asyncrat | 9d9a79f4ae9bf7a992945f6c06c5bec642c05e4e828217c50255dabfa3677006

max time kernel
45s
max time network
48s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
01-10-2024 19:23

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

RebelCracked.exe
Size

344KB
MD5

a84fd0fc75b9c761e9b7923a08da41c7
SHA1

2597048612041cd7a8c95002c73e9c2818bb2097
SHA256

9d9a79f4ae9bf7a992945f6c06c5bec642c05e4e828217c50255dabfa3677006
SHA512

a17f1144a0e3ce07c7ed6891987c5b969f291e9991442c33750028d35e2194794e8a649c397e8afc9f8ce19d485c453600c75cab4fcead09e38414d85819251a
SSDEEP

6144:lOcpeK8lucxAtLNFHUVuI/2zj1z6jZ755NofmWx4PCQL23wBw7R0ljTwrVuAdJKp:QcpSnx0LNFDQ60Ntbo5d7gBw7R7rbdJk

Score

10^/10

asyncrat stormkitty default discovery persistence privilege_escalation rat spyware stealer

Malware Config

Extracted

Family

asyncrat

Botnet

Default

127.0.0.1:6606

127.0.0.1:7707

127.0.0.1:8808

Mutex

AsyncMutex_6SI8OkPnk

Attributes

delay
3
install
false
install_folder
%AppData%

aes.plain

Signatures

AsyncRat
AsyncRAT is designed to remotely monitor and control other computers written in C#.
rat asyncrat
StormKitty
StormKitty is an open source info stealer written in C#.
stealer stormkitty

StormKitty payload 5 IoCs

resource	yara_rule
behavioral1/memory/2912-26-0x0000000000400000-0x0000000000432000-memory.dmp	family_stormkitty
behavioral1/memory/2912-24-0x0000000000400000-0x0000000000432000-memory.dmp	family_stormkitty
behavioral1/memory/2912-22-0x0000000000400000-0x0000000000432000-memory.dmp	family_stormkitty
behavioral1/memory/2912-19-0x0000000000400000-0x0000000000432000-memory.dmp	family_stormkitty
behavioral1/memory/2912-17-0x0000000000400000-0x0000000000432000-memory.dmp	family_stormkitty

Executes dropped EXE 41 IoCs

pid	Process
1884	RuntimeBroker.exe
2912	RuntimeBroker.exe
2888	RuntimeBroker.exe
3064	RuntimeBroker.exe
2640	RuntimeBroker.exe
1768	RuntimeBroker.exe
2928	RuntimeBroker.exe
548	RuntimeBroker.exe
1532	RuntimeBroker.exe
1900	RuntimeBroker.exe
1492	RuntimeBroker.exe
1952	RuntimeBroker.exe
1744	RuntimeBroker.exe
2624	RuntimeBroker.exe
1980	RuntimeBroker.exe
660	RuntimeBroker.exe
2508	RuntimeBroker.exe
2524	RuntimeBroker.exe
892	RuntimeBroker.exe
2460	RuntimeBroker.exe
844	RuntimeBroker.exe
1412	RuntimeBroker.exe
1708	RuntimeBroker.exe
2500	RuntimeBroker.exe
2832	RuntimeBroker.exe
612	RuntimeBroker.exe
2820	RuntimeBroker.exe
2644	RuntimeBroker.exe
1880	RuntimeBroker.exe
2660	RuntimeBroker.exe
840	RuntimeBroker.exe
1748	RuntimeBroker.exe
3016	RuntimeBroker.exe
2996	RuntimeBroker.exe
2268	RuntimeBroker.exe
764	RuntimeBroker.exe
2344	RuntimeBroker.exe
1676	RuntimeBroker.exe
2212	RuntimeBroker.exe
2976	RuntimeBroker.exe
2408	RuntimeBroker.exe

