asyncrat | 9d9a79f4ae9bf7a992945f6c06c5bec642c05e4e828217c50255dabfa3677006

max time kernel
16s
max time network
65s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
25-09-2024 20:22

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

RebelCracked.exe
Size

344KB
MD5

a84fd0fc75b9c761e9b7923a08da41c7
SHA1

2597048612041cd7a8c95002c73e9c2818bb2097
SHA256

9d9a79f4ae9bf7a992945f6c06c5bec642c05e4e828217c50255dabfa3677006
SHA512

a17f1144a0e3ce07c7ed6891987c5b969f291e9991442c33750028d35e2194794e8a649c397e8afc9f8ce19d485c453600c75cab4fcead09e38414d85819251a
SSDEEP

6144:lOcpeK8lucxAtLNFHUVuI/2zj1z6jZ755NofmWx4PCQL23wBw7R0ljTwrVuAdJKp:QcpSnx0LNFDQ60Ntbo5d7gBw7R7rbdJk

Score

10^/10

asyncrat stormkitty default discovery persistence privilege_escalation rat spyware stealer

Malware Config

Extracted

Family

asyncrat

Botnet

Default

127.0.0.1:6606

127.0.0.1:7707

127.0.0.1:8808

Mutex

AsyncMutex_6SI8OkPnk

Attributes

delay
3
install
false
install_folder
%AppData%

aes.plain

Signatures

AsyncRat
AsyncRAT is designed to remotely monitor and control other computers written in C#.
rat asyncrat
StormKitty
StormKitty is an open source info stealer written in C#.
stealer stormkitty

StormKitty payload 1 IoCs

Processes:

resource	yara_rule
behavioral2/memory/2796-24-0x0000000000400000-0x0000000000432000-memory.dmp	family_stormkitty

Checks computer location settings 2 TTPs 7 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

RebelCracked.exeRebelCracked.exeRebelCracked.exeRebelCracked.exeRebelCracked.exeRebelCracked.exeRebelCracked.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\Control Panel\International\Geo\Nation	RebelCracked.exe
Key value queried	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\Control Panel\International\Geo\Nation	RebelCracked.exe
Key value queried	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\Control Panel\International\Geo\Nation	RebelCracked.exe
Key value queried	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\Control Panel\International\Geo\Nation	RebelCracked.exe
Key value queried	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\Control Panel\International\Geo\Nation	RebelCracked.exe
Key value queried	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\Control Panel\International\Geo\Nation	RebelCracked.exe
Key value queried	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\Control Panel\International\Geo\Nation	RebelCracked.exe

Executes dropped EXE 14 IoCs

Processes:

RuntimeBroker.exeRuntimeBroker.exeRuntimeBroker.exeRuntimeBroker.exeRuntimeBroker.exeRuntimeBroker.exeRuntimeBroker.exeRuntimeBroker.exeRuntimeBroker.exeRuntimeBroker.exeRuntimeBroker.exeRuntimeBroker.exeRuntimeBroker.exeRuntimeBroker.exe

pid	process
4428	RuntimeBroker.exe
2796	RuntimeBroker.exe
2848	RuntimeBroker.exe
2412	RuntimeBroker.exe
4184	RuntimeBroker.exe
3504	RuntimeBroker.exe
4812	RuntimeBroker.exe
2372	RuntimeBroker.exe
2588	RuntimeBroker.exe
3564	RuntimeBroker.exe
4492	RuntimeBroker.exe
3884	RuntimeBroker.exe
4768	RuntimeBroker.exe
1052	RuntimeBroker.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Drops desktop.ini file(s) 28 IoCs

Processes:

RuntimeBroker.exeRuntimeBroker.exeRuntimeBroker.exeRuntimeBroker.exe

description	ioc	process
File opened for modification	C:\Users\Admin\AppData\Local\c236eda9d7f89f5139e8594421200a40\Admin@UXMRPRRI_en-US\Grabber\DRIVE-C\Users\Admin\Desktop\desktop.ini	RuntimeBroker.exe
File created	C:\Users\Admin\AppData\Local\c236eda9d7f89f5139e8594421200a40\Admin@UXMRPRRI_en-US\Grabber\DRIVE-C\Users\Admin\Pictures\desktop.ini	RuntimeBroker.exe
File created	C:\Users\Admin\AppData\Local\c236eda9d7f89f5139e8594421200a40\Admin@UXMRPRRI_en-US\Grabber\DRIVE-C\Users\Admin\Pictures\desktop.ini	RuntimeBroker.exe
File created	C:\Users\Admin\AppData\Local\c236eda9d7f89f5139e8594421200a40\Admin@UXMRPRRI_en-US\Grabber\DRIVE-C\Users\Admin\Downloads\desktop.ini	RuntimeBroker.exe
File opened for modification	C:\Users\Admin\AppData\Local\c236eda9d7f89f5139e8594421200a40\Admin@UXMRPRRI_en-US\Grabber\DRIVE-C\Users\Admin\Desktop\desktop.ini	RuntimeBroker.exe
File opened for modification	C:\Users\Admin\AppData\Local\c236eda9d7f89f5139e8594421200a40\Admin@UXMRPRRI_en-US\Grabber\DRIVE-C\Users\Admin\Desktop\desktop.ini	RuntimeBroker.exe
File created	C:\Users\Admin\AppData\Local\c236eda9d7f89f5139e8594421200a40\Admin@UXMRPRRI_en-US\Grabber\DRIVE-C\Users\Admin\Pictures\Camera Roll\desktop.ini	RuntimeBroker.exe
File created	C:\Users\Admin\AppData\Local\1bd60408b912f5870211c0f595cac75d\Admin@UXMRPRRI_en-US\Grabber\DRIVE-C\Users\Admin\Desktop\desktop.ini	RuntimeBroker.exe
File created	C:\Users\Admin\AppData\Local\1bd60408b912f5870211c0f595cac75d\Admin@UXMRPRRI_en-US\Grabber\DRIVE-C\Users\Admin\Downloads\desktop.ini	RuntimeBroker.exe
File created	C:\Users\Admin\AppData\Local\c236eda9d7f89f5139e8594421200a40\Admin@UXMRPRRI_en-US\Grabber\DRIVE-C\Users\Admin\Pictures\Camera Roll\desktop.ini	RuntimeBroker.exe
File created	C:\Users\Admin\AppData\Local\c236eda9d7f89f5139e8594421200a40\Admin@UXMRPRRI_en-US\Grabber\DRIVE-C\Users\Admin\Desktop\desktop.ini	RuntimeBroker.exe
File created	C:\Users\Admin\AppData\Local\c236eda9d7f89f5139e8594421200a40\Admin@UXMRPRRI_en-US\Grabber\DRIVE-C\Users\Admin\Documents\desktop.ini	RuntimeBroker.exe
File created	C:\Users\Admin\AppData\Local\1bd60408b912f5870211c0f595cac75d\Admin@UXMRPRRI_en-US\Grabber\DRIVE-C\Users\Admin\Pictures\desktop.ini	RuntimeBroker.exe
File created	C:\Users\Admin\AppData\Local\c236eda9d7f89f5139e8594421200a40\Admin@UXMRPRRI_en-US\Grabber\DRIVE-C\Users\Admin\Pictures\desktop.ini	RuntimeBroker.exe
File created	C:\Users\Admin\AppData\Local\c236eda9d7f89f5139e8594421200a40\Admin@UXMRPRRI_en-US\Grabber\DRIVE-C\Users\Admin\Pictures\Saved Pictures\desktop.ini	RuntimeBroker.exe
File created	C:\Users\Admin\AppData\Local\c236eda9d7f89f5139e8594421200a40\Admin@UXMRPRRI_en-US\Grabber\DRIVE-C\Users\Admin\Downloads\desktop.ini	RuntimeBroker.exe
File created	C:\Users\Admin\AppData\Local\1bd60408b912f5870211c0f595cac75d\Admin@UXMRPRRI_en-US\Grabber\DRIVE-C\Users\Admin\Documents\desktop.ini	RuntimeBroker.exe
File created	C:\Users\Admin\AppData\Local\c236eda9d7f89f5139e8594421200a40\Admin@UXMRPRRI_en-US\Grabber\DRIVE-C\Users\Admin\Pictures\Camera Roll\desktop.ini	RuntimeBroker.exe
File created	C:\Users\Admin\AppData\Local\1bd60408b912f5870211c0f595cac75d\Admin@UXMRPRRI_en-US\Grabber\DRIVE-C\Users\Admin\Pictures\Saved Pictures\desktop.ini	RuntimeBroker.exe
File created	C:\Users\Admin\AppData\Local\c236eda9d7f89f5139e8594421200a40\Admin@UXMRPRRI_en-US\Grabber\DRIVE-C\Users\Admin\Documents\desktop.ini	RuntimeBroker.exe
File created	C:\Users\Admin\AppData\Local\c236eda9d7f89f5139e8594421200a40\Admin@UXMRPRRI_en-US\Grabber\DRIVE-C\Users\Admin\Pictures\Saved Pictures\desktop.ini	RuntimeBroker.exe
File created	C:\Users\Admin\AppData\Local\c236eda9d7f89f5139e8594421200a40\Admin@UXMRPRRI_en-US\Grabber\DRIVE-C\Users\Admin\Desktop\desktop.ini	RuntimeBroker.exe
File created	C:\Users\Admin\AppData\Local\c236eda9d7f89f5139e8594421200a40\Admin@UXMRPRRI_en-US\Grabber\DRIVE-C\Users\Admin\Pictures\Saved Pictures\desktop.ini	RuntimeBroker.exe
File opened for modification	C:\Users\Admin\AppData\Local\1bd60408b912f5870211c0f595cac75d\Admin@UXMRPRRI_en-US\Grabber\DRIVE-C\Users\Admin\Desktop\desktop.ini	RuntimeBroker.exe
File created	C:\Users\Admin\AppData\Local\c236eda9d7f89f5139e8594421200a40\Admin@UXMRPRRI_en-US\Grabber\DRIVE-C\Users\Admin\Downloads\desktop.ini	RuntimeBroker.exe
File created	C:\Users\Admin\AppData\Local\c236eda9d7f89f5139e8594421200a40\Admin@UXMRPRRI_en-US\Grabber\DRIVE-C\Users\Admin\Documents\desktop.ini	RuntimeBroker.exe
File created	C:\Users\Admin\AppData\Local\1bd60408b912f5870211c0f595cac75d\Admin@UXMRPRRI_en-US\Grabber\DRIVE-C\Users\Admin\Pictures\Camera Roll\desktop.ini	RuntimeBroker.exe
File created	C:\Users\Admin\AppData\Local\c236eda9d7f89f5139e8594421200a40\Admin@UXMRPRRI_en-US\Grabber\DRIVE-C\Users\Admin\Desktop\desktop.ini	RuntimeBroker.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 9 IoCs

Web Service
T1102

Processes:

flow ioc

176 pastebin.com
183 pastebin.com
189 pastebin.com
41 pastebin.com
51 pastebin.com
161 pastebin.com
169 pastebin.com
198 pastebin.com
42 pastebin.com
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

