asyncrat | 9d9a79f4ae9bf7a992945f6c06c5bec642c05e4e828217c50255dabfa3677006

max time kernel
1200s
max time network
1162s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
25-09-2024 21:15

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

RebelCracked.exe
Size

344KB
MD5

a84fd0fc75b9c761e9b7923a08da41c7
SHA1

2597048612041cd7a8c95002c73e9c2818bb2097
SHA256

9d9a79f4ae9bf7a992945f6c06c5bec642c05e4e828217c50255dabfa3677006
SHA512

a17f1144a0e3ce07c7ed6891987c5b969f291e9991442c33750028d35e2194794e8a649c397e8afc9f8ce19d485c453600c75cab4fcead09e38414d85819251a
SSDEEP

6144:lOcpeK8lucxAtLNFHUVuI/2zj1z6jZ755NofmWx4PCQL23wBw7R0ljTwrVuAdJKp:QcpSnx0LNFDQ60Ntbo5d7gBw7R7rbdJk

Score

10^/10

asyncrat stormkitty default discovery persistence privilege_escalation rat spyware stealer

Malware Config

Extracted

Family

asyncrat

Botnet

Default

127.0.0.1:6606

127.0.0.1:7707

127.0.0.1:8808

Mutex

AsyncMutex_6SI8OkPnk

Attributes

delay
3
install
false
install_folder
%AppData%

aes.plain

Signatures

AsyncRat
AsyncRAT is designed to remotely monitor and control other computers written in C#.
rat asyncrat
StormKitty
StormKitty is an open source info stealer written in C#.
stealer stormkitty

StormKitty payload 1 IoCs

resource	yara_rule
behavioral2/memory/3540-25-0x0000000000400000-0x0000000000432000-memory.dmp	family_stormkitty

Blocklisted process makes network request 6 IoCs

flow	pid	Process
349	3772	RuntimeBroker.exe
350	3772	RuntimeBroker.exe
351	3772	RuntimeBroker.exe
352	3772	RuntimeBroker.exe
353	3772	RuntimeBroker.exe
354	3772	RuntimeBroker.exe

Checks computer location settings 2 TTPs 64 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\Control Panel\International\Geo\Nation	RebelCracked.exe
Key value queried	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\Control Panel\International\Geo\Nation	RebelCracked.exe
Key value queried	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\Control Panel\International\Geo\Nation	RebelCracked.exe
Key value queried	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\Control Panel\International\Geo\Nation	Process not Found
Key value queried	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\Control Panel\International\Geo\Nation	RebelCracked.exe
Key value queried	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\Control Panel\International\Geo\Nation	RebelCracked.exe
Key value queried	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\Control Panel\International\Geo\Nation	RebelCracked.exe
Key value queried	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\Control Panel\International\Geo\Nation	RebelCracked.exe
Key value queried	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\Control Panel\International\Geo\Nation	Process not Found
Key value queried	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\Control Panel\International\Geo\Nation	Process not Found
Key value queried	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\Control Panel\International\Geo\Nation	RebelCracked.exe
Key value queried	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\Control Panel\International\Geo\Nation	RebelCracked.exe
Key value queried	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\Control Panel\International\Geo\Nation	RebelCracked.exe
Key value queried	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\Control Panel\International\Geo\Nation	RebelCracked.exe
Key value queried	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\Control Panel\International\Geo\Nation	Process not Found
Key value queried	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\Control Panel\International\Geo\Nation	Process not Found
Key value queried	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\Control Panel\International\Geo\Nation	Process not Found
Key value queried	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\Control Panel\International\Geo\Nation	RebelCracked.exe
Key value queried	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\Control Panel\International\Geo\Nation	RebelCracked.exe
Key value queried	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\Control Panel\International\Geo\Nation	RebelCracked.exe
Key value queried	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\Control Panel\International\Geo\Nation	RebelCracked.exe
Key value queried	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\Control Panel\International\Geo\Nation	Process not Found
Key value queried	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\Control Panel\International\Geo\Nation	RebelCracked.exe
Key value queried	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\Control Panel\International\Geo\Nation	RebelCracked.exe
Key value queried	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\Control Panel\International\Geo\Nation	RebelCracked.exe
Key value queried	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\Control Panel\International\Geo\Nation	RebelCracked.exe
Key value queried	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\Control Panel\International\Geo\Nation	RebelCracked.exe
Key value queried	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\Control Panel\International\Geo\Nation	RebelCracked.exe
Key value queried	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\Control Panel\International\Geo\Nation	Process not Found
Key value queried	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\Control Panel\International\Geo\Nation	Process not Found
Key value queried	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\Control Panel\International\Geo\Nation	RebelCracked.exe
Key value queried	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\Control Panel\International\Geo\Nation	RebelCracked.exe
Key value queried	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\Control Panel\International\Geo\Nation	Process not Found
Key value queried	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\Control Panel\International\Geo\Nation	RebelCracked.exe
Key value queried	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\Control Panel\International\Geo\Nation	RebelCracked.exe
Key value queried	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\Control Panel\International\Geo\Nation	RebelCracked.exe
Key value queried	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\Control Panel\International\Geo\Nation	RebelCracked.exe
Key value queried	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\Control Panel\International\Geo\Nation	RebelCracked.exe
Key value queried	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\Control Panel\International\Geo\Nation	RebelCracked.exe
Key value queried	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\Control Panel\International\Geo\Nation	RebelCracked.exe
Key value queried	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\Control Panel\International\Geo\Nation	RebelCracked.exe
Key value queried	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\Control Panel\International\Geo\Nation	Process not Found
Key value queried	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\Control Panel\International\Geo\Nation	RebelCracked.exe
Key value queried	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\Control Panel\International\Geo\Nation	RebelCracked.exe
Key value queried	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\Control Panel\International\Geo\Nation	RebelCracked.exe
Key value queried	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\Control Panel\International\Geo\Nation	Process not Found
Key value queried	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\Control Panel\International\Geo\Nation	Process not Found
Key value queried	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\Control Panel\International\Geo\Nation	RebelCracked.exe
Key value queried	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\Control Panel\International\Geo\Nation	RebelCracked.exe
Key value queried	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\Control Panel\International\Geo\Nation	RebelCracked.exe
Key value queried	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\Control Panel\International\Geo\Nation	RebelCracked.exe
Key value queried	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\Control Panel\International\Geo\Nation	RebelCracked.exe
Key value queried	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\Control Panel\International\Geo\Nation	RebelCracked.exe
Key value queried	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\Control Panel\International\Geo\Nation	RebelCracked.exe
Key value queried	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\Control Panel\International\Geo\Nation	RebelCracked.exe
Key value queried	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\Control Panel\International\Geo\Nation	Process not Found
Key value queried	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\Control Panel\International\Geo\Nation	RebelCracked.exe
Key value queried	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\Control Panel\International\Geo\Nation	RebelCracked.exe
Key value queried	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\Control Panel\International\Geo\Nation	RebelCracked.exe
Key value queried	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\Control Panel\International\Geo\Nation	RebelCracked.exe
Key value queried	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\Control Panel\International\Geo\Nation	RebelCracked.exe
Key value queried	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\Control Panel\International\Geo\Nation	RebelCracked.exe
Key value queried	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\Control Panel\International\Geo\Nation	Process not Found
Key value queried	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\Control Panel\International\Geo\Nation	Process not Found

Executes dropped EXE 64 IoCs

pid	Process
3344	RuntimeBroker.exe
3540	RuntimeBroker.exe
1860	RuntimeBroker.exe
3100	RuntimeBroker.exe
1080	RuntimeBroker.exe
744	RuntimeBroker.exe
3908	RuntimeBroker.exe
2196	RuntimeBroker.exe
4872	RuntimeBroker.exe
2868	RuntimeBroker.exe
4464	RuntimeBroker.exe
2536	RuntimeBroker.exe
4692	RuntimeBroker.exe
3612	RuntimeBroker.exe
4408	RuntimeBroker.exe
1436	RuntimeBroker.exe
4116	RuntimeBroker.exe
1688	RuntimeBroker.exe
5100	RuntimeBroker.exe
4756	RuntimeBroker.exe
5536	RuntimeBroker.exe
5660	RuntimeBroker.exe
5280	RuntimeBroker.exe
624	RuntimeBroker.exe
5584	RuntimeBroker.exe
5040	RuntimeBroker.exe
4572	RuntimeBroker.exe
5804	RuntimeBroker.exe
4076	RuntimeBroker.exe
5868	RuntimeBroker.exe
4804	RuntimeBroker.exe
1480	RuntimeBroker.exe
5832	RuntimeBroker.exe
5608	RuntimeBroker.exe
3812	RuntimeBroker.exe
5796	RuntimeBroker.exe
4112	RuntimeBroker.exe
1080	RuntimeBroker.exe
3100	RuntimeBroker.exe
6044	RuntimeBroker.exe
1428	RuntimeBroker.exe
4528	RuntimeBroker.exe
6596	RuntimeBroker.exe
7120	RuntimeBroker.exe
5852	RuntimeBroker.exe
6996	RuntimeBroker.exe
6716	RuntimeBroker.exe
7112	RuntimeBroker.exe
6724	RuntimeBroker.exe
2160	RuntimeBroker.exe
5824	RuntimeBroker.exe
4784	RuntimeBroker.exe
2676	RuntimeBroker.exe
5196	RuntimeBroker.exe
7080	RuntimeBroker.exe
6128	RuntimeBroker.exe
5728	RuntimeBroker.exe
6904	RuntimeBroker.exe
6248	RuntimeBroker.exe
5616	RuntimeBroker.exe
5348	RuntimeBroker.exe
6864	RuntimeBroker.exe
1692	RuntimeBroker.exe
3212	RuntimeBroker.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Drops desktop.ini file(s) 64 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Local\c15762fec1d88668b7893daae5a1a79f\Admin@KVIWLPUJ_en-US\Grabber\DRIVE-C\Users\Admin\Documents\desktop.ini	RuntimeBroker.exe
File created	C:\Users\Admin\AppData\Local\b2a4129d590c5a0f13623e3ce4b6fd11\Admin@KVIWLPUJ_en-US\Grabber\DRIVE-C\Users\Admin\Pictures\Saved Pictures\desktop.ini	RuntimeBroker.exe
File created	C:\Users\Admin\AppData\Local\91c4aa4bb6b92f9696b156a183171088\Admin@KVIWLPUJ_en-US\Grabber\DRIVE-C\Users\Admin\Pictures\Camera Roll\desktop.ini	Process not Found
File created	C:\Users\Admin\AppData\Local\fc7cdc24b837ca3d660e8a7c947b53b5\Admin@KVIWLPUJ_en-US\Grabber\DRIVE-C\Users\Admin\Pictures\desktop.ini	RuntimeBroker.exe
File created	C:\Users\Admin\AppData\Local\7172c801c7048ee96d98d0fcf0037428\Admin@KVIWLPUJ_en-US\Grabber\DRIVE-C\Users\Admin\Pictures\Camera Roll\desktop.ini	Process not Found
File created	C:\Users\Admin\AppData\Local\91c4aa4bb6b92f9696b156a183171088\Admin@KVIWLPUJ_en-US\Grabber\DRIVE-C\Users\Admin\Pictures\desktop.ini	Process not Found
File created	C:\Users\Admin\AppData\Local\7172c801c7048ee96d98d0fcf0037428\Admin@KVIWLPUJ_en-US\Grabber\DRIVE-C\Users\Admin\Pictures\desktop.ini	RuntimeBroker.exe
File created	C:\Users\Admin\AppData\Local\7172c801c7048ee96d98d0fcf0037428\Admin@KVIWLPUJ_en-US\Grabber\DRIVE-C\Users\Admin\Pictures\Saved Pictures\desktop.ini	RuntimeBroker.exe
File created	C:\Users\Admin\AppData\Local\74539204bf59aa420e781862240f3dc7\Admin@KVIWLPUJ_en-US\Grabber\DRIVE-C\Users\Admin\Pictures\desktop.ini	RuntimeBroker.exe
File opened for modification	C:\Users\Admin\AppData\Local\040b5477f88fab961bb3378764c3009c\Admin@KVIWLPUJ_en-US\Grabber\DRIVE-C\Users\Admin\Desktop\desktop.ini	RuntimeBroker.exe
File created	C:\Users\Admin\AppData\Local\91c4aa4bb6b92f9696b156a183171088\Admin@KVIWLPUJ_en-US\Grabber\DRIVE-C\Users\Admin\Desktop\desktop.ini	RuntimeBroker.exe
File created	C:\Users\Admin\AppData\Local\1a33a219d23adc17f0a4eb418b7c9575\Admin@KVIWLPUJ_en-US\Grabber\DRIVE-C\Users\Admin\Desktop\desktop.ini	RuntimeBroker.exe
File created	C:\Users\Admin\AppData\Local\ed7282cf3c7caab5b23a16ba43529fdc\Admin@KVIWLPUJ_en-US\Grabber\DRIVE-C\Users\Admin\Pictures\Saved Pictures\desktop.ini	RuntimeBroker.exe
File opened for modification	C:\Users\Admin\AppData\Local\ed7282cf3c7caab5b23a16ba43529fdc\Admin@KVIWLPUJ_en-US\Grabber\DRIVE-C\Users\Admin\Desktop\desktop.ini	RuntimeBroker.exe
File created	C:\Users\Admin\AppData\Local\b2a4129d590c5a0f13623e3ce4b6fd11\Admin@KVIWLPUJ_en-US\Grabber\DRIVE-C\Users\Admin\Documents\desktop.ini	Process not Found
File created	C:\Users\Admin\AppData\Local\74539204bf59aa420e781862240f3dc7\Admin@KVIWLPUJ_en-US\Grabber\DRIVE-C\Users\Admin\Pictures\desktop.ini	Process not Found
File created	C:\Users\Admin\AppData\Local\ed7282cf3c7caab5b23a16ba43529fdc\Admin@KVIWLPUJ_en-US\Grabber\DRIVE-C\Users\Admin\Pictures\Saved Pictures\desktop.ini	RuntimeBroker.exe
File created	C:\Users\Admin\AppData\Local\11d9d4f3b4d40f0301d279a4756db7d8\Admin@KVIWLPUJ_en-US\Grabber\DRIVE-C\Users\Admin\Pictures\Camera Roll\desktop.ini	RuntimeBroker.exe
File created	C:\Users\Admin\AppData\Local\7172c801c7048ee96d98d0fcf0037428\Admin@KVIWLPUJ_en-US\Grabber\DRIVE-C\Users\Admin\Pictures\Saved Pictures\desktop.ini	RuntimeBroker.exe
File created	C:\Users\Admin\AppData\Local\b2a4129d590c5a0f13623e3ce4b6fd11\Admin@KVIWLPUJ_en-US\Grabber\DRIVE-C\Users\Admin\Downloads\desktop.ini	RuntimeBroker.exe
File created	C:\Users\Admin\AppData\Local\c15762fec1d88668b7893daae5a1a79f\Admin@KVIWLPUJ_en-US\Grabber\DRIVE-C\Users\Admin\Pictures\Camera Roll\desktop.ini	RuntimeBroker.exe
File created	C:\Users\Admin\AppData\Local\b2a4129d590c5a0f13623e3ce4b6fd11\Admin@KVIWLPUJ_en-US\Grabber\DRIVE-C\Users\Admin\Pictures\desktop.ini	RuntimeBroker.exe
File created	C:\Users\Admin\AppData\Local\c15762fec1d88668b7893daae5a1a79f\Admin@KVIWLPUJ_en-US\Grabber\DRIVE-C\Users\Admin\Documents\desktop.ini	RuntimeBroker.exe
File created	C:\Users\Admin\AppData\Local\7172c801c7048ee96d98d0fcf0037428\Admin@KVIWLPUJ_en-US\Grabber\DRIVE-C\Users\Admin\Desktop\desktop.ini	RuntimeBroker.exe
File created	C:\Users\Admin\AppData\Local\c15762fec1d88668b7893daae5a1a79f\Admin@KVIWLPUJ_en-US\Grabber\DRIVE-C\Users\Admin\Pictures\Saved Pictures\desktop.ini	Process not Found
File created	C:\Users\Admin\AppData\Local\ed7282cf3c7caab5b23a16ba43529fdc\Admin@KVIWLPUJ_en-US\Grabber\DRIVE-C\Users\Admin\Documents\desktop.ini	RuntimeBroker.exe
File created	C:\Users\Admin\AppData\Local\c15762fec1d88668b7893daae5a1a79f\Admin@KVIWLPUJ_en-US\Grabber\DRIVE-C\Users\Admin\Downloads\desktop.ini	RuntimeBroker.exe
File created	C:\Users\Admin\AppData\Local\1a33a219d23adc17f0a4eb418b7c9575\Admin@KVIWLPUJ_en-US\Grabber\DRIVE-C\Users\Admin\Documents\desktop.ini	RuntimeBroker.exe
File created	C:\Users\Admin\AppData\Local\74539204bf59aa420e781862240f3dc7\Admin@KVIWLPUJ_en-US\Grabber\DRIVE-C\Users\Admin\Desktop\desktop.ini	RuntimeBroker.exe
File created	C:\Users\Admin\AppData\Local\91c4aa4bb6b92f9696b156a183171088\Admin@KVIWLPUJ_en-US\Grabber\DRIVE-C\Users\Admin\Downloads\desktop.ini	RuntimeBroker.exe
File created	C:\Users\Admin\AppData\Local\fc7cdc24b837ca3d660e8a7c947b53b5\Admin@KVIWLPUJ_en-US\Grabber\DRIVE-C\Users\Admin\Pictures\Saved Pictures\desktop.ini	RuntimeBroker.exe
File created	C:\Users\Admin\AppData\Local\ed7282cf3c7caab5b23a16ba43529fdc\Admin@KVIWLPUJ_en-US\Grabber\DRIVE-C\Users\Admin\Pictures\Saved Pictures\desktop.ini	RuntimeBroker.exe
File created	C:\Users\Admin\AppData\Local\b2a4129d590c5a0f13623e3ce4b6fd11\Admin@KVIWLPUJ_en-US\Grabber\DRIVE-C\Users\Admin\Desktop\desktop.ini	Process not Found
File created	C:\Users\Admin\AppData\Local\11d9d4f3b4d40f0301d279a4756db7d8\Admin@KVIWLPUJ_en-US\Grabber\DRIVE-C\Users\Admin\Desktop\desktop.ini	RuntimeBroker.exe
File created	C:\Users\Admin\AppData\Local\74539204bf59aa420e781862240f3dc7\Admin@KVIWLPUJ_en-US\Grabber\DRIVE-C\Users\Admin\Downloads\desktop.ini	RuntimeBroker.exe
File created	C:\Users\Admin\AppData\Local\c15762fec1d88668b7893daae5a1a79f\Admin@KVIWLPUJ_en-US\Grabber\DRIVE-C\Users\Admin\Downloads\desktop.ini	RuntimeBroker.exe
File created	C:\Users\Admin\AppData\Local\fc7cdc24b837ca3d660e8a7c947b53b5\Admin@KVIWLPUJ_en-US\Grabber\DRIVE-C\Users\Admin\Pictures\Camera Roll\desktop.ini	RuntimeBroker.exe
File created	C:\Users\Admin\AppData\Local\11d9d4f3b4d40f0301d279a4756db7d8\Admin@KVIWLPUJ_en-US\Grabber\DRIVE-C\Users\Admin\Pictures\Camera Roll\desktop.ini	RuntimeBroker.exe
File created	C:\Users\Admin\AppData\Local\91c4aa4bb6b92f9696b156a183171088\Admin@KVIWLPUJ_en-US\Grabber\DRIVE-C\Users\Admin\Pictures\Camera Roll\desktop.ini	RuntimeBroker.exe
File created	C:\Users\Admin\AppData\Local\fc7cdc24b837ca3d660e8a7c947b53b5\Admin@KVIWLPUJ_en-US\Grabber\DRIVE-C\Users\Admin\Pictures\Camera Roll\desktop.ini	RuntimeBroker.exe
File created	C:\Users\Admin\AppData\Local\ed7282cf3c7caab5b23a16ba43529fdc\Admin@KVIWLPUJ_en-US\Grabber\DRIVE-C\Users\Admin\Desktop\desktop.ini	RuntimeBroker.exe
File created	C:\Users\Admin\AppData\Local\1a33a219d23adc17f0a4eb418b7c9575\Admin@KVIWLPUJ_en-US\Grabber\DRIVE-C\Users\Admin\Pictures\desktop.ini	RuntimeBroker.exe
File created	C:\Users\Admin\AppData\Local\c15762fec1d88668b7893daae5a1a79f\Admin@KVIWLPUJ_en-US\Grabber\DRIVE-C\Users\Admin\Downloads\desktop.ini	RuntimeBroker.exe
File created	C:\Users\Admin\AppData\Local\ed7282cf3c7caab5b23a16ba43529fdc\Admin@KVIWLPUJ_en-US\Grabber\DRIVE-C\Users\Admin\Downloads\desktop.ini	RuntimeBroker.exe
File created	C:\Users\Admin\AppData\Local\c15762fec1d88668b7893daae5a1a79f\Admin@KVIWLPUJ_en-US\Grabber\DRIVE-C\Users\Admin\Pictures\Camera Roll\desktop.ini	Process not Found
File created	C:\Users\Admin\AppData\Local\7172c801c7048ee96d98d0fcf0037428\Admin@KVIWLPUJ_en-US\Grabber\DRIVE-C\Users\Admin\Pictures\Camera Roll\desktop.ini	RuntimeBroker.exe
File created	C:\Users\Admin\AppData\Local\b2a4129d590c5a0f13623e3ce4b6fd11\Admin@KVIWLPUJ_en-US\Grabber\DRIVE-C\Users\Admin\Desktop\desktop.ini	RuntimeBroker.exe
File created	C:\Users\Admin\AppData\Local\b2a4129d590c5a0f13623e3ce4b6fd11\Admin@KVIWLPUJ_en-US\Grabber\DRIVE-C\Users\Admin\Pictures\Camera Roll\desktop.ini	Process not Found
File created	C:\Users\Admin\AppData\Local\11d9d4f3b4d40f0301d279a4756db7d8\Admin@KVIWLPUJ_en-US\Grabber\DRIVE-C\Users\Admin\Pictures\Saved Pictures\desktop.ini	RuntimeBroker.exe
File created	C:\Users\Admin\AppData\Local\91c4aa4bb6b92f9696b156a183171088\Admin@KVIWLPUJ_en-US\Grabber\DRIVE-C\Users\Admin\Desktop\desktop.ini	Process not Found
File created	C:\Users\Admin\AppData\Local\91c4aa4bb6b92f9696b156a183171088\Admin@KVIWLPUJ_en-US\Grabber\DRIVE-C\Users\Admin\Pictures\Camera Roll\desktop.ini	RuntimeBroker.exe
File created	C:\Users\Admin\AppData\Local\ed7282cf3c7caab5b23a16ba43529fdc\Admin@KVIWLPUJ_en-US\Grabber\DRIVE-C\Users\Admin\Downloads\desktop.ini	RuntimeBroker.exe
File created	C:\Users\Admin\AppData\Local\ed7282cf3c7caab5b23a16ba43529fdc\Admin@KVIWLPUJ_en-US\Grabber\DRIVE-C\Users\Admin\Documents\desktop.ini	RuntimeBroker.exe
File created	C:\Users\Admin\AppData\Local\91c4aa4bb6b92f9696b156a183171088\Admin@KVIWLPUJ_en-US\Grabber\DRIVE-C\Users\Admin\Downloads\desktop.ini	RuntimeBroker.exe
File created	C:\Users\Admin\AppData\Local\fc7cdc24b837ca3d660e8a7c947b53b5\Admin@KVIWLPUJ_en-US\Grabber\DRIVE-C\Users\Admin\Downloads\desktop.ini	RuntimeBroker.exe
File created	C:\Users\Admin\AppData\Local\c15762fec1d88668b7893daae5a1a79f\Admin@KVIWLPUJ_en-US\Grabber\DRIVE-C\Users\Admin\Documents\desktop.ini	RuntimeBroker.exe
File created	C:\Users\Admin\AppData\Local\91c4aa4bb6b92f9696b156a183171088\Admin@KVIWLPUJ_en-US\Grabber\DRIVE-C\Users\Admin\Documents\desktop.ini	RuntimeBroker.exe
File created	C:\Users\Admin\AppData\Local\7172c801c7048ee96d98d0fcf0037428\Admin@KVIWLPUJ_en-US\Grabber\DRIVE-C\Users\Admin\Pictures\Saved Pictures\desktop.ini	RuntimeBroker.exe
File opened for modification	C:\Users\Admin\AppData\Local\fc7cdc24b837ca3d660e8a7c947b53b5\Admin@KVIWLPUJ_en-US\Grabber\DRIVE-C\Users\Admin\Desktop\desktop.ini	RuntimeBroker.exe
File created	C:\Users\Admin\AppData\Local\040b5477f88fab961bb3378764c3009c\Admin@KVIWLPUJ_en-US\Grabber\DRIVE-C\Users\Admin\Pictures\desktop.ini	RuntimeBroker.exe
File created	C:\Users\Admin\AppData\Local\7172c801c7048ee96d98d0fcf0037428\Admin@KVIWLPUJ_en-US\Grabber\DRIVE-C\Users\Admin\Documents\desktop.ini	Process not Found
File opened for modification	C:\Users\Admin\AppData\Local\040b5477f88fab961bb3378764c3009c\Admin@KVIWLPUJ_en-US\Grabber\DRIVE-C\Users\Admin\Desktop\desktop.ini	RuntimeBroker.exe
File opened for modification	C:\Users\Admin\AppData\Local\91c4aa4bb6b92f9696b156a183171088\Admin@KVIWLPUJ_en-US\Grabber\DRIVE-C\Users\Admin\Desktop\desktop.ini	RuntimeBroker.exe
File created	C:\Users\Admin\AppData\Local\7172c801c7048ee96d98d0fcf0037428\Admin@KVIWLPUJ_en-US\Grabber\DRIVE-C\Users\Admin\Pictures\Camera Roll\desktop.ini	RuntimeBroker.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 64 IoCs

Web Service

T1102

flow	ioc
269	pastebin.com
547	pastebin.com
581	pastebin.com
612	pastebin.com
618	pastebin.com
747	pastebin.com
749	pastebin.com
776	pastebin.com
118	pastebin.com
400	pastebin.com
522	pastebin.com
557	pastebin.com
730	pastebin.com
743	pastebin.com
123	pastebin.com
342	pastebin.com
463	pastebin.com
528	pastebin.com
574	pastebin.com
746	pastebin.com
762	pastebin.com
452	pastebin.com
807	pastebin.com
854	pastebin.com
927	pastebin.com
62	pastebin.com
296	pastebin.com
309	pastebin.com
353	pastebin.com
363	pastebin.com
605	pastebin.com
750	pastebin.com
929	pastebin.com
70	pastebin.com
327	pastebin.com
430	pastebin.com
490	pastebin.com
744	pastebin.com
748	pastebin.com
365	pastebin.com
589	pastebin.com
76	pastebin.com
270	pastebin.com
288	pastebin.com
625	pastebin.com
745	pastebin.com
825	pastebin.com
197	pastebin.com
341	pastebin.com
423	pastebin.com
835	pastebin.com
843	pastebin.com
281	pastebin.com
422	pastebin.com
511	pastebin.com
563	pastebin.com
742	pastebin.com
814	pastebin.com
513	pastebin.com
766	pastebin.com
902	pastebin.com
171	pastebin.com
257	pastebin.com
457	pastebin.com

Looks up external IP address via web service 2 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
52	icanhazip.com
565	icanhazip.com

Looks up geolocation information via web service
Uses a legitimate geolocation service to find the infected system's geolocation info.

Suspicious use of SetThreadContext 64 IoCs

description	pid	Process	procid_target
PID 3344 set thread context of 3540	3344	RuntimeBroker.exe	84
PID 1860 set thread context of 3100	1860	RuntimeBroker.exe	87
PID 1080 set thread context of 744	1080	RuntimeBroker.exe	94
PID 3908 set thread context of 2196	3908	RuntimeBroker.exe	98
PID 4872 set thread context of 2868	4872	RuntimeBroker.exe	114
PID 4464 set thread context of 2536	4464	RuntimeBroker.exe	122
PID 4692 set thread context of 3612	4692	RuntimeBroker.exe	127
PID 4408 set thread context of 1436	4408	RuntimeBroker.exe	134
PID 4116 set thread context of 1688	4116	RuntimeBroker.exe	137
PID 5100 set thread context of 4756	5100	RuntimeBroker.exe	140
PID 5536 set thread context of 5660	5536	RuntimeBroker.exe	484
PID 5280 set thread context of 624	5280	RuntimeBroker.exe	162
PID 5584 set thread context of 5040	5584	RuntimeBroker.exe	2523
PID 4572 set thread context of 5804	4572	RuntimeBroker.exe	2737
PID 4076 set thread context of 5868	4076	RuntimeBroker.exe	3116
PID 4804 set thread context of 1480	4804	RuntimeBroker.exe	2900
PID 5832 set thread context of 5608	5832	RuntimeBroker.exe	2367
PID 3812 set thread context of 5796	3812	RuntimeBroker.exe	2922
PID 4112 set thread context of 1080	4112	RuntimeBroker.exe	2609
PID 3100 set thread context of 6044	3100	RuntimeBroker.exe	4385
PID 1428 set thread context of 4528	1428	RuntimeBroker.exe	5337
PID 6596 set thread context of 7120	6596	RuntimeBroker.exe	6009
PID 5852 set thread context of 6996	5852	RuntimeBroker.exe	4235
PID 6716 set thread context of 7112	6716	RuntimeBroker.exe	5877
PID 6724 set thread context of 2160	6724	RuntimeBroker.exe	6427
PID 5824 set thread context of 4784	5824	RuntimeBroker.exe	7048
PID 2676 set thread context of 5196	2676	RuntimeBroker.exe	5015
PID 7080 set thread context of 6128	7080	RuntimeBroker.exe	7056
PID 5728 set thread context of 6904	5728	RuntimeBroker.exe	7049
PID 6248 set thread context of 5616	6248	RuntimeBroker.exe	7750
PID 5348 set thread context of 6864	5348	RuntimeBroker.exe	8750
PID 1692 set thread context of 3212	1692	RuntimeBroker.exe	8340
PID 1448 set thread context of 6860	1448	RuntimeBroker.exe	8488
PID 2356 set thread context of 5036	2356	RuntimeBroker.exe	6725
PID 6600 set thread context of 6616	6600	RuntimeBroker.exe	6735
PID 4184 set thread context of 6692	4184	RuntimeBroker.exe	8266
PID 3560 set thread context of 6600	3560	RuntimeBroker.exe	10422
PID 6784 set thread context of 5076	6784	RuntimeBroker.exe	9570
PID 5164 set thread context of 6236	5164	RuntimeBroker.exe	9524
PID 3632 set thread context of 6432	3632	RuntimeBroker.exe	10877
PID 5556 set thread context of 628	5556	RuntimeBroker.exe	11290
PID 6436 set thread context of 5596	6436	RuntimeBroker.exe	11351
PID 7148 set thread context of 4852	7148	RuntimeBroker.exe	9871
PID 5664 set thread context of 6308	5664	RuntimeBroker.exe	10461
PID 2676 set thread context of 3772	2676	RuntimeBroker.exe	1286
PID 6076 set thread context of 6060	6076	RuntimeBroker.exe	12007
PID 5660 set thread context of 6740	5660	RuntimeBroker.exe	9828
PID 6204 set thread context of 1100	6204	RuntimeBroker.exe	11564
PID 6460 set thread context of 1980	6460	RuntimeBroker.exe	12448
PID 2464 set thread context of 404	2464	RuntimeBroker.exe	13983
PID 1576 set thread context of 6096	1576	RuntimeBroker.exe	10609
PID 1944 set thread context of 4472	1944	RuntimeBroker.exe	14310
PID 2436 set thread context of 2332	2436	RuntimeBroker.exe	14028
PID 6608 set thread context of 5708	6608	RuntimeBroker.exe	12050
PID 5496 set thread context of 6568	5496	RuntimeBroker.exe	11729
PID 5460 set thread context of 7016	5460	RuntimeBroker.exe	15114
PID 2356 set thread context of 6816	2356	RuntimeBroker.exe	12019
PID 2020 set thread context of 4872	2020	RuntimeBroker.exe	16473
PID 5544 set thread context of 5720	5544	RuntimeBroker.exe	11838
PID 5936 set thread context of 3952	5936	RuntimeBroker.exe	16617
PID 6312 set thread context of 6884	6312	RuntimeBroker.exe	17409
PID 6984 set thread context of 7316	6984	RuntimeBroker.exe	16934
PID 7060 set thread context of 5860	7060	RuntimeBroker.exe	17528
PID 7360 set thread context of 7432	7360	RuntimeBroker.exe	10208

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Event Triggered Execution: Netsh Helper DLL 1 TTPs 64 IoCs

Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

persistence privilege_escalation

Netsh Helper DLL

T1546.007

description	ioc	Process
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	Process not Found
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	Process not Found
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	Process not Found
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	Process not Found
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	Process not Found
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	Process not Found
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	Process not Found
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	Process not Found
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	Process not Found
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	Process not Found
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	Process not Found
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	Process not Found
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	Process not Found
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	Process not Found
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	Process not Found
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	Process not Found
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	Process not Found
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	Process not Found
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	Process not Found
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	Process not Found
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	Process not Found
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	Process not Found
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	Process not Found
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	Process not Found
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	Process not Found
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	Process not Found
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
8312	780	Process not Found	1688

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	chcp.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RuntimeBroker.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RuntimeBroker.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RuntimeBroker.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	chcp.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RuntimeBroker.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	findstr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	chcp.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RuntimeBroker.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	chcp.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RuntimeBroker.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RuntimeBroker.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RuntimeBroker.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	chcp.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RuntimeBroker.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RuntimeBroker.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	chcp.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RuntimeBroker.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RuntimeBroker.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	findstr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RuntimeBroker.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RuntimeBroker.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	findstr.exe

System Network Configuration Discovery: Wi-Fi Discovery 1 TTPs 64 IoCs

Adversaries may search for information about Wi-Fi networks, such as network names and passwords, on compromised systems.

discovery

Wi-Fi Discovery

T1016.002

pid	Process
5220	netsh.exe
5728	netsh.exe
6792	cmd.exe
1612	cmd.exe
5992	netsh.exe
920	netsh.exe
6716	netsh.exe
180	cmd.exe
7752	Process not Found
5340	cmd.exe
7672	netsh.exe
8572	netsh.exe
5228	netsh.exe
7668	cmd.exe
4784	Process not Found
8500	Process not Found
5732	netsh.exe
3340	cmd.exe
6864	netsh.exe
4376	Process not Found
7484	cmd.exe
8800	Process not Found
7940	netsh.exe
8848	netsh.exe
8452	netsh.exe
4892	cmd.exe
1604	cmd.exe
4780	Process not Found
6480	cmd.exe
7144	netsh.exe
7452	netsh.exe
1460	cmd.exe
9204	Process not Found
8728	netsh.exe
8876	netsh.exe
8456	netsh.exe
5340	cmd.exe
7032	netsh.exe
6076	netsh.exe
4088	cmd.exe
6632	Process not Found
8048	Process not Found
1880	Process not Found
9208	netsh.exe
7972	Process not Found
9228	Process not Found
5284	netsh.exe
2152	cmd.exe
3420	cmd.exe
7112	cmd.exe
5152	netsh.exe
1068	cmd.exe
6704	Process not Found
8112	cmd.exe
10148	Process not Found
5908	netsh.exe
2456	netsh.exe
3368	netsh.exe
3972	cmd.exe
8908	Process not Found
8848	Process not Found
7376	Process not Found
6756	cmd.exe
5536	cmd.exe

Checks SCSI registry key(s) 3 TTPs 6 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_WDC&PROD_WDS100T2B0A\4&215468A5&0&000000	Process not Found
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\ConfigFlags	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_QEMU&PROD_QEMU_DVD-ROM\4&215468A5&0&010000	Process not Found
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\ConfigFlags	Process not Found
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\HardwareID	Process not Found
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\HardwareID	Process not Found

Checks processor information in registry 2 TTPs 64 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	RuntimeBroker.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	RuntimeBroker.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\Description\System\CentralProcessor\0	RuntimeBroker.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\Description\System\CentralProcessor\0	Process not Found
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	Process not Found
Key opened	\REGISTRY\MACHINE\HARDWARE\Description\System\CentralProcessor\0	RuntimeBroker.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	RuntimeBroker.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	RuntimeBroker.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\Description\System\CentralProcessor\0	RuntimeBroker.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	RuntimeBroker.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	RuntimeBroker.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	RuntimeBroker.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	Process not Found
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	Process not Found
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	RuntimeBroker.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	Process not Found
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	RuntimeBroker.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\Description\System\CentralProcessor\0	RuntimeBroker.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	RuntimeBroker.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\Description\System\CentralProcessor\0	Process not Found
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	RuntimeBroker.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	RuntimeBroker.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	RuntimeBroker.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	RuntimeBroker.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\Description\System\CentralProcessor\0	RuntimeBroker.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	Process not Found
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\Description\System\CentralProcessor\0	Process not Found
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	RuntimeBroker.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	RuntimeBroker.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	RuntimeBroker.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	RuntimeBroker.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	RuntimeBroker.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	RuntimeBroker.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	RuntimeBroker.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\Description\System\CentralProcessor\0	RuntimeBroker.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	RuntimeBroker.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	RuntimeBroker.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	RuntimeBroker.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\Description\System\CentralProcessor\0	RuntimeBroker.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	RuntimeBroker.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\Description\System\CentralProcessor\0	Process not Found
Key opened	\REGISTRY\MACHINE\HARDWARE\Description\System\CentralProcessor\0	RuntimeBroker.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	RuntimeBroker.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\Description\System\CentralProcessor\0	RuntimeBroker.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\Description\System\CentralProcessor\0	RuntimeBroker.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	RuntimeBroker.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\Description\System\CentralProcessor\0	RuntimeBroker.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\Description\System\CentralProcessor\0	RuntimeBroker.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\Description\System\CentralProcessor\0	RuntimeBroker.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	RuntimeBroker.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\Description\System\CentralProcessor\0	RuntimeBroker.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	RuntimeBroker.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\Description\System\CentralProcessor\0	RuntimeBroker.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	Process not Found
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	RuntimeBroker.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\Description\System\CentralProcessor\0	RuntimeBroker.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	Process not Found
Key opened	\REGISTRY\MACHINE\HARDWARE\Description\System\CentralProcessor\0	RuntimeBroker.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	RuntimeBroker.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	Process not Found
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	Process not Found
Key opened	\REGISTRY\MACHINE\HARDWARE\Description\System\CentralProcessor\0	RuntimeBroker.exe

Enumerates system info in registry 2 TTPs 7 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	Process not Found
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	Process not Found

Modifies data under HKEY_USERS 18 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	Process not Found
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E	Process not Found
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache	Process not Found
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	Process not Found
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates	Process not Found
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	Process not Found
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates	Process not Found
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies	Process not Found
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	Process not Found
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	Process not Found
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	Process not Found
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	Process not Found
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft	Process not Found
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	Process not Found
Key created	\REGISTRY\USER\.DEFAULT\Software	Process not Found
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	Process not Found
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	Process not Found
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	Process not Found

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-523280732-2327480845-3730041215-1000\{AEEDE87D-6204-4EC5-BF7C-EA086DD1D02D}	msedge.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3540	RuntimeBroker.exe
3540	RuntimeBroker.exe
3604	msedge.exe
3604	msedge.exe
1572	msedge.exe
1572	msedge.exe
3100	RuntimeBroker.exe
3100	RuntimeBroker.exe
3100	RuntimeBroker.exe
3540	RuntimeBroker.exe
3540	RuntimeBroker.exe
744	RuntimeBroker.exe
744	RuntimeBroker.exe
744	RuntimeBroker.exe
3540	RuntimeBroker.exe
3540	RuntimeBroker.exe
3100	RuntimeBroker.exe
3100	RuntimeBroker.exe
3540	RuntimeBroker.exe
3540	RuntimeBroker.exe
2196	RuntimeBroker.exe
2196	RuntimeBroker.exe
2196	RuntimeBroker.exe
3100	RuntimeBroker.exe
3100	RuntimeBroker.exe
3540	RuntimeBroker.exe
3540	RuntimeBroker.exe
3540	RuntimeBroker.exe
3540	RuntimeBroker.exe
3100	RuntimeBroker.exe
3100	RuntimeBroker.exe
3540	RuntimeBroker.exe
3540	RuntimeBroker.exe
3100	RuntimeBroker.exe
3100	RuntimeBroker.exe
744	RuntimeBroker.exe
744	RuntimeBroker.exe
744	RuntimeBroker.exe
744	RuntimeBroker.exe
3540	RuntimeBroker.exe
3540	RuntimeBroker.exe
744	RuntimeBroker.exe
744	RuntimeBroker.exe
3540	RuntimeBroker.exe
3540	RuntimeBroker.exe
3100	RuntimeBroker.exe
3100	RuntimeBroker.exe
3100	RuntimeBroker.exe
3100	RuntimeBroker.exe
2868	RuntimeBroker.exe
2868	RuntimeBroker.exe
2868	RuntimeBroker.exe
3100	RuntimeBroker.exe
3100	RuntimeBroker.exe
3540	RuntimeBroker.exe
3540	RuntimeBroker.exe
744	RuntimeBroker.exe
744	RuntimeBroker.exe
3100	RuntimeBroker.exe
3100	RuntimeBroker.exe
2196	RuntimeBroker.exe
2196	RuntimeBroker.exe
3540	RuntimeBroker.exe
3540	RuntimeBroker.exe

Suspicious behavior: LoadsDriver 64 IoCs

pid	Process
8988	Process not Found
10912	Process not Found
8976	Process not Found
6556	Process not Found
584	Process not Found
8044	Process not Found
3588	Process not Found
7204	Process not Found
2568	Process not Found
7164	Process not Found
7384	Process not Found
2516	Process not Found
10076	Process not Found
6476	Process not Found
552	Process not Found
4772	Process not Found
8220	Process not Found
8896	Process not Found
6332	Process not Found
9440	Process not Found
7796	Process not Found
9476	Process not Found
11160	Process not Found
8376	Process not Found
7936	Process not Found
4208	Process not Found
6076	Process not Found
6524	Process not Found
9496	Process not Found
8800	Process not Found
7856	Process not Found
6588	Process not Found
2628	Process not Found
1464	Process not Found
7944	Process not Found
8740	Process not Found
8916	Process not Found
6516	Process not Found
3340	Process not Found
7388	Process not Found
6008	Process not Found
10292	Process not Found
9972	Process not Found
9988	Process not Found
4784	Process not Found
6904	Process not Found
3616	Process not Found
2644	Process not Found
4676	Process not Found
10360	Process not Found
10932	Process not Found
8672	Process not Found
6128	Process not Found
5020	Process not Found
10068	Process not Found
5196	Process not Found
3880	Process not Found
10356	Process not Found
10372	Process not Found
10492	Process not Found
10136	Process not Found
8852	Process not Found
5144	Process not Found
336	Process not Found

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 18 IoCs

pid	Process
1572	msedge.exe
1572	msedge.exe
1572	msedge.exe
1572	msedge.exe
1572	msedge.exe
1572	msedge.exe
1572	msedge.exe
1572	msedge.exe
1572	msedge.exe
1572	msedge.exe
1572	msedge.exe
1572	msedge.exe
1572	msedge.exe
1572	msedge.exe
1572	msedge.exe
1572	msedge.exe
1572	msedge.exe
1572	msedge.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	3540	RuntimeBroker.exe
Token: SeDebugPrivilege	3100	RuntimeBroker.exe
Token: SeDebugPrivilege	744	RuntimeBroker.exe
Token: SeDebugPrivilege	2196	RuntimeBroker.exe
Token: SeDebugPrivilege	2868	RuntimeBroker.exe
Token: SeDebugPrivilege	2536	RuntimeBroker.exe
Token: SeDebugPrivilege	3612	RuntimeBroker.exe
Token: SeDebugPrivilege	1436	RuntimeBroker.exe
Token: SeDebugPrivilege	1688	RuntimeBroker.exe
Token: SeDebugPrivilege	4756	RuntimeBroker.exe
Token: SeDebugPrivilege	5660	RuntimeBroker.exe
Token: SeDebugPrivilege	624	RuntimeBroker.exe
Token: SeDebugPrivilege	5040	RuntimeBroker.exe
Token: SeDebugPrivilege	5804	RuntimeBroker.exe
Token: SeDebugPrivilege	5868	RuntimeBroker.exe
Token: SeDebugPrivilege	1480	RuntimeBroker.exe
Token: SeDebugPrivilege	5608	RuntimeBroker.exe
Token: SeDebugPrivilege	5796	RuntimeBroker.exe
Token: SeDebugPrivilege	1080	RuntimeBroker.exe
Token: SeDebugPrivilege	6044	RuntimeBroker.exe
Token: SeDebugPrivilege	4528	RuntimeBroker.exe
Token: SeDebugPrivilege	7120	RuntimeBroker.exe
Token: SeDebugPrivilege	6996	RuntimeBroker.exe
Token: SeDebugPrivilege	7112	RuntimeBroker.exe
Token: SeDebugPrivilege	2160	RuntimeBroker.exe
Token: SeDebugPrivilege	4784	RuntimeBroker.exe
Token: SeDebugPrivilege	5196	RuntimeBroker.exe
Token: SeDebugPrivilege	6128	RuntimeBroker.exe
Token: SeDebugPrivilege	6904	RuntimeBroker.exe
Token: SeDebugPrivilege	5616	RuntimeBroker.exe
Token: 33	1964	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	1964	AUDIODG.EXE
Token: SeDebugPrivilege	6864	RuntimeBroker.exe
Token: SeDebugPrivilege	3212	RuntimeBroker.exe
Token: SeDebugPrivilege	6860	RuntimeBroker.exe
Token: SeDebugPrivilege	5036	RuntimeBroker.exe
Token: SeDebugPrivilege	6616	RuntimeBroker.exe
Token: SeDebugPrivilege	6692	RuntimeBroker.exe
Token: SeDebugPrivilege	6600	RuntimeBroker.exe
Token: SeDebugPrivilege	5076	RuntimeBroker.exe
Token: SeDebugPrivilege	6236	RuntimeBroker.exe
Token: SeDebugPrivilege	6432	RuntimeBroker.exe
Token: SeDebugPrivilege	628	RuntimeBroker.exe
Token: SeDebugPrivilege	5596	RuntimeBroker.exe
Token: SeDebugPrivilege	4852	RuntimeBroker.exe
Token: SeDebugPrivilege	6308	RuntimeBroker.exe
Token: SeDebugPrivilege	3772	RuntimeBroker.exe
Token: SeDebugPrivilege	6060	RuntimeBroker.exe
Token: SeDebugPrivilege	6740	RuntimeBroker.exe
Token: SeDebugPrivilege	1100	RuntimeBroker.exe
Token: SeDebugPrivilege	1980	RuntimeBroker.exe
Token: SeDebugPrivilege	6900	RuntimeBroker.exe
Token: SeDebugPrivilege	404	RuntimeBroker.exe
Token: SeDebugPrivilege	6096	RuntimeBroker.exe
Token: SeDebugPrivilege	4472	RuntimeBroker.exe
Token: SeDebugPrivilege	2332	RuntimeBroker.exe
Token: SeDebugPrivilege	5708	RuntimeBroker.exe
Token: SeDebugPrivilege	6568	RuntimeBroker.exe
Token: SeDebugPrivilege	7016	RuntimeBroker.exe
Token: SeDebugPrivilege	6816	RuntimeBroker.exe
Token: SeDebugPrivilege	4872	RuntimeBroker.exe
Token: SeDebugPrivilege	5720	RuntimeBroker.exe
Token: SeDebugPrivilege	3952	RuntimeBroker.exe
Token: SeDebugPrivilege	6884	RuntimeBroker.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
1572	msedge.exe
1572	msedge.exe
1572	msedge.exe
1572	msedge.exe
1572	msedge.exe
1572	msedge.exe
1572	msedge.exe
1572	msedge.exe
1572	msedge.exe
1572	msedge.exe
1572	msedge.exe
1572	msedge.exe
1572	msedge.exe
1572	msedge.exe
1572	msedge.exe
1572	msedge.exe
1572	msedge.exe
1572	msedge.exe
1572	msedge.exe
1572	msedge.exe
1572	msedge.exe
1572	msedge.exe
1572	msedge.exe
1572	msedge.exe
1572	msedge.exe
1572	msedge.exe
1572	msedge.exe
1572	msedge.exe
1572	msedge.exe
1572	msedge.exe
1572	msedge.exe
1572	msedge.exe
1572	msedge.exe
1572	msedge.exe
1572	msedge.exe
1572	msedge.exe
1572	msedge.exe
1572	msedge.exe
1572	msedge.exe
1572	msedge.exe
1572	msedge.exe
1572	msedge.exe
1572	msedge.exe
1572	msedge.exe
1572	msedge.exe
1572	msedge.exe
1572	msedge.exe
1572	msedge.exe
1572	msedge.exe
1572	msedge.exe
1572	msedge.exe
1572	msedge.exe
1572	msedge.exe
1572	msedge.exe
1572	msedge.exe
1572	msedge.exe
1572	msedge.exe
1572	msedge.exe
1572	msedge.exe
1572	msedge.exe
1572	msedge.exe
1572	msedge.exe
1572	msedge.exe
1572	msedge.exe

Suspicious use of SendNotifyMessage 64 IoCs

pid	Process
1572	msedge.exe
1572	msedge.exe
1572	msedge.exe
1572	msedge.exe
1572	msedge.exe
1572	msedge.exe
1572	msedge.exe
1572	msedge.exe
1572	msedge.exe
1572	msedge.exe
1572	msedge.exe
1572	msedge.exe
1572	msedge.exe
1572	msedge.exe
1572	msedge.exe
1572	msedge.exe
1572	msedge.exe
1572	msedge.exe
1572	msedge.exe
1572	msedge.exe
1572	msedge.exe
1572	msedge.exe
1572	msedge.exe
1572	msedge.exe
1572	msedge.exe
1572	msedge.exe
1572	msedge.exe
1572	msedge.exe
1572	msedge.exe
1572	msedge.exe
1572	msedge.exe
1572	msedge.exe
1572	msedge.exe
1572	msedge.exe
1572	msedge.exe
1572	msedge.exe
1572	msedge.exe
1572	msedge.exe
1572	msedge.exe
1572	msedge.exe
1572	msedge.exe
1572	msedge.exe
1572	msedge.exe
1572	msedge.exe
1572	msedge.exe
1572	msedge.exe
1572	msedge.exe
1572	msedge.exe
1572	msedge.exe
1572	msedge.exe
1572	msedge.exe
1572	msedge.exe
1572	msedge.exe
1572	msedge.exe
1572	msedge.exe
1572	msedge.exe
1572	msedge.exe
1572	msedge.exe
1572	msedge.exe
1572	msedge.exe
1572	msedge.exe
1572	msedge.exe
1572	msedge.exe
1572	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4252 wrote to memory of 3344	4252	RebelCracked.exe	82
PID 4252 wrote to memory of 3344	4252	RebelCracked.exe	82
PID 4252 wrote to memory of 3344	4252	RebelCracked.exe	82
PID 4252 wrote to memory of 2700	4252	RebelCracked.exe	83
PID 4252 wrote to memory of 2700	4252	RebelCracked.exe	83
PID 3344 wrote to memory of 3540	3344	RuntimeBroker.exe	84
PID 3344 wrote to memory of 3540	3344	RuntimeBroker.exe	84
PID 3344 wrote to memory of 3540	3344	RuntimeBroker.exe	84
PID 3344 wrote to memory of 3540	3344	RuntimeBroker.exe	84
PID 3344 wrote to memory of 3540	3344	RuntimeBroker.exe	84
PID 3344 wrote to memory of 3540	3344	RuntimeBroker.exe	84
PID 3344 wrote to memory of 3540	3344	RuntimeBroker.exe	84
PID 3344 wrote to memory of 3540	3344	RuntimeBroker.exe	84
PID 2700 wrote to memory of 1860	2700	RebelCracked.exe	85
PID 2700 wrote to memory of 1860	2700	RebelCracked.exe	85
PID 2700 wrote to memory of 1860	2700	RebelCracked.exe	85
PID 2700 wrote to memory of 940	2700	RebelCracked.exe	86
PID 2700 wrote to memory of 940	2700	RebelCracked.exe	86
PID 1860 wrote to memory of 3100	1860	RuntimeBroker.exe	87
PID 1860 wrote to memory of 3100	1860	RuntimeBroker.exe	87
PID 1860 wrote to memory of 3100	1860	RuntimeBroker.exe	87
PID 1860 wrote to memory of 3100	1860	RuntimeBroker.exe	87
PID 1860 wrote to memory of 3100	1860	RuntimeBroker.exe	87
PID 1860 wrote to memory of 3100	1860	RuntimeBroker.exe	87
PID 1860 wrote to memory of 3100	1860	RuntimeBroker.exe	87
PID 1860 wrote to memory of 3100	1860	RuntimeBroker.exe	87
PID 940 wrote to memory of 1080	940	RebelCracked.exe	92
PID 940 wrote to memory of 1080	940	RebelCracked.exe	92
PID 940 wrote to memory of 1080	940	RebelCracked.exe	92
PID 940 wrote to memory of 3740	940	RebelCracked.exe	93
PID 940 wrote to memory of 3740	940	RebelCracked.exe	93
PID 1080 wrote to memory of 744	1080	RuntimeBroker.exe	94
PID 1080 wrote to memory of 744	1080	RuntimeBroker.exe	94
PID 1080 wrote to memory of 744	1080	RuntimeBroker.exe	94
PID 1080 wrote to memory of 744	1080	RuntimeBroker.exe	94
PID 1080 wrote to memory of 744	1080	RuntimeBroker.exe	94
PID 1080 wrote to memory of 744	1080	RuntimeBroker.exe	94
PID 1080 wrote to memory of 744	1080	RuntimeBroker.exe	94
PID 1080 wrote to memory of 744	1080	RuntimeBroker.exe	94
PID 3740 wrote to memory of 3908	3740	RebelCracked.exe	95
PID 3740 wrote to memory of 3908	3740	RebelCracked.exe	95
PID 3740 wrote to memory of 3908	3740	RebelCracked.exe	95
PID 3740 wrote to memory of 4844	3740	RebelCracked.exe	96
PID 3740 wrote to memory of 4844	3740	RebelCracked.exe	96
PID 3908 wrote to memory of 2196	3908	RuntimeBroker.exe	98
PID 3908 wrote to memory of 2196	3908	RuntimeBroker.exe	98
PID 3908 wrote to memory of 2196	3908	RuntimeBroker.exe	98
PID 3908 wrote to memory of 2196	3908	RuntimeBroker.exe	98
PID 3908 wrote to memory of 2196	3908	RuntimeBroker.exe	98
PID 3908 wrote to memory of 2196	3908	RuntimeBroker.exe	98
PID 3908 wrote to memory of 2196	3908	RuntimeBroker.exe	98
PID 3908 wrote to memory of 2196	3908	RuntimeBroker.exe	98
PID 1572 wrote to memory of 3940	1572	msedge.exe	101
PID 1572 wrote to memory of 3940	1572	msedge.exe	101
PID 1572 wrote to memory of 5116	1572	msedge.exe	102
PID 1572 wrote to memory of 5116	1572	msedge.exe	102
PID 1572 wrote to memory of 5116	1572	msedge.exe	102
PID 1572 wrote to memory of 5116	1572	msedge.exe	102
PID 1572 wrote to memory of 5116	1572	msedge.exe	102
PID 1572 wrote to memory of 5116	1572	msedge.exe	102
PID 1572 wrote to memory of 5116	1572	msedge.exe	102
PID 1572 wrote to memory of 5116	1572	msedge.exe	102
PID 1572 wrote to memory of 5116	1572	msedge.exe	102
PID 1572 wrote to memory of 5116	1572	msedge.exe	102

C:\Users\Admin\AppData\Local\Temp\RebelCracked.exe
"C:\Users\Admin\AppData\Local\Temp\RebelCracked.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:4252
- C:\Users\Admin\AppData\Local\RuntimeBroker.exe
  "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  PID:3344
- - C:\Users\Admin\AppData\Local\RuntimeBroker.exe
    "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
    3⤵
    - Executes dropped EXE
    - Drops desktop.ini file(s)
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:3540
  - - C:\Windows\SysWOW64\cmd.exe
      "cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All
      4⤵
      System Network Configuration Discovery: Wi-Fi Discovery
      PID:5340
    - - C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        5⤵
        
        PID:5440
    - - C:\Windows\SysWOW64\netsh.exe
        
        netsh wlan show profile
        5⤵
        Event Triggered Execution: Netsh Helper DLL
        
        PID:5604
    - - C:\Windows\SysWOW64\findstr.exe
        
        findstr All
        5⤵
        
        PID:5612
  - - C:\Windows\SysWOW64\cmd.exe
      "cmd.exe" /C chcp 65001 && netsh wlan show networks mode=bssid
      4⤵
      PID:6088
    - - C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        5⤵
        
        PID:540
    - - C:\Windows\SysWOW64\netsh.exe
        
        netsh wlan show networks mode=bssid
        5⤵
        
        PID:5204
- C:\Users\Admin\AppData\Local\Temp\RebelCracked.exe
  "C:\Users\Admin\AppData\Local\Temp\RebelCracked.exe"
  2⤵
  - Checks computer location settings
  - Suspicious use of WriteProcessMemory
  PID:2700
- - C:\Users\Admin\AppData\Local\RuntimeBroker.exe
    "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
    PID:1860
  - - C:\Users\Admin\AppData\Local\RuntimeBroker.exe
      "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
      4⤵
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:3100
    - - C:\Windows\SysWOW64\cmd.exe
        
        "cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All
        5⤵
        
        PID:5856
      - C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        6⤵
        
        PID:5908
      - C:\Windows\SysWOW64\netsh.exe
        
        netsh wlan show profile
        6⤵
        
        PID:6040
      - C:\Windows\SysWOW64\findstr.exe
        
        findstr All
        6⤵
        
        PID:6072
    - - C:\Windows\SysWOW64\cmd.exe
        
        "cmd.exe" /C chcp 65001 && netsh wlan show networks mode=bssid
        5⤵
        
        PID:5156
      - C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        6⤵
        
        PID:5528
      - C:\Windows\SysWOW64\netsh.exe
        
        netsh wlan show networks mode=bssid
        6⤵
        
        PID:6112
- - C:\Users\Admin\AppData\Local\Temp\RebelCracked.exe
    "C:\Users\Admin\AppData\Local\Temp\RebelCracked.exe"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:940
  - - C:\Users\Admin\AppData\Local\RuntimeBroker.exe
      "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of SetThreadContext
      Suspicious use of WriteProcessMemory
      PID:1080
    - - C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        5⤵
        Executes dropped EXE
        Drops desktop.ini file(s)
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:744
      - C:\Windows\SysWOW64\cmd.exe
        
        "cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All
        6⤵
        
        PID:5948
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        7⤵
        
        PID:4804
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh wlan show profile
        7⤵
        System Network Configuration Discovery: Wi-Fi Discovery
        
        PID:5908
        
        C:\Windows\SysWOW64\findstr.exe
        
        findstr All
        7⤵
        
        PID:5768
      - C:\Windows\SysWOW64\cmd.exe
        
        "cmd.exe" /C chcp 65001 && netsh wlan show networks mode=bssid
        6⤵
        
        PID:2940
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        7⤵
        
        PID:5988
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh wlan show networks mode=bssid
        7⤵
        
        PID:4768
  - - C:\Users\Admin\AppData\Local\Temp\RebelCracked.exe
      "C:\Users\Admin\AppData\Local\Temp\RebelCracked.exe"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:3740
    - - C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of WriteProcessMemory
        
        PID:3908
      - C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        6⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2196
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All
        7⤵
        System Network Configuration Discovery: Wi-Fi Discovery
        
        PID:3340
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        8⤵
        
        PID:5468
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh wlan show profile
        8⤵
        
        PID:4076
        
        C:\Windows\SysWOW64\findstr.exe
        
        findstr All
        8⤵
        
        PID:5940
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd.exe" /C chcp 65001 && netsh wlan show networks mode=bssid
        7⤵
        
        PID:5344
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        8⤵
        
        PID:5928
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh wlan show networks mode=bssid
        8⤵
        
        PID:3212
    - - C:\Users\Admin\AppData\Local\Temp\RebelCracked.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RebelCracked.exe"
        5⤵
        Checks computer location settings
        
        PID:4844
      - C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        6⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:4872
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        7⤵
        
        PID:3680
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        7⤵
        Executes dropped EXE
        Drops desktop.ini file(s)
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2868
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All
        8⤵
        System Network Configuration Discovery: Wi-Fi Discovery
        
        PID:6480
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        9⤵
        
        PID:6988
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh wlan show profile
        9⤵
        System Network Configuration Discovery: Wi-Fi Discovery
        
        PID:5284
        
        C:\Windows\SysWOW64\findstr.exe
        
        findstr All
        9⤵
        
        PID:5732
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd.exe" /C chcp 65001 && netsh wlan show networks mode=bssid
        8⤵
        
        PID:6744
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        9⤵
        
        PID:7068
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh wlan show networks mode=bssid
        9⤵
        
        PID:2200
      - C:\Users\Admin\AppData\Local\Temp\RebelCracked.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RebelCracked.exe"
        6⤵
        
        PID:3664
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        7⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:4464
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        8⤵
        
        PID:4700
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        8⤵
        Executes dropped EXE
        Drops desktop.ini file(s)
        Checks processor information in registry
        Suspicious use of AdjustPrivilegeToken
        
        PID:2536
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All
        9⤵
        
        PID:6132
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        10⤵
        
        PID:5080
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh wlan show profile
        10⤵
        System Network Configuration Discovery: Wi-Fi Discovery
        
        PID:5228
        
        C:\Windows\SysWOW64\findstr.exe
        
        findstr All
        10⤵
        
        PID:5236
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd.exe" /C chcp 65001 && netsh wlan show networks mode=bssid
        9⤵
        
        PID:5804
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        10⤵
        
        PID:5976
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh wlan show networks mode=bssid
        10⤵
        
        PID:6060
        
        C:\Users\Admin\AppData\Local\Temp\RebelCracked.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RebelCracked.exe"
        7⤵
        Checks computer location settings
        
        PID:3688
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        8⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:4692
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        9⤵
        Executes dropped EXE
        Drops desktop.ini file(s)
        Checks processor information in registry
        Suspicious use of AdjustPrivilegeToken
        
        PID:3612
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All
        10⤵
        
        PID:5340
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        11⤵
        
        PID:1692
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh wlan show profile
        11⤵
        
        PID:3724
        
        C:\Windows\SysWOW64\findstr.exe
        
        findstr All
        11⤵
        
        PID:2052
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd.exe" /C chcp 65001 && netsh wlan show networks mode=bssid
        10⤵
        
        PID:1524
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        11⤵
        
        PID:7164
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh wlan show networks mode=bssid
        11⤵
        
        PID:6204
        
        C:\Users\Admin\AppData\Local\Temp\RebelCracked.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RebelCracked.exe"
        8⤵
        
        PID:2848
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        9⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:4408
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        10⤵
        
        PID:4920
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        10⤵
        
        PID:3456
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        10⤵
        
        PID:4464
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        10⤵
        Executes dropped EXE
        Checks processor information in registry
        Suspicious use of AdjustPrivilegeToken
        
        PID:1436
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All
        11⤵
        
        PID:5400
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        12⤵
        
        PID:5732
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh wlan show profile
        12⤵
        System Network Configuration Discovery: Wi-Fi Discovery
        
        PID:5992
        
        C:\Windows\SysWOW64\findstr.exe
        
        findstr All
        12⤵
        
        PID:4940
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd.exe" /C chcp 65001 && netsh wlan show networks mode=bssid
        11⤵
        System Location Discovery: System Language Discovery
        
        PID:6256
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        12⤵
        
        PID:5912
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh wlan show networks mode=bssid
        12⤵
        
        PID:7148
        
        C:\Users\Admin\AppData\Local\Temp\RebelCracked.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RebelCracked.exe"
        9⤵
        
        PID:3764
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        10⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:4116
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        11⤵
        Executes dropped EXE
        Checks processor information in registry
        Suspicious use of AdjustPrivilegeToken
        
        PID:1688
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All
        12⤵
        System Network Configuration Discovery: Wi-Fi Discovery
        
        PID:6756
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        13⤵
        
        PID:2268
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh wlan show profile
        13⤵
        Event Triggered Execution: Netsh Helper DLL
        
        PID:4208
        
        C:\Windows\SysWOW64\findstr.exe
        
        findstr All
        13⤵
        
        PID:6320
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd.exe" /C chcp 65001 && netsh wlan show networks mode=bssid
        12⤵
        
        PID:1980
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        13⤵
        
        PID:2064
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh wlan show networks mode=bssid
        13⤵
        
        PID:6488
        
        C:\Users\Admin\AppData\Local\Temp\RebelCracked.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RebelCracked.exe"
        10⤵
        
        PID:3748
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        11⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:5100
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        12⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:4756
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All
        13⤵
        
        PID:6968
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        14⤵
        
        PID:6552
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh wlan show profile
        14⤵
        
        PID:7140
        
        C:\Windows\SysWOW64\findstr.exe
        
        findstr All
        14⤵
        
        PID:7156
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd.exe" /C chcp 65001 && netsh wlan show networks mode=bssid
        13⤵
        
        PID:6200
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        14⤵
        
        PID:3812
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh wlan show networks mode=bssid
        14⤵
        