Loads dropped DLL 1 IoCs

pid	Process
1884	RuntimeBroker.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Drops desktop.ini file(s) 64 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Local\bfb35758038878f50f1ac0fd9b9ebccc\Admin@ZQABOPWE_en-US\Grabber\DRIVE-C\Users\Admin\Documents\desktop.ini	RuntimeBroker.exe
File created	C:\Users\Admin\AppData\Local\9810221d33fdc6c8d4eba8d3933542ce\Admin@ZQABOPWE_en-US\Grabber\DRIVE-C\Users\Admin\Desktop\desktop.ini	RuntimeBroker.exe
File created	C:\Users\Admin\AppData\Local\fa18f64c0a5bd68d32cf0020ffdc310d\Admin@ZQABOPWE_en-US\Grabber\DRIVE-C\Users\Admin\Desktop\desktop.ini	RuntimeBroker.exe
File created	C:\Users\Admin\AppData\Local\fa18f64c0a5bd68d32cf0020ffdc310d\Admin@ZQABOPWE_en-US\Grabber\DRIVE-C\Users\Admin\Desktop\desktop.ini	RuntimeBroker.exe
File opened for modification	C:\Users\Admin\AppData\Local\73a648084adfb3da320c640d94c646db\Admin@ZQABOPWE_en-US\Grabber\DRIVE-C\Users\Admin\Pictures\desktop.ini	RuntimeBroker.exe
File opened for modification	C:\Users\Admin\AppData\Local\ce9aea436b927286bf80dfb3add4f7b5\Admin@ZQABOPWE_en-US\Grabber\DRIVE-C\Users\Admin\Documents\desktop.ini	RuntimeBroker.exe
File opened for modification	C:\Users\Admin\AppData\Local\fa18f64c0a5bd68d32cf0020ffdc310d\Admin@ZQABOPWE_en-US\Grabber\DRIVE-C\Users\Admin\Desktop\desktop.ini	RuntimeBroker.exe
File opened for modification	C:\Users\Admin\AppData\Local\bfb35758038878f50f1ac0fd9b9ebccc\Admin@ZQABOPWE_en-US\Grabber\DRIVE-C\Users\Admin\Desktop\desktop.ini	RuntimeBroker.exe
File created	C:\Users\Admin\AppData\Local\fa18f64c0a5bd68d32cf0020ffdc310d\Admin@ZQABOPWE_en-US\Grabber\DRIVE-C\Users\Admin\Documents\desktop.ini	RuntimeBroker.exe
File created	C:\Users\Admin\AppData\Local\fa18f64c0a5bd68d32cf0020ffdc310d\Admin@ZQABOPWE_en-US\Grabber\DRIVE-C\Users\Admin\Desktop\desktop.ini	RuntimeBroker.exe
File created	C:\Users\Admin\AppData\Local\fa18f64c0a5bd68d32cf0020ffdc310d\Admin@ZQABOPWE_en-US\Grabber\DRIVE-C\Users\Admin\Downloads\desktop.ini	RuntimeBroker.exe
File opened for modification	C:\Users\Admin\AppData\Local\9810221d33fdc6c8d4eba8d3933542ce\Admin@ZQABOPWE_en-US\Grabber\DRIVE-C\Users\Admin\Desktop\desktop.ini	RuntimeBroker.exe
File opened for modification	C:\Users\Admin\AppData\Local\fa18f64c0a5bd68d32cf0020ffdc310d\Admin@ZQABOPWE_en-US\Grabber\DRIVE-C\Users\Admin\Pictures\desktop.ini	RuntimeBroker.exe
File created	C:\Users\Admin\AppData\Local\fab5c14b9ba3507d34b861e522b7adaf\Admin@ZQABOPWE_en-US\Grabber\DRIVE-C\Users\Admin\Downloads\desktop.ini	RuntimeBroker.exe
File opened for modification	C:\Users\Admin\AppData\Local\ce9aea436b927286bf80dfb3add4f7b5\Admin@ZQABOPWE_en-US\Grabber\DRIVE-C\Users\Admin\Downloads\desktop.ini	RuntimeBroker.exe
File opened for modification	C:\Users\Admin\AppData\Local\81aebf779e5442514ac9e2796872fd18\Admin@ZQABOPWE_en-US\Grabber\DRIVE-C\Users\Admin\Downloads\desktop.ini	RuntimeBroker.exe
File created	C:\Users\Admin\AppData\Local\9810221d33fdc6c8d4eba8d3933542ce\Admin@ZQABOPWE_en-US\Grabber\DRIVE-C\Users\Admin\Downloads\desktop.ini	RuntimeBroker.exe
File created	C:\Users\Admin\AppData\Local\bfb35758038878f50f1ac0fd9b9ebccc\Admin@ZQABOPWE_en-US\Grabber\DRIVE-C\Users\Admin\Pictures\desktop.ini	RuntimeBroker.exe
File created	C:\Users\Admin\AppData\Local\fa18f64c0a5bd68d32cf0020ffdc310d\Admin@ZQABOPWE_en-US\Grabber\DRIVE-C\Users\Admin\Pictures\desktop.ini	RuntimeBroker.exe
File created	C:\Users\Admin\AppData\Local\73a648084adfb3da320c640d94c646db\Admin@ZQABOPWE_en-US\Grabber\DRIVE-C\Users\Admin\Pictures\desktop.ini	RuntimeBroker.exe
File created	C:\Users\Admin\AppData\Local\fa18f64c0a5bd68d32cf0020ffdc310d\Admin@ZQABOPWE_en-US\Grabber\DRIVE-C\Users\Admin\Pictures\desktop.ini	RuntimeBroker.exe
File opened for modification	C:\Users\Admin\AppData\Local\73a648084adfb3da320c640d94c646db\Admin@ZQABOPWE_en-US\Grabber\DRIVE-C\Users\Admin\Documents\desktop.ini	RuntimeBroker.exe
File created	C:\Users\Admin\AppData\Local\ce9aea436b927286bf80dfb3add4f7b5\Admin@ZQABOPWE_en-US\Grabber\DRIVE-C\Users\Admin\Pictures\desktop.ini	RuntimeBroker.exe
File created	C:\Users\Admin\AppData\Local\fab5c14b9ba3507d34b861e522b7adaf\Admin@ZQABOPWE_en-US\Grabber\DRIVE-C\Users\Admin\Pictures\desktop.ini	RuntimeBroker.exe
File created	C:\Users\Admin\AppData\Local\bfb35758038878f50f1ac0fd9b9ebccc\Admin@ZQABOPWE_en-US\Grabber\DRIVE-C\Users\Admin\Desktop\desktop.ini	RuntimeBroker.exe
File created	C:\Users\Admin\AppData\Local\fa18f64c0a5bd68d32cf0020ffdc310d\Admin@ZQABOPWE_en-US\Grabber\DRIVE-C\Users\Admin\Downloads\desktop.ini	RuntimeBroker.exe
File created	C:\Users\Admin\AppData\Local\fab5c14b9ba3507d34b861e522b7adaf\Admin@ZQABOPWE_en-US\Grabber\DRIVE-C\Users\Admin\Documents\desktop.ini	RuntimeBroker.exe
File opened for modification	C:\Users\Admin\AppData\Local\81aebf779e5442514ac9e2796872fd18\Admin@ZQABOPWE_en-US\Grabber\DRIVE-C\Users\Admin\Desktop\desktop.ini	RuntimeBroker.exe
File created	C:\Users\Admin\AppData\Local\fa18f64c0a5bd68d32cf0020ffdc310d\Admin@ZQABOPWE_en-US\Grabber\DRIVE-C\Users\Admin\Documents\desktop.ini	RuntimeBroker.exe
File created	C:\Users\Admin\AppData\Local\73a648084adfb3da320c640d94c646db\Admin@ZQABOPWE_en-US\Grabber\DRIVE-C\Users\Admin\Desktop\desktop.ini	RuntimeBroker.exe
File created	C:\Users\Admin\AppData\Local\ce9aea436b927286bf80dfb3add4f7b5\Admin@ZQABOPWE_en-US\Grabber\DRIVE-C\Users\Admin\Downloads\desktop.ini	RuntimeBroker.exe
File created	C:\Users\Admin\AppData\Local\bfb35758038878f50f1ac0fd9b9ebccc\Admin@ZQABOPWE_en-US\Grabber\DRIVE-C\Users\Admin\Desktop\desktop.ini	RuntimeBroker.exe
File created	C:\Users\Admin\AppData\Local\bfb35758038878f50f1ac0fd9b9ebccc\Admin@ZQABOPWE_en-US\Grabber\DRIVE-C\Users\Admin\Desktop\desktop.ini	RuntimeBroker.exe
File opened for modification	C:\Users\Admin\AppData\Local\fa18f64c0a5bd68d32cf0020ffdc310d\Admin@ZQABOPWE_en-US\Grabber\DRIVE-C\Users\Admin\Desktop\desktop.ini	RuntimeBroker.exe
File opened for modification	C:\Users\Admin\AppData\Local\fa18f64c0a5bd68d32cf0020ffdc310d\Admin@ZQABOPWE_en-US\Grabber\DRIVE-C\Users\Admin\Desktop\desktop.ini	RuntimeBroker.exe
File created	C:\Users\Admin\AppData\Local\ce9aea436b927286bf80dfb3add4f7b5\Admin@ZQABOPWE_en-US\Grabber\DRIVE-C\Users\Admin\Documents\desktop.ini	RuntimeBroker.exe
File opened for modification	C:\Users\Admin\AppData\Local\bfb35758038878f50f1ac0fd9b9ebccc\Admin@ZQABOPWE_en-US\Grabber\DRIVE-C\Users\Admin\Desktop\desktop.ini	RuntimeBroker.exe
File created	C:\Users\Admin\AppData\Local\fa18f64c0a5bd68d32cf0020ffdc310d\Admin@ZQABOPWE_en-US\Grabber\DRIVE-C\Users\Admin\Pictures\desktop.ini	RuntimeBroker.exe
File created	C:\Users\Admin\AppData\Local\bfb35758038878f50f1ac0fd9b9ebccc\Admin@ZQABOPWE_en-US\Grabber\DRIVE-C\Users\Admin\Downloads\desktop.ini	RuntimeBroker.exe
File opened for modification	C:\Users\Admin\AppData\Local\81aebf779e5442514ac9e2796872fd18\Admin@ZQABOPWE_en-US\Grabber\DRIVE-C\Users\Admin\Documents\desktop.ini	RuntimeBroker.exe
File created	C:\Users\Admin\AppData\Local\9810221d33fdc6c8d4eba8d3933542ce\Admin@ZQABOPWE_en-US\Grabber\DRIVE-C\Users\Admin\Pictures\desktop.ini	RuntimeBroker.exe
File created	C:\Users\Admin\AppData\Local\bfb35758038878f50f1ac0fd9b9ebccc\Admin@ZQABOPWE_en-US\Grabber\DRIVE-C\Users\Admin\Documents\desktop.ini	RuntimeBroker.exe
File created	C:\Users\Admin\AppData\Local\fa18f64c0a5bd68d32cf0020ffdc310d\Admin@ZQABOPWE_en-US\Grabber\DRIVE-C\Users\Admin\Pictures\desktop.ini	RuntimeBroker.exe
File created	C:\Users\Admin\AppData\Local\73a648084adfb3da320c640d94c646db\Admin@ZQABOPWE_en-US\Grabber\DRIVE-C\Users\Admin\Pictures\desktop.ini	RuntimeBroker.exe
File created	C:\Users\Admin\AppData\Local\73a648084adfb3da320c640d94c646db\Admin@ZQABOPWE_en-US\Grabber\DRIVE-C\Users\Admin\Desktop\desktop.ini	RuntimeBroker.exe
File created	C:\Users\Admin\AppData\Local\ce9aea436b927286bf80dfb3add4f7b5\Admin@ZQABOPWE_en-US\Grabber\DRIVE-C\Users\Admin\Desktop\desktop.ini	RuntimeBroker.exe
File created	C:\Users\Admin\AppData\Local\fa18f64c0a5bd68d32cf0020ffdc310d\Admin@ZQABOPWE_en-US\Grabber\DRIVE-C\Users\Admin\Downloads\desktop.ini	RuntimeBroker.exe
File created	C:\Users\Admin\AppData\Local\9810221d33fdc6c8d4eba8d3933542ce\Admin@ZQABOPWE_en-US\Grabber\DRIVE-C\Users\Admin\Documents\desktop.ini	RuntimeBroker.exe
File created	C:\Users\Admin\AppData\Local\73a648084adfb3da320c640d94c646db\Admin@ZQABOPWE_en-US\Grabber\DRIVE-C\Users\Admin\Documents\desktop.ini	RuntimeBroker.exe
File created	C:\Users\Admin\AppData\Local\73a648084adfb3da320c640d94c646db\Admin@ZQABOPWE_en-US\Grabber\DRIVE-C\Users\Admin\Downloads\desktop.ini	RuntimeBroker.exe
File opened for modification	C:\Users\Admin\AppData\Local\ce9aea436b927286bf80dfb3add4f7b5\Admin@ZQABOPWE_en-US\Grabber\DRIVE-C\Users\Admin\Desktop\desktop.ini	RuntimeBroker.exe
File opened for modification	C:\Users\Admin\AppData\Local\81aebf779e5442514ac9e2796872fd18\Admin@ZQABOPWE_en-US\Grabber\DRIVE-C\Users\Admin\Desktop\desktop.ini	RuntimeBroker.exe
File opened for modification	C:\Users\Admin\AppData\Local\ce9aea436b927286bf80dfb3add4f7b5\Admin@ZQABOPWE_en-US\Grabber\DRIVE-C\Users\Admin\Pictures\desktop.ini	RuntimeBroker.exe
File created	C:\Users\Admin\AppData\Local\9810221d33fdc6c8d4eba8d3933542ce\Admin@ZQABOPWE_en-US\Grabber\DRIVE-C\Users\Admin\Pictures\desktop.ini	RuntimeBroker.exe
File opened for modification	C:\Users\Admin\AppData\Local\73a648084adfb3da320c640d94c646db\Admin@ZQABOPWE_en-US\Grabber\DRIVE-C\Users\Admin\Desktop\desktop.ini	RuntimeBroker.exe
File created	C:\Users\Admin\AppData\Local\73a648084adfb3da320c640d94c646db\Admin@ZQABOPWE_en-US\Grabber\DRIVE-C\Users\Admin\Documents\desktop.ini	RuntimeBroker.exe
File created	C:\Users\Admin\AppData\Local\73a648084adfb3da320c640d94c646db\Admin@ZQABOPWE_en-US\Grabber\DRIVE-C\Users\Admin\Downloads\desktop.ini	RuntimeBroker.exe
File created	C:\Users\Admin\AppData\Local\fab5c14b9ba3507d34b861e522b7adaf\Admin@ZQABOPWE_en-US\Grabber\DRIVE-C\Users\Admin\Desktop\desktop.ini	RuntimeBroker.exe
File created	C:\Users\Admin\AppData\Local\fa18f64c0a5bd68d32cf0020ffdc310d\Admin@ZQABOPWE_en-US\Grabber\DRIVE-C\Users\Admin\Desktop\desktop.ini	RuntimeBroker.exe
File created	C:\Users\Admin\AppData\Local\bfb35758038878f50f1ac0fd9b9ebccc\Admin@ZQABOPWE_en-US\Grabber\DRIVE-C\Users\Admin\Documents\desktop.ini	RuntimeBroker.exe
File created	C:\Users\Admin\AppData\Local\fa18f64c0a5bd68d32cf0020ffdc310d\Admin@ZQABOPWE_en-US\Grabber\DRIVE-C\Users\Admin\Documents\desktop.ini	RuntimeBroker.exe
File opened for modification	C:\Users\Admin\AppData\Local\fa18f64c0a5bd68d32cf0020ffdc310d\Admin@ZQABOPWE_en-US\Grabber\DRIVE-C\Users\Admin\Desktop\desktop.ini	RuntimeBroker.exe
File opened for modification	C:\Users\Admin\AppData\Local\fab5c14b9ba3507d34b861e522b7adaf\Admin@ZQABOPWE_en-US\Grabber\DRIVE-C\Users\Admin\Downloads\desktop.ini	RuntimeBroker.exe
File opened for modification	C:\Users\Admin\AppData\Local\ce9aea436b927286bf80dfb3add4f7b5\Admin@ZQABOPWE_en-US\Grabber\DRIVE-C\Users\Admin\Desktop\desktop.ini	RuntimeBroker.exe

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
5	icanhazip.com

Looks up geolocation information via web service
Uses a legitimate geolocation service to find the infected system's geolocation info.