26 icanhazip.com
Looks up geolocation information via web service
Uses a legitimate geolocation service to find the infected system's geolocation info.

flow	ioc
176	pastebin.com
183	pastebin.com
189	pastebin.com
41	pastebin.com
51	pastebin.com
161	pastebin.com
169	pastebin.com
198	pastebin.com
42	pastebin.com

flow	ioc
26	icanhazip.com

Suspicious use of SetThreadContext 7 IoCs

Processes:

RuntimeBroker.exeRuntimeBroker.exeRuntimeBroker.exeRuntimeBroker.exeRuntimeBroker.exeRuntimeBroker.exeRuntimeBroker.exe

description	pid	process	target process
PID 4428 set thread context of 2796	4428	RuntimeBroker.exe	RuntimeBroker.exe
PID 2848 set thread context of 2412	2848	RuntimeBroker.exe	RuntimeBroker.exe
PID 4184 set thread context of 3504	4184	RuntimeBroker.exe	RuntimeBroker.exe
PID 4812 set thread context of 2372	4812	RuntimeBroker.exe	RuntimeBroker.exe
PID 2588 set thread context of 3564	2588	RuntimeBroker.exe	RuntimeBroker.exe
PID 4492 set thread context of 3884	4492	RuntimeBroker.exe	RuntimeBroker.exe
PID 4768 set thread context of 1052	4768	RuntimeBroker.exe	RuntimeBroker.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Event Triggered Execution: Netsh Helper DLL 1 TTPs 12 IoCs

Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

persistence privilege_escalation

Netsh Helper DLL

T1546.007

Processes:

netsh.exenetsh.exenetsh.exenetsh.exe

description	ioc	process
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe

System Location Discovery: System Language Discovery 1 TTPs 28 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

RuntimeBroker.exechcp.comfindstr.exefindstr.exeRuntimeBroker.exeRuntimeBroker.exenetsh.exeRuntimeBroker.exeRuntimeBroker.exeRuntimeBroker.execmd.exechcp.comRuntimeBroker.exeRuntimeBroker.exeRuntimeBroker.exeRuntimeBroker.execmd.exenetsh.execmd.exechcp.comchcp.comnetsh.exeRuntimeBroker.exeRuntimeBroker.execmd.exeRuntimeBroker.exeRuntimeBroker.exenetsh.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RuntimeBroker.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	chcp.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	findstr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	findstr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RuntimeBroker.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RuntimeBroker.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RuntimeBroker.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RuntimeBroker.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RuntimeBroker.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	chcp.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RuntimeBroker.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RuntimeBroker.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RuntimeBroker.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RuntimeBroker.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	chcp.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	chcp.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RuntimeBroker.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RuntimeBroker.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RuntimeBroker.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RuntimeBroker.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe

System Network Configuration Discovery: Wi-Fi Discovery 1 TTPs 25 IoCs

Adversaries may search for information about Wi-Fi networks, such as network names and passwords, on compromised systems.

discovery

Wi-Fi Discovery

T1016.002

Processes:

cmd.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.execmd.exenetsh.execmd.exenetsh.execmd.execmd.execmd.execmd.exenetsh.execmd.execmd.execmd.execmd.exenetsh.exenetsh.exenetsh.execmd.exenetsh.execmd.exe

pid	process
6480	cmd.exe
6304	netsh.exe
3944	netsh.exe
1060	netsh.exe
5712	netsh.exe
3484	netsh.exe
5616	cmd.exe
5360	netsh.exe
5976	cmd.exe
3408	netsh.exe
6208	cmd.exe
2792	cmd.exe
64	cmd.exe
6872	cmd.exe
6792	netsh.exe
5852	cmd.exe
6576	cmd.exe
3884	cmd.exe
5232	cmd.exe
6096	netsh.exe
7104	netsh.exe
1640	netsh.exe
5392	cmd.exe
6048	netsh.exe
6036	cmd.exe

Suspicious behavior: EnumeratesProcesses 12 IoCs

Processes:

RuntimeBroker.exeRuntimeBroker.exeRuntimeBroker.exe

pid	process
2796	RuntimeBroker.exe
2796	RuntimeBroker.exe
2796	RuntimeBroker.exe
2796	RuntimeBroker.exe
2412	RuntimeBroker.exe
2412	RuntimeBroker.exe
2412	RuntimeBroker.exe
2412	RuntimeBroker.exe
3504	RuntimeBroker.exe
3504	RuntimeBroker.exe
3504	RuntimeBroker.exe
3504	RuntimeBroker.exe

Suspicious use of AdjustPrivilegeToken 7 IoCs

Processes:

RuntimeBroker.exeRuntimeBroker.exeRuntimeBroker.exeRuntimeBroker.exeRuntimeBroker.exeRuntimeBroker.exeRuntimeBroker.exe

description	pid	process
Token: SeDebugPrivilege	2796	RuntimeBroker.exe
Token: SeDebugPrivilege	2412	RuntimeBroker.exe
Token: SeDebugPrivilege	3504	RuntimeBroker.exe
Token: SeDebugPrivilege	2372	RuntimeBroker.exe
Token: SeDebugPrivilege	3564	RuntimeBroker.exe
Token: SeDebugPrivilege	3884	RuntimeBroker.exe
Token: SeDebugPrivilege	1052	RuntimeBroker.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

RebelCracked.exeRuntimeBroker.exeRebelCracked.exeRuntimeBroker.exeRebelCracked.exeRuntimeBroker.exeRebelCracked.exeRuntimeBroker.exeRebelCracked.exeRuntimeBroker.exe

description	pid	process	target process
PID 232 wrote to memory of 4428	232	RebelCracked.exe	RuntimeBroker.exe
PID 232 wrote to memory of 4428	232	RebelCracked.exe	RuntimeBroker.exe
PID 232 wrote to memory of 4428	232	RebelCracked.exe	RuntimeBroker.exe
PID 232 wrote to memory of 3884	232	RebelCracked.exe	RebelCracked.exe
PID 232 wrote to memory of 3884	232	RebelCracked.exe	RebelCracked.exe
PID 4428 wrote to memory of 2796	4428	RuntimeBroker.exe	RuntimeBroker.exe
PID 4428 wrote to memory of 2796	4428	RuntimeBroker.exe	RuntimeBroker.exe
PID 4428 wrote to memory of 2796	4428	RuntimeBroker.exe	RuntimeBroker.exe
PID 4428 wrote to memory of 2796	4428	RuntimeBroker.exe	RuntimeBroker.exe
PID 4428 wrote to memory of 2796	4428	RuntimeBroker.exe	RuntimeBroker.exe
PID 4428 wrote to memory of 2796	4428	RuntimeBroker.exe	RuntimeBroker.exe
PID 4428 wrote to memory of 2796	4428	RuntimeBroker.exe	RuntimeBroker.exe
PID 4428 wrote to memory of 2796	4428	RuntimeBroker.exe	RuntimeBroker.exe
PID 3884 wrote to memory of 2848	3884	RebelCracked.exe	RuntimeBroker.exe
PID 3884 wrote to memory of 2848	3884	RebelCracked.exe	RuntimeBroker.exe
PID 3884 wrote to memory of 2848	3884	RebelCracked.exe	RuntimeBroker.exe
PID 3884 wrote to memory of 4648	3884	RebelCracked.exe	RebelCracked.exe
PID 3884 wrote to memory of 4648	3884	RebelCracked.exe	RebelCracked.exe
PID 2848 wrote to memory of 2412	2848	RuntimeBroker.exe	RuntimeBroker.exe
PID 2848 wrote to memory of 2412	2848	RuntimeBroker.exe	RuntimeBroker.exe
PID 2848 wrote to memory of 2412	2848	RuntimeBroker.exe	RuntimeBroker.exe
PID 2848 wrote to memory of 2412	2848	RuntimeBroker.exe	RuntimeBroker.exe
PID 2848 wrote to memory of 2412	2848	RuntimeBroker.exe	RuntimeBroker.exe
PID 2848 wrote to memory of 2412	2848	RuntimeBroker.exe	RuntimeBroker.exe
PID 2848 wrote to memory of 2412	2848	RuntimeBroker.exe	RuntimeBroker.exe
PID 2848 wrote to memory of 2412	2848	RuntimeBroker.exe	RuntimeBroker.exe
PID 4648 wrote to memory of 4184	4648	RebelCracked.exe	RuntimeBroker.exe
PID 4648 wrote to memory of 4184	4648	RebelCracked.exe	RuntimeBroker.exe
PID 4648 wrote to memory of 4184	4648	RebelCracked.exe	RuntimeBroker.exe
PID 4648 wrote to memory of 3672	4648	RebelCracked.exe	RebelCracked.exe
PID 4648 wrote to memory of 3672	4648	RebelCracked.exe	RebelCracked.exe
PID 4184 wrote to memory of 3504	4184	RuntimeBroker.exe	RuntimeBroker.exe
PID 4184 wrote to memory of 3504	4184	RuntimeBroker.exe	RuntimeBroker.exe
PID 4184 wrote to memory of 3504	4184	RuntimeBroker.exe	RuntimeBroker.exe
PID 4184 wrote to memory of 3504	4184	RuntimeBroker.exe	RuntimeBroker.exe
PID 4184 wrote to memory of 3504	4184	RuntimeBroker.exe	RuntimeBroker.exe
PID 4184 wrote to memory of 3504	4184	RuntimeBroker.exe	RuntimeBroker.exe
PID 4184 wrote to memory of 3504	4184	RuntimeBroker.exe	RuntimeBroker.exe
PID 4184 wrote to memory of 3504	4184	RuntimeBroker.exe	RuntimeBroker.exe
PID 3672 wrote to memory of 4812	3672	RebelCracked.exe	RuntimeBroker.exe
PID 3672 wrote to memory of 4812	3672	RebelCracked.exe	RuntimeBroker.exe
PID 3672 wrote to memory of 4812	3672	RebelCracked.exe	RuntimeBroker.exe
PID 3672 wrote to memory of 1680	3672	RebelCracked.exe	RebelCracked.exe
PID 3672 wrote to memory of 1680	3672	RebelCracked.exe	RebelCracked.exe
PID 4812 wrote to memory of 2372	4812	RuntimeBroker.exe	RuntimeBroker.exe
PID 4812 wrote to memory of 2372	4812	RuntimeBroker.exe	RuntimeBroker.exe
PID 4812 wrote to memory of 2372	4812	RuntimeBroker.exe	RuntimeBroker.exe
PID 4812 wrote to memory of 2372	4812	RuntimeBroker.exe	RuntimeBroker.exe
PID 4812 wrote to memory of 2372	4812	RuntimeBroker.exe	RuntimeBroker.exe
PID 4812 wrote to memory of 2372	4812	RuntimeBroker.exe	RuntimeBroker.exe
PID 4812 wrote to memory of 2372	4812	RuntimeBroker.exe	RuntimeBroker.exe
PID 4812 wrote to memory of 2372	4812	RuntimeBroker.exe	RuntimeBroker.exe
PID 1680 wrote to memory of 2588	1680	RebelCracked.exe	RuntimeBroker.exe
PID 1680 wrote to memory of 2588	1680	RebelCracked.exe	RuntimeBroker.exe
PID 1680 wrote to memory of 2588	1680	RebelCracked.exe	RuntimeBroker.exe
PID 1680 wrote to memory of 2252	1680	RebelCracked.exe	RebelCracked.exe
PID 1680 wrote to memory of 2252	1680	RebelCracked.exe	RebelCracked.exe
PID 2588 wrote to memory of 3564	2588	RuntimeBroker.exe	RuntimeBroker.exe
PID 2588 wrote to memory of 3564	2588	RuntimeBroker.exe	RuntimeBroker.exe
PID 2588 wrote to memory of 3564	2588	RuntimeBroker.exe	RuntimeBroker.exe
PID 2588 wrote to memory of 3564	2588	RuntimeBroker.exe	RuntimeBroker.exe
PID 2588 wrote to memory of 3564	2588	RuntimeBroker.exe	RuntimeBroker.exe
PID 2588 wrote to memory of 3564	2588	RuntimeBroker.exe	RuntimeBroker.exe
PID 2588 wrote to memory of 3564	2588	RuntimeBroker.exe	RuntimeBroker.exe