        PID:6188
        
        C:\Users\Admin\AppData\Local\Temp\RebelCracked.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RebelCracked.exe"
        11⤵
        Checks computer location settings
        
        PID:4580
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        12⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:5536
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        13⤵
        
        PID:5628
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        13⤵
        
        PID:5652
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        13⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:5660
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All
        14⤵
        
        PID:5796
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        15⤵
        
        PID:5072
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh wlan show profile
        15⤵
        System Location Discovery: System Language Discovery
        System Network Configuration Discovery: Wi-Fi Discovery
        
        PID:5732
        
        C:\Windows\SysWOW64\findstr.exe
        
        findstr All
        15⤵
        
        PID:5740
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd.exe" /C chcp 65001 && netsh wlan show networks mode=bssid
        14⤵
        System Location Discovery: System Language Discovery
        
        PID:1752
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        15⤵
        
        PID:5224
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh wlan show networks mode=bssid
        15⤵
        
        PID:5124
        
        C:\Users\Admin\AppData\Local\Temp\RebelCracked.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RebelCracked.exe"
        12⤵
        
        PID:5548
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        13⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:5280
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        14⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:624
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All
        15⤵
        
        PID:5248
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        16⤵
        
        PID:6408
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh wlan show profile
        16⤵
        
        PID:6772
        
        C:\Windows\SysWOW64\findstr.exe
        
        findstr All
        16⤵
        
        PID:5380
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd.exe" /C chcp 65001 && netsh wlan show networks mode=bssid
        15⤵
        
        PID:6956
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        16⤵
        
        PID:4088
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh wlan show networks mode=bssid
        16⤵
        
        PID:3196
        
        C:\Users\Admin\AppData\Local\Temp\RebelCracked.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RebelCracked.exe"
        13⤵
        
        PID:5292
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        14⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:5584
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        15⤵
        Executes dropped EXE
        Drops desktop.ini file(s)
        Suspicious use of AdjustPrivilegeToken
        
        PID:5040
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All
        16⤵
        
        PID:3212
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        17⤵
        
        PID:5272
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh wlan show profile
        17⤵
        System Location Discovery: System Language Discovery
        
        PID:5544
        
        C:\Windows\SysWOW64\findstr.exe
        
        findstr All
        17⤵
        
        PID:4776
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd.exe" /C chcp 65001 && netsh wlan show networks mode=bssid
        16⤵
        
        PID:2840
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        17⤵
        
        PID:4388
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh wlan show networks mode=bssid
        17⤵
        
        PID:5504
        
        C:\Users\Admin\AppData\Local\Temp\RebelCracked.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RebelCracked.exe"
        14⤵
        
        PID:5316
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        15⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:4572
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        16⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:5804
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All
        17⤵
        
        PID:6232
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        18⤵
        
        PID:2980
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh wlan show profile
        18⤵
        Event Triggered Execution: Netsh Helper DLL
        
        PID:6168
        
        C:\Windows\SysWOW64\findstr.exe
        
        findstr All
        18⤵
        
        PID:6004
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd.exe" /C chcp 65001 && netsh wlan show networks mode=bssid
        17⤵
        
        PID:6220
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        18⤵
        
        PID:6200
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh wlan show networks mode=bssid
        18⤵
        
        PID:5112
        
        C:\Users\Admin\AppData\Local\Temp\RebelCracked.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RebelCracked.exe"
        15⤵
        Checks computer location settings
        
        PID:5960
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        16⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:4076
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        17⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:5868
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All
        18⤵
        
        PID:5644
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        19⤵
        
        PID:6232
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh wlan show profile
        19⤵
        Event Triggered Execution: Netsh Helper DLL
        
        PID:2496
        
        C:\Windows\SysWOW64\findstr.exe
        
        findstr All
        19⤵
        
        PID:1440
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd.exe" /C chcp 65001 && netsh wlan show networks mode=bssid
        18⤵
        
        PID:1944
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        19⤵
        
        PID:6692
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh wlan show networks mode=bssid
        19⤵
        Event Triggered Execution: Netsh Helper DLL
        
        PID:5512
        
        C:\Users\Admin\AppData\Local\Temp\RebelCracked.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RebelCracked.exe"
        16⤵
        
        PID:6056
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        17⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:4804
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        18⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:1480
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All
        19⤵
        
        PID:6772
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        20⤵
        System Location Discovery: System Language Discovery
        
        PID:5072
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh wlan show profile
        20⤵
        System Network Configuration Discovery: Wi-Fi Discovery
        
        PID:920
        
        C:\Windows\SysWOW64\findstr.exe
        
        findstr All
        20⤵
        
        PID:2268
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd.exe" /C chcp 65001 && netsh wlan show networks mode=bssid
        19⤵
        
        PID:5556
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        20⤵
        
        PID:5648
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh wlan show networks mode=bssid
        20⤵
        Event Triggered Execution: Netsh Helper DLL
        
        PID:3788
        
        C:\Users\Admin\AppData\Local\Temp\RebelCracked.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RebelCracked.exe"
        17⤵
        
        PID:1752
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        18⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:5832
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        19⤵
        Executes dropped EXE
        Drops desktop.ini file(s)
        Suspicious use of AdjustPrivilegeToken
        
        PID:5608
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All
        20⤵
        
        PID:5536
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        21⤵
        
        PID:2272
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh wlan show profile
        21⤵
        Event Triggered Execution: Netsh Helper DLL
        
        PID:5856
        
        C:\Windows\SysWOW64\findstr.exe
        
        findstr All
        21⤵
        
        PID:6976
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd.exe" /C chcp 65001 && netsh wlan show networks mode=bssid
        20⤵
        System Location Discovery: System Language Discovery
        
        PID:3424
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        21⤵
        
        PID:4904
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh wlan show networks mode=bssid
        21⤵
        Event Triggered Execution: Netsh Helper DLL
        
        PID:7508
        
        C:\Users\Admin\AppData\Local\Temp\RebelCracked.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RebelCracked.exe"
        18⤵
        
        PID:1932
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        19⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:3812
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        20⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:5796
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All
        21⤵
        
        PID:8100
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        22⤵
        
        PID:5552
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh wlan show profile
        22⤵
        
        PID:7496
        
        C:\Windows\SysWOW64\findstr.exe
        
        findstr All
        22⤵
        
        PID:7692
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd.exe" /C chcp 65001 && netsh wlan show networks mode=bssid
        21⤵
        
        PID:7008
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        22⤵
        
        PID:3532
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh wlan show networks mode=bssid
        22⤵
        
        PID:4032
        
        C:\Users\Admin\AppData\Local\Temp\RebelCracked.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RebelCracked.exe"
        19⤵
        Checks computer location settings
        
        PID:5808
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        20⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:4112
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        21⤵
        Executes dropped EXE
        Checks processor information in registry
        Suspicious use of AdjustPrivilegeToken
        
        PID:1080
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All
        22⤵
        
        PID:5624
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        23⤵
        
        PID:3132
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh wlan show profile
        23⤵
        
        PID:7572
        
        C:\Windows\SysWOW64\findstr.exe
        
        findstr All
        23⤵
        
        PID:2732
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd.exe" /C chcp 65001 && netsh wlan show networks mode=bssid
        22⤵
        
        PID:2612
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        23⤵
        
        PID:6660
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh wlan show networks mode=bssid
        23⤵
        
        PID:916
        
        C:\Users\Admin\AppData\Local\Temp\RebelCracked.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RebelCracked.exe"
        20⤵
        
        PID:1888
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        21⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:3100
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        22⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:6044
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All
        23⤵
        System Location Discovery: System Language Discovery
        
        PID:7012
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        24⤵
        
        PID:1472
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh wlan show profile
        24⤵
        Event Triggered Execution: Netsh Helper DLL
        
        PID:6628
        
        C:\Windows\SysWOW64\findstr.exe
        
        findstr All
        24⤵
        
        PID:4624
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd.exe" /C chcp 65001 && netsh wlan show networks mode=bssid
        23⤵
        
        PID:6528
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        24⤵
        
        PID:5708
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh wlan show networks mode=bssid
        24⤵
        
        PID:6064
        
        C:\Users\Admin\AppData\Local\Temp\RebelCracked.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RebelCracked.exe"
        21⤵
        Checks computer location settings
        
        PID:5940
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        22⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:1428
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        23⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:4528
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All
        24⤵
        
        PID:5016
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        25⤵
        
        PID:3424
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh wlan show profile
        25⤵
        
        PID:4604
        
        C:\Windows\SysWOW64\findstr.exe
        
        findstr All
        25⤵
        System Location Discovery: System Language Discovery
        
        PID:4532
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd.exe" /C chcp 65001 && netsh wlan show networks mode=bssid
        24⤵
        
        PID:6544
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        25⤵
        
        PID:7068
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh wlan show networks mode=bssid
        25⤵
        
        PID:6484
        
        C:\Users\Admin\AppData\Local\Temp\RebelCracked.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RebelCracked.exe"
        22⤵
        
        PID:5484
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        23⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:6596
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        24⤵
        
        PID:7100
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        24⤵
        Executes dropped EXE
        Drops desktop.ini file(s)
        Suspicious use of AdjustPrivilegeToken
        
        PID:7120
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All
        25⤵
        
        PID:8112
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        26⤵
        
        PID:4752
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh wlan show profile
        26⤵
        System Network Configuration Discovery: Wi-Fi Discovery
        
        PID:7672
        
        C:\Windows\SysWOW64\findstr.exe
        
        findstr All
        26⤵
        
        PID:7880
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd.exe" /C chcp 65001 && netsh wlan show networks mode=bssid
        25⤵
        
        PID:5152
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        26⤵
        
        PID:3448
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh wlan show networks mode=bssid
        26⤵
        
        PID:8132
        
        C:\Users\Admin\AppData\Local\Temp\RebelCracked.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RebelCracked.exe"
        23⤵
        Checks computer location settings
        
        PID:6620
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        24⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:5852
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        25⤵
        Executes dropped EXE
        Checks processor information in registry
        Suspicious use of AdjustPrivilegeToken
        
        PID:6996
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All
        26⤵
        
        PID:6260
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        27⤵
        
        PID:7048
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh wlan show profile
        27⤵
        Event Triggered Execution: Netsh Helper DLL
        
        PID:5820
        
        C:\Windows\SysWOW64\findstr.exe
        
        findstr All
        27⤵
        
        PID:6100
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd.exe" /C chcp 65001 && netsh wlan show networks mode=bssid
        26⤵
        
        PID:6460
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        27⤵
        
        PID:5916
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh wlan show networks mode=bssid
        27⤵
        
        PID:4164
        
        C:\Users\Admin\AppData\Local\Temp\RebelCracked.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RebelCracked.exe"
        24⤵
        
        PID:6376
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        25⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:6716
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        26⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:7112
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All
        27⤵
        System Network Configuration Discovery: Wi-Fi Discovery
        
        PID:7668
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        28⤵
        
        PID:4492
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh wlan show profile
        28⤵
        System Network Configuration Discovery: Wi-Fi Discovery
        
        PID:5220
        
        C:\Windows\SysWOW64\findstr.exe
        
        findstr All
        28⤵
        System Location Discovery: System Language Discovery
        
        PID:7436
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd.exe" /C chcp 65001 && netsh wlan show networks mode=bssid
        27⤵
        
        PID:4752
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        28⤵
        
        PID:7716
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh wlan show networks mode=bssid
        28⤵
        Event Triggered Execution: Netsh Helper DLL
        
        PID:7148
        
        C:\Users\Admin\AppData\Local\Temp\RebelCracked.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RebelCracked.exe"
        25⤵
        Checks computer location settings
        
        PID:6868
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        26⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:6724
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        27⤵
        
        PID:7132
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        27⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2160
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All
        28⤵
        
        PID:424
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        29⤵
        
        PID:1552
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh wlan show profile
        29⤵
        
        PID:4936
        
        C:\Windows\SysWOW64\findstr.exe
        
        findstr All
        29⤵
        
        PID:3284
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd.exe" /C chcp 65001 && netsh wlan show networks mode=bssid
        28⤵
        
        PID:2456
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        29⤵
        
        PID:6444
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh wlan show networks mode=bssid
        29⤵
        Event Triggered Execution: Netsh Helper DLL
        
        PID:6096
        
        C:\Users\Admin\AppData\Local\Temp\RebelCracked.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RebelCracked.exe"
        26⤵
        
        PID:6840
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        27⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:5824
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        28⤵
        Executes dropped EXE
        Drops desktop.ini file(s)
        Checks processor information in registry
        Suspicious use of AdjustPrivilegeToken
        
        PID:4784
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All
        29⤵
        
        PID:1068
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        30⤵
        
        PID:2980
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh wlan show profile
        30⤵
        System Network Configuration Discovery: Wi-Fi Discovery
        
        PID:7032
        
        C:\Windows\SysWOW64\findstr.exe
        
        findstr All
        30⤵
        
        PID:1836
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd.exe" /C chcp 65001 && netsh wlan show networks mode=bssid
        29⤵
        
        PID:5248
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        30⤵
        System Location Discovery: System Language Discovery
        
        PID:6724
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh wlan show networks mode=bssid
        30⤵
        Event Triggered Execution: Netsh Helper DLL
        
        PID:7144
        
        C:\Users\Admin\AppData\Local\Temp\RebelCracked.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RebelCracked.exe"
        27⤵
        
        PID:5592
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        28⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:2676
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        29⤵
        Executes dropped EXE
        Drops desktop.ini file(s)
        Suspicious use of AdjustPrivilegeToken
        
        PID:5196
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All
        30⤵
        
        PID:4528
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        31⤵
        System Location Discovery: System Language Discovery
        
        PID:6960
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh wlan show profile
        31⤵
        Event Triggered Execution: Netsh Helper DLL
        
        PID:3044
        
        C:\Windows\SysWOW64\findstr.exe
        
        findstr All
        31⤵
        
        PID:764
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd.exe" /C chcp 65001 && netsh wlan show networks mode=bssid
        30⤵
        
        PID:4620
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        31⤵
        
        PID:5508
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh wlan show networks mode=bssid
        31⤵
        Event Triggered Execution: Netsh Helper DLL
        
        PID:6608
        
        C:\Users\Admin\AppData\Local\Temp\RebelCracked.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RebelCracked.exe"
        28⤵
        
        PID:6244
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        29⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:7080
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        30⤵
        Executes dropped EXE
        Checks processor information in registry
        Suspicious use of AdjustPrivilegeToken
        
        PID:6128
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All
        31⤵
        
        PID:4116
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        32⤵
        
        PID:5856
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh wlan show profile
        32⤵
        
        PID:4352
        
        C:\Windows\SysWOW64\findstr.exe
        
        findstr All
        32⤵
        
        PID:7144
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd.exe" /C chcp 65001 && netsh wlan show networks mode=bssid
        31⤵
        
        PID:5768
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        32⤵
        
        PID:2268
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh wlan show networks mode=bssid
        32⤵
        
        PID:2940
        
        C:\Users\Admin\AppData\Local\Temp\RebelCracked.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RebelCracked.exe"
        29⤵
        Checks computer location settings
        
        PID:6240
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        30⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:5728
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        31⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:6904
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All
        32⤵
        
        PID:6908
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        33⤵
        
        PID:6648
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh wlan show profile
        33⤵
        Event Triggered Execution: Netsh Helper DLL
        
        PID:6744
        
        C:\Windows\SysWOW64\findstr.exe
        
        findstr All
        33⤵
        
        PID:5704
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd.exe" /C chcp 65001 && netsh wlan show networks mode=bssid
        32⤵
        
        PID:7388
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        33⤵
        
        PID:2416
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh wlan show networks mode=bssid
        33⤵
        Event Triggered Execution: Netsh Helper DLL
        
        PID:5812
        
        C:\Users\Admin\AppData\Local\Temp\RebelCracked.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RebelCracked.exe"
        30⤵
        
        PID:5456
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        31⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:6248
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        32⤵
        Executes dropped EXE
        Checks processor information in registry
        Suspicious use of AdjustPrivilegeToken
        
        PID:5616
        
        C:\Users\Admin\AppData\Local\Temp\RebelCracked.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RebelCracked.exe"
        31⤵
        
        PID:2868
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        32⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:5348
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        33⤵
        Executes dropped EXE
        Drops desktop.ini file(s)
        Checks processor information in registry
        Suspicious use of AdjustPrivilegeToken
        
        PID:6864
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All
        34⤵
        
        PID:6932
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        35⤵
        
        PID:3740
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh wlan show profile
        35⤵
        
        PID:6412
        
        C:\Windows\SysWOW64\findstr.exe
        
        findstr All
        35⤵
        
        PID:2904
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd.exe" /C chcp 65001 && netsh wlan show networks mode=bssid
        34⤵
        
        PID:6280
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        35⤵
        
        PID:6812
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh wlan show networks mode=bssid
        35⤵
        
        PID:6208
        
        C:\Users\Admin\AppData\Local\Temp\RebelCracked.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RebelCracked.exe"
        32⤵
        
        PID:6364
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        33⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:1692
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        34⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:3212
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All
        35⤵
        
        PID:6792
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        36⤵
        
        PID:5524
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh wlan show profile
        36⤵
        System Network Configuration Discovery: Wi-Fi Discovery
        
        PID:6716
        
        C:\Windows\SysWOW64\findstr.exe
        
        findstr All
        36⤵
        
        PID:6448
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd.exe" /C chcp 65001 && netsh wlan show networks mode=bssid
        35⤵
        
        PID:7032
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        36⤵
        System Location Discovery: System Language Discovery
        
        PID:5588
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh wlan show networks mode=bssid
        36⤵
        
        PID:5844
        
        C:\Users\Admin\AppData\Local\Temp\RebelCracked.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RebelCracked.exe"
        33⤵
        
        PID:4208
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        34⤵
        Suspicious use of SetThreadContext
        
        PID:1448
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        35⤵
        Checks processor information in registry
        Suspicious use of AdjustPrivilegeToken
        
        PID:6860
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All
        36⤵
        System Network Configuration Discovery: Wi-Fi Discovery
        
        PID:5340
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        37⤵
        
        PID:7148
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh wlan show profile
        37⤵
        Event Triggered Execution: Netsh Helper DLL
        
        PID:4532
        
        C:\Windows\SysWOW64\findstr.exe
        
        findstr All
        37⤵
        
        PID:6244
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd.exe" /C chcp 65001 && netsh wlan show networks mode=bssid
        36⤵
        
        PID:4284
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        37⤵
        
        PID:6812
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        37⤵
        
        PID:2564
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh wlan show networks mode=bssid
        37⤵
        
        PID:4504
        
        C:\Users\Admin\AppData\Local\Temp\RebelCracked.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RebelCracked.exe"
        34⤵
        
        PID:6784
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        35⤵
        Suspicious use of SetThreadContext
        
        PID:2356
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        36⤵
        Drops desktop.ini file(s)
        Checks processor information in registry
        Suspicious use of AdjustPrivilegeToken
        
        PID:5036
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All
        37⤵
        
        PID:5936
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        38⤵
        
        PID:2980
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh wlan show profile
        38⤵
        
        PID:7472
        
        C:\Windows\SysWOW64\findstr.exe
        
        findstr All
        38⤵
        
        PID:7488
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd.exe" /C chcp 65001 && netsh wlan show networks mode=bssid
        37⤵
        
        PID:4620
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        38⤵
        
        PID:4808
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh wlan show networks mode=bssid
        38⤵
        
        PID:6984
        
        C:\Users\Admin\AppData\Local\Temp\RebelCracked.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RebelCracked.exe"
        35⤵
        Checks computer location settings
        
        PID:5284
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        36⤵
        Suspicious use of SetThreadContext
        
        PID:6600
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        37⤵
        
        PID:3152
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        37⤵
        Drops desktop.ini file(s)
        Checks processor information in registry
        Suspicious use of AdjustPrivilegeToken
        
        PID:6616
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All
        38⤵
        
        PID:6976
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        39⤵
        
        PID:5388
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh wlan show profile
        39⤵
        
        PID:5808
        
        C:\Windows\SysWOW64\findstr.exe
        
        findstr All
        39⤵
        
        PID:7696
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd.exe" /C chcp 65001 && netsh wlan show networks mode=bssid
        38⤵
        
        PID:6692
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        39⤵
        
        PID:7648
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh wlan show networks mode=bssid
        39⤵
        Event Triggered Execution: Netsh Helper DLL
        
        PID:2996
        
        C:\Users\Admin\AppData\Local\Temp\RebelCracked.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RebelCracked.exe"
        36⤵
        
        PID:2024
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        37⤵
        Suspicious use of SetThreadContext
        
        PID:4184
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        38⤵
        Drops desktop.ini file(s)
        Suspicious use of AdjustPrivilegeToken
        
        PID:6692
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All
        39⤵
        
        PID:3596
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        40⤵
        
        PID:5804
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh wlan show profile
        40⤵
        
        PID:5236
        
        C:\Windows\SysWOW64\findstr.exe
        
        findstr All
        40⤵
        
        PID:2392
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd.exe" /C chcp 65001 && netsh wlan show networks mode=bssid
        39⤵
        
        PID:5756
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        40⤵
        
        PID:6312
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh wlan show networks mode=bssid
        40⤵
        
        PID:856
        
        C:\Users\Admin\AppData\Local\Temp\RebelCracked.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RebelCracked.exe"
        37⤵
        
        PID:6124
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        38⤵
        Suspicious use of SetThreadContext
        
        PID:3560
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        39⤵
        Drops desktop.ini file(s)
        System Location Discovery: System Language Discovery
        Checks processor information in registry
        Suspicious use of AdjustPrivilegeToken
        
        PID:6600
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All
        40⤵
        
        PID:5380
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        41⤵
        
        PID:6868
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh wlan show profile
        41⤵
        
        PID:5624
        
        C:\Windows\SysWOW64\findstr.exe
        
        findstr All
        41⤵
        
        PID:6828
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd.exe" /C chcp 65001 && netsh wlan show networks mode=bssid
        40⤵
        
        PID:1480
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        41⤵
        
        PID:3952
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh wlan show networks mode=bssid
        41⤵
        
        PID:6120
        
        C:\Users\Admin\AppData\Local\Temp\RebelCracked.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RebelCracked.exe"
        38⤵
        
        PID:5340
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        39⤵
        Suspicious use of SetThreadContext
        
        PID:6784
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        40⤵
        Checks processor information in registry
        Suspicious use of AdjustPrivilegeToken
        
        PID:5076
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All
        41⤵
        
        PID:6076
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        42⤵
        
        PID:5444
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh wlan show profile
        42⤵
        Event Triggered Execution: Netsh Helper DLL
        System Network Configuration Discovery: Wi-Fi Discovery
        
        PID:7452
        
        C:\Windows\SysWOW64\findstr.exe
        
        findstr All
        42⤵
        
        PID:7464
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd.exe" /C chcp 65001 && netsh wlan show networks mode=bssid
        41⤵
        System Location Discovery: System Language Discovery
        
        PID:3368
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        42⤵
        
        PID:2056
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh wlan show networks mode=bssid
        42⤵
        
        PID:7396
        
        C:\Users\Admin\AppData\Local\Temp\RebelCracked.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RebelCracked.exe"
        39⤵
        
        PID:1668
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        40⤵
        Suspicious use of SetThreadContext
        
        PID:5164
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        41⤵
        
        PID:4388
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        41⤵
        
        PID:6604
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        41⤵
        Drops desktop.ini file(s)
        Suspicious use of AdjustPrivilegeToken
        
        PID:6236
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All
        42⤵
        
        PID:2984
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        43⤵
        
        PID:8516
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh wlan show profile
        43⤵
        Event Triggered Execution: Netsh Helper DLL
        
        PID:2872
        
        C:\Windows\SysWOW64\findstr.exe
        
        findstr All
        43⤵
        
        PID:6376
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd.exe" /C chcp 65001 && netsh wlan show networks mode=bssid
        42⤵
        
        PID:7644
        
        C:\Users\Admin\AppData\Local\Temp\RebelCracked.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RebelCracked.exe"
        40⤵
        
        PID:6244
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        41⤵
        Suspicious use of SetThreadContext
        
        PID:3632
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        42⤵
        Checks processor information in registry
        Suspicious use of AdjustPrivilegeToken
        
        PID:6432
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All
        43⤵
        
        PID:5016
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        44⤵
        
        PID:6944
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh wlan show profile
        44⤵
        System Network Configuration Discovery: Wi-Fi Discovery
        
        PID:6076
        
        C:\Windows\SysWOW64\findstr.exe
        
        findstr All
        44⤵
        System Location Discovery: System Language Discovery
        
        PID:6792
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd.exe" /C chcp 65001 && netsh wlan show networks mode=bssid
        43⤵
        
        PID:5160
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        44⤵
        
        PID:1900
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh wlan show networks mode=bssid
        44⤵
        
        PID:6828
        
        C:\Users\Admin\AppData\Local\Temp\RebelCracked.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RebelCracked.exe"
        41⤵
        Checks computer location settings
        
        PID:2268
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        42⤵
        Suspicious use of SetThreadContext
        
        PID:5556
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        43⤵
        Checks processor information in registry
        Suspicious use of AdjustPrivilegeToken
        
        PID:628
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All
        44⤵
        System Network Configuration Discovery: Wi-Fi Discovery
        
        PID:2152
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        45⤵
        
        PID:3248
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh wlan show profile
        45⤵
        
        PID:3740
        
        C:\Windows\SysWOW64\findstr.exe
        
        findstr All
        45⤵
        
        PID:3952
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd.exe" /C chcp 65001 && netsh wlan show networks mode=bssid
        44⤵
        
        PID:7032
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        45⤵
        
        PID:6028
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh wlan show networks mode=bssid
        45⤵
        
        PID:3688
        
        C:\Users\Admin\AppData\Local\Temp\RebelCracked.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RebelCracked.exe"
        42⤵
        Checks computer location settings
        
        PID:6188
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        43⤵
        Suspicious use of SetThreadContext
        
        PID:6436
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        44⤵
        
        PID:5204
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        44⤵
        Drops desktop.ini file(s)
        Suspicious use of AdjustPrivilegeToken
        
        PID:5596
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All
        45⤵
        
        PID:4576
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        46⤵
        
        PID:4624
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh wlan show profile
        46⤵
        
        PID:3212
        
        C:\Windows\SysWOW64\findstr.exe
        
        findstr All
        46⤵
        
        PID:3648
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd.exe" /C chcp 65001 && netsh wlan show networks mode=bssid
        45⤵
        
        PID:6924
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        46⤵
        
        PID:3792
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh wlan show networks mode=bssid
        46⤵
        
        PID:6868
        
        C:\Users\Admin\AppData\Local\Temp\RebelCracked.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RebelCracked.exe"
        43⤵
        
        PID:5132
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        44⤵
        Suspicious use of SetThreadContext
        
        PID:7148
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        45⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:4852
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All
        46⤵
        
        PID:1288
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        47⤵
        
        PID:3632
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh wlan show profile
        47⤵
        System Network Configuration Discovery: Wi-Fi Discovery
        
        PID:5152
        
        C:\Windows\SysWOW64\findstr.exe
        
        findstr All
        47⤵
        
        PID:3792
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd.exe" /C chcp 65001 && netsh wlan show networks mode=bssid
        46⤵
        
        PID:920
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        47⤵
        
        PID:2528
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh wlan show networks mode=bssid
        47⤵
        
        PID:5936
        
        C:\Users\Admin\AppData\Local\Temp\RebelCracked.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RebelCracked.exe"
        44⤵
        
        PID:6852
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        45⤵
        Suspicious use of SetThreadContext
        
        PID:5664
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        46⤵
        Drops desktop.ini file(s)
        Suspicious use of AdjustPrivilegeToken
        
        PID:6308
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All
        47⤵
        
        PID:4164
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        48⤵
        
        PID:6484
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh wlan show profile
        48⤵
        System Network Configuration Discovery: Wi-Fi Discovery
        
        PID:7144
        
        C:\Windows\SysWOW64\findstr.exe
        
        findstr All
        48⤵
        
        PID:4032
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd.exe" /C chcp 65001 && netsh wlan show networks mode=bssid
        47⤵
        
        PID:7480
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        48⤵
        
        PID:6596
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh wlan show networks mode=bssid
        48⤵
        
        PID:764
        
        C:\Users\Admin\AppData\Local\Temp\RebelCracked.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RebelCracked.exe"
        45⤵
        
        PID:6436
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        46⤵
        Suspicious use of SetThreadContext
        
        PID:2676
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        47⤵
        Blocklisted process makes network request
        Suspicious use of AdjustPrivilegeToken
        
        PID:3772
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All
        48⤵
        System Network Configuration Discovery: Wi-Fi Discovery
        
        PID:5536
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        49⤵
        
        PID:6204
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh wlan show profile
        49⤵
        System Network Configuration Discovery: Wi-Fi Discovery
        
        PID:2456
        
        C:\Windows\SysWOW64\findstr.exe
        
        findstr All
        49⤵
        
        PID:3888
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd.exe" /C chcp 65001 && netsh wlan show networks mode=bssid
        48⤵
        System Location Discovery: System Language Discovery
        
        PID:5112
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        49⤵
        
        PID:4580
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        49⤵
        
        PID:1440
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh wlan show networks mode=bssid
        49⤵
        
        PID:3480
        
        C:\Users\Admin\AppData\Local\Temp\RebelCracked.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RebelCracked.exe"
        46⤵
        
        PID:3112
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        47⤵
        Suspicious use of SetThreadContext
        
        PID:6076
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        48⤵
        Checks processor information in registry
        Suspicious use of AdjustPrivilegeToken
        
        PID:6060
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All
        49⤵
        
        PID:5108
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        50⤵
        
        PID:7816
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh wlan show profile
        50⤵
        Event Triggered Execution: Netsh Helper DLL
        
        PID:7368
        
        C:\Windows\SysWOW64\findstr.exe
        
        findstr All
        50⤵
        
        PID:6008
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd.exe" /C chcp 65001 && netsh wlan show networks mode=bssid
        49⤵
        
        PID:5400
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        50⤵
        
        PID:7560
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh wlan show networks mode=bssid
        50⤵
        
        PID:2724
        
        C:\Users\Admin\AppData\Local\Temp\RebelCracked.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RebelCracked.exe"
        47⤵
        Checks computer location settings
        
        PID:664
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        48⤵
        Suspicious use of SetThreadContext
        
        PID:5660
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        49⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:6740
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All
        50⤵
        
        PID:6976
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        51⤵
        
        PID:8532
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh wlan show profile
        51⤵
        Event Triggered Execution: Netsh Helper DLL
        
        PID:8816
        
        C:\Windows\SysWOW64\findstr.exe
        
        findstr All
        51⤵
        
        PID:8716
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd.exe" /C chcp 65001 && netsh wlan show networks mode=bssid
        50⤵
        
        PID:8220
        
        C:\Users\Admin\AppData\Local\Temp\RebelCracked.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RebelCracked.exe"
        48⤵
        
        PID:6084
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        49⤵
        Suspicious use of SetThreadContext
        
        PID:6204
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        50⤵
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:1100
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All
        51⤵
        System Network Configuration Discovery: Wi-Fi Discovery
        
        PID:8112
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        52⤵
        
        PID:8300
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh wlan show profile
        52⤵
        
        PID:8968
        
        C:\Windows\SysWOW64\findstr.exe
        
        findstr All
        52⤵
        
        PID:9072
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd.exe" /C chcp 65001 && netsh wlan show networks mode=bssid
        51⤵
        
        PID:9708
        
        C:\Users\Admin\AppData\Local\Temp\RebelCracked.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RebelCracked.exe"
        49⤵
        Checks computer location settings
        
        PID:3044
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        50⤵
        Suspicious use of SetThreadContext
        
        PID:6460
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        51⤵
        Checks processor information in registry
        Suspicious use of AdjustPrivilegeToken
        
        PID:1980
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All
        52⤵
        
        PID:2392
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        53⤵
        
        PID:5640
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh wlan show profile
        53⤵
        
        PID:6056
        
        C:\Windows\SysWOW64\findstr.exe
        
        findstr All
        53⤵
        
        PID:6660
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd.exe" /C chcp 65001 && netsh wlan show networks mode=bssid
        52⤵
        
        PID:952
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        53⤵
        
        PID:5324
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh wlan show networks mode=bssid
        53⤵
        Event Triggered Execution: Netsh Helper DLL
        
        PID:6660
        
        C:\Users\Admin\AppData\Local\Temp\RebelCracked.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RebelCracked.exe"
        50⤵
        Checks computer location settings
        
        PID:5676
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        51⤵
        
        PID:2416
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        52⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:6900
        
        C:\Users\Admin\AppData\Local\Temp\RebelCracked.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RebelCracked.exe"
        51⤵
        Checks computer location settings
        
        PID:3480
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        52⤵
        Suspicious use of SetThreadContext
        
        PID:2464
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        53⤵
        
        PID:4344
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        53⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:404
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All
        54⤵
        System Network Configuration Discovery: Wi-Fi Discovery
        
