asyncrat | 9d9a79f4ae9bf7a992945f6c06c5bec642c05e4e828217c50255dabfa3677006

max time kernel
390s
max time network
974s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
30-09-2024 20:26

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

RebelCracked.exe
Size

344KB
MD5

a84fd0fc75b9c761e9b7923a08da41c7
SHA1

2597048612041cd7a8c95002c73e9c2818bb2097
SHA256

9d9a79f4ae9bf7a992945f6c06c5bec642c05e4e828217c50255dabfa3677006
SHA512

a17f1144a0e3ce07c7ed6891987c5b969f291e9991442c33750028d35e2194794e8a649c397e8afc9f8ce19d485c453600c75cab4fcead09e38414d85819251a
SSDEEP

6144:lOcpeK8lucxAtLNFHUVuI/2zj1z6jZ755NofmWx4PCQL23wBw7R0ljTwrVuAdJKp:QcpSnx0LNFDQ60Ntbo5d7gBw7R7rbdJk

Score

10^/10

asyncrat stormkitty default discovery persistence privilege_escalation rat spyware stealer

Malware Config

Extracted

Family

asyncrat

Botnet

Default

127.0.0.1:6606

127.0.0.1:7707

127.0.0.1:8808

Mutex

AsyncMutex_6SI8OkPnk

Attributes

delay
3
install
false
install_folder
%AppData%

aes.plain

Signatures

AsyncRat
AsyncRAT is designed to remotely monitor and control other computers written in C#.
rat asyncrat
StormKitty
StormKitty is an open source info stealer written in C#.
stealer stormkitty

StormKitty payload 1 IoCs

resource	yara_rule
behavioral2/memory/4692-25-0x0000000000400000-0x0000000000432000-memory.dmp	family_stormkitty

Blocklisted process makes network request 12 IoCs

flow	pid	Process
151	2664	RuntimeBroker.exe
152	2664	RuntimeBroker.exe
153	2664	RuntimeBroker.exe
159	2664	RuntimeBroker.exe
161	2664	RuntimeBroker.exe
162	2664	RuntimeBroker.exe
604	8016	RuntimeBroker.exe
605	8016	RuntimeBroker.exe
606	8016	RuntimeBroker.exe
607	8016	RuntimeBroker.exe
610	8016	RuntimeBroker.exe
611	8016	RuntimeBroker.exe

Checks computer location settings 2 TTPs 64 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\Control Panel\International\Geo\Nation	RebelCracked.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\Control Panel\International\Geo\Nation	RebelCracked.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\Control Panel\International\Geo\Nation	Process not Found
Key value queried	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\Control Panel\International\Geo\Nation	RebelCracked.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\Control Panel\International\Geo\Nation	RebelCracked.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\Control Panel\International\Geo\Nation	RebelCracked.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\Control Panel\International\Geo\Nation	RebelCracked.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\Control Panel\International\Geo\Nation	RebelCracked.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\Control Panel\International\Geo\Nation	Process not Found
Key value queried	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\Control Panel\International\Geo\Nation	Process not Found
Key value queried	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\Control Panel\International\Geo\Nation	Process not Found
Key value queried	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\Control Panel\International\Geo\Nation	RebelCracked.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\Control Panel\International\Geo\Nation	RebelCracked.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\Control Panel\International\Geo\Nation	RebelCracked.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\Control Panel\International\Geo\Nation	RebelCracked.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\Control Panel\International\Geo\Nation	RebelCracked.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\Control Panel\International\Geo\Nation	RebelCracked.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\Control Panel\International\Geo\Nation	RebelCracked.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\Control Panel\International\Geo\Nation	RebelCracked.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\Control Panel\International\Geo\Nation	RebelCracked.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\Control Panel\International\Geo\Nation	RebelCracked.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\Control Panel\International\Geo\Nation	Process not Found
Key value queried	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\Control Panel\International\Geo\Nation	RebelCracked.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\Control Panel\International\Geo\Nation	RebelCracked.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\Control Panel\International\Geo\Nation	RebelCracked.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\Control Panel\International\Geo\Nation	RebelCracked.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\Control Panel\International\Geo\Nation	Process not Found
Key value queried	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\Control Panel\International\Geo\Nation	RebelCracked.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\Control Panel\International\Geo\Nation	RebelCracked.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\Control Panel\International\Geo\Nation	Process not Found
Key value queried	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\Control Panel\International\Geo\Nation	Process not Found
Key value queried	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\Control Panel\International\Geo\Nation	RebelCracked.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\Control Panel\International\Geo\Nation	RebelCracked.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\Control Panel\International\Geo\Nation	Process not Found
Key value queried	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\Control Panel\International\Geo\Nation	RebelCracked.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\Control Panel\International\Geo\Nation	RebelCracked.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\Control Panel\International\Geo\Nation	Process not Found
Key value queried	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\Control Panel\International\Geo\Nation	Process not Found
Key value queried	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\Control Panel\International\Geo\Nation	RebelCracked.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\Control Panel\International\Geo\Nation	RebelCracked.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\Control Panel\International\Geo\Nation	RebelCracked.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\Control Panel\International\Geo\Nation	RebelCracked.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\Control Panel\International\Geo\Nation	Process not Found
Key value queried	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\Control Panel\International\Geo\Nation	Process not Found
Key value queried	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\Control Panel\International\Geo\Nation	Process not Found
Key value queried	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\Control Panel\International\Geo\Nation	Process not Found
Key value queried	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\Control Panel\International\Geo\Nation	RebelCracked.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\Control Panel\International\Geo\Nation	RebelCracked.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\Control Panel\International\Geo\Nation	RebelCracked.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\Control Panel\International\Geo\Nation	RebelCracked.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\Control Panel\International\Geo\Nation	RebelCracked.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\Control Panel\International\Geo\Nation	RebelCracked.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\Control Panel\International\Geo\Nation	RebelCracked.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\Control Panel\International\Geo\Nation	Process not Found
Key value queried	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\Control Panel\International\Geo\Nation	Process not Found
Key value queried	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\Control Panel\International\Geo\Nation	Process not Found
Key value queried	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\Control Panel\International\Geo\Nation	RebelCracked.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\Control Panel\International\Geo\Nation	RebelCracked.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\Control Panel\International\Geo\Nation	Process not Found
Key value queried	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\Control Panel\International\Geo\Nation	RebelCracked.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\Control Panel\International\Geo\Nation	RebelCracked.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\Control Panel\International\Geo\Nation	RebelCracked.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\Control Panel\International\Geo\Nation	RebelCracked.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\Control Panel\International\Geo\Nation	RebelCracked.exe

Executes dropped EXE 64 IoCs

pid	Process
988	RuntimeBroker.exe
4692	RuntimeBroker.exe
3064	RuntimeBroker.exe
4856	RuntimeBroker.exe
856	RuntimeBroker.exe
3480	RuntimeBroker.exe
3272	RuntimeBroker.exe
2672	RuntimeBroker.exe
4312	RuntimeBroker.exe
1288	RuntimeBroker.exe
3548	RuntimeBroker.exe
2612	RuntimeBroker.exe
3768	RuntimeBroker.exe
1496	RuntimeBroker.exe
2080	RuntimeBroker.exe
1248	RuntimeBroker.exe
2536	RuntimeBroker.exe
808	RuntimeBroker.exe
5500	RuntimeBroker.exe
5580	RuntimeBroker.exe
5180	RuntimeBroker.exe
5304	RuntimeBroker.exe
6140	RuntimeBroker.exe
2352	RuntimeBroker.exe
5644	RuntimeBroker.exe
6140	RuntimeBroker.exe
5996	RuntimeBroker.exe
5796	RuntimeBroker.exe
4356	RuntimeBroker.exe
5956	RuntimeBroker.exe
5552	RuntimeBroker.exe
5676	RuntimeBroker.exe
5924	RuntimeBroker.exe
2664	RuntimeBroker.exe
5812	RuntimeBroker.exe
6084	RuntimeBroker.exe
1840	RuntimeBroker.exe
5984	RuntimeBroker.exe
2824	RuntimeBroker.exe
3080	RuntimeBroker.exe
1244	RuntimeBroker.exe
3444	RuntimeBroker.exe
2808	RuntimeBroker.exe
4896	RuntimeBroker.exe
4964	RuntimeBroker.exe
1496	RuntimeBroker.exe
6044	RuntimeBroker.exe
5812	RuntimeBroker.exe
3004	RuntimeBroker.exe
5636	RuntimeBroker.exe
3992	RuntimeBroker.exe
6068	RuntimeBroker.exe
5328	RuntimeBroker.exe
5224	RuntimeBroker.exe
4376	RuntimeBroker.exe
4172	RuntimeBroker.exe
3416	RuntimeBroker.exe
5440	RuntimeBroker.exe
3452	RuntimeBroker.exe
4556	RuntimeBroker.exe
5428	RuntimeBroker.exe
6096	RuntimeBroker.exe
5520	RuntimeBroker.exe
1228	RuntimeBroker.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Drops desktop.ini file(s) 64 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Local\8fb59d67cfe559e22530d7f5a0ec92bd\Admin@ERHQJVYQ_en-US\Grabber\DRIVE-C\Users\Admin\Desktop\desktop.ini	Process not Found
File created	C:\Users\Admin\AppData\Local\df4a22ee210f0651e0f96cfed7d44fe6\Admin@ERHQJVYQ_en-US\Grabber\DRIVE-C\Users\Admin\Pictures\Camera Roll\desktop.ini	RuntimeBroker.exe
File created	C:\Users\Admin\AppData\Local\9ebcbf67b2297a4a6bc4feb069231747\Admin@ERHQJVYQ_en-US\Grabber\DRIVE-C\Users\Admin\Desktop\desktop.ini	RuntimeBroker.exe
File opened for modification	C:\Users\Admin\AppData\Local\a88f79e67bdd207514f04badd41e2959\Admin@ERHQJVYQ_en-US\Grabber\DRIVE-C\Users\Admin\Desktop\desktop.ini	Process not Found
File created	C:\Users\Admin\AppData\Local\656d76ece5ee2f4e0f454a346b44ba43\Admin@ERHQJVYQ_en-US\Grabber\DRIVE-C\Users\Admin\Pictures\desktop.ini	RuntimeBroker.exe
File created	C:\Users\Admin\AppData\Local\a88f79e67bdd207514f04badd41e2959\Admin@ERHQJVYQ_en-US\Grabber\DRIVE-C\Users\Admin\Desktop\desktop.ini	RuntimeBroker.exe
File created	C:\Users\Admin\AppData\Local\b7518339e437082f220ef3d4b601feb9\Admin@ERHQJVYQ_en-US\Grabber\DRIVE-C\Users\Admin\Desktop\desktop.ini	RuntimeBroker.exe
File created	C:\Users\Admin\AppData\Local\9ebcbf67b2297a4a6bc4feb069231747\Admin@ERHQJVYQ_en-US\Grabber\DRIVE-C\Users\Admin\Downloads\desktop.ini	Process not Found
File created	C:\Users\Admin\AppData\Local\df4a22ee210f0651e0f96cfed7d44fe6\Admin@ERHQJVYQ_en-US\Grabber\DRIVE-C\Users\Admin\Documents\desktop.ini	RuntimeBroker.exe
File created	C:\Users\Admin\AppData\Local\8fb59d67cfe559e22530d7f5a0ec92bd\Admin@ERHQJVYQ_en-US\Grabber\DRIVE-C\Users\Admin\Pictures\Camera Roll\desktop.ini	RuntimeBroker.exe
File opened for modification	C:\Users\Admin\AppData\Local\7d4e116d7913a9dab7bf3ab58c16012d\Admin@ERHQJVYQ_en-US\Grabber\DRIVE-C\Users\Admin\Desktop\desktop.ini	RuntimeBroker.exe
File created	C:\Users\Admin\AppData\Local\f264d17220d4bb49ec07eb0a702c8273\Admin@ERHQJVYQ_en-US\Grabber\DRIVE-C\Users\Admin\Pictures\Camera Roll\desktop.ini	RuntimeBroker.exe
File created	C:\Users\Admin\AppData\Local\b7518339e437082f220ef3d4b601feb9\Admin@ERHQJVYQ_en-US\Grabber\DRIVE-C\Users\Admin\Pictures\desktop.ini	RuntimeBroker.exe
File created	C:\Users\Admin\AppData\Local\4e8f4bb1f0fee8e2bec7a290e55c4f71\Admin@ERHQJVYQ_en-US\Grabber\DRIVE-C\Users\Admin\Documents\desktop.ini	Process not Found
File opened for modification	C:\Users\Admin\AppData\Local\4e8f4bb1f0fee8e2bec7a290e55c4f71\Admin@ERHQJVYQ_en-US\Grabber\DRIVE-C\Users\Admin\Desktop\desktop.ini	RuntimeBroker.exe
File opened for modification	C:\Users\Admin\AppData\Local\df4a22ee210f0651e0f96cfed7d44fe6\Admin@ERHQJVYQ_en-US\Grabber\DRIVE-C\Users\Admin\Desktop\desktop.ini	RuntimeBroker.exe
File created	C:\Users\Admin\AppData\Local\4e8f4bb1f0fee8e2bec7a290e55c4f71\Admin@ERHQJVYQ_en-US\Grabber\DRIVE-C\Users\Admin\Desktop\desktop.ini	Process not Found
File opened for modification	C:\Users\Admin\AppData\Local\f264d17220d4bb49ec07eb0a702c8273\Admin@ERHQJVYQ_en-US\Grabber\DRIVE-C\Users\Admin\Desktop\desktop.ini	Process not Found
File created	C:\Users\Admin\AppData\Local\7d4e116d7913a9dab7bf3ab58c16012d\Admin@ERHQJVYQ_en-US\Grabber\DRIVE-C\Users\Admin\Pictures\Saved Pictures\desktop.ini	RuntimeBroker.exe
File created	C:\Users\Admin\AppData\Local\f264d17220d4bb49ec07eb0a702c8273\Admin@ERHQJVYQ_en-US\Grabber\DRIVE-C\Users\Admin\Pictures\desktop.ini	RuntimeBroker.exe
File created	C:\Users\Admin\AppData\Local\9ebcbf67b2297a4a6bc4feb069231747\Admin@ERHQJVYQ_en-US\Grabber\DRIVE-C\Users\Admin\Documents\desktop.ini	Process not Found
File created	C:\Users\Admin\AppData\Local\7d4e116d7913a9dab7bf3ab58c16012d\Admin@ERHQJVYQ_en-US\Grabber\DRIVE-C\Users\Admin\Documents\desktop.ini	Process not Found
File created	C:\Users\Admin\AppData\Local\f264d17220d4bb49ec07eb0a702c8273\Admin@ERHQJVYQ_en-US\Grabber\DRIVE-C\Users\Admin\Downloads\desktop.ini	RuntimeBroker.exe
File created	C:\Users\Admin\AppData\Local\656d76ece5ee2f4e0f454a346b44ba43\Admin@ERHQJVYQ_en-US\Grabber\DRIVE-C\Users\Admin\Documents\desktop.ini	RuntimeBroker.exe
File created	C:\Users\Admin\AppData\Local\7d4e116d7913a9dab7bf3ab58c16012d\Admin@ERHQJVYQ_en-US\Grabber\DRIVE-C\Users\Admin\Pictures\Saved Pictures\desktop.ini	RuntimeBroker.exe
File opened for modification	C:\Users\Admin\AppData\Local\4e8f4bb1f0fee8e2bec7a290e55c4f71\Admin@ERHQJVYQ_en-US\Grabber\DRIVE-C\Users\Admin\Desktop\desktop.ini	RuntimeBroker.exe
File created	C:\Users\Admin\AppData\Local\f264d17220d4bb49ec07eb0a702c8273\Admin@ERHQJVYQ_en-US\Grabber\DRIVE-C\Users\Admin\Pictures\Camera Roll\desktop.ini	RuntimeBroker.exe
File created	C:\Users\Admin\AppData\Local\9ebcbf67b2297a4a6bc4feb069231747\Admin@ERHQJVYQ_en-US\Grabber\DRIVE-C\Users\Admin\Pictures\Saved Pictures\desktop.ini	RuntimeBroker.exe
File created	C:\Users\Admin\AppData\Local\4e8f4bb1f0fee8e2bec7a290e55c4f71\Admin@ERHQJVYQ_en-US\Grabber\DRIVE-C\Users\Admin\Downloads\desktop.ini	RuntimeBroker.exe
File created	C:\Users\Admin\AppData\Local\a88f79e67bdd207514f04badd41e2959\Admin@ERHQJVYQ_en-US\Grabber\DRIVE-C\Users\Admin\Pictures\Saved Pictures\desktop.ini	RuntimeBroker.exe
File created	C:\Users\Admin\AppData\Local\656d76ece5ee2f4e0f454a346b44ba43\Admin@ERHQJVYQ_en-US\Grabber\DRIVE-C\Users\Admin\Documents\desktop.ini	RuntimeBroker.exe
File created	C:\Users\Admin\AppData\Local\b7518339e437082f220ef3d4b601feb9\Admin@ERHQJVYQ_en-US\Grabber\DRIVE-C\Users\Admin\Pictures\Saved Pictures\desktop.ini	RuntimeBroker.exe
File created	C:\Users\Admin\AppData\Local\656d76ece5ee2f4e0f454a346b44ba43\Admin@ERHQJVYQ_en-US\Grabber\DRIVE-C\Users\Admin\Pictures\desktop.ini	RuntimeBroker.exe
File created	C:\Users\Admin\AppData\Local\f264d17220d4bb49ec07eb0a702c8273\Admin@ERHQJVYQ_en-US\Grabber\DRIVE-C\Users\Admin\Pictures\Saved Pictures\desktop.ini	RuntimeBroker.exe
File created	C:\Users\Admin\AppData\Local\7d4e116d7913a9dab7bf3ab58c16012d\Admin@ERHQJVYQ_en-US\Grabber\DRIVE-C\Users\Admin\Downloads\desktop.ini	Process not Found
File created	C:\Users\Admin\AppData\Local\7d4e116d7913a9dab7bf3ab58c16012d\Admin@ERHQJVYQ_en-US\Grabber\DRIVE-C\Users\Admin\Documents\desktop.ini	RuntimeBroker.exe
File created	C:\Users\Admin\AppData\Local\8fb59d67cfe559e22530d7f5a0ec92bd\Admin@ERHQJVYQ_en-US\Grabber\DRIVE-C\Users\Admin\Downloads\desktop.ini	RuntimeBroker.exe
File created	C:\Users\Admin\AppData\Local\df4a22ee210f0651e0f96cfed7d44fe6\Admin@ERHQJVYQ_en-US\Grabber\DRIVE-C\Users\Admin\Pictures\Saved Pictures\desktop.ini	RuntimeBroker.exe
File created	C:\Users\Admin\AppData\Local\f264d17220d4bb49ec07eb0a702c8273\Admin@ERHQJVYQ_en-US\Grabber\DRIVE-C\Users\Admin\Downloads\desktop.ini	Process not Found
File created	C:\Users\Admin\AppData\Local\656d76ece5ee2f4e0f454a346b44ba43\Admin@ERHQJVYQ_en-US\Grabber\DRIVE-C\Users\Admin\Downloads\desktop.ini	RuntimeBroker.exe
File created	C:\Users\Admin\AppData\Local\8fb59d67cfe559e22530d7f5a0ec92bd\Admin@ERHQJVYQ_en-US\Grabber\DRIVE-C\Users\Admin\Documents\desktop.ini	RuntimeBroker.exe
File created	C:\Users\Admin\AppData\Local\7b09d57dff625c59e41b5d8cc41e4ef2\Admin@ERHQJVYQ_en-US\Grabber\DRIVE-C\Users\Admin\Pictures\Camera Roll\desktop.ini	RuntimeBroker.exe
File created	C:\Users\Admin\AppData\Local\b7518339e437082f220ef3d4b601feb9\Admin@ERHQJVYQ_en-US\Grabber\DRIVE-C\Users\Admin\Downloads\desktop.ini	Process not Found
File created	C:\Users\Admin\AppData\Local\8fb59d67cfe559e22530d7f5a0ec92bd\Admin@ERHQJVYQ_en-US\Grabber\DRIVE-C\Users\Admin\Pictures\Saved Pictures\desktop.ini	RuntimeBroker.exe
File opened for modification	C:\Users\Admin\AppData\Local\a88f79e67bdd207514f04badd41e2959\Admin@ERHQJVYQ_en-US\Grabber\DRIVE-C\Users\Admin\Desktop\desktop.ini	Process not Found
File opened for modification	C:\Users\Admin\AppData\Local\f264d17220d4bb49ec07eb0a702c8273\Admin@ERHQJVYQ_en-US\Grabber\DRIVE-C\Users\Admin\Desktop\desktop.ini	Process not Found
File opened for modification	C:\Users\Admin\AppData\Local\a88f79e67bdd207514f04badd41e2959\Admin@ERHQJVYQ_en-US\Grabber\DRIVE-C\Users\Admin\Desktop\desktop.ini	RuntimeBroker.exe
File created	C:\Users\Admin\AppData\Local\b7518339e437082f220ef3d4b601feb9\Admin@ERHQJVYQ_en-US\Grabber\DRIVE-C\Users\Admin\Documents\desktop.ini	RuntimeBroker.exe
File created	C:\Users\Admin\AppData\Local\df4a22ee210f0651e0f96cfed7d44fe6\Admin@ERHQJVYQ_en-US\Grabber\DRIVE-C\Users\Admin\Pictures\Camera Roll\desktop.ini	RuntimeBroker.exe
File created	C:\Users\Admin\AppData\Local\a88f79e67bdd207514f04badd41e2959\Admin@ERHQJVYQ_en-US\Grabber\DRIVE-C\Users\Admin\Downloads\desktop.ini	RuntimeBroker.exe
File created	C:\Users\Admin\AppData\Local\b7518339e437082f220ef3d4b601feb9\Admin@ERHQJVYQ_en-US\Grabber\DRIVE-C\Users\Admin\Pictures\Camera Roll\desktop.ini	RuntimeBroker.exe
File created	C:\Users\Admin\AppData\Local\656d76ece5ee2f4e0f454a346b44ba43\Admin@ERHQJVYQ_en-US\Grabber\DRIVE-C\Users\Admin\Desktop\desktop.ini	RuntimeBroker.exe
File created	C:\Users\Admin\AppData\Local\df4a22ee210f0651e0f96cfed7d44fe6\Admin@ERHQJVYQ_en-US\Grabber\DRIVE-C\Users\Admin\Pictures\Saved Pictures\desktop.ini	RuntimeBroker.exe
File created	C:\Users\Admin\AppData\Local\7d4e116d7913a9dab7bf3ab58c16012d\Admin@ERHQJVYQ_en-US\Grabber\DRIVE-C\Users\Admin\Pictures\Camera Roll\desktop.ini	Process not Found
File created	C:\Users\Admin\AppData\Local\7d4e116d7913a9dab7bf3ab58c16012d\Admin@ERHQJVYQ_en-US\Grabber\DRIVE-C\Users\Admin\Pictures\desktop.ini	RuntimeBroker.exe
File created	C:\Users\Admin\AppData\Local\9ebcbf67b2297a4a6bc4feb069231747\Admin@ERHQJVYQ_en-US\Grabber\DRIVE-C\Users\Admin\Documents\desktop.ini	Process not Found
File created	C:\Users\Admin\AppData\Local\8fb59d67cfe559e22530d7f5a0ec92bd\Admin@ERHQJVYQ_en-US\Grabber\DRIVE-C\Users\Admin\Desktop\desktop.ini	RuntimeBroker.exe
File created	C:\Users\Admin\AppData\Local\656d76ece5ee2f4e0f454a346b44ba43\Admin@ERHQJVYQ_en-US\Grabber\DRIVE-C\Users\Admin\Pictures\Camera Roll\desktop.ini	RuntimeBroker.exe
File created	C:\Users\Admin\AppData\Local\b7518339e437082f220ef3d4b601feb9\Admin@ERHQJVYQ_en-US\Grabber\DRIVE-C\Users\Admin\Downloads\desktop.ini	RuntimeBroker.exe
File opened for modification	C:\Users\Admin\AppData\Local\8fb59d67cfe559e22530d7f5a0ec92bd\Admin@ERHQJVYQ_en-US\Grabber\DRIVE-C\Users\Admin\Desktop\desktop.ini	RuntimeBroker.exe
File created	C:\Users\Admin\AppData\Local\a88f79e67bdd207514f04badd41e2959\Admin@ERHQJVYQ_en-US\Grabber\DRIVE-C\Users\Admin\Pictures\desktop.ini	RuntimeBroker.exe
File created	C:\Users\Admin\AppData\Local\a88f79e67bdd207514f04badd41e2959\Admin@ERHQJVYQ_en-US\Grabber\DRIVE-C\Users\Admin\Desktop\desktop.ini	Process not Found
File created	C:\Users\Admin\AppData\Local\a88f79e67bdd207514f04badd41e2959\Admin@ERHQJVYQ_en-US\Grabber\DRIVE-C\Users\Admin\Pictures\Camera Roll\desktop.ini	RuntimeBroker.exe
File created	C:\Users\Admin\AppData\Local\8fb59d67cfe559e22530d7f5a0ec92bd\Admin@ERHQJVYQ_en-US\Grabber\DRIVE-C\Users\Admin\Pictures\desktop.ini	RuntimeBroker.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 64 IoCs

Web Service

T1102

flow	ioc
79	pastebin.com
359	pastebin.com
387	pastebin.com
610	pastebin.com
196	pastebin.com
574	pastebin.com
755	pastebin.com
178	pastebin.com
466	pastebin.com
344	pastebin.com
468	pastebin.com
632	pastebin.com
693	pastebin.com
767	pastebin.com
793	pastebin.com
341	pastebin.com
406	pastebin.com
482	pastebin.com
618	pastebin.com
106	pastebin.com
474	pastebin.com
595	pastebin.com
792	pastebin.com
58	pastebin.com
378	pastebin.com
639	pastebin.com
761	pastebin.com
560	pastebin.com
100	pastebin.com
213	pastebin.com
400	pastebin.com
461	pastebin.com
497	pastebin.com
494	pastebin.com
592	pastebin.com
615	pastebin.com
753	pastebin.com
72	pastebin.com
212	pastebin.com
332	pastebin.com
477	pastebin.com
495	pastebin.com
652	pastebin.com
719	pastebin.com
81	pastebin.com
161	pastebin.com
184	pastebin.com
206	pastebin.com
640	pastebin.com
56	pastebin.com
93	pastebin.com
496	pastebin.com
580	pastebin.com
774	pastebin.com
170	pastebin.com
570	pastebin.com
721	pastebin.com
743	pastebin.com
666	pastebin.com
694	pastebin.com
781	pastebin.com
194	pastebin.com
272	pastebin.com
464	pastebin.com

Looks up external IP address via web service 2 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
44	icanhazip.com
623	icanhazip.com

Looks up geolocation information via web service
Uses a legitimate geolocation service to find the infected system's geolocation info.

Suspicious use of SetThreadContext 64 IoCs

description	pid	Process	procid_target
PID 988 set thread context of 4692	988	RuntimeBroker.exe	84
PID 3064 set thread context of 4856	3064	RuntimeBroker.exe	89
PID 856 set thread context of 3480	856	RuntimeBroker.exe	92
PID 3272 set thread context of 2672	3272	RuntimeBroker.exe	102
PID 4312 set thread context of 1288	4312	RuntimeBroker.exe	111
PID 3548 set thread context of 2612	3548	RuntimeBroker.exe	116
PID 3768 set thread context of 1496	3768	RuntimeBroker.exe	274
PID 2080 set thread context of 1248	2080	RuntimeBroker.exe	127
PID 2536 set thread context of 808	2536	RuntimeBroker.exe	133
PID 5500 set thread context of 5580	5500	RuntimeBroker.exe	368
PID 5180 set thread context of 5304	5180	RuntimeBroker.exe	144
PID 6140 set thread context of 2352	6140	RuntimeBroker.exe	157
PID 5644 set thread context of 6140	5644	RuntimeBroker.exe	171
PID 5996 set thread context of 5796	5996	RuntimeBroker.exe	327
PID 4356 set thread context of 5956	4356	RuntimeBroker.exe	196
PID 5552 set thread context of 5676	5552	RuntimeBroker.exe	211
PID 5924 set thread context of 2664	5924	RuntimeBroker.exe	1193
PID 5812 set thread context of 6084	5812	RuntimeBroker.exe	235
PID 1840 set thread context of 5984	1840	RuntimeBroker.exe	238
PID 2824 set thread context of 3080	2824	RuntimeBroker.exe	250
PID 1244 set thread context of 3444	1244	RuntimeBroker.exe	1671
PID 2808 set thread context of 4896	2808	RuntimeBroker.exe	1276
PID 4964 set thread context of 1496	4964	RuntimeBroker.exe	663
PID 6044 set thread context of 5812	6044	RuntimeBroker.exe	298
PID 3004 set thread context of 5636	3004	RuntimeBroker.exe	316
PID 3992 set thread context of 6068	3992	RuntimeBroker.exe	324
PID 5328 set thread context of 5224	5328	RuntimeBroker.exe	332
PID 4376 set thread context of 4172	4376	RuntimeBroker.exe	344
PID 3416 set thread context of 5440	3416	RuntimeBroker.exe	1622
PID 3452 set thread context of 4556	3452	RuntimeBroker.exe	363
PID 5428 set thread context of 6096	5428	RuntimeBroker.exe	373
PID 5520 set thread context of 1228	5520	RuntimeBroker.exe	1033
PID 5880 set thread context of 800	5880	RuntimeBroker.exe	1580
PID 5436 set thread context of 376	5436	RuntimeBroker.exe	405
PID 2976 set thread context of 3960	2976	RuntimeBroker.exe	409
PID 684 set thread context of 4316	684	RuntimeBroker.exe	420
PID 5408 set thread context of 5380	5408	RuntimeBroker.exe	1336
PID 6512 set thread context of 6588	6512	RuntimeBroker.exe	930
PID 6148 set thread context of 6244	6148	RuntimeBroker.exe	453
PID 6912 set thread context of 7036	6912	RuntimeBroker.exe	460
PID 6700 set thread context of 6768	6700	RuntimeBroker.exe	463
PID 6548 set thread context of 6644	6548	RuntimeBroker.exe	466
PID 5644 set thread context of 536	5644	RuntimeBroker.exe	475
PID 7128 set thread context of 6240	7128	RuntimeBroker.exe	490
PID 6408 set thread context of 5208	6408	RuntimeBroker.exe	513
PID 7112 set thread context of 7160	7112	RuntimeBroker.exe	534
PID 6976 set thread context of 6352	6976	RuntimeBroker.exe	1597
PID 6716 set thread context of 4852	6716	RuntimeBroker.exe	543
PID 6596 set thread context of 7092	6596	RuntimeBroker.exe	1288
PID 6508 set thread context of 5824	6508	RuntimeBroker.exe	555
PID 6512 set thread context of 6424	6512	RuntimeBroker.exe	565
PID 5868 set thread context of 6796	5868	RuntimeBroker.exe	579
PID 6480 set thread context of 1684	6480	RuntimeBroker.exe	595
PID 6744 set thread context of 6652	6744	RuntimeBroker.exe	1089
PID 1652 set thread context of 1720	1652	RuntimeBroker.exe	634
PID 6488 set thread context of 212	6488	RuntimeBroker.exe	1325
PID 1672 set thread context of 6760	1672	RuntimeBroker.exe	1594
PID 5352 set thread context of 6740	5352	RuntimeBroker.exe	659
PID 5632 set thread context of 5656	5632	RuntimeBroker.exe	810
PID 5192 set thread context of 3212	5192	RuntimeBroker.exe	1690
PID 6236 set thread context of 6776	6236	RuntimeBroker.exe	684
PID 4024 set thread context of 6312	4024	RuntimeBroker.exe	694
PID 4104 set thread context of 7124	4104	RuntimeBroker.exe	707
PID 6076 set thread context of 6384	6076	RuntimeBroker.exe	720

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Event Triggered Execution: Netsh Helper DLL 1 TTPs 64 IoCs

Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

persistence privilege_escalation

Netsh Helper DLL

T1546.007

description	ioc	Process
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	Process not Found
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	Process not Found
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	Process not Found
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	Process not Found
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	Process not Found
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	Process not Found
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	Process not Found
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	Process not Found
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	Process not Found
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	chcp.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RuntimeBroker.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RuntimeBroker.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	findstr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	findstr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RuntimeBroker.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	chcp.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	findstr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	chcp.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	chcp.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RuntimeBroker.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	findstr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RuntimeBroker.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	chcp.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	chcp.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	findstr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RuntimeBroker.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	chcp.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RuntimeBroker.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RuntimeBroker.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	findstr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RuntimeBroker.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	chcp.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	chcp.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	chcp.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found

System Network Configuration Discovery: Wi-Fi Discovery 1 TTPs 64 IoCs

Adversaries may search for information about Wi-Fi networks, such as network names and passwords, on compromised systems.

discovery

Wi-Fi Discovery

T1016.002

pid	Process
6308	netsh.exe
8092	netsh.exe
2972	cmd.exe
6044	cmd.exe
2664	cmd.exe
5592	cmd.exe
6088	cmd.exe
6272	cmd.exe
3104	cmd.exe
424	netsh.exe
7904	Process not Found
460	netsh.exe
6356	netsh.exe
3264	cmd.exe
2436	Process not Found
3040	cmd.exe
2552	cmd.exe
2444	netsh.exe
5228	Process not Found
8924	Process not Found
5300	Process not Found
6520	netsh.exe
6408	cmd.exe
5360	netsh.exe
668	Process not Found
2756	Process not Found
6588	netsh.exe
1852	Process not Found
3480	Process not Found
464	Process not Found
5512	netsh.exe
6152	cmd.exe
7204	netsh.exe
7892	cmd.exe
5924	cmd.exe
1368	Process not Found
5072	Process not Found
5144	cmd.exe
8020	cmd.exe
6592	netsh.exe
8180	cmd.exe
5524	netsh.exe
3180	cmd.exe
6852	netsh.exe
7620	netsh.exe
816	Process not Found
4416	cmd.exe
7764	netsh.exe
8508	Process not Found
3312	netsh.exe
5504	netsh.exe
7256	cmd.exe
4844	netsh.exe
7472	netsh.exe
800	netsh.exe
5904	netsh.exe
7344	netsh.exe
7960	cmd.exe
3444	Process not Found
7232	Process not Found
7680	netsh.exe
6660	netsh.exe
6608	netsh.exe
4416	netsh.exe

