rule
behavioral1/memory/2168-21-0x0000000000400000-0x0000000000432000-memory.dmp	family_stormkitty
behavioral1/memory/2168-26-0x0000000000400000-0x0000000000432000-memory.dmp	family_stormkitty
behavioral1/memory/2168-28-0x0000000000400000-0x0000000000432000-memory.dmp	family_stormkitty
behavioral1/memory/2168-24-0x0000000000400000-0x0000000000432000-memory.dmp	family_stormkitty
behavioral1/memory/2168-19-0x0000000000400000-0x0000000000432000-memory.dmp	family_stormkitty

Credentials from Password Stores: Credentials from Web Browsers 1 TTPs
Malicious Access or copy of Web Browser Credential store.
credential_access stealer

Credentials from Web Browsers
T1555.003

Executes dropped EXE 8 IoCs

Processes:

RuntimeBroker.exeRuntimeBroker.exeRuntimeBroker.exeRuntimeBroker.exeRuntimeBroker.exeRuntimeBroker.exeRuntimeBroker.exeRuntimeBroker.exe

pid	process
2012	RuntimeBroker.exe
2168	RuntimeBroker.exe
2732	RuntimeBroker.exe
2844	RuntimeBroker.exe
2584	RuntimeBroker.exe
2316	RuntimeBroker.exe
2960	RuntimeBroker.exe
2872	RuntimeBroker.exe

Loads dropped DLL 2 IoCs

Processes:

RuntimeBroker.exe

pid process

2012 RuntimeBroker.exe
2012 RuntimeBroker.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops desktop.ini file(s) 5 IoCs

Processes:

RuntimeBroker.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Local\2d22ddebf732a4f0e35ffb5d7b9b91d2\Admin@XPAJOTIY_en-US\Grabber\DRIVE-C\Users\Admin\Downloads\desktop.ini	RuntimeBroker.exe
File created	C:\Users\Admin\AppData\Local\2d22ddebf732a4f0e35ffb5d7b9b91d2\Admin@XPAJOTIY_en-US\Grabber\DRIVE-C\Users\Admin\Documents\desktop.ini	RuntimeBroker.exe
File created	C:\Users\Admin\AppData\Local\2d22ddebf732a4f0e35ffb5d7b9b91d2\Admin@XPAJOTIY_en-US\Grabber\DRIVE-C\Users\Admin\Desktop\desktop.ini	RuntimeBroker.exe
File opened for modification	C:\Users\Admin\AppData\Local\2d22ddebf732a4f0e35ffb5d7b9b91d2\Admin@XPAJOTIY_en-US\Grabber\DRIVE-C\Users\Admin\Desktop\desktop.ini	RuntimeBroker.exe
File created	C:\Users\Admin\AppData\Local\2d22ddebf732a4f0e35ffb5d7b9b91d2\Admin@XPAJOTIY_en-US\Grabber\DRIVE-C\Users\Admin\Pictures\desktop.ini	RuntimeBroker.exe

Suspicious use of SetThreadContext 4 IoCs

Processes:

RuntimeBroker.exeRuntimeBroker.exeRuntimeBroker.exeRuntimeBroker.exe

description	pid	process	target process
PID 2012 set thread context of 2168	2012	RuntimeBroker.exe	RuntimeBroker.exe
PID 2732 set thread context of 2844	2732	RuntimeBroker.exe	RuntimeBroker.exe
PID 2584 set thread context of 2316	2584	RuntimeBroker.exe	RuntimeBroker.exe
PID 2960 set thread context of 2872	2960	RuntimeBroker.exe	RuntimeBroker.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Program crash 2 IoCs

Processes:

WerFault.exeWerFault.exe

pid pid_target process target process

1788 1564 WerFault.exe RuntimeBroker.exe
3148 2668 WerFault.exe RuntimeBroker.exe

pid	pid_target	process	target process
1788	1564	WerFault.exe	RuntimeBroker.exe
3148	2668	WerFault.exe	RuntimeBroker.exe

System Location Discovery: System Language Discovery 1 TTPs 8 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

RuntimeBroker.exeRuntimeBroker.exeRuntimeBroker.exeRuntimeBroker.exeRuntimeBroker.exeRuntimeBroker.exeRuntimeBroker.exeRuntimeBroker.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RuntimeBroker.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RuntimeBroker.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RuntimeBroker.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RuntimeBroker.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RuntimeBroker.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RuntimeBroker.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RuntimeBroker.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RuntimeBroker.exe

System Network Configuration Discovery: Wi-Fi Discovery 1 TTPs 16 IoCs

Adversaries may search for information about Wi-Fi networks, such as network names and passwords, on compromised systems.

discovery

Wi-Fi Discovery

T1016.002

Processes:

cmd.exenetsh.execmd.execmd.exenetsh.exenetsh.execmd.execmd.exenetsh.execmd.exenetsh.exenetsh.exenetsh.execmd.execmd.exenetsh.exe

pid	process
3520	cmd.exe
3716	netsh.exe
2428	cmd.exe
3752	cmd.exe
3080	netsh.exe
3636	netsh.exe
3396	cmd.exe
3672	cmd.exe
792	netsh.exe
448	cmd.exe
2300	netsh.exe
3800	netsh.exe
3588	netsh.exe
3236	cmd.exe
3940	cmd.exe
3540	netsh.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

chrome.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

chrome.exe

pid process

1772 chrome.exe
1772 chrome.exe

Suspicious use of AdjustPrivilegeToken 6 IoCs

Processes:

RuntimeBroker.exeRuntimeBroker.exeRuntimeBroker.exeRuntimeBroker.exechrome.exe

description	pid	process
Token: SeDebugPrivilege	2168	RuntimeBroker.exe
Token: SeDebugPrivilege	2844	RuntimeBroker.exe
Token: SeDebugPrivilege	2316	RuntimeBroker.exe
Token: SeDebugPrivilege	2872	RuntimeBroker.exe
Token: SeShutdownPrivilege	1772	chrome.exe
Token: SeShutdownPrivilege	1772	chrome.exe

Suspicious use of FindShellTrayWindow 34 IoCs

Processes:

chrome.exe

pid	process
1772	chrome.exe
1772	chrome.exe
1772	chrome.exe
1772	chrome.exe
1772	chrome.exe
1772	chrome.exe
1772	chrome.exe
1772	chrome.exe
1772	chrome.exe
1772	chrome.exe
1772	chrome.exe
1772	chrome.exe
1772	chrome.exe
1772	chrome.exe
1772	chrome.exe
1772	chrome.exe
1772	chrome.exe
1772	chrome.exe
1772	chrome.exe
1772	chrome.exe
1772	chrome.exe
1772	chrome.exe
1772	chrome.exe
1772	chrome.exe
1772	chrome.exe
1772	chrome.exe
1772	chrome.exe
1772	chrome.exe
1772	chrome.exe
1772	chrome.exe
1772	chrome.exe
1772	chrome.exe
1772	chrome.exe
1772	chrome.exe

Suspicious use of SendNotifyMessage 32 IoCs

Processes:

chrome.exe

pid	process
1772	chrome.exe
1772	chrome.exe
1772	chrome.exe
1772	chrome.exe
1772	chrome.exe
1772	chrome.exe
1772	chrome.exe
1772	chrome.exe
1772	chrome.exe
1772	chrome.exe
1772	chrome.exe
1772	chrome.exe
1772	chrome.exe
1772	chrome.exe
1772	chrome.exe
1772	chrome.exe
1772	chrome.exe
1772	chrome.exe
1772	chrome.exe
1772	chrome.exe
1772	chrome.exe
1772	chrome.exe
1772	chrome.exe
1772	chrome.exe
1772	chrome.exe
1772	chrome.exe
1772	chrome.exe
1772	chrome.exe
1772	chrome.exe
1772	chrome.exe
1772	chrome.exe
1772	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