        PID:180
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        55⤵
        
        PID:6872
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh wlan show profile
        55⤵
        Event Triggered Execution: Netsh Helper DLL
        
        PID:5040
        
        C:\Windows\SysWOW64\findstr.exe
        
        findstr All
        55⤵
        
        PID:1460
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd.exe" /C chcp 65001 && netsh wlan show networks mode=bssid
        54⤵
        
        PID:4076
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        55⤵
        
        PID:2596
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh wlan show networks mode=bssid
        55⤵
        Event Triggered Execution: Netsh Helper DLL
        
        PID:3212
        
        C:\Users\Admin\AppData\Local\Temp\RebelCracked.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RebelCracked.exe"
        52⤵
        Checks computer location settings
        
        PID:6660
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        53⤵
        Suspicious use of SetThreadContext
        
        PID:1576
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        54⤵
        Drops desktop.ini file(s)
        Suspicious use of AdjustPrivilegeToken
        
        PID:6096
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All
        55⤵
        System Location Discovery: System Language Discovery
        
        PID:7976
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        56⤵
        
        PID:6928
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh wlan show profile
        56⤵
        
        PID:7048
        
        C:\Windows\SysWOW64\findstr.exe
        
        findstr All
        56⤵
        
        PID:5724
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd.exe" /C chcp 65001 && netsh wlan show networks mode=bssid
        55⤵
        
        PID:8184
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        56⤵
        
        PID:4904
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh wlan show networks mode=bssid
        56⤵
        
        PID:7332
        
        C:\Users\Admin\AppData\Local\Temp\RebelCracked.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RebelCracked.exe"
        53⤵
        
        PID:7136
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        54⤵
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:1944
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        55⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:4472
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All
        56⤵
        
        PID:6120
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        57⤵
        
        PID:5568
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh wlan show profile
        57⤵
        
        PID:6856
        
        C:\Windows\SysWOW64\findstr.exe
        
        findstr All
        57⤵
        
        PID:6984
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd.exe" /C chcp 65001 && netsh wlan show networks mode=bssid
        56⤵
        
        PID:5664
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        57⤵
        
        PID:4960
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh wlan show networks mode=bssid
        57⤵
        
        PID:7404
        
        C:\Users\Admin\AppData\Local\Temp\RebelCracked.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RebelCracked.exe"
        54⤵
        Checks computer location settings
        
        PID:1068
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        55⤵
        Suspicious use of SetThreadContext
        
        PID:2436
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        56⤵
        Checks processor information in registry
        Suspicious use of AdjustPrivilegeToken
        
        PID:2332
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All
        57⤵
        System Location Discovery: System Language Discovery
        
        PID:764
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        58⤵
        
        PID:7916
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh wlan show profile
        58⤵
        
        PID:7060
        
        C:\Windows\SysWOW64\findstr.exe
        
        findstr All
        58⤵
        
        PID:7068
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd.exe" /C chcp 65001 && netsh wlan show networks mode=bssid
        57⤵
        
        PID:7468
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        58⤵
        
        PID:8072
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh wlan show networks mode=bssid
        58⤵
        
        PID:7840
        
        C:\Users\Admin\AppData\Local\Temp\RebelCracked.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RebelCracked.exe"
        55⤵
        Checks computer location settings
        
        PID:3496
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        56⤵
        Suspicious use of SetThreadContext
        
        PID:6608
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        57⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:5708
        
        C:\Users\Admin\AppData\Local\Temp\RebelCracked.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RebelCracked.exe"
        56⤵
        
        PID:3840
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        57⤵
        Suspicious use of SetThreadContext
        
        PID:5496
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        58⤵
        
        PID:6652
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        58⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:6568
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All
        59⤵
        
        PID:9564
        
        C:\Users\Admin\AppData\Local\Temp\RebelCracked.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RebelCracked.exe"
        57⤵
        
        PID:3424
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        58⤵
        Suspicious use of SetThreadContext
        
        PID:5460
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        59⤵
        
        PID:6204
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        59⤵
        
        PID:1440
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        59⤵
        
        PID:6760
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        59⤵
        Drops desktop.ini file(s)
        Suspicious use of AdjustPrivilegeToken
        
        PID:7016
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All
        60⤵
        
        PID:6488
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        61⤵
        
        PID:8364
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh wlan show profile
        61⤵
        System Network Configuration Discovery: Wi-Fi Discovery
        
        PID:9208
        
        C:\Windows\SysWOW64\findstr.exe
        
        findstr All
        61⤵
        
        PID:552
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd.exe" /C chcp 65001 && netsh wlan show networks mode=bssid
        60⤵
        
        PID:9888
        
        C:\Users\Admin\AppData\Local\Temp\RebelCracked.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RebelCracked.exe"
        58⤵
        
        PID:5720
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        59⤵
        Suspicious use of SetThreadContext
        
        PID:2356
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        60⤵
        Drops desktop.ini file(s)
        Suspicious use of AdjustPrivilegeToken
        
        PID:6816
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All
        61⤵
        System Network Configuration Discovery: Wi-Fi Discovery
        
        PID:1604
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        62⤵
        
        PID:8276
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh wlan show profile
        62⤵
        
        PID:8908
        
        C:\Windows\SysWOW64\findstr.exe
        
        findstr All
        62⤵
        
        PID:8956
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd.exe" /C chcp 65001 && netsh wlan show networks mode=bssid
        61⤵
        
        PID:9780
        
        C:\Users\Admin\AppData\Local\Temp\RebelCracked.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RebelCracked.exe"
        59⤵
        
        PID:6924
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        60⤵
        Suspicious use of SetThreadContext
        
        PID:2020
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        61⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:4872
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All
        62⤵
        
        PID:6068
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        63⤵
        
        PID:5128
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh wlan show profile
        63⤵
        System Network Configuration Discovery: Wi-Fi Discovery
        
        PID:3368
        
        C:\Windows\SysWOW64\findstr.exe
        
        findstr All
        63⤵
        
        PID:4104
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd.exe" /C chcp 65001 && netsh wlan show networks mode=bssid
        62⤵
        
        PID:7764
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        63⤵
        
        PID:7452
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh wlan show networks mode=bssid
        63⤵
        
        PID:6092
        
        C:\Users\Admin\AppData\Local\Temp\RebelCracked.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RebelCracked.exe"
        60⤵
        Checks computer location settings
        
        PID:4520
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        61⤵
        Suspicious use of SetThreadContext
        
        PID:5544
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        62⤵
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:5720
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All
        63⤵
        
        PID:7328
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        64⤵
        
        PID:1568
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh wlan show profile
        64⤵
        
        PID:3444
        
        C:\Windows\SysWOW64\findstr.exe
        
        findstr All
        64⤵
        
        PID:6208
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd.exe" /C chcp 65001 && netsh wlan show networks mode=bssid
        63⤵
        
        PID:5484
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        64⤵
        
        PID:7684
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh wlan show networks mode=bssid
        64⤵
        Event Triggered Execution: Netsh Helper DLL
        
        PID:4852
        
        C:\Users\Admin\AppData\Local\Temp\RebelCracked.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RebelCracked.exe"
        61⤵
        Checks computer location settings
        
        PID:1148
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        62⤵
        Suspicious use of SetThreadContext
        
        PID:5936
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        63⤵
        
        PID:2652
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        63⤵
        Drops desktop.ini file(s)
        Checks processor information in registry
        Suspicious use of AdjustPrivilegeToken
        
        PID:3952
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All
        64⤵
        
        PID:1092
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        65⤵
        
        PID:8588
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh wlan show profile
        65⤵
        
        PID:8700
        
        C:\Windows\SysWOW64\findstr.exe
        
        findstr All
        65⤵
        
        PID:8892
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd.exe" /C chcp 65001 && netsh wlan show networks mode=bssid
        64⤵
        
        PID:6768
        
        C:\Users\Admin\AppData\Local\Temp\RebelCracked.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RebelCracked.exe"
        62⤵
        
        PID:4596
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        63⤵
        Suspicious use of SetThreadContext
        
        PID:6312
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        64⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:6884
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All
        65⤵
        System Network Configuration Discovery: Wi-Fi Discovery
        
        PID:1068
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        66⤵
        
        PID:7756
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh wlan show profile
        66⤵
        
        PID:6976
        
        C:\Windows\SysWOW64\findstr.exe
        
        findstr All
        66⤵
        
        PID:6600
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd.exe" /C chcp 65001 && netsh wlan show networks mode=bssid
        65⤵
        
        PID:6516
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        66⤵
        
        PID:7880
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh wlan show networks mode=bssid
        66⤵
        
        PID:7332
        
        C:\Users\Admin\AppData\Local\Temp\RebelCracked.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RebelCracked.exe"
        63⤵
        
        PID:4576
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        64⤵
        Suspicious use of SetThreadContext
        
        PID:6984
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        65⤵
        
        PID:7316
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All
        66⤵
        
        PID:4296
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        67⤵
        
        PID:6352
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh wlan show profile
        67⤵
        
        PID:8072
        
        C:\Windows\SysWOW64\findstr.exe
        
        findstr All
        67⤵
        
        PID:1080
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd.exe" /C chcp 65001 && netsh wlan show networks mode=bssid
        66⤵
        
        PID:6084
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        67⤵
        
        PID:4556
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh wlan show networks mode=bssid
        67⤵
        
        PID:5188
        
        C:\Users\Admin\AppData\Local\Temp\RebelCracked.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RebelCracked.exe"
        64⤵
        Checks computer location settings
        
        PID:7228
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        65⤵
        Suspicious use of SetThreadContext
        
        PID:7060
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        66⤵
        
        PID:5860
        
        C:\Users\Admin\AppData\Local\Temp\RebelCracked.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RebelCracked.exe"
        65⤵
        
        PID:5032
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        66⤵
        Suspicious use of SetThreadContext
        
        PID:7360
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        67⤵
        
        PID:7432
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All
        68⤵
        
        PID:1668
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        69⤵
        
        PID:6564
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh wlan show profile
        69⤵
        
        PID:7612
        
        C:\Windows\SysWOW64\findstr.exe
        
        findstr All
        69⤵
        
        PID:5928
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd.exe" /C chcp 65001 && netsh wlan show networks mode=bssid
        68⤵
        
        PID:4164
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        69⤵
        
        PID:7172
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh wlan show networks mode=bssid
        69⤵
        Event Triggered Execution: Netsh Helper DLL
        
        PID:6020
        
        C:\Users\Admin\AppData\Local\Temp\RebelCracked.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RebelCracked.exe"
        66⤵
        
        PID:7392
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        67⤵
        
        PID:5764
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        68⤵
        
        PID:5340
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        68⤵
        Drops desktop.ini file(s)
        
        PID:432
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All
        69⤵
        
        PID:7280
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        70⤵
        
        PID:8604
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh wlan show profile
        70⤵
        
        PID:8388
        
        C:\Windows\SysWOW64\findstr.exe
        
        findstr All
        70⤵
        
        PID:8520
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd.exe" /C chcp 65001 && netsh wlan show networks mode=bssid
        69⤵
        
        PID:9096
        
        C:\Users\Admin\AppData\Local\Temp\RebelCracked.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RebelCracked.exe"
        67⤵
        Checks computer location settings
        
        PID:7232
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        68⤵
        
        PID:7236
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        69⤵
        
        PID:5540
        
        C:\Users\Admin\AppData\Local\Temp\RebelCracked.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RebelCracked.exe"
        68⤵
        
        PID:7188
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        69⤵
        
        PID:3932
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        70⤵
        Checks processor information in registry
        
        PID:6056
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All
        71⤵
        System Network Configuration Discovery: Wi-Fi Discovery
        
        PID:4088
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        72⤵
        
        PID:5536
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh wlan show profile
        72⤵
        System Network Configuration Discovery: Wi-Fi Discovery
        
        PID:5728
        
        C:\Windows\SysWOW64\findstr.exe
        
        findstr All
        72⤵
        
        PID:4944
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd.exe" /C chcp 65001 && netsh wlan show networks mode=bssid
        71⤵
        
        PID:1496
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        72⤵
        
        PID:6800
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh wlan show networks mode=bssid
        72⤵
        
        PID:7460
        
        C:\Users\Admin\AppData\Local\Temp\RebelCracked.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RebelCracked.exe"
        69⤵
        Checks computer location settings
        
        PID:6572
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        70⤵
        
        PID:7776
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        71⤵
        Drops desktop.ini file(s)
        
        PID:7904
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All
        72⤵
        
        PID:764
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        73⤵
        
        PID:5028
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh wlan show profile
        73⤵
        System Location Discovery: System Language Discovery
        
        PID:8916
        
        C:\Windows\SysWOW64\findstr.exe
        
        findstr All
        73⤵
        
        PID:8980
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd.exe" /C chcp 65001 && netsh wlan show networks mode=bssid
        72⤵
        
        PID:9852
        
        C:\Users\Admin\AppData\Local\Temp\RebelCracked.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RebelCracked.exe"
        70⤵
        
        PID:7724
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        71⤵
        
        PID:5172
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        72⤵
        
        PID:5040
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All
        73⤵
        
        PID:7920
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        74⤵
        
        PID:3292
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh wlan show profile
        74⤵
        
        PID:4492
        
        C:\Windows\SysWOW64\findstr.exe
        
        findstr All
        74⤵
        
        PID:7560
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd.exe" /C chcp 65001 && netsh wlan show networks mode=bssid
        73⤵
        
        PID:6200
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        74⤵
        
        PID:4284
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh wlan show networks mode=bssid
        74⤵
        Event Triggered Execution: Netsh Helper DLL
        
        PID:1868
        
        C:\Users\Admin\AppData\Local\Temp\RebelCracked.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RebelCracked.exe"
        71⤵
        
        PID:5808
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        72⤵
        
        PID:7672
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        73⤵
        
        PID:8180
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        73⤵
        Checks processor information in registry
        
        PID:6488
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All
        74⤵
        
        PID:6524
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        75⤵
        
        PID:2456
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh wlan show profile
        75⤵
        Event Triggered Execution: Netsh Helper DLL
        
        PID:5112
        
        C:\Windows\SysWOW64\findstr.exe
        
        findstr All
        75⤵
        
        PID:7336
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd.exe" /C chcp 65001 && netsh wlan show networks mode=bssid
        74⤵
        
        PID:1612
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        75⤵
        
        PID:7592
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh wlan show networks mode=bssid
        75⤵
        
        PID:1716
        
        C:\Users\Admin\AppData\Local\Temp\RebelCracked.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RebelCracked.exe"
        72⤵
        
        PID:3368
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        73⤵
        
        PID:3044
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        74⤵
        Drops desktop.ini file(s)
        
        PID:7224
        
        C:\Users\Admin\AppData\Local\Temp\RebelCracked.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RebelCracked.exe"
        73⤵
        
        PID:7652
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        74⤵
        
        PID:7900
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        75⤵
        
        PID:7312
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All
        76⤵
        
        PID:8096
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        77⤵
        
        PID:8612
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh wlan show profile
        77⤵
        
        PID:8280
        
        C:\Windows\SysWOW64\findstr.exe
        
        findstr All
        77⤵
        
        PID:8500
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd.exe" /C chcp 65001 && netsh wlan show networks mode=bssid
        76⤵
        
        PID:9060
        
        C:\Users\Admin\AppData\Local\Temp\RebelCracked.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RebelCracked.exe"
        74⤵
        
        PID:5392
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        75⤵
        
        PID:3960
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        76⤵
        
        PID:3832
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        76⤵
        Drops desktop.ini file(s)
        Checks processor information in registry
        
        PID:7544
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All
        77⤵
        
        PID:6208
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        78⤵
        
        PID:4692
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh wlan show profile
        78⤵
        System Network Configuration Discovery: Wi-Fi Discovery
        
        PID:7940
        
        C:\Windows\SysWOW64\findstr.exe
        
        findstr All
        78⤵
        
        PID:5172
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd.exe" /C chcp 65001 && netsh wlan show networks mode=bssid
        77⤵
        
        PID:6896
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        78⤵
        System Location Discovery: System Language Discovery
        
        PID:7800
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh wlan show networks mode=bssid
        78⤵
        
        PID:7788
        
        C:\Users\Admin\AppData\Local\Temp\RebelCracked.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RebelCracked.exe"
        75⤵
        
        PID:5664
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        76⤵
        
        PID:7812
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        77⤵
        
        PID:6872
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        77⤵
        Drops desktop.ini file(s)
        System Location Discovery: System Language Discovery
        
        PID:3180
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All
        78⤵
        System Network Configuration Discovery: Wi-Fi Discovery
        
        PID:1612
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        79⤵
        
        PID:6288
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh wlan show profile
        79⤵
        System Network Configuration Discovery: Wi-Fi Discovery
        
        PID:8452
        
        C:\Windows\SysWOW64\findstr.exe
        
        findstr All
        79⤵
        
        PID:8660
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd.exe" /C chcp 65001 && netsh wlan show networks mode=bssid
        78⤵
        
        PID:9772
        
        C:\Users\Admin\AppData\Local\Temp\RebelCracked.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RebelCracked.exe"
        76⤵
        
        PID:6876
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        77⤵
        
        PID:6012
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        78⤵
        System Location Discovery: System Language Discovery
        
        PID:4244
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All
        79⤵
        
        PID:5188
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        80⤵
        
        PID:8352
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh wlan show profile
        80⤵
        
        PID:9112
        
        C:\Windows\SysWOW64\findstr.exe
        
        findstr All
        80⤵
        
        PID:9164
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd.exe" /C chcp 65001 && netsh wlan show networks mode=bssid
        79⤵
        
        PID:8888
        
        C:\Users\Admin\AppData\Local\Temp\RebelCracked.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RebelCracked.exe"
        77⤵
        
        PID:7688
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        78⤵
        
        PID:3444
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        79⤵
        Drops desktop.ini file(s)
        
        PID:3548
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All
        80⤵
        
        PID:7700
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        81⤵
        
        PID:8260
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh wlan show profile
        81⤵
        
        PID:8948
        
        C:\Windows\SysWOW64\findstr.exe
        
        findstr All
        81⤵
        
        PID:9024
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd.exe" /C chcp 65001 && netsh wlan show networks mode=bssid
        80⤵
        
        PID:10188
        
        C:\Users\Admin\AppData\Local\Temp\RebelCracked.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RebelCracked.exe"
        78⤵
        Checks computer location settings
        
        PID:6020
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        79⤵
        
        PID:4576
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        80⤵
        
        PID:5412
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        80⤵
        
        PID:5420
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        80⤵
        
        PID:7240
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        80⤵
        Drops desktop.ini file(s)
        System Location Discovery: System Language Discovery
        
        PID:5196
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All
        81⤵
        
        PID:7524
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        82⤵
        
        PID:7972
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh wlan show profile
        82⤵
        
        PID:8060
        
        C:\Windows\SysWOW64\findstr.exe
        
        findstr All
        82⤵
        
        PID:7892
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd.exe" /C chcp 65001 && netsh wlan show networks mode=bssid
        81⤵
        
        PID:7200
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        82⤵
        
        PID:1336
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh wlan show networks mode=bssid
        82⤵
        
        PID:3620
        
        C:\Users\Admin\AppData\Local\Temp\RebelCracked.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RebelCracked.exe"
        79⤵
        
        PID:6908
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        80⤵
        
        PID:7436
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        81⤵
        
        PID:8028
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        81⤵
        Drops desktop.ini file(s)
        
        PID:7992
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All
        82⤵
        
        PID:6664
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        83⤵
        
        PID:6396
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh wlan show profile
        83⤵
        
        PID:7620
        
        C:\Windows\SysWOW64\findstr.exe
        
        findstr All
        83⤵
        
        PID:8176
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd.exe" /C chcp 65001 && netsh wlan show networks mode=bssid
        82⤵
        
        PID:7256
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        83⤵
        
        PID:5300
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh wlan show networks mode=bssid
        83⤵
        Event Triggered Execution: Netsh Helper DLL
        
        PID:4880
        
        C:\Users\Admin\AppData\Local\Temp\RebelCracked.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RebelCracked.exe"
        80⤵
        Checks computer location settings
        
        PID:7172
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        81⤵
        
        PID:4852
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        82⤵
        Drops desktop.ini file(s)
        
        PID:6296
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All
        83⤵
        System Network Configuration Discovery: Wi-Fi Discovery
        
        PID:6792
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        84⤵
        System Location Discovery: System Language Discovery
        
        PID:6060
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh wlan show profile
        84⤵
        
        PID:3908
        
        C:\Windows\SysWOW64\findstr.exe
        
        findstr All
        84⤵
        
        PID:5236
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd.exe" /C chcp 65001 && netsh wlan show networks mode=bssid
        83⤵
        
        PID:2424
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        84⤵
        
        PID:6316
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh wlan show networks mode=bssid
        84⤵
        
        PID:5972
        
        C:\Users\Admin\AppData\Local\Temp\RebelCracked.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RebelCracked.exe"
        81⤵
        Checks computer location settings
        
        PID:8040
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        82⤵
        
        PID:7504
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        83⤵
        System Location Discovery: System Language Discovery
        Checks processor information in registry
        
        PID:5712
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All
        84⤵
        
        PID:8140
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        85⤵
        
        PID:7892
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh wlan show profile
        85⤵
        Event Triggered Execution: Netsh Helper DLL
        System Location Discovery: System Language Discovery
        
        PID:3444
        
        C:\Windows\SysWOW64\findstr.exe
        
        findstr All
        85⤵
        
        PID:8176
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd.exe" /C chcp 65001 && netsh wlan show networks mode=bssid
        84⤵
        
        PID:6852
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        85⤵
        
        PID:3724
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh wlan show networks mode=bssid
        85⤵
        
        PID:5828
        
        C:\Users\Admin\AppData\Local\Temp\RebelCracked.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RebelCracked.exe"
        82⤵
        Checks computer location settings
        
        PID:6456
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        83⤵
        System Location Discovery: System Language Discovery
        
        PID:3168
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        84⤵
        
        PID:7872
        
        C:\Users\Admin\AppData\Local\Temp\RebelCracked.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RebelCracked.exe"
        83⤵
        
        PID:8128
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        84⤵
        
        PID:6628
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        85⤵
        System Location Discovery: System Language Discovery
        Checks processor information in registry
        
        PID:1568
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All
        86⤵
        System Network Configuration Discovery: Wi-Fi Discovery
        
        PID:4892
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        87⤵
        
        PID:8488
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh wlan show profile
        87⤵
        Event Triggered Execution: Netsh Helper DLL
        
        PID:9192
        
        C:\Windows\SysWOW64\findstr.exe
        
        findstr All
        87⤵
        
        PID:3584
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd.exe" /C chcp 65001 && netsh wlan show networks mode=bssid
        86⤵
        
        PID:8984
        
        C:\Users\Admin\AppData\Local\Temp\RebelCracked.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RebelCracked.exe"
        84⤵
        Checks computer location settings
        
        PID:2628
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        85⤵
        
        PID:5324
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        86⤵
        Checks processor information in registry
        
        PID:916
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All
        87⤵
        
        PID:4852
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        88⤵
        
        PID:8428
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh wlan show profile
        88⤵
        
        PID:6716
        
        C:\Windows\SysWOW64\findstr.exe
        
        findstr All
        88⤵
        
        PID:8384
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd.exe" /C chcp 65001 && netsh wlan show networks mode=bssid
        87⤵
        
        PID:2396
        
        C:\Users\Admin\AppData\Local\Temp\RebelCracked.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RebelCracked.exe"
        85⤵
        
        PID:6316
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        86⤵
        
        PID:4396
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        87⤵
        
        PID:2188
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        87⤵
        
        PID:6504
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        87⤵
        
        PID:7360
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        87⤵
        
        PID:1780
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All
        88⤵
        System Network Configuration Discovery: Wi-Fi Discovery
        
        PID:7484
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        89⤵
        
        PID:8312
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh wlan show profile
        89⤵
        
        PID:7452
        
        C:\Windows\SysWOW64\findstr.exe
        
        findstr All
        89⤵
        
        PID:9044
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd.exe" /C chcp 65001 && netsh wlan show networks mode=bssid
        88⤵
        
        PID:9860
        
        C:\Users\Admin\AppData\Local\Temp\RebelCracked.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RebelCracked.exe"
        86⤵
        Checks computer location settings
        
        PID:856
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        87⤵
        
        PID:5840
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        88⤵
        Checks processor information in registry
        
        PID:4512
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All
        89⤵
        
        PID:8060
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        90⤵
        
        PID:8524
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh wlan show profile
        90⤵
        
        PID:8432
        
        C:\Windows\SysWOW64\findstr.exe
        
        findstr All
        90⤵
        
        PID:8788
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd.exe" /C chcp 65001 && netsh wlan show networks mode=bssid
        89⤵
        
        PID:10196
        
        C:\Users\Admin\AppData\Local\Temp\RebelCracked.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RebelCracked.exe"
        87⤵
        Checks computer location settings
        
        PID:5220
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        88⤵
        
        PID:8044
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        89⤵
        Drops desktop.ini file(s)
        
        PID:7812
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All
        90⤵
        
        PID:4692
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        91⤵
        
        PID:3748
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        91⤵
        
        PID:6068
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh wlan show profile
        91⤵
        System Network Configuration Discovery: Wi-Fi Discovery
        
        PID:8456
        
        C:\Windows\SysWOW64\findstr.exe
        
        findstr All
        91⤵
        
        PID:8632
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd.exe" /C chcp 65001 && netsh wlan show networks mode=bssid
        90⤵
        
        PID:9796
        
        C:\Users\Admin\AppData\Local\Temp\RebelCracked.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RebelCracked.exe"
        88⤵
        Checks computer location settings
        
        PID:2596
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        89⤵
        
        PID:2876
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        90⤵
        Drops desktop.ini file(s)
        
        PID:7684
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All
        91⤵
        System Network Configuration Discovery: Wi-Fi Discovery
        
        PID:1460
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        92⤵
        
        PID:5240
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh wlan show profile
        92⤵
        System Network Configuration Discovery: Wi-Fi Discovery
        
        PID:6864
        
        C:\Windows\SysWOW64\findstr.exe
        
        findstr All
        92⤵
        
        PID:1136
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd.exe" /C chcp 65001 && netsh wlan show networks mode=bssid
        91⤵
        
        PID:5112
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        92⤵
        
        PID:5508
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh wlan show networks mode=bssid
        92⤵
        
        PID:3288
        
        C:\Users\Admin\AppData\Local\Temp\RebelCracked.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RebelCracked.exe"
        89⤵
        
        PID:6572
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        90⤵
        
        PID:7848
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        91⤵
        
        PID:6592
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        91⤵
        Drops desktop.ini file(s)
        
        PID:6628
        
        C:\Users\Admin\AppData\Local\Temp\RebelCracked.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RebelCracked.exe"
        90⤵
        
        PID:6300
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        91⤵
        
        PID:4748
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        92⤵
        Drops desktop.ini file(s)
        Checks processor information in registry
        
        PID:5432
        
        C:\Users\Admin\AppData\Local\Temp\RebelCracked.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RebelCracked.exe"
        91⤵
        Checks computer location settings
        
        PID:3288
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        92⤵
        
        PID:7696
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        93⤵
        
        PID:6588
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All
        94⤵
        
        PID:9828
        
        C:\Users\Admin\AppData\Local\Temp\RebelCracked.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RebelCracked.exe"
        92⤵
        
        PID:8124
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        93⤵
        
        PID:7348
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        94⤵
        Checks processor information in registry
        
        PID:7668
        
        C:\Users\Admin\AppData\Local\Temp\RebelCracked.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RebelCracked.exe"
        93⤵
        
        PID:6848
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        94⤵
        
        PID:7560
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        95⤵
        
        PID:4500
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        95⤵
        Drops desktop.ini file(s)
        
        PID:6800
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All
        96⤵
        
        PID:5572
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        97⤵
        
        PID:8072
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh wlan show profile
        97⤵
        
        PID:8704
        
        C:\Windows\SysWOW64\findstr.exe
        
        findstr All
        97⤵
        
        PID:8760
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd.exe" /C chcp 65001 && netsh wlan show networks mode=bssid
        96⤵
        
        PID:8288
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        97⤵
        
        PID:10064
        
        C:\Users\Admin\AppData\Local\Temp\RebelCracked.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RebelCracked.exe"
        94⤵
        Checks computer location settings
        
        PID:4076
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        95⤵
        
        PID:1480
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        96⤵
        
        PID:364
        
        C:\Users\Admin\AppData\Local\Temp\RebelCracked.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RebelCracked.exe"
        95⤵
        Checks computer location settings
        
        PID:3688
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        96⤵
        
        PID:2724
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        97⤵
        Drops desktop.ini file(s)
        
        PID:1068
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All
        98⤵
        System Network Configuration Discovery: Wi-Fi Discovery
        
        PID:3972
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        99⤵
        
        PID:8556
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh wlan show profile
        99⤵
        Event Triggered Execution: Netsh Helper DLL
        
        PID:3908
        
        C:\Windows\SysWOW64\findstr.exe
        
        findstr All
        99⤵
        
        PID:8504
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd.exe" /C chcp 65001 && netsh wlan show networks mode=bssid
        98⤵
        
        PID:9992
        
        C:\Users\Admin\AppData\Local\Temp\RebelCracked.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RebelCracked.exe"
        96⤵
        Checks computer location settings
        
        PID:6896
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        97⤵
        
        PID:5400
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        98⤵
        
        PID:7024
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        98⤵
        Drops desktop.ini file(s)
        
        PID:8184
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All
        99⤵
        
        PID:6320
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        100⤵
        
        PID:8268
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh wlan show profile
        100⤵
        
        PID:9016
        
        C:\Windows\SysWOW64\findstr.exe
        
        findstr All
        100⤵
        
        PID:9064
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd.exe" /C chcp 65001 && netsh wlan show networks mode=bssid
        99⤵
        
        PID:10112
        
        C:\Users\Admin\AppData\Local\Temp\RebelCracked.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RebelCracked.exe"
        97⤵
        
        PID:8060
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        98⤵
        
        PID:3292
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        99⤵
        
        PID:4584
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        99⤵
        
        PID:2472
        
        C:\Users\Admin\AppData\Local\Temp\RebelCracked.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RebelCracked.exe"
        98⤵
        
        PID:7260
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        99⤵
        
        PID:7512
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        100⤵
        
        PID:1228
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All
        101⤵
        
        PID:4560
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        102⤵
        
        PID:8672
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh wlan show profile
        102⤵
        Event Triggered Execution: Netsh Helper DLL
        
        PID:8092
        
        C:\Windows\SysWOW64\findstr.exe
        
        findstr All
        102⤵
        
        PID:8768
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd.exe" /C chcp 65001 && netsh wlan show networks mode=bssid
        101⤵
        
        PID:5308
        
        C:\Users\Admin\AppData\Local\Temp\RebelCracked.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RebelCracked.exe"
        99⤵
        Checks computer location settings
        
        PID:6992
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        100⤵
        
        PID:6200
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        101⤵
        Checks processor information in registry
        
        PID:8064
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All
        102⤵
        
        PID:5932
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        103⤵
        
        PID:8648
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh wlan show profile
        103⤵
        
        PID:9000
        
        C:\Windows\SysWOW64\findstr.exe
        
        findstr All
        103⤵
        
        PID:8628
        
        C:\Users\Admin\AppData\Local\Temp\RebelCracked.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RebelCracked.exe"
        100⤵
        
        PID:7040
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        101⤵
        
        PID:5876
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        102⤵
        
        PID:4916
        
        C:\Users\Admin\AppData\Local\Temp\RebelCracked.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RebelCracked.exe"
        101⤵
        
        PID:7792
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        102⤵
        
        PID:3792
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        103⤵
        Checks processor information in registry
        
        PID:7108
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All
        104⤵
        
        PID:372
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        105⤵
        
        PID:1660
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh wlan show profile
        105⤵
        System Network Configuration Discovery: Wi-Fi Discovery
        
        PID:8848
        
        C:\Windows\SysWOW64\findstr.exe
        
        findstr All
        105⤵
        
        PID:8880
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd.exe" /C chcp 65001 && netsh wlan show networks mode=bssid
        104⤵
        
        PID:9652
        
        C:\Users\Admin\AppData\Local\Temp\RebelCracked.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RebelCracked.exe"
        102⤵
        Checks computer location settings
        
        PID:2516
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        103⤵
        
        PID:2612
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        104⤵
        
        PID:6152
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All
        105⤵
        System Network Configuration Discovery: Wi-Fi Discovery
        
        PID:7112
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        106⤵
        
        PID:8692
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh wlan show profile
        106⤵
        System Network Configuration Discovery: Wi-Fi Discovery
        
        PID:8728
        
        C:\Windows\SysWOW64\findstr.exe
        
        findstr All
        106⤵
        
        PID:8712
        
        C:\Users\Admin\AppData\Local\Temp\RebelCracked.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RebelCracked.exe"
        103⤵
        
        PID:7160
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        104⤵
        
        PID:5588
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        105⤵
        
        PID:5256
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        105⤵
        
        PID:5152
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All
        106⤵
        
        PID:7512
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        107⤵
        
        PID:8792
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh wlan show profile
        107⤵
        