Checks processor information in registry 2 TTPs 64 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	RuntimeBroker.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\Description\System\CentralProcessor\0	RuntimeBroker.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	RuntimeBroker.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	RuntimeBroker.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	RuntimeBroker.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\Description\System\CentralProcessor\0	RuntimeBroker.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	RuntimeBroker.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	RuntimeBroker.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\Description\System\CentralProcessor\0	RuntimeBroker.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\Description\System\CentralProcessor\0	RuntimeBroker.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\Description\System\CentralProcessor\0	RuntimeBroker.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\Description\System\CentralProcessor\0	RuntimeBroker.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\Description\System\CentralProcessor\0	RuntimeBroker.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\Description\System\CentralProcessor\0	RuntimeBroker.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\Description\System\CentralProcessor\0	RuntimeBroker.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\Description\System\CentralProcessor\0	RuntimeBroker.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	RuntimeBroker.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\Description\System\CentralProcessor\0	RuntimeBroker.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\Description\System\CentralProcessor\0	RuntimeBroker.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\Description\System\CentralProcessor\0	RuntimeBroker.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	RuntimeBroker.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	RuntimeBroker.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\Description\System\CentralProcessor\0	RuntimeBroker.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\Description\System\CentralProcessor\0	RuntimeBroker.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	RuntimeBroker.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	RuntimeBroker.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	Process not Found
Key opened	\REGISTRY\MACHINE\HARDWARE\Description\System\CentralProcessor\0	RuntimeBroker.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\Description\System\CentralProcessor\0	RuntimeBroker.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\Description\System\CentralProcessor\0	RuntimeBroker.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	RuntimeBroker.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	RuntimeBroker.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\Description\System\CentralProcessor\0	RuntimeBroker.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	RuntimeBroker.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\Description\System\CentralProcessor\0	RuntimeBroker.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	RuntimeBroker.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\Description\System\CentralProcessor\0	RuntimeBroker.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	RuntimeBroker.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	RuntimeBroker.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\Description\System\CentralProcessor\0	Process not Found
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	RuntimeBroker.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	RuntimeBroker.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	RuntimeBroker.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	RuntimeBroker.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\Description\System\CentralProcessor\0	RuntimeBroker.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\Description\System\CentralProcessor\0	RuntimeBroker.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	Process not Found
Key opened	\REGISTRY\MACHINE\HARDWARE\Description\System\CentralProcessor\0	RuntimeBroker.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	RuntimeBroker.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	RuntimeBroker.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\Description\System\CentralProcessor\0	RuntimeBroker.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	RuntimeBroker.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	RuntimeBroker.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	RuntimeBroker.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\Description\System\CentralProcessor\0	RuntimeBroker.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	RuntimeBroker.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	RuntimeBroker.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	RuntimeBroker.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\Description\System\CentralProcessor\0	RuntimeBroker.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\Description\System\CentralProcessor\0	RuntimeBroker.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\Description\System\CentralProcessor\0	RuntimeBroker.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	RuntimeBroker.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\Description\System\CentralProcessor\0	RuntimeBroker.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\Description\System\CentralProcessor\0	RuntimeBroker.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4928	msedge.exe
4928	msedge.exe
1960	msedge.exe
1960	msedge.exe
4692	RuntimeBroker.exe
4692	RuntimeBroker.exe
4692	RuntimeBroker.exe
4692	RuntimeBroker.exe
4692	RuntimeBroker.exe
4692	RuntimeBroker.exe
4692	RuntimeBroker.exe
4692	RuntimeBroker.exe
4692	RuntimeBroker.exe
4856	RuntimeBroker.exe
4856	RuntimeBroker.exe
4856	RuntimeBroker.exe
4856	RuntimeBroker.exe
4856	RuntimeBroker.exe
4856	RuntimeBroker.exe
4856	RuntimeBroker.exe
4856	RuntimeBroker.exe
4856	RuntimeBroker.exe
4692	RuntimeBroker.exe
4692	RuntimeBroker.exe
3480	RuntimeBroker.exe
3480	RuntimeBroker.exe
3480	RuntimeBroker.exe
3480	RuntimeBroker.exe
3480	RuntimeBroker.exe
4692	RuntimeBroker.exe
4692	RuntimeBroker.exe
3480	RuntimeBroker.exe
3480	RuntimeBroker.exe
3480	RuntimeBroker.exe
3480	RuntimeBroker.exe
4856	RuntimeBroker.exe
4856	RuntimeBroker.exe
4692	RuntimeBroker.exe
4692	RuntimeBroker.exe
4856	RuntimeBroker.exe
4856	RuntimeBroker.exe
4692	RuntimeBroker.exe
4692	RuntimeBroker.exe
2672	RuntimeBroker.exe
2672	RuntimeBroker.exe
2672	RuntimeBroker.exe
2672	RuntimeBroker.exe
2672	RuntimeBroker.exe
2672	RuntimeBroker.exe
2672	RuntimeBroker.exe
4692	RuntimeBroker.exe
4692	RuntimeBroker.exe
2672	RuntimeBroker.exe
2672	RuntimeBroker.exe
4692	RuntimeBroker.exe
4692	RuntimeBroker.exe
1396	identity_helper.exe
1396	identity_helper.exe
4856	RuntimeBroker.exe
4856	RuntimeBroker.exe
3480	RuntimeBroker.exe
3480	RuntimeBroker.exe
1288	RuntimeBroker.exe
1288	RuntimeBroker.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 14 IoCs

pid	Process
1960	msedge.exe
1960	msedge.exe
1960	msedge.exe
1960	msedge.exe
1960	msedge.exe
1960	msedge.exe
1960	msedge.exe
1960	msedge.exe
1960	msedge.exe
1960	msedge.exe
1960	msedge.exe
1960	msedge.exe
1960	msedge.exe
1960	msedge.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	4692	RuntimeBroker.exe
Token: SeDebugPrivilege	4856	RuntimeBroker.exe
Token: SeDebugPrivilege	3480	RuntimeBroker.exe
Token: SeDebugPrivilege	2672	RuntimeBroker.exe
Token: SeDebugPrivilege	1288	RuntimeBroker.exe
Token: SeDebugPrivilege	2612	RuntimeBroker.exe
Token: SeDebugPrivilege	1496	RuntimeBroker.exe
Token: SeDebugPrivilege	1248	RuntimeBroker.exe
Token: SeDebugPrivilege	808	RuntimeBroker.exe
Token: SeDebugPrivilege	5580	RuntimeBroker.exe
Token: SeDebugPrivilege	5304	RuntimeBroker.exe
Token: SeDebugPrivilege	2352	RuntimeBroker.exe
Token: SeDebugPrivilege	6140	RuntimeBroker.exe
Token: SeDebugPrivilege	5796	RuntimeBroker.exe
Token: SeDebugPrivilege	5956	RuntimeBroker.exe
Token: SeDebugPrivilege	5676	RuntimeBroker.exe
Token: SeDebugPrivilege	2664	RuntimeBroker.exe
Token: SeDebugPrivilege	6084	RuntimeBroker.exe
Token: SeDebugPrivilege	5984	RuntimeBroker.exe
Token: SeDebugPrivilege	3080	RuntimeBroker.exe
Token: SeDebugPrivilege	3444	RuntimeBroker.exe
Token: SeDebugPrivilege	4896	RuntimeBroker.exe
Token: SeDebugPrivilege	1496	RuntimeBroker.exe
Token: SeDebugPrivilege	5812	RuntimeBroker.exe
Token: SeDebugPrivilege	5636	RuntimeBroker.exe
Token: SeDebugPrivilege	6068	RuntimeBroker.exe
Token: SeDebugPrivilege	5224	RuntimeBroker.exe
Token: SeDebugPrivilege	4172	RuntimeBroker.exe
Token: SeDebugPrivilege	5440	RuntimeBroker.exe
Token: SeDebugPrivilege	4556	RuntimeBroker.exe
Token: SeDebugPrivilege	6096	RuntimeBroker.exe
Token: SeDebugPrivilege	1228	RuntimeBroker.exe
Token: SeDebugPrivilege	800	RuntimeBroker.exe
Token: SeDebugPrivilege	376	RuntimeBroker.exe
Token: SeDebugPrivilege	3960	RuntimeBroker.exe
Token: SeDebugPrivilege	4316	RuntimeBroker.exe
Token: SeDebugPrivilege	5380	RuntimeBroker.exe
Token: SeDebugPrivilege	6588	RuntimeBroker.exe
Token: SeDebugPrivilege	6244	RuntimeBroker.exe
Token: SeDebugPrivilege	7036	RuntimeBroker.exe
Token: SeDebugPrivilege	6768	RuntimeBroker.exe
Token: SeDebugPrivilege	6644	RuntimeBroker.exe
Token: SeDebugPrivilege	536	RuntimeBroker.exe
Token: SeDebugPrivilege	6240	RuntimeBroker.exe
Token: SeDebugPrivilege	5208	RuntimeBroker.exe
Token: SeDebugPrivilege	7160	RuntimeBroker.exe
Token: SeDebugPrivilege	6352	RuntimeBroker.exe
Token: SeDebugPrivilege	4852	RuntimeBroker.exe
Token: SeDebugPrivilege	7092	RuntimeBroker.exe
Token: SeDebugPrivilege	5824	RuntimeBroker.exe
Token: SeDebugPrivilege	6424	RuntimeBroker.exe
Token: SeDebugPrivilege	6796	RuntimeBroker.exe
Token: SeDebugPrivilege	1684	RuntimeBroker.exe
Token: SeDebugPrivilege	6652	RuntimeBroker.exe
Token: SeDebugPrivilege	1720	RuntimeBroker.exe
Token: SeDebugPrivilege	212	RuntimeBroker.exe
Token: SeDebugPrivilege	6760	RuntimeBroker.exe
Token: SeDebugPrivilege	6740	RuntimeBroker.exe
Token: SeDebugPrivilege	5656	RuntimeBroker.exe
Token: SeDebugPrivilege	3212	RuntimeBroker.exe
Token: SeDebugPrivilege	6776	RuntimeBroker.exe
Token: SeDebugPrivilege	6312	RuntimeBroker.exe
Token: SeDebugPrivilege	7124	RuntimeBroker.exe
Token: SeDebugPrivilege	6384	RuntimeBroker.exe

Suspicious use of FindShellTrayWindow 25 IoCs

pid	Process
1960	msedge.exe
1960	msedge.exe
1960	msedge.exe
1960	msedge.exe
1960	msedge.exe
1960	msedge.exe
1960	msedge.exe
1960	msedge.exe
1960	msedge.exe
1960	msedge.exe
1960	msedge.exe
1960	msedge.exe
1960	msedge.exe
1960	msedge.exe
1960	msedge.exe
1960	msedge.exe
1960	msedge.exe
1960	msedge.exe
1960	msedge.exe
1960	msedge.exe
1960	msedge.exe
1960	msedge.exe
1960	msedge.exe
1960	msedge.exe
1960	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
1960	msedge.exe
1960	msedge.exe
1960	msedge.exe
1960	msedge.exe
1960	msedge.exe
1960	msedge.exe
1960	msedge.exe
1960	msedge.exe
1960	msedge.exe
1960	msedge.exe
1960	msedge.exe
1960	msedge.exe
1960	msedge.exe
1960	msedge.exe
1960	msedge.exe
1960	msedge.exe
1960	msedge.exe
1960	msedge.exe
1960	msedge.exe
1960	msedge.exe
1960	msedge.exe
1960	msedge.exe
1960	msedge.exe
1960	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3796 wrote to memory of 988	3796	RebelCracked.exe	82
PID 3796 wrote to memory of 988	3796	RebelCracked.exe	82
PID 3796 wrote to memory of 988	3796	RebelCracked.exe	82
PID 3796 wrote to memory of 4868	3796	RebelCracked.exe	83
PID 3796 wrote to memory of 4868	3796	RebelCracked.exe	83
PID 988 wrote to memory of 4692	988	RuntimeBroker.exe	84
PID 988 wrote to memory of 4692	988	RuntimeBroker.exe	84
PID 988 wrote to memory of 4692	988	RuntimeBroker.exe	84
PID 988 wrote to memory of 4692	988	RuntimeBroker.exe	84
PID 988 wrote to memory of 4692	988	RuntimeBroker.exe	84
PID 988 wrote to memory of 4692	988	RuntimeBroker.exe	84
PID 988 wrote to memory of 4692	988	RuntimeBroker.exe	84
PID 988 wrote to memory of 4692	988	RuntimeBroker.exe	84
PID 4868 wrote to memory of 3064	4868	RebelCracked.exe	85
PID 4868 wrote to memory of 3064	4868	RebelCracked.exe	85
PID 4868 wrote to memory of 3064	4868	RebelCracked.exe	85
PID 4868 wrote to memory of 1988	4868	RebelCracked.exe	86
PID 4868 wrote to memory of 1988	4868	RebelCracked.exe	86
PID 3064 wrote to memory of 1724	3064	RuntimeBroker.exe	87
PID 3064 wrote to memory of 1724	3064	RuntimeBroker.exe	87
PID 3064 wrote to memory of 1724	3064	RuntimeBroker.exe	87
PID 3064 wrote to memory of 5096	3064	RuntimeBroker.exe	88
PID 3064 wrote to memory of 5096	3064	RuntimeBroker.exe	88
PID 3064 wrote to memory of 5096	3064	RuntimeBroker.exe	88
PID 3064 wrote to memory of 4856	3064	RuntimeBroker.exe	89
PID 3064 wrote to memory of 4856	3064	RuntimeBroker.exe	89
PID 3064 wrote to memory of 4856	3064	RuntimeBroker.exe	89
PID 3064 wrote to memory of 4856	3064	RuntimeBroker.exe	89
PID 3064 wrote to memory of 4856	3064	RuntimeBroker.exe	89
PID 3064 wrote to memory of 4856	3064	RuntimeBroker.exe	89
PID 3064 wrote to memory of 4856	3064	RuntimeBroker.exe	89
PID 3064 wrote to memory of 4856	3064	RuntimeBroker.exe	89
PID 1988 wrote to memory of 856	1988	RebelCracked.exe	90
PID 1988 wrote to memory of 856	1988	RebelCracked.exe	90
PID 1988 wrote to memory of 856	1988	RebelCracked.exe	90
PID 1988 wrote to memory of 1040	1988	RebelCracked.exe	91
PID 1988 wrote to memory of 1040	1988	RebelCracked.exe	91
PID 856 wrote to memory of 3480	856	RuntimeBroker.exe	92
PID 856 wrote to memory of 3480	856	RuntimeBroker.exe	92
PID 856 wrote to memory of 3480	856	RuntimeBroker.exe	92
PID 856 wrote to memory of 3480	856	RuntimeBroker.exe	92
PID 856 wrote to memory of 3480	856	RuntimeBroker.exe	92
PID 856 wrote to memory of 3480	856	RuntimeBroker.exe	92
PID 856 wrote to memory of 3480	856	RuntimeBroker.exe	92
PID 856 wrote to memory of 3480	856	RuntimeBroker.exe	92
PID 1960 wrote to memory of 5000	1960	msedge.exe	96
PID 1960 wrote to memory of 5000	1960	msedge.exe	96
PID 1040 wrote to memory of 3272	1040	RebelCracked.exe	97
PID 1040 wrote to memory of 3272	1040	RebelCracked.exe	97
PID 1040 wrote to memory of 3272	1040	RebelCracked.exe	97
PID 1040 wrote to memory of 3556	1040	RebelCracked.exe	98
PID 1040 wrote to memory of 3556	1040	RebelCracked.exe	98
PID 1960 wrote to memory of 1520	1960	msedge.exe	99
PID 1960 wrote to memory of 1520	1960	msedge.exe	99
PID 1960 wrote to memory of 1520	1960	msedge.exe	99
PID 1960 wrote to memory of 1520	1960	msedge.exe	99
PID 1960 wrote to memory of 1520	1960	msedge.exe	99
PID 1960 wrote to memory of 1520	1960	msedge.exe	99
PID 1960 wrote to memory of 1520	1960	msedge.exe	99
PID 1960 wrote to memory of 1520	1960	msedge.exe	99
PID 1960 wrote to memory of 1520	1960	msedge.exe	99
PID 1960 wrote to memory of 1520	1960	msedge.exe	99
PID 1960 wrote to memory of 1520	1960	msedge.exe	99
PID 1960 wrote to memory of 1520	1960	msedge.exe	99

C:\Users\Admin\AppData\Local\Temp\RebelCracked.exe
"C:\Users\Admin\AppData\Local\Temp\RebelCracked.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:3796
- C:\Users\Admin\AppData\Local\RuntimeBroker.exe
  "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  PID:988
- - C:\Users\Admin\AppData\Local\RuntimeBroker.exe
    "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:4692
  - - C:\Windows\SysWOW64\cmd.exe
      "cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All
      4⤵
      PID:5388
    - - C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        5⤵
        
        PID:5828
    - - C:\Windows\SysWOW64\netsh.exe
        
        netsh wlan show profile
        5⤵
        Event Triggered Execution: Netsh Helper DLL
        System Network Configuration Discovery: Wi-Fi Discovery
        
        PID:3312
    - - C:\Windows\SysWOW64\findstr.exe
        
        findstr All
        5⤵
        
        PID:4156
  - - C:\Windows\SysWOW64\cmd.exe
      "cmd.exe" /C chcp 65001 && netsh wlan show networks mode=bssid
      4⤵
      PID:2044
    - - C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        5⤵
        
        PID:3716
    - - C:\Windows\SysWOW64\netsh.exe
        
        netsh wlan show networks mode=bssid
        5⤵
        
        PID:5724
- C:\Users\Admin\AppData\Local\Temp\RebelCracked.exe
  "C:\Users\Admin\AppData\Local\Temp\RebelCracked.exe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4868
- - C:\Users\Admin\AppData\Local\RuntimeBroker.exe
    "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
    PID:3064
  - - C:\Users\Admin\AppData\Local\RuntimeBroker.exe
      "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
      4⤵
      PID:1724
  - - C:\Users\Admin\AppData\Local\RuntimeBroker.exe
      "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
      4⤵
      PID:5096
  - - C:\Users\Admin\AppData\Local\RuntimeBroker.exe
      "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
      4⤵
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:4856
    - - C:\Windows\SysWOW64\cmd.exe
        
        "cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All
        5⤵
        
        PID:5752
      - C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        6⤵
        
        PID:5244
      - C:\Windows\SysWOW64\netsh.exe
        
        netsh wlan show profile
        6⤵
        
        PID:5412
      - C:\Windows\SysWOW64\findstr.exe
        
        findstr All
        6⤵
        
        PID:5140
    - - C:\Windows\SysWOW64\cmd.exe
        
        "cmd.exe" /C chcp 65001 && netsh wlan show networks mode=bssid
        5⤵
        
        PID:4176
      - C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        6⤵
        
        PID:3716
      - C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        6⤵
        
        PID:4408
      - C:\Windows\SysWOW64\netsh.exe
        
        netsh wlan show networks mode=bssid
        6⤵
        
        PID:5884
- - C:\Users\Admin\AppData\Local\Temp\RebelCracked.exe
    "C:\Users\Admin\AppData\Local\Temp\RebelCracked.exe"
    3⤵
    - Checks computer location settings
    - Suspicious use of WriteProcessMemory
    PID:1988
  - - C:\Users\Admin\AppData\Local\RuntimeBroker.exe
      "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of SetThreadContext
      Suspicious use of WriteProcessMemory
      PID:856
    - - C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        5⤵
        Executes dropped EXE
        Drops desktop.ini file(s)
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3480
      - C:\Windows\SysWOW64\cmd.exe
        
        "cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All
        6⤵
        
        PID:5148
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        7⤵
        
        PID:5340
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh wlan show profile
        7⤵
        
        PID:5136
        
        C:\Windows\SysWOW64\findstr.exe
        
        findstr All
        7⤵
        
        PID:4432
      - C:\Windows\SysWOW64\cmd.exe
        
        "cmd.exe" /C chcp 65001 && netsh wlan show networks mode=bssid
        6⤵
        
        PID:5264
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        7⤵
        
        PID:2664
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh wlan show networks mode=bssid
        7⤵
        
        PID:5232
  - - C:\Users\Admin\AppData\Local\Temp\RebelCracked.exe
      "C:\Users\Admin\AppData\Local\Temp\RebelCracked.exe"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:1040
    - - C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:3272
      - C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        6⤵
        Executes dropped EXE
        Drops desktop.ini file(s)
        Checks processor information in registry
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2672
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All
        7⤵
        System Network Configuration Discovery: Wi-Fi Discovery
        
        PID:5144
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        8⤵
        
        PID:5524
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh wlan show profile
        8⤵
        
        PID:5380
        
        C:\Windows\SysWOW64\findstr.exe
        
        findstr All
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:6044
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd.exe" /C chcp 65001 && netsh wlan show networks mode=bssid
        7⤵
        
        PID:4868
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        8⤵
        
        PID:5720
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh wlan show networks mode=bssid
        8⤵
        
        PID:4356
    - - C:\Users\Admin\AppData\Local\Temp\RebelCracked.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RebelCracked.exe"
        5⤵
        Checks computer location settings
        
        PID:3556
      - C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        6⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:4312
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        7⤵
        Executes dropped EXE
        Checks processor information in registry
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1288
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All
        8⤵
        
        PID:6044
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        9⤵
        System Location Discovery: System Language Discovery
        
        PID:6108
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh wlan show profile
        9⤵
        
        PID:4376
        
        C:\Windows\SysWOW64\findstr.exe
        
        findstr All
        9⤵
        
        PID:5140
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd.exe" /C chcp 65001 && netsh wlan show networks mode=bssid
        8⤵
        
        PID:5644
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        9⤵
        
        PID:5816
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh wlan show networks mode=bssid
        9⤵
        
        PID:5864
      - C:\Users\Admin\AppData\Local\Temp\RebelCracked.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RebelCracked.exe"
        6⤵
        
        PID:3768
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        7⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:3548
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        8⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2612
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All
        9⤵
        System Network Configuration Discovery: Wi-Fi Discovery
        
        PID:4416
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        10⤵
        
        PID:5772
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh wlan show profile
        10⤵
        
        PID:1808
        
        C:\Windows\SysWOW64\findstr.exe
        
        findstr All
        10⤵
        System Location Discovery: System Language Discovery
        
        PID:6044
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd.exe" /C chcp 65001 && netsh wlan show networks mode=bssid
        9⤵
        
        PID:5604
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        10⤵
        
        PID:2712
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh wlan show networks mode=bssid
        10⤵
        Event Triggered Execution: Netsh Helper DLL
        
        PID:5556
        
        C:\Users\Admin\AppData\Local\Temp\RebelCracked.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RebelCracked.exe"
        7⤵
        
        PID:1940
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        8⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:3768
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        9⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:1496
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All
        10⤵
        System Network Configuration Discovery: Wi-Fi Discovery
        
        PID:5592
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        11⤵
        
        PID:5740
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh wlan show profile
        11⤵
        Event Triggered Execution: Netsh Helper DLL
        
        PID:2448
        
        C:\Windows\SysWOW64\findstr.exe
        
        findstr All
        11⤵
        
        PID:4416
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd.exe" /C chcp 65001 && netsh wlan show networks mode=bssid
        10⤵
        
        PID:5424
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        11⤵
        
        PID:6072
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh wlan show networks mode=bssid
        11⤵
        Event Triggered Execution: Netsh Helper DLL
        
        PID:5456
        
        C:\Users\Admin\AppData\Local\Temp\RebelCracked.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RebelCracked.exe"
        8⤵
        
        PID:2972
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        9⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:2080
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        10⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:1248
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All
        11⤵
        
        PID:3084
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        12⤵
        
        PID:4032
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh wlan show profile
        12⤵
        
        PID:5456
        
        C:\Windows\SysWOW64\findstr.exe
        
        findstr All
        12⤵
        
        PID:2016
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd.exe" /C chcp 65001 && netsh wlan show networks mode=bssid
        11⤵
        
        PID:5260
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        12⤵
        
        PID:3108
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh wlan show networks mode=bssid
        12⤵
        Event Triggered Execution: Netsh Helper DLL
        
        PID:5644
        
        C:\Users\Admin\AppData\Local\Temp\RebelCracked.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RebelCracked.exe"
        9⤵
        
        PID:4312
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        10⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:2536
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        11⤵
        
        PID:3828
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        11⤵
        Executes dropped EXE
        Drops desktop.ini file(s)
        Checks processor information in registry
        Suspicious use of AdjustPrivilegeToken
        
        PID:808
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All
        12⤵
        
        PID:4312
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        13⤵
        
        PID:5280
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh wlan show profile
        13⤵
        Event Triggered Execution: Netsh Helper DLL
        
        PID:2712
        
        C:\Windows\SysWOW64\findstr.exe
        
        findstr All
        13⤵
        
        PID:5776
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd.exe" /C chcp 65001 && netsh wlan show networks mode=bssid
        12⤵
        
        PID:5464
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        13⤵
        
        PID:3452
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh wlan show networks mode=bssid
        13⤵
        
        PID:3324
        
        C:\Users\Admin\AppData\Local\Temp\RebelCracked.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RebelCracked.exe"
        10⤵
        Checks computer location settings
        
        PID:800
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        11⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:5500
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        12⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:5580
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All
        13⤵
        
        PID:5496
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        14⤵
        
        PID:432
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh wlan show profile
        14⤵
        
        PID:1416
        
        C:\Windows\SysWOW64\findstr.exe
        
        findstr All
        14⤵
        
        PID:4896
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd.exe" /C chcp 65001 && netsh wlan show networks mode=bssid
        13⤵
        
        PID:2980
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        14⤵
        
        PID:3448
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh wlan show networks mode=bssid
        14⤵
        
        PID:1616
        
        C:\Users\Admin\AppData\Local\Temp\RebelCracked.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RebelCracked.exe"
        11⤵
        
        PID:5536
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        12⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:5180
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        13⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:5304
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All
        14⤵
        
        PID:5164
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        15⤵
        
        PID:3108
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh wlan show profile
        15⤵
        
        PID:1900
        
        C:\Windows\SysWOW64\findstr.exe
        
        findstr All
        15⤵
        
        PID:3336
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd.exe" /C chcp 65001 && netsh wlan show networks mode=bssid
        14⤵
        
        PID:3300
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        15⤵
        System Location Discovery: System Language Discovery
        
        PID:2980
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh wlan show networks mode=bssid
        15⤵
        
        PID:5232
        
        C:\Users\Admin\AppData\Local\Temp\RebelCracked.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RebelCracked.exe"
        12⤵
        Checks computer location settings
        
        PID:5252
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        13⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:6140
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        14⤵
        Executes dropped EXE
        Drops desktop.ini file(s)
        Suspicious use of AdjustPrivilegeToken
        
        PID:2352
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All
        15⤵
        
        PID:2772
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        16⤵
        
        PID:5796
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh wlan show profile
        16⤵
        
        PID:4860
        
        C:\Windows\SysWOW64\findstr.exe
        
        findstr All
        16⤵
        
        PID:4964
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd.exe" /C chcp 65001 && netsh wlan show networks mode=bssid
        15⤵
        
        PID:4944
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        16⤵
        
        PID:5208
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh wlan show networks mode=bssid
        16⤵
        
        PID:5528
        
        C:\Users\Admin\AppData\Local\Temp\RebelCracked.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RebelCracked.exe"
        13⤵
        
        PID:4288
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        14⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:5644
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        15⤵
        Executes dropped EXE
        Checks processor information in registry
        Suspicious use of AdjustPrivilegeToken
        
        PID:6140
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All
        16⤵
        
        PID:3132
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        17⤵
        
        PID:5232
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh wlan show profile
        17⤵
        
        PID:5872
        
        C:\Windows\SysWOW64\findstr.exe
        
        findstr All
        17⤵
        
        PID:5860
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd.exe" /C chcp 65001 && netsh wlan show networks mode=bssid
        16⤵
        
        PID:5516
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        17⤵
        System Location Discovery: System Language Discovery
        
        PID:684
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh wlan show networks mode=bssid
        17⤵
        
        PID:1368
        
        C:\Users\Admin\AppData\Local\Temp\RebelCracked.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RebelCracked.exe"
        14⤵
        
        PID:1056
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        15⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:5996
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        16⤵
        Executes dropped EXE
        Checks processor information in registry
        Suspicious use of AdjustPrivilegeToken
        
        PID:5796
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All
        17⤵
        
        PID:5776
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        18⤵
        
        PID:3300
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh wlan show profile
        18⤵
        System Network Configuration Discovery: Wi-Fi Discovery
        
        PID:460
        
        C:\Windows\SysWOW64\findstr.exe
        
        findstr All
        18⤵
        
        PID:1808
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd.exe" /C chcp 65001 && netsh wlan show networks mode=bssid
        17⤵
        
        PID:5072
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        18⤵
        
        PID:5716
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh wlan show networks mode=bssid
        18⤵
        Event Triggered Execution: Netsh Helper DLL
        
        PID:5208
        
        C:\Users\Admin\AppData\Local\Temp\RebelCracked.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RebelCracked.exe"
        15⤵
        
        PID:2664
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        16⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:4356
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        17⤵
        Executes dropped EXE
        Checks processor information in registry
        Suspicious use of AdjustPrivilegeToken
        
        PID:5956
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All
        18⤵
        
        PID:5464
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        19⤵
        
        PID:5436
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh wlan show profile
        19⤵
        
        PID:5612
        
        C:\Windows\SysWOW64\findstr.exe
        
        findstr All
        19⤵
        
        PID:5580
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd.exe" /C chcp 65001 && netsh wlan show networks mode=bssid
        18⤵
        
        PID:6064
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        19⤵
        
        PID:2980
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh wlan show networks mode=bssid
        19⤵
        
        PID:6008
        
        C:\Users\Admin\AppData\Local\Temp\RebelCracked.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RebelCracked.exe"
        16⤵
        Checks computer location settings
        
        PID:3728
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        17⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:5552
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        18⤵
        Executes dropped EXE
        Drops desktop.ini file(s)
        Checks processor information in registry
        Suspicious use of AdjustPrivilegeToken
        
        PID:5676
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All
        19⤵
        
        PID:2496
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        20⤵
        
        PID:4484
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh wlan show profile
        20⤵
        
        PID:1844
        
        C:\Windows\SysWOW64\findstr.exe
        
        findstr All
        20⤵
        
        PID:400
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd.exe" /C chcp 65001 && netsh wlan show networks mode=bssid
        19⤵
        
        PID:2964
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        20⤵
        
        PID:5416
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh wlan show networks mode=bssid
        20⤵
        
        PID:5856
        
        C:\Users\Admin\AppData\Local\Temp\RebelCracked.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RebelCracked.exe"
        17⤵
        
        PID:5792
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        18⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:5924
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        19⤵
        Blocklisted process makes network request
        Executes dropped EXE
        Drops desktop.ini file(s)
        Suspicious use of AdjustPrivilegeToken
        
        PID:2664
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All
        20⤵
        
        PID:5824
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        21⤵
        
        PID:4312
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        21⤵
        
        PID:3960
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh wlan show profile
        21⤵
        
        PID:6128
        
        C:\Windows\SysWOW64\findstr.exe
        
        findstr All
        21⤵
        
        PID:2536
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd.exe" /C chcp 65001 && netsh wlan show networks mode=bssid
        20⤵
        System Location Discovery: System Language Discovery
        
        PID:5572
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        21⤵
        
        PID:5520
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh wlan show networks mode=bssid
        21⤵
        Event Triggered Execution: Netsh Helper DLL
        
        PID:912
        
        C:\Users\Admin\AppData\Local\Temp\RebelCracked.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RebelCracked.exe"
        18⤵
        
        PID:5960
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        19⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:5812
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        20⤵
        Executes dropped EXE
        Drops desktop.ini file(s)
        Checks processor information in registry
        Suspicious use of AdjustPrivilegeToken
        
        PID:6084
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All
        21⤵
        
        PID:5416
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        22⤵
        
        PID:5504
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh wlan show profile
        22⤵
        
        PID:4184
        
        C:\Windows\SysWOW64\findstr.exe
        
        findstr All
        22⤵
        
        PID:5492
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd.exe" /C chcp 65001 && netsh wlan show networks mode=bssid
        21⤵
        
        PID:4964
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        22⤵
        
        PID:4428
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh wlan show networks mode=bssid
        22⤵
        
        PID:3312
        
        C:\Users\Admin\AppData\Local\Temp\RebelCracked.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RebelCracked.exe"
        19⤵
        
        PID:5556
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        20⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:1840
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        21⤵
        Executes dropped EXE
        Drops desktop.ini file(s)
        Checks processor information in registry
        Suspicious use of AdjustPrivilegeToken
        
        PID:5984
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All
        22⤵
        
        PID:4312
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        23⤵
        
        PID:6064
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh wlan show profile
        23⤵
        Event Triggered Execution: Netsh Helper DLL
        
        PID:5092
        
        C:\Windows\SysWOW64\findstr.exe
        
        findstr All
        23⤵
        
        PID:5588
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd.exe" /C chcp 65001 && netsh wlan show networks mode=bssid
        22⤵
        
        PID:5164
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        23⤵
        
        PID:4408
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        23⤵
        
        PID:5220
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh wlan show networks mode=bssid
        23⤵
        
        PID:912
        
        C:\Users\Admin\AppData\Local\Temp\RebelCracked.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RebelCracked.exe"
        20⤵
        
        PID:992
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        21⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:2824
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        22⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:3080
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All
        23⤵
        System Network Configuration Discovery: Wi-Fi Discovery
        
        PID:6044
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        24⤵
        
        PID:5164
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh wlan show profile
        24⤵
        Event Triggered Execution: Netsh Helper DLL
        
        PID:3308
        
        C:\Windows\SysWOW64\findstr.exe
        
        findstr All
        24⤵
        
        PID:5288
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd.exe" /C chcp 65001 && netsh wlan show networks mode=bssid
        23⤵
        
        PID:5388
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        24⤵
        
        PID:4948
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh wlan show networks mode=bssid
        24⤵
        
        PID:5776
        
        C:\Users\Admin\AppData\Local\Temp\RebelCracked.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RebelCracked.exe"
        21⤵
        
        PID:5936
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        22⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:1244
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        23⤵
        Executes dropped EXE
        Drops desktop.ini file(s)
        Suspicious use of AdjustPrivilegeToken
        
        PID:3444
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All
        24⤵
        
        PID:7144
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        25⤵
        
        PID:1040
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh wlan show profile
        25⤵
        
        PID:6168
        
        C:\Windows\SysWOW64\findstr.exe
        
        findstr All
        25⤵
        
        PID:5868
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd.exe" /C chcp 65001 && netsh wlan show networks mode=bssid
        24⤵
        
        PID:6360
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        25⤵
        
        PID:528
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh wlan show networks mode=bssid
        25⤵
        
        PID:6152
        
        C:\Users\Admin\AppData\Local\Temp\RebelCracked.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RebelCracked.exe"
        22⤵
        
        PID:5480
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        23⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:2808
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        24⤵
        
        PID:2476
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        24⤵
        
        PID:1616
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        24⤵
        
        PID:916
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        24⤵
        Executes dropped EXE
        Drops desktop.ini file(s)
        Checks processor information in registry
        Suspicious use of AdjustPrivilegeToken
        