RebelCracked.exeRuntimeBroker.exeRebelCracked.exeRuntimeBroker.exeRebelCracked.exeRuntimeBroker.exe

description	pid	process	target process
PID 1236 wrote to memory of 2012	1236	RebelCracked.exe	RuntimeBroker.exe
PID 1236 wrote to memory of 2012	1236	RebelCracked.exe	RuntimeBroker.exe
PID 1236 wrote to memory of 2012	1236	RebelCracked.exe	RuntimeBroker.exe
PID 1236 wrote to memory of 2012	1236	RebelCracked.exe	RuntimeBroker.exe
PID 1236 wrote to memory of 1708	1236	RebelCracked.exe	RebelCracked.exe
PID 1236 wrote to memory of 1708	1236	RebelCracked.exe	RebelCracked.exe
PID 1236 wrote to memory of 1708	1236	RebelCracked.exe	RebelCracked.exe
PID 2012 wrote to memory of 2176	2012	RuntimeBroker.exe	RuntimeBroker.exe
PID 2012 wrote to memory of 2176	2012	RuntimeBroker.exe	RuntimeBroker.exe
PID 2012 wrote to memory of 2176	2012	RuntimeBroker.exe	RuntimeBroker.exe
PID 2012 wrote to memory of 2176	2012	RuntimeBroker.exe	RuntimeBroker.exe
PID 2012 wrote to memory of 2168	2012	RuntimeBroker.exe	RuntimeBroker.exe
PID 2012 wrote to memory of 2168	2012	RuntimeBroker.exe	RuntimeBroker.exe
PID 2012 wrote to memory of 2168	2012	RuntimeBroker.exe	RuntimeBroker.exe
PID 2012 wrote to memory of 2168	2012	RuntimeBroker.exe	RuntimeBroker.exe
PID 2012 wrote to memory of 2168	2012	RuntimeBroker.exe	RuntimeBroker.exe
PID 2012 wrote to memory of 2168	2012	RuntimeBroker.exe	RuntimeBroker.exe
PID 2012 wrote to memory of 2168	2012	RuntimeBroker.exe	RuntimeBroker.exe
PID 2012 wrote to memory of 2168	2012	RuntimeBroker.exe	RuntimeBroker.exe
PID 2012 wrote to memory of 2168	2012	RuntimeBroker.exe	RuntimeBroker.exe
PID 1708 wrote to memory of 2732	1708	RebelCracked.exe	RuntimeBroker.exe
PID 1708 wrote to memory of 2732	1708	RebelCracked.exe	RuntimeBroker.exe
PID 1708 wrote to memory of 2732	1708	RebelCracked.exe	RuntimeBroker.exe
PID 1708 wrote to memory of 2732	1708	RebelCracked.exe	RuntimeBroker.exe
PID 1708 wrote to memory of 876	1708	RebelCracked.exe	RebelCracked.exe
PID 1708 wrote to memory of 876	1708	RebelCracked.exe	RebelCracked.exe
PID 1708 wrote to memory of 876	1708	RebelCracked.exe	RebelCracked.exe
PID 2732 wrote to memory of 2844	2732	RuntimeBroker.exe	RuntimeBroker.exe
PID 2732 wrote to memory of 2844	2732	RuntimeBroker.exe	RuntimeBroker.exe
PID 2732 wrote to memory of 2844	2732	RuntimeBroker.exe	RuntimeBroker.exe
PID 2732 wrote to memory of 2844	2732	RuntimeBroker.exe	RuntimeBroker.exe
PID 2732 wrote to memory of 2844	2732	RuntimeBroker.exe	RuntimeBroker.exe
PID 2732 wrote to memory of 2844	2732	RuntimeBroker.exe	RuntimeBroker.exe
PID 2732 wrote to memory of 2844	2732	RuntimeBroker.exe	RuntimeBroker.exe
PID 2732 wrote to memory of 2844	2732	RuntimeBroker.exe	RuntimeBroker.exe
PID 2732 wrote to memory of 2844	2732	RuntimeBroker.exe	RuntimeBroker.exe
PID 876 wrote to memory of 2584	876	RebelCracked.exe	RuntimeBroker.exe
PID 876 wrote to memory of 2584	876	RebelCracked.exe	RuntimeBroker.exe
PID 876 wrote to memory of 2584	876	RebelCracked.exe	RuntimeBroker.exe
PID 876 wrote to memory of 2584	876	RebelCracked.exe	RuntimeBroker.exe
PID 876 wrote to memory of 2592	876	RebelCracked.exe	RebelCracked.exe
PID 876 wrote to memory of 2592	876	RebelCracked.exe	RebelCracked.exe
PID 876 wrote to memory of 2592	876	RebelCracked.exe	RebelCracked.exe
PID 2584 wrote to memory of 1860	2584	RuntimeBroker.exe	RuntimeBroker.exe
PID 2584 wrote to memory of 1860	2584	RuntimeBroker.exe	RuntimeBroker.exe
PID 2584 wrote to memory of 1860	2584	RuntimeBroker.exe	RuntimeBroker.exe
PID 2584 wrote to memory of 1860	2584	RuntimeBroker.exe	RuntimeBroker.exe
PID 2584 wrote to memory of 2128	2584	RuntimeBroker.exe	RuntimeBroker.exe
PID 2584 wrote to memory of 2128	2584	RuntimeBroker.exe	RuntimeBroker.exe
PID 2584 wrote to memory of 2128	2584	RuntimeBroker.exe	RuntimeBroker.exe
PID 2584 wrote to memory of 2128	2584	RuntimeBroker.exe	RuntimeBroker.exe
PID 2584 wrote to memory of 2120	2584	RuntimeBroker.exe	RuntimeBroker.exe
PID 2584 wrote to memory of 2120	2584	RuntimeBroker.exe	RuntimeBroker.exe
PID 2584 wrote to memory of 2120	2584	RuntimeBroker.exe	RuntimeBroker.exe
PID 2584 wrote to memory of 2120	2584	RuntimeBroker.exe	RuntimeBroker.exe
PID 2584 wrote to memory of 2316	2584	RuntimeBroker.exe	RuntimeBroker.exe
PID 2584 wrote to memory of 2316	2584	RuntimeBroker.exe	RuntimeBroker.exe
PID 2584 wrote to memory of 2316	2584	RuntimeBroker.exe	RuntimeBroker.exe
PID 2584 wrote to memory of 2316	2584	RuntimeBroker.exe	RuntimeBroker.exe
PID 2584 wrote to memory of 2316	2584	RuntimeBroker.exe	RuntimeBroker.exe
PID 2584 wrote to memory of 2316	2584	RuntimeBroker.exe	RuntimeBroker.exe
PID 2584 wrote to memory of 2316	2584	RuntimeBroker.exe	RuntimeBroker.exe
PID 2584 wrote to memory of 2316	2584	RuntimeBroker.exe	RuntimeBroker.exe
PID 2584 wrote to memory of 2316	2584	RuntimeBroker.exe	RuntimeBroker.exe

C:\Users\Admin\AppData\Local\Temp\RebelCracked.exe
"C:\Users\Admin\AppData\Local\Temp\RebelCracked.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1236
- C:\Users\Admin\AppData\Local\RuntimeBroker.exe
  "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2012
- - C:\Users\Admin\AppData\Local\RuntimeBroker.exe
    "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
    3⤵
    PID:2176
- - C:\Users\Admin\AppData\Local\RuntimeBroker.exe
    "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
    3⤵
    - Executes dropped EXE
    - Drops desktop.ini file(s)
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    PID:2168
  - - C:\Windows\SysWOW64\cmd.exe
      "cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All
      4⤵
      System Network Configuration Discovery: Wi-Fi Discovery
      PID:3752
    - - C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        5⤵
        
        PID:3792
    - - C:\Windows\SysWOW64\netsh.exe
        
        netsh wlan show profile
        5⤵
        System Network Configuration Discovery: Wi-Fi Discovery
        
        PID:3800
    - - C:\Windows\SysWOW64\findstr.exe
        
        findstr All
        5⤵
        
        PID:3808
  - - C:\Windows\SysWOW64\cmd.exe
      "cmd.exe" /C chcp 65001 && netsh wlan show networks mode=bssid
      4⤵
      PID:3868
    - - C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        5⤵
        