C:\Users\Admin\AppData\Local\Temp\RebelCracked.exe
"C:\Users\Admin\AppData\Local\Temp\RebelCracked.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:232
- C:\Users\Admin\AppData\Local\RuntimeBroker.exe
  "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:4428
- - C:\Users\Admin\AppData\Local\RuntimeBroker.exe
    "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
    3⤵
    - Executes dropped EXE
    - Drops desktop.ini file(s)
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2796
  - - C:\Windows\SysWOW64\cmd.exe
      "cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All
      4⤵
      System Location Discovery: System Language Discovery
      System Network Configuration Discovery: Wi-Fi Discovery
      PID:2792
    - - C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:1216
    - - C:\Windows\SysWOW64\netsh.exe
        
        netsh wlan show profile
        5⤵
        Event Triggered Execution: Netsh Helper DLL
        System Location Discovery: System Language Discovery
        System Network Configuration Discovery: Wi-Fi Discovery
        
        PID:1060
    - - C:\Windows\SysWOW64\findstr.exe
        
        findstr All
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:2404
  - - C:\Windows\SysWOW64\cmd.exe
      "cmd.exe" /C chcp 65001 && netsh wlan show networks mode=bssid
      4⤵
      System Location Discovery: System Language Discovery
      PID:3748
    - - C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:4104
    - - C:\Windows\SysWOW64\netsh.exe
        
        netsh wlan show networks mode=bssid
        5⤵
        Event Triggered Execution: Netsh Helper DLL
        System Location Discovery: System Language Discovery
        
        PID:3920
- C:\Users\Admin\AppData\Local\Temp\RebelCracked.exe
  "C:\Users\Admin\AppData\Local\Temp\RebelCracked.exe"
  2⤵
  - Checks computer location settings
  - Suspicious use of WriteProcessMemory
  PID:3884
- - C:\Users\Admin\AppData\Local\RuntimeBroker.exe
    "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2848
  - - C:\Users\Admin\AppData\Local\RuntimeBroker.exe
      "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
      4⤵
      Executes dropped EXE
      Drops desktop.ini file(s)
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:2412
    - - C:\Windows\SysWOW64\cmd.exe
        
        "cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All
        5⤵
        System Location Discovery: System Language Discovery
        System Network Configuration Discovery: Wi-Fi Discovery
        
        PID:64
      - C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:4772
      - C:\Windows\SysWOW64\netsh.exe
        
        netsh wlan show profile
        6⤵
        Event Triggered Execution: Netsh Helper DLL
        System Location Discovery: System Language Discovery
        System Network Configuration Discovery: Wi-Fi Discovery
        
        PID:3484
      - C:\Windows\SysWOW64\findstr.exe
        
        findstr All
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:3456
    - - C:\Windows\SysWOW64\cmd.exe
        
        "cmd.exe" /C chcp 65001 && netsh wlan show networks mode=bssid
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:4564
      - C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:3032
      - C:\Windows\SysWOW64\netsh.exe
        
        netsh wlan show networks mode=bssid
        6⤵
        Event Triggered Execution: Netsh Helper DLL
        System Location Discovery: System Language Discovery
        
        PID:2356
- - C:\Users\Admin\AppData\Local\Temp\RebelCracked.exe
    "C:\Users\Admin\AppData\Local\Temp\RebelCracked.exe"
    3⤵
    - Checks computer location settings
    - Suspicious use of WriteProcessMemory
    PID:4648
  - - C:\Users\Admin\AppData\Local\RuntimeBroker.exe
      "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of SetThreadContext
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:4184
    - - C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        5⤵
        Executes dropped EXE
        Drops desktop.ini file(s)
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3504
      - C:\Windows\SysWOW64\cmd.exe
        
        "cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All
        6⤵
        System Network Configuration Discovery: Wi-Fi Discovery
        
        PID:5616
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        7⤵
        
        PID:5412
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh wlan show profile
        7⤵
        System Network Configuration Discovery: Wi-Fi Discovery
        
        PID:5360
        
        C:\Windows\SysWOW64\findstr.exe
        
        findstr All
        7⤵
        
        PID:208
      - C:\Windows\SysWOW64\cmd.exe
        
        "cmd.exe" /C chcp 65001 && netsh wlan show networks mode=bssid
        6⤵
        
        PID:5496
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        7⤵
        
        PID:5868
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh wlan show networks mode=bssid
        7⤵
        
        PID:208
  - - C:\Users\Admin\AppData\Local\Temp\RebelCracked.exe
      "C:\Users\Admin\AppData\Local\Temp\RebelCracked.exe"
      4⤵
      Checks computer location settings
      Suspicious use of WriteProcessMemory
      PID:3672
    - - C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4812
      - C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        6⤵
        Executes dropped EXE
        Drops desktop.ini file(s)
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:2372
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All
        7⤵
        System Network Configuration Discovery: Wi-Fi Discovery
        
        PID:5852
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        8⤵
        
        PID:5860
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh wlan show profile
        8⤵
        System Network Configuration Discovery: Wi-Fi Discovery
        
        PID:3408
        
        C:\Windows\SysWOW64\findstr.exe
        
        findstr All
        8⤵
        
        PID:5772
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd.exe" /C chcp 65001 && netsh wlan show networks mode=bssid
        7⤵
        
        PID:3652
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        8⤵
        
        PID:6000
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh wlan show networks mode=bssid
        8⤵
        
        PID:5408
    - - C:\Users\Admin\AppData\Local\Temp\RebelCracked.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RebelCracked.exe"
        5⤵
        Checks computer location settings
        Suspicious use of WriteProcessMemory
        
        PID:1680
      - C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        6⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2588
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        7⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:3564
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All
        8⤵
        System Network Configuration Discovery: Wi-Fi Discovery
        
        PID:6208
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        9⤵
        
        PID:6304
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh wlan show profile
        9⤵
        System Network Configuration Discovery: Wi-Fi Discovery
        
        PID:6048
        
        C:\Windows\SysWOW64\findstr.exe
        
        findstr All
        9⤵
        
        PID:6508
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd.exe" /C chcp 65001 && netsh wlan show networks mode=bssid
        8⤵
        
        PID:6704
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        9⤵
        
        PID:7116
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh wlan show networks mode=bssid
        9⤵
        
        PID:6328
      - C:\Users\Admin\AppData\Local\Temp\RebelCracked.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RebelCracked.exe"
        6⤵
        Checks computer location settings
        
        PID:2252
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        7⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:4492
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        8⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:3884
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All
        9⤵
        System Network Configuration Discovery: Wi-Fi Discovery
        
        PID:5392
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        10⤵
        
        PID:5988
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh wlan show profile
        10⤵
        System Network Configuration Discovery: Wi-Fi Discovery
        
        PID:5712
        
        C:\Windows\SysWOW64\findstr.exe
        
        findstr All
        10⤵
        
        PID:4592
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd.exe" /C chcp 65001 && netsh wlan show networks mode=bssid
        9⤵
        
        PID:5628
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        10⤵
        
        PID:5772
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh wlan show networks mode=bssid
        10⤵
        
        PID:2276
        
        C:\Users\Admin\AppData\Local\Temp\RebelCracked.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RebelCracked.exe"
        7⤵
        Checks computer location settings
        
        PID:1852
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        8⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:4768
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        9⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:1052
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All
        10⤵
        System Network Configuration Discovery: Wi-Fi Discovery
        
        PID:5976
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        11⤵
        
        PID:5024
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh wlan show profile
        11⤵
        System Network Configuration Discovery: Wi-Fi Discovery
        
        PID:1640
        
        C:\Windows\SysWOW64\findstr.exe
        
        findstr All
        11⤵
        
        PID:3652
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd.exe" /C chcp 65001 && netsh wlan show networks mode=bssid
        10⤵
        
        PID:6000
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        11⤵
        
        PID:400
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh wlan show networks mode=bssid
        11⤵
        
        PID:5972
        
        C:\Users\Admin\AppData\Local\Temp\RebelCracked.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RebelCracked.exe"
        8⤵
        
        PID:2712
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        9⤵
        
        PID:3940
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        10⤵
        
        PID:1960
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All
        11⤵
        System Network Configuration Discovery: Wi-Fi Discovery
        
        PID:6872
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        12⤵
        
        PID:6432
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh wlan show profile
        12⤵
        System Network Configuration Discovery: Wi-Fi Discovery
        
        PID:3944
        
        C:\Windows\SysWOW64\findstr.exe
        
        findstr All
        12⤵
        
        PID:6548
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd.exe" /C chcp 65001 && netsh wlan show networks mode=bssid
        11⤵
        
        PID:5172
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        12⤵
        
        PID:4448
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh wlan show networks mode=bssid
        12⤵
        
        PID:732
        
        C:\Users\Admin\AppData\Local\Temp\RebelCracked.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RebelCracked.exe"
        9⤵
        
        PID:916
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        10⤵
        
        PID:3612
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        11⤵
        
        PID:4276
        
        C:\Users\Admin\AppData\Local\Temp\RebelCracked.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RebelCracked.exe"
        10⤵
        
        PID:4552
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        11⤵
        
        PID:5312
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        12⤵
        
        PID:5400
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All
        13⤵
        System Network Configuration Discovery: Wi-Fi Discovery
        
        PID:5232
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        14⤵
        
        PID:6544
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh wlan show profile
        14⤵
        System Network Configuration Discovery: Wi-Fi Discovery
        
        PID:7104
        
        C:\Windows\SysWOW64\findstr.exe
        
        findstr All
        14⤵
        
        PID:7164
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd.exe" /C chcp 65001 && netsh wlan show networks mode=bssid
        13⤵
        
        PID:7136
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        14⤵
        
        PID:5820
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh wlan show networks mode=bssid
        14⤵
        
        PID:4940
        
        C:\Users\Admin\AppData\Local\Temp\RebelCracked.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RebelCracked.exe"
        11⤵
        
        PID:5336
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        12⤵
        
        PID:4772
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        13⤵
        
        PID:2544
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All
        14⤵
        System Network Configuration Discovery: Wi-Fi Discovery
        