        PID:4896
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All
        25⤵
        System Network Configuration Discovery: Wi-Fi Discovery
        
        PID:3040
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        26⤵
        
        PID:6116
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh wlan show profile
        26⤵
        Event Triggered Execution: Netsh Helper DLL
        
        PID:4532
        
        C:\Windows\SysWOW64\findstr.exe
        
        findstr All
        26⤵
        
        PID:1608
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd.exe" /C chcp 65001 && netsh wlan show networks mode=bssid
        25⤵
        
        PID:5492
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        26⤵
        
        PID:2240
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        26⤵
        
        PID:1940
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh wlan show networks mode=bssid
        26⤵
        
        PID:6496
        
        C:\Users\Admin\AppData\Local\Temp\RebelCracked.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RebelCracked.exe"
        23⤵
        
        PID:1668
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        24⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:4964
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        25⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:1496
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All
        26⤵
        System Location Discovery: System Language Discovery
        
        PID:6508
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        27⤵
        
        PID:6796
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh wlan show profile
        27⤵
        System Network Configuration Discovery: Wi-Fi Discovery
        
        PID:4416
        
        C:\Windows\SysWOW64\findstr.exe
        
        findstr All
        27⤵
        
        PID:6576
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd.exe" /C chcp 65001 && netsh wlan show networks mode=bssid
        26⤵
        
        PID:6404
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        27⤵
        System Location Discovery: System Language Discovery
        
        PID:6416
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh wlan show networks mode=bssid
        27⤵
        Event Triggered Execution: Netsh Helper DLL
        
        PID:6236
        
        C:\Users\Admin\AppData\Local\Temp\RebelCracked.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RebelCracked.exe"
        24⤵
        Checks computer location settings
        
        PID:5828
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        25⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:6044
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        26⤵
        
        PID:3680
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        26⤵
        
        PID:4160
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        26⤵
        
        PID:5188
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        26⤵
        Executes dropped EXE
        Drops desktop.ini file(s)
        Suspicious use of AdjustPrivilegeToken
        
        PID:5812
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All
        27⤵
        System Network Configuration Discovery: Wi-Fi Discovery
        
        PID:6272
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        28⤵
        
        PID:4416
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        28⤵
        
        PID:5484
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh wlan show profile
        28⤵
        Event Triggered Execution: Netsh Helper DLL
        System Network Configuration Discovery: Wi-Fi Discovery
        
        PID:6588
        
        C:\Windows\SysWOW64\findstr.exe
        
        findstr All
        28⤵
        
        PID:6564
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd.exe" /C chcp 65001 && netsh wlan show networks mode=bssid
        27⤵
        
        PID:6028
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        28⤵
        
        PID:6884
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh wlan show networks mode=bssid
        28⤵
        
        PID:5328
        
        C:\Users\Admin\AppData\Local\Temp\RebelCracked.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RebelCracked.exe"
        25⤵
        Checks computer location settings
        
        PID:5704
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        26⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:3004
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        27⤵
        Executes dropped EXE
        Checks processor information in registry
        Suspicious use of AdjustPrivilegeToken
        
        PID:5636
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All
        28⤵
        
        PID:5596
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        29⤵
        
        PID:5328
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh wlan show profile
        29⤵
        
        PID:4976
        
        C:\Windows\SysWOW64\findstr.exe
        
        findstr All
        29⤵
        
        PID:5164
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd.exe" /C chcp 65001 && netsh wlan show networks mode=bssid
        28⤵
        
        PID:5856
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        29⤵
        
        PID:4948
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh wlan show networks mode=bssid
        29⤵
        
        PID:4600
        
        C:\Users\Admin\AppData\Local\Temp\RebelCracked.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RebelCracked.exe"
        26⤵
        
        PID:3084
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        27⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:3992
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        28⤵
        
        PID:3280
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        28⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Checks processor information in registry
        Suspicious use of AdjustPrivilegeToken
        
        PID:6068
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All
        29⤵
        
        PID:6860
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        30⤵
        
        PID:4136
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh wlan show profile
        30⤵
        System Network Configuration Discovery: Wi-Fi Discovery
        
        PID:6608
        
        C:\Windows\SysWOW64\findstr.exe
        
        findstr All
        30⤵
        
        PID:6184
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd.exe" /C chcp 65001 && netsh wlan show networks mode=bssid
        29⤵
        
        PID:452
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        30⤵
        
        PID:6940
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh wlan show networks mode=bssid
        30⤵
        
        PID:5492
        
        C:\Users\Admin\AppData\Local\Temp\RebelCracked.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RebelCracked.exe"
        27⤵
        
        PID:2436
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        28⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:5328
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        29⤵
        Executes dropped EXE
        Drops desktop.ini file(s)
        Checks processor information in registry
        Suspicious use of AdjustPrivilegeToken
        
        PID:5224
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All
        30⤵
        
        PID:6988
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        31⤵
        System Location Discovery: System Language Discovery
        
        PID:5060
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh wlan show profile
        31⤵
        Event Triggered Execution: Netsh Helper DLL
        System Network Configuration Discovery: Wi-Fi Discovery
        
        PID:6660
        
        C:\Windows\SysWOW64\findstr.exe
        
        findstr All
        31⤵
        
        PID:6568
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd.exe" /C chcp 65001 && netsh wlan show networks mode=bssid
        30⤵
        
        PID:5160
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        31⤵
        
        PID:6092
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh wlan show networks mode=bssid
        31⤵
        
        PID:6532
        
        C:\Users\Admin\AppData\Local\Temp\RebelCracked.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RebelCracked.exe"
        28⤵
        
        PID:5852
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        29⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:4376
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        30⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:4172
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All
        31⤵
        
        PID:4476
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        32⤵
        
        PID:6040
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh wlan show profile
        32⤵
        
        PID:5824
        
        C:\Windows\SysWOW64\findstr.exe
        
        findstr All
        32⤵
        
        PID:2240
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd.exe" /C chcp 65001 && netsh wlan show networks mode=bssid
        31⤵
        
        PID:5504
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        32⤵
        
        PID:4944
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh wlan show networks mode=bssid
        32⤵
        
        PID:5596
        
        C:\Users\Admin\AppData\Local\Temp\RebelCracked.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RebelCracked.exe"
        29⤵
        Checks computer location settings
        
        PID:5428
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        30⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:3416
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        31⤵
        Executes dropped EXE
        Drops desktop.ini file(s)
        Suspicious use of AdjustPrivilegeToken
        
        PID:5440
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All
        32⤵
        
        PID:6728
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        33⤵
        
        PID:7016
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh wlan show profile
        33⤵
        Event Triggered Execution: Netsh Helper DLL
        
        PID:2428
        
        C:\Windows\SysWOW64\findstr.exe
        
        findstr All
        33⤵
        
        PID:7064
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd.exe" /C chcp 65001 && netsh wlan show networks mode=bssid
        32⤵
        
        PID:7008
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        33⤵
        
        PID:5704
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        33⤵
        
        PID:6260
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh wlan show networks mode=bssid
        33⤵
        
        PID:6448
        
        C:\Users\Admin\AppData\Local\Temp\RebelCracked.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RebelCracked.exe"
        30⤵
        
        PID:1444
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        31⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:3452
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        32⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:4556
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All
        33⤵
        
        PID:1076
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        34⤵
        
        PID:6824
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh wlan show profile
        34⤵
        Event Triggered Execution: Netsh Helper DLL
        
        PID:1496
        
        C:\Windows\SysWOW64\findstr.exe
        
        findstr All
        34⤵
        
        PID:6156
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd.exe" /C chcp 65001 && netsh wlan show networks mode=bssid
        33⤵
        
        PID:6892
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        34⤵
        
        PID:6988
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh wlan show networks mode=bssid
        34⤵
        Event Triggered Execution: Netsh Helper DLL
        
        PID:5876
        
        C:\Users\Admin\AppData\Local\Temp\RebelCracked.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RebelCracked.exe"
        31⤵
        Checks computer location settings
        
        PID:5740
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        32⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:5428
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        33⤵
        
        PID:5272
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        33⤵
        
        PID:5416
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        33⤵
        Executes dropped EXE
        Drops desktop.ini file(s)
        Checks processor information in registry
        Suspicious use of AdjustPrivilegeToken
        
        PID:6096
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All
        34⤵
        
        PID:6896
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        35⤵
        
        PID:6872
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh wlan show profile
        35⤵
        Event Triggered Execution: Netsh Helper DLL
        
        PID:5512
        
        C:\Windows\SysWOW64\findstr.exe
        
        findstr All
        35⤵
        
        PID:6976
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd.exe" /C chcp 65001 && netsh wlan show networks mode=bssid
        34⤵
        
        PID:4868
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        35⤵
        
        PID:7124
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh wlan show networks mode=bssid
        35⤵
        Event Triggered Execution: Netsh Helper DLL
        
        PID:7008
        
        C:\Users\Admin\AppData\Local\Temp\RebelCracked.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RebelCracked.exe"
        32⤵
        
        PID:5824
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        33⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:5520
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        34⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:1228
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All
        35⤵
        
        PID:5192
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        36⤵
        
        PID:4948
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh wlan show profile
        36⤵
        System Network Configuration Discovery: Wi-Fi Discovery
        
        PID:6520
        
        C:\Windows\SysWOW64\findstr.exe
        
        findstr All
        36⤵
        
        PID:5504
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd.exe" /C chcp 65001 && netsh wlan show networks mode=bssid
        35⤵
        
        PID:508
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        36⤵
        
        PID:6368
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh wlan show networks mode=bssid
        36⤵
        
        PID:7264
        
        C:\Users\Admin\AppData\Local\Temp\RebelCracked.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RebelCracked.exe"
        33⤵
        Checks computer location settings
        
        PID:536
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        34⤵
        Suspicious use of SetThreadContext
        
        PID:5880
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        35⤵
        
        PID:6044
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        35⤵
        Drops desktop.ini file(s)
        Checks processor information in registry
        Suspicious use of AdjustPrivilegeToken
        
        PID:800
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All
        36⤵
        
        PID:7084
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        37⤵
        
        PID:3312
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh wlan show profile
        37⤵
        
        PID:6024
        
        C:\Windows\SysWOW64\findstr.exe
        
        findstr All
        37⤵
        
        PID:5160
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd.exe" /C chcp 65001 && netsh wlan show networks mode=bssid
        36⤵
        System Location Discovery: System Language Discovery
        
        PID:5776
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        37⤵
        
        PID:5164
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        37⤵
        
        PID:5240
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh wlan show networks mode=bssid
        37⤵
        
        PID:6760
        
        C:\Users\Admin\AppData\Local\Temp\RebelCracked.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RebelCracked.exe"
        34⤵
        
        PID:5720
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        35⤵
        Suspicious use of SetThreadContext
        
        PID:5436
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        36⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:376
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All
        37⤵
        
        PID:1416
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        38⤵
        
        PID:6336
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh wlan show profile
        38⤵
        
        PID:7608
        
        C:\Windows\SysWOW64\findstr.exe
        
        findstr All
        38⤵
        
        PID:4152
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd.exe" /C chcp 65001 && netsh wlan show networks mode=bssid
        37⤵
        
        PID:3724
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        38⤵
        
        PID:3488
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        38⤵
        
        PID:7240
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh wlan show networks mode=bssid
        38⤵
        
        PID:7356
        
        C:\Users\Admin\AppData\Local\Temp\RebelCracked.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RebelCracked.exe"
        35⤵
        Checks computer location settings
        
        PID:1336
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        36⤵
        Suspicious use of SetThreadContext
        
        PID:2976
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        37⤵
        
        PID:5288
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        37⤵
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:3960
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All
        38⤵
        System Network Configuration Discovery: Wi-Fi Discovery
        
        PID:3180
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        39⤵
        
        PID:6940
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh wlan show profile
        39⤵
        Event Triggered Execution: Netsh Helper DLL
        System Network Configuration Discovery: Wi-Fi Discovery
        
        PID:5360
        
        C:\Windows\SysWOW64\findstr.exe
        
        findstr All
        39⤵
        
        PID:1652
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd.exe" /C chcp 65001 && netsh wlan show networks mode=bssid
        38⤵
        
        PID:6152
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        39⤵
        
        PID:5592
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh wlan show networks mode=bssid
        39⤵
        
        PID:3764
        
        C:\Users\Admin\AppData\Local\Temp\RebelCracked.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RebelCracked.exe"
        36⤵
        Checks computer location settings
        
        PID:4184
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        37⤵
        Suspicious use of SetThreadContext
        
        PID:684
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        38⤵
        Checks processor information in registry
        Suspicious use of AdjustPrivilegeToken
        
        PID:4316
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All
        39⤵
        
        PID:6700
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        40⤵
        
        PID:6828
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh wlan show profile
        40⤵
        System Network Configuration Discovery: Wi-Fi Discovery
        
        PID:6356
        
        C:\Windows\SysWOW64\findstr.exe
        
        findstr All
        40⤵
        
        PID:5824
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd.exe" /C chcp 65001 && netsh wlan show networks mode=bssid
        39⤵
        
        PID:6900
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        40⤵
        
        PID:6176
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh wlan show networks mode=bssid
        40⤵
        
        PID:3304
        
        C:\Users\Admin\AppData\Local\Temp\RebelCracked.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RebelCracked.exe"
        37⤵
        Checks computer location settings
        
        PID:2544
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        38⤵
        Suspicious use of SetThreadContext
        
        PID:5408
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        39⤵
        Drops desktop.ini file(s)
        Checks processor information in registry
        Suspicious use of AdjustPrivilegeToken
        
        PID:5380
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All
        40⤵
        
        PID:4948
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        41⤵
        
        PID:6492
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh wlan show profile
        41⤵
        Event Triggered Execution: Netsh Helper DLL
        
        PID:3488
        
        C:\Windows\SysWOW64\findstr.exe
        
        findstr All
        41⤵
        
        PID:5760
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd.exe" /C chcp 65001 && netsh wlan show networks mode=bssid
        40⤵
        
        PID:6836
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        41⤵
        
        PID:4156
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        41⤵
        
        PID:5904
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh wlan show networks mode=bssid
        41⤵
        
        PID:1364
        
        C:\Users\Admin\AppData\Local\Temp\RebelCracked.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RebelCracked.exe"
        38⤵
        
        PID:3308
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        39⤵
        Suspicious use of SetThreadContext
        
        PID:6512
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        40⤵
        System Location Discovery: System Language Discovery
        Checks processor information in registry
        Suspicious use of AdjustPrivilegeToken
        
        PID:6588
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All
        41⤵
        
        PID:6868
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        42⤵
        
        PID:2572
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh wlan show profile
        42⤵
        Event Triggered Execution: Netsh Helper DLL
        
        PID:6152
        
        C:\Windows\SysWOW64\findstr.exe
        
        findstr All
        42⤵
        
        PID:6336
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd.exe" /C chcp 65001 && netsh wlan show networks mode=bssid
        41⤵
        
        PID:2880
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        42⤵
        
        PID:7028
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh wlan show networks mode=bssid
        42⤵
        
        PID:6228
        
        C:\Users\Admin\AppData\Local\Temp\RebelCracked.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RebelCracked.exe"
        39⤵
        
        PID:6556
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        40⤵
        Suspicious use of SetThreadContext
        
        PID:6148
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        41⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:6244
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All
        42⤵
        System Network Configuration Discovery: Wi-Fi Discovery
        
        PID:7256
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        43⤵
        
        PID:7772
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        43⤵
        
        PID:7868
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh wlan show profile
        43⤵
        
        PID:1756
        
        C:\Windows\SysWOW64\findstr.exe
        
        findstr All
        43⤵
        
        PID:7908
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd.exe" /C chcp 65001 && netsh wlan show networks mode=bssid
        42⤵
        
        PID:7264
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        43⤵
        
        PID:6756
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh wlan show networks mode=bssid
        43⤵
        Event Triggered Execution: Netsh Helper DLL
        
        PID:2496
        
        C:\Users\Admin\AppData\Local\Temp\RebelCracked.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RebelCracked.exe"
        40⤵
        Checks computer location settings
        
        PID:6176
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        41⤵
        Suspicious use of SetThreadContext
        
        PID:6912
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        42⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:7036
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All
        43⤵
        
        PID:6448
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        44⤵
        
        PID:428
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        44⤵
        
        PID:6368
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh wlan show profile
        44⤵
        Event Triggered Execution: Netsh Helper DLL
        System Network Configuration Discovery: Wi-Fi Discovery
        
        PID:5504
        
        C:\Windows\SysWOW64\findstr.exe
        
        findstr All
        44⤵
        
        PID:2428
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd.exe" /C chcp 65001 && netsh wlan show networks mode=bssid
        43⤵
        
        PID:6492
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        44⤵
        
        PID:1896
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh wlan show networks mode=bssid
        44⤵
        
        PID:1652
        
        C:\Users\Admin\AppData\Local\Temp\RebelCracked.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RebelCracked.exe"
        41⤵
        
        PID:7000
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        42⤵
        Suspicious use of SetThreadContext
        
        PID:6700
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        43⤵
        Drops desktop.ini file(s)
        Suspicious use of AdjustPrivilegeToken
        
        PID:6768
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All
        44⤵
        System Network Configuration Discovery: Wi-Fi Discovery
        
        PID:6408
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        45⤵
        
        PID:428
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh wlan show profile
        45⤵
        Event Triggered Execution: Netsh Helper DLL
        System Network Configuration Discovery: Wi-Fi Discovery
        
        PID:5904
        
        C:\Windows\SysWOW64\findstr.exe
        
        findstr All
        45⤵
        
        PID:6080
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd.exe" /C chcp 65001 && netsh wlan show networks mode=bssid
        44⤵
        System Location Discovery: System Language Discovery
        
        PID:6900
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        45⤵
        
        PID:5488
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh wlan show networks mode=bssid
        45⤵
        System Location Discovery: System Language Discovery
        
        PID:6448
        
        C:\Users\Admin\AppData\Local\Temp\RebelCracked.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RebelCracked.exe"
        42⤵
        
        PID:5328
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        43⤵
        Suspicious use of SetThreadContext
        
        PID:6548
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        44⤵
        Drops desktop.ini file(s)
        Checks processor information in registry
        Suspicious use of AdjustPrivilegeToken
        
        PID:6644
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All
        45⤵
        System Network Configuration Discovery: Wi-Fi Discovery
        
        PID:3264
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        46⤵
        
        PID:5144
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh wlan show profile
        46⤵
        
        PID:5624
        
        C:\Windows\SysWOW64\findstr.exe
        
        findstr All
        46⤵
        
        PID:6104
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd.exe" /C chcp 65001 && netsh wlan show networks mode=bssid
        45⤵
        
        PID:7132
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        46⤵
        
        PID:6260
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh wlan show networks mode=bssid
        46⤵
        
        PID:7112
        
        C:\Users\Admin\AppData\Local\Temp\RebelCracked.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RebelCracked.exe"
        43⤵
        
        PID:2536
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        44⤵
        Suspicious use of SetThreadContext
        
        PID:5644
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        45⤵
        
        PID:5264
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        45⤵
        Checks processor information in registry
        Suspicious use of AdjustPrivilegeToken
        
        PID:536
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All
        46⤵
        
        PID:6072
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        47⤵
        
        PID:2528
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh wlan show profile
        47⤵
        
        PID:632
        
        C:\Windows\SysWOW64\findstr.exe
        
        findstr All
        47⤵
        
        PID:2972
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd.exe" /C chcp 65001 && netsh wlan show networks mode=bssid
        46⤵
        
        PID:6948
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        47⤵
        
        PID:7016
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh wlan show networks mode=bssid
        47⤵
        Event Triggered Execution: Netsh Helper DLL
        
        PID:408
        
        C:\Users\Admin\AppData\Local\Temp\RebelCracked.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RebelCracked.exe"
        44⤵
        Checks computer location settings
        
        PID:6316
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        45⤵
        Suspicious use of SetThreadContext
        
        PID:7128
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        46⤵
        
        PID:6584
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        46⤵
        Checks processor information in registry
        Suspicious use of AdjustPrivilegeToken
        
        PID:6240
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All
        47⤵
        
        PID:3808
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        48⤵
        
        PID:7864
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh wlan show profile
        48⤵
        Event Triggered Execution: Netsh Helper DLL
        
        PID:6540
        
        C:\Windows\SysWOW64\findstr.exe
        
        findstr All
        48⤵
        
        PID:5368
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd.exe" /C chcp 65001 && netsh wlan show networks mode=bssid
        47⤵
        
        PID:6032
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        48⤵
        
        PID:5924
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh wlan show networks mode=bssid
        48⤵
        
        PID:1980
        
        C:\Users\Admin\AppData\Local\Temp\RebelCracked.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RebelCracked.exe"
        45⤵
        Checks computer location settings
        
        PID:6352
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        46⤵
        Suspicious use of SetThreadContext
        
        PID:6408
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        47⤵
        Checks processor information in registry
        Suspicious use of AdjustPrivilegeToken
        
        PID:5208
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All
        48⤵
        
        PID:1496
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        49⤵
        
        PID:7032
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh wlan show profile
        49⤵
        System Location Discovery: System Language Discovery
        
        PID:6976
        
        C:\Windows\SysWOW64\findstr.exe
        
        findstr All
        49⤵
        
        PID:6040
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd.exe" /C chcp 65001 && netsh wlan show networks mode=bssid
        48⤵
        System Location Discovery: System Language Discovery
        
        PID:6076
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        49⤵
        
        PID:6328
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh wlan show networks mode=bssid
        49⤵
        Event Triggered Execution: Netsh Helper DLL
        System Location Discovery: System Language Discovery
        
        PID:1404
        
        C:\Users\Admin\AppData\Local\Temp\RebelCracked.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RebelCracked.exe"
        46⤵
        
        PID:7044
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        47⤵
        Suspicious use of SetThreadContext
        
        PID:7112
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        48⤵
        
        PID:528
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        48⤵
        Checks processor information in registry
        Suspicious use of AdjustPrivilegeToken
        
        PID:7160
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All
        49⤵
        
        PID:7972
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        50⤵
        
        PID:6792
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh wlan show profile
        50⤵
        System Location Discovery: System Language Discovery
        
        PID:364
        
        C:\Windows\SysWOW64\findstr.exe
        
        findstr All
        50⤵
        
        PID:7620
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd.exe" /C chcp 65001 && netsh wlan show networks mode=bssid
        49⤵
        
        PID:4992
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        50⤵
        
        PID:2432
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh wlan show networks mode=bssid
        50⤵
        
        PID:800
        
        C:\Users\Admin\AppData\Local\Temp\RebelCracked.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RebelCracked.exe"
        47⤵
        Checks computer location settings
        
        PID:5356
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        48⤵
        Suspicious use of SetThreadContext
        
        PID:6976
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        49⤵
        Checks processor information in registry
        Suspicious use of AdjustPrivilegeToken
        
        PID:6352
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All
        50⤵
        System Network Configuration Discovery: Wi-Fi Discovery
        
        PID:8020
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        51⤵
        
        PID:208
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh wlan show profile
        51⤵
        Event Triggered Execution: Netsh Helper DLL
        
        PID:3724
        
        C:\Windows\SysWOW64\findstr.exe
        
        findstr All
        51⤵
        
        PID:7676
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd.exe" /C chcp 65001 && netsh wlan show networks mode=bssid
        50⤵
        
        PID:7800
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        51⤵
        
        PID:5384
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh wlan show networks mode=bssid
        51⤵
        Event Triggered Execution: Netsh Helper DLL
        
        PID:6812
        
        C:\Users\Admin\AppData\Local\Temp\RebelCracked.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RebelCracked.exe"
        48⤵
        
        PID:1160
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        49⤵
        Suspicious use of SetThreadContext
        
        PID:6716
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        50⤵
        
        PID:448
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        50⤵
        
        PID:6436
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        50⤵
        Checks processor information in registry
        Suspicious use of AdjustPrivilegeToken
        
        PID:4852
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All
        51⤵
        System Network Configuration Discovery: Wi-Fi Discovery
        
        PID:6088
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        52⤵
        
        PID:6932
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh wlan show profile
        52⤵
        
        PID:3676
        
        C:\Windows\SysWOW64\findstr.exe
        
        findstr All
        52⤵
        
        PID:6824
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd.exe" /C chcp 65001 && netsh wlan show networks mode=bssid
        51⤵
        
        PID:6060
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        52⤵
        
        PID:4252
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh wlan show networks mode=bssid
        52⤵
        
        PID:6312
        
        C:\Users\Admin\AppData\Local\Temp\RebelCracked.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RebelCracked.exe"
        49⤵
        
        PID:5868
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        50⤵
        Suspicious use of SetThreadContext
        
        PID:6596
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        51⤵
        Drops desktop.ini file(s)
        Suspicious use of AdjustPrivilegeToken
        
        PID:7092
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All
        52⤵
        
        PID:7896
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        53⤵
        
        PID:7192
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        53⤵
        
        PID:7620
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh wlan show profile
        53⤵
        
        PID:7052
        
        C:\Windows\SysWOW64\findstr.exe
        
        findstr All
        53⤵
        System Location Discovery: System Language Discovery
        
        PID:7856
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd.exe" /C chcp 65001 && netsh wlan show networks mode=bssid
        52⤵
        
        PID:6688
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        53⤵
        
        PID:5144
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh wlan show networks mode=bssid
        53⤵
        
        PID:7956
        
        C:\Users\Admin\AppData\Local\Temp\RebelCracked.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RebelCracked.exe"
        50⤵
        
        PID:2664
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        51⤵
        Suspicious use of SetThreadContext
        
        PID:6508
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        52⤵
        
        PID:6304
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        52⤵
        Checks processor information in registry
        Suspicious use of AdjustPrivilegeToken
        
        PID:5824
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All
        53⤵
        
        PID:5448
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        54⤵
        
        PID:5396
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh wlan show profile
        54⤵
        Event Triggered Execution: Netsh Helper DLL
        
        PID:5460
        
        C:\Windows\SysWOW64\findstr.exe
        
        findstr All
        54⤵
        
        PID:5632
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd.exe" /C chcp 65001 && netsh wlan show networks mode=bssid
        53⤵
        
        PID:3276
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        54⤵
        
        PID:4104
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh wlan show networks mode=bssid
        54⤵
        
        PID:4688
        
        C:\Users\Admin\AppData\Local\Temp\RebelCracked.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RebelCracked.exe"
        51⤵
        
        PID:6656
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        52⤵
        Suspicious use of SetThreadContext
        
        PID:6512
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        53⤵
        Drops desktop.ini file(s)
        Checks processor information in registry
        Suspicious use of AdjustPrivilegeToken
        
        PID:6424
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All
        54⤵
        System Network Configuration Discovery: Wi-Fi Discovery
        
        PID:6152
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        55⤵
        
        PID:3668
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh wlan show profile
        55⤵
        System Network Configuration Discovery: Wi-Fi Discovery
        
        PID:4844
        
        C:\Windows\SysWOW64\findstr.exe
        
        findstr All
        55⤵
        System Location Discovery: System Language Discovery
        
        PID:7484
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd.exe" /C chcp 65001 && netsh wlan show networks mode=bssid
        54⤵
        
        PID:1120
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        55⤵
        
        PID:1552
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh wlan show networks mode=bssid
        55⤵
        
        PID:4428
        
        C:\Users\Admin\AppData\Local\Temp\RebelCracked.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RebelCracked.exe"
        52⤵
        
        PID:6496
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        53⤵
        Suspicious use of SetThreadContext
        
        PID:5868
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        54⤵
        Checks processor information in registry
        Suspicious use of AdjustPrivilegeToken
        
        PID:6796
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All
        55⤵
        System Network Configuration Discovery: Wi-Fi Discovery
        
        PID:3104
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        56⤵
        
        PID:4716
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh wlan show profile
        56⤵
        System Network Configuration Discovery: Wi-Fi Discovery
        
        PID:7472
        
        C:\Windows\SysWOW64\findstr.exe
        
        findstr All
        56⤵
        
        PID:7808
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd.exe" /C chcp 65001 && netsh wlan show networks mode=bssid
        55⤵
        
        PID:6684
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        56⤵
        
        PID:7360
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh wlan show networks mode=bssid
        56⤵
        
        PID:1732
        
        C:\Users\Admin\AppData\Local\Temp\RebelCracked.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RebelCracked.exe"
        53⤵
        
        PID:6776
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        54⤵
        Suspicious use of SetThreadContext
        
        PID:6480
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        55⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:1684
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All
        56⤵
        
        PID:3668
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        57⤵
        System Location Discovery: System Language Discovery
        
        PID:7712
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh wlan show profile
        57⤵
        
        PID:6412
        
        C:\Windows\SysWOW64\findstr.exe
        
        findstr All
        57⤵
        
        PID:7180
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd.exe" /C chcp 65001 && netsh wlan show networks mode=bssid
        56⤵
        
        PID:7600
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        57⤵
        
        PID:7884
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh wlan show networks mode=bssid
        57⤵
        Event Triggered Execution: Netsh Helper DLL
        
        PID:2560
        
        C:\Users\Admin\AppData\Local\Temp\RebelCracked.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RebelCracked.exe"
        54⤵
        
        PID:6828
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        55⤵
        Suspicious use of SetThreadContext
        
        PID:6744
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        56⤵
        Drops desktop.ini file(s)
        Suspicious use of AdjustPrivilegeToken
        
        PID:6652
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All
        57⤵
        
        PID:1060
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        58⤵
        System Location Discovery: System Language Discovery
        
        PID:4528
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh wlan show profile
        58⤵
        
        PID:7852
        
        C:\Windows\SysWOW64\findstr.exe
        
        findstr All
        58⤵
        
        PID:380
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd.exe" /C chcp 65001 && netsh wlan show networks mode=bssid
        57⤵
        
        PID:6072
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        58⤵
        
        PID:8112
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh wlan show networks mode=bssid
        58⤵
        Event Triggered Execution: Netsh Helper DLL
        
        PID:7108
        
        C:\Users\Admin\AppData\Local\Temp\RebelCracked.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RebelCracked.exe"
        55⤵
        Checks computer location settings
        
        PID:6368
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        56⤵
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:1652
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        57⤵
        Checks processor information in registry
        Suspicious use of AdjustPrivilegeToken
        
        PID:1720
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All
        58⤵
        
        PID:7956
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        59⤵
        
        PID:4968
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh wlan show profile
        59⤵
        Event Triggered Execution: Netsh Helper DLL
        System Network Configuration Discovery: Wi-Fi Discovery
        
        PID:7680
        
        C:\Windows\SysWOW64\findstr.exe
        
        findstr All
        59⤵
        
        PID:7272
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd.exe" /C chcp 65001 && netsh wlan show networks mode=bssid
        58⤵
        
        PID:4412
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        59⤵
        
        PID:5928
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh wlan show networks mode=bssid
        59⤵
        
        PID:3452
        
        C:\Users\Admin\AppData\Local\Temp\RebelCracked.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RebelCracked.exe"
        56⤵
        
        PID:6508
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        57⤵
        Suspicious use of SetThreadContext
        
        PID:6488
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        58⤵
        
        PID:3128
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        58⤵
        
        PID:2016
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        58⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:212
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All
        59⤵
        System Network Configuration Discovery: Wi-Fi Discovery
        
        PID:2552
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        60⤵
        
        PID:8132
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh wlan show profile
        60⤵
        
        PID:1976
        
        C:\Windows\SysWOW64\findstr.exe
        
        findstr All
        60⤵
        
        PID:1048
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd.exe" /C chcp 65001 && netsh wlan show networks mode=bssid
        59⤵
        
        PID:7328
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        60⤵
        
        PID:8164
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh wlan show networks mode=bssid
        60⤵
        
        PID:7740
        
        C:\Users\Admin\AppData\Local\Temp\RebelCracked.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RebelCracked.exe"
        57⤵
        Checks computer location settings
        
        PID:6740
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        58⤵
        Suspicious use of SetThreadContext
        
        PID:1672
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        59⤵
        
        PID:6292
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        59⤵
        Drops desktop.ini file(s)
        Checks processor information in registry
        Suspicious use of AdjustPrivilegeToken
        
        PID:6760
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All
        60⤵
        
        PID:7768
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        61⤵
        
        PID:7516
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        61⤵
        System Location Discovery: System Language Discovery
        
        PID:5760
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh wlan show profile
        61⤵
        
        PID:6708
        
        C:\Windows\SysWOW64\findstr.exe
        
        findstr All
        61⤵
        
        PID:7032
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd.exe" /C chcp 65001 && netsh wlan show networks mode=bssid
        60⤵
        
        PID:4628
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        61⤵
        
        PID:3808
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        61⤵
        
        PID:6336
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh wlan show networks mode=bssid
        61⤵
        
        PID:1228
        
        C:\Users\Admin\AppData\Local\Temp\RebelCracked.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RebelCracked.exe"
        58⤵
        Checks computer location settings
        
        PID:6836
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        59⤵
        Suspicious use of SetThreadContext
        
        PID:5352
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        60⤵
        Drops desktop.ini file(s)
        Checks processor information in registry
        Suspicious use of AdjustPrivilegeToken
        
        PID:6740
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All
        61⤵
        
        PID:7204
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        62⤵
        
        PID:380
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh wlan show profile
        62⤵
        System Network Configuration Discovery: Wi-Fi Discovery
        
        PID:6592
        
        C:\Windows\SysWOW64\findstr.exe
        
        findstr All
        62⤵
        
        PID:7672
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd.exe" /C chcp 65001 && netsh wlan show networks mode=bssid
        61⤵
        
        PID:6948
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        62⤵
        
        PID:6088
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh wlan show networks mode=bssid
        62⤵
        Event Triggered Execution: Netsh Helper DLL
        
        PID:6460
        
        C:\Users\Admin\AppData\Local\Temp\RebelCracked.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RebelCracked.exe"
        59⤵
        Checks computer location settings
        
        PID:5192
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        60⤵
        Suspicious use of SetThreadContext
        
        PID:5632
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        61⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:5656
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All
        62⤵
        
        PID:5484
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        63⤵
        
        PID:7348
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh wlan show profile
        63⤵
        System Network Configuration Discovery: Wi-Fi Discovery
        
        PID:7764
        
        C:\Windows\SysWOW64\findstr.exe
        
        findstr All
        63⤵
        
        PID:7772
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd.exe" /C chcp 65001 && netsh wlan show networks mode=bssid
        62⤵
        
        PID:7280
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        63⤵
        
        PID:7864
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh wlan show networks mode=bssid
        63⤵
        
        PID:7924
        
        C:\Users\Admin\AppData\Local\Temp\RebelCracked.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RebelCracked.exe"
        60⤵
        
        PID:4024
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        61⤵
        Suspicious use of SetThreadContext
        
        PID:5192
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        62⤵
        Drops desktop.ini file(s)
        Checks processor information in registry
        Suspicious use of AdjustPrivilegeToken
        