        PID:8932
        
        C:\Windows\SysWOW64\findstr.exe
        
        findstr All
        107⤵
        
        PID:8992
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd.exe" /C chcp 65001 && netsh wlan show networks mode=bssid
        106⤵
        
        PID:3772
        
        C:\Users\Admin\AppData\Local\Temp\RebelCracked.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RebelCracked.exe"
        104⤵
        
        PID:5360
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        105⤵
        
        PID:2456
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        106⤵
        
        PID:4112
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        106⤵
        Drops desktop.ini file(s)
        
        PID:3932
        
        C:\Users\Admin\AppData\Local\Temp\RebelCracked.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RebelCracked.exe"
        105⤵
        
        PID:8140
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        106⤵
        
        PID:7276
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        107⤵
        
        PID:7064
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        107⤵
        
        PID:6660
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        107⤵
        
        PID:5940
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        107⤵
        
        PID:3776
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All
        108⤵
        System Network Configuration Discovery: Wi-Fi Discovery
        
        PID:3420
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        109⤵
        
        PID:8576
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh wlan show profile
        109⤵
        System Network Configuration Discovery: Wi-Fi Discovery
        
        PID:8572
        
        C:\Windows\SysWOW64\findstr.exe
        
        findstr All
        109⤵
        
        PID:9184
        
        C:\Users\Admin\AppData\Local\Temp\RebelCracked.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RebelCracked.exe"
        106⤵
        
        PID:7996
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        107⤵
        
        PID:5072
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        108⤵
        Drops desktop.ini file(s)
        Checks processor information in registry
        
        PID:4724
        
        C:\Users\Admin\AppData\Local\Temp\RebelCracked.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RebelCracked.exe"
        107⤵
        
        PID:7724
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        108⤵
        
        PID:5828
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        109⤵
        Drops desktop.ini file(s)
        
        PID:3292
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All
        110⤵
        
        PID:7252
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        111⤵
        
        PID:2980
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh wlan show profile
        111⤵
        
        PID:5188
        
        C:\Windows\SysWOW64\findstr.exe
        
        findstr All
        111⤵
        
        PID:6012
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd.exe" /C chcp 65001 && netsh wlan show networks mode=bssid
        110⤵
        
        PID:1660
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        111⤵
        
        PID:7364
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh wlan show networks mode=bssid
        111⤵
        
        PID:7988
        
        C:\Users\Admin\AppData\Local\Temp\RebelCracked.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RebelCracked.exe"
        108⤵
        
        PID:6020
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        109⤵
        
        PID:6820
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        110⤵
        Drops desktop.ini file(s)
        
        PID:7288
        
        C:\Users\Admin\AppData\Local\Temp\RebelCracked.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RebelCracked.exe"
        109⤵
        Checks computer location settings
        
        PID:7200
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        110⤵
        
        PID:4220
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        111⤵
        
        PID:6184
        
        C:\Users\Admin\AppData\Local\Temp\RebelCracked.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RebelCracked.exe"
        110⤵
        
        PID:6896
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        111⤵
        
        PID:7384
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        112⤵
        
        PID:4320
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        112⤵
        Checks processor information in registry
        
        PID:5556
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All
        113⤵
        System Location Discovery: System Language Discovery
        
        PID:1800
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        114⤵
        
        PID:8200
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh wlan show profile
        114⤵
        System Network Configuration Discovery: Wi-Fi Discovery
        
        PID:8876
        
        C:\Windows\SysWOW64\findstr.exe
        
        findstr All
        114⤵
        
        PID:9060
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd.exe" /C chcp 65001 && netsh wlan show networks mode=bssid
        113⤵
        
        PID:10020
        
        C:\Users\Admin\AppData\Local\Temp\RebelCracked.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RebelCracked.exe"
        111⤵
        Checks computer location settings
        
        PID:5536
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        112⤵
        
        PID:712
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        113⤵
        
        PID:1904
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        113⤵
        Checks processor information in registry
        
        PID:1680
        
        C:\Users\Admin\AppData\Local\Temp\RebelCracked.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RebelCracked.exe"
        112⤵
        Checks computer location settings
        
        PID:8124
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        113⤵
        
        PID:5624
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        114⤵
        Checks processor information in registry
        
        PID:7012
        
        C:\Users\Admin\AppData\Local\Temp\RebelCracked.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RebelCracked.exe"
        113⤵
        Checks computer location settings
        
        PID:6940
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        114⤵
        
        PID:6696
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        115⤵
        
        PID:6420
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        115⤵
        
        PID:5280
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        115⤵
        
        PID:3532
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        115⤵
        Drops desktop.ini file(s)
        
        PID:6756
        
        C:\Users\Admin\AppData\Local\Temp\RebelCracked.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RebelCracked.exe"
        114⤵
        
        PID:3956
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        115⤵
        
        PID:712
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        116⤵
        
        PID:3564
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        116⤵
        Drops desktop.ini file(s)
        Checks processor information in registry
        
        PID:5928
        
        C:\Users\Admin\AppData\Local\Temp\RebelCracked.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RebelCracked.exe"
        115⤵
        
        PID:5768
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        116⤵
        
        PID:7416
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        117⤵
        Checks processor information in registry
        
        PID:1148
        
        C:\Users\Admin\AppData\Local\Temp\RebelCracked.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RebelCracked.exe"
        116⤵
        Checks computer location settings
        
        PID:7676
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        117⤵
        
        PID:3100
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        118⤵
        Drops desktop.ini file(s)
        Checks processor information in registry
        
        PID:7888
        
        C:\Users\Admin\AppData\Local\Temp\RebelCracked.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RebelCracked.exe"
        117⤵
        
        PID:6564
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        118⤵
        
        PID:7232
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        119⤵
        
        PID:4072
        
        C:\Users\Admin\AppData\Local\Temp\RebelCracked.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RebelCracked.exe"
        118⤵
        
        PID:3184
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        119⤵
        
        PID:7248
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        120⤵
        Drops desktop.ini file(s)
        Checks processor information in registry
        
        PID:7028
        
        C:\Users\Admin\AppData\Local\Temp\RebelCracked.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RebelCracked.exe"
        119⤵
        Checks computer location settings
        
        PID:5392
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        120⤵
        
        PID:3028
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        121⤵
        Drops desktop.ini file(s)
        
        PID:8436
        
        C:\Users\Admin\AppData\Local\Temp\RebelCracked.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RebelCracked.exe"
        120⤵
        Checks computer location settings
        
        PID:8212
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        121⤵
        
        PID:8304
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        122⤵
        Checks processor information in registry
        
        PID:9432
        
        C:\Users\Admin\AppData\Local\Temp\RebelCracked.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RebelCracked.exe"
        121⤵
        Checks computer location settings
        
        PID:8636

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --profile-directory=Default
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1572
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x120,0x124,0x128,0xf8,0x12c,0x7ff8fd1146f8,0x7ff8fd114708,0x7ff8fd114718
  2⤵
  - Checks processor information in registry
  - Enumerates system info in registry
  PID:3940
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2272,18141363483004746162,11566873266965119348,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2260 /prefetch:2
  2⤵
  PID:5116
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2272,18141363483004746162,11566873266965119348,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2324 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3604
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2272,18141363483004746162,11566873266965119348,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2716 /prefetch:8
  2⤵
  PID:620
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2272,18141363483004746162,11566873266965119348,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3300 /prefetch:1
  2⤵
  PID:888
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2272,18141363483004746162,11566873266965119348,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3308 /prefetch:1
  2⤵
  PID:4808
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2272,18141363483004746162,11566873266965119348,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4792 /prefetch:1
  2⤵
  PID:3208
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2272,18141363483004746162,11566873266965119348,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4836 /prefetch:1
  2⤵
  PID:3156
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2272,18141363483004746162,11566873266965119348,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5292 /prefetch:1
  2⤵
  PID:808
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2272,18141363483004746162,11566873266965119348,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5320 /prefetch:1
  2⤵
  PID:1528
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2272,18141363483004746162,11566873266965119348,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5096 /prefetch:1
  2⤵
  PID:4300
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2272,18141363483004746162,11566873266965119348,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5412 /prefetch:8
  2⤵
  PID:6024
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2272,18141363483004746162,11566873266965119348,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5412 /prefetch:8
  2⤵
  PID:5452
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2272,18141363483004746162,11566873266965119348,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2012 /prefetch:1
  2⤵
  PID:5132
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2272,18141363483004746162,11566873266965119348,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3548 /prefetch:1
  2⤵
  PID:2420
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=2272,18141363483004746162,11566873266965119348,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=1876 /prefetch:8
  2⤵
  PID:4776
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --field-trial-handle=2272,18141363483004746162,11566873266965119348,131072 --lang=en-US --service-sandbox-type=video_capture --mojo-platform-channel-handle=1720 /prefetch:8
  2⤵
  - Modifies registry class
  PID:6064
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2272,18141363483004746162,11566873266965119348,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4788 /prefetch:1
  2⤵
  PID:2840
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2272,18141363483004746162,11566873266965119348,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5832 /prefetch:1
  2⤵
  PID:5236
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2272,18141363483004746162,11566873266965119348,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4548 /prefetch:1
  2⤵
  PID:6848
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2272,18141363483004746162,11566873266965119348,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5516 /prefetch:1
  2⤵
  PID:5976
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2272,18141363483004746162,11566873266965119348,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5528 /prefetch:1
  2⤵
  PID:7028
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2272,18141363483004746162,11566873266965119348,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1716 /prefetch:1
  2⤵
  PID:5776
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2272,18141363483004746162,11566873266965119348,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=6444 /prefetch:2
  2⤵
  PID:6512
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2272,18141363483004746162,11566873266965119348,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=24 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5232 /prefetch:1
  2⤵
  PID:8092
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2272,18141363483004746162,11566873266965119348,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=25 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6928 /prefetch:1
  2⤵
  PID:5148
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2272,18141363483004746162,11566873266965119348,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=26 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6940 /prefetch:1
  2⤵
  PID:6328

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3688

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4584

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x470 0x404
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1964

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s BthAvctpSvc
1⤵
PID:2052

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Privilege Escalation

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Defense Evasion

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

System Network Configuration Discovery

T1016

Wi-Fi Discovery

T1016.002

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\040b5477f88fab961bb3378764c3009c\Admin@KVIWLPUJ_en-US\Browsers\Edge\History.txt

Filesize
3KB

MD5
2d0a2930a1f597b9c9541410c2118847

SHA1
28f7fbdc25e0b992b361eb20785df17262f10d0d

SHA256
b6a1e8109ea1964bf83ca4948b447ec3ffe462e34c2e5b3b99aec726b3815b30

SHA512
92b99316b3d0c66c597bf9d859e38b66c1fbdd8a80ee24ecc027f3054a8d1939622d7548cbbfe77233bfe4a960f972636fad1ed53c96f5b90a03ac9ea20a084f

Download Submit
C:\Users\Admin\AppData\Local\040b5477f88fab961bb3378764c3009c\Admin@KVIWLPUJ_en-US\Browsers\Firefox\Bookmarks.txt

Filesize
105B

MD5
2e9d094dda5cdc3ce6519f75943a4ff4

SHA1
5d989b4ac8b699781681fe75ed9ef98191a5096c

SHA256
c84c98bbf5e0ef9c8d0708b5d60c5bb656b7d6be5135d7f7a8d25557e08cf142

SHA512
d1f7eed00959e902bdb2125b91721460d3ff99f3bdfc1f2a343d4f58e8d4e5e5a06c0c6cdc0379211c94510f7c00d7a8b34fa7d0ca0c3d54cbbe878f1e9812b7

Download Submit
C:\Users\Admin\AppData\Local\040b5477f88fab961bb3378764c3009c\Admin@KVIWLPUJ_en-US\System\Process.txt

Filesize
4KB

MD5
502bbf0967533d62513328ca61c7c6c5

SHA1
08ced84d575346e438a28bd04b70fc1529749486

SHA256
72af503c2fd0a4eb45bd6ef538f04d4b9a05a8e72e3642e9fe236a9b5eeb94a1

SHA512
f67313f10bf3c4f84df9987f881c6ae9e7755aadcd31282e9d1930f9d6896def5b26ec2980142c0d8cbddf94257992e1b8124abfb0b27fd79158b83fd456e82f

Download Submit
C:\Users\Admin\AppData\Local\040b5477f88fab961bb3378764c3009c\Admin@KVIWLPUJ_en-US\System\Process.txt

Filesize
4KB

MD5
f55af0248644292a75961c71e485fea3

SHA1
304470e54f5db48d2e7e38b57bbd7147bdea3c5f

SHA256
204457b4ed78efb0d11d371690644241af2e51cb8684cf6b601417bad3a7bc17

SHA512
ab427894f44b238c4d52c776970536e19a078775d67aa773fc416a752221da2531982a34618a9016f1bd486dafedbe6f45bf66f35ce9ede4ef798c0624a99892

Download Submit
C:\Users\Admin\AppData\Local\040b5477f88fab961bb3378764c3009c\Admin@KVIWLPUJ_en-US\System\Process.txt

Filesize
1KB

MD5
2ca354243aeec8f7332c018e36f19a96

SHA1
24aa232b3b41a1ef525db01287d7126277400d32

SHA256
08cf91600105b5848fd6215d4bade3490bac063658e206cad8327628fcaee9f7

SHA512
d1368ae2197dcdf5ab5aad10506cd1f955d583d6f7c8ee63d08326c1a8c5f542f11c36d446950703006a3a61d499f1c683028f62d55a619f2bf49d70dfb0a556

Download Submit
C:\Users\Admin\AppData\Local\040b5477f88fab961bb3378764c3009c\Admin@KVIWLPUJ_en-US\System\Process.txt

Filesize
4KB

MD5
9a2d048f01c0644228cd8a91da1789ac

SHA1
3bfdd647ca19c68187e744174c84c4716ae668fd

SHA256
13947fe846538190aa799e79d621e90f64dace38c8a06d120cb14447e7574f0b

SHA512
29fd611de04429284bbcab9b0fe30aa0159a52e586c8ac759766efa635dbc021f132559e9dda7e3bbd96791133c354551fc9b657aa087b4b0fe90886fe0645f4

Download Submit
C:\Users\Admin\AppData\Local\11d9d4f3b4d40f0301d279a4756db7d8\Admin@KVIWLPUJ_en-US\Directories\Temp.txt

Filesize
21KB

MD5
9e31ae0c96bef1c44400ffeee130a753

SHA1
3388e23861f2d237643f0d388405f8048683f0da

SHA256
76997bd13c61ba5749732b155d5e17f6d8ad823f2a043239f3c71a212ac7c860

SHA512
25996d09ecf6095c8dcfe08cbf01a61bfa43400c80858818727e3945bcd64a23161239221509a3d13deaba487ffd68a7525c527ebdd2e508fc4844c43a31e5e6

Download Submit
C:\Users\Admin\AppData\Local\11d9d4f3b4d40f0301d279a4756db7d8\Admin@KVIWLPUJ_en-US\System\Process.txt

Filesize
64B

MD5
8733ea33831c3af95ad45dd72a432448

SHA1
47437adfebabd118295732582a5cee97a408d285

SHA256
0c511addc1203f1917dd941cfbd6ee1fdaf3fed6fcb1c5db41865b20eecec924

SHA512
add72bfd41c6e7335e72fe07b9179bb70865bb9e76612a41dcbb36ce71cf9fd17f0ce1d3a6cd6b528fc86e7a6fb37d737344247cff783b7526c7e3d89bea0e75

Download Submit
C:\Users\Admin\AppData\Local\11d9d4f3b4d40f0301d279a4756db7d8\Admin@KVIWLPUJ_en-US\System\Process.txt

Filesize
4KB

MD5
6cc80de0d442c4d73b3af39501fc6263

SHA1
cf5a8c2e8967051d69fc5dab1256783d0dbdf6f8

SHA256
97b93546f8d548af2e5f57bd515bed24f11974609858507fc1b802e5eeed28c4

SHA512
bb29ce58fd1f0ff1fddb52fef9e47c49e1ac3202187de1c9619b258a82eba4d3bf165eb7fb5123626e7a4efc1e260abdb739725028532932448b4bc3c8f7eadf

Download Submit
C:\Users\Admin\AppData\Local\11d9d4f3b4d40f0301d279a4756db7d8\Admin@KVIWLPUJ_en-US\System\Process.txt

Filesize
590B

MD5
ac047df30a9d8885f4571384e2613c21

SHA1
9e5b6041e09994b76f64d7a9656456816e8e6524

SHA256
0b300d58fa4ed349416bd6f178db5f0063a1b7017a64c076fcdb70492cada07e

SHA512
1c10b66ffb351b270aa5519ede6e170707d3e20cbdb4a40b8e05f5b22c36d846ee9d43dc26dbd22c961f9986b835b5fe466b7cb77ae27104f4ce2baabbc886e5

Download Submit
C:\Users\Admin\AppData\Local\11d9d4f3b4d40f0301d279a4756db7d8\Admin@KVIWLPUJ_en-US\System\ScanningNetworks.txt

Filesize
744B

MD5
3f383a535c396d15c7596a856ddb43a7

SHA1
d436d92b9be2cbe46abe5f7470b3537e7137666e

SHA256
fbea413a53f6444ffb0a4c20fd11954739487b868328a7fb47de177d6b699bfc

SHA512
b3c70942bcf2e5c7ec6426ce8a6e21ec4b74c09b1b7bd264bad96019216a8938544cad29aa62cfd86c4100806d261493e77980b434091b8ae78682896eae42db

Download Submit
C:\Users\Admin\AppData\Local\1a33a219d23adc17f0a4eb418b7c9575\Admin@KVIWLPUJ_en-US\Browsers\Edge\History.txt

Filesize
2KB

MD5
ca8405f753a895f6e4a6e1d3ff27c4d7

SHA1
711c0d55c0a5c7063e5b86cad16e7455c44af20a

SHA256
6e1601b65a3bace13ab2cec61932e4c0c82f692ca3b3b7a8c99b71f3aa66932a

SHA512
1dea084f4199533a45acfafcdb15b3f533e33f3555602cc537cc042f0105e870dd25c44f3fe133c384e091c3bd06c3758fc665018ac734ec489b67653d7cbadd

Download Submit
C:\Users\Admin\AppData\Local\1a33a219d23adc17f0a4eb418b7c9575\Admin@KVIWLPUJ_en-US\Directories\Temp.txt

Filesize
12KB

MD5
9f45bdf2d08670a845d8e5980eef08c1

SHA1
9c8f255132b62f6a0903eb12da4019767a5d1987

SHA256
4cd92c7acf8d395764693e2c25352f48435ef5052d610b0b5aabd298b40bca19

SHA512
4355972c38aea0475810b06e5bac103f6b5984bda8dab9ca55b660561413f3f343b12bb211a865025d6701304ac40f053507ef567771675bcbdbf40d9caa0c06

Download Submit
C:\Users\Admin\AppData\Local\1a33a219d23adc17f0a4eb418b7c9575\Admin@KVIWLPUJ_en-US\Directories\Temp.txt

Filesize
20KB

MD5
7136acf15e7e4b290f7b72f87bd70f5e

SHA1
502e5231f6651c9f1c51738dc701b8cc00315f67

SHA256
f9fe7404c70b2e90fe7f0e859c0bb3f78bf64884f68c5cc73044bbfc0fdc3d52

SHA512
8a0267dbc464e7769e19aa4cae86e3d22b54017afbaa4f548878176bf773074d389ba1c92879a23b864ab6080a4edef6a0eecf4ef9fb03745f525c069e59498c

Download Submit
C:\Users\Admin\AppData\Local\1a33a219d23adc17f0a4eb418b7c9575\Admin@KVIWLPUJ_en-US\System\Process.txt

Filesize
4KB

MD5
219fd405e2ba17f64f7b3ab186999c65

SHA1
628fe7da07803a59d1f7e9be722d72718f0dc609

SHA256
692ab1f958c30150fe8d2c41b3b097737eb2c1a9b22b77af310e1535da159e35

SHA512
bc413245e35b54e00e7b8ed342d53ba1c481e4e35259cba478345cbc4f0f438982edd2d812719ff4180970eeec82854369c3c7f1ea2a736649447b5a9f45a683

Download Submit
C:\Users\Admin\AppData\Local\1a33a219d23adc17f0a4eb418b7c9575\Admin@KVIWLPUJ_en-US\System\ScanningNetworks.txt

Filesize
252B

MD5
995b1400cc02a81c8267b34915717a14

SHA1
e63065ebfc971bbcb9cd94bc253e05d5af998e35

SHA256
c411d6863e5fc88789c1bc8824585ccfd7af6a399ff47053578f145807ecf647

SHA512
d9565e9d447d1ae902616d54692c4b3a02227e06ae95191b33fe7167f680dd4c36ff8eb0d08f4bd8abb1956f0599d6549001bf17aadf94bd7e5af1293677326e

Download Submit
C:\Users\Admin\AppData\Local\7172c801c7048ee96d98d0fcf0037428\Admin@KVIWLPUJ_en-US\Directories\Desktop.txt

Filesize
444B

MD5
80ed801750b2b3457c8054bf4d91b8db

SHA1
6a0070e569e18f1b911fbbd3adb688858f1fe21b

SHA256
5f6a55dfdd6153239d4fa9fe8ad960578f3489f1ced3e8242199a453b1e37ea5

SHA512
48cb28bbbc031e83761f91b29b6661ec1f7cdb2d05bc9d2d41a4b788df830c3a88af6cf75568f37ce56f73c560e7014bb70153cd32927e1dc4d0471b2a7dea1f

Download Submit
C:\Users\Admin\AppData\Local\7172c801c7048ee96d98d0fcf0037428\Admin@KVIWLPUJ_en-US\Directories\Documents.txt

Filesize
395B

MD5
51c257d89aa1f3169ddf4e2ec8399502

SHA1
6e997ce387e752567ee349eff52161ff78e24da9

SHA256
d379e17dd2758efdd080e57a279fed21045b7b7915e5bdbef68919540e74f648

SHA512
84aa9ec31c1979d169f1e80fd0fb3e48e1566aa9c554e5203d1694c54e96e0c1a8b1de7ca6a7e656f7d1ff8013c6cc9223e90806b0e90ebc0b0e3f0f2c85facc

Download Submit
C:\Users\Admin\AppData\Local\7172c801c7048ee96d98d0fcf0037428\Admin@KVIWLPUJ_en-US\Directories\Downloads.txt

Filesize
596B

MD5
1e39672f0b01928029558bfa5e9d87fc

SHA1
5626432f024b181baf9fd4580c19f90731481b1b

SHA256
4af03377eff7c2b31a674ac0034d26df255f7bec40607e46c7504d53d3af46b6

SHA512
eb9e44858553c1f91d32098400a94b79ba05404fbcce1aa0b0056fa2dac7dcad7072e3c74f32ad72eacfa5bfd182f2b14cd9d5e6800aa327b0670783e51916a8

Download Submit
C:\Users\Admin\AppData\Local\7172c801c7048ee96d98d0fcf0037428\Admin@KVIWLPUJ_en-US\Directories\OneDrive.txt

Filesize
25B

MD5
966247eb3ee749e21597d73c4176bd52

SHA1
1e9e63c2872cef8f015d4b888eb9f81b00a35c79

SHA256
8ddfc481b1b6ae30815ecce8a73755862f24b3bb7fdebdbf099e037d53eb082e

SHA512
bd30aec68c070e86e3dec787ed26dd3d6b7d33d83e43cb2d50f9e2cff779fee4c96afbbe170443bd62874073a844beb29a69b10c72c54d7d444a8d86cfd7b5aa

Download Submit
C:\Users\Admin\AppData\Local\7172c801c7048ee96d98d0fcf0037428\Admin@KVIWLPUJ_en-US\Directories\Pictures.txt

Filesize
330B

MD5
3602ec4fb10a1ede91eb82ef027c6c5d

SHA1
1e51d35740251abf7f5c37ada8af48ff78379129

SHA256
ef621896a157254189300b1186ab4ca70e42b4b3dec85f3f48f0e8d0593cccd4

SHA512
f67fd424494c67b3b2ac90acff891c0d79ee12db04dac0a88c818bdb822ef28e5b490ecba499190b38dda469facdbad92b9800bdc02d0928e4279fffb1a42eab

Download Submit
C:\Users\Admin\AppData\Local\7172c801c7048ee96d98d0fcf0037428\Admin@KVIWLPUJ_en-US\Directories\Startup.txt

Filesize
24B

MD5
68c93da4981d591704cea7b71cebfb97

SHA1
fd0f8d97463cd33892cc828b4ad04e03fc014fa6

SHA256
889ed51f9c16a4b989bda57957d3e132b1a9c117ee84e208207f2fa208a59483

SHA512
63455c726b55f2d4de87147a75ff04f2daa35278183969ccf185d23707840dd84363bec20d4e8c56252196ce555001ca0e61b3f4887d27577081fdef9e946402

Download Submit
C:\Users\Admin\AppData\Local\7172c801c7048ee96d98d0fcf0037428\Admin@KVIWLPUJ_en-US\Directories\Temp.txt

Filesize
3KB

MD5
f35ec03bae35218b269e7a98d520bfc7

SHA1
82444764a823cf6df0d414794a382d916aee4ae3

SHA256
a8021c34bfd5cbc16d18ebe21ca32eae3dc2b4f9b89e9f6de2318ef1101b44a3

SHA512
cc3aa36b0d851deb83f39b2fc02798406932391c5b72b8fd1d0e0fd9e379d8fe75a5f0449cc4248587e34265db548a48f7605e5e4d54363ef82c6c57a2db3cc6

Download Submit
C:\Users\Admin\AppData\Local\7172c801c7048ee96d98d0fcf0037428\Admin@KVIWLPUJ_en-US\Directories\Videos.txt

Filesize
23B

MD5
1fddbf1169b6c75898b86e7e24bc7c1f

SHA1
d2091060cb5191ff70eb99c0088c182e80c20f8c

SHA256
a67aa329b7d878de61671e18cd2f4b011d11cbac67ea779818c6dafad2d70733

SHA512
20bfeafde7fec1753fef59de467bd4a3dd7fe627e8c44e95fe62b065a5768c4508e886ec5d898e911a28cf6365f455c9ab1ebe2386d17a76f53037f99061fd4d

Download Submit
C:\Users\Admin\AppData\Local\7172c801c7048ee96d98d0fcf0037428\Admin@KVIWLPUJ_en-US\Grabber\DRIVE-C\Users\Admin\Desktop\desktop.ini

Filesize
282B

MD5
9e36cc3537ee9ee1e3b10fa4e761045b

SHA1
7726f55012e1e26cc762c9982e7c6c54ca7bb303

SHA256
4b9d687ac625690fd026ed4b236dad1cac90ef69e7ad256cc42766a065b50026

SHA512
5f92493c533d3add10b4ce2a364624817ebd10e32daa45ee16593e913073602db5e339430a3f7d2c44abf250e96ca4e679f1f09f8ca807d58a47cf3d5c9c3790

Download Submit
C:\Users\Admin\AppData\Local\7172c801c7048ee96d98d0fcf0037428\Admin@KVIWLPUJ_en-US\Grabber\DRIVE-C\Users\Admin\Documents\desktop.ini

Filesize
402B

MD5
ecf88f261853fe08d58e2e903220da14

SHA1
f72807a9e081906654ae196605e681d5938a2e6c

SHA256
cafec240d998e4b6e92ad1329cd417e8e9cbd73157488889fd93a542de4a4844

SHA512
82c1c3dd163fbf7111c7ef5043b009dafc320c0c5e088dec16c835352c5ffb7d03c5829f65a9ff1dc357bae97e8d2f9c3fc1e531fe193e84811fb8c62888a36b

Download Submit
C:\Users\Admin\AppData\Local\7172c801c7048ee96d98d0fcf0037428\Admin@KVIWLPUJ_en-US\Grabber\DRIVE-C\Users\Admin\Downloads\desktop.ini

Filesize
282B

MD5
3a37312509712d4e12d27240137ff377

SHA1
30ced927e23b584725cf16351394175a6d2a9577

SHA256
b029393ea7b7cf644fb1c9f984f57c1980077562ee2e15d0ffd049c4c48098d3

SHA512
dbb9abe70f8a781d141a71651a62a3a743c71a75a8305e9d23af92f7307fb639dc4a85499115885e2a781b040cbb7613f582544c2d6de521e588531e9c294b05

Download Submit
C:\Users\Admin\AppData\Local\7172c801c7048ee96d98d0fcf0037428\Admin@KVIWLPUJ_en-US\Grabber\DRIVE-C\Users\Admin\Pictures\Camera Roll\desktop.ini

Filesize
190B

MD5
d48fce44e0f298e5db52fd5894502727

SHA1
fce1e65756138a3ca4eaaf8f7642867205b44897

SHA256
231a08caba1f9ba9f14bd3e46834288f3c351079fcedda15e391b724ac0c7ea8

SHA512
a1c0378db4e6dac9a8638586f6797bad877769d76334b976779cd90324029d755fb466260ef27bd1e7f9fdf97696cd8cd1318377970a1b5bf340efb12a4feb4a

Download Submit
C:\Users\Admin\AppData\Local\7172c801c7048ee96d98d0fcf0037428\Admin@KVIWLPUJ_en-US\Grabber\DRIVE-C\Users\Admin\Pictures\Saved Pictures\desktop.ini

Filesize
190B

MD5
87a524a2f34307c674dba10708585a5e

SHA1
e0508c3f1496073b9f6f9ecb2fb01cb91f9e8201

SHA256
d01a7ef6233ef4ab3ea7210c0f2837931d334a20ae4d2a05ed03291e59e576c9

SHA512
7cfa6d47190075e1209fb081e36ed7e50e735c9682bfb482dbf5a36746abdad0dccfdb8803ef5042e155e8c1f326770f3c8f7aa32ce66cf3b47cd13781884c38

Download Submit
C:\Users\Admin\AppData\Local\7172c801c7048ee96d98d0fcf0037428\Admin@KVIWLPUJ_en-US\Grabber\DRIVE-C\Users\Admin\Pictures\desktop.ini

Filesize
504B

MD5
29eae335b77f438e05594d86a6ca22ff

SHA1
d62ccc830c249de6b6532381b4c16a5f17f95d89

SHA256
88856962cef670c087eda4e07d8f78465beeabb6143b96bd90f884a80af925b4

SHA512
5d2d05403b39675b9a751c8eed4f86be58cb12431afec56946581cb116b9ae1014ab9334082740be5b4de4a25e190fe76de071ef1b9074186781477919eb3c17

Download Submit
C:\Users\Admin\AppData\Local\7172c801c7048ee96d98d0fcf0037428\Admin@KVIWLPUJ_en-US\System\Process.txt

Filesize
335B

MD5
5fc9e5acc554bbf17f4f4d07dd97a531

SHA1
9b66c16da81869e366de18a94e1197513bca65ab

SHA256
42ce49e7a8046f2c450b5d43e4b32c2549ab70e9b786e9246907d70a29fbbed7

SHA512
87dda1d4afab974b15e371eb1eb0ca92a0870d067a2af2fa591a77bc645fab3f5d7e855054a848eaa631e834da8ef2506b56efc9f08719f629dc83be4e263256

Download Submit
C:\Users\Admin\AppData\Local\7172c801c7048ee96d98d0fcf0037428\Admin@KVIWLPUJ_en-US\System\Process.txt

Filesize
462B

MD5
16f7831e5e861f1217e328817f3856f3

SHA1
63d7003be309c655e07f32aa542e9ae4368108c1

SHA256
768331cd39ece005b5a1a5ad23257087ecfdd4e9db8d99f2841d1561537cc08e

SHA512
10f15f67437406311500e32971b43cf36ab267f53f976503dcbf34be40415ae065d5ac50bf0caa01546398c2753ae2a6794fe232d265ba866f87c8f2e044fee2

Download Submit
C:\Users\Admin\AppData\Local\7172c801c7048ee96d98d0fcf0037428\Admin@KVIWLPUJ_en-US\System\Process.txt

Filesize
663B

MD5
3ec5c014fab56f7dbf4c7d13bba1142e

SHA1
75786cdcda25170caa9a515df8ee1f8835e21f69

SHA256
78037f8bc3562301ccfa9ab7cf7327c9cbd9b78821bb873d72520022ed80fddc

SHA512
8e6a03abb6fa26c83e37f75a8f019378c116d26a578fb9d3488ab908c4558d079bd30b928026ac55589cf0a042c4f9e3a23612886ff2936840f39a5754e42a6f

Download Submit
C:\Users\Admin\AppData\Local\7172c801c7048ee96d98d0fcf0037428\Admin@KVIWLPUJ_en-US\System\Process.txt

Filesize
869B

MD5
1766148d708e4c8f1995a97d96f7521f

SHA1
d16f8aa9d8eb8551880a5e7f8c97abb0a5f20070

SHA256
e21e6511042a78f336b8aef7076cbaf2bb1e7a1319c7caf78a598fd6dda2d4b7

SHA512
9cbc606d30b4412856407876dff5d3465c11aa2e273193880a2bc64d474579a150890e3b9b8a37d41ee6883ca34b28a7c6cc79fe4b6edc62da1f26b77d76cca6