Suspicious use of SetThreadContext 20 IoCs

description	pid	Process	procid_target
PID 1884 set thread context of 2912	1884	RuntimeBroker.exe	33
PID 2888 set thread context of 3064	2888	RuntimeBroker.exe	36
PID 2640 set thread context of 1768	2640	RuntimeBroker.exe	39
PID 2928 set thread context of 548	2928	RuntimeBroker.exe	43
PID 1532 set thread context of 1900	1532	RuntimeBroker.exe	55
PID 1492 set thread context of 1952	1492	RuntimeBroker.exe	67
PID 1744 set thread context of 2624	1744	RuntimeBroker.exe	79
PID 1980 set thread context of 660	1980	RuntimeBroker.exe	91
PID 2508 set thread context of 2524	2508	RuntimeBroker.exe	102
PID 892 set thread context of 2460	892	RuntimeBroker.exe	115
PID 844 set thread context of 1412	844	RuntimeBroker.exe	126
PID 1708 set thread context of 2500	1708	RuntimeBroker.exe	139
PID 2832 set thread context of 612	2832	RuntimeBroker.exe	152
PID 2820 set thread context of 2644	2820	RuntimeBroker.exe	163
PID 1880 set thread context of 2660	1880	RuntimeBroker.exe	176
PID 840 set thread context of 1748	840	RuntimeBroker.exe	188
PID 3016 set thread context of 2996	3016	RuntimeBroker.exe	192
PID 2268 set thread context of 764	2268	RuntimeBroker.exe	212
PID 2344 set thread context of 1676	2344	RuntimeBroker.exe	217
PID 2212 set thread context of 2976	2212	RuntimeBroker.exe	228

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Event Triggered Execution: Netsh Helper DLL 1 TTPs 64 IoCs

Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

persistence privilege_escalation

Netsh Helper DLL

T1546.007

description	ioc	Process
Key queried	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RuntimeBroker.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RuntimeBroker.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RuntimeBroker.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	findstr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	findstr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	chcp.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RuntimeBroker.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	findstr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	chcp.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RuntimeBroker.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RuntimeBroker.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RuntimeBroker.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RuntimeBroker.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	chcp.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	chcp.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RuntimeBroker.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	findstr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	findstr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	findstr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RuntimeBroker.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RuntimeBroker.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	chcp.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RuntimeBroker.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	chcp.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	chcp.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	chcp.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	chcp.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	findstr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RuntimeBroker.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	chcp.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RuntimeBroker.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	findstr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RuntimeBroker.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	findstr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	chcp.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RuntimeBroker.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	chcp.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RuntimeBroker.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	chcp.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RuntimeBroker.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RuntimeBroker.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

System Network Configuration Discovery: Wi-Fi Discovery 1 TTPs 32 IoCs

Adversaries may search for information about Wi-Fi networks, such as network names and passwords, on compromised systems.

discovery

Wi-Fi Discovery

T1016.002

pid	Process
2904	cmd.exe
668	netsh.exe
2340	cmd.exe
2100	netsh.exe
2612	cmd.exe
3056	cmd.exe
2432	netsh.exe
2936	netsh.exe
1880	netsh.exe
1316	netsh.exe
2836	netsh.exe
668	cmd.exe
556	cmd.exe
2456	cmd.exe
2992	cmd.exe
332	cmd.exe
1836	netsh.exe
2268	cmd.exe
2116	cmd.exe
3028	netsh.exe
1096	netsh.exe
2284	netsh.exe
2492	netsh.exe
2256	netsh.exe
1436	cmd.exe
2484	cmd.exe
1892	netsh.exe
2064	cmd.exe
2996	cmd.exe
784	cmd.exe
844	netsh.exe
2468	netsh.exe

Checks processor information in registry 2 TTPs 28 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\Description\System\CentralProcessor\0	RuntimeBroker.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	RuntimeBroker.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\Description\System\CentralProcessor\0	RuntimeBroker.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	RuntimeBroker.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\Description\System\CentralProcessor\0	RuntimeBroker.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	RuntimeBroker.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	RuntimeBroker.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	RuntimeBroker.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	RuntimeBroker.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	RuntimeBroker.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	RuntimeBroker.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\Description\System\CentralProcessor\0	RuntimeBroker.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\Description\System\CentralProcessor\0	RuntimeBroker.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	RuntimeBroker.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	RuntimeBroker.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\Description\System\CentralProcessor\0	RuntimeBroker.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	RuntimeBroker.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\Description\System\CentralProcessor\0	RuntimeBroker.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	RuntimeBroker.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\Description\System\CentralProcessor\0	RuntimeBroker.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\Description\System\CentralProcessor\0	RuntimeBroker.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	RuntimeBroker.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\Description\System\CentralProcessor\0	RuntimeBroker.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\Description\System\CentralProcessor\0	RuntimeBroker.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	RuntimeBroker.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\Description\System\CentralProcessor\0	RuntimeBroker.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\Description\System\CentralProcessor\0	RuntimeBroker.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\Description\System\CentralProcessor\0	RuntimeBroker.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2912	RuntimeBroker.exe
2912	RuntimeBroker.exe
2912	RuntimeBroker.exe
2912	RuntimeBroker.exe
2912	RuntimeBroker.exe
3064	RuntimeBroker.exe
3064	RuntimeBroker.exe
3064	RuntimeBroker.exe
3064	RuntimeBroker.exe
3064	RuntimeBroker.exe
1768	RuntimeBroker.exe
1768	RuntimeBroker.exe
1768	RuntimeBroker.exe
1768	RuntimeBroker.exe
1768	RuntimeBroker.exe
1768	RuntimeBroker.exe
1768	RuntimeBroker.exe
1768	RuntimeBroker.exe
1768	RuntimeBroker.exe
548	RuntimeBroker.exe
548	RuntimeBroker.exe
548	RuntimeBroker.exe
548	RuntimeBroker.exe
548	RuntimeBroker.exe
1900	RuntimeBroker.exe
1900	RuntimeBroker.exe
1900	RuntimeBroker.exe
1900	RuntimeBroker.exe
1900	RuntimeBroker.exe
1900	RuntimeBroker.exe
1900	RuntimeBroker.exe
1952	RuntimeBroker.exe
1952	RuntimeBroker.exe
1952	RuntimeBroker.exe
1952	RuntimeBroker.exe
1952	RuntimeBroker.exe
2624	RuntimeBroker.exe
2624	RuntimeBroker.exe
2624	RuntimeBroker.exe
2624	RuntimeBroker.exe
2624	RuntimeBroker.exe
660	RuntimeBroker.exe
660	RuntimeBroker.exe
660	RuntimeBroker.exe
660	RuntimeBroker.exe
660	RuntimeBroker.exe
660	RuntimeBroker.exe
660	RuntimeBroker.exe
660	RuntimeBroker.exe
660	RuntimeBroker.exe
2524	RuntimeBroker.exe
2524	RuntimeBroker.exe
2524	RuntimeBroker.exe
2524	RuntimeBroker.exe
2524	RuntimeBroker.exe
2460	RuntimeBroker.exe
2460	RuntimeBroker.exe
2460	RuntimeBroker.exe
2460	RuntimeBroker.exe
2460	RuntimeBroker.exe
1412	RuntimeBroker.exe
1412	RuntimeBroker.exe
1412	RuntimeBroker.exe
1412	RuntimeBroker.exe