        PID:3212
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All
        63⤵
        
        PID:7224
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        64⤵
        
        PID:7692
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh wlan show profile
        64⤵
        
        PID:7920
        
        C:\Windows\SysWOW64\findstr.exe
        
        findstr All
        64⤵
        
        PID:6052
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd.exe" /C chcp 65001 && netsh wlan show networks mode=bssid
        63⤵
        
        PID:7140
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        64⤵
        
        PID:7816
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh wlan show networks mode=bssid
        64⤵
        Event Triggered Execution: Netsh Helper DLL
        
        PID:7080
        
        C:\Users\Admin\AppData\Local\Temp\RebelCracked.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RebelCracked.exe"
        61⤵
        
        PID:3668
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        62⤵
        Suspicious use of SetThreadContext
        
        PID:6236
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        63⤵
        
        PID:7112
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        63⤵
        Checks processor information in registry
        Suspicious use of AdjustPrivilegeToken
        
        PID:6776
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All
        64⤵
        System Location Discovery: System Language Discovery
        
        PID:4428
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        65⤵
        
        PID:4688
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        65⤵
        
        PID:7468
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh wlan show profile
        65⤵
        
        PID:7768
        
        C:\Windows\SysWOW64\findstr.exe
        
        findstr All
        65⤵
        
        PID:5260
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd.exe" /C chcp 65001 && netsh wlan show networks mode=bssid
        64⤵
        
        PID:6368
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        65⤵
        
        PID:1972
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh wlan show networks mode=bssid
        65⤵
        Event Triggered Execution: Netsh Helper DLL
        
        PID:7972
        
        C:\Users\Admin\AppData\Local\Temp\RebelCracked.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RebelCracked.exe"
        62⤵
        
        PID:5192
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        63⤵
        Suspicious use of SetThreadContext
        
        PID:4024
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        64⤵
        
        PID:1896
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        64⤵
        Drops desktop.ini file(s)
        Suspicious use of AdjustPrivilegeToken
        
        PID:6312
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All
        65⤵
        System Network Configuration Discovery: Wi-Fi Discovery
        
        PID:2972
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        66⤵
        
        PID:7412
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh wlan show profile
        66⤵
        Event Triggered Execution: Netsh Helper DLL
        System Network Configuration Discovery: Wi-Fi Discovery
        
        PID:424
        
        C:\Windows\SysWOW64\findstr.exe
        
        findstr All
        66⤵
        
        PID:6264
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd.exe" /C chcp 65001 && netsh wlan show networks mode=bssid
        65⤵
        
        PID:1032
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        66⤵
        
        PID:6260
        
        C:\Users\Admin\AppData\Local\Temp\RebelCracked.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RebelCracked.exe"
        63⤵
        
        PID:4936
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        64⤵
        Suspicious use of SetThreadContext
        
        PID:4104
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        65⤵
        
        PID:6204
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        65⤵
        
        PID:1104
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        65⤵
        
        PID:5488
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        65⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:7124
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All
        66⤵
        
        PID:8164
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        67⤵
        
        PID:6592
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        67⤵
        
        PID:7872
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh wlan show profile
        67⤵
        
        PID:5160
        
        C:\Windows\SysWOW64\findstr.exe
        
        findstr All
        67⤵
        
        PID:7716
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd.exe" /C chcp 65001 && netsh wlan show networks mode=bssid
        66⤵
        
        PID:1272
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        67⤵
        
        PID:3264
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh wlan show networks mode=bssid
        67⤵
        Event Triggered Execution: Netsh Helper DLL
        
        PID:2428
        
        C:\Users\Admin\AppData\Local\Temp\RebelCracked.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RebelCracked.exe"
        64⤵
        
        PID:384
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        65⤵
        Suspicious use of SetThreadContext
        
        PID:6076
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        66⤵
        Drops desktop.ini file(s)
        Suspicious use of AdjustPrivilegeToken
        
        PID:6384
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All
        67⤵
        
        PID:2492
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        68⤵
        
        PID:4412
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh wlan show profile
        68⤵
        
        PID:7844
        
        C:\Windows\SysWOW64\findstr.exe
        
        findstr All
        68⤵
        
        PID:5856
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd.exe" /C chcp 65001 && netsh wlan show networks mode=bssid
        67⤵
        
        PID:3928
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        68⤵
        
        PID:1780
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        68⤵
        
        PID:1328
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh wlan show networks mode=bssid
        68⤵
        
        PID:7392
        
        C:\Users\Admin\AppData\Local\Temp\RebelCracked.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RebelCracked.exe"
        65⤵
        Checks computer location settings
        
        PID:5192
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        66⤵
        
        PID:7784
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        67⤵
        Drops desktop.ini file(s)
        Checks processor information in registry
        
        PID:7944
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All
        68⤵
        
        PID:1156
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        69⤵
        
        PID:7816
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh wlan show profile
        69⤵
        
        PID:7768
        
        C:\Windows\SysWOW64\findstr.exe
        
        findstr All
        69⤵
        
        PID:7592
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd.exe" /C chcp 65001 && netsh wlan show networks mode=bssid
        68⤵
        
        PID:5500
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        69⤵
        
        PID:5716
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        69⤵
        
        PID:1228
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh wlan show networks mode=bssid
        69⤵
        
        PID:5604
        
        C:\Users\Admin\AppData\Local\Temp\RebelCracked.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RebelCracked.exe"
        66⤵
        Checks computer location settings
        
        PID:7840
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        67⤵
        
        PID:6756
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        68⤵
        
        PID:7832
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        68⤵
        
        PID:7860
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All
        69⤵
        
        PID:7616
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        70⤵
        
        PID:1812
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        70⤵
        
        PID:7896
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh wlan show profile
        70⤵
        System Network Configuration Discovery: Wi-Fi Discovery
        
        PID:7620
        
        C:\Windows\SysWOW64\findstr.exe
        
        findstr All
        70⤵
        
        PID:7268
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd.exe" /C chcp 65001 && netsh wlan show networks mode=bssid
        69⤵
        
        PID:5240
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        70⤵
        
        PID:7204
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh wlan show networks mode=bssid
        70⤵
        
        PID:6900
        
        C:\Users\Admin\AppData\Local\Temp\RebelCracked.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RebelCracked.exe"
        67⤵
        
        PID:7744
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        68⤵
        
        PID:7232
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        69⤵
        Drops desktop.ini file(s)
        
        PID:7308
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All
        70⤵
        
        PID:3264
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        71⤵
        
        PID:7868
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh wlan show profile
        71⤵
        System Network Configuration Discovery: Wi-Fi Discovery
        
        PID:7204
        
        C:\Windows\SysWOW64\findstr.exe
        
        findstr All
        71⤵
        
        PID:7192
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd.exe" /C chcp 65001 && netsh wlan show networks mode=bssid
        70⤵
        
        PID:8120
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        71⤵
        
        PID:7784
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh wlan show networks mode=bssid
        71⤵
        
        PID:7004
        
        C:\Users\Admin\AppData\Local\Temp\RebelCracked.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RebelCracked.exe"
        68⤵
        Checks computer location settings
        
        PID:7324
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        69⤵
        
        PID:112
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        70⤵
        
        PID:7008
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All
        71⤵
        System Network Configuration Discovery: Wi-Fi Discovery
        
        PID:5924
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        72⤵
        
        PID:7956
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh wlan show profile
        72⤵
        
        PID:7204
        
        C:\Windows\SysWOW64\findstr.exe
        
        findstr All
        72⤵
        
        PID:4368
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd.exe" /C chcp 65001 && netsh wlan show networks mode=bssid
        71⤵
        
        PID:1216
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        72⤵
        
        PID:8016
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh wlan show networks mode=bssid
        72⤵
        Event Triggered Execution: Netsh Helper DLL
        
        PID:5148
        
        C:\Users\Admin\AppData\Local\Temp\RebelCracked.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RebelCracked.exe"
        69⤵
        
        PID:7328
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        70⤵
        
        PID:7192
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        71⤵
        
        PID:7348
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        71⤵
        Checks processor information in registry
        
        PID:6016
        
        C:\Users\Admin\AppData\Local\Temp\RebelCracked.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RebelCracked.exe"
        70⤵
        
        PID:3108
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        71⤵
        
        PID:7516
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        72⤵
        Checks processor information in registry
        
        PID:7884
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All
        73⤵
        
        PID:3264
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        74⤵
        
        PID:5820
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        74⤵
        
        PID:6856
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh wlan show profile
        74⤵
        System Network Configuration Discovery: Wi-Fi Discovery
        
        PID:7344
        
        C:\Windows\SysWOW64\findstr.exe
        
        findstr All
        74⤵
        
        PID:6308
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd.exe" /C chcp 65001 && netsh wlan show networks mode=bssid
        73⤵
        
        PID:7108
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        74⤵
        
        PID:3816
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh wlan show networks mode=bssid
        74⤵
        Event Triggered Execution: Netsh Helper DLL
        
        PID:6056
        
        C:\Users\Admin\AppData\Local\Temp\RebelCracked.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RebelCracked.exe"
        71⤵
        Checks computer location settings
        
        PID:6152
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        72⤵
        
        PID:4688
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        73⤵
        Checks processor information in registry
        
        PID:6428
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All
        74⤵
        
        PID:5440
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        75⤵
        
        PID:7528
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh wlan show profile
        75⤵
        
        PID:8040
        
        C:\Windows\SysWOW64\findstr.exe
        
        findstr All
        75⤵
        
        PID:6552
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd.exe" /C chcp 65001 && netsh wlan show networks mode=bssid
        74⤵
        
        PID:5684
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        75⤵
        
        PID:5960
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh wlan show networks mode=bssid
        75⤵
        
        PID:6340
        
        C:\Users\Admin\AppData\Local\Temp\RebelCracked.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RebelCracked.exe"
        72⤵
        
        PID:4580
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        73⤵
        
        PID:6264
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        74⤵
        
        PID:5656
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        74⤵
        
        PID:3732
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        74⤵
        
        PID:7080
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All
        75⤵
        
        PID:8092
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        76⤵
        
        PID:1228
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh wlan show profile
        76⤵
        
        PID:6652
        
        C:\Windows\SysWOW64\findstr.exe
        
        findstr All
        76⤵
        
        PID:7004
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd.exe" /C chcp 65001 && netsh wlan show networks mode=bssid
        75⤵
        
        PID:6412
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        76⤵
        
        PID:1036
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh wlan show networks mode=bssid
        76⤵
        Event Triggered Execution: Netsh Helper DLL
        
        PID:3264
        
        C:\Users\Admin\AppData\Local\Temp\RebelCracked.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RebelCracked.exe"
        73⤵
        
        PID:3304
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        74⤵
        
        PID:1780
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        75⤵
        Drops desktop.ini file(s)
        Checks processor information in registry
        
        PID:6256
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All
        76⤵
        
        PID:5664
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        77⤵
        
        PID:7700
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh wlan show profile
        77⤵
        Event Triggered Execution: Netsh Helper DLL
        
        PID:5232
        
        C:\Windows\SysWOW64\findstr.exe
        
        findstr All
        77⤵
        
        PID:1780
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd.exe" /C chcp 65001 && netsh wlan show networks mode=bssid
        76⤵
        
        PID:3104
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        77⤵
        
        PID:5580
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh wlan show networks mode=bssid
        77⤵
        
        PID:3576
        
        C:\Users\Admin\AppData\Local\Temp\RebelCracked.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RebelCracked.exe"
        74⤵
        Checks computer location settings
        
        PID:6008
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        75⤵
        
        PID:4688
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        76⤵
        
        PID:7492
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        76⤵
        
        PID:8008
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        76⤵
        
        PID:1864
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        76⤵
        Drops desktop.ini file(s)
        System Location Discovery: System Language Discovery
        
        PID:7452
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All
        77⤵
        System Network Configuration Discovery: Wi-Fi Discovery
        
        PID:7892
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        78⤵
        
        PID:7740
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh wlan show profile
        78⤵
        Event Triggered Execution: Netsh Helper DLL
        System Network Configuration Discovery: Wi-Fi Discovery
        
        PID:5524
        
        C:\Windows\SysWOW64\findstr.exe
        
        findstr All
        78⤵
        
        PID:5432
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd.exe" /C chcp 65001 && netsh wlan show networks mode=bssid
        77⤵
        
        PID:1328
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        78⤵
        
        PID:6936
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh wlan show networks mode=bssid
        78⤵
        
        PID:5652
        
        C:\Users\Admin\AppData\Local\Temp\RebelCracked.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RebelCracked.exe"
        75⤵
        Checks computer location settings
        
        PID:2980
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        76⤵
        
        PID:7204
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        77⤵
        
        PID:1040
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All
        78⤵
        
        PID:3676
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        79⤵
        
        PID:3104
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh wlan show profile
        79⤵
        
        PID:1540
        
        C:\Windows\SysWOW64\findstr.exe
        
        findstr All
        79⤵
        
        PID:6368
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd.exe" /C chcp 65001 && netsh wlan show networks mode=bssid
        78⤵
        
        PID:7524
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        79⤵
        
        PID:384
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        79⤵
        
        PID:3040
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh wlan show networks mode=bssid
        79⤵
        System Location Discovery: System Language Discovery
        
        PID:6056
        
        C:\Users\Admin\AppData\Local\Temp\RebelCracked.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RebelCracked.exe"
        76⤵
        Checks computer location settings
        
        PID:7616
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        77⤵
        
        PID:1968
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        78⤵
        
        PID:6756
        
        C:\Users\Admin\AppData\Local\Temp\RebelCracked.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RebelCracked.exe"
        77⤵
        
        PID:8088
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        78⤵
        
        PID:7592
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        79⤵
        Drops desktop.ini file(s)
        
        PID:7380
        
        C:\Users\Admin\AppData\Local\Temp\RebelCracked.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RebelCracked.exe"
        78⤵
        Checks computer location settings
        
        PID:5612
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        79⤵
        
        PID:2228
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        80⤵
        Checks processor information in registry
        
        PID:2792
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All
        81⤵
        
        PID:5912
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        82⤵
        
        PID:396
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh wlan show profile
        82⤵
        
        PID:6288
        
        C:\Windows\SysWOW64\findstr.exe
        
        findstr All
        82⤵
        
        PID:7908
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd.exe" /C chcp 65001 && netsh wlan show networks mode=bssid
        81⤵
        System Location Discovery: System Language Discovery
        
        PID:7996
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        82⤵
        
        PID:756
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh wlan show networks mode=bssid
        82⤵
        
        PID:5468
        
        C:\Users\Admin\AppData\Local\Temp\RebelCracked.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RebelCracked.exe"
        79⤵
        Checks computer location settings
        
        PID:632
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        80⤵
        
        PID:5396
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        81⤵
        Checks processor information in registry
        
        PID:3016
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All
        82⤵
        System Network Configuration Discovery: Wi-Fi Discovery
        
        PID:8180
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        83⤵
        
        PID:5340
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        83⤵
        
        PID:1208
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh wlan show profile
        83⤵
        System Network Configuration Discovery: Wi-Fi Discovery
        
        PID:2444
        
        C:\Windows\SysWOW64\findstr.exe
        
        findstr All
        83⤵
        
        PID:6356
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd.exe" /C chcp 65001 && netsh wlan show networks mode=bssid
        82⤵
        
        PID:5964
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        83⤵
        
        PID:1036
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh wlan show networks mode=bssid
        83⤵
        
        PID:7964
        
        C:\Users\Admin\AppData\Local\Temp\RebelCracked.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RebelCracked.exe"
        80⤵
        
        PID:7336
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        81⤵
        
        PID:5820
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        82⤵
        Drops desktop.ini file(s)
        Checks processor information in registry
        
        PID:5836
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All
        83⤵
        System Network Configuration Discovery: Wi-Fi Discovery
        
        PID:7960
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        84⤵
        
        PID:1404
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh wlan show profile
        84⤵
        Event Triggered Execution: Netsh Helper DLL
        System Network Configuration Discovery: Wi-Fi Discovery
        
        PID:8092
        
        C:\Windows\SysWOW64\findstr.exe
        
        findstr All
        84⤵
        
        PID:7616
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd.exe" /C chcp 65001 && netsh wlan show networks mode=bssid
        83⤵
        
        PID:380
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        84⤵
        
        PID:6988
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh wlan show networks mode=bssid
        84⤵
        
        PID:6688
        
        C:\Users\Admin\AppData\Local\Temp\RebelCracked.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RebelCracked.exe"
        81⤵
        
        PID:4504
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        82⤵
        
        PID:8112
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        83⤵
        
        PID:5192
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        83⤵
        System Location Discovery: System Language Discovery
        
        PID:6588
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All
        84⤵
        
        PID:7756
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        85⤵
        
        PID:2824
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh wlan show profile
        85⤵
        Event Triggered Execution: Netsh Helper DLL
        System Network Configuration Discovery: Wi-Fi Discovery
        
        PID:6308
        
        C:\Windows\SysWOW64\findstr.exe
        
        findstr All
        85⤵
        
        PID:7780
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd.exe" /C chcp 65001 && netsh wlan show networks mode=bssid
        84⤵
        
        PID:8040
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        85⤵
        
        PID:2664
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh wlan show networks mode=bssid
        85⤵
        
        PID:5760
        
        C:\Users\Admin\AppData\Local\Temp\RebelCracked.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RebelCracked.exe"
        82⤵
        Checks computer location settings
        
        PID:5352
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        83⤵
        
        PID:6960
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        84⤵
        
        PID:7496
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        84⤵
        Checks processor information in registry
        
        PID:6864
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All
        85⤵
        
        PID:1624
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        86⤵
        
        PID:6072
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh wlan show profile
        86⤵
        Event Triggered Execution: Netsh Helper DLL
        System Network Configuration Discovery: Wi-Fi Discovery
        
        PID:6852
        
        C:\Windows\SysWOW64\findstr.exe
        
        findstr All
        86⤵
        
        PID:8156
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd.exe" /C chcp 65001 && netsh wlan show networks mode=bssid
        85⤵
        
        PID:2784
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        86⤵
        
        PID:7204
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh wlan show networks mode=bssid
        86⤵
        Event Triggered Execution: Netsh Helper DLL
        
        PID:7676
        
        C:\Users\Admin\AppData\Local\Temp\RebelCracked.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RebelCracked.exe"
        83⤵
        Checks computer location settings
        
        PID:364
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        84⤵
        
        PID:384
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        85⤵
        Drops desktop.ini file(s)
        
        PID:8128
        
        C:\Users\Admin\AppData\Local\Temp\RebelCracked.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RebelCracked.exe"
        84⤵
        
        PID:7956
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        85⤵
        
        PID:5276
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        86⤵
        
        PID:5368
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        86⤵
        
        PID:7476
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        86⤵
        
        PID:7732
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        86⤵
        
        PID:7472
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        86⤵
        
        PID:2568
        
        C:\Users\Admin\AppData\Local\Temp\RebelCracked.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RebelCracked.exe"
        85⤵
        
        PID:3324
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        86⤵
        
        PID:3304
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        87⤵
        Checks processor information in registry
        
        PID:6248
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All
        88⤵
        
        PID:7600
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        89⤵
        
        PID:4628
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        89⤵
        
        PID:4780
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh wlan show profile
        89⤵
        Event Triggered Execution: Netsh Helper DLL
        System Location Discovery: System Language Discovery
        System Network Configuration Discovery: Wi-Fi Discovery
        
        PID:5512
        
        C:\Windows\SysWOW64\findstr.exe
        
        findstr All
        89⤵
        System Location Discovery: System Language Discovery
        
        PID:6552
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd.exe" /C chcp 65001 && netsh wlan show networks mode=bssid
        88⤵
        
        PID:5228
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        89⤵
        
        PID:1216
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh wlan show networks mode=bssid
        89⤵
        Event Triggered Execution: Netsh Helper DLL
        
        PID:6652
        
        C:\Users\Admin\AppData\Local\Temp\RebelCracked.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RebelCracked.exe"
        86⤵
        
        PID:7512
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        87⤵
        
        PID:7384
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        88⤵
        
        PID:8160
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        88⤵
        Drops desktop.ini file(s)
        System Location Discovery: System Language Discovery
        
        PID:3212
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All
        89⤵
        
        PID:408
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        90⤵
        
        PID:1968
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        90⤵
        System Location Discovery: System Language Discovery
        
        PID:6656
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh wlan show profile
        90⤵
        
        PID:6812
        
        C:\Windows\SysWOW64\findstr.exe
        
        findstr All
        90⤵
        
        PID:6748
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd.exe" /C chcp 65001 && netsh wlan show networks mode=bssid
        89⤵
        
        PID:3716
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        90⤵
        
        PID:3320
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh wlan show networks mode=bssid
        90⤵
        
        PID:6320
        
        C:\Users\Admin\AppData\Local\Temp\RebelCracked.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RebelCracked.exe"
        87⤵
        
        PID:756
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        88⤵
        
        PID:7968
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        89⤵
        
        PID:6408
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All
        90⤵
        
        PID:2564
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        91⤵
        
        PID:6176
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh wlan show profile
        91⤵
        System Location Discovery: System Language Discovery
        
        PID:6968
        
        C:\Windows\SysWOW64\findstr.exe
        
        findstr All
        91⤵
        
        PID:3916
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd.exe" /C chcp 65001 && netsh wlan show networks mode=bssid
        90⤵
        
        PID:2976
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        91⤵
        
        PID:1040
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh wlan show networks mode=bssid
        91⤵
        
        PID:3320
        
        C:\Users\Admin\AppData\Local\Temp\RebelCracked.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RebelCracked.exe"
        88⤵
        
        PID:1612
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        89⤵
        
        PID:7328
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        90⤵
        Drops desktop.ini file(s)
        Checks processor information in registry
        
        PID:5384
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All
        91⤵
        
        PID:6792
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        92⤵
        
        PID:2972
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh wlan show profile
        92⤵
        Event Triggered Execution: Netsh Helper DLL
        
        PID:3716
        
        C:\Windows\SysWOW64\findstr.exe
        
        findstr All
        92⤵
        System Location Discovery: System Language Discovery
        
        PID:7828
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd.exe" /C chcp 65001 && netsh wlan show networks mode=bssid
        91⤵
        
        PID:6948
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        92⤵
        
        PID:7272
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        92⤵
        
        PID:5388
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh wlan show networks mode=bssid
        92⤵
        System Location Discovery: System Language Discovery
        
        PID:7372
        
        C:\Users\Admin\AppData\Local\Temp\RebelCracked.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RebelCracked.exe"
        89⤵
        
        PID:6792
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        90⤵
        
        PID:5552
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        91⤵
        
        PID:6828
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        91⤵
        Checks processor information in registry
        
        PID:4104
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All
        92⤵
        
        PID:5612
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        93⤵
        
        PID:5880
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh wlan show profile
        93⤵
        
        PID:6556
        
        C:\Windows\SysWOW64\findstr.exe
        
        findstr All
        93⤵
        
        PID:8108
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd.exe" /C chcp 65001 && netsh wlan show networks mode=bssid
        92⤵
        
        PID:5960
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        93⤵
        
        PID:6940
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh wlan show networks mode=bssid
        93⤵
        Event Triggered Execution: Netsh Helper DLL
        
        PID:6264
        
        C:\Users\Admin\AppData\Local\Temp\RebelCracked.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RebelCracked.exe"
        90⤵
        Checks computer location settings
        
        PID:1812
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        91⤵
        
        PID:6176
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        92⤵
        Drops desktop.ini file(s)
        Checks processor information in registry
        
        PID:1100
        
        C:\Users\Admin\AppData\Local\Temp\RebelCracked.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RebelCracked.exe"
        91⤵
        
        PID:7244
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        92⤵
        
        PID:5960
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        93⤵
        
        PID:7952
        
        C:\Users\Admin\AppData\Local\Temp\RebelCracked.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RebelCracked.exe"
        92⤵
        
        PID:7764
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        93⤵
        
        PID:5228
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        94⤵
        Drops desktop.ini file(s)
        
        PID:3764
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All
        95⤵
        System Network Configuration Discovery: Wi-Fi Discovery
        
        PID:2664
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        96⤵
        
        PID:7512
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh wlan show profile
        96⤵
        
        PID:508
        
        C:\Windows\SysWOW64\findstr.exe
        
        findstr All
        96⤵
        
        PID:6124
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd.exe" /C chcp 65001 && netsh wlan show networks mode=bssid
        95⤵
        
        PID:7684
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        96⤵
        System Location Discovery: System Language Discovery
        
        PID:7176
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh wlan show networks mode=bssid
        96⤵
        
        PID:3724
        
        C:\Users\Admin\AppData\Local\Temp\RebelCracked.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RebelCracked.exe"
        93⤵
        Checks computer location settings
        
        PID:208
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        94⤵
        
        PID:4020
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        95⤵
        Checks processor information in registry
        
        PID:2536
        
        C:\Users\Admin\AppData\Local\Temp\RebelCracked.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RebelCracked.exe"
        94⤵
        
        PID:2956
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        95⤵
        
        PID:5432
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        96⤵
        
        PID:6884
        
        C:\Users\Admin\AppData\Local\Temp\RebelCracked.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RebelCracked.exe"
        95⤵
        Checks computer location settings
        
        PID:4020
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        96⤵
        
        PID:6620
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        97⤵
        
        PID:4404
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        97⤵
        Drops desktop.ini file(s)
        Checks processor information in registry
        
        PID:5440
        
        C:\Users\Admin\AppData\Local\Temp\RebelCracked.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RebelCracked.exe"
        96⤵
        Checks computer location settings
        
        PID:1152
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        97⤵
        
        PID:7664
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        98⤵
        
        PID:7600
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        98⤵
        System Location Discovery: System Language Discovery
        
        PID:2976
        
        C:\Users\Admin\AppData\Local\Temp\RebelCracked.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RebelCracked.exe"
        97⤵
        
        PID:212
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        98⤵
        
        PID:7020
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        99⤵
        System Location Discovery: System Language Discovery
        
        PID:7720
        
        C:\Users\Admin\AppData\Local\Temp\RebelCracked.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RebelCracked.exe"
        98⤵
        Checks computer location settings
        
        PID:1336
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        99⤵
        
        PID:8108
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        100⤵
        Checks processor information in registry
        
        PID:6752
        
        C:\Users\Admin\AppData\Local\Temp\RebelCracked.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RebelCracked.exe"
        99⤵
        Checks computer location settings
        
        PID:7892
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        100⤵
        
        PID:6988
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        101⤵
        
        PID:1008
        
        C:\Users\Admin\AppData\Local\Temp\RebelCracked.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RebelCracked.exe"
        100⤵
        Checks computer location settings
        
        PID:7244
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        101⤵
        
        PID:2332
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        102⤵
        Checks processor information in registry
        
        PID:5596
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All
        103⤵
        
        PID:7064
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        104⤵
        
        PID:6072
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh wlan show profile
        104⤵
        System Network Configuration Discovery: Wi-Fi Discovery
        
        PID:800
        
        C:\Windows\SysWOW64\findstr.exe
        
        findstr All
        104⤵
        
        PID:1064
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd.exe" /C chcp 65001 && netsh wlan show networks mode=bssid
        103⤵
        
        PID:7800
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        104⤵
        
        PID:3040
        
        C:\Users\Admin\AppData\Local\Temp\RebelCracked.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RebelCracked.exe"
        101⤵
        Checks computer location settings
        
        PID:7616
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        102⤵
        
        PID:8164
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        103⤵
        
        PID:1984
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        103⤵
        
        PID:7816
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        103⤵
        
        PID:8156
        
        C:\Users\Admin\AppData\Local\Temp\RebelCracked.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RebelCracked.exe"
        102⤵
        
        PID:7920
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        103⤵
        
        PID:408
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        104⤵
        
        PID:4968
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        104⤵
        Blocklisted process makes network request
        
        PID:8016
        
        C:\Users\Admin\AppData\Local\Temp\RebelCracked.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RebelCracked.exe"
        103⤵
        
        PID:3572
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        104⤵
        
        PID:5864
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        105⤵
        
        PID:3624
        
        C:\Users\Admin\AppData\Local\Temp\RebelCracked.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RebelCracked.exe"
        104⤵
        Checks computer location settings
        
        PID:6264
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        105⤵
        
        PID:6640
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        106⤵
        Drops desktop.ini file(s)
        
        PID:5700
        
        C:\Users\Admin\AppData\Local\Temp\RebelCracked.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RebelCracked.exe"
        105⤵
        Checks computer location settings
        
        PID:7972
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        106⤵
        
        PID:6112
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        107⤵
        
        PID:5712
        
        C:\Users\Admin\AppData\Local\Temp\RebelCracked.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RebelCracked.exe"
        106⤵
        Checks computer location settings
        
        PID:1964
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        107⤵
        
        PID:7908
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        108⤵
        Checks processor information in registry
        
        PID:5936
        
        C:\Users\Admin\AppData\Local\Temp\RebelCracked.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RebelCracked.exe"
        107⤵
        
        PID:6260
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        108⤵
        
        PID:1844
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        109⤵
        
        PID:6120
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        109⤵
        Checks processor information in registry
        
        PID:5624
        
        C:\Users\Admin\AppData\Local\Temp\RebelCracked.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RebelCracked.exe"
        108⤵
        Checks computer location settings
        
        PID:2528
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        109⤵
        
        PID:6656
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        110⤵
        
        PID:3492
        
        C:\Users\Admin\AppData\Local\Temp\RebelCracked.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RebelCracked.exe"
        109⤵
        
        PID:4024

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --profile-directory=Default
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1960
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x128,0x12c,0x130,0x104,0x134,0x7ffd8a3c46f8,0x7ffd8a3c4708,0x7ffd8a3c4718
  2⤵
  PID:5000
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2236,14076881191200675917,1434741187436589809,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2252 /prefetch:2
  2⤵
  PID:1520
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2236,14076881191200675917,1434741187436589809,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2288 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4928
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2236,14076881191200675917,1434741187436589809,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2752 /prefetch:8
  2⤵
  PID:2268
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2236,14076881191200675917,1434741187436589809,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3228 /prefetch:1
  2⤵
  PID:1368
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2236,14076881191200675917,1434741187436589809,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3240 /prefetch:1
  2⤵
  PID:2792
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2236,14076881191200675917,1434741187436589809,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4228 /prefetch:1
  2⤵
  PID:3484
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2236,14076881191200675917,1434741187436589809,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4696 /prefetch:1
  2⤵
  PID:2184
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2236,14076881191200675917,1434741187436589809,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5068 /prefetch:1
  2⤵
  PID:4432
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2236,14076881191200675917,1434741187436589809,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5128 /prefetch:1
  2⤵
  PID:4408
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2236,14076881191200675917,1434741187436589809,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5584 /prefetch:8
  2⤵
  PID:2908
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2236,14076881191200675917,1434741187436589809,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5584 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1396
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2236,14076881191200675917,1434741187436589809,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5628 /prefetch:1
  2⤵
  PID:2588
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2236,14076881191200675917,1434741187436589809,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1708 /prefetch:2
  2⤵
  PID:6740
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2236,14076881191200675917,1434741187436589809,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=224 /prefetch:1
  2⤵
  PID:5352
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2236,14076881191200675917,1434741187436589809,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3976 /prefetch:1
  2⤵
  PID:2960
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2236,14076881191200675917,1434741187436589809,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4984 /prefetch:1
  2⤵
  PID:6908
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2236,14076881191200675917,1434741187436589809,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1976 /prefetch:1
  2⤵
  PID:7420
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2236,14076881191200675917,1434741187436589809,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5276 /prefetch:1
  2⤵
  PID:7524
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2236,14076881191200675917,1434741187436589809,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5324 /prefetch:1
  2⤵
  PID:8100
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2236,14076881191200675917,1434741187436589809,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3404 /prefetch:1
  2⤵
  PID:3768

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4408

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1600

C:\Windows\System32\WaaSMedicAgent.exe
C:\Windows\System32\WaaSMedicAgent.exe f77f254cdfa19343eced2a44fb3043cb 8wRJK0phZUGFrTQ+y/nR2A.0.1.0.0.0
1⤵
PID:5424

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Privilege Escalation

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Defense Evasion

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

System Network Configuration Discovery

T1016

Wi-Fi Discovery

T1016.002

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\4e8f4bb1f0fee8e2bec7a290e55c4f71\Admin@ERHQJVYQ_en-US\Browsers\Edge\Cookies.txt

Filesize
2KB

MD5
205b4311ec1cb233fce184635014439d

SHA1
5898e5c8abb05219e1be2730163e2baee936869d

SHA256
70a489dee4057bf63a67b76d803341e46bbd3c3836cac9de26e0fac30e13a82d

SHA512
ed1b2b38ff96bdfb899a0e15763144237cacfb85be6038b8b638b699847c2ba595a31c8ec33a7a69610b6f8cee313942ed1e64187b0284850f3f9debc20761d5

Download Submit
C:\Users\Admin\AppData\Local\4e8f4bb1f0fee8e2bec7a290e55c4f71\Admin@ERHQJVYQ_en-US\Browsers\Edge\Cookies.txt

Filesize
4KB

MD5
80fbf3c53565827aa34bd027d4501e8a

SHA1
fa92dc1b6f7c7ee640e04ad19d67e0b7b1f205b4

SHA256
87bd3773b572d6ac0af5bebddb67587005588320bf64041a2d25b2843d5fa2ba

SHA512
ef2013721397799f7f3fb09fd1282ea512ae72841679f817b69e7116614775443b818dce9e117e8251f5ccae6d9e0cd70fcf1e926b63d5981db6e38c4ea07a0c

Download Submit
C:\Users\Admin\AppData\Local\4e8f4bb1f0fee8e2bec7a290e55c4f71\Admin@ERHQJVYQ_en-US\Directories\Desktop.txt

Filesize
593B

MD5
1f44162fe7fad6c671d4992f7667285d

SHA1
bdbcb395473012f971bc74f5d58e10e175fd8495

SHA256
63cae018d9d9223c76452e19ebd5ea8628671352a1ac463bda691089e2da7238

SHA512
4da8a32b3ba2eb4235d869bcffc3e7b1a3af82923d9932d2af925976b71f25fae05b8c536d3dda17c25dc178559aeb19d65ae3fac0ecf33913247a9a8ba0ca56

Download Submit
C:\Users\Admin\AppData\Local\4e8f4bb1f0fee8e2bec7a290e55c4f71\Admin@ERHQJVYQ_en-US\Directories\Documents.txt

Filesize
650B

MD5
e05268054dbd631a01136dfc93e399ce

SHA1
c03463cee0aef216d7a18a358a676df6b10cb72f

SHA256
f2c042fafe2eb66817cc13d0f384c03e1a18833e2c765cb21043cda91039de2b

SHA512
2916c8156b1e550fc21bb7b86560a13eddcae7ec4693ef007f25f4cd35da355275514fe8f3081dc190518720ca0bebd31e86efef716b40a65896107e33f248c0