Download Submit
C:\Users\Admin\AppData\Local\7172c801c7048ee96d98d0fcf0037428\Admin@KVIWLPUJ_en-US\System\Process.txt

Filesize
933B

MD5
22fce1fca16eefdde5776de73a96e62b

SHA1
697f15e19973b2826a3d0c4a258eae55e56bc6c5

SHA256
8b8c40228e19532a079368656bf58500fef1fca2105bc246dacb9f7fcae5954c

SHA512
6dfb497124c8ffb170a3766bdf51056a55524f869ca0f480e6af54aad2427abd4a4e61d50815fa6eb4b32b897ee17afda75a174c154c8d27db4de0b2229fdeaa

Download Submit
C:\Users\Admin\AppData\Local\7172c801c7048ee96d98d0fcf0037428\Admin@KVIWLPUJ_en-US\System\Process.txt

Filesize
997B

MD5
7f76a985bb5af144f1751a920e047ce1

SHA1
972193c793f8eb0bc1ea41e357e05d8068481f7d

SHA256
19aea625bd12d2f44ae3a28bc71ef56f3f56c518a7983a5fc7c0d21ed73e4a78

SHA512
f8b38501e240bf7756f60c45c79e144058e6758900048b87c20aa6884f101264a32e1b65f412e0eaf28869b70ffe50194c57fc06203221b309e942679eb571c3

Download Submit
C:\Users\Admin\AppData\Local\7172c801c7048ee96d98d0fcf0037428\Admin@KVIWLPUJ_en-US\System\Process.txt

Filesize
1KB

MD5
12725c4a1e39503a56ad0bd74aab6d09

SHA1
31ff98378105df849ac74d461db9268349b77b3e

SHA256
22beaedc0ad90a39e5262504c844d0b83d53a2d5b0ba3de5169de1fb1742c895

SHA512
4ceba3f4901f74c4a9ca3ea1efc17aa98859bab8c371ad9dee89ce2e7089fb785c3971ccdca404dc4b31a43877dc3a95db40c199300f34f219ad59347de6de2d

Download Submit
C:\Users\Admin\AppData\Local\7172c801c7048ee96d98d0fcf0037428\Admin@KVIWLPUJ_en-US\System\Process.txt

Filesize
1KB

MD5
bef24a4f0fa3ec6ba02fb370613632d3

SHA1
21fda0d2b40244361bf04e7ae7f9e6777ee974c1

SHA256
8633f0cab8409d1cdb33ee09b91839283ebdfc71a9bf6b4f9fc5da299b514dad

SHA512
1e7d7a299c2286039ba170cb39edc8d1155dc1f4069b3898f73579dffeb7d5d3f9c28e59cefa622204a37c51b799373c8a67da7a05e7066cf990fb5e499b6d9a

Download Submit
C:\Users\Admin\AppData\Local\7172c801c7048ee96d98d0fcf0037428\Admin@KVIWLPUJ_en-US\System\Process.txt

Filesize
1KB

MD5
1c8f29e7e0f7c6dee0c8fc3921ca6f52

SHA1
ec57b0f1693961ac5a0e1c6fe2407d020f19fe05

SHA256
87a4658c9cb86d322cd36ce8913594d6134af10aacdf7df24500e4ab2c8ff4f5

SHA512
195aa525bbfa0f219a888903436b73ad409494bbd9c002bb793c9a359f5b6aee45c1ef8e12f70b4ada410f2f21e4971ad590fa7be930be0fb8e1d9a50ce54773

Download Submit
C:\Users\Admin\AppData\Local\7172c801c7048ee96d98d0fcf0037428\Admin@KVIWLPUJ_en-US\System\Process.txt

Filesize
1KB

MD5
1a96eb6aef2701af4ae34c118628394f

SHA1
73198181c6797a9ec45cfa749141b32a0ed09944

SHA256
0d091a0d8218c540053df12682e64cb40030a663ddd95fea2b7e23a25192808f

SHA512
00f5aa0bd1f81bd35ed784bd097dd76443e84fe42902f35c2998ac874d42017c62591adb65d554c6848f13f017cd9fe25c6f6e9553aa2d01826d1e8ac5a4bed7

Download Submit
C:\Users\Admin\AppData\Local\7172c801c7048ee96d98d0fcf0037428\Admin@KVIWLPUJ_en-US\System\Process.txt

Filesize
1KB

MD5
a11e3e938ebe46662389bab27c28ee9f

SHA1
fd22ce1279d661ff0b066ea2be7eb804d1ca8666

SHA256
fef6f48b601e279a36b26ab63f9a7e35fd87a23394ecc15002447e22ff741f33

SHA512
8f70e9c068ba7bb8d12e6c8a142788576fa71e488f7ee145faa6b27928384d5e516d34632db5150a903df07c35b9ebc103263884871573b6947636def92135ec

Download Submit
C:\Users\Admin\AppData\Local\7172c801c7048ee96d98d0fcf0037428\Admin@KVIWLPUJ_en-US\System\Process.txt

Filesize
2KB

MD5
a39bffdf98f9774d082f6709ca2bc95e

SHA1
77fbf492d07e9efbe2c26dbc266624d2a46fdb57

SHA256
4c46d153cd75eb2adb0ce68b02d63e00827cf0b266cb2f094749506211bc26ed

SHA512
bf18e7060e4aa0a2b7d2b6116fcda75620c68d6f787886e83ecce22f29c41371e7161636da0740401240b49a64cc77f1127f3e248160380ac837e13c7879d878

Download Submit
C:\Users\Admin\AppData\Local\7172c801c7048ee96d98d0fcf0037428\Admin@KVIWLPUJ_en-US\System\Process.txt

Filesize
2KB

MD5
9dab8378d00875a03ef1b5b024033b16

SHA1
22e4f19231a608931791619c3b104ee2ca81da92

SHA256
de2259b758b812ff0f5957a23515eca5d1f440dc520967afc1a63533b0597468

SHA512
35240a4ecaf5c16cfea93e5aba96589556d47f68a7b2624a0c71c7868446148b43a8f047670416dd0e06275f16776bc90fd55f102126482cdd00ee0229f7a83d

Download Submit
C:\Users\Admin\AppData\Local\7172c801c7048ee96d98d0fcf0037428\Admin@KVIWLPUJ_en-US\System\Process.txt

Filesize
2KB

MD5
aaf2e9455e7eae2576c40e4c12638c2c

SHA1
94fdab269b02e6171e66e12bc1fcfc9a7e81238a

SHA256
8a510b90ddae4f1e36dcca5d328f9979f693bebf751f2971dff7cd0f963a4929

SHA512
70f065b74a77338f38797041326c09241418686ea030698d0ff7064e6e1d19120ffdf32f4712d99d5e65167a952b73968ad0ba7d4607f9bd9fcba2e02a1c1922

Download Submit
C:\Users\Admin\AppData\Local\7172c801c7048ee96d98d0fcf0037428\Admin@KVIWLPUJ_en-US\System\Process.txt

Filesize
2KB

MD5
f44f23693df34157c9d4fd721972f17e

SHA1
bd47ce576672eef024693e31cf8495b7203c7618

SHA256
8e53bba7060315d84d7b21fcbb0f84b58ddd747bf527f66d9a3b7bb149c350ea

SHA512
346539a2c3e9eb75ef2d7ca226d6ec00e19d14ab5adbf1d02d336d0766acd8db8f89f72be20c14bc7eb6029fc2fbfae570e6f3e3a63ac95136506ec42c7b8b95

Download Submit
C:\Users\Admin\AppData\Local\7172c801c7048ee96d98d0fcf0037428\Admin@KVIWLPUJ_en-US\System\Process.txt

Filesize
4KB

MD5
1cad8c63f402884a8ca288e7e1155d86

SHA1
90e3e2e573494e91243c8f7b40a21be6bdd33c1c

SHA256
7298b920aad82137b0c6d6a9456214893173e2016b2c5636136a24dbfd322219

SHA512
1bccdbbc858d28d09bdc014a80f5f4354f1959db3de10a359c350ecb33a94e0f965ccf282ab7c1d434378d65f60a4e852b911ab9100723bbe597ccb8b6df93b7

Download Submit
C:\Users\Admin\AppData\Local\7172c801c7048ee96d98d0fcf0037428\Admin@KVIWLPUJ_en-US\System\Process.txt

Filesize
551B

MD5
c96a7006767dbd1ee099d03574b0544b

SHA1
875f4f1afbd18c1f9ff74d4f79bcf836198b50d4

SHA256
8bd8f6069396409d24b5d8e401ece753569eb6ed56eec0a07baaca0ce739a22b

SHA512
c80e6ba7a8a26c50203ef1161fa81f8433b8fc6e4372923b89431b1660ff5dc073e4db37ef0f485d56a60e61ec043d694a330c7a8acc58a5dedf1d8fc34a0b19

Download Submit
C:\Users\Admin\AppData\Local\7172c801c7048ee96d98d0fcf0037428\Admin@KVIWLPUJ_en-US\System\Process.txt

Filesize
1KB

MD5
8ec5d2685c6456ee3276bd55fa8f586a

SHA1
41a41d0f6275b228ddc49fabf419138622ad936c

SHA256
0b5a8a9395d349b7e02e11b39e3ec71e121a24fb9fd135782367786e6f716725

SHA512
91adb99a0329034fca1aaa8cc902b86a3781d5e6ef8ed7af18ac25db7b41737d78843bc746e2e2bd4b6d3a2edb7eb9d2fec94be58800351768ec5561ef8f1ea9

Download Submit
C:\Users\Admin\AppData\Local\7172c801c7048ee96d98d0fcf0037428\Admin@KVIWLPUJ_en-US\System\Process.txt

Filesize
4KB

MD5
78c52b86f462abb01d210efea093157c

SHA1
7ffadb7474bfd74c2f674b45acae1ea043638798

SHA256
e8dfc984c3cd163fddfe5c3b7b20c32a930a39e5aaeab7fce8b51c4f0aaf8084

SHA512
a1cd847f5a16ea8281fffda119ceab5a8cab0ca66636580a5982a4f1c755a2dd2e9ca72c4542c94f6b63a33667a54a3470257a44b4099ef38c5977f3973cbddc

Download Submit
C:\Users\Admin\AppData\Local\7172c801c7048ee96d98d0fcf0037428\Admin@KVIWLPUJ_en-US\System\Process.txt

Filesize
296B

MD5
7174b9372d58dd802cbf1d1a6d736999

SHA1
c7bd855856ad6cb922232bc48b51c391e8696d51

SHA256
442a3a561c2c82c2944c9c858cd4d96124d45d5d1138882f3ff5a2978578119f

SHA512
ac41cfc916571a7df34045d16f8691cd8e8700ec9d2ca5d2ca6b30630cb394561b60a85bbaa74374e07eaf8ecb7c1d56bccd8eadb407a42bbcf98115559c7b35

Download Submit
C:\Users\Admin\AppData\Local\7172c801c7048ee96d98d0fcf0037428\Admin@KVIWLPUJ_en-US\System\Process.txt

Filesize
948B

MD5
31b958bc620a55c8c95e6ffae29884de

SHA1
c2fdf3bb8c42214427ddfa7055faaa364c497401

SHA256
2709d31d2eb8ebf6e0e2c98ae791e2691a3c5e54a23b0df7ed2590c652c2f3f4

SHA512
9a35a71322492040c0ee0888c7b7d769a443debd26c35497f0e328b915c856ca5869266e7115b2b43a9ecfd9cbb8b512a78ba93640bd047036f9110ab75b9774

Download Submit
C:\Users\Admin\AppData\Local\7172c801c7048ee96d98d0fcf0037428\Admin@KVIWLPUJ_en-US\System\Process.txt

Filesize
4KB

MD5
6a4e4aff290bc82fc387258dc789231b

SHA1
a17502b950acfbf77221debbd0cd6bb37e3aeb02

SHA256
63bddcbb6eed11183ebcd2b60113f68200bca435a78c0cce46e0609bafc6ddea

SHA512
8a65e3ed2575651196a9403ea7145fa9888a20c970195239f93361fc55391134aa95be910656bbd71f85b238d0cbeb1b81db641a55f281995c4e18fae9370c54

Download Submit
C:\Users\Admin\AppData\Local\7172c801c7048ee96d98d0fcf0037428\Admin@KVIWLPUJ_en-US\System\WorldWind.jpg

Filesize
86KB

MD5
c96bfda878e0983f4ea4dbe1e388d194

SHA1
384561626bd97ddf98f1ba85e4220e837a3b8e2c

SHA256
819082b484b385ccf56a6a099dd2ada102c4319d53dd5c757c73e344dd91bd69

SHA512
b8bd3e3722cbc2ce1bd0d828bbb5ef04d0e6cfd525c1d0284b0d4a0c8a3fc3b5b3c8c4e8b5b8caffe19c8674a06a40bae61f6b95da7a6f7e40019223da962db7

Download Submit
C:\Users\Admin\AppData\Local\74539204bf59aa420e781862240f3dc7\Admin@KVIWLPUJ_en-US\Browsers\Edge\Cookies.txt

Filesize
5KB

MD5
d750eb5b3ae9a82ead99437d5e3ab193

SHA1
fef00b2d438f2546e23df7138c41d24f6ade7afa

SHA256
5871c13ddd020759cde6ecf1fd60456a54dd5bbb52b9e336de5d9db06e55a545

SHA512
c821a8b5ad7f48281d0b35fc1911efc9b2c19a583a6e4c5209340d2371f1f0231735c9d1aaffc70e9db3a5ae1d8efc85e71afbaa3bc1fb9e61eb6e3c0bef992a

Download Submit
C:\Users\Admin\AppData\Local\74539204bf59aa420e781862240f3dc7\Admin@KVIWLPUJ_en-US\Browsers\Edge\History.txt

Filesize
3KB

MD5
646315973efa6d63526f0b61f9b97bff

SHA1
1319307e64f9552fdd81a4565c0429807ff343d8

SHA256
286d978b41689239237f888a3be31cd22dae1a04c7b0034d3f045104223a9b76

SHA512
3808ea2ebd464ebeb8a98159f06a91be0ec03a036e5ebdd52c862107e431484bbff95c14b4b87b753f2e3fe9222abb6fb42d301d3955b87b363c2ec2c8070691

Download Submit
C:\Users\Admin\AppData\Local\74539204bf59aa420e781862240f3dc7\Admin@KVIWLPUJ_en-US\System\Process.txt

Filesize
4KB

MD5
48595f553569982b1ae8c5a2e7420ed2

SHA1
7d91002a9219b005a0e88a16d8916cde535e696d

SHA256
9cc2a37fbf770912589314a17ff7936ea4ff158525788d5a46d8809e34238a35

SHA512
23c37946d37236742fd6a5e69d16f93fcdf08a9ca712cff730ef433d85af8cd34ae4e19b27a5ffa5155422b4f72c3bf42931cb455ab5bf9de1642a3e22c557ae

Download Submit
C:\Users\Admin\AppData\Local\74539204bf59aa420e781862240f3dc7\Admin@KVIWLPUJ_en-US\System\Process.txt

Filesize
4KB

MD5
c2c633933e97d231ed5251c144cd2ac2

SHA1
40640a02327237661d9077bfba28c4027c8a48f1

SHA256
811ac73c183106d069290c75a1590b34f21611d17e6d7f725135e72d2adc38f2

SHA512
1eb25e5fa9d16de536d6e22fc788eddfc0229c3abe6c39de44e4a7438e216157756ea9edb01abed78c48d8a75202a65e436328cb446dc7f0993ce4adb7158d3b

Download Submit
C:\Users\Admin\AppData\Local\74539204bf59aa420e781862240f3dc7\Admin@KVIWLPUJ_en-US\System\Process.txt

Filesize
4KB

MD5
8a5b3726d264a648ede9314cf66fc2b8

SHA1
ae02d3e3214756352165d2281b5e16d3d987e107

SHA256
c85623a452f73c19fe1133fde9cabc97950a77189b3e3facebc5350723bb7c70

SHA512
4602399e89692646cc77346cfd003e035181f567be1a8061a73ca3ef27a795dbd1d35b691b6c9c0d60b35e6bdd664c0203c5a085c77bfca826099517a4cbfa62

Download Submit
C:\Users\Admin\AppData\Local\74539204bf59aa420e781862240f3dc7\Admin@KVIWLPUJ_en-US\System\Process.txt

Filesize
1KB

MD5
e2c8e7555a2c71bdd66027e1401c2111

SHA1
2f2099aedfb7c4f8f65b2b6330bc0a3885c5dad4

SHA256
de5f552e33bce630f45e85cb77e7bb97047a6e96e8e63f5c3349c5c3ba639bfd

SHA512
159ab16280aab1398d652cca406aa9f85c2ed49dba77fd6f1a23177bbfe2b2a02c3c3e1a759ce5c0279aad8f55db75f271e6ae56c5d81e7cf7d43b13072bc713

Download Submit
C:\Users\Admin\AppData\Local\91c4aa4bb6b92f9696b156a183171088\Admin@KVIWLPUJ_en-US\Directories\Temp.txt

Filesize
14KB

MD5
87b4bde12df26553952ac40a29b74964

SHA1
ad6137f5318fdb26610db33e4da6158a32ee791d

SHA256
04c07a2a162cce5a99f9ee79127b19b4839693ccbdb921743169eb30ca0d074a

SHA512
3790d44c385cb6df9715f7877d14cdab239f5f146f03f9a63ec317b62bf158deaea2d8eb30acbdba6110c0391b4c85978d78757c78d7f9f794ab4f63c46e2dbd

Download Submit
C:\Users\Admin\AppData\Local\91c4aa4bb6b92f9696b156a183171088\Admin@KVIWLPUJ_en-US\Directories\Temp.txt

Filesize
25KB

MD5
45b8c3884bffa18401f3b102e4383551

SHA1
b3e3eeba458796af492679978ce9af5fc1610c3b

SHA256
0900d5b9e2e9de21c2204eef9d95107879d09a0f55763738faef0a7b5509ef57

SHA512
4400503f01dae75d314b6392c78ea5b410b591b5d22d81642453e0ac691505963d103cdd72c57b8829cddf6eb8fde1b103c4b073fe91bf3933d986f52b95685d

Download Submit
C:\Users\Admin\AppData\Local\91c4aa4bb6b92f9696b156a183171088\Admin@KVIWLPUJ_en-US\System\Process.txt

Filesize
360B

MD5
b8c9e8918430acf8115542465dcc6771

SHA1
2d18da062fa395dfd4be8f0baf2b9d7d8a07a30c

SHA256
c5574c06e9d59087d6a06f5fea87b78b4e107c508c161f03481d34cb1d9fe372

SHA512
1b767dd6f611f6a742a5e72d7b630ef3fc7a7abe5ff969e5595944c804c60437518ba40f2df549a3a0c0d343174cd6c411d714fbbc1515b0d1c69c6c6cbd6cce

Download Submit
C:\Users\Admin\AppData\Local\91c4aa4bb6b92f9696b156a183171088\Admin@KVIWLPUJ_en-US\System\Process.txt

Filesize
452B

MD5
f73b772cf30b3bf8a02aa7fd58948c3a

SHA1
af17033df30e3ed0255673a7b4ae15821d645a62

SHA256
19cc4766c948d720d6f0c51a83c28c6d0625df7b8d6fbfcc0f583dba843e4dad

SHA512
26e717a2a023c2e05b89022ee0f21301651e9cb20fac46756ec23f8d5e6cdaf48436f82a478b6ff5118ec15c56e116b17d7ce935d04400fc806c84dcdd6c5cee

Download Submit
C:\Users\Admin\AppData\Local\91c4aa4bb6b92f9696b156a183171088\Admin@KVIWLPUJ_en-US\System\Process.txt

Filesize
516B

MD5
b25eefa35b048ecdbbde643e9099e507

SHA1
0c6342cf59f474d69159fef883e0306fac9f70b6

SHA256
a34c09521d48aed52a310e5eafccb714254073389b5bf32842a7b908025fe981

SHA512
7b17776557dcaeed2826a1ace5fe7cbc2d292e42a63f4e805c69e40db7fe418df3818cc66052b5f2bdf92d550e23f984ea6923efd66223f1f7a93a1a132a6ee7

Download Submit
C:\Users\Admin\AppData\Local\91c4aa4bb6b92f9696b156a183171088\Admin@KVIWLPUJ_en-US\System\Process.txt

Filesize
580B

MD5
9e8107e857e359689c47422ecd7bff81

SHA1
5a513bb6e906a8a11d8e88a2628a933cf910b1cc

SHA256
eeac91f2ace9aa6a9a7d9bbdbc9cd022489e4cf52b3b417c67ebf5f4eba3895c

SHA512
451020aedb72e24093022d43bc66e0fa8c80d67a8ebfdddc2450397000d03fdf1daafd8dce4b61a5a0c418874ff7194a4cf3beb09736b262d9b51f16b64afc9c

Download Submit
C:\Users\Admin\AppData\Local\91c4aa4bb6b92f9696b156a183171088\Admin@KVIWLPUJ_en-US\System\Process.txt

Filesize
644B

MD5
4853532bc660d486e4ac818e5a0e9208

SHA1
b948f4546d570c0ea03bbb4afd060f943910d311

SHA256
7257d025768a922256da53a10d51905de55f5fb9446255614260e8e9562811c7

SHA512
961d8863e7f4b06a219225807f8a2e1cae9690d725a6334ac2dc989c0b44f5f56a3c34739ba1fca114408118d920c07ee83db76d1dc43426a62b56de61eb3310

Download Submit
C:\Users\Admin\AppData\Local\91c4aa4bb6b92f9696b156a183171088\Admin@KVIWLPUJ_en-US\System\Process.txt

Filesize
4KB

MD5
60d7a13d09d206072e8c696911b57a95

SHA1
02cc8c36d586f6ae5e0fe0d78e8c06119cf34ba9

SHA256
7bbddcd3868e7975cfe602e4d360d468822e0ff51afc73dc73c033c7356c2986

SHA512
6bd110baceab61c3bbeb7834b9849e0e9383a64bc29bb407747cadb0f0b1cbb278cdb9b7466c4ab48c586e84c552a78bcd5c092aac40aedd7a1c2038d92780b6

Download Submit
C:\Users\Admin\AppData\Local\91c4aa4bb6b92f9696b156a183171088\Admin@KVIWLPUJ_en-US\System\Process.txt

Filesize
220B

MD5
16f8a33a90f34a7edb36289c5ce6cef6

SHA1
24c7d473b99d2b7fe62cbc781c6461b180767036

SHA256
9ee6b6d7aef2df8e5e135eae8f018f75d569b719638f88149d53c9cd21c5e285

SHA512
13e54e5828a5b8c64e5fcfb6e15a3a5fa33cc60a07dd668f5976a167fac4af0bf7b3b6afee8c6491838bdfef8ca7afbd73f609699b30a60e8dca7975309fdc01

Download Submit
C:\Users\Admin\AppData\Local\91c4aa4bb6b92f9696b156a183171088\Admin@KVIWLPUJ_en-US\System\Process.txt

Filesize
4KB

MD5
49c64e007570fdaa545cdc4106424cd4

SHA1
a7c8ae84e5be8050b53e4f60021663c42de0a4ef

SHA256
31ef71c41abd45365278fae5bbc757e20ce082574b2adf36174f621f5e8259f4

SHA512
54a128d1e6ca1d64c5ed2a31a702aa9b744c7af84d01207e30536b1542fae7cbcf0cf0b96af6ce3118c508b5fba3fa88165a4428421433c2d2b7461d3738801c

Download Submit
C:\Users\Admin\AppData\Local\91c4aa4bb6b92f9696b156a183171088\Admin@KVIWLPUJ_en-US\System\Process.txt

Filesize
213B

MD5
822191ed130bf7754753dbc9263a5ecd

SHA1
353b11ee870aca66da22f584cf6d73b53d827590

SHA256
6c6f15829fb4c04497630b808ceb2aaea862325d0d5f4bc04aa799d91138c8d3

SHA512
94a1eb32051d42a8fe018b407d218637bcabcc1e9b57c9f4566b8240631a54d9ecef46d5a788f884ae3013c12496dc553b6d3a9987d21d8818e574656c10302f

Download Submit
C:\Users\Admin\AppData\Local\91c4aa4bb6b92f9696b156a183171088\Admin@KVIWLPUJ_en-US\System\Process.txt

Filesize
4KB

MD5
4f7ec87d5c770c97ebc8bcbbceb1ae6d

SHA1
43d52b7c8155ea892c4401aba437f2681d0447b1

SHA256
66bac335e6c76f7835286835821044f0245892876791108f38f1f990091f6fc4

SHA512
5963f1288143c1263de8caef3cface520d00ab19fc7ede823d037747fa2066cf1cf93535482f009190c2111f0ddda4f34fd807aef2dbb91df778774a8e11aab8

Download Submit
C:\Users\Admin\AppData\Local\91c4aa4bb6b92f9696b156a183171088\Admin@KVIWLPUJ_en-US\System\ProductKey.txt

Filesize
29B

MD5
71eb5479298c7afc6d126fa04d2a9bde

SHA1
a9b3d5505cf9f84bb6c2be2acece53cb40075113

SHA256
f6cadfd4e4c25ff3b8cffe54a2af24a757a349abbf4e1142ec4c9789347fe8b3

SHA512
7c6687e21d31ec1d6d2eff04b07b465f875fd80df26677f1506b14158444cf55044eb6674880bd5bd44f04ff73023b26cb19b8837427a1d6655c96df52f140bd

Download Submit
C:\Users\Admin\AppData\Local\91c4aa4bb6b92f9696b156a183171088\Admin@KVIWLPUJ_en-US\System\ScanningNetworks.txt

Filesize
84B

MD5
58cd2334cfc77db470202487d5034610

SHA1
61fa242465f53c9e64b3752fe76b2adcceb1f237

SHA256
59b3120c5ce1a7d1819510272a927e1c8f1c95385213fccbcdd429ff3492040d

SHA512
c8f52d85ec99177c722527c306a64ba61adc3ad3a5fec6d87749fbad12da424ba6b34880ab9da627fb183412875f241e1c1864d723e62130281e44c14ad1481e

Download Submit
C:\Users\Admin\AppData\Local\91c4aa4bb6b92f9696b156a183171088\Admin@KVIWLPUJ_en-US\System\WorldWind.jpg

Filesize
21KB

MD5
1f4327f5de4bf5a06c2638463df6c7c8

SHA1
dd81afdeaeae95043f346da218beb2466bd4ad49

SHA256
6bcdb669eaa874ad40bfab6547fdeffb1459a1135ea97b8356bacee74441a680

SHA512
47e583009d7f9031824906004be702fc533ea2b68dd54324f2d487feb923432be3e07da30f26d647f22b2ac01ea535b526bb15b827783587271cb8241de64ad3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\RebelCracked.exe.log

Filesize
654B

MD5
2ff39f6c7249774be85fd60a8f9a245e

SHA1
684ff36b31aedc1e587c8496c02722c6698c1c4e

SHA256
e1b91642d85d98124a6a31f710e137ab7fd90dec30e74a05ab7fcf3b7887dced

SHA512
1d7e8b92ef4afd463d62cfa7e8b9d1799db5bf2a263d3cd7840df2e0a1323d24eb595b5f8eb615c6cb15f9e3a7b4fc99f8dd6a3d34479222e966ec708998aed1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\RuntimeBroker.exe.log

Filesize
706B

MD5
9b4d7ccdebef642a9ad493e2c2925952

SHA1
c020c622c215e880c8415fa867cb50210b443ef0

SHA256
e6f068d76bd941b4118225b130db2c70128e77a45dcdbf5cbab0f8a563b867ff

SHA512
8577ecd7597d4b540bc1c6ccc4150eae7443da2e4be1343cc42242714d04dd16e48c3fcaefd95c4a148fe9f14c5b6f3166b752ae20d608676cf6fb48919968e8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\metadata

Filesize
150B

MD5
ad0d2e807e12b8bbec4265281bd7b315

SHA1
2869712843952efc3b493659c35ef3cfa5987077

SHA256
d8a40525c91ca898b92c8412c4886f00522da40e49ca2d59fa10aaaec68cb67e

SHA512
45c868d497508a887069f5983afbd43ef5efc80558b8005d9efac2cc08ad30d3b1898d49bff10c90c887a51728c5ba7f869e4aa781e3d292b9b4c2ba73831516

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\reports\c80cca93-5c99-481a-9525-6051272c7d7a.dmp

Filesize
4.1MB

MD5
500eca96dae12c2607b3b4d984f81505

SHA1
e1435e6d4125717111b561474c7e79c65e81aebd

SHA256
a2e3cd289c0738cb2caec2336965c0eccf0003145ae064249f1f682e8b989305

SHA512
0e26eb79f11591eb5dca2a9dd854ff316a2ac4bc968a2c058485d55b4a61916f6a718469e9fd18bc3ed31bbbcfa4566833763b2c4800106e25bd5a2b0c72deec

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
53bc70ecb115bdbabe67620c416fe9b3

SHA1
af66ec51a13a59639eaf54d62ff3b4f092bb2fc1

SHA256
b36cad5c1f7bc7d07c7eaa2f3cad2959ddb5447d4d3adcb46eb6a99808e22771

SHA512
cad44933b94e17908c0eb8ac5feeb53d03a7720d97e7ccc8724a1ed3021a5bece09e1f9f3cec56ce0739176ebbbeb20729e650f8bca04e5060c986b75d8e4921

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
e765f3d75e6b0e4a7119c8b14d47d8da

SHA1
cc9f7c7826c2e1a129e7d98884926076c3714fc0

SHA256
986443556d3878258b710d9d9efbf4f25f0d764c3f83dc54217f2b12a6eccd89

SHA512
a1872a849f27da78ebe9adb9beb260cb49ed5f4ca2d403f23379112bdfcd2482446a6708188100496e45db1517cdb43aba8bb93a75e605713c3f97cd716b1079

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00000d

Filesize
27KB

MD5
c471760f39dccfe1bb90884fcb84983c

SHA1
ea3d957e18630d1cd836a359bcc1a7db733508bf

SHA256
2c5cf54dfe536ff32ac1852f999a5dfc76ac39654587a7b85416f0f054912142

SHA512
7e1519cca8272e9b19dbaa072d1715d012b1cc8370d949dfc09767788a4a191377f4e0e67aad2f2c44d6acacf64e948e2b5b8d5ed2ec67abda6fe9ed7a0061fb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00000e

Filesize
65KB

MD5
c600ecaff5cfe229bf2d3a48eccbce58

SHA1
7f210b30e6462c7cdb8f4627aaf6a7a82b7d09e6

SHA256
7e6fae08d88bcc74c86be2e0453dbcf23c60ab3215779d13b02a417a07be6661

SHA512
2e7a2d61e974032a836955b86b6e5b743cfb5781f18736a02a0a482d405710f32057fcd0b05995839ff73ac842236b2d132b6bd45e862d4883b2f03bcfed28bc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000010

Filesize
82KB

MD5
08a0b6ed2a07cefb67b1ac9d36124894

SHA1
8ce0199197ad66b283b0f7f7570efcd8ab612b68

SHA256
a38beccb0ee266a6dfbe4df48b0cbed6ecdce6afa51890c3e165f1c2c9f60b07

SHA512
fe17bdb49d911d28095fb0298d8ce270a858e1d435affbf77a20c66d7897d3d14f22dadb3d8a97cec973895d151f35052ae592e18886252e8e94378e38c07b37

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000014

Filesize
101KB

MD5
93dba8ab43d1cd60eb9ef8056b040339

SHA1
dcc110e0a61ae4624fd3924505ca3e58559f96e7

SHA256
686dc290b0c60d5b9e4cebe706cd9d3439221572d98fe6f7b509d690cca3838e

SHA512
13127088bb6b6f8c4164d457c85642c8504cdc5496e8dd8dcc0363050efc405f3e76ee2ae0220ddf785924efbcdfc253315a3f0abce0833f6745cd50d433aba0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00002e

Filesize
31KB

MD5
7f4d3cf023a4c3a56b05467b199432c4

SHA1
650d5da3f8c9aeb4374b72bb7dfd36e462eb4778

SHA256
9d4aea918858e80c10b7553f5669e675d18b29be314ddf9920a8516636a83cd2

SHA512
fbfd9daed03bb67916c1af6de16f2e2ae48f80418105ca95ca3f2ca30a54fc1872e2bc6eef7dcc75e36377289f3e9e9c0faef4ad8e5de5dabe651ed8c6e7feb8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000030

Filesize
16KB

MD5
48c80c7c28b5b00a8b4ff94a22b72fe3

SHA1
d57303c2ad2fd5cedc5cb20f264a6965a7819cee

SHA256
6e9be773031b3234fb9c2d6cf3d9740db1208f4351beca325ec34f76fd38f356

SHA512
c7381e462c72900fdbb82b5c365080efa009287273eb5109ef25c8d0a5df33dd07664fd1aed6eb0d132fa6a3cb6a3ff6b784bffeeca9a2313b1e6eb6e32ab658