        PID:6480
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        15⤵
        
        PID:6136
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh wlan show profile
        15⤵
        System Network Configuration Discovery: Wi-Fi Discovery
        
        PID:6304
        
        C:\Windows\SysWOW64\findstr.exe
        
        findstr All
        15⤵
        
        PID:6680
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd.exe" /C chcp 65001 && netsh wlan show networks mode=bssid
        14⤵
        
        PID:4304
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        15⤵
        
        PID:2456
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh wlan show networks mode=bssid
        15⤵
        
        PID:6876
        
        C:\Users\Admin\AppData\Local\Temp\RebelCracked.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RebelCracked.exe"
        12⤵
        
        PID:4460
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        13⤵
        
        PID:5508
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        14⤵
        
        PID:5640
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        14⤵
        
        PID:5792
        
        C:\Users\Admin\AppData\Local\Temp\RebelCracked.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RebelCracked.exe"
        13⤵
        
        PID:5544
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        14⤵
        
        PID:5308
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        15⤵
        
        PID:1840
        
        C:\Users\Admin\AppData\Local\Temp\RebelCracked.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RebelCracked.exe"
        14⤵
        
        PID:1512
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        15⤵
        
        PID:1612
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        16⤵
        
        PID:400
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All
        17⤵
        System Network Configuration Discovery: Wi-Fi Discovery
        
        PID:3884
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        18⤵
        
        PID:6000
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh wlan show profile
        18⤵
        System Network Configuration Discovery: Wi-Fi Discovery
        
        PID:6096
        
        C:\Windows\SysWOW64\findstr.exe
        
        findstr All
        18⤵
        
        PID:6176
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd.exe" /C chcp 65001 && netsh wlan show networks mode=bssid
        17⤵
        
        PID:6280
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        18⤵
        
        PID:6876
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh wlan show networks mode=bssid
        18⤵
        
        PID:6808
        
        C:\Users\Admin\AppData\Local\Temp\RebelCracked.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RebelCracked.exe"
        15⤵
        
        PID:5900
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        16⤵
        
        PID:4512
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        17⤵
        
        PID:5852
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All
        18⤵
        System Network Configuration Discovery: Wi-Fi Discovery
        
        PID:6576
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        19⤵
        
        PID:6316
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh wlan show profile
        19⤵
        System Network Configuration Discovery: Wi-Fi Discovery
        
        PID:6792
        
        C:\Windows\SysWOW64\findstr.exe
        
        findstr All
        19⤵
        
        PID:5584
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd.exe" /C chcp 65001 && netsh wlan show networks mode=bssid
        18⤵
        
        PID:6264
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        19⤵
        
        PID:7080
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh wlan show networks mode=bssid
        19⤵
        
        PID:4572
        
        C:\Users\Admin\AppData\Local\Temp\RebelCracked.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RebelCracked.exe"
        16⤵
        
        PID:5736
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        17⤵
        
        PID:6708
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        18⤵
        
        PID:6832
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        18⤵
        
        PID:6884
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        18⤵
        
        PID:6916
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        18⤵
        
        PID:6936
        
        C:\Users\Admin\AppData\Local\Temp\RebelCracked.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RebelCracked.exe"
        17⤵
        
        PID:6756
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        18⤵
        
        PID:6464
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        19⤵
        
        PID:5452
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        19⤵
        
        PID:5136
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        19⤵
        
        PID:6528
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        19⤵
        
        PID:6536
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All
        20⤵
        System Network Configuration Discovery: Wi-Fi Discovery
        
        PID:6036
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        21⤵
        
        PID:6772
        
        C:\Users\Admin\AppData\Local\Temp\RebelCracked.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RebelCracked.exe"
        18⤵
        
        PID:6504
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        19⤵
        
        PID:6172
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        20⤵
        
        PID:1796
        
        C:\Users\Admin\AppData\Local\Temp\RebelCracked.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RebelCracked.exe"
        19⤵
        
        PID:6224
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        20⤵
        
        PID:6932
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        21⤵
        
        PID:4360
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        21⤵
        
        PID:1212
        
        C:\Users\Admin\AppData\Local\Temp\RebelCracked.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RebelCracked.exe"
        20⤵
        
        PID:6996
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        21⤵
        
        PID:6416
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        22⤵
        
        PID:6696
        
        C:\Users\Admin\AppData\Local\Temp\RebelCracked.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RebelCracked.exe"
        21⤵
        
        PID:6476
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        22⤵
        
        PID:4712
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        23⤵
        
        PID:6908
        
        C:\Users\Admin\AppData\Local\Temp\RebelCracked.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RebelCracked.exe"
        22⤵
        
        PID:6756
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        23⤵
        
        PID:6852
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        24⤵
        
        PID:6112
        
        C:\Users\Admin\AppData\Local\Temp\RebelCracked.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RebelCracked.exe"
        23⤵
        
        PID:6780
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        24⤵
        
        PID:6932
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        25⤵
        
        PID:696
        
        C:\Users\Admin\AppData\Local\Temp\RebelCracked.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RebelCracked.exe"
        24⤵
        
        PID:4652
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        25⤵
        
        PID:7016
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        26⤵
        
        PID:1236
        
        C:\Users\Admin\AppData\Local\Temp\RebelCracked.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RebelCracked.exe"
        25⤵
        
        PID:6332

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --profile-directory=Default
1⤵
PID:664
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x11c,0x120,0x124,0xf8,0x128,0x7ff84e8146f8,0x7ff84e814708,0x7ff84e814718
  2⤵
  PID:952
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2132,5162040342854041867,13435073944695380068,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2208 /prefetch:2
  2⤵
  PID:5000
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2132,5162040342854041867,13435073944695380068,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2280 /prefetch:3
  2⤵
  PID:2288
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2132,5162040342854041867,13435073944695380068,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2580 /prefetch:8
  2⤵
  PID:3904
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,5162040342854041867,13435073944695380068,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3320 /prefetch:1
  2⤵
  PID:852
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,5162040342854041867,13435073944695380068,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3332 /prefetch:1
  2⤵
  PID:4400
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,5162040342854041867,13435073944695380068,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4604 /prefetch:1
  2⤵
  PID:1484
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,5162040342854041867,13435073944695380068,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4632 /prefetch:1
  2⤵
  PID:1364
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,5162040342854041867,13435073944695380068,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4884 /prefetch:1
  2⤵
  PID:1432
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,5162040342854041867,13435073944695380068,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5104 /prefetch:1
  2⤵
  PID:5172
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,5162040342854041867,13435073944695380068,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5468 /prefetch:1
  2⤵
  PID:6036
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=2132,5162040342854041867,13435073944695380068,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=5232 /prefetch:8
  2⤵
  PID:5840
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --field-trial-handle=2132,5162040342854041867,13435073944695380068,131072 --lang=en-US --service-sandbox-type=video_capture --mojo-platform-channel-handle=3436 /prefetch:8
  2⤵
  PID:2624
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,5162040342854041867,13435073944695380068,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5768 /prefetch:1
  2⤵
  PID:5944
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,5162040342854041867,13435073944695380068,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5860 /prefetch:1
  2⤵
  PID:5320
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,5162040342854041867,13435073944695380068,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3540 /prefetch:1
  2⤵
  PID:5328
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,5162040342854041867,13435073944695380068,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6080 /prefetch:1
  2⤵
  PID:5468
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,5162040342854041867,13435073944695380068,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3440 /prefetch:1
  2⤵
  PID:5824
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,5162040342854041867,13435073944695380068,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6468 /prefetch:1
  2⤵
  PID:5052
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,5162040342854041867,13435073944695380068,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5280 /prefetch:1
  2⤵
  PID:6084
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,5162040342854041867,13435073944695380068,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5040 /prefetch:1
  2⤵
  PID:6056
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2132,5162040342854041867,13435073944695380068,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4988 /prefetch:8
  2⤵
  PID:7088
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2132,5162040342854041867,13435073944695380068,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4988 /prefetch:8
  2⤵
  PID:6468

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --profile-directory=Default
1⤵
PID:232
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xe0,0x108,0x7ff84e8146f8,0x7ff84e814708,0x7ff84e814718
  2⤵
  PID:4916

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1484

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4348

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Privilege Escalation

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Defense Evasion

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

System Network Configuration Discovery

T1016

Wi-Fi Discovery

T1016.002

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\1bd60408b912f5870211c0f595cac75d\Admin@UXMRPRRI_en-US\System\Process.txt

Filesize
4KB

MD5
803333e8d5f06268e9ef6b6f557013ac

SHA1
08d07eff9d103413ab1104b81864eddd23c04b4f

SHA256
300843ba65b1a260b8bd8e74ae2084204691cdaf90fcb7e0d25731ebe139d219

SHA512
73341303f1748a221f8674f25b22c11103e70693d97fbdb5b639d6ac9590a1b1f38c9ecf1bac0ac61383bdcbdfa7266694542e08d5d6e7568f0a19f680fd5499

Download Submit
C:\Users\Admin\AppData\Local\1bd60408b912f5870211c0f595cac75d\Admin@UXMRPRRI_en-US\System\Process.txt

Filesize
4KB

MD5
ed344dca328cc35e61074ef0a7b5c5fc

SHA1
136af65621f52c96ef692370a6e98a2165e9b426

SHA256
7bcc1a402b931d9568e2bf0b4eb13a3c3cf85804e7fa024a6d61cdbc313e4e56

SHA512
b2f1538944ebb6ab819dd5d214ec3d8e55595d76bb857b69808d762ccf1228b5b6ae749a95e186e7d734ee1314fcb14c928ccc9e2d1ef23b8f70e94912305f5e

Download Submit
C:\Users\Admin\AppData\Local\2b5a9524031a64d7bf916040410de67d\Admin@UXMRPRRI_en-US\System\Process.txt

Filesize
4KB

MD5
d75495463111d176b5114ada3bac97bd

SHA1
a88600dcfb775b97f7f05dadcb67577c5b47fc15

SHA256
86fbb38cd9aad745bfdc13df1709a7fbce85e4b3f8734fbe0f1d71a3c647480d

SHA512
f3f8a32672a088378d087b36fa3168587a3363b44e4be441c1fb08cc55e06f109aa3bcecef39b046aa85c23d35d6c512ca9a5f9134d95061657b32f3390d5250

Download Submit
C:\Users\Admin\AppData\Local\2b5a9524031a64d7bf916040410de67d\Admin@UXMRPRRI_en-US\System\Process.txt

Filesize
64B

MD5
e8a0fd97cc481353426fa93ca9d4acd9

SHA1
532a91f60bbac82b880682f7e9fc269a64e56e4f

SHA256
64e0cd9fdec5edc6c1021c7ddcc2236be2e9985749fa5c139da465c5ec215282

SHA512
2d5801809c23062b5aff4b5a007426bc58754cc72885a3a00b8fd0f0d797edbfcb61954488ceea3af8b0bcec4337f05b1ec0dafdc3541e2774546091762b8c0a

Download Submit
C:\Users\Admin\AppData\Local\2b5a9524031a64d7bf916040410de67d\Admin@UXMRPRRI_en-US\System\Process.txt