Download Submit
C:\Users\Admin\AppData\Local\4e8f4bb1f0fee8e2bec7a290e55c4f71\Admin@ERHQJVYQ_en-US\Directories\Downloads.txt

Filesize
709B

MD5
69080c97b8d695bad8fd5b210237435d

SHA1
7c4035221ee1f5ab19d6ff8cc777172f5dd0751f

SHA256
65daecdc358cc2e94e6300ddbeb5cb2bfe4f160a8faaf19aef45ceac84d57a0e

SHA512
43bfb8b72ae82ff54681b1cb661b6493c79f5402f9d9af2ef35e480a072a83f7dab292175a470dd3bd86a56f0408cc2ca2bda006248f0cb49fbf6cf4c80f7c94

Download Submit
C:\Users\Admin\AppData\Local\4e8f4bb1f0fee8e2bec7a290e55c4f71\Admin@ERHQJVYQ_en-US\Directories\OneDrive.txt

Filesize
25B

MD5
966247eb3ee749e21597d73c4176bd52

SHA1
1e9e63c2872cef8f015d4b888eb9f81b00a35c79

SHA256
8ddfc481b1b6ae30815ecce8a73755862f24b3bb7fdebdbf099e037d53eb082e

SHA512
bd30aec68c070e86e3dec787ed26dd3d6b7d33d83e43cb2d50f9e2cff779fee4c96afbbe170443bd62874073a844beb29a69b10c72c54d7d444a8d86cfd7b5aa

Download Submit
C:\Users\Admin\AppData\Local\4e8f4bb1f0fee8e2bec7a290e55c4f71\Admin@ERHQJVYQ_en-US\Directories\Pictures.txt

Filesize
859B

MD5
73046716f62513dfe405816632b31030

SHA1
e9bf45f8779310bbc299e05e21c7ee7ed8ee9f7c

SHA256
fbb3666b180dc89fbc32b1a2b99af3b5e8e239212b04c3c64185f28d81a0f86c

SHA512
e2bfe826f213728186e4cfb29ac0ab3b81b44c90f2f63374f48f6adf8715032e141abd9fb72afed48c1246a6bcc46c3661be7b7a0e6c2a2a9d0e0b259fb1a493

Download Submit
C:\Users\Admin\AppData\Local\4e8f4bb1f0fee8e2bec7a290e55c4f71\Admin@ERHQJVYQ_en-US\Directories\Startup.txt

Filesize
24B

MD5
68c93da4981d591704cea7b71cebfb97

SHA1
fd0f8d97463cd33892cc828b4ad04e03fc014fa6

SHA256
889ed51f9c16a4b989bda57957d3e132b1a9c117ee84e208207f2fa208a59483

SHA512
63455c726b55f2d4de87147a75ff04f2daa35278183969ccf185d23707840dd84363bec20d4e8c56252196ce555001ca0e61b3f4887d27577081fdef9e946402

Download Submit
C:\Users\Admin\AppData\Local\4e8f4bb1f0fee8e2bec7a290e55c4f71\Admin@ERHQJVYQ_en-US\Directories\Temp.txt

Filesize
3KB

MD5
8b8298341fd7073c81e61ce51be55da4

SHA1
9a46597026eee42706ef1a0a88b25c18a772550f

SHA256
732df3b1ea186c6fbcefb6e2be357b47cd1571ea4d67bcbb797f19bceb0f0760

SHA512
5193b835ddd63dde77423bbd7a982a03c91b8d0a4a26bfa1c6679df5745e3af1ea1415a7610850d3ceabe3ba75b14d7ab779eb21e29ff4b4e5c877b7d362c90a

Download Submit
C:\Users\Admin\AppData\Local\4e8f4bb1f0fee8e2bec7a290e55c4f71\Admin@ERHQJVYQ_en-US\Directories\Temp.txt

Filesize
10KB

MD5
444779c3240a01c8bb36de9bed0eb199

SHA1
33da1dcae3cbd162b5607b46336114748da5635c

SHA256
170b1cdb6400d879d470a1fee1b46f688f877a81d9c95ce1332d4922e4b4e87e

SHA512
742cee79c2c4b8eaab3ab07eab372b85e88a5541dbd2f9206ce942191a538fb613b4261f1b28fca36735edaf8817569f053bde48da9749dcac251fd6da50c55c

Download Submit
C:\Users\Admin\AppData\Local\4e8f4bb1f0fee8e2bec7a290e55c4f71\Admin@ERHQJVYQ_en-US\Directories\Videos.txt

Filesize
23B

MD5
1fddbf1169b6c75898b86e7e24bc7c1f

SHA1
d2091060cb5191ff70eb99c0088c182e80c20f8c

SHA256
a67aa329b7d878de61671e18cd2f4b011d11cbac67ea779818c6dafad2d70733

SHA512
20bfeafde7fec1753fef59de467bd4a3dd7fe627e8c44e95fe62b065a5768c4508e886ec5d898e911a28cf6365f455c9ab1ebe2386d17a76f53037f99061fd4d

Download Submit
C:\Users\Admin\AppData\Local\4e8f4bb1f0fee8e2bec7a290e55c4f71\Admin@ERHQJVYQ_en-US\Grabber\DRIVE-C\Users\Admin\Desktop\desktop.ini

Filesize
282B

MD5
9e36cc3537ee9ee1e3b10fa4e761045b

SHA1
7726f55012e1e26cc762c9982e7c6c54ca7bb303

SHA256
4b9d687ac625690fd026ed4b236dad1cac90ef69e7ad256cc42766a065b50026

SHA512
5f92493c533d3add10b4ce2a364624817ebd10e32daa45ee16593e913073602db5e339430a3f7d2c44abf250e96ca4e679f1f09f8ca807d58a47cf3d5c9c3790

Download Submit
C:\Users\Admin\AppData\Local\4e8f4bb1f0fee8e2bec7a290e55c4f71\Admin@ERHQJVYQ_en-US\Grabber\DRIVE-C\Users\Admin\Documents\desktop.ini

Filesize
402B

MD5
ecf88f261853fe08d58e2e903220da14

SHA1
f72807a9e081906654ae196605e681d5938a2e6c

SHA256
cafec240d998e4b6e92ad1329cd417e8e9cbd73157488889fd93a542de4a4844

SHA512
82c1c3dd163fbf7111c7ef5043b009dafc320c0c5e088dec16c835352c5ffb7d03c5829f65a9ff1dc357bae97e8d2f9c3fc1e531fe193e84811fb8c62888a36b

Download Submit
C:\Users\Admin\AppData\Local\4e8f4bb1f0fee8e2bec7a290e55c4f71\Admin@ERHQJVYQ_en-US\Grabber\DRIVE-C\Users\Admin\Downloads\desktop.ini

Filesize
282B

MD5
3a37312509712d4e12d27240137ff377

SHA1
30ced927e23b584725cf16351394175a6d2a9577

SHA256
b029393ea7b7cf644fb1c9f984f57c1980077562ee2e15d0ffd049c4c48098d3

SHA512
dbb9abe70f8a781d141a71651a62a3a743c71a75a8305e9d23af92f7307fb639dc4a85499115885e2a781b040cbb7613f582544c2d6de521e588531e9c294b05

Download Submit
C:\Users\Admin\AppData\Local\4e8f4bb1f0fee8e2bec7a290e55c4f71\Admin@ERHQJVYQ_en-US\Grabber\DRIVE-C\Users\Admin\Pictures\Camera Roll\desktop.ini

Filesize
190B

MD5
d48fce44e0f298e5db52fd5894502727

SHA1
fce1e65756138a3ca4eaaf8f7642867205b44897

SHA256
231a08caba1f9ba9f14bd3e46834288f3c351079fcedda15e391b724ac0c7ea8

SHA512
a1c0378db4e6dac9a8638586f6797bad877769d76334b976779cd90324029d755fb466260ef27bd1e7f9fdf97696cd8cd1318377970a1b5bf340efb12a4feb4a

Download Submit
C:\Users\Admin\AppData\Local\4e8f4bb1f0fee8e2bec7a290e55c4f71\Admin@ERHQJVYQ_en-US\Grabber\DRIVE-C\Users\Admin\Pictures\Saved Pictures\desktop.ini

Filesize
190B

MD5
87a524a2f34307c674dba10708585a5e

SHA1
e0508c3f1496073b9f6f9ecb2fb01cb91f9e8201

SHA256
d01a7ef6233ef4ab3ea7210c0f2837931d334a20ae4d2a05ed03291e59e576c9

SHA512
7cfa6d47190075e1209fb081e36ed7e50e735c9682bfb482dbf5a36746abdad0dccfdb8803ef5042e155e8c1f326770f3c8f7aa32ce66cf3b47cd13781884c38

Download Submit
C:\Users\Admin\AppData\Local\4e8f4bb1f0fee8e2bec7a290e55c4f71\Admin@ERHQJVYQ_en-US\Grabber\DRIVE-C\Users\Admin\Pictures\desktop.ini

Filesize
504B

MD5
29eae335b77f438e05594d86a6ca22ff

SHA1
d62ccc830c249de6b6532381b4c16a5f17f95d89

SHA256
88856962cef670c087eda4e07d8f78465beeabb6143b96bd90f884a80af925b4

SHA512
5d2d05403b39675b9a751c8eed4f86be58cb12431afec56946581cb116b9ae1014ab9334082740be5b4de4a25e190fe76de071ef1b9074186781477919eb3c17

Download Submit
C:\Users\Admin\AppData\Local\4e8f4bb1f0fee8e2bec7a290e55c4f71\Admin@ERHQJVYQ_en-US\System\Process.txt

Filesize
71B

MD5
72eaaccc2882ca630dc193908eebcd6a

SHA1
dd03f55894e6d313efcacb773c5863f312aa0dd9

SHA256
8949ed26eee323182ffd03aa9281aa3fc8aa6544d1011c685cbdf076d6fd5ae9

SHA512
f6fd875611c6b7ca93fc5f6c376c0435b9483126c8583de421e66af942d6a604b013112c3d454ae0e95ecbc5decc5aabb93d342071a03378f121b7312a22c808

Download Submit
C:\Users\Admin\AppData\Local\4e8f4bb1f0fee8e2bec7a290e55c4f71\Admin@ERHQJVYQ_en-US\System\Process.txt

Filesize
101B

MD5
d6f1344cc236185e4c9ea58c29e720b7

SHA1
e4719e2c01034bbc4dbca6bd3656533c943905b2

SHA256
be238f3da22a774ba5dac0634a20e9d89252817e1f882965dd3ba64de5f7dc8d

SHA512
1e63adcdfa805e603f3860a96b048869d901915e6e8007949cd0b85848fd2c7798b5603701714e8faf0e1312bf0921362ec3e4ec134e6aabd98f869e11a7e985

Download Submit
C:\Users\Admin\AppData\Local\4e8f4bb1f0fee8e2bec7a290e55c4f71\Admin@ERHQJVYQ_en-US\System\Process.txt

Filesize
172B

MD5
b90964f6319a8b453525064e64ae6841

SHA1
4421aa8a9006d0e6c66d3dee3bd8595fa977d34a

SHA256
0121f106ee30a9eac02d556a1664c376ec29c7e16d75b8cd28d95edf804e6ace

SHA512
2282383ca2351ff0132048bf68df9820a4d2fb93442048a3e608691f52ea7f50ee1d2ac68ded91bb453cacc09053186a06ae23e4571165007b11d47e95fd2a2b

Download Submit
C:\Users\Admin\AppData\Local\4e8f4bb1f0fee8e2bec7a290e55c4f71\Admin@ERHQJVYQ_en-US\System\Process.txt

Filesize
264B

MD5
0b7b9109c93cd692a9cbe3c22ece6a1b

SHA1
ec9077186eb0aba5c9a7aa6d7d417e6aac7fdaed

SHA256
9307e4fa5c5ba22f7099e0cfcf302146913c3b3159009ac85a3b0558d041d1ca

SHA512
12a06ece9db7c20c866f6f1cd058dd59ca0b28970bde10f3219a7cbfd3691bcf9b3362bffce404591f6a7873d53c6536ab98c511d1cadfdc2e2a33e51ef4244a

Download Submit
C:\Users\Admin\AppData\Local\4e8f4bb1f0fee8e2bec7a290e55c4f71\Admin@ERHQJVYQ_en-US\System\Process.txt

Filesize
294B

MD5
8d56a71ed013eb99b236fc0b874e07e5

SHA1
34ef15793eecbc6435b2f7f629a10cc221b215d8

SHA256
2dd596cab3d42a0a65234e1a98414ca490226ee2dc8eed1d3b91928011963069

SHA512
3ed91de12b96401e0595f2510fbc93e0b5ab0cb00676a2c100e9962cbfe4841bcc2796651f6dc4f5f449b64f9ae66590fb7efee5b682841512cb6a704c8c128e

Download Submit
C:\Users\Admin\AppData\Local\4e8f4bb1f0fee8e2bec7a290e55c4f71\Admin@ERHQJVYQ_en-US\System\Process.txt

Filesize
358B

MD5
e09fd618f05866efa2df93774713a320

SHA1
3c6159de703e686040d5a581594e01182ef94402

SHA256
46b1517e30532d4857cd18eff702d5b6851e0566d7f77ed9a2d813172da6ebe6

SHA512
b99a8bae3c71eab7a022c05f0bdcba78fb617621ef90ec267afc9d98f76f944d0d39bf01cdb33dd13412b399f825aaa09b88657c883d68a094e401da79fa8906

Download Submit
C:\Users\Admin\AppData\Local\4e8f4bb1f0fee8e2bec7a290e55c4f71\Admin@ERHQJVYQ_en-US\System\Process.txt

Filesize
421B

MD5
1e1579979c4976aef702727af010a476

SHA1
5ddc1e6a92e23c8348b00abf26b523e55eef09be

SHA256
45f3d23baa089a1a266c5c12e31e0f8bf434bea55c30a51c1b8e3a0c30c46048

SHA512
9ed0a78578d6a3373f2723344c992ab218cd3fdc8646c27cf0b193ffc39b9acbacf21836ecb1b231b99d2134c1702cad54a133517f8c73d3c8e089c885d4b9bb

Download Submit
C:\Users\Admin\AppData\Local\4e8f4bb1f0fee8e2bec7a290e55c4f71\Admin@ERHQJVYQ_en-US\System\Process.txt

Filesize
453B

MD5
f69a609b1f26bed538324b0e0e519aa6

SHA1
32177adde58db915801a6ad6f3a6cd48fa69df31

SHA256
ef9abacb567ad18a1ed850a9d28d6ca3035fedf2c2760776be2c5035cb1d2fbf

SHA512
a1506123f066c39f2ba74bed5525ac4d4f21acdce3bc6ef083acdb7f915221c79fab91fae88a0f1afa84fc3dcd7ccd2ddb96d7eb4c063726dd0ea530e40d22da

Download Submit
C:\Users\Admin\AppData\Local\4e8f4bb1f0fee8e2bec7a290e55c4f71\Admin@ERHQJVYQ_en-US\System\Process.txt

Filesize
1KB

MD5
472751863533088b7a383554aba2111c

SHA1
dd2a0a97f774b339f9500fd914c5b1d0fdd186ed

SHA256
2df7bf0b2dd89328f6e8b16d670b7767b93685fdd7338e9bef9c4766e0fde6b9

SHA512
8a567c37274263cf89a4f9430a7e7409bc92197fbe79e19fb153c8581187df0b2182493147ddc5693f6a482598d2d2e54d5c26197101d26c11b613a1de06afdc

Download Submit
C:\Users\Admin\AppData\Local\4e8f4bb1f0fee8e2bec7a290e55c4f71\Admin@ERHQJVYQ_en-US\System\Process.txt

Filesize
4KB

MD5
142c64bd0f98b366d83bf0df25b871e2

SHA1
56bdb045a08c56c4dfb2960a8eb9f7ec8ed53f21

SHA256
f1d58ab4f0ac96073107052e06d86044497f48200a85cc4212f372955f8ea537

SHA512
06efa0ed5eb8469ff5a126f4643dde1eb067b63bd920459bb32b578ebec0c79040b3e7067e080f2ff84301c050dca4c5aa098388c1b02383d6cae1a60d9a4f0e

Download Submit
C:\Users\Admin\AppData\Local\4e8f4bb1f0fee8e2bec7a290e55c4f71\Admin@ERHQJVYQ_en-US\System\Process.txt

Filesize
4KB

MD5
9dc3183d7e3193673cd4760f5155ad34

SHA1
64aa1bafb44b936cd0d879ddce82e487bc6311af

SHA256
9d7073586492c6a098419a07150e624972f1b41f54699c3dac3ee33aa9afffe3

SHA512
35edae4677711f1d5c5e85b86c05185629c9b4faa0b306b9b48ff667c3ab81604482f7ffbb180b876a9ba85213838050815e0c376d4fcd129e34f3c8fa9b38a6

Download Submit
C:\Users\Admin\AppData\Local\4e8f4bb1f0fee8e2bec7a290e55c4f71\Admin@ERHQJVYQ_en-US\System\Process.txt

Filesize
234B

MD5
c9dbaa9ba3bfdecb2d0e5655e80eca99

SHA1
698d865d1fcbd969c917d0cef5b6c37e9e6de370

SHA256
b24450c009d260d86e79b19a1125abdffc797a61e12ce05c1fbcb9005516122d

SHA512
22402a5e5c0611bc5303db8778962f15ff2906511b7bf5818eb6948e743c30e58e32b11bcdc75311f3ce25de8cdaa2e1f1862234fab79931e1f275519a01efc8

Download Submit
C:\Users\Admin\AppData\Local\4e8f4bb1f0fee8e2bec7a290e55c4f71\Admin@ERHQJVYQ_en-US\System\Process.txt

Filesize
1KB

MD5
f23de21ec7d0e15e808e71622170a28f

SHA1
e98019e4016dac1b596fa5d48683cb241222bb52

SHA256
6efb648df012ca36fae45ae2bf173f31ffe8d3cdc3767e72c0f86e69b167b106

SHA512
d4637d0b41fa3cccdb0dae0b6e4ec4323854431ec71cef7b13d2e7d1dcaa30a2f8851193f154abfb53e156174e39b4f97b76c4d9ae9fd505a5fc8cdfa33c2828

Download Submit
C:\Users\Admin\AppData\Local\4e8f4bb1f0fee8e2bec7a290e55c4f71\Admin@ERHQJVYQ_en-US\System\Process.txt

Filesize
4KB

MD5
3a2b9b505d0a648efadbda6705a0891a

SHA1
6cf2f117b229538b873e4b140775646fb87dac5b

SHA256
2b5871f7a30f27618f4dab54d3c3889a32c4703ed86a8a09c0c5ec79ac08950c

SHA512
df1bc28e0f33e33183fddf457a5e5da49b4a8508ace61fcdb9c0e261ac95c5b309cdb3715676aa665faaca963ea4dccd4c9771a6887ad4f1359b6cd35e9e76cc

Download Submit
C:\Users\Admin\AppData\Local\4e8f4bb1f0fee8e2bec7a290e55c4f71\Admin@ERHQJVYQ_en-US\System\Process.txt

Filesize
4KB

MD5
7097a4423ad97c9e1f4cb33e7b5fccce

SHA1
4b119d83aaf85e2583b037af74abb34f8c2140e2

SHA256
dd26c6f2ee3279e10c3019a632c9e855e466d13fe6a7f3b16eda00bd69d45fd1

SHA512
2f85380ee200cbd115f35a3b36f24bbfee1beef9eb0a6a4038ff7cda66b48cc2b700789037e7b4e57c50fdd3cd7cf232405f82d4010c215534926c3d0f59a047

Download Submit
C:\Users\Admin\AppData\Local\4e8f4bb1f0fee8e2bec7a290e55c4f71\Admin@ERHQJVYQ_en-US\System\Process.txt

Filesize
226B

MD5
1989f702cd6137c413b375cdcff787e1

SHA1
7f2bdb87186b3f264cd36168cb2c9d6066d3133c

SHA256
a3c8184b57e43d3a827b44971cbca489a81ff22553a378d0dfa30fae38d0c448

SHA512
5513419619ede5728b54ffe609b4b40123b890030daae5866a39f1703861f64b804a4bf81e0a5f78b8e8dc9ce80c46a143b830b0c86c1ef2de6e4c9a57ac60ec

Download Submit
C:\Users\Admin\AppData\Local\4e8f4bb1f0fee8e2bec7a290e55c4f71\Admin@ERHQJVYQ_en-US\System\Process.txt

Filesize
787B

MD5
36374151c6352139342211e98fd1eb39

SHA1
d3c06e53e35b8ee2ab39b0fd0987620d24914ec9

SHA256
66605089cc05e76549305713b10d640a26ab07e39afed4c7877eea63fa3f14ce

SHA512
f514acd9796d08563d67ff2d3b796fca3acf392e7b491502a4eb0b7ed946daef9589962ae51ccdc25220d50ca28fad709e508792872a15d58af585d9365aef88

Download Submit
C:\Users\Admin\AppData\Local\4e8f4bb1f0fee8e2bec7a290e55c4f71\Admin@ERHQJVYQ_en-US\System\Process.txt

Filesize
340B

MD5
8adb09c2fa8b3fdd6b0e821d9607e978

SHA1
065d4bab85ad58e27e4200e752ea3352f5ce6d27

SHA256
ed2c2dc4dbd4e2b04f46edcb7e811721959349ede777d3f32e9af06b5bfde0a6

SHA512
ef8c3478ab14a6e9a95d73393252e1886016dd83b5cb03be7faf7831ea2cf561f66b49f1c10a8f32f66e99abba501fb41c8129e5bf528ef3c81c0c79483a91a3

Download Submit
C:\Users\Admin\AppData\Local\4e8f4bb1f0fee8e2bec7a290e55c4f71\Admin@ERHQJVYQ_en-US\System\Process.txt

Filesize
1KB

MD5
24566dda560c1e26ded35cbb4d1327b0

SHA1
3dc3e7d116929a04d11707991a15280d929ac9da

SHA256
c963e573ece16cf5d91b3ab719d9ebbd309be06f5e892bd0a951864ba42199b7

SHA512
a6ce4dfb302eabe4b092c119ba15d9a48a0319db6cf63d5062f6cd02ebcf0e236ea4742179aa374ada73531eedeef67b15811f808ccec88387ebd44ab7f79865

Download Submit
C:\Users\Admin\AppData\Local\4e8f4bb1f0fee8e2bec7a290e55c4f71\Admin@ERHQJVYQ_en-US\System\Process.txt

Filesize
2KB

MD5
aebf308d7163b18e04a05b942a025aca

SHA1
6f383caaa67a261366ad98b1dac299ba35d974a6

SHA256
2cb1422c6b49034b83404ce4393413ba737593b6f5d60606da20ecc9fd8a0c35

SHA512
42e441d373da3bcc19b45c626d1d4e7558559421b061163f548dee929273c491a520a252792744c4a1ae48af1cb1ca8113f70eef7fc83ea219be67a770ccb7cd

Download Submit
C:\Users\Admin\AppData\Local\4e8f4bb1f0fee8e2bec7a290e55c4f71\Admin@ERHQJVYQ_en-US\System\Process.txt

Filesize
4KB

MD5
e85f97ae76ee2dc7eea3240a5fc4a632

SHA1
071541e3a2f7ab4ce4307c13920940d5faeb44c0

SHA256
a6c79887280e6ed59b4bb7750da6b9f89bafeef0d818402fa2c5fa3d394b3bb2

SHA512
bfb1d0dc6d3593f6239de37e1d8a2205fed4cedba207366686828db7a82d66905fe09abda1fc9723c765c8bfcd55ab5e62da1af5104b178109e2d43d297baad0

Download Submit
C:\Users\Admin\AppData\Local\4e8f4bb1f0fee8e2bec7a290e55c4f71\Admin@ERHQJVYQ_en-US\System\Process.txt

Filesize
319B

MD5
ac00901b269c4018e0a896f638ac800f

SHA1
9c287478fa7249f94f9b16fe03f27d2e283e5ea5

SHA256
9ea6db78dfb63614588fb156cfa24e0503921cfb94cc637b232cf60d2b25304e

SHA512
ba694bc2f138705f25425f1a24a7a8631077d212ef86005206ca2d0d2955f2cbe7f542bee161b94f5ff9dc76b1bd5ed61000182db6990b3e8d63aebf9e27b05d

Download Submit
C:\Users\Admin\AppData\Local\4e8f4bb1f0fee8e2bec7a290e55c4f71\Admin@ERHQJVYQ_en-US\System\Process.txt

Filesize
4KB

MD5
eae3d0ef577555f93ad2da4d106803de

SHA1
3dd6593391172027a0dcafa99254c1c08b472895

SHA256
1288d7efe9b37ae4c4e7754611f67a4f5eb8d6619cade538e1d1e4a596a76c65

SHA512
a1084b66be55f771dca2edaeb83b4eb72ffe9595a98c4d3678b501a9738b1bb32f88d12b47c38442834493f41544d2d4568b48bf218f07836cf42528da246f89

Download Submit
C:\Users\Admin\AppData\Local\4e8f4bb1f0fee8e2bec7a290e55c4f71\Admin@ERHQJVYQ_en-US\System\ScanningNetworks.txt

Filesize
252B

MD5
995b1400cc02a81c8267b34915717a14

SHA1
e63065ebfc971bbcb9cd94bc253e05d5af998e35

SHA256
c411d6863e5fc88789c1bc8824585ccfd7af6a399ff47053578f145807ecf647

SHA512
d9565e9d447d1ae902616d54692c4b3a02227e06ae95191b33fe7167f680dd4c36ff8eb0d08f4bd8abb1956f0599d6549001bf17aadf94bd7e5af1293677326e

Download Submit
C:\Users\Admin\AppData\Local\656d76ece5ee2f4e0f454a346b44ba43\Admin@ERHQJVYQ_en-US\Browsers\Edge\Cookies.txt

Filesize
5KB

MD5
f276199cca8e7978084af8b635e35c4c

SHA1
6ca57e53e05f66b5d75973cb2289a777330fb074

SHA256
53e56ab03b266adeb15a6c3605c0ad2cc1b52ccda745bbf67127b61d1a850a2b

SHA512
e9f7ed2dba8c15949d61f1728eb4f93b2ac72301409f753db2de8749cda9c593f3311ff716359e046b54e624c69970bfa43e08522f0651106462ea2eba42c3c8

Download Submit
C:\Users\Admin\AppData\Local\656d76ece5ee2f4e0f454a346b44ba43\Admin@ERHQJVYQ_en-US\Browsers\Edge\History.txt

Filesize
753B

MD5
69a12526ea65949202fc330ac1276d63

SHA1
0c68907dbd952eee2d84941056f01380f0431866

SHA256
7737035a3e9021eda551308ce8189345f7220e0a2d166da327329c35d588367c

SHA512
ae356c92cc20d428f9573801d87cd7744fbc9869b53a856d9fb5724be305b79601859f7884761ea21e1d2ad8c956b9cd552068b6208e4ae9a2eb467d51264402

Download Submit
C:\Users\Admin\AppData\Local\656d76ece5ee2f4e0f454a346b44ba43\Admin@ERHQJVYQ_en-US\System\Process.txt

Filesize
257B

MD5
0f9c136d68d3146417595a50d1b799b1

SHA1
5b9391fd2a26326d231b588799573850844a1900

SHA256
1930052069777591eafa4a6b53452b1a265388f252a45c94ab5e65be6781bb5e

SHA512
6256fb3d4b068e15938dda26867b848d0a4c4f4a73f6b04b9442e7f02604191496325dfa69cee69df2be6f76d6a81b15798936adb8daa3d7da19d024421ca912

Download Submit
C:\Users\Admin\AppData\Local\656d76ece5ee2f4e0f454a346b44ba43\Admin@ERHQJVYQ_en-US\System\Process.txt

Filesize
349B

MD5
3b7916d59d618d947b4e0ba9bc517e06

SHA1
4cc8a23bf3bdf7d6ff030d692e9beee94123bf81

SHA256
c7ca085f113d2953e3edb7f4d324d0ebba08eef2ada6af50e1f490db3794cc7c

SHA512
6df7d3a2c2e4ff2cd60881bdc94e1212534c9e6dbad7ecd2e5eaa315d422efec49e4a47afcd4a28adce3097333a83b8baff4b5dcdda90c598d7042a08a6d045f

Download Submit
C:\Users\Admin\AppData\Local\656d76ece5ee2f4e0f454a346b44ba43\Admin@ERHQJVYQ_en-US\System\Process.txt

Filesize
413B

MD5
3805fda3be304aa86d2781d815e64cc0

SHA1
2568806515b54b9a0172ff7f295fcfc7fe705cc7

SHA256
99a4a9e42425a3ccc27c36601a24f7c905890522547d577517ada3dd53725049

SHA512
c4c98ae0efb39f6159bf45c01afc4633d74f0e4631b25ba57d3ab6664da737326936f6d437bf862dd07360a56f5442145661f7448d0ad7e7e1515b489cd48e89

Download Submit
C:\Users\Admin\AppData\Local\656d76ece5ee2f4e0f454a346b44ba43\Admin@ERHQJVYQ_en-US\System\Process.txt

Filesize
476B

MD5
347aefad0254584faa01fc9bbe352fff

SHA1
bc77071dbc0e6d4b77da5b9bd379521cbff4de86

SHA256
7faeb31ce4ee294c643d0e6c67ca8d2262e79a8e85d5d3e1bb107f17a80d4a77

SHA512
6b803fc411d80c11d3c0603c98b27beba344e8b7ab45af13e6ac93e1ffecc81cca461b81b25af158e8e542144a1cf8720183fabf44b2a3b2bd2ca5cb8f5e7c45

Download Submit
C:\Users\Admin\AppData\Local\656d76ece5ee2f4e0f454a346b44ba43\Admin@ERHQJVYQ_en-US\System\Process.txt

Filesize
508B

MD5
41fba5826361babfa35047b8e0fddbd5

SHA1
bad91e936abef5820c791c0a11988434822fbfef

SHA256
fd6bea13a6f9f9f676656f5a4aadb1c958372dec3220a63cd638592849b0a9ec

SHA512
9a015af39df12d2b4f57e55c1770f41b0ed483c229e35543e1951a5362bb17bd5b9804cefb9410e6d4cfc8cc2717c25062f58441404154f955b3fae7fa1e31f2

Download Submit
C:\Users\Admin\AppData\Local\656d76ece5ee2f4e0f454a346b44ba43\Admin@ERHQJVYQ_en-US\System\Process.txt

Filesize
572B

MD5
fbb47780e7dc261594ee9c9cfbf91d91

SHA1
7ddc259f2d63f303be553918417fc0819bf9d674

SHA256
a3221a3182dd40514daac55589b584c2b8b4db19f93743c0296b9dbac319de14

SHA512
cd416746975f9425b1b0f5e44605fc33d799df0212108108f95a79f6ce5b2d56d5fb9c042f64343688223eb6bd4cd00d92ee90143016b94d2aa7e6d01a9a5544

Download Submit
C:\Users\Admin\AppData\Local\656d76ece5ee2f4e0f454a346b44ba43\Admin@ERHQJVYQ_en-US\System\Process.txt

Filesize
692B

MD5
a046d7b23c089c716fcc7bc553726524

SHA1
ae34584e191ea700aa82e6c34fac2c9fca96aeaf

SHA256
8555df2fc2a3ed6d93b9943b99fa2f5cffbc2b9ed28b7f2718ab7714413a3605

SHA512
9ebd891cbd6acf9a81983fb23e7e7a7ee6baf10af8032fedb9b481e2cf1fd69cf86513b2eaa9e964d87591f79b807ed37872062a45e10ed6377a8f74aea845b2

Download Submit
C:\Users\Admin\AppData\Local\656d76ece5ee2f4e0f454a346b44ba43\Admin@ERHQJVYQ_en-US\System\Process.txt

Filesize
4KB

MD5
69f9d3c4042bc4ae51b70cc8426e9f5a

SHA1
e93bf86efcb7da41db94391dda826207ab17fa73

SHA256
1dbbde39ac1d8a8a082fd34e2a0275f60a9fb10ef71526c4adc953fc700082cb

SHA512
4dcf4f022b50d32f3fedf39af183c646099a0331c5a7bdf1cc767f3c46c8bebf93194067bec399cb4c657bd30a2f2a318f6b7a8a4dd84234f74719c7b4eea621

Download Submit
C:\Users\Admin\AppData\Local\656d76ece5ee2f4e0f454a346b44ba43\Admin@ERHQJVYQ_en-US\System\Process.txt

Filesize
4KB

MD5
7c38077d1e7880730934c4862d5efc97

SHA1
d25e2377055d75243f3401ef36c06d05235e87cb

SHA256
7ba662f8b6d807d79bc8529265343b00fbd4f5c37db80d28794107acf96f892b

SHA512
f32f2dac47c6ef3d160c3fe68c659ad5cac309a7b396cdbfd8680c959e6c3fd7d9162df64b8d48cfa0a23966940e92638cd91c9874ddec6045df162e4b7f470c

Download Submit
C:\Users\Admin\AppData\Local\656d76ece5ee2f4e0f454a346b44ba43\Admin@ERHQJVYQ_en-US\System\Process.txt

Filesize
1KB

MD5
441029a3917f433d686a1b5321bc9b1f

SHA1
3777eb210419b379e26a675367cdf8bb1fe256d8

SHA256
dc667871965ced8aec769a2cfe12a77a1c01d81863933591bc03c39a7c4952f0

SHA512
eaa9277b7b594a24d3717994dff94a1404fb957d0a2853dc807667c009c1c75b183d89d5c20913da63f25cc75e4e8fda6e02e2ace3c9b257d9d33f45671bc20b

Download Submit
C:\Users\Admin\AppData\Local\656d76ece5ee2f4e0f454a346b44ba43\Admin@ERHQJVYQ_en-US\System\Process.txt

Filesize
2KB

MD5
729fb207011bdd30b3d060d204558100

SHA1
1436ddd4e96e84c00fd6cc6a16bf6bb3a80521e3

SHA256
ea63b322570b1560ef5d860a14824418fb337c9fb3711d58f8b2e4508344d7d7

SHA512
4f772dfe2d142dc0681adbfdba2ce8f6c2706d33bcab8e43686a81c1fd3f9ae798744ed2e06c07d035bb1996183a4028189f081749f1acc637d3dbe4b8c48e59

Download Submit
C:\Users\Admin\AppData\Local\656d76ece5ee2f4e0f454a346b44ba43\Admin@ERHQJVYQ_en-US\System\Process.txt

Filesize
4KB

MD5
e99c35e5f9189ae030450ed780e9e61b

SHA1
e17021080520b3e85bbc5b48e86557daebc6edcd

SHA256
902bfd448a8627aaf866f5639d5d2483215ac76ad760e7c756c3af03983f5eda

SHA512
f377ea69cdc33cf8b3b419571ef1cf8d9deb7f44e6b04ccc3c941db49e095cdb5e699fc7e3893888fafed72aa67882be8db0c32f58e8beadb73ec17489d4069f