Suspicious use of AdjustPrivilegeToken 20 IoCs

description	pid	Process
Token: SeDebugPrivilege	2912	RuntimeBroker.exe
Token: SeDebugPrivilege	3064	RuntimeBroker.exe
Token: SeDebugPrivilege	1768	RuntimeBroker.exe
Token: SeDebugPrivilege	548	RuntimeBroker.exe
Token: SeDebugPrivilege	1900	RuntimeBroker.exe
Token: SeDebugPrivilege	1952	RuntimeBroker.exe
Token: SeDebugPrivilege	2624	RuntimeBroker.exe
Token: SeDebugPrivilege	660	RuntimeBroker.exe
Token: SeDebugPrivilege	2524	RuntimeBroker.exe
Token: SeDebugPrivilege	2460	RuntimeBroker.exe
Token: SeDebugPrivilege	1412	RuntimeBroker.exe
Token: SeDebugPrivilege	2500	RuntimeBroker.exe
Token: SeDebugPrivilege	612	RuntimeBroker.exe
Token: SeDebugPrivilege	2644	RuntimeBroker.exe
Token: SeDebugPrivilege	2660	RuntimeBroker.exe
Token: SeDebugPrivilege	1748	RuntimeBroker.exe
Token: SeDebugPrivilege	2996	RuntimeBroker.exe
Token: SeDebugPrivilege	764	RuntimeBroker.exe
Token: SeDebugPrivilege	1676	RuntimeBroker.exe
Token: SeDebugPrivilege	2976	RuntimeBroker.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2552 wrote to memory of 1884	2552	RebelCracked.exe	31
PID 2552 wrote to memory of 1884	2552	RebelCracked.exe	31
PID 2552 wrote to memory of 1884	2552	RebelCracked.exe	31
PID 2552 wrote to memory of 1884	2552	RebelCracked.exe	31
PID 2552 wrote to memory of 1888	2552	RebelCracked.exe	32
PID 2552 wrote to memory of 1888	2552	RebelCracked.exe	32
PID 2552 wrote to memory of 1888	2552	RebelCracked.exe	32
PID 1884 wrote to memory of 2912	1884	RuntimeBroker.exe	33
PID 1884 wrote to memory of 2912	1884	RuntimeBroker.exe	33
PID 1884 wrote to memory of 2912	1884	RuntimeBroker.exe	33
PID 1884 wrote to memory of 2912	1884	RuntimeBroker.exe	33
PID 1884 wrote to memory of 2912	1884	RuntimeBroker.exe	33
PID 1884 wrote to memory of 2912	1884	RuntimeBroker.exe	33
PID 1884 wrote to memory of 2912	1884	RuntimeBroker.exe	33
PID 1884 wrote to memory of 2912	1884	RuntimeBroker.exe	33
PID 1884 wrote to memory of 2912	1884	RuntimeBroker.exe	33
PID 1888 wrote to memory of 2888	1888	RebelCracked.exe	34
PID 1888 wrote to memory of 2888	1888	RebelCracked.exe	34
PID 1888 wrote to memory of 2888	1888	RebelCracked.exe	34
PID 1888 wrote to memory of 2888	1888	RebelCracked.exe	34
PID 1888 wrote to memory of 2616	1888	RebelCracked.exe	35
PID 1888 wrote to memory of 2616	1888	RebelCracked.exe	35
PID 1888 wrote to memory of 2616	1888	RebelCracked.exe	35
PID 2888 wrote to memory of 3064	2888	RuntimeBroker.exe	36
PID 2888 wrote to memory of 3064	2888	RuntimeBroker.exe	36
PID 2888 wrote to memory of 3064	2888	RuntimeBroker.exe	36
PID 2888 wrote to memory of 3064	2888	RuntimeBroker.exe	36
PID 2888 wrote to memory of 3064	2888	RuntimeBroker.exe	36
PID 2888 wrote to memory of 3064	2888	RuntimeBroker.exe	36
PID 2888 wrote to memory of 3064	2888	RuntimeBroker.exe	36
PID 2888 wrote to memory of 3064	2888	RuntimeBroker.exe	36
PID 2888 wrote to memory of 3064	2888	RuntimeBroker.exe	36
PID 2616 wrote to memory of 2640	2616	RebelCracked.exe	37
PID 2616 wrote to memory of 2640	2616	RebelCracked.exe	37
PID 2616 wrote to memory of 2640	2616	RebelCracked.exe	37
PID 2616 wrote to memory of 2640	2616	RebelCracked.exe	37
PID 2616 wrote to memory of 2676	2616	RebelCracked.exe	38
PID 2616 wrote to memory of 2676	2616	RebelCracked.exe	38
PID 2616 wrote to memory of 2676	2616	RebelCracked.exe	38
PID 2640 wrote to memory of 1768	2640	RuntimeBroker.exe	39
PID 2640 wrote to memory of 1768	2640	RuntimeBroker.exe	39
PID 2640 wrote to memory of 1768	2640	RuntimeBroker.exe	39
PID 2640 wrote to memory of 1768	2640	RuntimeBroker.exe	39
PID 2640 wrote to memory of 1768	2640	RuntimeBroker.exe	39
PID 2640 wrote to memory of 1768	2640	RuntimeBroker.exe	39
PID 2640 wrote to memory of 1768	2640	RuntimeBroker.exe	39
PID 2640 wrote to memory of 1768	2640	RuntimeBroker.exe	39
PID 2640 wrote to memory of 1768	2640	RuntimeBroker.exe	39
PID 2676 wrote to memory of 2928	2676	RebelCracked.exe	41
PID 2676 wrote to memory of 2928	2676	RebelCracked.exe	41
PID 2676 wrote to memory of 2928	2676	RebelCracked.exe	41
PID 2676 wrote to memory of 2928	2676	RebelCracked.exe	41
PID 2676 wrote to memory of 1112	2676	RebelCracked.exe	42
PID 2676 wrote to memory of 1112	2676	RebelCracked.exe	42
PID 2676 wrote to memory of 1112	2676	RebelCracked.exe	42
PID 2928 wrote to memory of 548	2928	RuntimeBroker.exe	43
PID 2928 wrote to memory of 548	2928	RuntimeBroker.exe	43
PID 2928 wrote to memory of 548	2928	RuntimeBroker.exe	43
PID 2928 wrote to memory of 548	2928	RuntimeBroker.exe	43
PID 2928 wrote to memory of 548	2928	RuntimeBroker.exe	43
PID 2928 wrote to memory of 548	2928	RuntimeBroker.exe	43
PID 2928 wrote to memory of 548	2928	RuntimeBroker.exe	43
PID 2928 wrote to memory of 548	2928	RuntimeBroker.exe	43
PID 2928 wrote to memory of 548	2928	RuntimeBroker.exe	43

C:\Users\Admin\AppData\Local\Temp\RebelCracked.exe
"C:\Users\Admin\AppData\Local\Temp\RebelCracked.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2552
- C:\Users\Admin\AppData\Local\RuntimeBroker.exe
  "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1884
- - C:\Users\Admin\AppData\Local\RuntimeBroker.exe
    "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
    3⤵
    - Executes dropped EXE
    - Drops desktop.ini file(s)
    - System Location Discovery: System Language Discovery
    - Checks processor information in registry
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2912
  - - C:\Windows\SysWOW64\cmd.exe
      "cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All
      4⤵
      System Network Configuration Discovery: Wi-Fi Discovery
      PID:2064
    - - C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        5⤵
        
        PID:2120
    - - C:\Windows\SysWOW64\netsh.exe
        
        netsh wlan show profile
        5⤵
        Event Triggered Execution: Netsh Helper DLL
        System Network Configuration Discovery: Wi-Fi Discovery
        
        PID:2432
    - - C:\Windows\SysWOW64\findstr.exe
        
        findstr All
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:2508
  - - C:\Windows\SysWOW64\cmd.exe
      "cmd.exe" /C chcp 65001 && netsh wlan show networks mode=bssid
      4⤵
      PID:2240
    - - C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        5⤵
        
        PID:1220
    - - C:\Windows\SysWOW64\netsh.exe
        
        netsh wlan show networks mode=bssid
        5⤵
        Event Triggered Execution: Netsh Helper DLL
        
        PID:1744
- C:\Users\Admin\AppData\Local\Temp\RebelCracked.exe
  "C:\Users\Admin\AppData\Local\Temp\RebelCracked.exe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1888
- - C:\Users\Admin\AppData\Local\RuntimeBroker.exe
    "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
    PID:2888
  - - C:\Users\Admin\AppData\Local\RuntimeBroker.exe
      "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
      4⤵
      Executes dropped EXE
      Drops desktop.ini file(s)
      System Location Discovery: System Language Discovery
      Checks processor information in registry
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:3064
    - - C:\Windows\SysWOW64\cmd.exe
        
        "cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All
        5⤵
        System Location Discovery: System Language Discovery
        System Network Configuration Discovery: Wi-Fi Discovery
        
        PID:2992
      - C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        6⤵
        
        PID:1292
      - C:\Windows\SysWOW64\netsh.exe
        
        netsh wlan show profile
        6⤵
        Event Triggered Execution: Netsh Helper DLL
        System Network Configuration Discovery: Wi-Fi Discovery
        
        PID:2492
      - C:\Windows\SysWOW64\findstr.exe
        
        findstr All
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:2188
    - - C:\Windows\SysWOW64\cmd.exe
        
        "cmd.exe" /C chcp 65001 && netsh wlan show networks mode=bssid
        5⤵
        
        PID:2408
      - C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        6⤵
        
        PID:2996
      - C:\Windows\SysWOW64\netsh.exe
        
        netsh wlan show networks mode=bssid
        6⤵
        Event Triggered Execution: Netsh Helper DLL
        
        PID:1836
- - C:\Users\Admin\AppData\Local\Temp\RebelCracked.exe
    "C:\Users\Admin\AppData\Local\Temp\RebelCracked.exe"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2616
  - - C:\Users\Admin\AppData\Local\RuntimeBroker.exe
      "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of SetThreadContext
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:2640
    - - C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        5⤵
        Executes dropped EXE
        Drops desktop.ini file(s)
        Checks processor information in registry
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1768
      - C:\Windows\SysWOW64\cmd.exe
        
        "cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All
        6⤵
        System Network Configuration Discovery: Wi-Fi Discovery
        
        PID:2904
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:2868
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh wlan show profile
        7⤵
        Event Triggered Execution: Netsh Helper DLL
        System Network Configuration Discovery: Wi-Fi Discovery
        
        PID:2836
        
        C:\Windows\SysWOW64\findstr.exe
        
        findstr All
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:3048
      - C:\Windows\SysWOW64\cmd.exe
        
        "cmd.exe" /C chcp 65001 && netsh wlan show networks mode=bssid
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:1884
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        7⤵
        
        PID:2852
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh wlan show networks mode=bssid
        7⤵
        Event Triggered Execution: Netsh Helper DLL
        System Location Discovery: System Language Discovery
        
        PID:660
  - - C:\Users\Admin\AppData\Local\Temp\RebelCracked.exe
      "C:\Users\Admin\AppData\Local\Temp\RebelCracked.exe"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:2676
    - - C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2928
      - C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        6⤵
        Executes dropped EXE
        Drops desktop.ini file(s)
        System Location Discovery: System Language Discovery
        Checks processor information in registry
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:548
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All
        7⤵
        System Location Discovery: System Language Discovery
        System Network Configuration Discovery: Wi-Fi Discovery
        
        PID:332
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:988
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh wlan show profile
        8⤵
        Event Triggered Execution: Netsh Helper DLL
        System Network Configuration Discovery: Wi-Fi Discovery
        
        PID:2256
        
        C:\Windows\SysWOW64\findstr.exe
        
        findstr All
        8⤵
        
        PID:344
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd.exe" /C chcp 65001 && netsh wlan show networks mode=bssid
        7⤵
        
        PID:1216
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        8⤵
        
        PID:1524
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh wlan show networks mode=bssid
        8⤵
        Event Triggered Execution: Netsh Helper DLL
        