        PID:3956
    - - C:\Windows\SysWOW64\netsh.exe
        
        netsh wlan show networks mode=bssid
        5⤵
        
        PID:4068
- C:\Users\Admin\AppData\Local\Temp\RebelCracked.exe
  "C:\Users\Admin\AppData\Local\Temp\RebelCracked.exe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1708
- - C:\Users\Admin\AppData\Local\RuntimeBroker.exe
    "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2732
  - - C:\Users\Admin\AppData\Local\RuntimeBroker.exe
      "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      PID:2844
    - - C:\Windows\SysWOW64\cmd.exe
        
        "cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All
        5⤵
        System Network Configuration Discovery: Wi-Fi Discovery
        
        PID:3396
      - C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        6⤵
        
        PID:3580
      - C:\Windows\SysWOW64\netsh.exe
        
        netsh wlan show profile
        6⤵
        System Network Configuration Discovery: Wi-Fi Discovery
        
        PID:3588
      - C:\Windows\SysWOW64\findstr.exe
        
        findstr All
        6⤵
        
        PID:3472
    - - C:\Windows\SysWOW64\cmd.exe
        
        "cmd.exe" /C chcp 65001 && netsh wlan show networks mode=bssid
        5⤵
        
        PID:3136
      - C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        6⤵
        
        PID:3852
      - C:\Windows\SysWOW64\netsh.exe
        
        netsh wlan show networks mode=bssid
        6⤵
        
        PID:824
- - C:\Users\Admin\AppData\Local\Temp\RebelCracked.exe
    "C:\Users\Admin\AppData\Local\Temp\RebelCracked.exe"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:876
  - - C:\Users\Admin\AppData\Local\RuntimeBroker.exe
      "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of SetThreadContext
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:2584
    - - C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        5⤵
        
        PID:1860
    - - C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        5⤵
        
        PID:2128
    - - C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        5⤵
        
        PID:2120
    - - C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:2316
      - C:\Windows\SysWOW64\cmd.exe
        
        "cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All
        6⤵
        System Network Configuration Discovery: Wi-Fi Discovery
        
        PID:2428
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        7⤵
        
        PID:3732
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh wlan show profile
        7⤵
        System Network Configuration Discovery: Wi-Fi Discovery
        
        PID:3540
        
        C:\Windows\SysWOW64\findstr.exe
        
        findstr All
        7⤵
        
        PID:3696
      - C:\Windows\SysWOW64\cmd.exe
        
        "cmd.exe" /C chcp 65001 && netsh wlan show networks mode=bssid
        6⤵
        
        PID:3840
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        7⤵
        
        PID:1320
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh wlan show networks mode=bssid
        7⤵
        
        PID:1568
  - - C:\Users\Admin\AppData\Local\Temp\RebelCracked.exe
      "C:\Users\Admin\AppData\Local\Temp\RebelCracked.exe"
      4⤵
      PID:2592
    - - C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:2960
      - C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        6⤵
        
        PID:2124
      - C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:2872
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All
        7⤵
        System Network Configuration Discovery: Wi-Fi Discovery
        
        PID:3236
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        8⤵
        
        PID:3136
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh wlan show profile
        8⤵
        System Network Configuration Discovery: Wi-Fi Discovery
        
        PID:792
        
        C:\Windows\SysWOW64\findstr.exe
        
        findstr All
        8⤵
        
        PID:3336
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd.exe" /C chcp 65001 && netsh wlan show networks mode=bssid
        7⤵
        
        PID:572
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        8⤵
        
        PID:3900
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh wlan show networks mode=bssid
        8⤵
        
        PID:3308
    - - C:\Users\Admin\AppData\Local\Temp\RebelCracked.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RebelCracked.exe"
        5⤵
        
        PID:1144
      - C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        6⤵
        
        PID:1924
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        7⤵
        
        PID:2232
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All
        8⤵
        System Network Configuration Discovery: Wi-Fi Discovery
        
        PID:3520
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        9⤵
        
        PID:3568
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh wlan show profile
        9⤵
        System Network Configuration Discovery: Wi-Fi Discovery
        
        PID:3716
        
        C:\Windows\SysWOW64\findstr.exe
        
        findstr All
        9⤵
        
        PID:3764
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd.exe" /C chcp 65001 && netsh wlan show networks mode=bssid
        8⤵
        
        PID:3844
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        9⤵
        
        PID:3984
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh wlan show networks mode=bssid
        9⤵
        
        PID:4056
      - C:\Users\Admin\AppData\Local\Temp\RebelCracked.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RebelCracked.exe"
        6⤵
        
        PID:2180
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        7⤵
        
        PID:2704
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        8⤵
        
        PID:2220
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        8⤵
        
        PID:1668
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        8⤵
        
        PID:1564
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1564 -s 900
        9⤵
        Program crash
        
        PID:1788
        
        C:\Users\Admin\AppData\Local\Temp\RebelCracked.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RebelCracked.exe"
        7⤵
        
        PID:1908
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        8⤵
        
        PID:1028
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        9⤵
        
        PID:2996
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        9⤵
        
        PID:2824
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        9⤵
        
        PID:2688
        
        C:\Users\Admin\AppData\Local\Temp\RebelCracked.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RebelCracked.exe"
        8⤵
        
        PID:1720
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        9⤵
        
        PID:2880
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        10⤵
        
        PID:2708
        
        C:\Users\Admin\AppData\Local\Temp\RebelCracked.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RebelCracked.exe"
        9⤵
        
        PID:3008
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        10⤵
        
        PID:2752
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        11⤵
        
        PID:2640
        
        C:\Users\Admin\AppData\Local\Temp\RebelCracked.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RebelCracked.exe"
        10⤵
        
        PID:2656
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        11⤵
        
        PID:376
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        12⤵
        
        PID:1592
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        12⤵
        
        PID:2436
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        12⤵
        
        PID:1500
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        12⤵
        
        PID:2224
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All
        13⤵
        System Network Configuration Discovery: Wi-Fi Discovery
        
        PID:448
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        14⤵
        
        PID:3096
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh wlan show profile
        14⤵
        System Network Configuration Discovery: Wi-Fi Discovery
        
        PID:2300
        
        C:\Windows\SysWOW64\findstr.exe
        
        findstr All
        14⤵
        
        PID:908
        
        C:\Users\Admin\AppData\Local\Temp\RebelCracked.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RebelCracked.exe"
        11⤵
        
        PID:1508
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        12⤵
        
        PID:2172
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        13⤵
        
        PID:2768
        
        C:\Users\Admin\AppData\Local\Temp\RebelCracked.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RebelCracked.exe"
        12⤵
        
        PID:2668
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        13⤵
        
        PID:1484
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        14⤵
        
        PID:2656
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        14⤵
        
        PID:2752
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        14⤵
        
        PID:2336
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        14⤵
        
        PID:2820
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        14⤵
        
        PID:2076
        
        C:\Users\Admin\AppData\Local\Temp\RebelCracked.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RebelCracked.exe"
        13⤵
        
        PID:292
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        14⤵
        
        PID:808
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        15⤵
        
        PID:1908
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        15⤵
        
        PID:2932
        
        C:\Users\Admin\AppData\Local\Temp\RebelCracked.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RebelCracked.exe"
        14⤵
        
        PID:600
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        15⤵
        
        PID:3516
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        16⤵
        
        PID:3596
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        16⤵
        
        PID:3612
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All
        17⤵
        System Network Configuration Discovery: Wi-Fi Discovery
        
        PID:3672
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        18⤵
        
        PID:3176
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh wlan show profile
        18⤵
        System Network Configuration Discovery: Wi-Fi Discovery
        
        PID:3080
        
        C:\Windows\SysWOW64\findstr.exe
        
        findstr All
        18⤵
        
        PID:2368
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd.exe" /C chcp 65001 && netsh wlan show networks mode=bssid
        17⤵
        
        PID:3676
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        18⤵
        
        PID:1520
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh wlan show networks mode=bssid
        18⤵
        
        PID:3692
        
        C:\Users\Admin\AppData\Local\Temp\RebelCracked.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RebelCracked.exe"
        15⤵
        
        PID:3560
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        16⤵
        
        PID:4084
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        17⤵
        
        PID:1740
        
        C:\Users\Admin\AppData\Local\Temp\RebelCracked.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RebelCracked.exe"
        16⤵
        