Download Submit
C:\Users\Admin\AppData\Local\656d76ece5ee2f4e0f454a346b44ba43\Admin@ERHQJVYQ_en-US\System\Process.txt

Filesize
4KB

MD5
a8e85b276b380c1031d0d82515e4fec9

SHA1
e068b2e5a1046cbf39e574224134e4174c71fc51

SHA256
56dca29ca610f22fb74a49cd36af5f8f3c9f6d1a48ba15c70c7263b741f7afb8

SHA512
49249ce0556dfd4f96a640a4804d6136412e010fff7edbeddcfee36ab9becd7d950847ced5c3a24ef977c382d6a4bf3e9dccb3eb91742243be4c8614a6661baf

Download Submit
C:\Users\Admin\AppData\Local\656d76ece5ee2f4e0f454a346b44ba43\Admin@ERHQJVYQ_en-US\System\Process.txt

Filesize
2KB

MD5
e3dc52775b8539bbd08f3e31e3b2f551

SHA1
29a0dc1362901c9bf4a10b3d4ed06ffe7664c91d

SHA256
74a5b5af42914a17218bd80da2fbe6045b911d8ff08783cfb243a98cc13019d4

SHA512
904c8dbe8c38b5c81a38b9fbd46f94ee93662dcd7413ce16657979610f16254ff5b768a4b3e85087fe2e81ae24750333d71e136953e8c4510ba74768e196c06f

Download Submit
C:\Users\Admin\AppData\Local\656d76ece5ee2f4e0f454a346b44ba43\Admin@ERHQJVYQ_en-US\System\Process.txt

Filesize
4KB

MD5
d135296ecc79eac4b10a326c3f35b354

SHA1
f120adef808195eea020723c1dba4d2ea02768dd

SHA256
c582a6b6ab5fdf099ec427658a5731b04af53d5b652235324aaf80cfad3f0c29

SHA512
656ffb7e48c9cb8c04cc1cc84e4001278ffc0b5446b9723faed03b41b5d6ab7f0e1c8311be12cd2e01456980dbafafc626f00d5037433c6efa6d9b43551a5bb7

Download Submit
C:\Users\Admin\AppData\Local\656d76ece5ee2f4e0f454a346b44ba43\Admin@ERHQJVYQ_en-US\System\Process.txt

Filesize
4KB

MD5
c19f1ba0b4ce5b8b81a3f84016232999

SHA1
3487ca94e51dc138b3f16a535265f4eb5479672c

SHA256
b1726af89602a15a28bde16fd4947a07c3799f2f9439f4e8c5846c1953e6ce9c

SHA512
ab63307ffa970191d92186fb9d1688f2a1ade359061d9053cc83ed817721b6a11a624b9271bdb41486033a13fafb140ddf5d5194b81a70296fe81ddcd879804e

Download Submit
C:\Users\Admin\AppData\Local\656d76ece5ee2f4e0f454a346b44ba43\Admin@ERHQJVYQ_en-US\System\Process.txt

Filesize
4KB

MD5
9b9f4e7fe81e729a2ec177141114dfde

SHA1
562e6646d19e6a99c88d5cab1e25737cccc74581

SHA256
704ef1dd931b81bce1780588c772bbb1c0476a1561cc6d848a3ae08f8289fca6

SHA512
6ac64a51af8a9054c7003b11ddeb1b0ff4e179a4cf1047091a86a3b30815cd02072a64b157204410cbb7250a54b876779b0ad4bb79a2ec763d7e59c2a9c7c834

Download Submit
C:\Users\Admin\AppData\Local\656d76ece5ee2f4e0f454a346b44ba43\Admin@ERHQJVYQ_en-US\System\Process.txt

Filesize
1KB

MD5
dc6edf54f533ca88dba8ffb8c1411951

SHA1
c545231b535dc936083d842e2a118b7ea0792b66

SHA256
7b32c3e615a8e73fa6e305ab698cbcdafb0aa5afb9e156326f4a1988c26bbb96

SHA512
4b6c463e532ad66aed4d5d42bb77ba6dd5c7b8166a763cb9eb1b6bf17d1453d7ffc29301349c725700432554c686d85af846d22a513818e43f254222377a2758

Download Submit
C:\Users\Admin\AppData\Local\656d76ece5ee2f4e0f454a346b44ba43\Admin@ERHQJVYQ_en-US\System\Process.txt

Filesize
170B

MD5
ac8789bbc1ecee07eaed1d880f9c3096

SHA1
86536653978a6c8fb9aa0872b00ac79ebb3b83c6

SHA256
dc5c582399927dbe3af461a1c9c83afabdd0dfc206382fe8b57060be6c6a9edd

SHA512
3ec69dcbadefc85f4988ae2dbc8acd3cb23c0256aee131e4a38fe7a4645a89d6f2b9b88bd408e305f0eab7115b65a69435226e1ec68e48e3870b35b6a9c68469

Download Submit
C:\Users\Admin\AppData\Local\656d76ece5ee2f4e0f454a346b44ba43\Admin@ERHQJVYQ_en-US\System\Process.txt

Filesize
4KB

MD5
201875ff5d5d834420894fd39efb88ef

SHA1
d12f70f29cb46485c2400cb876f5ca9e49c422ec

SHA256
2e7ac4de6699a61f742492803d9ad41fcbe1cff03c2294933e440ac4a30d0820

SHA512
3c1dcaa92e3fd3480f8729e9cb502cc6d286df3b5e16514cb4a582abb0b50bc5b4239fb3955a64ad5c558b052f47ca2c0a6ad7610c26fd4be47cf9732261e092

Download Submit
C:\Users\Admin\AppData\Local\656d76ece5ee2f4e0f454a346b44ba43\Admin@ERHQJVYQ_en-US\System\Windows.txt

Filesize
175B

MD5
569d904eec75272b64d5ccd80107e849

SHA1
6dba1a61ffab21132c700284839b3a85cc87fc79

SHA256
912decbf980daf21e2467a669f7aeb4c6498ce4945bafc1e33241837747f9f92

SHA512
5f1b3df884b4cc7f63bd8fafa0bffde90e5348cacb5712183ffdf1b2391e4a11268bc60a3cd9196b314f74b03474f420b17555ae37b58273bff8bfc6d49b93a4

Download Submit
C:\Users\Admin\AppData\Local\656d76ece5ee2f4e0f454a346b44ba43\Admin@ERHQJVYQ_en-US\System\WorldWind.jpg

Filesize
86KB

MD5
6e2cb31ba1737a0e6a171a2573c3bf4a

SHA1
b7287573df8a21e3f720877269fe7d18a4d80404

SHA256
5becd159098dbea081de3d22c11ce1ea478160b3e1aa12778bb12f2512121efe

SHA512
3ad953e45c199ad16ceb48e118e2662a94f76566f57ce5635038996979fcffa4ab1b41628f93d0b4dd89d7154c70a0c6ffa8434b5b448cffb3b0f240481ddffb

Download Submit
C:\Users\Admin\AppData\Local\7b09d57dff625c59e41b5d8cc41e4ef2\Admin@ERHQJVYQ_en-US\Browsers\Edge\History.txt

Filesize
637B

MD5
ac9f9cc43ad4449512e25c81ab386804

SHA1
abdb9a1bf30d464fcaf576c9c42444aa48378aa2

SHA256
00a512827dbd6b2fe02b3c4bbf558cbb3fde2f1c6136dbb21af4647108e16dc4

SHA512
1477108b562a2b7f2eb065847724a0fe7e0c551eef86d3a2f83fe7b3ed895da4eca078ee904f2347325bd8a9cbaa1381b4fb072b178b7f1d03dc951f0003209c

Download Submit
C:\Users\Admin\AppData\Local\7b09d57dff625c59e41b5d8cc41e4ef2\Admin@ERHQJVYQ_en-US\System\Process.txt

Filesize
4KB

MD5
b2362b8d1c4f81864b6d7d3485947054

SHA1
c9458d9af02d3523fda7f6678bc5855d155599b4

SHA256
8f7cc2a8265216f004dd11c0a64123810419aea65c17bd5577690d113e0b6d75

SHA512
191e1e0f5bb45c3a53dad311ce9af47e8e1b6ae37671736f2c41aa8b0b01eb79476726cc4905a30f0277c33984b0c1ec631153c5126c462cc3264df41b0463e6

Download Submit
C:\Users\Admin\AppData\Local\7b09d57dff625c59e41b5d8cc41e4ef2\Admin@ERHQJVYQ_en-US\System\Process.txt

Filesize
4KB

MD5
6ea151b3cf82cf850e9066dac16cd878

SHA1
cdd3e6e1c021306fca9430d567e934e1de4dfae9

SHA256
b45e5ab740f65315bc01d4bd37b9a8013d1a07c2829ae3d71e7d3d089575641d

SHA512
40720b9c767af8e367ed52265b3f0c4ae6d873bf0b779dbcea6cfde1396d90114b0542d0f7684e46b7a3cd6deb5f5a3b14fa16d22224802b63e3979c27f15552

Download Submit
C:\Users\Admin\AppData\Local\7b09d57dff625c59e41b5d8cc41e4ef2\Admin@ERHQJVYQ_en-US\System\Process.txt

Filesize
4KB

MD5
a18571f008d5739204da3a90eb49c45b

SHA1
07d7f84531e539d2d13ed1e047a6c5978845ef80

SHA256
529bcb06e33e38bf760e80e22015a305789aec59ebd01e0c5ce7dba79dc359b2

SHA512
cab6cab613ff5b154b1d147640a81b0f3b464d75d650618b1ecfb98e5137714106423fd72b48b3ccf4ae40f04fb22e8739508e80115c6e89fd309c654f10c6b1

Download Submit
C:\Users\Admin\AppData\Local\7b09d57dff625c59e41b5d8cc41e4ef2\Admin@ERHQJVYQ_en-US\System\Process.txt

Filesize
404B

MD5
9f905cb2148ff080be14e551b76a1930

SHA1
886d9f0fb192057ef4e08ce83b2b4d549abc72c1

SHA256
4c25b7609e0e8b169b85a304be7f113b1eb59dffcf9c382b5d4cc730eb14f89a

SHA512
af1e448254e6ab093a695266c49eb471bc268caf7bea054c4b7ce9de5903ee703c4ce8d1baf3adb5540cb95bf5c3c2412a94b8e5edb2a3f9620b3a9f9ff7a968

Download Submit
C:\Users\Admin\AppData\Local\7b09d57dff625c59e41b5d8cc41e4ef2\Admin@ERHQJVYQ_en-US\System\Process.txt

Filesize
1KB

MD5
440a9952492383b6147fcc4c83daa410

SHA1
dacf195549ea9a428de4617c854a364aaf919964

SHA256
cc4241f30adbdc86064ff9ed68321e1962b7f34e6b2c62de57008b98353d8d86

SHA512
ee40e3aeb9cc22b30a9064ffe6f1e5a148dee1c94343e4a3054ea6784c00022f22d2d91210fb5e8dbcfd4d08775776d8092bfe6227bb964f5ab4eb3728105a13

Download Submit
C:\Users\Admin\AppData\Local\7b09d57dff625c59e41b5d8cc41e4ef2\Admin@ERHQJVYQ_en-US\System\Process.txt

Filesize
4KB

MD5
388dfcc44ecd144ce7d5b774d43da12c

SHA1
ddc0b3e3bc55b0d50349580720399207769c6e97

SHA256
a77698aeacef875adaeb14c3deebb820953d7a87adeba574da479556016e469a

SHA512
acc6ecb6db854d0bdbd4bd8e6ebffbe00f19d45882cc23e6ee5c0369520417e798ff481aa36ce0efd3d18115aca6d4645ba05bba19b93055f39ec7c912ac1e5e

Download Submit
C:\Users\Admin\AppData\Local\7b09d57dff625c59e41b5d8cc41e4ef2\Admin@ERHQJVYQ_en-US\System\Process.txt

Filesize
4KB

MD5
bbb6ada3849580d1cffc85c3dbd702b8

SHA1
afc4e818784fa66568be4f4455257b45631b390c

SHA256
beae6b1bd843b09fb6ebad6e89574ded5632bdc91b5334ffaf3836388d08a07b

SHA512
a1d771ebefbda042b3f88fe7fc5996d041b333bba10b0a37bbf9e3da209adbf5e21426ad03e82fac174a0807f765bc8aab4937cd11338a0e7c957a8296225ae4

Download Submit
C:\Users\Admin\AppData\Local\7b09d57dff625c59e41b5d8cc41e4ef2\Admin@ERHQJVYQ_en-US\System\Process.txt

Filesize
556B

MD5
927879e27b16fa25f208719c791e46ba

SHA1
ac842033f09d48c11f77e830e09df61112cf3a60

SHA256
0c4baa77553d0c40bf738e7cfacc7fef67bfa78ba0c6c9258db335ca8b46e324

SHA512
69c5e6d63d6103a9be0f20ae86f528b55a64438550b35f7b9252c90094f339a83daebcc82da4820c03d613cca2cf88d3d157f77757e7a95b96c8d405425691f9

Download Submit
C:\Users\Admin\AppData\Local\7b09d57dff625c59e41b5d8cc41e4ef2\Admin@ERHQJVYQ_en-US\System\Process.txt

Filesize
4KB

MD5
aa5dc0de0e74722e67476dfed3f9ebda

SHA1
55ddc1e3c3e80a6d8558088a1c7736984a20c748

SHA256
f565e58d0dda1037c17d68a2c19d831702d5895c54167ffe0dd42aff055c72fe

SHA512
0ed897b25ca0e808b48c9b17631efe740bde80c04094247a82d91304dc2e060d23a10ff2349101c76c330ff8202226d70ecccfd07ce8f9473b0d61d8c0c4c439

Download Submit
C:\Users\Admin\AppData\Local\7b09d57dff625c59e41b5d8cc41e4ef2\Admin@ERHQJVYQ_en-US\System\Process.txt

Filesize
690B

MD5
c94a0163ce8fddf8f1b5cab0995525de

SHA1
9a221459ca4489fe19349a400b5d9bfd1a2a0243

SHA256
d7f08e77b9e99e62c76c40c7eb58e4f51e7dbf2253b04c99cf92d2347a10ebe0

SHA512
a1caec7b31bd452924f57c0860d99242d968bca3d192667932a77fc6d30662a2d4708c612662c5d0f3e9a73079b51962b1b861b84f12185721a96fb8bfd2174a

Download Submit
C:\Users\Admin\AppData\Local\7b09d57dff625c59e41b5d8cc41e4ef2\Admin@ERHQJVYQ_en-US\System\Process.txt

Filesize
4KB

MD5
375f2c486799f8f9c5c2f8adffbee29d

SHA1
5e0d886e9b5ff3917222a9beb628a9c2611b1fd9

SHA256
f66edba50bf294d37132da80971a0d65c8d11f7fc1f29f43c62971002ed8276a

SHA512
1915e694510b7bd46f7df0becf298c9aa8164b8e23a3b2ef08f0289c64a60cfd5c9a0fa4f5744ff1f76698f364815d7fd3e59c936de4084452b3f86443f463e4

Download Submit
C:\Users\Admin\AppData\Local\7b09d57dff625c59e41b5d8cc41e4ef2\Admin@ERHQJVYQ_en-US\System\Process.txt

Filesize
4KB

MD5
70848567fb91be5e3d32790a34871b42

SHA1
8ba4de68f87ce6ad98974650c078715a5e5f9e84

SHA256
29493a2ff151b549ed0bf2cfce0bbe9a8da23bea572b1a278608384f45814da8

SHA512
191e6dbb30531c0dada2da042af490a4630669b88acc29e4448ebdae657d09c1425662a4e3922c35fb1b72b560dee5ef90f22aa9cc99ac78fdba83979696ce3a

Download Submit
C:\Users\Admin\AppData\Local\7b09d57dff625c59e41b5d8cc41e4ef2\Admin@ERHQJVYQ_en-US\System\WorldWind.jpg

Filesize
131KB

MD5
5bba0c90b3fbf2539c256994626bda2f

SHA1
b708bb3a7970f2a6975d9a443ccd8385acb1e760

SHA256
5206a427312e626afcec308e1355d17f60136f76b1bc93200dda8e8b6a159b70

SHA512
acd40f723d6a39c5accaf7fae3e52271eea98944bd1fab2d5b7ac311d0b8541b2aeb3b6fd0c6efbb9ea09be622cb9fddeb2edb701979b5309e1879db5540b9ad

Download Submit
C:\Users\Admin\AppData\Local\7d4e116d7913a9dab7bf3ab58c16012d\Admin@ERHQJVYQ_en-US\Directories\Temp.txt

Filesize
17KB

MD5
f6f6dead14b5799074da70e5103fcdac

SHA1
a3e6a3be603c09e6ae8a9a47dae16891653d4754

SHA256
72d7dee0c0cd6929e071e2ea138750ac5d5b82654328e7fa9b59b9ca590eb716

SHA512
4a28013d44eb99090c026eb1eb8a51e1247e08bfc3f9a34a6b21c34649ef6c217f7923dff3a734ab10ff2896d0734f62c976a1610dcd1db7e1841641d261ef76

Download Submit
C:\Users\Admin\AppData\Local\7d4e116d7913a9dab7bf3ab58c16012d\Admin@ERHQJVYQ_en-US\System\Process.txt

Filesize
517B

MD5
599c3f2178830ec04e56d1af5609796e

SHA1
41eda9ef534365412585fe495197cfc931e6fc62

SHA256
a06ac50607a7d041773a5f7aaaf49005a7f9135dae9925a7ef4abf5468911c2b

SHA512
fe97e74b90f85d0036749b839841697882436e5271cfb3111eb45c39024ba0b3cd2e7ec47fe94a5d2b50464f6aedab6701da571b0d1f879be70d13ec0aa47a20

Download Submit
C:\Users\Admin\AppData\Local\7d4e116d7913a9dab7bf3ab58c16012d\Admin@ERHQJVYQ_en-US\System\Process.txt

Filesize
637B

MD5
656c9fca6372ee29342a53a36e1c1626

SHA1
44663704fac97fc13f5a40c2eb1bdb2c15438a1f

SHA256
8a01f526ad634680ae183e208763613e852965cabbefb01b6cf441cc65009637

SHA512
440a5896266f243c91cc664d85bde6eb4618c4ee7c1b5d99fa06581b635b3bc239329162935f19e3cb1750f16dc7a40d2d22d818f64ebcab3c136191fde3bcab

Download Submit
C:\Users\Admin\AppData\Local\7d4e116d7913a9dab7bf3ab58c16012d\Admin@ERHQJVYQ_en-US\System\Process.txt

Filesize
701B

MD5
145bffea13aaf284b676d11cbe08ffce

SHA1
faf34637e4c386509290b3243a40dc95aeb8b564

SHA256
f37b082b31e7d2c6ce80cef9480d4b0e5b2ccfaa8903f6ffe2207ae3d5e2db79

SHA512
27dc3fedd985f97b813c454a15f2a11afb49087e993cc4012646619788b0d9a9904ff323c667bae8f93753022bf6fb93bb19bf67a732a0013c1515a77642ce1c

Download Submit
C:\Users\Admin\AppData\Local\7d4e116d7913a9dab7bf3ab58c16012d\Admin@ERHQJVYQ_en-US\System\Process.txt

Filesize
777B

MD5
3568b809fd9a1d6a95cebb2765ec222c

SHA1
df4732531cb7b498907574632155a1a70413c762

SHA256
20e02da17040586c528b04c3851f9a3923722669657ede23f01d8b03266f4027

SHA512
dcbb58871f90c77451e345292395f2cf018386e22bf435cb245da98b95f4f3eebfabb14e12f607a470277c590e5182356355a51e296f6dc0d08abccba87097d8

Download Submit
C:\Users\Admin\AppData\Local\7d4e116d7913a9dab7bf3ab58c16012d\Admin@ERHQJVYQ_en-US\System\Process.txt

Filesize
4KB

MD5
fd080fc284d290b1f68fb16cafe72e0f

SHA1
5535b1d9d8177c01d7daddf804436057437d3f20

SHA256
52c85f208c1831b498705525e84171a9d940358b6e02109fb45c8fd522e6911d

SHA512
0601b917a0f1cfef7338cd7f215854b51a29e690e468b65c7c5f98c43a1b7353b35b96f0725c554eb19a7346f4db8dbaa896aae010dba1d653c927b38053338e

Download Submit
C:\Users\Admin\AppData\Local\7d4e116d7913a9dab7bf3ab58c16012d\Admin@ERHQJVYQ_en-US\System\Process.txt

Filesize
4KB

MD5
4926dc9de07c1a53e2e0dacf59f1fb23

SHA1
815bb8b75df1c01f1de61cd25df935d95318db4f

SHA256
745566825b67c849da191c58b3ad0faa6cc13f75ef78035575a1719095db1329

SHA512
635d5e3fa531d17bf23aa0c3a79315790a46d50a36423e197e146ff5058b5e88b123e8ea8fe0f1b40d82bc2840e78108e75767d1cbb6c518585501d339c475aa

Download Submit
C:\Users\Admin\AppData\Local\7d4e116d7913a9dab7bf3ab58c16012d\Admin@ERHQJVYQ_en-US\System\Process.txt

Filesize
4KB

MD5
98e489bc9c7311753d686657c527268a

SHA1
d049dbbba98052fc437f33b751eb1d07797a1b75

SHA256
1496b2b85c2067b40e53e18c688624119484de9c82c6838037d594550685eeb9

SHA512
2d03d0af314f5d3f4a261adfdbf610ef78eb2313e2fe8edf368d0785ea3c595b16992774cb41f6cbd0f9bd569a2245a59c953138925da3af95674692bc079ea8

Download Submit
C:\Users\Admin\AppData\Local\7d4e116d7913a9dab7bf3ab58c16012d\Admin@ERHQJVYQ_en-US\System\Process.txt

Filesize
4KB

MD5
09fe11742a255e5d3f5ddf5b84121ae1

SHA1
10ed3fb82bc93ae121fdd3dd6b3dd40bbd37acac

SHA256
fd04a243a8ff14baa3f530865c2b0e487065c0790d541275ecb41795c71c895f

SHA512
07028086e21003e984acc1b40fb009b80e7d90e6aae543401608a7a3d6e044a7f6bfc649471c0b3d2889068587f6d9af1f2f32d181682bb215bbc570a4757820

Download Submit
C:\Users\Admin\AppData\Local\7d4e116d7913a9dab7bf3ab58c16012d\Admin@ERHQJVYQ_en-US\System\Process.txt

Filesize
1KB

MD5
6143ddc8af892e22273eb0234958d7f5

SHA1
de5fb1390bad142a2b197fb87fd18f673c026cbc

SHA256
70d84f6eaa28e669391055d4064e49d5c5c696a9d6938189caadccb039fddec4

SHA512
9b5759ac86231f89363fc7370bef15f052014d78dca220a6d17d1abd144005c599d7660945455a0bfb88ee51a4047baec27439dbf39bf3cad81cb1268972861c

Download Submit
C:\Users\Admin\AppData\Local\7d4e116d7913a9dab7bf3ab58c16012d\Admin@ERHQJVYQ_en-US\System\Process.txt

Filesize
4KB

MD5
8638c566fe46b30fdfe7cffa7bb967b2

SHA1
2000fa54d90cc891162b02a75346ddd86c733160

SHA256
e342949c84949110b20342d4611e660884713401339c09fd01577a52c1f09d1e

SHA512
9c83f59add107a9951afe486083891663a8ec16ed45a3c290260e706de330d897c9885cb82cd9185a256b2b7447a2d4ec0dc2c20c338e4153017b959b4c5bd07

Download Submit
C:\Users\Admin\AppData\Local\7d4e116d7913a9dab7bf3ab58c16012d\Admin@ERHQJVYQ_en-US\System\Process.txt

Filesize
517B

MD5
e3a5337633b764804cdfab193afc72cd

SHA1
93cbc8ec6bcfd78ccbf2276471f101bdddb7ffb7

SHA256
9e9b7a12d4b75e1c9276867629af0a4d10f83ff286c9c2193dd00becf31d674c

SHA512
b67ba8617d45ac0b2b68ffdf28fb0d3b405e6945a0f708c3e9a89ec760b9477d06c850b07b6000a2f9742843f20fa6ad27fa686fe3a9fe6433f283765c92d41b

Download Submit
C:\Users\Admin\AppData\Local\7d4e116d7913a9dab7bf3ab58c16012d\Admin@ERHQJVYQ_en-US\System\Process.txt

Filesize
1KB

MD5
e855015d95ec2aaac346418e7ef5facf

SHA1
29b6ce2720569777142fea7218a1fcae68f2be9e

SHA256
99ef5d0a40f01811988a826a52a567732e1e3ff41802348d9d15acff7fdf472e

SHA512
2307e0ccf88440d6b6946295802e85da6590dc45d19c5dbf7e0d431db5fe7569b2ffebbcc1b7ccb2a99837d9881347ad56727e1103f30fb623f70164b4682d48

Download Submit
C:\Users\Admin\AppData\Local\7d4e116d7913a9dab7bf3ab58c16012d\Admin@ERHQJVYQ_en-US\System\Process.txt

Filesize
4KB

MD5
636254d41b42a24aec03162ea21f5ad7

SHA1
f8630609598ade1ec4651732f42ee9c33ee9c3fb

SHA256
d7cf591abd88bf070c1e69d64300b2e50275fcbcd954aa23b022f7ef82062fdc

SHA512
2732909c6509e51297d618c506eb130ebffb51b9618322540d9f71fed83fd3156598eb57db1381606d10f1c9a9681fc2d069c18437a88b5f15cbca903a4d6b99

Download Submit
C:\Users\Admin\AppData\Local\7d4e116d7913a9dab7bf3ab58c16012d\Admin@ERHQJVYQ_en-US\System\ScanningNetworks.txt

Filesize
168B

MD5
9f11565dd11db9fb676140e888f22313

SHA1
35ae1ce345de569db59b52ed9aee5d83fea37635

SHA256
bd652c6bfa16a30133dd622f065e53aee489e9066e81ecb883af1c3892af727d

SHA512
d70edbd84693afbdb90424b9f72a4bd4a51bd27c719506e17a58b171c251046aea23ca7228ccd8b98b47cd8eb1227bc2d90a07c4f50e8b080f9a41d253935ace

Download Submit
C:\Users\Admin\AppData\Local\7d4e116d7913a9dab7bf3ab58c16012d\Admin@ERHQJVYQ_en-US\System\Windows.txt

Filesize
140B

MD5
396503ab865f0098765987e6137aefde

SHA1
8e661e8d95055a24c9b3438ae85aa1cb0d6f70ff

SHA256
cda85268304a12a391363985c12574301765d519d85da138b69f61d4380551b1

SHA512
5e7381d51bd07477af5e3727681fe7a4c369c255a42ce65789e823ad31c49141fc78e2018a8391d10d8f0387c505097d42ceadb6fb64177bddd9f0151e835846

Download Submit
C:\Users\Admin\AppData\Local\7d4e116d7913a9dab7bf3ab58c16012d\Admin@ERHQJVYQ_en-US\System\Windows.txt

Filesize
302B

MD5
c669ed3db9f75baa660fb57e0aa85173

SHA1
95216f7145c180b2f37a9bb19c581ad09cbb0317

SHA256
71250ee1f91c5daa36441bf017c10d7005d7899b31250d06b59697fc209bbc4e

SHA512
d968945913f7127de2c92acf7970a854f69d8ea097e49a4ae1e02c0a3571a705dcd3078f2d2522730f12a03b7a39968d4e8cf8b4d7e75e99c62d102e053e7969

Download Submit
C:\Users\Admin\AppData\Local\7d4e116d7913a9dab7bf3ab58c16012d\Admin@ERHQJVYQ_en-US\System\WorldWind.jpg

Filesize
86KB

MD5
59057a993b1879dbaf5f2ef8d7b6f086

SHA1
bc233d9f31e7559bc9bf102b8303521eef85249c

SHA256
c297bda48cbd573dcfa8dca61c0c540baf94896b936769b1806903fb03988937

SHA512
995b899157ac0b623efe0c03e1c2fa3e161eff24e8d6e47d4db7044a7e1718ab5e8ddc4941b9aa949b16c2225149aa7ca0b9630d61479ce2a6de50dd0e654136

Download Submit
C:\Users\Admin\AppData\Local\7d4e116d7913a9dab7bf3ab58c16012d\Admin@ERHQJVYQ_en-US\System\WorldWind.jpg

Filesize
130KB

MD5
5280d7141f09a60af36629b3b6318631

SHA1
0aab1745a78ed808d851883b1806509d341fcbad

SHA256
3bfd8dabec8b84a03fab8bdb05ef850de52be1e8bee70ff684925d8747026222

SHA512
866350206286d43d94d409c4983e43c5c8e16b4ff37a88c0014a23b375f6085f983dae03b6a091a36f35a18cf02f04f5b95f6f554cd358a399f9326fdfc56c07

Download Submit
C:\Users\Admin\AppData\Local\8fb59d67cfe559e22530d7f5a0ec92bd\Admin@ERHQJVYQ_en-US.zip

Filesize
11KB

MD5
363c35924159253bcc52590568b60297

SHA1
31859b30f93de9bcbe3011474de2d2d0ecc7ffdb

SHA256
75239b0ad5f963ca6bce33df56b0fbb15252d97903182a116141cef0ca997366

SHA512
2b17d5b2988207c1fb69081bc0a36348a2c76f38f3b23e94940e876c005e3756a9732f63b64790f8a6d554ab0cb91a65a2b3a50bcd269448c6c8c602f7740b04

Download Submit
C:\Users\Admin\AppData\Local\8fb59d67cfe559e22530d7f5a0ec92bd\Admin@ERHQJVYQ_en-US\System\Process.txt

Filesize
943B

MD5
34d0ee6ac9f1aabc08bc36f1f7a4e24e

SHA1
43d87e1e81db8c75d7a6c93ace431125666fd94c

SHA256
24338ed50c0c0ace961cde4b6ee4e8972c210a8578ecd1bbde5157c44ed148d7

SHA512
29148a8059d5fce482e67dcd0a495624da3cba3d33967a67a4bd28dc7b9da11f1563ff3d15122f318cb8c97fce08b6e1e79d9f2f706470392410cb1f9cfc5bf0

Download Submit
C:\Users\Admin\AppData\Local\8fb59d67cfe559e22530d7f5a0ec92bd\Admin@ERHQJVYQ_en-US\System\Process.txt

Filesize
170B

MD5
4f9a3e7372225822f6d12ce85545a070

SHA1
dac9468a363da88f602ecd37d2f982f16bbab53f

SHA256
f32bc2bf9408f06a301205efe83bff9f2adffb12993a54dd914d796d70183b81

SHA512
e39aa83211b9bd7ca6014fcd53c144dee4a4c4e4749ffe40456fe4e7dc4cd0a832e58376a8bb7b7ee4fa52b9f937ebe11e0673e6fbca78818cf07729bb636b0f

Download Submit
C:\Users\Admin\AppData\Local\8fb59d67cfe559e22530d7f5a0ec92bd\Admin@ERHQJVYQ_en-US\System\Process.txt

Filesize
234B

MD5
32cc0fdea08ffc575dfd38b486e481a4

SHA1
d6db988f416889df74d7e2e13af4cfe36747cca6

SHA256
5b136854d62de94309fb7f1ab7cc51f555d08c1192f03310ed98edaf72e61e32

SHA512
ede853c74d18c72d7b4600c0b040a4ab4a80ff6a6823c51150227686b08006567eb9d1dd57c26e8a782736afd1d1b8057ba371f0c17dcce2546891fd1e3a5471

Download Submit
C:\Users\Admin\AppData\Local\8fb59d67cfe559e22530d7f5a0ec92bd\Admin@ERHQJVYQ_en-US\System\Process.txt

Filesize
2KB

MD5
69d024ad4a44dd7a846808f2e75ae7e8

SHA1
5b41a149e267d73c06719fa8ad1aec6edc4a5382

SHA256
4f2ae9f84b83879b75233421e5d7cb1a1893faa6e3f5147b547ce1d5644b0b5f

SHA512
470a31f9f9fa9f1b799c82c605e3b04cea51984362af27b307514768b753299b98e433414937479d3c8ce373c8dcce80f4e92ea8eee3d2a7fbc8496fdf878483

Download Submit
C:\Users\Admin\AppData\Local\8fb59d67cfe559e22530d7f5a0ec92bd\Admin@ERHQJVYQ_en-US\System\Process.txt

Filesize
2KB

MD5
37270ac0a3a7b98c6b94031e0ae9f494

SHA1
59c436994b71db9fcedc87d7996d31bfd08290ef

SHA256
1cd02c36d58164ff2e977836cfc51d5c1987249c3090060b6250f051c8943c62

SHA512
92faab7a266dd0370e5980e913395b5524b69e51ec06046b3b97128ecc08d5f30bf81c47da325263a1fcfbc3c0b122d7fcc2bb7c7e2f130e31aefbe41f859c00

Download Submit
C:\Users\Admin\AppData\Local\8fb59d67cfe559e22530d7f5a0ec92bd\Admin@ERHQJVYQ_en-US\System\Process.txt

Filesize
4KB

MD5
97a74e0a1ec4a9758578fc13a1cf8514

SHA1
fa5adda84e41dccb4c5cf51d3110822e40d8a758

SHA256
1e141efff0745e6fbb508b9f256694c20f449b591ecfa72be5f53be1b9eab132

SHA512
5792711134ea0f25d1ba599232dadf67dfd2d7409083ab4d20baf514912649c3997eac797dd5c00ba59f4e670dd1a3e432d5a8f8f46d108f5cbed7ce6c1aa0ca

Download Submit
C:\Users\Admin\AppData\Local\8fb59d67cfe559e22530d7f5a0ec92bd\Admin@ERHQJVYQ_en-US\System\Process.txt

Filesize
4KB

MD5
c9cfabcf79eb14c6df5565590308eb3c

SHA1
3d6866472474ace5e9145df882c00dd553c5cdcf

SHA256
a7a25fa9fda0f30fca7f582a6223094a74653ed66bf7050f7704de9aa350d03d

SHA512
1fb5765fa769e57124bfd237adfbe4f278a0d348650cde3cc4c9c25fe37c39c3334658f5218509594b98e1f3b1c0ef66dad62ae013cabe8ec26b8791853db10f

Download Submit
C:\Users\Admin\AppData\Local\8fb59d67cfe559e22530d7f5a0ec92bd\Admin@ERHQJVYQ_en-US\System\Process.txt