        PID:2568
    - - C:\Users\Admin\AppData\Local\Temp\RebelCracked.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RebelCracked.exe"
        5⤵
        
        PID:1112
      - C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        6⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:1532
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        7⤵
        Executes dropped EXE
        Drops desktop.ini file(s)
        System Location Discovery: System Language Discovery
        Checks processor information in registry
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1900
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All
        8⤵
        System Network Configuration Discovery: Wi-Fi Discovery
        
        PID:1436
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        9⤵
        
        PID:2280
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh wlan show profile
        9⤵
        Event Triggered Execution: Netsh Helper DLL
        System Location Discovery: System Language Discovery
        System Network Configuration Discovery: Wi-Fi Discovery
        
        PID:3028
        
        C:\Windows\SysWOW64\findstr.exe
        
        findstr All
        9⤵
        
        PID:2496
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd.exe" /C chcp 65001 && netsh wlan show networks mode=bssid
        8⤵
        
        PID:304
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        9⤵
        
        PID:1736
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh wlan show networks mode=bssid
        9⤵
        Event Triggered Execution: Netsh Helper DLL
        
        PID:2488
      - C:\Users\Admin\AppData\Local\Temp\RebelCracked.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RebelCracked.exe"
        6⤵
        
        PID:2084
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        7⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:1492
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        8⤵
        Executes dropped EXE
        Drops desktop.ini file(s)
        Checks processor information in registry
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1952
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All
        9⤵
        System Location Discovery: System Language Discovery
        System Network Configuration Discovery: Wi-Fi Discovery
        
        PID:2484
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        10⤵
        System Location Discovery: System Language Discovery
        
        PID:2408
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh wlan show profile
        10⤵
        Event Triggered Execution: Netsh Helper DLL
        System Network Configuration Discovery: Wi-Fi Discovery
        
        PID:1096
        
        C:\Windows\SysWOW64\findstr.exe
        
        findstr All
        10⤵
        
        PID:1360
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd.exe" /C chcp 65001 && netsh wlan show networks mode=bssid
        9⤵
        
        PID:1860
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        10⤵
        
        PID:760
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh wlan show networks mode=bssid
        10⤵
        Event Triggered Execution: Netsh Helper DLL
        System Location Discovery: System Language Discovery
        
        PID:3032
        
        C:\Users\Admin\AppData\Local\Temp\RebelCracked.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RebelCracked.exe"
        7⤵
        
        PID:2180
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        8⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:1744
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        9⤵
        Executes dropped EXE
        Drops desktop.ini file(s)
        Checks processor information in registry
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2624
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All
        10⤵
        System Network Configuration Discovery: Wi-Fi Discovery
        
        PID:2996
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        11⤵
        System Location Discovery: System Language Discovery
        
        PID:2332
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh wlan show profile
        11⤵
        Event Triggered Execution: Netsh Helper DLL
        System Network Configuration Discovery: Wi-Fi Discovery
        
        PID:668
        
        C:\Windows\SysWOW64\findstr.exe
        
        findstr All
        11⤵
        System Location Discovery: System Language Discovery
        
        PID:3040
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd.exe" /C chcp 65001 && netsh wlan show networks mode=bssid
        10⤵
        
        PID:2484
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        11⤵
        
        PID:2568
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh wlan show networks mode=bssid
        11⤵
        Event Triggered Execution: Netsh Helper DLL
        System Location Discovery: System Language Discovery
        
        PID:1616
        
        C:\Users\Admin\AppData\Local\Temp\RebelCracked.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RebelCracked.exe"
        8⤵
        
        PID:2684
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        9⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:1980
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        10⤵
        Executes dropped EXE
        Drops desktop.ini file(s)
        Checks processor information in registry
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:660
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All
        11⤵
        System Location Discovery: System Language Discovery
        System Network Configuration Discovery: Wi-Fi Discovery
        
        PID:2340
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        12⤵
        System Location Discovery: System Language Discovery
        
        PID:1360
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh wlan show profile
        12⤵
        Event Triggered Execution: Netsh Helper DLL
        System Network Configuration Discovery: Wi-Fi Discovery
        
        PID:2936
        
        C:\Windows\SysWOW64\findstr.exe
        
        findstr All
        12⤵
        System Location Discovery: System Language Discovery
        
        PID:2132
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd.exe" /C chcp 65001 && netsh wlan show networks mode=bssid
        11⤵
        System Location Discovery: System Language Discovery
        
        PID:2568
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        12⤵
        System Location Discovery: System Language Discovery
        
        PID:2420
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh wlan show networks mode=bssid
        12⤵
        Event Triggered Execution: Netsh Helper DLL
        System Location Discovery: System Language Discovery
        
        PID:2228
        
        C:\Users\Admin\AppData\Local\Temp\RebelCracked.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RebelCracked.exe"
        9⤵
        
        PID:604
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        10⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:2508
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        11⤵
        Executes dropped EXE
        Drops desktop.ini file(s)
        System Location Discovery: System Language Discovery
        Checks processor information in registry
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2524
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All
        12⤵
        System Location Discovery: System Language Discovery
        System Network Configuration Discovery: Wi-Fi Discovery
        
        PID:668
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        13⤵
        System Location Discovery: System Language Discovery
        
        PID:2408
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh wlan show profile
        13⤵
        Event Triggered Execution: Netsh Helper DLL
        System Network Configuration Discovery: Wi-Fi Discovery
        
        PID:1836
        
        C:\Windows\SysWOW64\findstr.exe
        
        findstr All
        13⤵
        
        PID:596
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd.exe" /C chcp 65001 && netsh wlan show networks mode=bssid
        12⤵
        
        PID:840
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        13⤵
        
        PID:2064
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh wlan show networks mode=bssid
        13⤵
        Event Triggered Execution: Netsh Helper DLL
        
        PID:2516
        
        C:\Users\Admin\AppData\Local\Temp\RebelCracked.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RebelCracked.exe"
        10⤵
        
        PID:1524
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        11⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:892
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        12⤵
        Executes dropped EXE
        Drops desktop.ini file(s)
        Checks processor information in registry
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2460
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All
        13⤵
        System Location Discovery: System Language Discovery
        System Network Configuration Discovery: Wi-Fi Discovery
        
        PID:784
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        14⤵
        System Location Discovery: System Language Discovery
        
        PID:2508
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh wlan show profile
        14⤵
        Event Triggered Execution: Netsh Helper DLL
        System Network Configuration Discovery: Wi-Fi Discovery
        
        PID:2100
        
        C:\Windows\SysWOW64\findstr.exe
        
        findstr All
        14⤵
        System Location Discovery: System Language Discovery
        
        PID:1888
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd.exe" /C chcp 65001 && netsh wlan show networks mode=bssid
        13⤵
        
        PID:1632
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        14⤵
        System Location Discovery: System Language Discovery
        
        PID:3024
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh wlan show networks mode=bssid
        14⤵
        Event Triggered Execution: Netsh Helper DLL
        
        PID:2144
        
        C:\Users\Admin\AppData\Local\Temp\RebelCracked.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RebelCracked.exe"
        11⤵
        
        PID:2268
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        12⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:844
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        13⤵
        Executes dropped EXE
        Drops desktop.ini file(s)
        System Location Discovery: System Language Discovery
        Checks processor information in registry
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1412
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All
        14⤵
        System Location Discovery: System Language Discovery
        System Network Configuration Discovery: Wi-Fi Discovery
        
        PID:2612
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        15⤵
        System Location Discovery: System Language Discovery
        
        PID:2552
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh wlan show profile
        15⤵
        Event Triggered Execution: Netsh Helper DLL
        System Location Discovery: System Language Discovery
        System Network Configuration Discovery: Wi-Fi Discovery
        
        PID:844
        
        C:\Windows\SysWOW64\findstr.exe
        
        findstr All
        15⤵
        
        PID:2456
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd.exe" /C chcp 65001 && netsh wlan show networks mode=bssid
        14⤵
        
        PID:2432
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        15⤵
        
        PID:1608
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh wlan show networks mode=bssid
        15⤵
        Event Triggered Execution: Netsh Helper DLL
        System Location Discovery: System Language Discovery
        
        PID:3016
        
        C:\Users\Admin\AppData\Local\Temp\RebelCracked.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RebelCracked.exe"
        12⤵
        
        PID:2448
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        13⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:1708
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        14⤵
        Executes dropped EXE
        Drops desktop.ini file(s)
        Checks processor information in registry
        Suspicious use of AdjustPrivilegeToken
        
        PID:2500
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All
        15⤵
        System Location Discovery: System Language Discovery
        System Network Configuration Discovery: Wi-Fi Discovery
        
        PID:2116
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        16⤵
        System Location Discovery: System Language Discovery
        
        PID:1240
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh wlan show profile
        16⤵
        Event Triggered Execution: Netsh Helper DLL
        System Location Discovery: System Language Discovery
        System Network Configuration Discovery: Wi-Fi Discovery
        
        PID:1880
        
        C:\Windows\SysWOW64\findstr.exe
        
        findstr All
        16⤵
        
        PID:2616
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd.exe" /C chcp 65001 && netsh wlan show networks mode=bssid
        15⤵
        
        PID:2228
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        16⤵
        
        PID:3032
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh wlan show networks mode=bssid
        16⤵
        Event Triggered Execution: Netsh Helper DLL
        
        PID:316
        
        C:\Users\Admin\AppData\Local\Temp\RebelCracked.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RebelCracked.exe"
        13⤵
        
        PID:2288
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        14⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:2832
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        15⤵
        
        PID:604
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        15⤵
        Executes dropped EXE
        Drops desktop.ini file(s)
        System Location Discovery: System Language Discovery
        Checks processor information in registry
        Suspicious use of AdjustPrivilegeToken
        
        PID:612
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All
        16⤵
        System Location Discovery: System Language Discovery
        System Network Configuration Discovery: Wi-Fi Discovery
        
        PID:3056
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        17⤵
        
        PID:2144
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh wlan show profile
        17⤵
        Event Triggered Execution: Netsh Helper DLL
        System Network Configuration Discovery: Wi-Fi Discovery
        