Filesize
128B

MD5
a2f57a41ea52d9ad4b4d22295b40e874

SHA1
3fc346c2b2f23a29b17c3a29c221387dc28f8135

SHA256
4fd1ad0026abc38ef6e2bdadb0e8310e19bf3612f0583488ba9d6f73424ff607

SHA512
988e726e13551cb31840dadf5d050ad3dd870e756f75b2952a86204bb2bd67a787b6ca2919060898f5068eeed59c242e465e0cbc64c6f464643dc4eea189f407

Download Submit
C:\Users\Admin\AppData\Local\2b5a9524031a64d7bf916040410de67d\Admin@UXMRPRRI_en-US\System\Process.txt

Filesize
192B

MD5
cbbd2ec8526beb6201cd7d08f972733d

SHA1
9c96a1f91814f85d789c3af4316210a900550cdc

SHA256
ed82c9bc5aed211e485a3ac601eb3bd4acfd14822cd5a10624ea5a236fdf21c4

SHA512
9fe456df2a0b322efcfb2a8f76322e527cec74f1e794295539a56059e830621bc16ea5ea147c56fbb8dd8890009fd42ed1a83ea9b7c153781af21f5a0c282f86

Download Submit
C:\Users\Admin\AppData\Local\2b5a9524031a64d7bf916040410de67d\msgid.dat

Filesize
1B

MD5
cfcd208495d565ef66e7dff9f98764da

SHA1
b6589fc6ab0dc82cf12099d1c2d40ab994e8410c

SHA256
5feceb66ffc86f38d952786c6d696c79c2dbc239dd4e91b46729d73a27fb57e9

SHA512
31bca02094eb78126a517b206a88c73cfa9ec6f704c7030d18212cace820f025f00bf0ea68dbf3f3a5436ca63b53bf7bf80ad8d5de7d8359d0b7fed9dbc3ab99

Download Submit
C:\Users\Admin\AppData\Local\6273da9205fec68c64afc3253dbfc051\Admin@UXMRPRRI_en-US\Browsers\Edge\History.txt

Filesize
615B

MD5
f13e77fe844da541ddd1df3efa74597a

SHA1
88c0abffb8f4dcea49c921893e5f1435290d53a9

SHA256
d3b762584f3e0dded5fa5c6ae2432d5db5f88abff051f866e1e57d3edc709519

SHA512
4eee5cf20e740b73199f259b5849046c8e3bd8b149d335ecdb30a7228a6775457c22bd6dc44f22aaab97106ce0b2c5d112175ad7528b66b0c04344902e15fa91

Download Submit
C:\Users\Admin\AppData\Local\6273da9205fec68c64afc3253dbfc051\Admin@UXMRPRRI_en-US\System\Process.txt

Filesize
624B

MD5
4f78238fbb516e9da4e5226c677c85e2

SHA1
6c211972403eadc5c7295a02ead75cd324796117

SHA256
875c0ccf23b1753a4d135af24ef0c44e3befa94b2665c09d7956cb6644ef0fca

SHA512
a59f2f559ca2b4bf0a565703f74415e11620dbaf841f11e5bbac81b19a3f57b75b7ed3d74db7f87d746c4d3934bc042b9202c2ee0304b68990088601126ad711

Download Submit
C:\Users\Admin\AppData\Local\6273da9205fec68c64afc3253dbfc051\Admin@UXMRPRRI_en-US\System\Process.txt

Filesize
688B

MD5
b5a8142be8b566783317a7fcff9a77ca

SHA1
1ab2c934e77ce6e56cfbbbe7d623fd12b30ef3e7

SHA256
7c2e5cdab83f08f198a0fa30b57274feeae9a65d2eb2007041e5c98151ce612a

SHA512
794c5194213eb34d752722a8b644c29f9d57bb3fc8e5c2d05eb855bd081f0eb308dbad7c93f0eea0c0250b098613a098543db8885a7b615eaf1b9b2bef4ce38e

Download Submit
C:\Users\Admin\AppData\Local\6273da9205fec68c64afc3253dbfc051\Admin@UXMRPRRI_en-US\System\Process.txt

Filesize
780B

MD5
bdf72e0e553b029a0dc37519e66e2e3b

SHA1
f96a46c30699d34442c59985125d70e6c7eeff02

SHA256
6a8cf3bd74e18294482839b8c9570ab5f44ea0b214e5389c5e91f0eebf1f43f0

SHA512
01bc7ddb45c208d27840e6bf3940df9a15faa8afd61082374c93a6c097f1e8f0341a51bec18912dfe43c40070b60dd06bf916993f9555c823622b55b85ffe316

Download Submit
C:\Users\Admin\AppData\Local\6273da9205fec68c64afc3253dbfc051\Admin@UXMRPRRI_en-US\System\Process.txt

Filesize
844B

MD5
a58ac16b1da13853fe92e262a8a11d98

SHA1
09e531e903bd5fceff7017df11caacbfb5e1816f

SHA256
7b0dd5a67740cb27c93758d11cd3c9e0e1c73b1367ac14508fa03fec22ab8f43

SHA512
746f0f853ff5f1af90220c42cd1dba688769c41864d721ad9021bffdeb4df8b479825e1aa989209b8d52c8c365f4aa036123a72828c05ff9c41fbf7e4023ac55

Download Submit
C:\Users\Admin\AppData\Local\826a670fbd0646f8913d0e1e50b960d1\Admin@UXMRPRRI_en-US\Browsers\Edge\Cookies.txt

Filesize
4KB

MD5
a9e52c03e17d5c69407d8b602beacdb1

SHA1
701e878441ccb0899de1b15119e080e34ed22080

SHA256
0afbc927171120c469b5959b3df8375d6b8a1ff873975c7fd1c965697a0370a5

SHA512
66e7f114a60694339c0f51dcc54fce95bee777ec57cea4dd597ffe0a3f708630376fe452f977331288efa4e18f62e20f1f94565804173f0b394d8044195b962c

Download Submit
C:\Users\Admin\AppData\Local\826a670fbd0646f8913d0e1e50b960d1\Admin@UXMRPRRI_en-US\System\Process.txt

Filesize
532B

MD5
6ca237027d1f822d9bca2ad8c94f3238

SHA1
4b69254f464c3c306a597ae9eef1a3fbdfa4435c

SHA256
879a5dd2cfb51e159da8bbc5820ece69706042295469350d8b5f7dfff911a5b6

SHA512
a2b6a8a2c62f16169ba4f4241d1425c7f435d12d908cebe8b5b88554b472c4b64283846f83d38415e927f19f1cbba3cc92991c66f79b4cad64a60d6311c65e82

Download Submit
C:\Users\Admin\AppData\Local\826a670fbd0646f8913d0e1e50b960d1\Admin@UXMRPRRI_en-US\System\ProductKey.txt

Filesize
29B

MD5
71eb5479298c7afc6d126fa04d2a9bde

SHA1
a9b3d5505cf9f84bb6c2be2acece53cb40075113

SHA256
f6cadfd4e4c25ff3b8cffe54a2af24a757a349abbf4e1142ec4c9789347fe8b3

SHA512
7c6687e21d31ec1d6d2eff04b07b465f875fd80df26677f1506b14158444cf55044eb6674880bd5bd44f04ff73023b26cb19b8837427a1d6655c96df52f140bd

Download Submit
C:\Users\Admin\AppData\Local\826a670fbd0646f8913d0e1e50b960d1\Admin@UXMRPRRI_en-US\System\ScanningNetworks.txt

Filesize
84B

MD5
58cd2334cfc77db470202487d5034610

SHA1
61fa242465f53c9e64b3752fe76b2adcceb1f237

SHA256
59b3120c5ce1a7d1819510272a927e1c8f1c95385213fccbcdd429ff3492040d

SHA512
c8f52d85ec99177c722527c306a64ba61adc3ad3a5fec6d87749fbad12da424ba6b34880ab9da627fb183412875f241e1c1864d723e62130281e44c14ad1481e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\RebelCracked.exe.log

Filesize
654B

MD5
2ff39f6c7249774be85fd60a8f9a245e

SHA1
684ff36b31aedc1e587c8496c02722c6698c1c4e

SHA256
e1b91642d85d98124a6a31f710e137ab7fd90dec30e74a05ab7fcf3b7887dced

SHA512
1d7e8b92ef4afd463d62cfa7e8b9d1799db5bf2a263d3cd7840df2e0a1323d24eb595b5f8eb615c6cb15f9e3a7b4fc99f8dd6a3d34479222e966ec708998aed1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\RuntimeBroker.exe.log

Filesize
706B

MD5
9b4d7ccdebef642a9ad493e2c2925952

SHA1
c020c622c215e880c8415fa867cb50210b443ef0

SHA256
e6f068d76bd941b4118225b130db2c70128e77a45dcdbf5cbab0f8a563b867ff

SHA512
8577ecd7597d4b540bc1c6ccc4150eae7443da2e4be1343cc42242714d04dd16e48c3fcaefd95c4a148fe9f14c5b6f3166b752ae20d608676cf6fb48919968e8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
0446fcdd21b016db1f468971fb82a488

SHA1
726b91562bb75f80981f381e3c69d7d832c87c9d

SHA256
62c5dc18b25e758f3508582a7c58bb46b734a774d97fc0e8a20614235caa8222

SHA512
1df7c085042266959f1fe0aedc5f6d40ceba485b54159f51f0c38f17bb250b79ea941b735e1b6faf219f23fe8ab65ac4557f545519d52d5416b89ad0f9047a31

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
9b008261dda31857d68792b46af6dd6d

SHA1
e82dc88e2d1da2df7cb19d79a0346b9bb90d52b3

SHA256
9ac598d4f8170f7e475d84103aead9e3c23d5f2d292741a7f56a17bde8b6f7da

SHA512
78853091403a06beeec4998e2e3a4342111895ffd485f7f7cd367741a4883f7a25864cba00a6c86f27dc0c9ce9d04f08011ecc40c8ae9383d33274739ac39f10

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000031

Filesize
18KB

MD5
dcef2a0d8c834b19ef04237bd11c630b

SHA1
5181b56940da31951e0a0502154b1eddd1a21fab

SHA256
5bdbc19ec213546b8b89248b024e057b19181f2ad1779f4dfa34c0b545d18432

SHA512
8b97e1cc83dc83a1df75cc9536695409529f5693bd23af85a4c1c6df9f5b92ef4e58c299b30517698cc8c176fdb8d2aa3baf7d0b62faec378942083ed559fe03

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
1KB

MD5
5fb05663888c646ce44f3b65feadd0f6

SHA1
1090348f431f22db056ad4137973d4e321bf83df

SHA256
4aa18a9573a975bf13a77cea2c2d6d7cad93b7dd3d8f5944719927e7ecf7d7e5

SHA512
05ee2855c59b209bd3085bfcf347be89f61d9318c533f584fa70fc40d95e9188b4f2c7bc14915b25bd9691551520975563c7750a0f1f3212198a8210c68f124f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
03e65300eaa12e278e90797c043c2b8b