Filesize
2KB

MD5
bb3bad14fd45780e5ff7e4c11bbc7ab5

SHA1
71d6269eef1a9796d302515515119da28ba995d8

SHA256
8a5ac478b10cb0d20853d155ba8227e205e61512d4a654527523a182466580b3

SHA512
bea494c214d728f99bfab4b93a29f8497d60b7abdb20034a09b8f68a2ad166d1140ccce9b46b9263a7b4e291457e37daf0cc02aacca36540d6e0526a9788cb47

Download Submit
C:\Users\Admin\AppData\Local\8fb59d67cfe559e22530d7f5a0ec92bd\Admin@ERHQJVYQ_en-US\System\Process.txt

Filesize
3KB

MD5
2f13a14f4748dd4e55972270a28df55a

SHA1
8360a1c68aa62671828679c23cb9fe7d76e9dbb7

SHA256
879e13a2c6b2b6088aca09d4f3384b9d1e7c60b9c61762f547cd8392f5f0b91f

SHA512
351c6923b342d5e316a2ef93d92b26af49199af8cc0c00184c2fe401e0f594e140a8e5260fd6af9b33974ebd888b435542c420fd0da07eec58fda3b30f2a5b77

Download Submit
C:\Users\Admin\AppData\Local\8fb59d67cfe559e22530d7f5a0ec92bd\Admin@ERHQJVYQ_en-US\System\Process.txt

Filesize
4KB

MD5
9554081a8697b3da0b917959ed903040

SHA1
1bf3cb5448767993fefd931ad5bed97d4f73fd77

SHA256
90d879e0235adace608b77ef898525e7c9a99c73bb58d22857962a0d8c2655b2

SHA512
4ca4fce3aaf59862800041e4b6cb0efe46674594599063baeb8c99a51db776a797faaf541871c53c6639f3b17d630acdfb58b3b9d839e8beb53278acd8efa187

Download Submit
C:\Users\Admin\AppData\Local\8fb59d67cfe559e22530d7f5a0ec92bd\Admin@ERHQJVYQ_en-US\System\Process.txt

Filesize
4KB

MD5
629929f435af749b6434bfc34569ad3e

SHA1
a41280e72e2545d1c7764e9205f30996a8ed9489

SHA256
2b46358a3d3d783c1094bbfdf17347c3b2597bddbcd7156b7a2ae42c52049712

SHA512
41ea532e275f20974be0fcdb71bb5fe3958c00ee873f4dc814fcbbc0487ab8a614cd1d33c0ef6f5e06b074e6c645fa2eb174486fb4263b1abd83fefe8723d4a6

Download Submit
C:\Users\Admin\AppData\Local\8fb59d67cfe559e22530d7f5a0ec92bd\Admin@ERHQJVYQ_en-US\System\Process.txt

Filesize
4KB

MD5
9bd1fa3259470eaebb84a25f997ca22b

SHA1
bae42708ff8f232fd9193cf0b402020fd61c51c1

SHA256
794e85975b6a992a10bfaebb0a3321edf660b33ab32dc6a2792a7a2799d4f045

SHA512
3b10ac1b7bab9605d19eb89005c70a3827a523bd260a7d7034937beff27c012e9b187d33a2894a523cfd05b97750ed8851f642966f2ada22ccd2df15ef2fe7be

Download Submit
C:\Users\Admin\AppData\Local\8fb59d67cfe559e22530d7f5a0ec92bd\Admin@ERHQJVYQ_en-US\System\Windows.txt

Filesize
345B

MD5
eb59bc8f20c720b3d6f38d8b2a2094cf

SHA1
d1b6ef5882bc51bdc3ec8cd752c4301d7a24ff47

SHA256
ec8036995f7ab7c90dd7eb894ab5c55808879f44fb15e65aaba7fd61c21bdeaa

SHA512
d41c6ac6f244b8585ffe9f5af5ccba1b0c013ef1884fab42df6b700f48de907e60d41790c299d293e7e9688d62d66f29e900781c78a8d564f3d3c98071e89012

Download Submit
C:\Users\Admin\AppData\Local\9ebcbf67b2297a4a6bc4feb069231747\Admin@ERHQJVYQ_en-US\Browsers\Firefox\Bookmarks.txt

Filesize
105B

MD5
2e9d094dda5cdc3ce6519f75943a4ff4

SHA1
5d989b4ac8b699781681fe75ed9ef98191a5096c

SHA256
c84c98bbf5e0ef9c8d0708b5d60c5bb656b7d6be5135d7f7a8d25557e08cf142

SHA512
d1f7eed00959e902bdb2125b91721460d3ff99f3bdfc1f2a343d4f58e8d4e5e5a06c0c6cdc0379211c94510f7c00d7a8b34fa7d0ca0c3d54cbbe878f1e9812b7

Download Submit
C:\Users\Admin\AppData\Local\9ebcbf67b2297a4a6bc4feb069231747\Admin@ERHQJVYQ_en-US\Directories\Temp.txt

Filesize
25KB

MD5
a967a9b218ab775a8d064d08896394ef

SHA1
8f11afecd2c5e1df499d24046131dc029b9aaed9

SHA256
4c27194f18012e05da29bce2a539eb87316b8bc9a015410692355d21d00dd6c4

SHA512
5610e97aff7aeda643f0c1676f235272127a24ac13f4fc216fa67e95b30fc0b7a4943408a9e138abc758c05f990e637c9761948ae173789fc2be69bd5a06fd1c

Download Submit
C:\Users\Admin\AppData\Local\9ebcbf67b2297a4a6bc4feb069231747\Admin@ERHQJVYQ_en-US\System\Process.txt

Filesize
4KB

MD5
ebb7260007e97fb819441b7f584099fa

SHA1
0d6267eef4b27567c840106ffe1ca1c51b572048

SHA256
c4935f2037a63c2e9782632e056a6ae056e3696aa74509ba823f652e39d07dcc

SHA512
ba9373a14d840fe9c848a08318d462a54078fb6404d3637239034445bf7ae3435ebe67828b170d608c71d0109f08200978d3be425fc6ed5b26f9142c1a527fb0

Download Submit
C:\Users\Admin\AppData\Local\9ebcbf67b2297a4a6bc4feb069231747\Admin@ERHQJVYQ_en-US\System\Process.txt

Filesize
4KB

MD5
564f78a974e278a3fb9e6a058c2812d2

SHA1
a9c01e418697d60f0613debd3359325bef2c996a

SHA256
f3e0d7909730beee43c2a6cc8bc30037fc4bf28efb21175285cbd2e338c40987

SHA512
a59f3849079e082bda5694a0ad5bdae3cbf12f462d074fb27a91632271887f3502108608dc90e63d358af39bdcf1b117d5287146bc69ada1f57705c6f942b6e3

Download Submit
C:\Users\Admin\AppData\Local\9ebcbf67b2297a4a6bc4feb069231747\Admin@ERHQJVYQ_en-US\System\Process.txt

Filesize
4KB

MD5
805ccc97dbf65829dfabaabcf25ded28

SHA1
c6771628440f9771fc38fea58f716ea51172f84c

SHA256
f3db2dc7539c37a1adbd590ad94b1e24468ab30bb3736a850668799b4a6400a1

SHA512
3b54d7387bcb3ce40972e9eaedfe71d5b1a4215807f4e74daf7b2a0bde2b3486a83737d3f1a5fe0117f450324df39e31c6f12b4d7a2f35780570b3a0e752dd12

Download Submit
C:\Users\Admin\AppData\Local\9ebcbf67b2297a4a6bc4feb069231747\Admin@ERHQJVYQ_en-US\System\Process.txt

Filesize
4KB

MD5
7109cddc4977b218ceee4dc7eb79f1cb

SHA1
b3a34b4bf6fd0e5fbe7ae228a570b661a8951801

SHA256
1949740daf47b39796bcc6601b4b35bae769d13444369ce792c65fabde6bda81

SHA512
d1f9db67462121a0de41e38308ca8df6f4be79fbe3601726cb8713dd5c485caec8fce9a6100a17b2b753d84002b12af0a2b73a9cd0a34b22a0a1e6a19862d009

Download Submit
C:\Users\Admin\AppData\Local\9ebcbf67b2297a4a6bc4feb069231747\Admin@ERHQJVYQ_en-US\System\Process.txt

Filesize
255B

MD5
8b54d13c15755216e4b070fc828bb776

SHA1
9812f55f84bf1c2175ed6bc67c5e30fafb01a9e5

SHA256
81f041e9f65e6b149cd67d6691674a935837d78e58410bd715c6fa7cd86741bd

SHA512
6f8268bc649e21bd82159daa27ba1744ee32659dfece709c52864c9a84c964a00b723c88d0f5e7950c58aedfed687f4cb336008cddf5589b262462232ae710f7

Download Submit
C:\Users\Admin\AppData\Local\9ebcbf67b2297a4a6bc4feb069231747\Admin@ERHQJVYQ_en-US\System\Process.txt

Filesize
2KB

MD5
3cd25eee856aa864593497f549f31c8e

SHA1
91a061215fa80a5e164b06c01000381f0e75e116

SHA256
06993523fffb493da7f41311d9b9f971913656b5d6c4ca6e3c023e676f8c70db

SHA512
5b3cfaf8c3a05fe166695a22ee9f1f5fae178ead29510a10f7db17fa3cc374ec94df82bd811bb02372f47442e945d3f65380cd6e3ef7897a76b0daa2415e8922

Download Submit
C:\Users\Admin\AppData\Local\9ebcbf67b2297a4a6bc4feb069231747\Admin@ERHQJVYQ_en-US\System\Process.txt

Filesize
4KB

MD5
3555e7df1cb62bdb74a08470e5b8bd51

SHA1
7e9f63ad287af0e0a902a232d6c188c433edc37c

SHA256
bba5091b4479c61a7bb82c3bd1e79761353e0646a4d0236d01f616b525543c41

SHA512
0cd7b667c63298dc11fb0c24cf52d0d187259e27068037718793fd580de948b03672ca8e4ba75ecff8f3f469df57ba2250acb9433f655816d356da0b2f1cee5c

Download Submit
C:\Users\Admin\AppData\Local\9ebcbf67b2297a4a6bc4feb069231747\Admin@ERHQJVYQ_en-US\System\Process.txt

Filesize
630B

MD5
3d0fcadd242951164949cc1c57e5206b

SHA1
8e48928ab9b60217a7d0a4b49e03bdaa02bc133e

SHA256
6acd92d9249cfd30a1141853b0e3125c2bb29ffa20b6e9fd6c7f3a7cf5411391

SHA512
fdc5c88102cc2f7df7c51d86177f7c9b286ed00d6cd70ea72d3da89441e59d3205dbf8f7a9e97682132bc4f4ee8b2aef118800e8d97dfdaafb4a221ad75916c1

Download Submit
C:\Users\Admin\AppData\Local\9ebcbf67b2297a4a6bc4feb069231747\Admin@ERHQJVYQ_en-US\System\Process.txt

Filesize
4KB

MD5
cfa334c00502f30cbe9d99a3f94a290e

SHA1
afce953d12b840194264b5ad00c3f5ebcc708e5c

SHA256
beb68ac4e3e5059fca7e9df6f8acf6d3c6967cfc4f166f38dd08993df2e6e792

SHA512
46ff0c074239c56cfc615d4e96725c398fecfbdede30c9e0caaa693f7a65b973d6fa61270e383a555689d3ac68bfffa88db07578141c0c2a6d250ded995ba3d7

Download Submit
C:\Users\Admin\AppData\Local\9ebcbf67b2297a4a6bc4feb069231747\Admin@ERHQJVYQ_en-US\System\ProductKey.txt

Filesize
29B

MD5
71eb5479298c7afc6d126fa04d2a9bde

SHA1
a9b3d5505cf9f84bb6c2be2acece53cb40075113

SHA256
f6cadfd4e4c25ff3b8cffe54a2af24a757a349abbf4e1142ec4c9789347fe8b3

SHA512
7c6687e21d31ec1d6d2eff04b07b465f875fd80df26677f1506b14158444cf55044eb6674880bd5bd44f04ff73023b26cb19b8837427a1d6655c96df52f140bd

Download Submit
C:\Users\Admin\AppData\Local\9ebcbf67b2297a4a6bc4feb069231747\Admin@ERHQJVYQ_en-US\System\ScanningNetworks.txt

Filesize
84B

MD5
58cd2334cfc77db470202487d5034610

SHA1
61fa242465f53c9e64b3752fe76b2adcceb1f237

SHA256
59b3120c5ce1a7d1819510272a927e1c8f1c95385213fccbcdd429ff3492040d

SHA512
c8f52d85ec99177c722527c306a64ba61adc3ad3a5fec6d87749fbad12da424ba6b34880ab9da627fb183412875f241e1c1864d723e62130281e44c14ad1481e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\RebelCracked.exe.log

Filesize
654B

MD5
2ff39f6c7249774be85fd60a8f9a245e

SHA1
684ff36b31aedc1e587c8496c02722c6698c1c4e

SHA256
e1b91642d85d98124a6a31f710e137ab7fd90dec30e74a05ab7fcf3b7887dced

SHA512
1d7e8b92ef4afd463d62cfa7e8b9d1799db5bf2a263d3cd7840df2e0a1323d24eb595b5f8eb615c6cb15f9e3a7b4fc99f8dd6a3d34479222e966ec708998aed1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\RuntimeBroker.exe.log

Filesize
706B

MD5
9b4d7ccdebef642a9ad493e2c2925952

SHA1
c020c622c215e880c8415fa867cb50210b443ef0

SHA256
e6f068d76bd941b4118225b130db2c70128e77a45dcdbf5cbab0f8a563b867ff

SHA512
8577ecd7597d4b540bc1c6ccc4150eae7443da2e4be1343cc42242714d04dd16e48c3fcaefd95c4a148fe9f14c5b6f3166b752ae20d608676cf6fb48919968e8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
4dd2754d1bea40445984d65abee82b21

SHA1
4b6a5658bae9a784a370a115fbb4a12e92bd3390

SHA256
183b8e82a0deaa83d04736553671cedb738adc909f483b3c5f822a0e6be7477d

SHA512
92d44ee372ad33f892b921efa6cabc78e91025e89f05a22830763217826fa98d51d55711f85c8970ac58abf9adc6c85cc40878032cd6d2589ab226cd099f99e1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
ecf7ca53c80b5245e35839009d12f866

SHA1
a7af77cf31d410708ebd35a232a80bddfb0615bb

SHA256
882a513b71b26210ff251769b82b2c5d59a932f96d9ce606ca2fab6530a13687

SHA512
706722bd22ce27d854036b1b16e6a3cdb36284b66edc76238a79c2e11cee7d1307b121c898ad832eb1af73e4f08d991d64dc0bff529896ffb4ebe9b3dc381696

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000019

Filesize
16KB

MD5
48c80c7c28b5b00a8b4ff94a22b72fe3

SHA1
d57303c2ad2fd5cedc5cb20f264a6965a7819cee

SHA256
6e9be773031b3234fb9c2d6cf3d9740db1208f4351beca325ec34f76fd38f356

SHA512
c7381e462c72900fdbb82b5c365080efa009287273eb5109ef25c8d0a5df33dd07664fd1aed6eb0d132fa6a3cb6a3ff6b784bffeeca9a2313b1e6eb6e32ab658

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
1KB

MD5
69f09f5dc3a86437dbfb18e7e5ff0896

SHA1
cb3df91b13bed8a97d7442f811e5e6e3d92cd7c2

SHA256
8fbf278b6b52f8967a032db8160d51fd565ce2b91fcdbbe79b26e279c5c7d881

SHA512
ca5b3e53eed0d7df33ecbad0137da3b8c57a189da26e3ecf59378ff7b2d483a5a75e43458664301bd94c969debae2ae96a7c01b98699976f8a02a195f575a0d3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
2KB

MD5
bd776cad2a621b226882e6a4e2894ce4

SHA1
567abd0c789c97ae306866358344e3438a7521d8

SHA256
50f9349a53de2f40e9ebd645ccdcaf3588173d1391472d45dbae074d3838d6e5

SHA512
b84dd5936f5806fcd9feabf6372b24e478211dbbf1dd04f89abc09cab97d973bf7f3ab744916a51f8ad73209e01af2bef0e8b9dcd04ed4608cd4dfd0c65655c8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
2KB

MD5
ba08490ba03db769eba4c26d09652148

SHA1
eb98a3dff83b31d6195cc4e7299c138bf22d3a2e

SHA256
7be0a71c41c75f025f4b1406933195ff14a46a507f2dccbcea4bc349ce8dca8c

SHA512
af7ecb721ebc9964ffef4b2cb0aa903c3baaeae44a28624556910ad24bad49cecdde3cc39317bd6ff7cd73bcc6723a3b2a9d2d3d41df13957f7978b6ba4a5cc2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
2KB

MD5
c964406d6afa186bdcf6be060403dec0

SHA1
4113b19325287ea3c99fe7d49ae00bf4a903b5ef

SHA256
d4ae2d074b5825aecebddffda0129fd511bb593582cfbe1fb1335b319fca4c7d

SHA512
63c5b8304a194e9fabb71b46e0df672e0e12b1ad56a37719edc458baabc828390b7bdd4ad9eb3ab4f326ec913ad7d5612ee71b7fb33fdc304015a571e12f2bcc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
2KB

MD5
94aa1605c0c3160aaa0fe621d05fe79b

SHA1
6efb5b3f8d770972c8a8cf78e65ba5e5545f73cb

SHA256
35bb758d9a658da3393a77a79ee9225e46aa3bacbea1eb6678cdfd3f10a25a87

SHA512
c4a71fa14ff74b32a666e8ccc17183aa2859d26bed9e7a3b3ece7276dafdc6d0839f212e5da7848e681d8fb096772e1a7b3f10acc6c124d125d29b7a7b7ce585

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
2KB

MD5
350dbf1006da89d2362f6e67447ca9ea

SHA1
fed952f5b9eb2b8961ac4f2988810ae640213b25

SHA256
a5e468fdba744f1feb40b9d37a2dc9565408fd2a89277d611587de339a8ee74a

SHA512
40b1035ba3a380b430f08fc04744ddae8b9257e8021c43f8d1af06c1aca12670d54a62977f1d20c581c17c3d0ff3c75bc4470b8fd2b0a317a7bc5980846af876

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
456396f290722d043b2e9e4594c14fd5

SHA1
9490db0a8d2fc0b131bf297ed8839261daa1d899

SHA256
70d6af61f67dae8080e30c0b725a10cac846b297876962e932902ce64d2092d0

SHA512
929e133a4d86992fe16d305d4720cf33e976916e9b73db115971bfa93f15cff889b8eb3ae96d4a8b1958893f2122a90ac4c673d6e7c07f38d1793bd038b14361

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
8KB

MD5
0419804602f896fe8adccc005388f445

SHA1
c87525a5e14fe98fb0e10627dcd862ce4c57b3af

SHA256
507261a92ab68c77e117cb45527bbee7a474acf940554faa53972142e2a3d4cc

SHA512
acf97253361dff904b186134fd5f52f6d6add9b3654a91fa1a4b1aed5a7cec1bf90bd496e838af35eb31670d0aea3b2685ce0b78edb9fa7f5b630d90e7317d38

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
9a20454f15969fa1e08e698bb6009d9b

SHA1
625f2a0ac49e821c25eccfe96ce3febed94a671b

SHA256
b027c983c99be245ae57dd34b55a44622eff261b345a900448f833919f65d967

SHA512
39b6c99f754bad9d46cd3b443a876f17027e7a57446643765e01e2bc44fb53276b80b8610327675b742a854e2a1731b7823193d9fe741865b330cffc60ebf07b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
0a035dd11e0a2386a54b05585332c292

SHA1
a68f3b10efdfa9cfa108b736486c10a590d9413f

SHA256
a69d3bb7963f5038a7ed61a4d1497980837e2fb7a45d9518f28a345fd2bdc5d4

SHA512
de056b196611b23cae9e0692ef6eeae73c5e6b0a3fbf5bbc3c3070001e31be512f305e949063929acc810878fba3719280ea5e4630b5852580bc7ae0d9679824

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
8KB

MD5
a46bb7e8a15c3c7582ef3f960d7382ee

SHA1
9f1842130c89edc5afbcb717b178bb82dcf65910

SHA256
1586f072221620a7de1a150b23d3c1ccc03962bde1ad1e51e93bea4e2ced2075

SHA512
e14a27e88cd226ec37afab423c98c2c8a54b6c329f3fba22a47ddef8307f0975bf095dc258b0eeb004447e6885b0634e9c4698a22ea3a4a7172dbceb4b099a51

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
d5ab70b8cfb35ed3cfc98544aabed282

SHA1
d147d66c69a58696949d2509636a7e9c157e09f7

SHA256
f2b343f7295def6666f187df12bfc16d2c27f570783895f2f1dd1311428f73c0

SHA512
21b4b20b8d5ad933e0b1d2bfcd4ad277f452bef70d039a27c259a007dbd68b212017b4b91075d3562009c44bb30f172c6eaeee8c8e1b69240b9fbbf5a1f1a020

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index

Filesize
96B

MD5
0401d77147fc5f2329b1b784d95a653a

SHA1
e43f830281e8a4b0cca152305b202faf64f9af71

SHA256
ae7cc7f3435f9f02d9b15e5dba551f5635f7675a286a85e0c4f234194a493ddc

SHA512
bcf6fde946df81449446c4e85f23857719b0fbba828c109de4d9ff36d7c9e88712ef30ada8d8e63c585b65b2d3a6f6ee547fe588036b0af5e9267db484e4e21a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index~RFe5a5aa4.TMP

Filesize
48B

MD5
854b2675b8a15d381b757a565416c082

SHA1
61c7baac10ab14477d56b97e6f12840d2bad5911

SHA256
407b890271c39ba96a8964b91ea391f9ce5f22c0ce4187ca90276dccaddeaaca

SHA512
3bedc9b6554a8e075c1b3322465c3805d9de14df0bcf20397c4ff0535bc82709d599ecfe61eb2bce506f0c3dd2bf874db77ecf14e72c68ba1df378e0fba9386d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
872B

MD5
cb53eddd6ba8ee3c52cac911f53aa1b2

SHA1
da29a0e96a9994783b82ba69d824d9d152d466c5

SHA256
ef8cb267d7824a87579d160cafb6bed3290f7475f7096f6ca37d11c6e23d17c7

SHA512
a561ef5e85efc3e2b4ee2d0c99fb0c8056b3c17a9db925dd4f60debebe5b6112e02e69bfcf5f617e4e2c58033548d9676e5386b31d2d909cf12d1a690a93c8b5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
872B

MD5
4c2241a21cef59f9a11d70e2d74d5132

SHA1
306e1f91d73ef39be666a18e620fc04fbef194e9

SHA256
9211c857c621237aa4ce2b6904f9622463d5475eb0fadbbc1c94e7226f167668

SHA512
c5ce5ba2913515ec2b4d1b12a6f0324d227c42e15ae3c4c64381125e70dc5c0cc088a63156e6ca81d52183f7c03268ef73e690d62c68659d6aa3b19870833a0c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
870B

MD5
a2b26948dd7e70641476a32f685b737e

SHA1
a8c50b51d0dd2fa6a1a2ac09e06daff3a8d0de23

SHA256
eb40ced0b23fc6b6ae21f6f09085226e59f1ff9d115175b4e2aa92fcdcc5dc80

SHA512
a2fb3c36f95575db7fe48ddb26974ec85ab02b6b15289951e43758012aae75383056e0a83f90cce78b01db034df4e0090ac2911fcb75f133ecde1b0d6a4ccff1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
872B

MD5
5de5450652ef199ca983e6da2df65890

SHA1
c1e97376b7dbe4ab91494380340478b413644f76

SHA256
d457c8d480fda585a5f9cf6a9a3be1195e4548600412a9026b0a61947264ae59

SHA512
71238e514571e3f312240e2cb65194b251710a2dc5116fcf746c029d2f8e38f41640509a2fdc92d2dcc82cde85e8984a3de7c3ed6f6c79121c431ab9c9f5ffed

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
872B

MD5
278eef1b4c786d6ccadb22ed9a6bf4c5

SHA1
44f511c2b75626871ec53e9ab730836458892bc6

SHA256
b016729c03c9ce731de0a382640e1da6aa7d1a9ec191862247660056d6348ff5

SHA512
2e449e2c9813e4d25575561df92c585fd2cada3dfa293816ef9ba6943f564430596e144db2326fd5763ce01addf82796e65b346fac4736215e13e2d09ddc062c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe5a28a7.TMP

Filesize
538B

MD5
c9c3c419e24a9e714383517c31d954e4

SHA1
d93ab2ead846b6da287c17ca5979fd223da5f2f5

SHA256
11744a98865e77740ed3f92726c8f1d3b09916af1fd39670a56b4e39cc953886

SHA512
a45f2840597cdad40064b73ac7f241afe5f54f5fdedb134ee4826aa71fb46b57be39a3f085835aca17432edf5593bba3774b0b7d7f0e64046d9e8bd2c7e983cc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\000004.dbtmp

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
8c2f60375eb23a699c19dab28f5efd71

SHA1
6e6be572b11056dbb226c6f477f14e8b5364e734

SHA256
052446a1fca124b1aedba5574136ce00b1fa5c5263d4358d86814c02d90b4f36

SHA512
7f8a24923fcf9baafaf387bd304a1989f5953cceef7dc1b26cc0f48c0eabe8fdc984be751ed4a13932a496d4fbb9ae1565bca4496cfebdf63839b4c9497d2b8b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
d4607838dda439ec6061bccca2aef3e9

SHA1
8fd7f000549bd61499d6b9f59c1be1abf13b8ca9

SHA256
9658bc709c3d045e594617b9e70987e0fe89ef036d8762d07ce414e323b6f266

SHA512
fff24fab708ca1fac453b29dbeed8178ea95076eca892d915197a99149c25ea0f98f6ca51c042a248b41c87ca6c2557015a8c4cd1674e63c26578c340920f0fe

Download Submit
C:\Users\Admin\AppData\Local\RuntimeBroker.exe

Filesize
330KB

MD5
75e456775c0a52b6bbe724739fa3b4a7

SHA1
1f4c575e98d48775f239ceae474e03a3058099ea

SHA256
e8d52d0d352317b3da0be6673099d32e10e7b0e44d23a0c1a6a5277d37b95cf3

SHA512
b376146c6fa91f741d69acf7b02a57442d2ea059be37b9bdb06af6cc01272f4ded1a82e4e21b9c803d0e91e22fc12f70391f5e8c8704d51b2435afc9624e8471

Download Submit
C:\Users\Admin\AppData\Local\Temp\places.raw

Filesize
5.0MB

MD5
1e82b3787b23061611482cee72145da7

SHA1
83c11287d68a6f1e5cbb9b39755a85686257fd22

SHA256
e86af9a8d23096ac222c9d8416698c962074a9d367abb96680a1bf6c27b619ba

SHA512
729268b632b1ce38eb48bea4bd781e886ce04adda5e6ac2608de7023e1ab9e06e7fc304627f9b26e344c42fff603f49713758406002b600e7f844a0541659748

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp2219.tmp.dat

Filesize
124KB

MD5
84929854af3ab185f2d4acadd7ff2a48

SHA1
0f9404b56b02bb33c09ddf9717afe52006b97585

SHA256
2c3e7b0c19a83793faa3c66190b15012fa655206fc55e3e8fdecaf3f5f33855a

SHA512
5672ba51a7b7da5b50d101054fdfa08148a41c1d7856d5aa2639ee1d67bc5de924730807c6f59171d355cc1bd84b4746e7928151216996bdc34cc7d515ff6165

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp5ED3.tmp.dat

Filesize
28KB

MD5
1ade0d056a15a5b2220aa30e5574a0ff

SHA1
1455d825e123269e3e1a3699bf545f92efd21ed0

SHA256
ba467edc4d3ca77b24789e14e2071c9c397dd1c9ce2512c67ee068a7bca755d3

SHA512
7959d8fcdc1d2be4a6327472aae18071d24f716caf4eb22c181d691a5f59f03bb7e5a098705d3f7e9b51c1fd3dbad0c14b78b8aaea3ad27859813aab8f849367

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpB42D.tmp.dat

Filesize
114KB

MD5
3cfabadfcb05a77b204fe1a6b09a5c90

SHA1
f106b5ed22265e64bc61dc5cf1e2d33ed12ec18d

SHA256
693617c470d7472e751d872341061cfb663f22ee95bdb42f9db01f02cb90df9c

SHA512
d5502023a17213919e2e991f5ba2d0d2c08223fd489d876a47a37239b637d03ace9cb9b92deb71460ae4030194ca49ce9e9752e0bf2ccbcd297dc5afe62a4e7b

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpB42F.tmp.dat

Filesize
160KB

MD5
f310cf1ff562ae14449e0167a3e1fe46

SHA1
85c58afa9049467031c6c2b17f5c12ca73bb2788

SHA256
e187946249cd390a3c1cf5d4e3b0d8f554f9acdc416bf4e7111fff217bb08855

SHA512
1196371de08c964268c44103ccaed530bda6a145df98e0f480d8ee5ad58cb6fb33ca4c9195a52181fe864726dcf52e6a7a466d693af0cda43400a3a7ef125fad

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpB441.tmp.dat

Filesize
116KB

MD5
f70aa3fa04f0536280f872ad17973c3d

SHA1
50a7b889329a92de1b272d0ecf5fce87395d3123

SHA256
8d782aa65de6db3538a14da82216e96d5e0a3c60496726e3541a8165bccc65f8

SHA512
30675c5c610d9aa32a4c4a4d9c3af7570823cd197f8d2a709222c78e2cd15304bbed80e233e3674ec2f6e33d1961c67fd6a46dc8ba8b1a301cd0722932c03c84

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpBE11.tmp.dat

Filesize
40KB

MD5
a182561a527f929489bf4b8f74f65cd7

SHA1
8cd6866594759711ea1836e86a5b7ca64ee8911f

SHA256
42aad7886965428a941508b776a666a4450eb658cb90e80fae1e7457fc71f914

SHA512
9bc3bf5a82f6f057e873adebd5b7a4c64adef966537ab9c565fe7c4bb3582e2e485ff993d5ab8a6002363231958fabd0933b48811371b8c155eaa74592b66558

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpBE27.tmp.dat

Filesize
48KB

MD5
349e6eb110e34a08924d92f6b334801d

SHA1
bdfb289daff51890cc71697b6322aa4b35ec9169

SHA256
c9fd7be4579e4aa942e8c2b44ab10115fa6c2fe6afd0c584865413d9d53f3b2a

SHA512
2a635b815a5e117ea181ee79305ee1baf591459427acc5210d8c6c7e447be3513ead871c605eb3d32e4ab4111b2a335f26520d0ef8c1245a4af44e1faec44574

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpBE28.tmp.dat

Filesize
20KB

MD5
49693267e0adbcd119f9f5e02adf3a80

SHA1
3ba3d7f89b8ad195ca82c92737e960e1f2b349df

SHA256
d76e7512e496b7c8d9fcd3010a55e2e566881dc6dacaf0343652a4915d47829f

SHA512
b4b9fcecf8d277bb0ccbb25e08f3559e3fc519d85d8761d8ad5bca983d04eb55a20d3b742b15b9b31a7c9187da40ad5c48baa7a54664cae4c40aa253165cbaa2

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpBE29.tmp.dat

Filesize
124KB

MD5
9618e15b04a4ddb39ed6c496575f6f95

SHA1
1c28f8750e5555776b3c80b187c5d15a443a7412

SHA256
a4cd72e529e60b5f74c50e4e5b159efaf80625f23534dd15a28203760b8b28ab

SHA512
f802582aa7510f6b950e3343b0560ffa9037c6d22373a6a33513637ab0f8e60ed23294a13ad8890935b02c64830b5232ba9f60d0c0fe90df02b5da30ecd7fa26

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpBE2A.tmp.dat

Filesize
96KB

MD5
40f3eb83cc9d4cdb0ad82bd5ff2fb824

SHA1
d6582ba879235049134fa9a351ca8f0f785d8835

SHA256
cdd772b00ae53d4050150552b67028b7344bb1d345bceb495151cc969c27a0a0

SHA512
cdd4dbf0b1ba73464cd7c5008dc05458862e5f608e336b53638a14965becd4781cdea595fd6bd18d0bf402dccffd719da292a6ce67d359527b4691dc6d6d4cc2

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpDF8C.tmp.dat

Filesize
32KB

MD5
8413741509b0d050226065f30eb949b0

SHA1
dcda7cd519d23968fbd50af47ad843479b33d553

SHA256
7a1167d3833bd30f61bbfb9cb4c8bc85a0232831c2f64814c593c997e218101a

SHA512
c2c3c9429d9ed97d8eef813cd48a39c010730a56376504c3dc05c193aef320610bf708bcfe33109b87e510f5c71f3acfc672d161a406cc425a89be59830dad59

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpF6FE.tmp.dat

Filesize
116KB

MD5
ae14c144dc944acd7a6888a4a51e8cdf

SHA1
9884cf8a988ea4fecaaf031322b70cc1985e34db

SHA256
5972aa6f8d1633e60ad9aca0b629d6d937368dc3df78193c44cf7b5739f0db44

SHA512
63612935a1123c6b088ec58c51667469386e55154ccd1970eb511aec762c31ea1b4dbd26d730e6539556589f1634361bdd33ba91a769e762c2adc433048e65e0

Download Submit
C:\Users\Admin\AppData\Local\a88f79e67bdd207514f04badd41e2959\Admin@ERHQJVYQ_en-US.zip

Filesize
13KB

MD5
77b6dac09796a6c4ce23ef740cfb8fcf

SHA1
20b60d14d726217ef76ec4546100f78c0a4bbafe

SHA256
2ecc843c61e5af50af4ca403d732123cf38702bc959633fe986ab865c24b9dee

SHA512
28a097ca9e09ef3f458b5f3e70842c64f1f7bdb8bf5f07e46ecfabf2c0dba994d6ac10e0b1f8aa84ff8347d0e361994f1e0268001b423b7ec8d4e375bb31ef1c

Download Submit
C:\Users\Admin\AppData\Local\a88f79e67bdd207514f04badd41e2959\Admin@ERHQJVYQ_en-US\System\Process.txt

Filesize
4KB

MD5
726f136a67e42208dac20ce674278765

SHA1
170c8477bf9df627f917c2989c08a11a651b5c74

SHA256
4598924fff19bf445d07cacbdbcaa36943c19c9134886d624e130595cb90b7ba

SHA512
98d7ccf7e3f0d215679ce37ff8cd9513d8d63790efbc0ad90d435ed2738b5709b255abea370b0c31c90be1433086abbc70c407b24697856f0f21e3fcd9a8eb3d

Download Submit
C:\Users\Admin\AppData\Local\a88f79e67bdd207514f04badd41e2959\Admin@ERHQJVYQ_en-US\System\Process.txt