        PID:2468
        
        C:\Windows\SysWOW64\findstr.exe
        
        findstr All
        17⤵
        System Location Discovery: System Language Discovery
        
        PID:2792
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd.exe" /C chcp 65001 && netsh wlan show networks mode=bssid
        16⤵
        
        PID:3000
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        17⤵
        
        PID:2164
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh wlan show networks mode=bssid
        17⤵
        Event Triggered Execution: Netsh Helper DLL
        
        PID:2200
        
        C:\Users\Admin\AppData\Local\Temp\RebelCracked.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RebelCracked.exe"
        14⤵
        
        PID:2432
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        15⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:2820
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        16⤵
        Executes dropped EXE
        Drops desktop.ini file(s)
        Checks processor information in registry
        Suspicious use of AdjustPrivilegeToken
        
        PID:2644
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All
        17⤵
        System Network Configuration Discovery: Wi-Fi Discovery
        
        PID:556
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        18⤵
        
        PID:984
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh wlan show profile
        18⤵
        Event Triggered Execution: Netsh Helper DLL
        System Location Discovery: System Language Discovery
        System Network Configuration Discovery: Wi-Fi Discovery
        
        PID:2284
        
        C:\Windows\SysWOW64\findstr.exe
        
        findstr All
        18⤵
        System Location Discovery: System Language Discovery
        
        PID:2564
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd.exe" /C chcp 65001 && netsh wlan show networks mode=bssid
        17⤵
        System Location Discovery: System Language Discovery
        
        PID:1996
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        18⤵
        System Location Discovery: System Language Discovery
        
        PID:2900
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh wlan show networks mode=bssid
        18⤵
        Event Triggered Execution: Netsh Helper DLL
        
        PID:2764
        
        C:\Users\Admin\AppData\Local\Temp\RebelCracked.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RebelCracked.exe"
        15⤵
        
        PID:1364
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        16⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:1880
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        17⤵
        Executes dropped EXE
        Drops desktop.ini file(s)
        Suspicious use of AdjustPrivilegeToken
        
        PID:2660
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All
        18⤵
        System Network Configuration Discovery: Wi-Fi Discovery
        
        PID:2456
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        19⤵
        
        PID:3048
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh wlan show profile
        19⤵
        Event Triggered Execution: Netsh Helper DLL
        System Network Configuration Discovery: Wi-Fi Discovery
        
        PID:1316
        
        C:\Windows\SysWOW64\findstr.exe
        
        findstr All
        19⤵
        System Location Discovery: System Language Discovery
        
        PID:1240
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd.exe" /C chcp 65001 && netsh wlan show networks mode=bssid
        18⤵
        
        PID:1292
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        19⤵
        
        PID:1436
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh wlan show networks mode=bssid
        19⤵
        Event Triggered Execution: Netsh Helper DLL
        System Location Discovery: System Language Discovery
        
        PID:2340
        
        C:\Users\Admin\AppData\Local\Temp\RebelCracked.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RebelCracked.exe"
        16⤵
        
        PID:940
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        17⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:840
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        18⤵
        Executes dropped EXE
        Drops desktop.ini file(s)
        Suspicious use of AdjustPrivilegeToken
        
        PID:1748
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All
        19⤵
        System Location Discovery: System Language Discovery
        System Network Configuration Discovery: Wi-Fi Discovery
        
        PID:2268
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        20⤵
        
        PID:2228
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh wlan show profile
        20⤵
        Event Triggered Execution: Netsh Helper DLL
        System Network Configuration Discovery: Wi-Fi Discovery
        
        PID:1892
        
        C:\Windows\SysWOW64\findstr.exe
        
        findstr All
        20⤵
        
        PID:2612
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd.exe" /C chcp 65001 && netsh wlan show networks mode=bssid
        19⤵
        
        PID:1888
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        20⤵
        System Location Discovery: System Language Discovery
        
        PID:1996
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh wlan show networks mode=bssid
        20⤵
        Event Triggered Execution: Netsh Helper DLL
        
        PID:2636
        
        C:\Users\Admin\AppData\Local\Temp\RebelCracked.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RebelCracked.exe"
        17⤵
        
        PID:2516
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        18⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:3016
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        19⤵
        
        PID:3040
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        19⤵
        Executes dropped EXE
        Drops desktop.ini file(s)
        Suspicious use of AdjustPrivilegeToken
        
        PID:2996
        
        C:\Users\Admin\AppData\Local\Temp\RebelCracked.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RebelCracked.exe"
        18⤵
        
        PID:1232
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        19⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:2268
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        20⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:764
        
        C:\Users\Admin\AppData\Local\Temp\RebelCracked.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RebelCracked.exe"
        19⤵
        
        PID:2052
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        20⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:2344
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        21⤵
        
        PID:2852
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        21⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:1676
        
        C:\Users\Admin\AppData\Local\Temp\RebelCracked.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RebelCracked.exe"
        20⤵
        
        PID:2100
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        21⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:2212
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        22⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:2976
        
        C:\Users\Admin\AppData\Local\Temp\RebelCracked.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RebelCracked.exe"
        21⤵
        
        PID:2740
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        22⤵
        Executes dropped EXE
        
        PID:2408
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        23⤵
        
        PID:2116
        
        C:\Users\Admin\AppData\Local\Temp\RebelCracked.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RebelCracked.exe"
        22⤵
        
        PID:2368
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        23⤵
        
        PID:2608
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        24⤵
        
        PID:1112
        
        C:\Users\Admin\AppData\Local\Temp\RebelCracked.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RebelCracked.exe"
        23⤵
        
        PID:2736

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Privilege Escalation

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Defense Evasion

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

System Network Configuration Discovery

T1016

Wi-Fi Discovery

T1016.002

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\73a648084adfb3da320c640d94c646db\Admin@ZQABOPWE_en-US\Browsers\Firefox\Bookmarks.txt

Filesize
105B

MD5
2e9d094dda5cdc3ce6519f75943a4ff4

SHA1
5d989b4ac8b699781681fe75ed9ef98191a5096c

SHA256
c84c98bbf5e0ef9c8d0708b5d60c5bb656b7d6be5135d7f7a8d25557e08cf142

SHA512
d1f7eed00959e902bdb2125b91721460d3ff99f3bdfc1f2a343d4f58e8d4e5e5a06c0c6cdc0379211c94510f7c00d7a8b34fa7d0ca0c3d54cbbe878f1e9812b7

Download Submit
C:\Users\Admin\AppData\Local\73a648084adfb3da320c640d94c646db\Admin@ZQABOPWE_en-US\System\Process.txt

Filesize
3KB

MD5
9b3cb4ef80553b80e5d10aa7d8dedd10

SHA1
0eba1f095df2bc1d42938e59c601eb7293e62a2b

SHA256
1d242d89f8a1fe4c438d8c64676a1a578d09fcf89e198862858c7a2949b0f646

SHA512
4b65c215bf44d3e4d7241eb08a563c394167654f3eb1c936d2a40d878e705f8264f161913af2296ccf8aa0edfe594c21ab8fc43f0998dd565da67fd55b859398

Download Submit
C:\Users\Admin\AppData\Local\73a648084adfb3da320c640d94c646db\msgid.dat

Filesize
1B

MD5
cfcd208495d565ef66e7dff9f98764da

SHA1
b6589fc6ab0dc82cf12099d1c2d40ab994e8410c

SHA256
5feceb66ffc86f38d952786c6d696c79c2dbc239dd4e91b46729d73a27fb57e9

SHA512
31bca02094eb78126a517b206a88c73cfa9ec6f704c7030d18212cace820f025f00bf0ea68dbf3f3a5436ca63b53bf7bf80ad8d5de7d8359d0b7fed9dbc3ab99

Download Submit
C:\Users\Admin\AppData\Local\81aebf779e5442514ac9e2796872fd18\Admin@ZQABOPWE_en-US\Directories\Temp.txt

Filesize
2KB

MD5
fffc72970c5b1053cb7b18cd5b320d58

SHA1
2d9ae5dc879dd45f5c6e9a153a18f80f670a80c2

SHA256
e264cc538246fa066ee8daf608854366a80a191430685842c3db1d941eaac7fe

SHA512
f3fe5e58b27d3e57a91e4813202f5378064fa058cdac0ad60f5e1b634b7b541e2ba0614ce6fb8332187e6ea422eb885f2c85d72542e4e0d1031df728e9253495

Download Submit
C:\Users\Admin\AppData\Local\81aebf779e5442514ac9e2796872fd18\Admin@ZQABOPWE_en-US\System\Process.txt

Filesize
290B

MD5
5df99ddb18ba4279bf9115dc0a9d70d8

SHA1
05c28f56cbe64e117eb9c1827716ab05d0ba26b5

SHA256
11e48f8077c69f940f9ad3516409324020f1ac27b0030ae0b4376739c66bc446

SHA512
85e23dc62ec8db24d41d1d0067e7ae4cc2817b4dd3920c06d54735e782293aaffc53ddf62bdcaa6435e74a167a03989d4437a2ba419477814dea1590e5fab97f

Download Submit
C:\Users\Admin\AppData\Local\81aebf779e5442514ac9e2796872fd18\Admin@ZQABOPWE_en-US\System\Process.txt

Filesize
2KB

MD5
d6638020ef098934bf6a2d91153da27b

SHA1
fe722c074cd568eb173aa7a60e4c8e19e45f411e

SHA256
10d379ec2fab3fdb6964cb0e173ebe524ff281519538b9300a07d74c05012a0d

SHA512
3cbbc90c718c87a71e82269482f844edd861510c7d86c274013fd1f6c62f71f94f2c8537eb08412b3a117b158a41531f80fd0816afbd498c7d449a7a66868848

Download Submit
C:\Users\Admin\AppData\Local\81aebf779e5442514ac9e2796872fd18\Admin@ZQABOPWE_en-US\System\Process.txt