SHA1
12041f72cd364601e5bff6eeccd9c2126434245f

SHA256
e3b2ecff1314e654ed8b52183bc61f7144129041e8fc0a03288d096657f6f95c

SHA512
b7ef23a0625e6f9aeede334ce3d39f2a2b89a648cb769badf585dc998bce2772898fdbaa507db36f70b5a7fa2c1ec0fe0a8700c5afec2d0c50525d0a5bf2a314

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
e0bab7dc02094cb41b934fa5ebb9f95e

SHA1
d56ee2330a604f1343ca1a21e1174a34e738c52e

SHA256
291ad330a1ff51518aab66209506bd93464ebce734f85247ad070ada72a5cac4

SHA512
b842e1e6ac809cd6ec99b5f333849cb1e519b4dc140daea29978868ad4e622e5eec94a69611bc00c54ecb476285f9cdea840999e38fd97e5147304eecd8b0d2f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
8KB

MD5
216ec153917ebbcd15e18d55b8ac9519

SHA1
b13f4bf381c3ea48b5278b4ad536bd7a5cf5b035

SHA256
31f6dc127a2ac9fb6253ab6231cb9aaeeee1c5ec5d90397101f6abc19a588e86

SHA512
57548895149fd15687fd9cfc1702030c1c610dcc4ad8e4a87e0af5a2fdec96d452c0595cf7c67d3f0b92f696d235b9663b2744802b6c6b75fe387163fe5205d5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
7b52c3aaa848577523443175a4274580

SHA1
eab2f713ce80fc717dc94f896c957fbf131929cc

SHA256
728b7485afe32b4214c202583ebc6822644952e6e6aff8dbdf9cbb435488afd6

SHA512
306c7315a9c4b241cb9cd5a6d19eebf75b6a3f280e108ddb43456d3f0b580bbf1d40aa3a6656a11f8182a3baee9f3039307d4ad4d30e3e84af0d65cf21cdb29a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index

Filesize
96B

MD5
9e0bd2a4248c50f5e847024a303ca975

SHA1
530e00be0e77d23a9d08b4a540e1d1f0d16acd3e

SHA256
38ce9be65ed3b682bebd33fab4ac987622928223478c91f5c588860cadbe4146

SHA512
b587004443ee11098ece9da5db4b4d9bb6d6cc878e3d6f747b292922e054aefb2b98fccdcb40045afd62a5138e989b667341dd0b3745ef6331041a1059639811

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index~RFe58538a.TMP

Filesize
48B

MD5
1b44edee9279b40abf7e692f6f0015fb

SHA1
0b5e36e2fdebcfd5b685e7005067ea8d061922e0

SHA256
b0706c9160177fa18171792924d86fa89857bc2dd2b88f9ff021c38cd496336b

SHA512
b820da600c451f12c22532f371515fea0e0d4650a6d7d223c9964e2cfcf8f18511eeb24d95c4d616a714819783855b19c3f22d6eac02c3f7f59f26044668141f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
871B

MD5
cc9b6fd40ca09c529420aa42c378b476

SHA1
06914a55d0b4348be468e8e0e9129b3af56959bf

SHA256
bfe4d0a6e92c80c3fd826db1a21141a8ebb101d5c3b992019cf5a0af11f55a21

SHA512
4ec401ed83d8fe5eeba86e84107f8813e99a29c9f611100a1e706946960c9da8e77d916aade829c6e6ab83d0a32e7f9df8395c312b64a0a0f0db5d6b07feda9b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe585733.TMP

Filesize
704B

MD5
8236128f935c09e72981f6f5aab1793f

SHA1
1200e73532b257dd14492e9c88ce8f9cf6210a13

SHA256
730c860520c2b1510f2c1c0d333ec993a180db0933e7ba1708764705a862dfaa

SHA512
5dd9b47b8047b6b55095ccb52e2a1b3d45de5e8a630a11a851d4dba16e7b6adf26ffcf2844f903ca16ff2b2ba55daad4379d99270dd43c8e8e3381d110747f19

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
8cbd893ab8ef8bc99ae2266d01e6d05b

SHA1
375679ab0bebe13a9b748d3bdb7a86a7fca8a54b

SHA256
b84c6191bdbaf9e3d2857225d604f9eed4565d6bc935e234ee2da6caf396d711

SHA512
a005bb96f8919298c5d5380efbb814e0f1b1dc72c0e36cd512237f53cf714f618431516f65487de15621b3df45488d1426e3601fcfbe21f68165e2766fc52e59

Download Submit
C:\Users\Admin\AppData\Local\RuntimeBroker.exe

Filesize
330KB

MD5
75e456775c0a52b6bbe724739fa3b4a7

SHA1
1f4c575e98d48775f239ceae474e03a3058099ea

SHA256
e8d52d0d352317b3da0be6673099d32e10e7b0e44d23a0c1a6a5277d37b95cf3

SHA512
b376146c6fa91f741d69acf7b02a57442d2ea059be37b9bdb06af6cc01272f4ded1a82e4e21b9c803d0e91e22fc12f70391f5e8c8704d51b2435afc9624e8471

Download Submit
C:\Users\Admin\AppData\Local\Temp\places.raw

Filesize
5.0MB

MD5
90281dbd5cb1133ade2bf34dd0d390aa

SHA1
10443ff1fea33ab751cffa19d208f63b433296ec

SHA256
ba4b82d026ba3561666eb31cad20732a27d11d9ca844c52ad757bd44d83fed33

SHA512
3d39ac85f4f9c16660c158da693f4e3fe39a477a0f34e5bfaeb766680b41e661d2a4bff165baa06e52f504474c6280d50802b7c4f2e97bf4d1930ed0a52abc91

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp1CF2.tmp.dat

Filesize
124KB

MD5
2c332123c2ed1d1e9905e462f826d15e

SHA1
4eb1d7c6de34fab24f6e7998178bca9e28f21ecf

SHA256
c803011fc411d4c5bdc08d2bf7d0bff639d74eff3e9b9a60ccbe8f37b8ef9104

SHA512
70ff687542a7a4a24d98c55db00628b68ad9b9b9ba42b509522aceeb199a196e0d63ec9ec42645c22538899a58d2395af687b264c34335828cf07459dbb766a9

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp6FA5.tmp.dat

Filesize
28KB

MD5
e503ea20696bf185ea2479d810fce8bb

SHA1
e7700ca1b7babcbbf6fbcc13fb7ba2fdfea5ac11

SHA256
72ed70e09b91c4d5a8b2f07963eeff3a5266a10ba24c97d6b3bc86824cb12472

SHA512
50264ff09078e051b8a1ab595e69a02a0cf430b1b2ecf24e4751efc9389e99cf7d442afd5fdde496a442cbd064ba93a7366fa9aaea79747741991ec20a8bf05d

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpADC4.tmp.dat

Filesize
114KB

MD5
503d6b554ee03ef54c8deb8c440f6012

SHA1
e306b2a07bf87e90c63418024c92933bcc3f4d7f

SHA256
4c407af4d5326d1ea43e89945eda0b86c81ad0d12bd5465b327c0fd1df56f7d4

SHA512
3490b51dfe2e8f6efa3cdeee7bc08c03072597861c1a2f88dc830139abb7611c671ddad345c2af97bb1e88927c09467ed92b5feafe6696d7e2b31b3bd3447437

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpADC6.tmp.dat

Filesize
160KB

MD5
f310cf1ff562ae14449e0167a3e1fe46

SHA1
85c58afa9049467031c6c2b17f5c12ca73bb2788

SHA256
e187946249cd390a3c1cf5d4e3b0d8f554f9acdc416bf4e7111fff217bb08855

SHA512
1196371de08c964268c44103ccaed530bda6a145df98e0f480d8ee5ad58cb6fb33ca4c9195a52181fe864726dcf52e6a7a466d693af0cda43400a3a7ef125fad

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpADC9.tmp.dat

Filesize
116KB

MD5
f70aa3fa04f0536280f872ad17973c3d

SHA1
50a7b889329a92de1b272d0ecf5fce87395d3123

SHA256
8d782aa65de6db3538a14da82216e96d5e0a3c60496726e3541a8165bccc65f8

SHA512
30675c5c610d9aa32a4c4a4d9c3af7570823cd197f8d2a709222c78e2cd15304bbed80e233e3674ec2f6e33d1961c67fd6a46dc8ba8b1a301cd0722932c03c84

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpB660.tmp.dat

Filesize
40KB

MD5
a182561a527f929489bf4b8f74f65cd7

SHA1
8cd6866594759711ea1836e86a5b7ca64ee8911f

SHA256
42aad7886965428a941508b776a666a4450eb658cb90e80fae1e7457fc71f914

SHA512
9bc3bf5a82f6f057e873adebd5b7a4c64adef966537ab9c565fe7c4bb3582e2e485ff993d5ab8a6002363231958fabd0933b48811371b8c155eaa74592b66558

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpB666.tmp.dat

Filesize
48KB

MD5
349e6eb110e34a08924d92f6b334801d

SHA1
bdfb289daff51890cc71697b6322aa4b35ec9169

SHA256
c9fd7be4579e4aa942e8c2b44ab10115fa6c2fe6afd0c584865413d9d53f3b2a

SHA512
2a635b815a5e117ea181ee79305ee1baf591459427acc5210d8c6c7e447be3513ead871c605eb3d32e4ab4111b2a335f26520d0ef8c1245a4af44e1faec44574

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpB667.tmp.dat

Filesize
20KB

MD5
49693267e0adbcd119f9f5e02adf3a80

SHA1
3ba3d7f89b8ad195ca82c92737e960e1f2b349df

SHA256
d76e7512e496b7c8d9fcd3010a55e2e566881dc6dacaf0343652a4915d47829f

SHA512
b4b9fcecf8d277bb0ccbb25e08f3559e3fc519d85d8761d8ad5bca983d04eb55a20d3b742b15b9b31a7c9187da40ad5c48baa7a54664cae4c40aa253165cbaa2

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpB668.tmp.dat

Filesize
124KB

MD5
9618e15b04a4ddb39ed6c496575f6f95

SHA1
1c28f8750e5555776b3c80b187c5d15a443a7412

SHA256
a4cd72e529e60b5f74c50e4e5b159efaf80625f23534dd15a28203760b8b28ab

SHA512
f802582aa7510f6b950e3343b0560ffa9037c6d22373a6a33513637ab0f8e60ed23294a13ad8890935b02c64830b5232ba9f60d0c0fe90df02b5da30ecd7fa26

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpB679.tmp.dat

Filesize
96KB

MD5
40f3eb83cc9d4cdb0ad82bd5ff2fb824

SHA1
d6582ba879235049134fa9a351ca8f0f785d8835

SHA256
cdd772b00ae53d4050150552b67028b7344bb1d345bceb495151cc969c27a0a0

SHA512
cdd4dbf0b1ba73464cd7c5008dc05458862e5f608e336b53638a14965becd4781cdea595fd6bd18d0bf402dccffd719da292a6ce67d359527b4691dc6d6d4cc2