Filesize
4KB

MD5
ca4f5dd249bf353dbe0094d7f54c31a9

SHA1
f24a7b167b2115def5c5c2d26aeadd6426170da0

SHA256
ca6494ff7bb17e22d8a60a21c047c2dbd207158ef4506faac104dd0115d278f3

SHA512
e684802c93b7abd7b627218cf19cd0f40b1ede28bfa511e87a2b53718c2a26eb81f38567502562e7f0ccb4e1f3430409998df384b06fdd15d7670a2672572f99

Download Submit
C:\Users\Admin\AppData\Local\a88f79e67bdd207514f04badd41e2959\Admin@ERHQJVYQ_en-US\System\Process.txt

Filesize
905B

MD5
ef7c118579db27332f3002102da57fea

SHA1
003d0b5bd480bb3feba8b99dc98763a16ec7b2ed

SHA256
f7793e2377c837e9d6753f22c84e906952799fb843f26a4334f6769282627a82

SHA512
a96ce144447b1e03d67810a2695c05fb4afcd050937f0ec362f9219ce36aa56f13988c6507ea3e876df22c6c26bf0eb0adb5a1b0e996113ca836c6618fc8dc2b

Download Submit
C:\Users\Admin\AppData\Local\a88f79e67bdd207514f04badd41e2959\Admin@ERHQJVYQ_en-US\System\Process.txt

Filesize
4KB

MD5
2ffc8f5c3d48ca9ab771dbc0931419f2

SHA1
700c8ab0d697e07091555ec113dbedfd9a41ece4

SHA256
8151245dd4496614d03a3d485b314e0a5d287c430bc180cb63b116f18c543cb0

SHA512
47a48fbf9e8ae0fd892c496dbf3e38859232628063deafb103b1e2564c2b0fe6e3e74b77247208e899a28f174870d6f60577de1dcd89de4ccecd18e904edcf52

Download Submit
C:\Users\Admin\AppData\Local\a88f79e67bdd207514f04badd41e2959\Admin@ERHQJVYQ_en-US\System\Process.txt

Filesize
1KB

MD5
62032609bf9c37ab633ae5bc86fee6de

SHA1
0e36087e68239ab18743a9c85ecc3bb56e1dadd9

SHA256
c6a9d29caf87fe0bcb3d015e4fd57960991d045a6cd5a1ac7f924e257f238f44

SHA512
77cd6112bb1d0ad278835876d55a57156b9f726691b547fc0928f0955e970414397d8e5d9030e4ed20cd31d67259067e0b658d952ba59e2e174cf7af72add1e6

Download Submit
C:\Users\Admin\AppData\Local\a88f79e67bdd207514f04badd41e2959\Admin@ERHQJVYQ_en-US\System\Process.txt

Filesize
85B

MD5
db1070e1c11fa819aaca2363ddee0eda

SHA1
5bc414298aa7678d1e9b36f53d76d67f6c6d7476

SHA256
64b48de4e61e694f7f6a3dcb7ea8b16d0226d6549f06c3887cfc7e292c8636f4

SHA512
1758ac201d8188cf32186e4de19b6c4ed1603243b43475c1ef6ba1258182596a28e1b7aa3ee688612743c178334db801561f918ab979c09fb1c3f2f002161a30

Download Submit
C:\Users\Admin\AppData\Local\a88f79e67bdd207514f04badd41e2959\Admin@ERHQJVYQ_en-US\System\Process.txt

Filesize
4KB

MD5
3c809057df293e3f3e9073bbc8c7aecf

SHA1
ae1d576ffc4f4076fbf9ee5c14255a5c109984be

SHA256
d4c142dbe97a492b1db03c64ffa68877764f137377ea9103794e958ad74215df

SHA512
1f4e20746f828ce1324453da217e3cd20dfa14819bf0188acf6a13bf80960bc3ab5b8cebdbafa96df8c2bfbb4da69959422a5b91c9a2a91c07a5bba976a42022

Download Submit
C:\Users\Admin\AppData\Local\a88f79e67bdd207514f04badd41e2959\Admin@ERHQJVYQ_en-US\System\Process.txt

Filesize
4KB

MD5
a8adea92f5f69d7223b270789cc34562

SHA1
7139461387ef0c45c28528654d224b69f52c819d

SHA256
ae58f10e0c285c4bd7143f2b3fff12bcc56616c9e467ac1fc683dc2c76e05b4f

SHA512
cfda2622d0936eed2d37b4b8f2f7250176c57089097ab1df8363388fe478d95f4ccef16d77827820b756606cc8a20b1c5d18c9f0e27e8b8d90421227dbea2643

Download Submit
C:\Users\Admin\AppData\Local\a88f79e67bdd207514f04badd41e2959\Admin@ERHQJVYQ_en-US\System\Process.txt

Filesize
1KB

MD5
09c38d75a9294c28c9e7aeceb5c4f167

SHA1
eb1cc0cd965b08c153ca1a55cc34ac56a2d13974

SHA256
92052d81a0ad570693cb5243252ac098de924a2bbe23e81ca92bc6cb353fcedb

SHA512
cd2df5e248c22a9f7b6088b7bd94c45a9b934ff238ebb12291c813bb0e2ab988dd7617179e3d7a7de70c0c96220a7e41ad458ff174aeab094ea0acb26102eb58

Download Submit
C:\Users\Admin\AppData\Local\a88f79e67bdd207514f04badd41e2959\Admin@ERHQJVYQ_en-US\System\Process.txt

Filesize
2KB

MD5
e6e9f384045f309d3a95719c9a7f0367

SHA1
05ab3ce1d1f47af0c055d6860c18897247cba152

SHA256
f7ea091a156512376ea0f07fb0d288204026b09d4d3da200839341d3e40390b7

SHA512
4d6afc117de40c982ba4b3bace51450725bbdbb777ed71584ce0fc6d635344525a5382427b76042aae4171d93e2f3e07c93f7b0bed28124aab210663b4e7aaff

Download Submit
C:\Users\Admin\AppData\Local\a88f79e67bdd207514f04badd41e2959\Admin@ERHQJVYQ_en-US\System\Process.txt

Filesize
4KB

MD5
7a1363e0ebad254861250cdeea5a487d

SHA1
d9425ce797211587dd61232305bffbef6cd9082c

SHA256
506e7732d6140d5ac28bbf1daf0a18f10d866e930ba8b6e83acb11616934ab8e

SHA512
d6591265474a86470832fcac66eb855baa37b289c5fcbd13174f2c69154fd964f2553ded0c777dbc8d220b7a96f8b43577f276de3df5bcb5e3505cd1711eb984

Download Submit
C:\Users\Admin\AppData\Local\a88f79e67bdd207514f04badd41e2959\Admin@ERHQJVYQ_en-US\System\Process.txt

Filesize
4KB

MD5
f2b5dae04cbea122cf030882d618b6d2

SHA1
66980da0fc834348d952917e72a7f640cf9cde68

SHA256
24837bec1b4e29d46f1765ba3a673dc653cd766e97c6243ea86ca88bac988e9c

SHA512
b15d4ba5626e820615e4c3efa664632a75219cbe43c0bfa73d4e01d2c253f0d37b7ba799213f9c8db8b6bb1881f6457940e353507a3109c0ba106b7e6a44c4cd

Download Submit
C:\Users\Admin\AppData\Local\a88f79e67bdd207514f04badd41e2959\Admin@ERHQJVYQ_en-US\System\Process.txt

Filesize
3KB

MD5
4e9907e070dc4539cbaf18c9f3cf9c07

SHA1
01fbbe845ab442a663df0e04b2719aabaaca8c6b

SHA256
d4bd76ac0c3e37a3f72fcd390d5f9d68ad5b0e92997671a64eb02c70342ee705

SHA512
4ce5d3c1402df3f2e735e69a2f37d9bcf595d9167d2051cc1a03d2756644f0708b63dab6a748e14d3692faa82b5e1e27d0d461c6fe6510df50ad04236294e509

Download Submit
C:\Users\Admin\AppData\Local\a88f79e67bdd207514f04badd41e2959\Admin@ERHQJVYQ_en-US\System\Process.txt

Filesize
4KB

MD5
d1e7328c8229bdd09de982739e4f537e

SHA1
2982a2dfae33a2dc7f5b893fe5942583f5abea36

SHA256
b2758f8706eb3f8b94d4e92c285608b01cd7fc8aff978b9f56919cb53309a8cc

SHA512
48f7065e788bc37e0d00ad9ab9fb482077f21e4b5a7d5629b5dc6d82d917def3c545c15cdc61e70ba061c9246b4cedc8b1398c520520d926c2ada3e8bd570df4

Download Submit
C:\Users\Admin\AppData\Local\b7518339e437082f220ef3d4b601feb9\Admin@ERHQJVYQ_en-US\Directories\Temp.txt

Filesize
15KB

MD5
21c9fb20c09652ad2067c0341362afa2

SHA1
9c27ee1c862f5639a762a4ca0c53670ea22790a1

SHA256
7584989f34d8d93ccaa105fc47179141edbe7baa49f2d36c11c91a284f5d0a9a

SHA512
630ba316624cc29caed6db9eba4c16e8dac7bcbacc21c8800f355b257cbca03e8618a1d52589572a7460ab2cf354880f0aa786383c03ff18b0da15fcb85641ba

Download Submit
C:\Users\Admin\AppData\Local\b7518339e437082f220ef3d4b601feb9\Admin@ERHQJVYQ_en-US\Directories\Temp.txt

Filesize
7KB

MD5
9aa59edb978774f11f08bdece3cc9aed

SHA1
2c5fbd963c5a6cd5d6b23a8ba0714418a8fa2677

SHA256
a738ca1f60eef1fe2fdc972379cdb025842e0bfd83efbee8b639f65c72999b72

SHA512
10830c6a49fe3bcd72903d8ada47414c64a4780c1cde4023f8100c111dd29fd6e5e6fe0d45f4f853d61eb90420fcf1ca1ec6633696389fd135354f190232d0e6

Download Submit
C:\Users\Admin\AppData\Local\b7518339e437082f220ef3d4b601feb9\Admin@ERHQJVYQ_en-US\System\Process.txt

Filesize
4KB

MD5
1db2239ad8335fff4e32791d50a810dd

SHA1
ff5b619b726c7f010b13e9fcb5548528e7fe8ca3

SHA256
69f36236327ed372edd33fa2601e5cc185794acbc4b6565e88d1928d3072fdcc

SHA512
d9880317e8102d830d0ff2c9cae5e61879aab69d9c282ef8a0682eea32efe6153d34abf34c8e1d1aa53966a975abbb64933992df9f18b9172a0a86386bf0b506

Download Submit
C:\Users\Admin\AppData\Local\b7518339e437082f220ef3d4b601feb9\Admin@ERHQJVYQ_en-US\System\Process.txt

Filesize
1KB

MD5
260fbd09cbe66c627be9d9c7001de614

SHA1
8c6097d4e8d44ac2147279139debb224d72ab244

SHA256
769563665d83607c1e4da2210574125cb370739c2e4e34052d2df71fe26b3f1c

SHA512
4bd709b552a274202c6ac86f86a200e51c7e6d3126eb5e4630d0a236e307c8bb58a3b1ae3311fcb3d12d3078fa37f2a88cef783cb82acb26703374fe904a703e

Download Submit
C:\Users\Admin\AppData\Local\b7518339e437082f220ef3d4b601feb9\Admin@ERHQJVYQ_en-US\System\Process.txt

Filesize
4KB

MD5
ad97a75d4b878d30f981674e2aa63e64

SHA1
67d78181082e8ee6094c0fbe70aab910d56357ff

SHA256
137ee5575ad63593f731774980d5616d1b2d05d37d6a73f9314ded8433e7cd53

SHA512
f7f014d3b390410f0a9992b78b5f77d39437ddb0768d9c79300e59596f6eee672240ba8afb422f3a45c16ff05a1346ca6908e842e69ba00c709ee4a36eee101c

Download Submit
C:\Users\Admin\AppData\Local\b7518339e437082f220ef3d4b601feb9\Admin@ERHQJVYQ_en-US\System\Process.txt

Filesize
4KB

MD5
d4815115b7ec67cde8c55f65e10e3a3c

SHA1
a36142409e88dc0b80fc17a8c774920711dd30eb

SHA256
f4ebfb0640486045053f9f57cc289a4289cf9167c36cbe64e034e0d769e75323

SHA512
9dc05d396faf8075458296f8f99f41139943c7cd4c3c3df4f62b30c05ff475b8d64bebe2101c2a41010d63d8376f6cfa190197addd87997fc9c1b47450bee492

Download Submit
C:\Users\Admin\AppData\Local\b7518339e437082f220ef3d4b601feb9\Admin@ERHQJVYQ_en-US\System\Process.txt

Filesize
553B

MD5
ff9b8e49ef5c9e66f3d86141da1cb722

SHA1
40245b7f6f979fb568e5b83b4fab89c2f024bfa9

SHA256
c57f1730a8fb920ab6fae49717605c2aef6ef85f2e0d12da11727c899736ef2a

SHA512
c8fde8b41ba1e3716c1ba624229d22be44e331d61b35c2054a0a715609d500c0dab5b7ac277d07a4263a1eaebe922fa1ec9499ba3ae5d51cb8a220aadd66ffd2

Download Submit
C:\Users\Admin\AppData\Local\b7518339e437082f220ef3d4b601feb9\Admin@ERHQJVYQ_en-US\System\Process.txt

Filesize
1KB

MD5
c04cd380010b551c91451aa2cfdac659

SHA1
2b1ebf80cf17e1e42dbaff13fac1dbc03d87b973

SHA256
d481e29521cd2a8d1149d148e7a820e8f1fe843bcb533fef227d5d836546ede2

SHA512
76e4aebd5df3a068d78fdae004384daf9130609eebe0e8d8aa6875e761fad00c2fa5ff194506148927c55efccbaf3235ecd3a1a7d5f6bc1d95382fa831c3858d

Download Submit
C:\Users\Admin\AppData\Local\b7518339e437082f220ef3d4b601feb9\Admin@ERHQJVYQ_en-US\System\Process.txt

Filesize
4KB

MD5
4be498a034b360fe8dfb170307e2cd1c

SHA1
3cae288dbeb350f92ca55566070aece040d02003

SHA256
7d812202fa3e9cd33be711ecf3a31b6e907402937255cfed9cb9d62b1defdf66

SHA512
87d58fc7e0d3f3dd710f93402782176433c9091258426534923330a192b61f7902364afb7515002d13daf674fda57b7334782f591482ad40b7260b807dcc62a5

Download Submit
C:\Users\Admin\AppData\Local\b7518339e437082f220ef3d4b601feb9\Admin@ERHQJVYQ_en-US\System\Process.txt

Filesize
4KB

MD5
e69bae6e9734a770f511ae53c41a5e4b

SHA1
28604528c52f59a3201dcf12da0f365f1f62def6

SHA256
02a312049328b6150c84bee6d03e8ea0ea27ef737d7341c87eb4c0d25d1f7c8e

SHA512
a1e7abab3a13e9d2cc25d00f7634ec65a7d8114a4b3b43f8c6ee8e57781bb34447e1b93d846b5405fa64e5534a5d1a1db829f7e0b84a92396fd8be43ad3011d0

Download Submit
C:\Users\Admin\AppData\Local\b7518339e437082f220ef3d4b601feb9\Admin@ERHQJVYQ_en-US\System\Process.txt

Filesize
156B

MD5
914ac03c06eaf9fec8e484ecdad6ffc3

SHA1
8c2f3274116ec887418b2793bcebf1a519b2a0d0

SHA256
7eaa6d2a2796a41aba3e0497b844fc8a677ab2223229b5ab08de898e9aadb71b

SHA512
a62df26a7cb20f7e644ec0d47ae0e1c5bcfe57e7898368b5b2bd02e03e5128a8e5e4fc646b61b92510fd8ab71e9ff41540d059fda8e5d94e93085037799fb9ea

Download Submit
C:\Users\Admin\AppData\Local\b7518339e437082f220ef3d4b601feb9\Admin@ERHQJVYQ_en-US\System\Windows.txt

Filesize
310B

MD5
f801eaba479b1b1f8d73314b8a3c7eae

SHA1
913e068c9f17cfeda6c19c1627a23742e878bca4

SHA256
fd49d140587204358177832ffd519106b22c1530c1bd1b239b81df948d69bc2a

SHA512
906507c1709f17c6278f682d74301546a95f8a45bb35ccc2d9aa0d956eba5f4dbb7c9b0bf1ab9f26e9ae8d874c8368f089bc39769d257b6c4bb80d18fc25d334

Download Submit
C:\Users\Admin\AppData\Local\df4a22ee210f0651e0f96cfed7d44fe6\Admin@ERHQJVYQ_en-US\Directories\Temp.txt

Filesize
21KB

MD5
b7368aad4913ec536e416511a489e11b

SHA1
37161929ba2c38a1b2f59565ffc80221ab72afd8

SHA256
f8345b7128751d866d7b3426d55ed5b2357b3c51fff72bce81ec1a81669d5ab1

SHA512
7dd85b1e57cc0acf3734041ea2b8d62ebc4589013da273291c05b3ddc8139e900f501524f339476924ccec069a9f5312a139ef7f479c63c75c674efdd5041ea6

Download Submit
C:\Users\Admin\AppData\Local\df4a22ee210f0651e0f96cfed7d44fe6\Admin@ERHQJVYQ_en-US\System\Process.txt

Filesize
4KB

MD5
2e7304c90bdf17dad700cf297beb8264

SHA1
0ddce4d70d970f7546d9f677eb68f41b817380fe

SHA256
596bff5c5db8bf57ed2d79fccad9303c06a207e0a8e71bfd634c2e876c11eba8

SHA512
1a5823b09b400e9928283f0032f36dfbb9ac0cf1fab6df13759819d2f6266aab0f3609d96cecc0c2d49413495c931142f741f8e770a485e1379d70dc24ddfe9c

Download Submit
C:\Users\Admin\AppData\Local\df4a22ee210f0651e0f96cfed7d44fe6\Admin@ERHQJVYQ_en-US\System\Process.txt

Filesize
234B

MD5
6a8ef80af41963f8813b5902f8643a0b

SHA1
6ace6db1c32bf688a102d5a433ed4b6b61ad2b75

SHA256
d8abaf7761444aa67e7861feb202d8793c7bea2a831fff57f4bab55324f4e39e

SHA512
20dad0d9f0b2a3a3ca05e81d716bf71143697da614d035923320b1f194b2f27b43adae403eecb67a895fb4114b2af121b31a6465517e51295cd63a253938f198

Download Submit
C:\Users\Admin\AppData\Local\df4a22ee210f0651e0f96cfed7d44fe6\Admin@ERHQJVYQ_en-US\System\Process.txt

Filesize
4KB

MD5
5850ad0a145504b0054dec60b3196267

SHA1
69cfad7cf8622084f7cd471a2c7eaf5955465570

SHA256
9911e236a2c6a5e27d0cf9ba80c4e7632955c4be13aa328acf568f46ead05720

SHA512
d044c5874c8748e36b94615eb93f3d81a6c0a8e9bdc2971a7fa541b141cd2328c4bf0af57aa8db944917c41eda6f0f0198c562469dcf67167246e3fbcdde6b19

Download Submit
C:\Users\Admin\AppData\Local\df4a22ee210f0651e0f96cfed7d44fe6\Admin@ERHQJVYQ_en-US\System\Process.txt

Filesize
273B

MD5
9dfc2d56349bf9d9a3ca287ce83eb144

SHA1
df4cddb759c4b16c9f7c052c43e09bf64e1ff2e6

SHA256
12b8a93a351601b444d4091f37b7714c7775fa71f04310bac1a535192bb2e824

SHA512
26fb11c4732615f7d34ee30712d9627f4ad885857abb59f51fdaa9e442f54ad63efc5e5af0b8f9e0cb72fecd4fc50885dd7c5d7bd7132893c2c301d22aa5a7f0

Download Submit
C:\Users\Admin\AppData\Local\df4a22ee210f0651e0f96cfed7d44fe6\Admin@ERHQJVYQ_en-US\System\Process.txt

Filesize
170B

MD5
1b4a9a39ff578077a52db8ac30405714

SHA1
a4f70bbba5d3ab9de231cca6533debba0bbfffc6

SHA256
4fb5061f4b5613e7fc375a0bdd8f563c2e38bb82d96c34d295ef90dfa04f6abc

SHA512
73ca7754578cd0bac77ad9c36386e451f97a21c7b45545cbeac427b8d1f48aa80034d4386f0d1c9b454dd55f3682fc9245e4f5f54f9e2418bd31cedfb0129a5b

Download Submit
C:\Users\Admin\AppData\Local\df4a22ee210f0651e0f96cfed7d44fe6\Admin@ERHQJVYQ_en-US\System\Process.txt

Filesize
4KB

MD5
ebb603c4d30449cf725030b871b476c8

SHA1
7beebb7f1f8a816c6d08cb1608466a5af1156824

SHA256
6ad528edd37fa1ed386feaf249bf051dfd0148801f2682e549d572e34a7fa53f

SHA512
4a02cd07a87afc96d40fb9a5dc6637774d6b6ce3125cf2ccc3ac440c9bd76c783b00459ab1d73acf3b86cb2118c7b8afb7372c64d5dbb1233f41c2c48ec6577a

Download Submit
C:\Users\Admin\AppData\Local\df4a22ee210f0651e0f96cfed7d44fe6\Admin@ERHQJVYQ_en-US\System\Process.txt

Filesize
2KB

MD5
b3932ef71de760c584a7bb5be3f25573

SHA1
1b313abc6040883396cbfc6e29c3c871cde5fdd0

SHA256
18e5379d1e549445edd1211c2e08be6a8a367252e53b946765ea2705762edf28

SHA512
fb3acc12745a27f1b812092e9a5c1225485f30849dd5708f76b194cab10694424445098ad3549f3f95b6fad75eb19139c468ef68406924b1548050d19d6a0e1e

Download Submit
C:\Users\Admin\AppData\Local\df4a22ee210f0651e0f96cfed7d44fe6\Admin@ERHQJVYQ_en-US\System\Process.txt

Filesize
4KB

MD5
9f635751b5ab273aebd8555b6a574fce

SHA1
b281d52863d100f2e1707a7f7897dff09d257124

SHA256
7138b4e1ebb70a7a8fcadf7b73edc02376effed4cc1021b286e316093796e1a3

SHA512
1210cfad1506a728caaec658c31132e4ef82eea79d6cb0062f8c18cd3e72b7c14ae555a86965432aa768e481c5e15fbaad4fc71c023258c3cf9f6b51bab6c986

Download Submit
C:\Users\Admin\AppData\Local\df4a22ee210f0651e0f96cfed7d44fe6\Admin@ERHQJVYQ_en-US\System\Process.txt

Filesize
4KB

MD5
03d97be6fd0d5ac92f4d73e0d4e946d2

SHA1
161f143e8077990461e5ed3ae7b6e1ba1f83a5c0

SHA256
268835612e5f38e085b21db443df55f619b1695f73be355e90f3317d695404f5

SHA512
57c68f469ce9b18daf2df482ef6d538ec1cd8acc4ae08e2c16099cb8e498fe31fcc886cf3c2f435efec8b53640243475ff02764f31b63a1645d5dfcb5887495e

Download Submit
C:\Users\Admin\AppData\Local\df4a22ee210f0651e0f96cfed7d44fe6\Admin@ERHQJVYQ_en-US\System\Process.txt

Filesize
4KB

MD5
b031866b11e75656cd491f9d11cc503a

SHA1
c5d5f350330d5ca786d001e4e9c299aada599268

SHA256
dc33150eeee7bbd508ae11aa07fdc631e48e7765d159320dd3ce4153ad7d6e9e

SHA512
f5d67cddd0af8bbe1bcc3a73f0f30722c8ca50f06383aa102de9779ed77ae7d357141135b5edd6b09ca97b80db5919cde8bd46954798bd07cc0c140698353af5

Download Submit
C:\Users\Admin\AppData\Local\df4a22ee210f0651e0f96cfed7d44fe6\Admin@ERHQJVYQ_en-US\System\Windows.txt

Filesize
472B

MD5
4dd4f168e809bd9314cbad4d4ef67ab8

SHA1
4fee2a13a789749d8db3cf7c8eb39fed4fc8bca4

SHA256
9e0382ba6f97d390764ee9907e1882808285a2538014a4ebfd0c314d306bfd99

SHA512
904c051e6c031283d6346eed2296e0049f6798702efd19896297890d5356dc5e3a30cf509ef3c016e49fbd5fa3ebe6dc53498d0d712ffaeef69181d5ad5f6c4f

Download Submit
C:\Users\Admin\AppData\Local\f264d17220d4bb49ec07eb0a702c8273\Admin@ERHQJVYQ_en-US\System\Process.txt

Filesize
841B

MD5
3b80a78668f202debd454cd8779a1ca0

SHA1
e8ba589c355f390eb0a06309c8b6da7fa55bd129

SHA256
832baa3fdade23482057d2df4d09ddee1a07b8eca0709c1bedc5b9e9fb74ef41

SHA512
e9f47d7f3bf0b40f2801aca936a272997eed948593c82222fb761b9e895260168266c7dad8ccc0895c5404a21175a259d8af0388f278d5026d01b0f72c6a6f67

Download Submit
C:\Users\Admin\AppData\Local\f264d17220d4bb49ec07eb0a702c8273\Admin@ERHQJVYQ_en-US\System\Process.txt

Filesize
4KB

MD5
8513f1b184fa154c6c30045d3601528c

SHA1
bbceaef1d4a45db5a485aaaa93ce715030b8aa84

SHA256
7a88b1fb0d0fb396b586468bc749d784064976ca23b8e4ef7b226da6ece32881

SHA512
10c579247ba526944f8682a277e94f75740c4d811624ac6932990dd8f68182b0516506e2f5706debfb8f3ad5f6a69c7b0476c9cffc2dea359e3e82e17e1f785b

Download Submit
C:\Users\Admin\AppData\Local\f264d17220d4bb49ec07eb0a702c8273\Admin@ERHQJVYQ_en-US\System\Process.txt

Filesize
4KB

MD5
08bddf5bb64957700f07d2e253ef7efd

SHA1
c3e51fc588c7b4f356a9b5bedba8aec0d29858d8

SHA256
a9b5082b13e508d4eae8ff2de40eeaf6ff3b829268551309b0e5fc7ae2375aa7

SHA512
7dd5c3fa638a54b1f0fdd81019e5a54cf86a48348b105e62302bf210095a3ce2344ca6b1b5f2c9d022a2d65f41f6646abf93864e559cdd45a3e3cbd27a709bbb

Download Submit
C:\Users\Admin\AppData\Local\f264d17220d4bb49ec07eb0a702c8273\Admin@ERHQJVYQ_en-US\System\Process.txt

Filesize
273B

MD5
33d27c38cd6d8cf331d54b37a6e91957

SHA1
faf427f9d58f51f8e4dc45fca1fa12762e6e11c0

SHA256
cfb0dcb1d0f2a19cd0cc11417eb83071288d8206d8782d3d8a8e6929d07a9b0a

SHA512
7edac7af5e8dfa356a4fcdd731c6291eb30f2d57ba326438395570bc8cd2d95e08573c713adf277e5707c8e332d328c9552c5a0b4ce14cc1c86b6af2d679ac81

Download Submit
C:\Users\Admin\AppData\Local\f264d17220d4bb49ec07eb0a702c8273\Admin@ERHQJVYQ_en-US\System\Process.txt

Filesize
312B

MD5
18ff3cad4d83be9019a55e847f9174c9

SHA1
f1f539db2c2d210b8963cb77c6562cd1806fa1a9

SHA256
104b56bd47b1509c630e0cb09dba17ea3c3624e8fa72ddb665ac64a9d620ff05

SHA512
0693403c2b4344fb0e7723a29be74d025dfb5d001db39e95bd1a8c030e9360833857b46e75909ca67413f2eb35107347078f54be85aa39a19cb3493baf4539b5

Download Submit
C:\Users\Admin\AppData\Local\f264d17220d4bb49ec07eb0a702c8273\Admin@ERHQJVYQ_en-US\System\Process.txt

Filesize
1KB

MD5
16d65b8bb084f602e12721384854f18a

SHA1
492bb1899d7694d78184fe5f133b7caedca6ac88

SHA256
646ecd3d1d8bc09560af5399a48849f4592875f79cf89ce1176935628691be31

SHA512
e31967c0f0e2a86523287bfe4389045f6288adb44dc664621398d8784db353162699f682e030ab821af85fb54913062f262045b8575e8b2a1d384dff16af31c7

Download Submit
C:\Users\Admin\AppData\Local\f264d17220d4bb49ec07eb0a702c8273\Admin@ERHQJVYQ_en-US\System\Process.txt

Filesize
872B

MD5
d76f891fe50d278845162c122ced3b33

SHA1
c291deeb4825f1f11209206e9bfed0815989bc23

SHA256
ad03b990a6b51c1265aedfb9fda1548bb6ac3803c5d9d3cfd30c1506f236b270

SHA512
a2328aab85a6c3c293f64d40bbcfa706d1ca6e58635e156de7dae234129801eb24795336d4417a77956c3520ba3c2b594983cfe6972adec07db11af358d52e9b

Download Submit
C:\Users\Admin\AppData\Local\f264d17220d4bb49ec07eb0a702c8273\Admin@ERHQJVYQ_en-US\System\Process.txt

Filesize
4KB

MD5
b831de523918bc6d8556bfc39cd15406

SHA1
b97b99466b963ff7437226879d5a74d7afa07e6e

SHA256
63e7204caf35860e5c8831b55e188db281769655db507fe909e79074617c8e39

SHA512
f8f8aa37faae0bda80fff28bd1ba5a09f08e141f216c8c25a5b39e28b90a2eb438b61bd0f76b49dac0ec40efd29f4783604976c5d9b254ef900570cade54a789

Download Submit
C:\Users\Admin\AppData\Local\f264d17220d4bb49ec07eb0a702c8273\msgid.dat

Filesize
1B

MD5
cfcd208495d565ef66e7dff9f98764da

SHA1
b6589fc6ab0dc82cf12099d1c2d40ab994e8410c

SHA256
5feceb66ffc86f38d952786c6d696c79c2dbc239dd4e91b46729d73a27fb57e9

SHA512
31bca02094eb78126a517b206a88c73cfa9ec6f704c7030d18212cace820f025f00bf0ea68dbf3f3a5436ca63b53bf7bf80ad8d5de7d8359d0b7fed9dbc3ab99

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Spelling\en-US\default.dic

Filesize
2B

MD5
f3b25701fe362ec84616a93a45ce9998

SHA1
d62636d8caec13f04e28442a0a6fa1afeb024bbb

SHA256
b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209

SHA512
98c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84

Download Submit
memory/536-3845-0x000000001B950000-0x000000001B9A6000-memory.dmp

Filesize
344KB

Download
memory/988-18-0x000000007457E000-0x000000007457F000-memory.dmp

Filesize
4KB

Download
memory/988-23-0x0000000006190000-0x000000000622C000-memory.dmp

Filesize
624KB

Download
memory/988-22-0x00000000060A0000-0x00000000060EA000-memory.dmp

Filesize
296KB

Download
memory/988-20-0x00000000065B0000-0x0000000006B54000-memory.dmp

Filesize
5.6MB

Download
memory/988-24-0x0000000006100000-0x000000000610A000-memory.dmp

Filesize
40KB

Download
memory/988-21-0x0000000006000000-0x0000000006092000-memory.dmp

Filesize
584KB

Download
memory/988-19-0x0000000000FB0000-0x0000000001008000-memory.dmp

Filesize
352KB

Download
memory/1288-1402-0x0000000006F00000-0x0000000006F12000-memory.dmp

Filesize
72KB

Download
memory/1288-1220-0x00000000069D0000-0x00000000069DA000-memory.dmp

Filesize
40KB

Download
memory/1336-4112-0x000000001C300000-0x000000001C356000-memory.dmp

Filesize
344KB

Download
memory/1444-3444-0x000000001B630000-0x000000001B686000-memory.dmp

Filesize
344KB

Download
memory/2436-3083-0x000000001AE80000-0x000000001AED6000-memory.dmp

Filesize
344KB

Download
memory/2536-5182-0x000000001B550000-0x000000001B5A6000-memory.dmp

Filesize
344KB

Download
memory/2544-4373-0x000000001C040000-0x000000001C096000-memory.dmp

Filesize
344KB

Download
memory/2664-1396-0x000000001B960000-0x000000001B9B6000-memory.dmp

Filesize
344KB

Download
memory/3084-2972-0x000000001AD30000-0x000000001AD86000-memory.dmp

Filesize
344KB

Download
memory/3308-4500-0x000000001BD90000-0x000000001BDE6000-memory.dmp

Filesize
344KB

Download
memory/3796-17-0x00007FFD8BFE0000-0x00007FFD8CAA1000-memory.dmp

Filesize
10.8MB

Download
memory/3796-3-0x00007FFD8BFE0000-0x00007FFD8CAA1000-memory.dmp

Filesize
10.8MB

Download
memory/3796-1-0x0000000000F30000-0x0000000000F8C000-memory.dmp

Filesize
368KB

Download
memory/3796-0-0x00007FFD8BFE3000-0x00007FFD8BFE5000-memory.dmp

Filesize
8KB

Download
memory/4184-4251-0x000000001BEE0000-0x000000001BF36000-memory.dmp

Filesize
344KB

Download
memory/4692-25-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/4692-34-0x0000000005E00000-0x0000000005E66000-memory.dmp

Filesize
408KB

Download
memory/4868-16-0x00007FFD8BFE0000-0x00007FFD8CAA1000-memory.dmp

Filesize
10.8MB

Download
memory/4868-30-0x00007FFD8BFE0000-0x00007FFD8CAA1000-memory.dmp

Filesize
10.8MB

Download
memory/5328-5041-0x000000001C290000-0x000000001C2E6000-memory.dmp

Filesize
344KB

Download
memory/5428-3324-0x000000001B9A0000-0x000000001B9F6000-memory.dmp

Filesize
344KB

Download
memory/5720-3981-0x000000001BC30000-0x000000001BC86000-memory.dmp

Filesize
344KB

Download
memory/5740-3574-0x000000001B7B0000-0x000000001B806000-memory.dmp

Filesize
344KB

Download
memory/5824-3708-0x000000001C080000-0x000000001C0D6000-memory.dmp

Filesize
344KB

Download
memory/5852-3199-0x000000001B950000-0x000000001B9A6000-memory.dmp

Filesize
344KB

Download
memory/6176-4759-0x000000001B510000-0x000000001B566000-memory.dmp

Filesize
344KB

Download
memory/6316-5305-0x000000001B4A0000-0x000000001B4F6000-memory.dmp

Filesize
344KB

Download
memory/6556-4623-0x000000001BBA0000-0x000000001BBF6000-memory.dmp

Filesize
344KB

Download
memory/7000-4901-0x000000001B860000-0x000000001B8B6000-memory.dmp

Filesize
344KB

Download