        PID:1484
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        17⤵
        
        PID:3096
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        18⤵
        
        PID:3440
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        18⤵
        
        PID:3932
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All
        19⤵
        System Network Configuration Discovery: Wi-Fi Discovery
        
        PID:3940
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        20⤵
        
        PID:3772
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh wlan show profile
        20⤵
        System Network Configuration Discovery: Wi-Fi Discovery
        
        PID:3636
        
        C:\Windows\SysWOW64\findstr.exe
        
        findstr All
        20⤵
        
        PID:3792
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd.exe" /C chcp 65001 && netsh wlan show networks mode=bssid
        19⤵
        
        PID:1856
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        20⤵
        
        PID:3152
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh wlan show networks mode=bssid
        20⤵
        
        PID:2700
        
        C:\Users\Admin\AppData\Local\Temp\RebelCracked.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RebelCracked.exe"
        17⤵
        
        PID:3112
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        18⤵
        
        PID:376
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        19⤵
        
        PID:292
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        19⤵
        
        PID:3232
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        19⤵
        
        PID:2668
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2668 -s 904
        20⤵
        Program crash
        
        PID:3148
        
        C:\Users\Admin\AppData\Local\Temp\RebelCracked.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RebelCracked.exe"
        18⤵
        
        PID:2388
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        19⤵
        
        PID:3516
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        20⤵
        
        PID:3356
        
        C:\Users\Admin\AppData\Local\Temp\RebelCracked.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RebelCracked.exe"
        19⤵
        
        PID:3836
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        20⤵
        
        PID:2360
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        21⤵
        
        PID:3980
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        21⤵
        
        PID:1564
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        21⤵
        
        PID:3904
        
        C:\Users\Admin\AppData\Local\Temp\RebelCracked.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RebelCracked.exe"
        20⤵
        
        PID:3996
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        21⤵
        
        PID:3416
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        22⤵
        
        PID:3428
        
        C:\Users\Admin\AppData\Local\Temp\RebelCracked.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RebelCracked.exe"
        21⤵
        
        PID:3348
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        22⤵
        
        PID:3672
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        23⤵
        
        PID:2584
        
        C:\Users\Admin\AppData\Local\Temp\RebelCracked.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RebelCracked.exe"
        22⤵
        
        PID:3424
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        23⤵
        
        PID:3236
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        24⤵
        
        PID:3204
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        24⤵
        
        PID:3628
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        24⤵
        
        PID:3384
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        24⤵
        
        PID:3624
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        24⤵
        
        PID:3716
        
        C:\Users\Admin\AppData\Local\Temp\RebelCracked.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RebelCracked.exe"
        23⤵
        
        PID:1632
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        24⤵
        
        PID:1764
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        25⤵
        
        PID:1788
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        25⤵
        
        PID:3228
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        25⤵
        
        PID:3952
        
        C:\Users\Admin\AppData\Local\Temp\RebelCracked.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RebelCracked.exe"
        24⤵
        
        PID:3124
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        25⤵
        
        PID:3860
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        26⤵
        
        PID:2188
        
        C:\Users\Admin\AppData\Local\Temp\RebelCracked.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RebelCracked.exe"
        25⤵
        
        PID:3840
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        26⤵
        
        PID:3992
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        27⤵
        
        PID:3388
        
        C:\Users\Admin\AppData\Local\Temp\RebelCracked.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RebelCracked.exe"
        26⤵
        
        PID:2668
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        27⤵
        
        PID:3452
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        28⤵
        
        PID:3256
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        28⤵
        
        PID:2580
        
        C:\Users\Admin\AppData\Local\Temp\RebelCracked.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RebelCracked.exe"
        27⤵
        
        PID:2524
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        28⤵
        
        PID:3948
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        29⤵
        
        PID:3148
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        29⤵
        
        PID:3416
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        29⤵
        
        PID:3376
        
        C:\Users\Admin\AppData\Local\Temp\RebelCracked.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RebelCracked.exe"
        28⤵
        
        PID:3364
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        29⤵
        
        PID:3452
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        30⤵
        
        PID:3408
        
        C:\Users\Admin\AppData\Local\Temp\RebelCracked.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RebelCracked.exe"
        29⤵
        
        PID:2528
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        30⤵
        
        PID:2636
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        31⤵
        
        PID:1360
        
        C:\Users\Admin\AppData\Local\Temp\RebelCracked.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RebelCracked.exe"
        30⤵
        
        PID:4044
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        31⤵
        
        PID:3948
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        32⤵
        
        PID:2304
        
        C:\Users\Admin\AppData\Local\Temp\RebelCracked.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RebelCracked.exe"
        31⤵
        
        PID:1680

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:1772
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xc0,0xc4,0xc8,0x94,0xcc,0x7fef2969758,0x7fef2969768,0x7fef2969778
  2⤵
  PID:1048
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1124 --field-trial-handle=1308,i,13575115793167994134,12431508322427141556,131072 /prefetch:2
  2⤵
  PID:1932
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1524 --field-trial-handle=1308,i,13575115793167994134,12431508322427141556,131072 /prefetch:8
  2⤵
  PID:944
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1596 --field-trial-handle=1308,i,13575115793167994134,12431508322427141556,131072 /prefetch:8
  2⤵
  PID:1856
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2296 --field-trial-handle=1308,i,13575115793167994134,12431508322427141556,131072 /prefetch:1
  2⤵
  PID:1484
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2300 --field-trial-handle=1308,i,13575115793167994134,12431508322427141556,131072 /prefetch:1
  2⤵
  PID:2336
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --use-gl=angle --use-angle=swiftshader-webgl --mojo-platform-channel-handle=1336 --field-trial-handle=1308,i,13575115793167994134,12431508322427141556,131072 /prefetch:2
  2⤵
  PID:2600
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --mojo-platform-channel-handle=2888 --field-trial-handle=1308,i,13575115793167994134,12431508322427141556,131072 /prefetch:1
  2⤵
  PID:2648
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3708 --field-trial-handle=1308,i,13575115793167994134,12431508322427141556,131072 /prefetch:8
  2⤵
  PID:2068
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --mojo-platform-channel-handle=3720 --field-trial-handle=1308,i,13575115793167994134,12431508322427141556,131072 /prefetch:1
  2⤵
  PID:2428
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --mojo-platform-channel-handle=3020 --field-trial-handle=1308,i,13575115793167994134,12431508322427141556,131072 /prefetch:1
  2⤵
  PID:3644
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1612 --field-trial-handle=1308,i,13575115793167994134,12431508322427141556,131072 /prefetch:8
  2⤵
  PID:1608
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --mojo-platform-channel-handle=3140 --field-trial-handle=1308,i,13575115793167994134,12431508322427141556,131072 /prefetch:1
  2⤵
  PID:3472

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:2488

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

System Network Configuration Discovery

T1016

Wi-Fi Discovery

T1016.002

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\036a961c2d93a4e8a2c24a44ebdf34cb\Admin@XPAJOTIY_en-US\System\Process.txt

Filesize
59B

MD5
e7393463bad6a2e6f4853f33de2c67ea

SHA1
2053f35f1fd214fb364c3cdfa8d1ce5a712c02d3

SHA256
ea0cd9285170a5c31103b75120bad5798e5cb9e4b5b49a239872138b2c7e4c22

SHA512
63db3c63d4f0a3454dddd59a682b0fa26c3d28aec5cc36a27f1c474933853ebdb94b11c42ca9a246f19c63236834e3e635a32161b4f7bf5720ae16f7afef2083

Download Submit
C:\Users\Admin\AppData\Local\036a961c2d93a4e8a2c24a44ebdf34cb\Admin@XPAJOTIY_en-US\System\ProductKey.txt

Filesize
29B

MD5
cad6c6bee6c11c88f5e2f69f0be6deb7

SHA1
289d74c3bebe6cca4e1d2e084482ad6d21316c84

SHA256
dc288491fadc4a85e71085890e3d6a7746e99a317cd5ef09a30272dfb10398c0

SHA512
e02cf6bff8b4ebd7a1346ecb1667be36c3ef7415fff77c3b9cfb370f3d0dc861f74d3e0e49065699850ba6cc025cd68d14ceb73f3b512c2a9b28873a69aff097