Filesize
4KB

MD5
f0d77ffce99e92baf4e75790dfe39f9e

SHA1
90b8925194ea96cad3dc23e82522370d1eac17d7

SHA256
5a5ada7ebe028b6aed142a47f8344bbabd84fbcff5d1fcf0cec3b367154dc18a

SHA512
6221c77c7ff9de2ec995d64679cc3e0ea6882aaa2c67011639693efe6c066c3afb0250d527e06883b7e3df5ead9f99b62a85e41c0e9caa5b5d9b507198325cd6

Download Submit
C:\Users\Admin\AppData\Local\9810221d33fdc6c8d4eba8d3933542ce\Admin@ZQABOPWE_en-US\System\Process.txt

Filesize
198B

MD5
847e67f84d7581127c9d68afa6d00076

SHA1
14aba7faac2d43b274d8781117be2e7176c4b581

SHA256
58a349754858b15c16ad3bfcd68ce5618167047f4826e6a272fafa6f9fa0012c

SHA512
39e0470f1f569ef9d72fb6b2cda8268b66ad8426c796f6a3ad293f66028de7f6167666d4ea3849cf43a3c09644058ba55b3d17125077c9aec5412a7c50cfb901

Download Submit
C:\Users\Admin\AppData\Local\RuntimeBroker.exe

Filesize
330KB

MD5
75e456775c0a52b6bbe724739fa3b4a7

SHA1
1f4c575e98d48775f239ceae474e03a3058099ea

SHA256
e8d52d0d352317b3da0be6673099d32e10e7b0e44d23a0c1a6a5277d37b95cf3

SHA512
b376146c6fa91f741d69acf7b02a57442d2ea059be37b9bdb06af6cc01272f4ded1a82e4e21b9c803d0e91e22fc12f70391f5e8c8704d51b2435afc9624e8471

Download Submit
C:\Users\Admin\AppData\Local\Temp\places.raw

Filesize
5.0MB

MD5
ae61a66d83f1da2e7095f4d550732fbd

SHA1
4ba3a2f43a47fec552cf1e9e35bb33ab2e60bf02

SHA256
2ef56f7d5a10e6545354978628a06584d9b535bd9f382f524abaf80fa28bab15

SHA512
a6a2ab88312e1ff90e4563049041739eda748d22fe82422886647f9819d1430eef71ea737291b0f6a1bb268c0ef6814bcdebdf100b51816482f5171b1e0a690a

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpF190.tmp.dat

Filesize
92KB

MD5
6093b9b9effe107a1958b5e8775d196a

SHA1
f86ede48007734aebe75f41954ea1ef64924b05e

SHA256
a10b04d057393f5974c776ed253909cafcd014752a57da2971ae0dddfa889ab0

SHA512
2d9c20a201655ffcce71bfafa71b79fe08eb8aa02b5666588302608f6a14126a5a1f4213a963eb528514e2ea2b17871c4c5f9b5ef89c1940c40c0718ec367a77

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpF1A1.tmp.dat

Filesize
148KB

MD5
90a1d4b55edf36fa8b4cc6974ed7d4c4

SHA1
aba1b8d0e05421e7df5982899f626211c3c4b5c1

SHA256
7cf3e9e8619904e72ea6608cc43e9b6c9f8aa2af02476f60c2b3daf33075981c

SHA512
ea0838be754e1258c230111900c5937d2b0788f90bbf7c5f82b2ceda7868e50afb86c301f313267eaa912778da45755560b5434885521bf915967a7863922ae2

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpF91F.tmp.dat

Filesize
46KB

MD5
02d2c46697e3714e49f46b680b9a6b83

SHA1
84f98b56d49f01e9b6b76a4e21accf64fd319140

SHA256
522cad95d3fa6ebb3274709b8d09bbb1ca37389d0a924cd29e934a75aa04c6c9

SHA512
60348a145bfc71b1e07cb35fa79ab5ff472a3d0a557741ea2d39b3772bc395b86e261bd616f65307ae0d997294e49b5548d32f11e86ef3e2704959ca63da8aac

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpF942.tmp.dat

Filesize
96KB

MD5
d367ddfda80fdcf578726bc3b0bc3e3c

SHA1
23fcd5e4e0e5e296bee7e5224a8404ecd92cf671

SHA256
0b8607fdf72f3e651a2a8b0ac7be171b4cb44909d76bb8d6c47393b8ea3d84a0

SHA512
40e9239e3f084b4b981431817ca282feb986cf49227911bf3d68845baf2ee626b564c8fabe6e13b97e6eb214da1c02ca09a62bcf5e837900160cf479c104bf77

Download Submit
C:\Users\Admin\AppData\Local\bfb35758038878f50f1ac0fd9b9ebccc\Admin@ZQABOPWE_en-US\System\Process.txt

Filesize
1KB

MD5
843064ff70423a1bc49303c7ece36eab

SHA1
31e7a9e1766fa811287f5f3ddc0dab760bba52d9

SHA256
e5efc63e2285f2aace4c2bcb457574abf77bab2ecbec08071e83111755a63354

SHA512
f34ff75a0a13d4ebb330c0a550116ceb5040f3144c78ac866f842bb285afa84c7382d823a772e2feb5bd005d5c2fc4b969d5aa4035d3f9c2f327de835bb76aca

Download Submit
C:\Users\Admin\AppData\Local\bfb35758038878f50f1ac0fd9b9ebccc\Admin@ZQABOPWE_en-US\System\Process.txt

Filesize
1KB

MD5
48ccec3038a0f1396abf09d23b854246

SHA1
c1f68d2e997d5fccf20d4b37f4dd14f757aa6ebb

SHA256
a598de3aa5708af2c497e9f5c987b5172c6ecc83ef01824cbdc489e59d4b33fe

SHA512
c655a848ddd6d376581ce6a4aa00bf5d58db32816adce40de2ae02749d95038d83f71361ced0d55ec0aad7633a4e2fdd955e86a993e505779dbc683cfbfa41fd

Download Submit
C:\Users\Admin\AppData\Local\bfb35758038878f50f1ac0fd9b9ebccc\Admin@ZQABOPWE_en-US\System\Process.txt

Filesize
1KB

MD5
84a18ead758c264e8fb938b0e3147178

SHA1
dac6d099cf10c3498c59a6163ad0801b4fcbfde0

SHA256
9ebb3098183c8507d5d5d259f83ef574a64342fc97d1c1b3ceabe662169e3019

SHA512
605f849756e007e32baf6c2115af69c47ebd978e12b25632911bfc2644807209e24c80fb41c76af58bdadf2ffcee29f3dedafd5c2201bfd6a5f6372e1a765b4d

Download Submit
C:\Users\Admin\AppData\Local\bfb35758038878f50f1ac0fd9b9ebccc\Admin@ZQABOPWE_en-US\System\Process.txt

Filesize
113B

MD5
7b93fb6d660197681ae2603c889e090d

SHA1
a888f23ea00d39993c8f9d579111248f8590fc6f

SHA256
41dd2399b626c34776dc21108b805ea4d397290edf4eb8a4af048fe35dc02ac5

SHA512
2e0c067dc20895d92014969b2ba1f8aa1605f4f5f65d9bef420ae519f7d44e46dc0837bc3839f15dc97ab1a1bc4106b3db3dd61b65a67d5b9141d87afd4ea62e

Download Submit
C:\Users\Admin\AppData\Local\ce9aea436b927286bf80dfb3add4f7b5\Admin@ZQABOPWE_en-US\Directories\Temp.txt

Filesize
1KB

MD5
8211b13b960eb0a36e5d5f4dcf9b8631

SHA1
b55a8d83c82c3cbdf7696334876874a66bdfb7e0

SHA256
ddf1ea96a57d62a3142eaa5afebb7c3dbed697611248197424c15cf0da1dff17

SHA512
b5e37573e2b9ed60cba084d3be1a56256036bb6d133a08519854e22ee354ce5a75fa996bcefceff21acc1a4520ad9e1486e626077a8205dedfcdddf8d7915401

Download Submit
C:\Users\Admin\AppData\Local\ce9aea436b927286bf80dfb3add4f7b5\Admin@ZQABOPWE_en-US\System\Process.txt

Filesize
2KB

MD5
ac691f70b0ae7e873e897564ec10b9ad

SHA1
f375cd77379b750c9c14716ac37df824760e84d7

SHA256
ed2d207b6b0b46dcf012627094ae01ccb4ce6fce471b73f3f2a93c8632e2708d

SHA512
b650e2898d875a5906dcb71407bb9eea4494d2061eb60794df3ac62eaa535ca6148fff691a389c8cc9479be178fc8c6e6206a5a792d447ed6176d716c761afe4

Download Submit
C:\Users\Admin\AppData\Local\ce9aea436b927286bf80dfb3add4f7b5\Admin@ZQABOPWE_en-US\System\Process.txt

Filesize
4KB

MD5
f11d9eadc73449b5a60eb917528362ae

SHA1
d5310dbc7ffd93627dd852074810101f38e47c7b

SHA256
22e7fe480b67ef76b7615b86ce03ce3babfdd618a2f913108fdb693607e2a803

SHA512
10d8c24d99db51115aac94c9360f3163c0a38b068d7e689ba1d54d331a9783885080eeba7621253cdb3b964ecdf0eb0bad37628b33f5d9e3e2cba723b4aff330

Download Submit
C:\Users\Admin\AppData\Local\ce9aea436b927286bf80dfb3add4f7b5\Admin@ZQABOPWE_en-US\System\ScanningNetworks.txt

Filesize
118B

MD5
2a5b1b68e8c60a7bbc64ccbdab5c059b

SHA1
9ed50f7bdc446b08407a43ea4144ed3d7062c3bb

SHA256
1dbd461d3e88a299f97ae8779e98a20f20f906fbbc7c6f61f2ca1b663b997189

SHA512
d13f54fa81639cef910a0406372bf5bb190bfe7cecb7b6ab045d2939c323e29dd2893f3c20e2ffd15ea452dafdbf94320b15b8cac47791f00d545c862a17a930