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000032

Filesize
29KB

MD5
f85e85276ba5f87111add53684ec3fcb

SHA1
ecaf9aa3c5dd50eca0b83f1fb9effad801336441

SHA256
4b0beec41cb9785652a4a3172a4badbdaa200b5e0b17a7bcc81af25afd9b2432

SHA512
1915a2d4218ee2dbb73c490b1acac722a35f7864b7d488a791c96a16889cd86eee965174b59498295b3491a9783facce5660d719133e9c5fb3b96df47dde7a53

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000033

Filesize
60KB

MD5
5d061b791a1d025de117a04d1a88f391

SHA1
22bf0eac711cb8a1748a6f68b30e0b9e50ea3d69

SHA256
4b285731dab9dd9e7e3b0c694653a6a74bccc16fe34c96d0516bf8960b5689bc

SHA512
1ff46597d3f01cd28aa8539f2bc2871746485de11f5d7995c90014e0b0ad647fb402a54f835db9a90f29c3446171a6870c24f44fb8bbb1f85b88e3ade9e0360e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000034

Filesize
20KB

MD5
29be3f4c1685374185295c0577a0fbc4

SHA1
c720338b90479756d89c4c0bd6e1b2c126e741e2

SHA256
84234bc202cd90772c3dad4cca1b2e1330d811546ed6574be8a6dd8706356d80

SHA512
6c8e59a0453b5ea2dfb99dae65a114d5b05e28428fc0b8d0012ed155115137f5f54abb232f7efae0e5c7c9775e7c5e3373c2f582b59c62625206445f1f5d9894

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000054

Filesize
27KB

MD5
47d642c518bc540b2d83318e70e308f8

SHA1
0bf41770e6fdbce99f0f75209b66b88ceb658e85

SHA256
a78a842b5a830e569c10164c5f49fafc34f9d9f93d9cfe5108f1088ec470306b

SHA512
e56ab754dd745d726952cde7c42e8946be07d0220b4a5972ce38d38f03adbf895fecb8e8e39b12a82ad1abcd47819cafc78e9e933ef18a25f6c2014f5e8737fb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00007e

Filesize
111KB

MD5
5abcf8c2effbe1b208f521d6d5912171

SHA1
465dae46f53d4b0a97a0f42fa11cd2442d636213

SHA256
cd731f70ef3f1dabcd8a31eefa4ac9d5aaa954b81073947310aff54f98815c61

SHA512
90de93855431b6343d0550ce82e7fc14b2ceaac246b9a5aa9f95682d0f01a547dd60b75ec4d9330458f50edf112986dacecad212653bed8e68a7c60c7b6203dd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_0000f8

Filesize
21KB

MD5
4af4fb5b2a03757a82d274987f2c1a49

SHA1
e51e9257096a89100b397eae92cc8792293abc29

SHA256
15f80a57b2ec8a89b7f09cefb97491760a8bad40756b481a1ce999ffadbf0a28

SHA512
6f2389c7867969168cceabcd310aaf2f27c172656f28c10371ea5c317226e69f44e74a5bfe1b592c1438ad3463e267ce675a310a1f989d7a6cce74cc8e406f93

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\3d3c3fb446694839_0

Filesize
260B

MD5
7e5c110eafa31bb230af5645e15e938d

SHA1
739b38cc2ca5854e08ee0ad9adcf55ad1440a172

SHA256
4df6c47b2591f38164df17c2f7e285d4ac5c38722d556390420acd9a2d22d407

SHA512
cbb8798987dcacc64de66efe5a2993a5caa005fb7c1deefe5b0dd06662c9b8dfc230ac4e57a6e0186254d6108a66d98c58f8219534317e63d92b1e7086d51a65

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\3d6e1a4601df0a0a_0

Filesize
9KB

MD5
078d988c5b6f0321b4e9b41a3aefee8c

SHA1
3b40b1f6edc7f4179afdc51239376799fdba7485

SHA256
b8785193bf5271c7862457ccd6593b96d3014e1826e29ab65953bd8c009ad6e6

SHA512
a9352aea14bffac7331f3cd0538151c747dbfb7bfe0665bbcf4d7aac934da97a347b58106b542d8e70389a9eaa25079279f2e4efee886d3bd5c6b099a14b32e8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\4a49d31835f09602_0

Filesize
322KB

MD5
273fdcc708edd0aeedd9252132c95c60

SHA1
8218b93f3c0af43ddfdbc27879e328e82bcfc7cf

SHA256
0bf8f7cb598f8dae576b6ac220964e032b9d06e64ed809cab8154f9a3fe08344

SHA512
54fde4f7d30a1950e426ec6012d914e7c2045df98a9a47cec2e85aead339c1a2e083c2fba72f42a97ce3e83faf7dd30163961dc456aac4ffce4cbc072978ad4d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\51dff2d12ed661bd_0

Filesize
456KB

MD5
1c5246866c93daa6774da137ccd08116

SHA1
3d2cd320017f62a253f69e00b9553a2b489e708e

SHA256
4936b98512dcf577da0d023e05c9940562e4f0fab4df291914eca025df5b5f1b

SHA512
ae603e86a1a1ff608389a5b4a4515a2a631aaf5135342fefe3d206c33f5a2d09edc0d11ab7cefd1378d9e1e0dbafd50e583f048977cd9b0d9e24da5602656e41

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\7f878c7420b45bb8_0

Filesize
45KB

MD5
2468d91fcd2a4135055852c9890237d3

SHA1
83a44078a539e5cee8d7f84763fabc47e32bc409

SHA256
c420ac75c46f9a86293b6cff363154b2f7c1f38d99dfcd87858a0d4ada5ed202

SHA512
6a4e068825d3a8911c1ad241a06de50e8336e6de31732365e3336e932f3c7bca3601e347007d947dd3490ffe2fd6acd94c5c63245bb15fd7ee71268d75245295

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\9cb60fccb2ccb621_0

Filesize
296B

MD5
f329adecdfae3c9c3b184ffa1dd98b1b

SHA1
1d22591b5aee331dd7053b503deb820d6d4025d4

SHA256
cff1719ba06e2e55408c0e1662139d10358b2fb68502d2abc346b9d3aa098b10

SHA512
c397a7ba30f52f1ee5ba1b3406c9167b01e04fe821e69e978065485b7117100f3e115061006bf945e2b3d6893ff938a0f5a847e23033754ac1cadd19803e28d6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\a10a720a1bb4ca6a_0

Filesize
294B

MD5
0b86c2bee8467e1106d80f736ee1e91a

SHA1
e387df36753cc7b804484ed4d137234160e28559

SHA256
6ad76783c60aeefeb087ff9cd7bede80ff2e19955355f0c3ed902667b067d9ec

SHA512
7c2513eec41f9bc53240ddfed52811ee6d5b6afa49f07012eec05f1305551c0a2f8d088ad1aace22529f963d0815a0c6249fcd621d9cf1fa727e0660f8a9b13d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\b2f43249207d54b0_0

Filesize
106KB

MD5
e9c98840be07007dcd28547d5693a61e

SHA1
5de310f49a8ca8abc632be3e5bab2248b88b4978

SHA256
b86c5fb9e0eef8009d87bfa53f7403f3bc6c708aded78b0186c6473a82af6135

SHA512
4ae9d372a5697829df7df86cf3edc8a3e811578bc65de26c9874b2cf3cfe52a9b454da72c181a43111fc8a5de49d9bda49276420d9c5c00a4b1ea5be047d08cb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\b57c78baf0829aca_0

Filesize
279B

MD5
cebb7fe972b8cd41c810a66511ada433

SHA1
aa467b436553d04b998d4504011ccbf7fac4055c

SHA256
b79293392173914f20e096a51e359807339ebbd517393ec9bd254c61dd898b9d

SHA512
9b68471610d28907dc0d17abef43d47e2a02ed26f261a92ede24e0b2b19fe169e8d2cf74e1021d46edd57926807d01e56a4db32fe89e82002d6e7b3f20e65284

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\cb5dbe863d928f37_0

Filesize
3KB

MD5
2eb40c33fa69653726b01c1079a14986

SHA1
1526b36ef765335865bf288203929f16abb1d415

SHA256
d1c210ce0982fc8169a7ade3a8d9bb20fafad1ab2f43842cd3884aa57b038851

SHA512
6640629c27bc6dbda0f09b9436d35b0d75ba92a4da62489e79a197a1231d6bee6c5307a226a3dd291c6d4966816360468d1e997efa9eabc9ec307d339cb8e870

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\d1dd71c190f8848e_0

Filesize
93KB

MD5
23396293bfe7607dce57b4ad08c39968

SHA1
fe3a62d0b2b5a7105751fc69c0a038f9f04b17da

SHA256
b10726b68360d549bd5458ed9eabaf22bc884ced121dcf5bfe547206ba7e2213

SHA512
9de9866421293ac511f2e177361e21b58e451ef75f070531c29d9b645fef95f31b29367a33b658676c395c8d3768de631e80cd260de1bb0766e7563019dbd188

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
2KB

MD5
b0da67488e1c5dce58614a0ff1873306

SHA1
e32b0f41f09cdd8a25946409a13d6beda41be464

SHA256
44bf71cbf4c449d82ba6e5b99ed089ba51812c676d7ba12aaed3f4881a8e280e

SHA512
a7c48c343d6c5d7e8d38681d8044050278ec2371ac5cd16f1dfeda1617c04582b3b4b7469dbfc5290c08df0321f714fa8576244ac10393e15c86810ea790322b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
2KB

MD5
11e71e00ae93f898a70f9e25b45c7dba

SHA1
0fe932d10d0f51562f25e4126136cb1412f79ea9

SHA256
2460a3ee752ad352c84963a25d863f729de546b68be40f0c1af9c7c3c5b48637

SHA512
c362be44fa630fb1f35b6bab972e554bda0339250c41cc00ccda3db28490490e4789e8b8ff8cc148dde89dbd1fb248690890798fa4b51e3b4d8e31b93fb1a669

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
2KB

MD5
4931b3e76665cae10a88ace35e47f0f8

SHA1
a751be8ddec461ce7fde9200887673325140a08f

SHA256
dcb0ecfc265a9c7d2913fb231e5596fb173a70ca35b3bd6ad357ae321f29464a

SHA512
7696e69a82542ae1a9aa93fcc227d42d0a827d3c917c7b287cef362169b917263ccfd32caede81e9fc8a8d7371ee0e8063e67a2125070c534549a6bb3bf6755b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
111B

MD5
285252a2f6327d41eab203dc2f402c67

SHA1
acedb7ba5fbc3ce914a8bf386a6f72ca7baa33c6

SHA256
5dfc321417fc31359f23320ea68014ebfd793c5bbed55f77dab4180bbd4a2026

SHA512
11ce7cb484fee66894e63c31db0d6b7ef66ad0327d4e7e2eb85f3bcc2e836a3a522c68d681e84542e471e54f765e091efe1ee4065641b0299b15613eb32dcc0d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
3KB

MD5
a4adf2d8a57e57e6be7a7fefc7b14670

SHA1
0c5d7db177ef9ff8b1858255be35f07a21c3886e

SHA256
0f80fe228d0f16517d1b19e95d8ebbf855b46b97f18e2be3daa343e1912a0330

SHA512
cf1070e0300c09a07c415236e22c486f9a46928e58737d03df8c2c43c48ed90a1e07abaea8ff2f7e33017395a61fb50ddb0ec7d1d55360d382f1bf0c94e3d80d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
3KB

MD5
f111968fa51c4c4f36bbc3161fa640be

SHA1
5283d94944dab8596fdad2f9d22d959839899172

SHA256
c3c5318eba77085d5aef1e8f194c6a34577b2ad0c922f67b5c634fa4c43f1a42

SHA512
a01f863332df4528f6af474ca5db11a7c1141c8fcef229b733ddccc4cf2f830ca8271fb81c05d53757f08e5e7c225adf5ca8ae69413040612cdfe31ec5728ed5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
3KB

MD5
d55d581af5909f86bb15380f8e17a3c0

SHA1
2828fba57aca9605b137311f406b67ec13db2a2c

SHA256
cbb06903a468a8ef13f119c279c9dfe9cf2bf765590bf4fe59195f277db2fd4c

SHA512
1030f6ff2341bd093b6b8b370d3de24ca190578daadd1a4f7baaa9617054b29676ea8751f2504b6bad3fce4c698442872e191d5dcd2dbdc147c5788c2e346797

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
3KB

MD5
570437eb8e2f94bb9893f7ee5183b7fe

SHA1
915885afc5e4398669dbbd3a4760b718ee7304ec

SHA256
e11305932ec4218f0ead14800a3d1fb19afd8e9600920c23e6ef0c6f38afdc0a

SHA512
3191322fc466932a10b3c5c3a4bbe7995650207f8f5bdb0087330e801bb6ad045ee4d5482260c4f0b8f4827874bb4dbf1aec130432725031fe16be7bbdccf347

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
f4610764622a375ee4555c2749517d23

SHA1
2303e31e73808ebc884d18a000d6367fc31ba6b6

SHA256
cb4eeb55d6e043183c7e3e0d03f32c9b748c7a112a85fd9f210f82a4f9389ecc

SHA512
28a9250534f5bace6a71ca86f711178ae787c302f5a7e17cf1e8b652e25186f8324815210cf70d938844f5aa6431da5736a5180261b908cb2857a9c418691824

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
547a7d0a218226be8941f06f7f46fc5d

SHA1
ca145b32c9e671fd455287f79a9f9c6b5445019e

SHA256
56082521c28f3f015ecc1357c42913a11fa9ab46c47fad25369c4466a027c1ce

SHA512
db594357a7c7c3d6c84d0d8930c80b7b0d64efebab893f1da49ee0e94eb94c8aa9eea5235dd74ca5f9b8f118044d81ff591acc7ddfbb11cacb399fa64942a7a4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
8KB

MD5
95865245291e3924005d060bac078b7a

SHA1
85ef9b0c8247d2f57af9e11661fac185a306d4b1

SHA256
7d123b880df53786aac0aa088dd9e97422aab7f76637e143bec23cf96cf9ac98

SHA512
956993b24da128c74d65b184364be3317d9d5b937c6491510676e1a3f532e82ac8186a099ab8cee929a783189d95d426e7ae9f11f592a45d8fa85b6b3d074665

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
8KB

MD5
ef776353dffdbed402e12229f6442ce1

SHA1
7a07fbfdfc8b3ba8feaf950b53c288da6fa043c0

SHA256
f6b8a5165ec11653b963a1c96b895c8d81f27e1cf26f2ff18aec8ccf003217ef

SHA512
2bb6f09fa2705f4069d195e4fcaaa72a370c7d1290d6409411f948fc288b5b1b4a48105b3345d9e404f8d6d970d4481c8c99cc062175dace83a97d78000c2464

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
9KB

MD5
35d5b7b18ed783f4fd0ebd5433d448c0

SHA1
9b7994073a79ebdf87810847a44f6b390c17d6c9

SHA256
df28236216cae937988b2c115c022d659ef5e77b82abb382be40072351ad99db

SHA512
0db8e98a2710117003a32f363d32e559933a7272f2c256b131f00def58761334a8ee8d9346979f5e7a84c6227efe864425f00046f55005e337ba1f669200bd3a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
9KB

MD5
34677327b09c436e858fd583509443ea

SHA1
9333bf30f284aea8c38f65c1284a55d37e4790bb

SHA256
1dcc7d89be4661b9e3af6499edf79c2bce62ee5dca7d42940e3391ddeeb14a48

SHA512
0179a582bdcd6374b48f640806534c9a7cd30e60b5813e74032464765a588ee69b07d30bb112892eb8a39d4bb6c21a9e2cea75aad9f755dfc6bb5c0854c59399

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
9KB

MD5
e8a8e02d82047f62486cc2fc8b042683

SHA1
57a24589ceb906be79bec07814372552c45abcd1

SHA256
2de0dd12c698e323122bdd56d14ca53681bb4f881690db421fff4b2b730f15d2

SHA512
196e8997997615718b6aad2c694b5dd5651fb1901196810f64934391e9e6950d3bd51059410946c31cf3d7450891b7d0f3209104ed24b74f25b355b39f827d83

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
1770ff756b18b534708994dca18644e6

SHA1
19b0348cb282f9a8802bfadba7975a498fc5971f

SHA256
852dd840cb5acc893f3d2144a37f93a9840431f7d976813f31a4bbf76c747780

SHA512
79f8e5b3dc12e7bea7216edcf4913ce9f069f4b7945b9276e44693657179f7176151729c0b40c9ac726e369b942490269ed574912863a01cd512caca8fbf2016

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
9KB

MD5
484064eabf6b48793c5aaa4054fe5ca9

SHA1
af8a2f6ed06c694d85ab45eea697cc4a7cc078e3

SHA256
6c4211b6ec5ffae04a5c24e583fcb9fc827eaa98f550e98d873b36d1edc7581c

SHA512
3282fb969cb832270c0efb8bd23eaf1e9b01edf53c5639a40c354a7f707ad409836695937d229ac1908b7ba0c97c6943ceb47c8ea4b17d33a554a1e4e415510e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
da7b4a9e5274668e75e12407767d3d73

SHA1
022a50d676db7e81e1c9693b975424fc585264d7

SHA256
ae6f1c3e736546c2cd6b02c7a563b5b1b01506ede4e9bb1ea3438a456a437228

SHA512
60fa69628d81a2acbe112ead65db13353a1970a42d6b8a77e60dce9ed006f6d18ade6ffa14979d0c7c4c395b3aae3fba5f1af6b10aadcc3f7c916518da3d0fcf

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
8KB

MD5
4ab32799b188769995e4053a38effe40

SHA1
8ba04c1c2f992657a7fa053253f80a30822b21bd

SHA256
c47a949465d93e04bf9c1d436f62dc455e47fcf2a817b296f2aea8e45f10a24c

SHA512
1fe8a47289c25ee7da1b2ae474f737fa8bc985cf130000f769ca4286f93d0d7df3af97f1ecafcbed71e7a4b02ce86fefc5afbed3bdc40d24b5641f29c27fb13d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\ScriptCache\2cc80dabc69f58b6_0

Filesize
4KB

MD5
33d506e3de0a9ad3181d14765d16001c

SHA1
fdb3ae056ed669778af55cbafa5e3b9052675c06

SHA256
7a9dce420059d9233927d6b49040c1f517ffe4f448846e254f2d68f8e3fabd04

SHA512
9eb28a8f44d803212401d6b79d2a8040e072980dfe2d754a62702c9ebb9fd5a60d15ea4263bb945742afd022b0180ddad699eb6993264234011d10a32fde9449

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\ScriptCache\4cb013792b196a35_0

Filesize
2KB

MD5
cccfb0ccd31d3e4028fbbbf499bbf8ed

SHA1
39050f89ec4d97d5608d5da5b72ffe1429bb4f58

SHA256
422b01122acba337dfb97254a0f2ad03efaa7327f960b912bb3979aaaa3321e6

SHA512
79f831474ec9ddd5d6cdf262c11e9bb007807498185979bcf5bde154eff7c1e8538ffd0e9e2aff715f80706cee3103d818411d1bbd0ef7ad7ead43996268b389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\ScriptCache\4cb013792b196a35_1

Filesize
3KB

MD5
7056b7863727d3619e4af4e0accbb4d0

SHA1
b3ba01d389945f0bdaf3174a22638e4d2c3ae767

SHA256
01c8700f3df77e06127ea4cd0f9fecb932812c18a9e2e52cc6d6f68e1b7e08fc

SHA512
93c857703654ac103db25fdf3e03d3d8e1d192a5557f383c29a3c4c14be2369db9f039b7c21a36819d7676dae9d65a98eeeea1d1ce406894194a5714a56f20c2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index

Filesize
96B

MD5
439d74ac893fe42f48ce89bbd6ac3b59

SHA1
30af50c644ec1b0d2e3385d22420fa89d1eb2ad2

SHA256
b59e5a1824d1b20407d7e8362b62a7a5e9bbf87b3e9d8c5368e2142a67b2dbc7

SHA512
0fa56a7ca856d94c60f1f5801f0d7df2d952db04b6215fc42b81e188b1fc202d57ecbf1cb824ace432fbb8611db8fa1e0ae1dd93324bc06d2407139c629511c1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index~RFe58b273.TMP

Filesize
48B

MD5
7981e9049cbfba0035842787047665d5

SHA1
d6560c6276df07ec8850caab7a318699e3c20131

SHA256
16cf4755a3ebca4ead8ed1b42e9659b5441592c0bf34675c80be183cba0d9e9e

SHA512
b40dd61f33aec8de60290d8b609d6e2194f05542dc0ba485f8751ce681192789d99227c059f668898e1f83e4544b61d2f4ac807cd62e2808cfbf867dcdede963

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
eb64f19c7173f711b951fd12db927c3c

SHA1
3927e16de824759d4b7a7b88f33ee5597dd4c506

SHA256
fda5608df7137eea16e91602bd68c2d43d5e023e072a7518c666e1e78189f1d1

SHA512
f40d3c8fe64bcbb96b83c5d037c6b0a05418ad6c35592f9400004cbe8530c94bbc0814b1cc29059b17ffeed70886e24ca6e67ac22ad8f0962fe491f32e0b853f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
d2a656c963a28b53a9e44fc3039caed9

SHA1
7b1841a6dc1e2477584e07117909199467343f32

SHA256
a08b5b4cf39f4009809793f4a50c8a582365382e0d9247071ec4cb49c6726042

SHA512
8128e2fbc19c29cfb2623d59c9149405723ce7a5ec7f117778c7bffcef0eefb644877da6b6a0576e721a0ae7fa15ca456c09273a17b7d5ed59aad15cb7da7711

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
53c2b0a053dbd08ed4cac19176a62bb8

SHA1
2263b50c6fea5a281b0d54a3ae3023922222f0d2

SHA256
ca16f3395a75fccbcf6f50ce2e51b1ba82e79bf07f3c7ec9de2048523139083b

SHA512
08e6391f5d6969f50692ef6ce8b75638b25631ab1d73c32b5387339253b26913ffaefe5127b94e1de63f7659588faadd9b3e32a0cb5b8f134cdf637879242935

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
b50398aafb4edc080453af6893455763

SHA1
95799cb723dc197b0da20cd5999e874d6408717e

SHA256
c9aa5741aa897f0d54d85ad93bd6173d4de4b36ea3f5f3e61286b8d1742253e4

SHA512
676ade0129cbc8ba6ad3cbb6f75196e97fa95769aa179e5e9ffe5a11b45a999ffb2730baf2fcad405355e6993d9246208053ddce57c18908d21cbed99b46f8b7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
89b2639cfaf0397e331e1823f7c6e010

SHA1
cd4e3a9e484ff84c73b835562a78a30776853776

SHA256
ecf3098f51fafe0a5b65385003ca4e2a63a171aa40f1714f5e340227b4e7abe4

SHA512
07f2cd7921feb805271a0b89b4f124f221cbb9527e645bda7948b3c86d26e8856bf0f38d9cfe7d6e5a6563c320e045269bbbb75b88b10d1c9ef117e478c93e2d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
c34cb5b67ecdd8a52792265314455a1d

SHA1
c7a95b251f4f301f961a10e4b5d91cfef82f1a03

SHA256
3cb57dc897289388c043504f2970b25583af66c5f62d24443dc8446daa94396b

SHA512
4732fc4bd23d1169759863bd0c2c027ae61ef72d080f9999499e1e3c2ea7d8f5cc351f57948e8bdcbe8edd5bbc6cb4ea1584fe4a6e74d0be76093d782845f1b9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
3479a3b43317426370af2e8a3b792e9e

SHA1
00cdcf79d4c2745b2102957a8d6bc1db003c7dcb

SHA256
34f4fae1de34fb35976806474b80107cfd3bd2a1baf497126ddc7c72a79f4aa6

SHA512
634b6ea90e982a4ab14be3256102ff9166e89a5ea1caa17b40571e6d112f425f5082a7976bf7458a5bdf3f3b83cfa3bf46ab75e4556fc27b0f912a9fe5fd5681

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
2f2d2436c91171a753b979a2833a4000

SHA1
f14c20292557bbc267cde1e5dc5b93351299c75f

SHA256
72b6fe5aaf98aff46f0df0465b0f0de269aee2ce71728894f75c1c2f033e7ce4

SHA512
129e3d21f8142b219540489392c8314f397588253273008d2333b877fcdee10dfd7cd74859659f8830cb27473fda09215e96c3893022e209494faf6f28b25c9a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
ec331563c9d383a269daaff8224c6d9d

SHA1
1dae33f30e354d2a46d63085ba3ec6ae4806efd6

SHA256
a42a24024e4c81854f67bee024c2e3bcf5b2894ec695a471555a28d1fe16aefd

SHA512
ed2198229ad84e8e440a7e863acbc18eea513ef26e5b0f11e389edc6a42bf8c1be453fe2e4737a11e0e644232d2e59ebb68ca0832bc833f724d733d0e4cf7dc7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe589e3f.TMP

Filesize
702B

MD5
927e567a07985f21af41a70319cd95f4

SHA1
d181484857c17c24a2e2900e85f68d8531a71847

SHA256
87b70008f2a7a60a5b2bf9dd5915323ac848d9ecdc0f15760bc52e48b347d905

SHA512
ae417e6ec040f7de1f73a67fb31953247a9dfe626e532899f21b5e6519543149a0826b45154b2f562e1b39d2ba35231953a0b231958fbab76e00949c170a1043

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\dd7dde2d-bd77-4f9f-839f-627bf63edde8.tmp

Filesize
702B

MD5
84ce166f7c2a8781661d1d07617a2a48

SHA1
0e160c247818b78a2dbb2eb25554bd84b26a3fcb

SHA256
c65bac47ab3ec43948849de438bb77cb86abf29d62dffbfea9cd66239a84751d

SHA512
ac996448f2fa3eaa820e047e62db5393b593c969891379ca210bdba69bf2d606665acdec61fa9e733d6e22a412ab30f2fbeacec14047ba2955fca059bc12701e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
2111aa25c95c2af303a44f3de3b75676

SHA1
cbe14ee179d9315120d62666c9fa77706ffbbadd

SHA256
6aa39e0e10949437d9ce726b4ab73ba921457ca91859683e168a3b139f57e0e9

SHA512
b4a6a2c77cd82e6f1ce4a24f0a98169848ff963e92b07811751c794ea7ae5d574eac382ec0dcfd124d15112d2c94109684653ba8915ddf91a4ed0ebf5947bb6c

Download Submit
C:\Users\Admin\AppData\Local\RuntimeBroker.exe

Filesize
330KB

MD5
75e456775c0a52b6bbe724739fa3b4a7

SHA1
1f4c575e98d48775f239ceae474e03a3058099ea

SHA256
e8d52d0d352317b3da0be6673099d32e10e7b0e44d23a0c1a6a5277d37b95cf3

SHA512
b376146c6fa91f741d69acf7b02a57442d2ea059be37b9bdb06af6cc01272f4ded1a82e4e21b9c803d0e91e22fc12f70391f5e8c8704d51b2435afc9624e8471

Download Submit
C:\Users\Admin\AppData\Local\Temp\places.raw

Filesize
5.0MB

MD5
ae71e46d9a9c60a6fb840b70cad13b91

SHA1
2a213ae784f5242cc21d9b934706be25ce760f62

SHA256
357e7a24b49900c79fc7cb36548dd6f0607a80dd7e852bf28ebd9a9e46335906

SHA512
625dca8ad62b6cc1572d3be14df6926d18129b66198be13e215dac77f2250ca5f0400cb74961cfd45a68ddda8766364ce7454d74b8315298d6f69ef0bf83bde5

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp2697.tmp.dat

Filesize
32KB

MD5
ea0e33eb808c08ef7d7bdac27de6275b

SHA1
d98ac2ef276c4a9c4fa5ee61250a150ad39bbbbc

SHA256
46eb5a83e745615b49eed7ec81262670a3ef5a0e5bd481f7c59a7343abcf4c67

SHA512
c80df8aac470cb3c19bf272e8e8e226a6193fec75e8ea2d4729b48c9fc2cd9ee7569b45cfc4a70a51638fff69a2a2d5a4ac70e660e5bef5e021945c8cbda85df

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp3E5F.tmp.dat

Filesize
32KB

MD5
517b4abcbb49ee12b2dc7f41282b5e92

SHA1
f4e6c7233e9785dd74d2fcf4cd8afbe143d9354e

SHA256
5398b398d844ecc38ac2b0422d8eb4d6ebd080aaab84cb7503730056d8e87ef1

SHA512
8a1be542be62b4cc11f0a2d802eb252e6b6af9b6c90a516c1496565e79959b0d43f0a193817addaf8947b16d6742efc9d899748f742d7ecff2a38d2ae041aeec

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp4594.tmp.dat

Filesize
32KB

MD5
12fa697ec221bc815ea57140ec1c480a

SHA1
17453686216d66ee315a00d34e1f70d3ad11be79

SHA256
a852351d428bf540a970778ee51ef571a6033c3bd428017d192fbb3b6e0f7e29

SHA512
2951c466245a15d236249cc841af24befa87fc906f317659daab9913e03a626820e2229fd44c96471ba84881a74a2d183faca6b2ce7a95b5a7c93d9d8a8a4b2c

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp65FD.tmp.dat

Filesize
116KB

MD5
2d52cb7169ee595db0be8c416f92cbb9

SHA1
103a40cccb79f71750a01ab27381f382ead13177

SHA256
9a8afa71184888b90f592a5d60fe717e1b628bacd0370af4fa04ba6ed4bc9ba7

SHA512
7b884e691e882d04e1415851e91d6030193ac75bebacf53dcb45049310e054c669309accf8312eeee602d84ce1a39d758645d857c0ff991db815b6e09160a8d3

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp765D.tmp.dat

Filesize
124KB

MD5
b6ccc6c79c28c78e5ace53ff61b9ba0b

SHA1
a5961b0d6faef7f72ba485a9734b47f9519b3e0e

SHA256
4c0af9a09f86b2e00f7597e088e9d2442764ca4d58fae6a17582341389d687ba

SHA512
104fc39bcb6dc39d9ee0f47a1cd2c6115310187c2c0ad89f3641a779456bbb8462a22dbae57f7f82cb24e66e4cfa9a8f3a9008102400652bbaa93829d37fa62b

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpB110.tmp.dat

Filesize
114KB

MD5
c3311360e96fcf6ea559c40a78ede854

SHA1
562ada1868020814b25b5dbbdbcb5a9feb9eb6ba

SHA256
9372c1ee21c8440368f6dd8f6c9aeda24f2067056050fab9d4e050a75437d75b

SHA512
fef308d10d04d9a3de7db431a9ab4a47dc120bfe0d7ae7db7e151802c426a46b00426b861e7e57ac4d6d21dde6289f278b2dbf903d4d1d6b117e77467ab9cf65

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpB122.tmp.dat

Filesize
160KB

MD5
f310cf1ff562ae14449e0167a3e1fe46

SHA1
85c58afa9049467031c6c2b17f5c12ca73bb2788

SHA256
e187946249cd390a3c1cf5d4e3b0d8f554f9acdc416bf4e7111fff217bb08855

SHA512
1196371de08c964268c44103ccaed530bda6a145df98e0f480d8ee5ad58cb6fb33ca4c9195a52181fe864726dcf52e6a7a466d693af0cda43400a3a7ef125fad

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpB125.tmp.dat

Filesize
116KB

MD5
f70aa3fa04f0536280f872ad17973c3d

SHA1
50a7b889329a92de1b272d0ecf5fce87395d3123

SHA256
8d782aa65de6db3538a14da82216e96d5e0a3c60496726e3541a8165bccc65f8

SHA512
30675c5c610d9aa32a4c4a4d9c3af7570823cd197f8d2a709222c78e2cd15304bbed80e233e3674ec2f6e33d1961c67fd6a46dc8ba8b1a301cd0722932c03c84

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpBD17.tmp.dat

Filesize
40KB

MD5
a182561a527f929489bf4b8f74f65cd7

SHA1
8cd6866594759711ea1836e86a5b7ca64ee8911f

SHA256
42aad7886965428a941508b776a666a4450eb658cb90e80fae1e7457fc71f914

SHA512
9bc3bf5a82f6f057e873adebd5b7a4c64adef966537ab9c565fe7c4bb3582e2e485ff993d5ab8a6002363231958fabd0933b48811371b8c155eaa74592b66558

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpBD2D.tmp.dat

Filesize
48KB

MD5
349e6eb110e34a08924d92f6b334801d

SHA1
bdfb289daff51890cc71697b6322aa4b35ec9169

SHA256
c9fd7be4579e4aa942e8c2b44ab10115fa6c2fe6afd0c584865413d9d53f3b2a

SHA512
2a635b815a5e117ea181ee79305ee1baf591459427acc5210d8c6c7e447be3513ead871c605eb3d32e4ab4111b2a335f26520d0ef8c1245a4af44e1faec44574