Download Submit
C:\Users\Admin\AppData\Local\036a961c2d93a4e8a2c24a44ebdf34cb\Admin@XPAJOTIY_en-US\System\ScanningNetworks.txt

Filesize
59B

MD5
409930721dbce1ee58227d109cca4570

SHA1
767f86ffec769d8415f07b4372a108cba1bf7221

SHA256
6b6dd8b11f84fb78e3e8cfaa7c5fca569d79402b9fc5861b00960b25607c911e

SHA512
4875187fce9545a92df636e384f92dcb403dfe80f3cad4a68e79329a1f42e12e9d04948f2a52b939638481da6d3e3b5f5096fe6dfd674ee53cca7c655ec03f17

Download Submit
C:\Users\Admin\AppData\Local\0775172d29401e95ee22b45ac676e48c\Admin@XPAJOTIY_en-US\Browsers\Google\History.txt

Filesize
864B

MD5
20e240d795c0a9a05a2b82be9d07072b

SHA1
b12a6caa30f72e39cd71c2793bc93c69f30646b8

SHA256
1ab240be903df2bb5c03e259d25db33a0f668c5920886d5768e54c00b64c76d7

SHA512
965e4c3137d8d2f69dfd086cc8ecee76259de873e11f916d5c991b495eea56eec8b02a90b9dedcc5d28ebe3d0dd2342238bc204c528b0c3bfe3fc8c7aaa17093

Download Submit
C:\Users\Admin\AppData\Local\2d22ddebf732a4f0e35ffb5d7b9b91d2\Admin@XPAJOTIY_en-US\Browsers\Firefox\Bookmarks.txt

Filesize
105B

MD5
2e9d094dda5cdc3ce6519f75943a4ff4

SHA1
5d989b4ac8b699781681fe75ed9ef98191a5096c

SHA256
c84c98bbf5e0ef9c8d0708b5d60c5bb656b7d6be5135d7f7a8d25557e08cf142

SHA512
d1f7eed00959e902bdb2125b91721460d3ff99f3bdfc1f2a343d4f58e8d4e5e5a06c0c6cdc0379211c94510f7c00d7a8b34fa7d0ca0c3d54cbbe878f1e9812b7

Download Submit
C:\Users\Admin\AppData\Local\2d22ddebf732a4f0e35ffb5d7b9b91d2\Admin@XPAJOTIY_en-US\System\Process.txt

Filesize
144B

MD5
9438d1e3686266d61bfd9a0b8d86fa11

SHA1
08aadc98cc8612ae124c971da72ec5c04118d043

SHA256
1c0253ac27c7af1159cfe840764e199a32d69571eade7e83ea40bd4f4f42d311

SHA512
0f893e6c956f5ff98b6a062a04ddd60a908091067ff87c88e875a0a2eac41f779c834e90d29ae3d6e0074cee2b8ad57bd7e6b26c63334a6e746af167abc8626e

Download Submit
C:\Users\Admin\AppData\Local\2d22ddebf732a4f0e35ffb5d7b9b91d2\Admin@XPAJOTIY_en-US\System\Process.txt

Filesize
268B

MD5
a3acdca2b3f02039818f553ef59be051

SHA1
767213ae36e3dad3eba42d70d0f35b449ce9c2ac

SHA256
ccac681a917a45b4a9cef3f641e50999796e51bfa444fc87ffa6144d50ac4f08

SHA512
c56ee6d30c07e2bef0638c736fa70a8217fe9092cf1119a689c2bce2aca7c65550458dba43f5023e001c4e2c057125f96972fbbe2c55ee351dba0d593c7edc9d

Download Submit
C:\Users\Admin\AppData\Local\3f054c307d33eed4d6a1fd350150ec2f\Admin@XPAJOTIY_en-US\Directories\Desktop.txt

Filesize
616B

MD5
0db9e756c51b236c36813342ddbb1c79

SHA1
f2270344aa237a5893187e919864059318493efa

SHA256
bc550b4fc23bdcaa3f79953e0942cd0cd891ca9dc69a58424a7e19b4fd2a521b

SHA512
92dcbce51f3d4c2a1a716856537501bf1029a8751dc97a2bb3796da97c501021ec70c5bc177db565cb89286a5bb7c606bfe97a8d49237d39b3250b16300c8c77

Download Submit
C:\Users\Admin\AppData\Local\3f054c307d33eed4d6a1fd350150ec2f\Admin@XPAJOTIY_en-US\Directories\Documents.txt

Filesize
761B

MD5
04ed6212b1302f003ff40457dc8fa1dc

SHA1
9aa40e0fd9022a7d096cba82a2e3d1132beaa2d1

SHA256
ac5bfa39238d3b517e2422a7f716b501b378b645842dc11233ec6641b1ee8359

SHA512
296f0be2b02190b865af1027604acc4d82cd1bb05c6efe7b3724fc706c7b846e4d422589670e8c14a991643113579bcafda6dc19f5bd4a86febbd867a52dc98e

Download Submit
C:\Users\Admin\AppData\Local\3f054c307d33eed4d6a1fd350150ec2f\Admin@XPAJOTIY_en-US\Directories\Downloads.txt

Filesize
657B

MD5
41bf57924a0d9609ce405e6b38891045

SHA1
bc505d04b580b1c91906b86437832de0178c4011

SHA256
2d3d9fede2d5c27b39b2c8cdb55613d5d5ac30a2ceb1a1fd3798fbc71b49ed2a

SHA512
ade6476a7e6d1d845b77bede3d145d2249fc1b59901da027169925a94867961401c6a650a556356b6ac91223ecc14451d0bb4510167e2d6672ecd61d319fc783

Download Submit
C:\Users\Admin\AppData\Local\3f054c307d33eed4d6a1fd350150ec2f\Admin@XPAJOTIY_en-US\Directories\Pictures.txt

Filesize
321B

MD5
aa74ef12bdad99cc153cf37831b4cf0d

SHA1
9d35cc02454fe73694dade89118365a7c9e44ba7

SHA256
f084e2c79aa313ce2affc13cb3c6797dcab8cd711882584f227fd5a0b9b9e6b8

SHA512
c0700bc1193aceb674a4fbb834cfd7997d251359927306ce2fee78245e962ea9e8b7c90da558806dce0bba6904e17b60e6c08dc3d79e309df5a5733839ace3c9

Download Submit
C:\Users\Admin\AppData\Local\3f054c307d33eed4d6a1fd350150ec2f\Admin@XPAJOTIY_en-US\Directories\Startup.txt

Filesize
24B

MD5
68c93da4981d591704cea7b71cebfb97

SHA1
fd0f8d97463cd33892cc828b4ad04e03fc014fa6

SHA256
889ed51f9c16a4b989bda57957d3e132b1a9c117ee84e208207f2fa208a59483

SHA512
63455c726b55f2d4de87147a75ff04f2daa35278183969ccf185d23707840dd84363bec20d4e8c56252196ce555001ca0e61b3f4887d27577081fdef9e946402

Download Submit
C:\Users\Admin\AppData\Local\3f054c307d33eed4d6a1fd350150ec2f\Admin@XPAJOTIY_en-US\Directories\Temp.txt

Filesize
1KB

MD5
0fe4f92213fa3d31138b663731ee09c3

SHA1
e62066bfe8d4ed13b99863dd42ea5018ffb15a5d

SHA256
11a765e1478db2b7c00e15953a229f91cd4adc14b63d60730fc8c772ee789265

SHA512
577c6e095ff85e65e8d2a5c1780250cc6e2791d5bddd7d9fb298fc89e4dd8af12e31855800bff49a843341a80e116c498f5dba08070b68fac6885037748a976a

Download Submit
C:\Users\Admin\AppData\Local\3f054c307d33eed4d6a1fd350150ec2f\Admin@XPAJOTIY_en-US\Directories\Videos.txt

Filesize
23B

MD5
1fddbf1169b6c75898b86e7e24bc7c1f

SHA1
d2091060cb5191ff70eb99c0088c182e80c20f8c

SHA256
a67aa329b7d878de61671e18cd2f4b011d11cbac67ea779818c6dafad2d70733

SHA512
20bfeafde7fec1753fef59de467bd4a3dd7fe627e8c44e95fe62b065a5768c4508e886ec5d898e911a28cf6365f455c9ab1ebe2386d17a76f53037f99061fd4d