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpEFD3.tmp.dat

Filesize
116KB

MD5
b6d9677d249d21c992f389a71961037e

SHA1
5495767186db98e49d576237a32f74fe41dd466c

SHA256
1c53c05d860ada7ac5a5b6f4250a10731a945357d52284014569106488715a6a

SHA512
3c43c879f17c4618e6888a13b3f75ca95396ef2a7b1cc89b2ffa6ade31560b9ecb5c69f8bd3eff6066841a0e7ab980caf712226a7440d0ada29d91023deeb6be

Download Submit
C:\Users\Admin\AppData\Local\c236eda9d7f89f5139e8594421200a40\Admin@UXMRPRRI_en-US\Browsers\Edge\History.txt

Filesize
664B

MD5
4cbe9fe8a4088f3fe4684c0c68c0e0a6

SHA1
4fc35121268a67328816803b69458c9ea88ecc68

SHA256
6463025a11a60449d5f64b27dc919edc06bcd509206dfffaab6225736f526950

SHA512
28add10c84114279e1df6a4c48f375506aa2bf7b55169c0ba175f638c6cb2a766b2e618577d7023ffc506b85566e61486321e39345849f2e534a62bdd5a35034

Download Submit
C:\Users\Admin\AppData\Local\c236eda9d7f89f5139e8594421200a40\Admin@UXMRPRRI_en-US\Browsers\Firefox\Bookmarks.txt

Filesize
105B

MD5
2e9d094dda5cdc3ce6519f75943a4ff4

SHA1
5d989b4ac8b699781681fe75ed9ef98191a5096c

SHA256
c84c98bbf5e0ef9c8d0708b5d60c5bb656b7d6be5135d7f7a8d25557e08cf142

SHA512
d1f7eed00959e902bdb2125b91721460d3ff99f3bdfc1f2a343d4f58e8d4e5e5a06c0c6cdc0379211c94510f7c00d7a8b34fa7d0ca0c3d54cbbe878f1e9812b7

Download Submit
C:\Users\Admin\AppData\Local\c236eda9d7f89f5139e8594421200a40\Admin@UXMRPRRI_en-US\Directories\Desktop.txt

Filesize
521B

MD5
0246c03cfa7f911e0cb61d36af9a2f40

SHA1
cd1ec5dbc82a6d1f6986a6e65bb873599d45d2de

SHA256
c2e74b14f3abe3daee30779573c800cc29c94ec561211889a36881ba658461e9

SHA512
a0411a5e858d85931dce3fda7b866fdd692dab58f9a1fbf0cdbc049a9838cad551b8c59da6957bb906652c68e532e4d8840ac1e3d78fccf4a80c27052e6b2d03

Download Submit
C:\Users\Admin\AppData\Local\c236eda9d7f89f5139e8594421200a40\Admin@UXMRPRRI_en-US\Directories\Documents.txt

Filesize
942B

MD5
8668f8b3dd510deb8db5b1f21eee7d08

SHA1
e45963cdd6a6507f8f650c934c597870d4e8050c

SHA256
b1e45514e7af12e966ded88f791553ef120dd2011739505be3ea80df9526ce6d

SHA512
68465d757fd1e7479e8cfd77b9c501348cb536d1f03df246adbc37b735174072e7ead2cee50515e600d029669ff072554eb7cd585e2b04095300172ff93ba1bb

Download Submit
C:\Users\Admin\AppData\Local\c236eda9d7f89f5139e8594421200a40\Admin@UXMRPRRI_en-US\Directories\Downloads.txt

Filesize
768B

MD5
f0c1124307141b559995dc3c29b9963a

SHA1
b099652176abe61026aa542c6d9b128c53558603

SHA256
9c23de100e934fbfaa3076a2225873d6166203748fd0cf00b3fa46128568d802

SHA512
1daca4c2299d1d142b3291c26beecc4bb0c72bcd33fa58d3aee80956c77d71320cc0e56627b4dbd6806599bce948c69babce143e8f897eb9373cf137778e2fd4

Download Submit
C:\Users\Admin\AppData\Local\c236eda9d7f89f5139e8594421200a40\Admin@UXMRPRRI_en-US\Directories\OneDrive.txt

Filesize
25B

MD5
966247eb3ee749e21597d73c4176bd52

SHA1
1e9e63c2872cef8f015d4b888eb9f81b00a35c79

SHA256
8ddfc481b1b6ae30815ecce8a73755862f24b3bb7fdebdbf099e037d53eb082e

SHA512
bd30aec68c070e86e3dec787ed26dd3d6b7d33d83e43cb2d50f9e2cff779fee4c96afbbe170443bd62874073a844beb29a69b10c72c54d7d444a8d86cfd7b5aa

Download Submit
C:\Users\Admin\AppData\Local\c236eda9d7f89f5139e8594421200a40\Admin@UXMRPRRI_en-US\Directories\Pictures.txt

Filesize
632B

MD5
9e4a0b6018961db635f37f1df8ade3b3

SHA1
f54336a9186030033e6a59d066519d1afb86cbb6

SHA256
70df72d8be252c9770a7882a8ec8fbc8561354452a5bb18a372897bfd7577633

SHA512
830fe5eb818a8d84f8b5aa49b47b845c63020c0f6e4890cc4e14872272861bfd2e66e2f253629871a0432b0935d01eec51291ae4f5f03baf55a68a1bfe587afd

Download Submit
C:\Users\Admin\AppData\Local\c236eda9d7f89f5139e8594421200a40\Admin@UXMRPRRI_en-US\Directories\Startup.txt

Filesize
24B

MD5
68c93da4981d591704cea7b71cebfb97

SHA1
fd0f8d97463cd33892cc828b4ad04e03fc014fa6

SHA256
889ed51f9c16a4b989bda57957d3e132b1a9c117ee84e208207f2fa208a59483

SHA512
63455c726b55f2d4de87147a75ff04f2daa35278183969ccf185d23707840dd84363bec20d4e8c56252196ce555001ca0e61b3f4887d27577081fdef9e946402

Download Submit
C:\Users\Admin\AppData\Local\c236eda9d7f89f5139e8594421200a40\Admin@UXMRPRRI_en-US\Directories\Temp.txt

Filesize
2KB

MD5
f9563770f24799a9224edf762b91179e

SHA1
a7008fa4b8cfe522557653f46740a0a306988cba

SHA256
bd85d3823b4f649448dc08e012a47d2426db1ff7f711d9fe89fcfe1302b76684

SHA512
c0aaf121e3ab4c596cc0ff0f720ead6021a861799b0a7e73ce72584b928775d4e1420c879b7f049dca963beca92ac866b627fc769a2ecbe0d60483004551cdb5

Download Submit
C:\Users\Admin\AppData\Local\c236eda9d7f89f5139e8594421200a40\Admin@UXMRPRRI_en-US\Directories\Temp.txt

Filesize
2KB

MD5
f9387fc79433463756407aad84506812

SHA1
814166055c5e7dc93dee166f7d9ba4cffd9fbf9d

SHA256
faf7753519c51b88f7cc24cfb12844f544ccc3cb4d04e4a6457cbc0b66adbe3d

SHA512
54ced601e2ac450cbb4ee5196df35041a7013b70f7167d134aaa8f9dc2d4102ba6bf33f4d283d8c3d5764d1b36cd5054d3560754caa5593f1681c618c8d053e6

Download Submit
C:\Users\Admin\AppData\Local\c236eda9d7f89f5139e8594421200a40\Admin@UXMRPRRI_en-US\Directories\Videos.txt

Filesize
23B

MD5
1fddbf1169b6c75898b86e7e24bc7c1f

SHA1
d2091060cb5191ff70eb99c0088c182e80c20f8c

SHA256
a67aa329b7d878de61671e18cd2f4b011d11cbac67ea779818c6dafad2d70733

SHA512
20bfeafde7fec1753fef59de467bd4a3dd7fe627e8c44e95fe62b065a5768c4508e886ec5d898e911a28cf6365f455c9ab1ebe2386d17a76f53037f99061fd4d

Download Submit
C:\Users\Admin\AppData\Local\c236eda9d7f89f5139e8594421200a40\Admin@UXMRPRRI_en-US\Grabber\DRIVE-C\Users\Admin\Desktop\desktop.ini

Filesize
282B

MD5
9e36cc3537ee9ee1e3b10fa4e761045b

SHA1
7726f55012e1e26cc762c9982e7c6c54ca7bb303

SHA256
4b9d687ac625690fd026ed4b236dad1cac90ef69e7ad256cc42766a065b50026

SHA512
5f92493c533d3add10b4ce2a364624817ebd10e32daa45ee16593e913073602db5e339430a3f7d2c44abf250e96ca4e679f1f09f8ca807d58a47cf3d5c9c3790

Download Submit
C:\Users\Admin\AppData\Local\c236eda9d7f89f5139e8594421200a40\Admin@UXMRPRRI_en-US\Grabber\DRIVE-C\Users\Admin\Documents\desktop.ini

Filesize
402B

MD5
ecf88f261853fe08d58e2e903220da14

SHA1
f72807a9e081906654ae196605e681d5938a2e6c

SHA256
cafec240d998e4b6e92ad1329cd417e8e9cbd73157488889fd93a542de4a4844

SHA512
82c1c3dd163fbf7111c7ef5043b009dafc320c0c5e088dec16c835352c5ffb7d03c5829f65a9ff1dc357bae97e8d2f9c3fc1e531fe193e84811fb8c62888a36b

Download Submit
C:\Users\Admin\AppData\Local\c236eda9d7f89f5139e8594421200a40\Admin@UXMRPRRI_en-US\Grabber\DRIVE-C\Users\Admin\Downloads\desktop.ini

Filesize
282B

MD5
3a37312509712d4e12d27240137ff377

SHA1
30ced927e23b584725cf16351394175a6d2a9577

SHA256
b029393ea7b7cf644fb1c9f984f57c1980077562ee2e15d0ffd049c4c48098d3

SHA512
dbb9abe70f8a781d141a71651a62a3a743c71a75a8305e9d23af92f7307fb639dc4a85499115885e2a781b040cbb7613f582544c2d6de521e588531e9c294b05

Download Submit
C:\Users\Admin\AppData\Local\c236eda9d7f89f5139e8594421200a40\Admin@UXMRPRRI_en-US\Grabber\DRIVE-C\Users\Admin\Pictures\Camera Roll\desktop.ini

Filesize
190B

MD5
d48fce44e0f298e5db52fd5894502727

SHA1
fce1e65756138a3ca4eaaf8f7642867205b44897

SHA256
231a08caba1f9ba9f14bd3e46834288f3c351079fcedda15e391b724ac0c7ea8

SHA512
a1c0378db4e6dac9a8638586f6797bad877769d76334b976779cd90324029d755fb466260ef27bd1e7f9fdf97696cd8cd1318377970a1b5bf340efb12a4feb4a

Download Submit
C:\Users\Admin\AppData\Local\c236eda9d7f89f5139e8594421200a40\Admin@UXMRPRRI_en-US\Grabber\DRIVE-C\Users\Admin\Pictures\Saved Pictures\desktop.ini