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpBD2E.tmp.dat

Filesize
20KB

MD5
49693267e0adbcd119f9f5e02adf3a80

SHA1
3ba3d7f89b8ad195ca82c92737e960e1f2b349df

SHA256
d76e7512e496b7c8d9fcd3010a55e2e566881dc6dacaf0343652a4915d47829f

SHA512
b4b9fcecf8d277bb0ccbb25e08f3559e3fc519d85d8761d8ad5bca983d04eb55a20d3b742b15b9b31a7c9187da40ad5c48baa7a54664cae4c40aa253165cbaa2

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpBD2F.tmp.dat

Filesize
124KB

MD5
9618e15b04a4ddb39ed6c496575f6f95

SHA1
1c28f8750e5555776b3c80b187c5d15a443a7412

SHA256
a4cd72e529e60b5f74c50e4e5b159efaf80625f23534dd15a28203760b8b28ab

SHA512
f802582aa7510f6b950e3343b0560ffa9037c6d22373a6a33513637ab0f8e60ed23294a13ad8890935b02c64830b5232ba9f60d0c0fe90df02b5da30ecd7fa26

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpBD5F.tmp.dat

Filesize
96KB

MD5
40f3eb83cc9d4cdb0ad82bd5ff2fb824

SHA1
d6582ba879235049134fa9a351ca8f0f785d8835

SHA256
cdd772b00ae53d4050150552b67028b7344bb1d345bceb495151cc969c27a0a0

SHA512
cdd4dbf0b1ba73464cd7c5008dc05458862e5f608e336b53638a14965becd4781cdea595fd6bd18d0bf402dccffd719da292a6ce67d359527b4691dc6d6d4cc2

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpD7B6.tmp.dat

Filesize
32KB

MD5
0e985d30d2112034f032eff652d27104

SHA1
ee8a2f04f59d99e8cb5e64ac386106d9363e827f

SHA256
ff6155588e65cad2de9725cc31dbc9b51938fe02751905be6ac2a09dde8a39bb

SHA512
2fc2bbdcef6c15a3acc88783ee8f11a1b209178ea56d11f083e3030c8fbd684571ca5a48384119170a7be55a9e32be901dd94ee10ecb27f34e9fbf6c6b931543

Download Submit
C:\Users\Admin\AppData\Local\b2a4129d590c5a0f13623e3ce4b6fd11\Admin@KVIWLPUJ_en-US\Directories\Temp.txt

Filesize
15KB

MD5
6a1a97992926f44dfc753beba8d12da8

SHA1
0523f81f9ecd5446652c9749cd8ed5ee2449acb6

SHA256
4c03e9371ed8daa4d87ca896345fe9af008ffe00d0a36089c27a41410a367d9a

SHA512
e58740e5c5d4be762878559db6374a13c3eec902139b727e9c326d3c847b0e3615b141e1233110851035d74d57c7049472d2389378a220f713960862dd180c0e

Download Submit
C:\Users\Admin\AppData\Local\b2a4129d590c5a0f13623e3ce4b6fd11\Admin@KVIWLPUJ_en-US\Directories\Temp.txt

Filesize
18KB

MD5
eabb48ba96366f95e9752da9047383a6

SHA1
47b49ac93024e105720cd33d1fc74a79854abf37

SHA256
aedb2f25594b697d39dd714b45530a511eb0d2fa0fa9dfc80b7a037eaed9140d

SHA512
bc83be23b9b0ac38512be49047ff75934dde0222e56b61f7cfe0557826784b86ef4600cf6fbe76b7fd7890c7e27c5f514bc42aa4dba0f6e22f016a56c358c437

Download Submit
C:\Users\Admin\AppData\Local\b2a4129d590c5a0f13623e3ce4b6fd11\Admin@KVIWLPUJ_en-US\System\Process.txt

Filesize
1KB

MD5
f935bd3216aaee895397294fdc5f813b

SHA1
934f135a55fd8c333a88b5d4de10894d14ffa68d

SHA256
a9d7497419e0316c9c0e2247b332289b8011e45cf46ab49099cb0862043f5e1f

SHA512
ede9b7bd26a232bd6b0ab7a7e0cef99366869ba1a75b8db1a2c633ba1c358a041310196ec4bf1058299e528d19ae5f950a778b3574e12117d0e9b7665db55f4c

Download Submit
C:\Users\Admin\AppData\Local\b2a4129d590c5a0f13623e3ce4b6fd11\Admin@KVIWLPUJ_en-US\System\Process.txt

Filesize
4KB

MD5
caeb0d9ace40be1f3f458bfa9bbbc000

SHA1
b239795603808c9da7a4652d325aedfcc0db0235

SHA256
b67697c1cd13ec7fd8a2430fba0c7c10120222c1c0948acdee5c49aba6601f9f

SHA512
0a82fe2584f4f9150e9134b3dd9e872006dabb1a60d55c434e5debcffd3c3cee350f84be0e7c25a80676811e8a4b3899f0af8b9c6bd888a318a88eb69ef53fc2

Download Submit
C:\Users\Admin\AppData\Local\b2a4129d590c5a0f13623e3ce4b6fd11\Admin@KVIWLPUJ_en-US\System\Process.txt

Filesize
793B

MD5
47926591e8689320b349472d40e8e2ad

SHA1
51e0eb37f5bb8d1ec573571e882616b87cf2ef11

SHA256
83fdaf568ab795b5fa75548870cbe2b89f83ee0266fe21c7c0941ffb468b1a17

SHA512
51538e4a91ca7ce2fe38550fe25f0a4f64533f29643caed02e3ddaa6428f2936feebb5ea9458006e3e43ed304d40243a20c6f70e165f64487108fd0bc930cc8f

Download Submit
C:\Users\Admin\AppData\Local\b2a4129d590c5a0f13623e3ce4b6fd11\Admin@KVIWLPUJ_en-US\System\Process.txt

Filesize
213B

MD5
dfb6de6f4a972424304a3747d4e6283e

SHA1
47eef1986b0fd9beb97341f5258ebecd498b24ea

SHA256
c3641fa1f34ffb193861c49ce2acc20ac2688da6218fdc6a94ea0627c2a0f6dd

SHA512
9408e7d34e77a9444105f6c5d8dc66c8e1f3ba1948a724509a9381cdbf98aa4402b75ccfc2fc2fb8c15647dc12d334137fb88d3d60d0124402ef1738175078cb

Download Submit
C:\Users\Admin\AppData\Local\b2a4129d590c5a0f13623e3ce4b6fd11\Admin@KVIWLPUJ_en-US\System\Process.txt

Filesize
4KB

MD5
294d3bd46e62886c8d739fbae45f8986

SHA1
5d327c2f4f04edcca627b4e916a0ca309d2e8c57

SHA256
f7457334c6393ab7d60def05c236ccc04f4b79fed808a58b551777802a1c7070

SHA512
2687ec825b1dfd067004e2dab9111069c8db85a93f91fa6040a2e19ae65081c960bb6f062c1924e6c5661ff310939a8990cec04e1493904eae8b3d5eacd3b97e

Download Submit
C:\Users\Admin\AppData\Local\b2a4129d590c5a0f13623e3ce4b6fd11\Admin@KVIWLPUJ_en-US\System\Process.txt

Filesize
4KB

MD5
b4ff0ded26f834fd4b05bc3382ab4bd2

SHA1
ebac12c3e2232c68c4bb4fe9ba222a4b87740cd4

SHA256
047ef41e511c1dba4fb3c9f219924b9c3834d38fd93978f24f37adf97463c9de

SHA512
f046ac87f0d0f9d344a7900f72eaa77beea376c13a68e14bca29211867198c61abdd6fca39a0fd30dcfe42eba2fe1e31bfa8534cba9e646313a05553a6e4d0ae

Download Submit
C:\Users\Admin\AppData\Local\b2a4129d590c5a0f13623e3ce4b6fd11\Admin@KVIWLPUJ_en-US\System\Process.txt

Filesize
1KB

MD5
4324c91f6b3444bc6d1ed417761a1206

SHA1
bca7366d51c05d4268a6fc72a773fcc27e8756d2

SHA256
8afb5012ecaba5c5a52e37e44bc3324cdeadde1733778f64c6330ea38462b589

SHA512
fc1af2ca40a2a07a7b17a61b489915c0ce931b07d8bc6764be6e41380cbb5d9b485037e761fcbaa9b12529f1674755c2d7ef910b4d2bc1c41e0e968dae85d49f

Download Submit
C:\Users\Admin\AppData\Local\b2a4129d590c5a0f13623e3ce4b6fd11\Admin@KVIWLPUJ_en-US\System\ScanningNetworks.txt

Filesize
336B

MD5
5a797ae1e94ebe63a312f693c71f4e54

SHA1
eea24b3ffc49f643478b87693f0038c7b7b58bf8

SHA256
6afa03d057cf856f4df972e92a87c41445261ffb0c101f878b67016ac072aa53

SHA512
17be4d42023ef71008c648edbcf975bafc8bd8a226a3c31de2709a5b74a48cca648b0b1e4c330a208057075b90518e683ae5dc049e4b6e5e8e93ecf3faf5b489

Download Submit
C:\Users\Admin\AppData\Local\b2a4129d590c5a0f13623e3ce4b6fd11\Admin@KVIWLPUJ_en-US\System\Windows.txt

Filesize
169B

MD5
4aeecc135d2d50f50234f2bf0d9e8c5a

SHA1
ee832840d253558a0b318d0badc3e1369e6d11b3

SHA256
6789c2b469f018568baf1714c86045b80b0e22592b7ae83891ca0b049b878839

SHA512
f833c315cb1abe56d6b6d241b0865b314980263abf8b030f3e14aff1a4f3cfde2ec78d8a820bc8e63c08043cd453c99e088bbe9093eec41a3d482e5f0008b740

Download Submit
C:\Users\Admin\AppData\Local\c15762fec1d88668b7893daae5a1a79f\Admin@KVIWLPUJ_en-US\Browsers\Edge\Cookies.txt

Filesize
5KB

MD5
1f61aa8dd6b0ff973ecbc2c50fe79141

SHA1
4c1977872c97d89317271b69bb1d02c95cc57ac7

SHA256
25a309c40d0fc6eec4d6bd29c917a0d84937cc5fe96616e2acadd3f3dc3045fd

SHA512
8e110d89183214d76e427d28b75f0608d119cf31e971703be85ae3a53d84fa6d9dc30feff92a37f27554f22c19dd7a0f43523c8d439410e998389b8b346bd0da

Download Submit
C:\Users\Admin\AppData\Local\c15762fec1d88668b7893daae5a1a79f\Admin@KVIWLPUJ_en-US\Browsers\Edge\History.txt

Filesize
735B

MD5
1c866cf4a8b45c3a42e14c30a88f2cf7

SHA1
18206f72ee7b8071aeec44617c3d09358d367e23

SHA256
7cd20f914defca6ced1f68d8fbbb60b5c292b55987244c437c1e18f937ea9aaf

SHA512
91a32f7331c3bc9e5aad9fb0871594503217971d0662dc06deba8741ad5037fa9c30a1683bc4ba33f2c0bfd072f71312535ad0ba3d7780d94c9d358ce768d32f

Download Submit
C:\Users\Admin\AppData\Local\c15762fec1d88668b7893daae5a1a79f\Admin@KVIWLPUJ_en-US\Browsers\Edge\History.txt

Filesize
2KB

MD5
ed31b26f02fc3aba8eb765b4d735036a

SHA1
2f89f1cc5e8e8d0c4b65ac3555f58ccb783f9f40

SHA256
d919f342f16ee5c116670577165bec757db7e627dc4db02f1ca227d0cf2255ca

SHA512
e325ea4e4e20c3b3226683500bb14522e61cd2a689e9126494309a838ccecacb98f5baa79cd03cd993d61910f71f3e538971f960098c7a1688377f3548190771

Download Submit
C:\Users\Admin\AppData\Local\c15762fec1d88668b7893daae5a1a79f\Admin@KVIWLPUJ_en-US\Directories\Temp.txt

Filesize
9KB

MD5
daebada9762f1fe2d73461d8c4215542

SHA1
63d5a4b9c82fe2dadfd2f81e5c9361aaaca148ed

SHA256
5c2f1afb12d23d9a765eb223f2c51db2732a46e2b53b809db90fb3601d239424

SHA512
609bda9efd192ae1543b57295b0e4e60e18138d5f039b6af4ef681cbc69758c7b9ca782e34f52732cca2e194410ab3c2461f21b48703600ffc7690fa63f7c9d7

Download Submit
C:\Users\Admin\AppData\Local\c15762fec1d88668b7893daae5a1a79f\Admin@KVIWLPUJ_en-US\System\Process.txt

Filesize
4KB

MD5
23a068180b67d3b75735c7dd087acd97

SHA1
576018fcfba797075d4e3eed36078144e5a2dec2

SHA256
37cbbd3fd248e849702ccc9abcc8237c2d3f3297b5b0a1009a267634eac4b413

SHA512
d2f0f2f1740ce1105c069856b4102d31d6c61aad061d01932447e155cbdea7d9fdd1f29af4dbf06a7c2f6ef61d58cd15536dead2b9db07184136b47834773a5c

Download Submit
C:\Users\Admin\AppData\Local\c15762fec1d88668b7893daae5a1a79f\Admin@KVIWLPUJ_en-US\System\Process.txt

Filesize
4KB

MD5
0839e88006c4a11e4477c6fc50925605

SHA1
e78c420fb0bee8cf797cfd4cdf1e289d463cd4bd

SHA256
a98ef6140a0da56fd54e3961e2da9bb7ecd9ef4b5ab7f199a604b84e34380310

SHA512
c6640bc6c4c7b7d1f88e8d50d72cbdd29d3fc6245e867b3d09cc972740f788df42be5abd7c5af6bc7446039e004a209e4d6bd289c06097bdc8daaf84f05772cb

Download Submit
C:\Users\Admin\AppData\Local\c15762fec1d88668b7893daae5a1a79f\Admin@KVIWLPUJ_en-US\System\Process.txt

Filesize
971B

MD5
7143da6c5da9b6e5b6ad2e42c415691a

SHA1
1cabdb71622a7b5687c14ecc0fd0531f9d896d9d

SHA256
d1a32b357fe39e7df8410dfe283b8e704b18ece75f2421330edd4bd8ac3eb884

SHA512
1a98c6374772991c40491f7ef7144f9bf4ac293a941ec171067de4e071359200398531f3b27bec0a0122fe559660eec73aff62efebe2642229d827779d119842

Download Submit
C:\Users\Admin\AppData\Local\c15762fec1d88668b7893daae5a1a79f\Admin@KVIWLPUJ_en-US\System\Process.txt

Filesize
2KB

MD5
1852e3fd24d7cf822381378d4c0980d5

SHA1
07320da409a386a0f64a6d24f44646172becde00

SHA256
5dc7092a1051c5f18423691b68f6bba699bfddb5a4756b69b5f8a9626f8ce0c1

SHA512
29ee07a435963032f2238b5dc993c9234266fc43631e2fe95040ca329a95055145325afd37db506c677d8043544f53714ca0c9c394664d602c062e5e36653d5d

Download Submit
C:\Users\Admin\AppData\Local\c15762fec1d88668b7893daae5a1a79f\Admin@KVIWLPUJ_en-US\System\Process.txt

Filesize
4KB

MD5
fb68b18f261cbbac0dfbbb395f9fab63

SHA1
6428ccd81be5868c70a9dfeebc69b0667adde896

SHA256
5d97f68fc97cbde02b23b7519d7eb4b9ca745ead0c4b70e591ac4b37bb00d2a8

SHA512
b8bb433e6a5182ad15c1da87b3da01b74fd703aea570248455ddd84dbfea33605cae29c724ba0d0623cc4f1e73bb1cf2f9dfec714b66dd6620fe0d674d1f5a77

Download Submit
C:\Users\Admin\AppData\Local\c15762fec1d88668b7893daae5a1a79f\Admin@KVIWLPUJ_en-US\System\Process.txt

Filesize
4KB

MD5
7ce0bf13677fa6c3496b9011ed9369df

SHA1
e48ddee1ba75b3dc8b53bd2287230d8455ac93f9

SHA256
a8abc02cccfe6ce20159da99d979ec90a9281baa6b89b0ac688dcb5ff8522ecf

SHA512
e9bd72253c40fa424555b9c5b1f61e94dba4ceb36b4aadb0a1a5d1eebdf8671669e9bd5505c87840b39dc0642596aa52e34eb2f00934c0c9bb8c33915e6ee7e5

Download Submit
C:\Users\Admin\AppData\Local\c15762fec1d88668b7893daae5a1a79f\Admin@KVIWLPUJ_en-US\System\Process.txt

Filesize
149B

MD5
436b0edd3148563d8c3dbd9ffab28c11

SHA1
bcdbf20865f5d75e234fadb771532d5fd9e25554

SHA256
09417affe72ecd6634ecc881f6b5caeb065e50f6618abfb2707f2c55738ff66b

SHA512
fdb34da2d6263c2934751bbd4ae2a48710320d78b330f8e367db70e062e5e16f1bc62b37094ef9ccdcae9e1fcbf1b5285134bc185f030146b35002f7711cb9af

Download Submit
C:\Users\Admin\AppData\Local\c15762fec1d88668b7893daae5a1a79f\Admin@KVIWLPUJ_en-US\System\Process.txt

Filesize
4KB

MD5
2f651b1e7b0fd3104ba04647e830ffeb

SHA1
5a249f7efb44d020daa7fe3ae3f511430ce4a5d2

SHA256
67feeeda86d2959f39cc519bb911735c98cb9e7df70b8e131e7eda6f672c8416

SHA512
bd40d02aa825d3b422295fa363321c04cd34c8d149e72628218fd369b95cbf7758254d47ba112f3684d76bce6f7c48140d8f18ca6616fbb6501a6bd2ede4d553

Download Submit
C:\Users\Admin\AppData\Local\c15762fec1d88668b7893daae5a1a79f\Admin@KVIWLPUJ_en-US\System\ScanningNetworks.txt

Filesize
168B

MD5
9f11565dd11db9fb676140e888f22313

SHA1
35ae1ce345de569db59b52ed9aee5d83fea37635

SHA256
bd652c6bfa16a30133dd622f065e53aee489e9066e81ecb883af1c3892af727d

SHA512
d70edbd84693afbdb90424b9f72a4bd4a51bd27c719506e17a58b171c251046aea23ca7228ccd8b98b47cd8eb1227bc2d90a07c4f50e8b080f9a41d253935ace

Download Submit
C:\Users\Admin\AppData\Local\ed7282cf3c7caab5b23a16ba43529fdc\Admin@KVIWLPUJ_en-US.zip

Filesize
37KB

MD5
9c9a5b68dcd98f1381cd4555735235b1

SHA1
6078d6219c67f906fbf0d9c12ebe35cc7bc168e5

SHA256
76f4f76b9ce58be9783d64e9781d4d4d04fdd066dfb2839e31003d548b59bb6e

SHA512
b8dde322285671842e2b436d68d3823b5ae327602bf3e0380445986325ac00c1305c28aca46508d5ad6f8709f7ed164c0e3daf5dcbe1a048145d524b5bafbcec

Download Submit
C:\Users\Admin\AppData\Local\ed7282cf3c7caab5b23a16ba43529fdc\Admin@KVIWLPUJ_en-US\Browsers\Edge\Cookies.txt

Filesize
1013B

MD5
1159cabe241f13d2f898acdf6f8ac234

SHA1
2bc85bf5de2f18a9a7467c05310a87e2e654dd00

SHA256
5f4a9cc25cb42916e1799bd0a8ed0db25a9a466204fa6f5fa20b0db9593a2788

SHA512
570785f4ff11fd4451a16b217bdae6e26fa0361284cb96fa1197e3e3f885d69c76c8efaeade1deac74ab0c2b32f0045cbac582f3b740f776279fa262f3d116bd

Download Submit
C:\Users\Admin\AppData\Local\ed7282cf3c7caab5b23a16ba43529fdc\Admin@KVIWLPUJ_en-US\Directories\Temp.txt

Filesize
17KB

MD5
2f302f779f1ab62f08a9b18420c5aa28

SHA1
1c7a1307c2fd266189fd40fe3ad9a5212449077a

SHA256
2b5bd5a15621c1bc6129120b523eba086cd810e9400c838877508095730e6c9f

SHA512
fa586853c505d6920e97bfc7e02dbccf8b77f2a0e94c309efd646f3af4ad161cdcaa708d5786ab80d892ec4f9683236a50b7430d31a90eeb904341f97d5c0f44

Download Submit
C:\Users\Admin\AppData\Local\ed7282cf3c7caab5b23a16ba43529fdc\Admin@KVIWLPUJ_en-US\System\Process.txt

Filesize
4KB

MD5
e368a8e26cabc548e7250e6b7f1b3119

SHA1
3b50c067a28e1a893fcce47d996fd2cfdcd41d94

SHA256
45d3b06e9eced1794dcaa336d950144b6d4ded569aaee383d1e4ea53ba22cff3

SHA512
fe6ae67240c028f8e3c76bdf7826276d6207fdb31db240954b926a7cf6c22dd641f51ddf8d842a17f4df63f1bfb23f68dbc3f9afbd8837dca5ba0b65d933d3a9

Download Submit
C:\Users\Admin\AppData\Local\ed7282cf3c7caab5b23a16ba43529fdc\Admin@KVIWLPUJ_en-US\System\Process.txt

Filesize
2KB

MD5
5ccac50727a49558df03c1a6d5df8687

SHA1
c0b6456a453ed28c033a4057e468cd974d6bb0ba

SHA256
be201eb43d852e974f38060e5c484e625438034b161d2d987d1fc13b95f6cb5d

SHA512
c343c71fcd0e0a1c580f40d69a44b667c8771c5aee5561c4eb5854ab7aba232e5bccaa96fcf5003e1811e285808ff5e6c28856f3a67606559f4b1c61ea1983e0

Download Submit
C:\Users\Admin\AppData\Local\ed7282cf3c7caab5b23a16ba43529fdc\Admin@KVIWLPUJ_en-US\System\Process.txt

Filesize
2KB

MD5
9afe340623ee78643e60e1901b88a462

SHA1
328ed4ea032a7e27c0c1b6c0371053570c44c304

SHA256
bb53d05ccb4a6e1e31006f5f274a8851a1fec0b5a855f413079426411cb2cd6d

SHA512
9fc04301b9404bb0d994f9bac8dae5670abb5fafc55beef4fbd81e1a413adb0f788d37105dae753eeb30d0cc0549179309304b1220b912005028514e9a989c9a

Download Submit
C:\Users\Admin\AppData\Local\ed7282cf3c7caab5b23a16ba43529fdc\Admin@KVIWLPUJ_en-US\System\Process.txt

Filesize
494B

MD5
4925abce5897d3d4e89cf635e2caa5ff

SHA1
0bf5e769249ea47ca27eb1854b5c2f915497c419

SHA256
784ab8dc59e67c8fffc608548d7d17e8624a43acf835241a71dcfbb1dbd08b21

SHA512
b7e9884a26d57a6dd168ba48fcc79f66906f498df071acc482b7a223953a281753f22bad6331ee30c04b224b6fb7fe69ef3809613a89713d2cd382a1f8c28b46

Download Submit
C:\Users\Admin\AppData\Local\ed7282cf3c7caab5b23a16ba43529fdc\Admin@KVIWLPUJ_en-US\System\Process.txt

Filesize
4KB

MD5
601ae7ced0a12e1667a89faa5f88444b

SHA1
9ce0941306b9e140f387ee862047b37bee7c8aac

SHA256
48daf787a70f355d61ec1a9311413b8d99d4b94f7ef74335e451982b32600b87

SHA512
ba740be1b351f99a8ef9404ed2d69c12d17471cd6b74e0cab2e0e18932bab9fc11079733c3f5df8027dd2046a3c914031b53734722555b731950d031033684f0

Download Submit
C:\Users\Admin\AppData\Local\fc7cdc24b837ca3d660e8a7c947b53b5\Admin@KVIWLPUJ_en-US\Browsers\Edge\Cookies.txt

Filesize
5KB

MD5
89ffdb57373bc610fb3fc939791fe17a

SHA1
cd401f64f1ba64cc01362e57683752d4fae4bf95

SHA256
3111b01550442890996897a421935f4f7b0333af6ac9366425c9e1dfa8817033

SHA512
83769de7d96ec36caa130fd0492c22a200c4af08f53a3a11832ed1c4332e68ae66f39099fe724d473a290b0ce39b7b70353700021a2721223ff3261599996fb8

Download Submit
C:\Users\Admin\AppData\Local\fc7cdc24b837ca3d660e8a7c947b53b5\Admin@KVIWLPUJ_en-US\Browsers\Edge\History.txt

Filesize
625B

MD5
a8a8ff63d5247f28498661d31973f93c

SHA1
7ac011f2bbeab251541f2ab93984f9c44bed4d29

SHA256
af0c66f046a833a683b003e625206e9fb7f7809db9f32173cb33936b24b79f17

SHA512
d93c5b886ff9afcc83b052b277aa4c1ff4b135c262c79f1570a0203db746b0c14591b5c23d00b05610a33d59f77f0702eed1b3e43c4455cb6c96fb38b5472e9e

Download Submit
C:\Users\Admin\AppData\Local\fc7cdc24b837ca3d660e8a7c947b53b5\Admin@KVIWLPUJ_en-US\System\Process.txt

Filesize
4KB

MD5
114c76f094fd1c8004c18dcf035db43d

SHA1
31181f1eebeaa0af88a67ce3dd4fae2d4b93582f

SHA256
97a9ba4cacdb8d8e7e39d4b9f7ca33d0eb5088aadbdfac088c7763da9e5f282a

SHA512
5d4ffef30a6bbb06c0eb88ab5acaeee8e5eedec5f391665a633143eb1b54493110f741692e6848e605659354925f3285af2d9f8f7429ffd6d50c81cb686a4381

Download Submit
C:\Users\Admin\AppData\Local\fc7cdc24b837ca3d660e8a7c947b53b5\Admin@KVIWLPUJ_en-US\System\Process.txt

Filesize
64B

MD5
522712e02c62be11fc8bc6fd67af67d7

SHA1
ec25c07818ad6edb2e8b8b09d4d1f7648d273732

SHA256
b7795e060f49a415775cc3f056f7aad7e469ca536cd8cbd2ce8d9779af903abe

SHA512
e4a933aab8e9654c05cf909ef90680ae91a370a28f05469738178b0627d40197cf9226a56225bd2d2ba2cd227746601f1ef3217b4dc6220adfcc15b4107f6932

Download Submit
C:\Users\Admin\AppData\Local\fc7cdc24b837ca3d660e8a7c947b53b5\Admin@KVIWLPUJ_en-US\System\Process.txt

Filesize
135B

MD5
0fd80e20951bd7670f6ff2a1474539a0

SHA1
ef43dd36454db4977fcae716453a366ec0d5033f

SHA256
6515ca80f7bfc5338311dcdd437b6f9c87969877d6c9d543162f82a232a708dd

SHA512
cc8c4fc3a8c30456af22878d6f6a4bee2c21f54ff6166e71866e237832937ffd29707d3e4c8454d07bbfd98f1fe4385689e51f54867d1c9a2adb4607cd26bdcf

Download Submit
C:\Users\Admin\AppData\Local\fc7cdc24b837ca3d660e8a7c947b53b5\Admin@KVIWLPUJ_en-US\System\Process.txt

Filesize
149B

MD5
bc824ba260a1d79e3eede06889d71fd2

SHA1
c5e0bd4a8706f662c1c5a735749121d3868cce0f

SHA256
a5bcd3d4f23b576fbb9a79e566e5aeeba2d08285647bb12194c28e40a880d34e

SHA512
c667ccdbcef782aa5acc0e956fd505a8b11746f677dc95417932e3fb13757ee928e639912d969a6c4555f199513588a359d590f8bc8f3d575f28e3aeca19e789

Download Submit
C:\Users\Admin\AppData\Local\fc7cdc24b837ca3d660e8a7c947b53b5\Admin@KVIWLPUJ_en-US\System\Process.txt

Filesize
4KB

MD5
11ab7cf651a85b2321a87380217b4e5c

SHA1
641d6b8b8864470767055c99bb3eef8ccc94da6d

SHA256
c22a1fb9e4dc065eb480a0d526dfe532bae64ae0201e8600ae6ccde752a373c3

SHA512
8028ed2efc18e0a87aa45fb434c28a68a50c7218b71a20dda5fe6ee7bcd26289dc1ad562bb84d8c187251936994e0065607b20929c9a90d473cdbe2530d924e0

Download Submit
C:\Users\Admin\AppData\Local\fc7cdc24b837ca3d660e8a7c947b53b5\Admin@KVIWLPUJ_en-US\System\Process.txt

Filesize
4KB

MD5
136c9216d4e183843e3577d0377ce7f9

SHA1
61304830e799c86a3c6e049c1c67ec0c407b9ccb

SHA256
d6fa7e28944aabb86dfeae65c254d7a0dba701a07e2858cd110c11d23d9f086b

SHA512
7f2a0be32bdfdbd5196ffa3e4e1154a467ee0120e9ee056d159074d16dbe014f8ab6901eb833cfe60c3a594ada638528240a8f2aeac57c89c5d8bc04479b0473

Download Submit
C:\Users\Admin\AppData\Local\fc7cdc24b837ca3d660e8a7c947b53b5\Admin@KVIWLPUJ_en-US\System\ScanningNetworks.txt

Filesize
372B

MD5
d16c9de7c92bb82d6146da459bc5dcea

SHA1
e95191321db7ca94aa245b67cfc0c3bdd5747973

SHA256
5fd760e5b0a4dd73916e1c3a618c4c36e2fb516bccedb9f36dca75232950abaf

SHA512
09a7528f7a2c8e44eebae86fbc387169e07586c885cadbe546525195cde8a8da7314d3cb9e099639bdbdd3a6dd08823b1fc3b76dec37bb5fbc10724f9198febf

Download Submit
C:\Users\Admin\AppData\Local\fc7cdc24b837ca3d660e8a7c947b53b5\msgid.dat

Filesize
1B

MD5
cfcd208495d565ef66e7dff9f98764da

SHA1
b6589fc6ab0dc82cf12099d1c2d40ab994e8410c

SHA256
5feceb66ffc86f38d952786c6d696c79c2dbc239dd4e91b46729d73a27fb57e9

SHA512
31bca02094eb78126a517b206a88c73cfa9ec6f704c7030d18212cace820f025f00bf0ea68dbf3f3a5436ca63b53bf7bf80ad8d5de7d8359d0b7fed9dbc3ab99

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Spelling\en-US\default.dic

Filesize
2B

MD5
f3b25701fe362ec84616a93a45ce9998

SHA1
d62636d8caec13f04e28442a0a6fa1afeb024bbb

SHA256
b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209

SHA512
98c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84

Download Submit
memory/2700-17-0x00007FF8FF0F0000-0x00007FF8FFBB1000-memory.dmp

Filesize
10.8MB

Download
memory/2700-32-0x00007FF8FF0F0000-0x00007FF8FFBB1000-memory.dmp

Filesize
10.8MB

Download
memory/3344-21-0x0000000005F20000-0x0000000005FB2000-memory.dmp

Filesize
584KB

Download
memory/3344-20-0x00000000063D0000-0x0000000006974000-memory.dmp

Filesize
5.6MB

Download
memory/3344-18-0x0000000000F10000-0x0000000000F68000-memory.dmp

Filesize
352KB

Download
memory/3344-19-0x000000007493E000-0x000000007493F000-memory.dmp

Filesize
4KB

Download
memory/3344-22-0x0000000005ED0000-0x0000000005F1A000-memory.dmp

Filesize
296KB

Download
memory/3344-23-0x00000000060D0000-0x000000000616C000-memory.dmp

Filesize
624KB

Download
memory/3344-24-0x0000000006050000-0x000000000605A000-memory.dmp

Filesize
40KB

Download
memory/3540-1484-0x0000000006D40000-0x0000000006D52000-memory.dmp

Filesize
72KB

Download
memory/3540-36-0x0000000005E00000-0x0000000005E66000-memory.dmp

Filesize
408KB

Download
memory/3540-1262-0x0000000006420000-0x000000000642A000-memory.dmp

Filesize
40KB

Download
memory/3540-25-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/3664-225-0x000000001B8A0000-0x000000001BA49000-memory.dmp

Filesize
1.7MB

Download
memory/4252-16-0x00007FF8FF0F0000-0x00007FF8FFBB1000-memory.dmp

Filesize
10.8MB

Download
memory/4252-0-0x00007FF8FF0F3000-0x00007FF8FF0F5000-memory.dmp

Filesize
8KB

Download
memory/4252-3-0x00007FF8FF0F0000-0x00007FF8FFBB1000-memory.dmp

Filesize
10.8MB

Download
memory/4252-1-0x0000000000600000-0x000000000065C000-memory.dmp

Filesize
368KB

Download