Download Submit
C:\Users\Admin\AppData\Local\3f054c307d33eed4d6a1fd350150ec2f\Admin@XPAJOTIY_en-US\Grabber\DRIVE-C\Users\Admin\Desktop\desktop.ini

Filesize
282B

MD5
9e36cc3537ee9ee1e3b10fa4e761045b

SHA1
7726f55012e1e26cc762c9982e7c6c54ca7bb303

SHA256
4b9d687ac625690fd026ed4b236dad1cac90ef69e7ad256cc42766a065b50026

SHA512
5f92493c533d3add10b4ce2a364624817ebd10e32daa45ee16593e913073602db5e339430a3f7d2c44abf250e96ca4e679f1f09f8ca807d58a47cf3d5c9c3790

Download Submit
C:\Users\Admin\AppData\Local\3f054c307d33eed4d6a1fd350150ec2f\Admin@XPAJOTIY_en-US\Grabber\DRIVE-C\Users\Admin\Documents\desktop.ini

Filesize
402B

MD5
ecf88f261853fe08d58e2e903220da14

SHA1
f72807a9e081906654ae196605e681d5938a2e6c

SHA256
cafec240d998e4b6e92ad1329cd417e8e9cbd73157488889fd93a542de4a4844

SHA512
82c1c3dd163fbf7111c7ef5043b009dafc320c0c5e088dec16c835352c5ffb7d03c5829f65a9ff1dc357bae97e8d2f9c3fc1e531fe193e84811fb8c62888a36b

Download Submit
C:\Users\Admin\AppData\Local\3f054c307d33eed4d6a1fd350150ec2f\Admin@XPAJOTIY_en-US\Grabber\DRIVE-C\Users\Admin\Downloads\desktop.ini

Filesize
282B

MD5
3a37312509712d4e12d27240137ff377

SHA1
30ced927e23b584725cf16351394175a6d2a9577

SHA256
b029393ea7b7cf644fb1c9f984f57c1980077562ee2e15d0ffd049c4c48098d3

SHA512
dbb9abe70f8a781d141a71651a62a3a743c71a75a8305e9d23af92f7307fb639dc4a85499115885e2a781b040cbb7613f582544c2d6de521e588531e9c294b05

Download Submit
C:\Users\Admin\AppData\Local\3f054c307d33eed4d6a1fd350150ec2f\Admin@XPAJOTIY_en-US\Grabber\DRIVE-C\Users\Admin\Pictures\desktop.ini

Filesize
504B

MD5
29eae335b77f438e05594d86a6ca22ff

SHA1
d62ccc830c249de6b6532381b4c16a5f17f95d89

SHA256
88856962cef670c087eda4e07d8f78465beeabb6143b96bd90f884a80af925b4

SHA512
5d2d05403b39675b9a751c8eed4f86be58cb12431afec56946581cb116b9ae1014ab9334082740be5b4de4a25e190fe76de071ef1b9074186781477919eb3c17

Download Submit
C:\Users\Admin\AppData\Local\3f054c307d33eed4d6a1fd350150ec2f\Admin@XPAJOTIY_en-US\System\Process.txt

Filesize
534B

MD5
e1eb60892214f13835b658bda1928fd9

SHA1
931c1b39f02503fbda430552e0c25a4289d80e33

SHA256
a2377903e3cd96e822029f1e72a7dcd03e660c11a0213f279f77404feb78aff9

SHA512
8ae4312150ff5a208aee20750175739e19279b3fb5bef011e728eaa965cbdd3e8fc2fc5c2dfe33e80df1e41d647414115a8a91211316d411b6d8e726ccfecbec

Download Submit
C:\Users\Admin\AppData\Local\3f054c307d33eed4d6a1fd350150ec2f\Admin@XPAJOTIY_en-US\System\Process.txt

Filesize
782B

MD5
8dd98008c08184931ab02e51df3c5ac2

SHA1
51adb59109a757a2788e6665c8f34567e17ce885

SHA256
c88741b54bf4eaca1712c1f6fb914cdc44945465033ce9eb7be0accbe67190e1

SHA512
7fcc5c94982c7968580b5409da90b251966a046839a5b0b04e652cb2bdd87365d9326675bd22043b828ec52bb459d6022a64b3702c545e889bc8e28353fd7214

Download Submit
C:\Users\Admin\AppData\Local\3f054c307d33eed4d6a1fd350150ec2f\Admin@XPAJOTIY_en-US\System\Process.txt

Filesize
1KB

MD5
3ae4827910fe39f00572cfd7a6a5a9a8

SHA1
6424ba25e0eed4a0a5d64464f9ff62a70af76bf6

SHA256
ccbfa163e12f356caebbe68885ca24494fae28c9cb3f53cdee1fb4a526b1d90b

SHA512
bdd65d2dbc4386b2c0c8b9bc3649aa1d3317c0ea32b673515cf6ae7522bba24fc8bef3a9c381baa2f885f28e923f76d8d4f6771753c1749000469f1d447be36c

Download Submit
C:\Users\Admin\AppData\Local\3f054c307d33eed4d6a1fd350150ec2f\Admin@XPAJOTIY_en-US\System\Process.txt

Filesize
1KB

MD5
9c1e9905b7843f877f72f5c5844db5e1

SHA1
a3048648bbd954c4a8d5bbb5ff21475b16754284

SHA256
f45ee2205e02494eb969dde18efff83d68005387a0484bde83accae03851e799

SHA512
54ee660d7e59f6a5c7aeb380a16c4d875c53359142dda9446df08f98b61efc7acefae21587872ee8fe6c5c2f442ad3da9c78f2d15ce9e48df8b7fbfd058a48d2

Download Submit
C:\Users\Admin\AppData\Local\3f054c307d33eed4d6a1fd350150ec2f\Admin@XPAJOTIY_en-US\System\Process.txt

Filesize
1KB

MD5
59a836ebf000bc56b665c4ef3e3fc040

SHA1
44c71d3059ca1c7d8d63eaa880bb7f0cfbdc2128

SHA256
04d6a3cdebc483f7c740b78154c38520ac066723f8017d89098eaaa2583736d1

SHA512
e559e1bebefec6c841651ebe415e4abec38c79e00cfca5a14a13f1dea6668a1fdf796b4638f4dc52132fdc6d32efe6daef9a216afa0fa43334534e9a7684bb24

Download Submit
C:\Users\Admin\AppData\Local\3f054c307d33eed4d6a1fd350150ec2f\Admin@XPAJOTIY_en-US\System\Process.txt

Filesize
1KB

MD5
9a036388428da04d84c7f2c76f978cdc

SHA1
2f80100574cdf77997dee7226bfd751ab8077591

SHA256
28b8430cc97947d23ebe73138ec56e5a26f0997ba9346515b703f9f712028b98

SHA512
a95e1d1319edfdfb0993832aa3535e14ac2d3ac2305afbd0fc139e640f783de78e2a934c1f4e52414946165541867e211b3c956d02d5e13e1ffad7b74fa7b7f9

Download Submit
C:\Users\Admin\AppData\Local\3f054c307d33eed4d6a1fd350150ec2f\Admin@XPAJOTIY_en-US\System\Process.txt

Filesize
1KB

MD5
4fcebb59f26b4a51a75f4e45f72b55cd

SHA1
f6e26d5fa4539fd70691ab0ccd4edfef4738c0b0

SHA256
64ce819b9389f20f4fb2b8f4325e2197d08abdfc709acbe7503eedff46657ada

SHA512
1485c8d9495a4c9716c6b8c5eee81876763127c8261ec3ffdf9a51dfab931643791fc412795cbc058e5d6c5835eb078f737f04988199592cbcf40f2373edba82

Download Submit
C:\Users\Admin\AppData\Local\3f054c307d33eed4d6a1fd350150ec2f\Admin@XPAJOTIY_en-US\System\Process.txt