Filesize
190B

MD5
87a524a2f34307c674dba10708585a5e

SHA1
e0508c3f1496073b9f6f9ecb2fb01cb91f9e8201

SHA256
d01a7ef6233ef4ab3ea7210c0f2837931d334a20ae4d2a05ed03291e59e576c9

SHA512
7cfa6d47190075e1209fb081e36ed7e50e735c9682bfb482dbf5a36746abdad0dccfdb8803ef5042e155e8c1f326770f3c8f7aa32ce66cf3b47cd13781884c38

Download Submit
C:\Users\Admin\AppData\Local\c236eda9d7f89f5139e8594421200a40\Admin@UXMRPRRI_en-US\Grabber\DRIVE-C\Users\Admin\Pictures\desktop.ini

Filesize
504B

MD5
29eae335b77f438e05594d86a6ca22ff

SHA1
d62ccc830c249de6b6532381b4c16a5f17f95d89

SHA256
88856962cef670c087eda4e07d8f78465beeabb6143b96bd90f884a80af925b4

SHA512
5d2d05403b39675b9a751c8eed4f86be58cb12431afec56946581cb116b9ae1014ab9334082740be5b4de4a25e190fe76de071ef1b9074186781477919eb3c17

Download Submit
C:\Users\Admin\AppData\Local\c236eda9d7f89f5139e8594421200a40\Admin@UXMRPRRI_en-US\System\Process.txt

Filesize
1KB

MD5
a73ad1493fbf2dd7890fe63f432997c7

SHA1
342fcb87b15e45968ebb79f010583741c7d6afbb

SHA256
a476b9932d83fdf072ebf89c5db4d4d9807fdeb67b7d6c89876fe1122563d12e

SHA512
09ce966d9384992ca88b9f61a8543728047c981e37263a4f5398f48a0e99fac7d7d9a6ae5e8ced84b05bda680ea1075027bf1e4509ac09fe9802138fd3c15f3d

Download Submit
C:\Users\Admin\AppData\Local\c236eda9d7f89f5139e8594421200a40\Admin@UXMRPRRI_en-US\System\Process.txt

Filesize
1KB

MD5
8057fbf7d4b05e90f88dd5f870996b0c

SHA1
1c3d98535147d7db163515946fe0e684cad847c3

SHA256
8bf1467439483a15b58050c2920cdf3aee8a2b57094bca489aa6f72c9aa09e23

SHA512
1c0d3fbe22dfdbcfa197b570b59e0e615be95dd4c6dd794458498f46ffde56e63c1c6b5200b8ef64f50edf2a498e01ddd7476b88f929404fcc3416d6eb6b41a1

Download Submit
C:\Users\Admin\AppData\Local\c236eda9d7f89f5139e8594421200a40\Admin@UXMRPRRI_en-US\System\Process.txt

Filesize
532B

MD5
7af5e4f5afd7bbe9581704794a02301c

SHA1
0a8b569173967042d61812f3fffd349e8b9f270f

SHA256
a0cf0aa2860dc9e3d28be90e3e75a212b3585ea00609512a5d4304acf2acb223

SHA512
cca2f9c3936539b7d92b1b5e65d7627be6e16e4309344e60d2ee5621945476eb11b39eeba770d10fafb0058915374cdda3feb6d8aa91e8eb5dc7ac83529eb23b

Download Submit
C:\Users\Admin\AppData\Local\c236eda9d7f89f5139e8594421200a40\Admin@UXMRPRRI_en-US\System\Process.txt

Filesize
4KB

MD5
a76123cfc20f660d76f5c567e9ed5632

SHA1
4a48f3bd53f82feb48802e8365bffce1a953bc12

SHA256
99769ae4aa4a429d32e7af6ecc3acb77568e93d69f384c1ffda8f4b38cca9165

SHA512
319549d4075d8510c5830f3581d2a8e89c323650c6c190b14a7a000a10247768ce0497fa133ac6d186e708f7657646fb12c706948923ce149b26a9df45930f4d

Download Submit
C:\Users\Admin\AppData\Local\c236eda9d7f89f5139e8594421200a40\Admin@UXMRPRRI_en-US\System\Process.txt

Filesize
213B

MD5
3d32cc43e6f3f8b40d5771d879c58cc5

SHA1
7e367bc93da57d3bd4663eb1eac074f6dea18ad0

SHA256
d3d0031e0ab1b3048e6caf0275cbb877fa85fb2c648b8ad1bd1f79508aab4e50

SHA512
793db6260be63e4582ef56303ce9f095e00fa3e98d4705019bba1d0fbd8f4a77104b6008a9800365776dca75930da5eeff930f089baa561bdbb752c2d80ac2d2

Download Submit
C:\Users\Admin\AppData\Local\c236eda9d7f89f5139e8594421200a40\Admin@UXMRPRRI_en-US\System\Process.txt

Filesize
277B

MD5
f03875bb86d142eba4ea82367b7a9fb3

SHA1
7227ffd24fc429faa6a08fff31df02f6ebc41791

SHA256
0eab11f88a29c7fa0556c18e86c6f9b21613cbc69bf704dbc18f60eec75723ee

SHA512
3e0615b31c397fa8341cc95492311ae6143e0ab1110c96f8e65e2113a46cb1fdecf53b06d9630ae727c292a58a4398063b28748506ec574e151308c04b581d4a

Download Submit
C:\Users\Admin\AppData\Local\c236eda9d7f89f5139e8594421200a40\Admin@UXMRPRRI_en-US\System\WorldWind.jpg

Filesize
74KB

MD5
232603435a1b259c2f8bf4a3375dbc8f

SHA1
a13d1b2567f228e0599f6a5d073a3a0d3ccff8c7

SHA256
34b6fc29e8a3ba36625453fabf06f177397a1aac3902b9a2b7f409fdfa306e38

SHA512
05e0c7959a98c9f30cee1892f78d0a85cad84ff9aeec97046d2821842a88afe868ecd676a7020936c367f0e4e72f16185a7104a0dce125b5fdcf19d3b79c26d0

Download Submit
C:\Users\Admin\AppData\Local\c6c193096bef91194577b7d7d520c777\Admin@UXMRPRRI_en-US\System\Process.txt

Filesize
340B

MD5
ff16c656fde0158466ae5298a34ddbf7

SHA1
1824ae71d09610ac4cbb86554fee355a7b93414a

SHA256
150f45877589700f6ce5c1ea4c59c60377119114ef586c69a5fd4892cbc737c3

SHA512
f222e72669a7d8c240a124c0ae9120c324d1aad9f451fbe019d0e1e1b7d01849309e06fc542d8b175ff3c06f4c96d1cf974756a5febb1ba96dafd8d61b60baa8

Download Submit
C:\Users\Admin\AppData\Local\c6c193096bef91194577b7d7d520c777\Admin@UXMRPRRI_en-US\System\Process.txt

Filesize
404B

MD5
e3456607b865d049994648f3b8c0e66e

SHA1
f250aa7678c7fc39f454840b5dd8f7bca27192e8

SHA256
48d7245c64a6f465832d7d3fa9709559515baee3dd671d94cb6965eaf2160df1

SHA512
54eb77b401fdc102b0575e4a71483a7de6870da60eb56d514a025304a69a962294f37b5d5333e45c3fd9a25e56c77d115e5cfbfc61363cb5c84be77b015b056f

Download Submit
C:\Users\Admin\AppData\Local\c6c193096bef91194577b7d7d520c777\Admin@UXMRPRRI_en-US\System\Process.txt

Filesize
468B

MD5
199c37918cf39beed9f9c2a73b5491f5

SHA1
257f2a88a4c53b342d8d76a3a8350c6a0331319c

SHA256
c0bdce1ee6434e25dcb5dd13e53ba27aa8598484a3d651ae1f6d3fbb55c1086a

SHA512
b3f34aff623b5a34097277e36ed90f9909e45091c338929d891d13a1234dfbf2fb33ab72ee829a4a7f8c9a721b0d81cd8997ef95a30d709ed755fbe97463db66

Download Submit
C:\Users\Admin\AppData\Local\c6c193096bef91194577b7d7d520c777\Admin@UXMRPRRI_en-US\System\Process.txt

Filesize
4KB

MD5
f8c3b9d026d976e26a061d94f841a232

SHA1
a467572d62cbeef0178ab133771e229c7a006c19

SHA256
c8d3cefc3676fa3301a19ddb47b386919dcc7b3942f8901c1eee3dc3cf812c3d

SHA512
6f9d4e005917fd29a49f5d89619a7cd590c82fd13c9ec92cc335c5300b77257bc3a0f11ef2bb85a2b162dd9e122250b9adacbee58abae15494ebcb9e2695e306

Download Submit
C:\Users\Admin\AppData\Local\c6c193096bef91194577b7d7d520c777\Admin@UXMRPRRI_en-US\System\Process.txt

Filesize
149B

MD5
bdf43b3792ddbbd7722ac82e4aadc2f8

SHA1
bd1d8d84d5c614d8b2303e4f7f77950b0f80a4a9

SHA256
5ffbe28d4d6a3c2d1e32508fb0f239cf074d0fe96aa294ab3ac8ce6fdfd24bdf

SHA512
874175c20595210c4cbbf6f36ac42eebdfe0e975c6c00a030f79844ca26019c1f83ccbb1d2e994ddd1508a0b00a3dbf79e68fc1765ab570eebcfbc5834a77945

Download Submit
\??\pipe\LOCAL\crashpad_664_ZGAWPEWKJJSIBIST

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/232-16-0x00007FF850B80000-0x00007FF851641000-memory.dmp

Filesize
10.8MB

Download
memory/232-0-0x00007FF850B83000-0x00007FF850B85000-memory.dmp

Filesize
8KB

Download
memory/232-1-0x0000000000190000-0x00000000001EC000-memory.dmp

Filesize
368KB

Download
memory/232-3-0x00007FF850B80000-0x00007FF851641000-memory.dmp

Filesize
10.8MB

Download
memory/2796-24-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/2796-36-0x0000000005B00000-0x0000000005B66000-memory.dmp

Filesize
408KB

Download
memory/2796-563-0x0000000007700000-0x0000000007712000-memory.dmp

Filesize
72KB

Download
memory/2796-409-0x0000000006760000-0x000000000676A000-memory.dmp

Filesize
40KB

Download
memory/3884-15-0x00007FF850B80000-0x00007FF851641000-memory.dmp

Filesize
10.8MB

Download
memory/3884-30-0x00007FF850B80000-0x00007FF851641000-memory.dmp

Filesize
10.8MB

Download
memory/4428-21-0x0000000005EC0000-0x0000000005F0A000-memory.dmp

Filesize
296KB

Download
memory/4428-20-0x0000000005F10000-0x0000000005FA2000-memory.dmp

Filesize
584KB

Download
memory/4428-19-0x00000000063C0000-0x0000000006964000-memory.dmp

Filesize
5.6MB

Download
memory/4428-18-0x0000000000DB0000-0x0000000000E08000-memory.dmp

Filesize
352KB

Download
memory/4428-17-0x000000007489E000-0x000000007489F000-memory.dmp

Filesize
4KB

Download
memory/4428-22-0x00000000060C0000-0x000000000615C000-memory.dmp

Filesize
624KB

Download
memory/4428-23-0x0000000006040000-0x000000000604A000-memory.dmp

Filesize
40KB

Download