Filesize
1KB

MD5
a9160fa3aee90756b966c5e7bac8ac24

SHA1
516738ca254487485adeccd60af67a5b493be9fa

SHA256
e96ec8ad68aaa151b4bd4f701df302339f1313ee4c3972b6f2aca18afeb32d2e

SHA512
de218a4b87f511a67e8bc1d9e0fdc577b8d24bdce7f1897fa0d3dcd319c69b878a27733873893b4eb1d4e6a3cd6db4ec01be71f0779b5384e16206e5355a4fa2

Download Submit
C:\Users\Admin\AppData\Local\3f054c307d33eed4d6a1fd350150ec2f\Admin@XPAJOTIY_en-US\System\Process.txt

Filesize
1KB

MD5
c256b4a42c73ac1f5b87e85bf0606039

SHA1
a4d004029f8a9c5b7641b209a36b7a9d7944344c

SHA256
3cc48c9e1997ead82711a46e89eaee33a53998fe2e3d0fb1514246bea5662047

SHA512
dc799d9088bb0bffe94c919f6a943de3f6184ed295034e1446273efff3ff901cc41cc067371a70e8dab4321c3fb03ffd9157414829ead7dcc1b9cfd1c04abb14

Download Submit
C:\Users\Admin\AppData\Local\3f054c307d33eed4d6a1fd350150ec2f\Admin@XPAJOTIY_en-US\System\Process.txt

Filesize
2KB

MD5
814c37bf019a7d3d8a390a2ec0b0f6e5

SHA1
176227605419dde03bbec336c5595290b9a2a8e8

SHA256
a398d727fadddff0daa8cafc639a356e8af9d69987e30085899e997569676b0a

SHA512
2dc0c56d7da63dc0530c08606f084d16fd7e841ae154edfae6954c7127a3c7df1a69cc40315efa7d82ec93a2a31e1cca1c951054de034f086dd5d37fb6311e01

Download Submit
C:\Users\Admin\AppData\Local\3f054c307d33eed4d6a1fd350150ec2f\Admin@XPAJOTIY_en-US\System\Process.txt

Filesize
2KB

MD5
467c0aba5dd6ff4b8169bb1864e92fd3

SHA1
b52eb505e91a41db58c7955db08143f94da31c0a

SHA256
06ba5a42f1757fbbca57db49068b6826fe91afa452622be4e6e0fed942d850b7

SHA512
59e557a497fcc15fd9701d2cbc0b38ed76a6d5109f6667326cca270578b89e6e22dc01d83d7b01c668d45b125dc4df693350425d20298b404ca127e6823f3252

Download Submit
C:\Users\Admin\AppData\Local\3f054c307d33eed4d6a1fd350150ec2f\Admin@XPAJOTIY_en-US\System\Process.txt

Filesize
4KB

MD5
e11ffc0946756086bc661f4a7aa97e4d

SHA1
feced1cec5f02e743e1bc94b9906a3abd484fda8

SHA256
b89c8e4cbe325ddcec933a3cd87d36eed233d83e5e4ed65c53810ed75d13bda0

SHA512
a2d33d5bfee06bdc1fdbdccc3316656ee6f9c1504e2a04b720a94703a722b2560a68bc88abf57848fbd8c60b8700c24f3bffc784e263d9ff6f181ee1e2fc2ff5

Download Submit
C:\Users\Admin\AppData\Local\499447a94694ee5ed14a8e40a87db9cd\Admin@XPAJOTIY_en-US\Browsers\Google\History.txt

Filesize
602B

MD5
bb0ee2e894537fea8c8500a33f5828d9

SHA1
6961b679fad479bc5c7d0cf4d48932d5e19b7a4e

SHA256
0fce3a2aa1702517fb019ee8b21a188f41c26088d3b345276189ea7f318c93f1

SHA512
de7a378a05499e66ad111741bf080725c834477dd5d87a7a934d650c332bbc16d384f58660efa7707337d13dd0602a13deebe03bd4b5a3381531662a17814d28

Download Submit
C:\Users\Admin\AppData\Local\499447a94694ee5ed14a8e40a87db9cd\Admin@XPAJOTIY_en-US\System\Process.txt

Filesize
85B

MD5
bebae8118aba2e17b5696a422f8972bb

SHA1
b732a5da0521e946fbd85337ccb268fb4ae249b7

SHA256
9bc6a2a0e25dd99144ceb60528da5395cbabcc7c0e57f2ee5bc7e43da05007cd

SHA512
479287d4dee9cccb84d4a94b37b374cbfb28b8a480972a41fbde77773d98c50871fb70a9b626f128bf1f079e817f25b448f4e53cdb724e1f1c8692bfac33ce8e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000001

Filesize
212KB

MD5
08ec57068db9971e917b9046f90d0e49

SHA1
28b80d73a861f88735d89e301fa98f2ae502e94b

SHA256
7a68efe41e5d8408eed6e9d91a7b7b965a3062e4e28eeffeefb8cdba6391f4d1

SHA512
b154142173145122bc49ddd7f9530149100f6f3c5fd2f2e7503b13f7b160147b8b876344f6faae5e8616208c51311633df4c578802ac5d34c005bb154e9057cf

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\GCM Store\Encryption\000006.dbtmp

Filesize
16B

MD5
aefd77f47fb84fae5ea194496b44c67a

SHA1
dcfbb6a5b8d05662c4858664f81693bb7f803b82

SHA256
4166bf17b2da789b0d0cc5c74203041d98005f5d4ef88c27e8281e00148cd611

SHA512
b733d502138821948267a8b27401d7c0751e590e1298fda1428e663ccd02f55d0d2446ff4bc265bdcdc61f952d13c01524a5341bc86afc3c2cde1d8589b2e1c3

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\GPUCache\data_1

Filesize
264KB

MD5
f50f89a0a91564d0b8a211f8921aa7de

SHA1
112403a17dd69d5b9018b8cede023cb3b54eab7d

SHA256
b1e963d702392fb7224786e7d56d43973e9b9efd1b89c17814d7c558ffc0cdec

SHA512
bf8cda48cf1ec4e73f0dd1d4fa5562af1836120214edb74957430cd3e4a2783e801fa3f4ed2afb375257caeed4abe958265237d6e0aacf35a9ede7a2e8898d58

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
361B

MD5
8da58d136898f5fd9688017e0b280b7e

SHA1
25844650ee2bfff2b49fa952ac8cca70e12d52b6

SHA256
40f259ab8012994ad8e64bbc7eb157d9f6b1aba281b7bb70a89750b21017c360

SHA512
9d8a6848de9131d99588f699d0bfbd51c90e34cad1823e4c7cd9d06f0b2018f9c208a3f954039ab11a2a5b7d988aec9d98ddb743eb98351cc83525ad5ac523b7

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
5KB

MD5
856b553d365fea9e4146b695fe4ee14e

SHA1
37292e3bb653320c63047d80acadcac624a812b6

SHA256
acf4283818e7dcc3e44f7a1b281f3039fa63c24a0bc3b2df7e019c56637fb97f

SHA512
5b2dec56c67e0c5d7bab826626f16005c97cda33ebaabbfb3f489fc9541edc228169571dd90381a17abc465e842c46bb842183a0be04b36f824db17272ef004c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
424ad02f0f355932ea1922ddee89b671

SHA1
3d2574604be16d82a575a1b8cdf8be4ce6478a8d

SHA256
f40d14bf67960e473566d8efb27554c1bef07df5ce02ad4e3ef1c31423142efd

SHA512
3eae4eee07fc71ff8816f9885efdf9a69c2a64e09a0bfea04a5c88418776c12d26bcb8fdbf062c11a31cf8b0325e36eca027d4480613b068e1e4cfff5312e83d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
5KB

MD5
016eae45588d3bbf6dd9fd205876e16e

SHA1
bca3557e21f5979378d113e556ea0e9056b4d87b

SHA256
ecab84107a670ade34a246acd31379acc48b5ffcb1fd12a1cab855cca974a695

SHA512
8b520efea31321ac7b4996162a641ab684f59af5a63532da88031d1d6ad66e672a27c51d4a81a3f13910e974050f730e071ed0025063a72e4a9cbf00d4ab3085

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
d5ea372a0e01614fd49a683c74f8e50f

SHA1
d62906ed9b5c49820b846af9c19a2bd74b6d9b16

SHA256
efd3e2ab039d34d658c95b09766b6eeec8e6a85054530e152f13cc538dd7df0f

SHA512
bd51ab0f246aff02a24ad054a0cb049780aa430fcb319a26cd72f595a38a2710d844e0bc86b5a8baae52510f009a4af2ae275d5ea0dd2e19b5ec87a7282a19cf

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Sync Data\LevelDB\000007.dbtmp

Filesize
16B

MD5
18e723571b00fb1694a3bad6c78e4054

SHA1
afcc0ef32d46fe59e0483f9a3c891d3034d12f32

SHA256
8af72f43857550b01eab1019335772b367a17a9884a7a759fdf4fe6f272b90aa

SHA512
43bb0af7d3984012d2d67ca6b71f0201e5b948e6fe26a899641c4c6f066c59906d468ddf7f1df5ea5fa33c2bc5ea8219c0f2c82e0a5c365ad7581b898a8859e2

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
341KB

MD5
ffddd1c4177442cf6b71c0274f5663f1

SHA1
5047af46aa660782fdd703b0fb10833e1d884c31

SHA256
83ee210dcb778ab2060de49b73a3bdd7aa27ae3622cd7d74e3ceb15d1c262d9f

SHA512
108da90937eead747a866046b708302a8039deabc226824ec053c343aab543b2820a10a1b8526d386ddbfd51cdf798c8eae86718489bda7984bcb0d4845113a1

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\ab052972-eb5c-4c6d-a633-df4fe992a9fa.tmp

Filesize
341KB

MD5
ff589cb8cf1e0721623a9edda760306f

SHA1
438c49126d26f60f89362b323aba7faaff644dc5

SHA256
09e9796e2ea9e78271f2269ae1c10b0c4eb4f643812b336cec11efdb486e255d

SHA512
055d603fc2f753ed8bd3498725e92bf55d5cc941feb64c9bf12158e7ffa4cb9bb613df8cfa9d5e46538aef1c59a4b217062a7b2bb38e89c27b9fbdedc2ec5575

Download Submit
C:\Users\Admin\AppData\Local\RuntimeBroker.exe

Filesize
330KB

MD5
75e456775c0a52b6bbe724739fa3b4a7

SHA1
1f4c575e98d48775f239ceae474e03a3058099ea

SHA256
e8d52d0d352317b3da0be6673099d32e10e7b0e44d23a0c1a6a5277d37b95cf3

SHA512
b376146c6fa91f741d69acf7b02a57442d2ea059be37b9bdb06af6cc01272f4ded1a82e4e21b9c803d0e91e22fc12f70391f5e8c8704d51b2435afc9624e8471

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab9FDA.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\TarA318.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Users\Admin\AppData\Local\Temp\places.raw

Filesize
5.0MB

MD5
e87d64670a56c2a625658096ae73408f

SHA1
9dee648b8d5660e09416e33d66b7d09b3fc3db98

SHA256
d3fbdfb580352a821362428d3f90d8fc11dc00afecd1b1bae5bb125de15435e6

SHA512
23de58acd9030113477588ac1c55e8cc1011babdf06f0fde1f6cfd51cf65fe33f7774faff028e8c69eae860419c44e326126b7e2960ca68c25687e48236b8138

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp4EAC.tmp.dat

Filesize
92KB

MD5
d20a40f2639a7028c6f88b9d8d1f774f

SHA1
4bc39c8c6d84860d05141ec8424260185ddc9167

SHA256
bcf4a0a42afc5bb63b08e56e7103c12381521c2ce8d4a2c68911d87dc6574a03

SHA512
3248c8db5253d39aca8b0efec265b506c5905c6944dd4ce5405601342bc33e5914c68d2c21aa1ee7ac7e3dcbfa9595b1d107740e069ce1feb139947913379306

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp4EAE.tmp.dat

Filesize
148KB

MD5
dade8d84090010e2fb94058cd5fbc83b

SHA1
89c37869ba6d2a629d6eb92f70fafc6a0052c36e

SHA256
d511572d33ef494550e7d969a90766880f8afb22e80cf5481dca65becd40b83a

SHA512
41f68a52e63f4b1a1737a5d612330d732910d39f4f63b7f836a248882bb8680b7379964425d7af95c81780d47417fd3a7d31b8526deb36245684d8ccce2078b4

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpF019.tmp.dat

Filesize
92KB

MD5
2cd7a684788f438d7a7ae3946df2e26f

SHA1
3e5a60f38395f3c10d9243ba696468d2bb698a14

SHA256
2ebed8dd3531958e857c87ddbf46376b8a10ea2f364d2399d9fcc604da0bee1d

SHA512
0fec4b36e2173d1ad5eca880e1be1d0c7093d459aeb612d371e4ac92fbeaea55beb36e9228d36d57fe1851bd4d57b26dd5b8edb4620fb17b91441e840669c7d1

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpF01B.tmp.dat

Filesize
148KB

MD5
90a1d4b55edf36fa8b4cc6974ed7d4c4

SHA1
aba1b8d0e05421e7df5982899f626211c3c4b5c1

SHA256
7cf3e9e8619904e72ea6608cc43e9b6c9f8aa2af02476f60c2b3daf33075981c

SHA512
ea0838be754e1258c230111900c5937d2b0788f90bbf7c5f82b2ceda7868e50afb86c301f313267eaa912778da45755560b5434885521bf915967a7863922ae2

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpFD63.tmp.dat

Filesize
46KB

MD5
02d2c46697e3714e49f46b680b9a6b83

SHA1
84f98b56d49f01e9b6b76a4e21accf64fd319140

SHA256
522cad95d3fa6ebb3274709b8d09bbb1ca37389d0a924cd29e934a75aa04c6c9

SHA512
60348a145bfc71b1e07cb35fa79ab5ff472a3d0a557741ea2d39b3772bc395b86e261bd616f65307ae0d997294e49b5548d32f11e86ef3e2704959ca63da8aac

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpFD67.tmp.dat

Filesize
96KB

MD5
d367ddfda80fdcf578726bc3b0bc3e3c

SHA1
23fcd5e4e0e5e296bee7e5224a8404ecd92cf671

SHA256
0b8607fdf72f3e651a2a8b0ac7be171b4cb44909d76bb8d6c47393b8ea3d84a0

SHA512
40e9239e3f084b4b981431817ca282feb986cf49227911bf3d68845baf2ee626b564c8fabe6e13b97e6eb214da1c02ca09a62bcf5e837900160cf479c104bf77

Download Submit
C:\Users\Admin\AppData\Local\d6c873f077ebb9bf20357a1b9587948b\Admin@XPAJOTIY_en-US\System\Process.txt

Filesize
1KB

MD5
25a4ecbbf6e4c622c656f9c64dda4567

SHA1
b56802a100c324a218f50b99d97eabe8a7f3fdae

SHA256
277d359a1646bc8a31ed1b5ceb7301fe453434ecb079d035b0ce4171c32ff971

SHA512
916a3040e146216585d0f99d0243820daf892f974ddaccb25a3c02afef4c9ed697f9cb9e29d54180cf42609f1ede355cd8fb62eea016d143e4d78caff279a378

Download Submit
\??\pipe\crashpad_1772_AVYICTFYCEJFWXNH

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/1236-0-0x000007FEF5C53000-0x000007FEF5C54000-memory.dmp

Filesize
4KB

Download
memory/1236-1-0x00000000011D0000-0x000000000122C000-memory.dmp

Filesize
368KB

Download
memory/1236-4-0x000007FEF5C50000-0x000007FEF663C000-memory.dmp

Filesize
9.9MB

Download
memory/1236-9-0x000007FEF5C50000-0x000007FEF663C000-memory.dmp

Filesize
9.9MB

Download
memory/2012-12-0x00000000003C0000-0x00000000003CA000-memory.dmp

Filesize
40KB

Download
memory/2012-10-0x00000000002D0000-0x0000000000328000-memory.dmp

Filesize
352KB

Download
memory/2012-11-0x00000000020C0000-0x000000000210A000-memory.dmp

Filesize
296KB

Download
memory/2168-23-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2168-16-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/2168-21-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/2168-26-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/2168-28-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/2168-24-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/2168-17-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/2168-19-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/2844-38-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download