Download Submit
C:\Users\Admin\AppData\Local\fa18f64c0a5bd68d32cf0020ffdc310d\Admin@ZQABOPWE_en-US\System\Process.txt

Filesize
282B

MD5
d162e136200e2fb76189643c38e819b5

SHA1
8757c463b6deb98f9318c512e404f223e1072826

SHA256
a348193354b39804413609d71884fc755ebb9bea538b2188f7d8f1199defd3c1

SHA512
af27db2eacf96ab4e59ab29c71472790ee4cd683cae95c5ecd64614cd0ff8437114657f6386af7b3013a1ebf5898aca8c441b6d340f51e2379b644cb473d4122

Download Submit
C:\Users\Admin\AppData\Local\fa18f64c0a5bd68d32cf0020ffdc310d\Admin@ZQABOPWE_en-US\System\Process.txt

Filesize
459B

MD5
0dee019630554736108aa3bd0a761d3a

SHA1
5f4bb65a09a9135ed66f1d61caaec63f6e63bcd8

SHA256
79204c3cc1bb2e341999b2938d93e72a0d92c33f8ef0d5d80228060a4db0b658

SHA512
5232eabcf31cd796c7a1e1e3ba4f38df5faca84e253dc96b447b97ee7518b5b789499e1b4f7b7666e4f9531c883ff8cff6407154f8b334284be03869daf18e93

Download Submit
C:\Users\Admin\AppData\Local\fa18f64c0a5bd68d32cf0020ffdc310d\Admin@ZQABOPWE_en-US\System\Process.txt

Filesize
430B

MD5
4669fc7f4e097dab2cb1016170b7b90d

SHA1
ed53a20392e845232f1c094a88f96ddda09cb4e2

SHA256
b425d409a1ea3b725b9e6f8ba5c9834019b966a35270498fa34bb1d3c5b11e27

SHA512
0f47b2e52824658b0ee6afcc646d39307876ca390434bcfac740ef06b944bfcc113a169f65120c02fd38df62b93f094383c5e8dee79a54f8d07ee3f06e09ddbd

Download Submit
C:\Users\Admin\AppData\Local\fa18f64c0a5bd68d32cf0020ffdc310d\Admin@ZQABOPWE_en-US\System\Process.txt

Filesize
544B

MD5
329ce46b968ad0c12e1a5e21fbe38084

SHA1
c61382b9a0b49ee8c54b26d118680b2742a77b67

SHA256
7ac7746fd4e4fc126a73d8c57a8be2052d001861ab9d94f474bd64af306ca62e

SHA512
3c1fefeaa9bf870a92cf087384cc58dca908829cdbfbe54fe11c2df5138c31b49447d0f6a7c892bf91fd75c2c72bbe9bd192bfe99d66f80856a4884beace7604

Download Submit
C:\Users\Admin\AppData\Local\fa18f64c0a5bd68d32cf0020ffdc310d\Admin@ZQABOPWE_en-US\System\Process.txt

Filesize
1KB

MD5
e9654db826facc13e712f4ad2ee06de5

SHA1
ff8614342cf65eae5a9a8d80eae82978e0e2eac1

SHA256
ecad5a73c34219835c32d9aa2fa0b3d34029a63429d63d0cdb1446c769afdade

SHA512
46fccb131ab4defd8b22165d2cf90ccf7ee32180dee789a3a73e195f46835f265f718eb60653b377519a71639fc3b63fc64cd2c759921e6f1864f5ce868bcae8

Download Submit
C:\Users\Admin\AppData\Local\fa18f64c0a5bd68d32cf0020ffdc310d\Admin@ZQABOPWE_en-US\System\Process.txt

Filesize
1KB

MD5
5733518f278efcfcfb01aa36215ee3f4

SHA1
3a2c0a8cf45b40bac29525ce40557f918c39906b

SHA256
9e359607a2a15ef55602255615b7e6314f18b8f9b689705ba286d7889e81036c

SHA512
d17a1495ea2b3879145aa9e3a78b154175debb7a2e33e5ab9a864ba4867e6accee6ee80e20ad935adb9cf7d1d99a94dc4b4adb92e0a63055cfafe5a63566d02a

Download Submit
C:\Users\Admin\AppData\Local\fa18f64c0a5bd68d32cf0020ffdc310d\Admin@ZQABOPWE_en-US\System\Process.txt

Filesize
1KB

MD5
8c9c167baf3e902e9fcb0632fcd2d3d1

SHA1
ee2ec9b6d0e04ef27302294f6c1b31237e11cfe3

SHA256
e1f3cf7b05605db0fd3772165afabb0aa07fa244486dc6206bfa919f24041205

SHA512
8d543c5713e4b4f54b6ed5bc438737b7eef8cf3ba303c482018743f7e46024cc42dadafc4a42036f530aa41333af82f336a60900113476fe584a511ce0452527

Download Submit
C:\Users\Admin\AppData\Local\fa18f64c0a5bd68d32cf0020ffdc310d\Admin@ZQABOPWE_en-US\System\Process.txt

Filesize
2KB

MD5
9cf6245c6936ffad8094fb15b074374f

SHA1
c8cbe4163631516cc0acc17b947a0a8c0ebacd9f

SHA256
5c690e88d3b0f5e00b3e69f08c228a52827eebc8a7536ecfad6826308b103ea2

SHA512
0079b664cd9cc2294a4a18db35a6832424a1b586eb1f058e15808f65e537057101dfdfd689b5736bf359d7afbd93a9e6f3d7f85695b24cfe9a87de3c1477c79a

Download Submit
C:\Users\Admin\AppData\Local\fa18f64c0a5bd68d32cf0020ffdc310d\Admin@ZQABOPWE_en-US\System\Process.txt

Filesize
671B

MD5
cf6104f95adc76330d1d0d08f2dbdd82

SHA1
8a9cd7ec486780be51d54d6d4970a8cd47703929

SHA256
1d9922aed64867ef75052673ccdd35ef1d85de6f6020df2c5d28470b1a7fdc05

SHA512
ff561c0796e9e412a36569dafef2b3f0c9a876124a728f8f8eb0504c057feb0a4fcd56d4bb4ac0dbdeae9044e1ffcd6a02f6bb11bc8e6f9f8a7064a2d48f0f33

Download Submit
C:\Users\Admin\AppData\Local\fa18f64c0a5bd68d32cf0020ffdc310d\Admin@ZQABOPWE_en-US\System\Process.txt

Filesize
3KB

MD5
3b0d2c9bd9ef2da5d802f0b32948e834

SHA1
c0e57f388a457a86a9919a9862e17508232101f5

SHA256
baaac090c2157dcc8282525cb86a307e14be97b0bfc47f7af765a785f361f96d

SHA512
ad3629a636e412b903ca69d2163abbe2f0554f3df059dbc35c0c04e9f8b04c1d30b154eedff5c5bc316975581aa23387949bc9e01f8ce6c6efcc6ad349a8182d

Download Submit
C:\Users\Admin\AppData\Local\fa18f64c0a5bd68d32cf0020ffdc310d\Admin@ZQABOPWE_en-US\System\Process.txt

Filesize
3KB

MD5
9d37c2b48d540f7c2575b5d3dedab83d

SHA1
5497d53d925e02802e2c5c9c4881abb405b8566d

SHA256
af6f90311b5a7b57495a61fabe4f660d34e11a3d41a84653bad1f888159adf88

SHA512
d109a92608512b09f62f633078401ede2d23a4625241ff428b41f2fc99f79a67d0c05109fe4c55c2ff58e10a1feebcf7c3f99561412eb0673a9e2dd32fa38fee

Download Submit
C:\Users\Admin\AppData\Local\fab5c14b9ba3507d34b861e522b7adaf\Admin@ZQABOPWE_en-US\Directories\Desktop.txt

Filesize
494B

MD5
5bf219292d37595f86405482c9b2832a

SHA1
4128e8f856aa93dfc0765f031c3744cd7e79b90c

SHA256
21e114915ed9b53d2ac2cf6572505f9aa08a5e270e2183f947707c76d2d88e10

SHA512
f17db0bc09da06e520f3e5ccf47aff0c45168aed008d8545861f7183afd5fe8338e0209ea882e00e8dc44c96092367a03ad1b9ff5c0738325323914aaabc80cd

Download Submit
C:\Users\Admin\AppData\Local\fab5c14b9ba3507d34b861e522b7adaf\Admin@ZQABOPWE_en-US\Directories\Documents.txt

Filesize
765B

MD5
9634793a1ef02d1f209c3a0aca5808b5

SHA1
e957c6945c1629d6cd4698359d85b1f1985b96d6

SHA256
73c657004c9573fe246f28efcef698998f9154b9b0e9f696f325021499753faa

SHA512
0b562d9b097a0a12c79c79c6cdf5e9aba51a4c88fe215664582c8e9d878adca2507be9f6162e8de51a1ea52c6ea303652f8f02d400c03e37517b2c8aa9e58f52

Download Submit
C:\Users\Admin\AppData\Local\fab5c14b9ba3507d34b861e522b7adaf\Admin@ZQABOPWE_en-US\Directories\Downloads.txt

Filesize
684B

MD5
209ee46dc09088fd82a9def3d6bc0fff

SHA1
ad427f8523572c1bc2a0cde85e93bdf3551908c5

SHA256
9061420bc05708300739b6a3ad44d9c85854fba2d31b6515e672920b3af4465a

SHA512
f47c5b14274410378cc21315ada7edcec36e36981111819ca2cde24104ce8f4d36503f730587ecedbbbdfa3566b7f83fbf56345523355b6c4ad3162b928fbaf7

Download Submit
C:\Users\Admin\AppData\Local\fab5c14b9ba3507d34b861e522b7adaf\Admin@ZQABOPWE_en-US\Directories\Pictures.txt

Filesize
484B

MD5
1cdbd016acda40a536c30c6b5866d8bb

SHA1
a92aa2c0ec051a4a199f6f8739a672b2a73d5aa1

SHA256
f3aa7461f6b2cf5023f74967d64baf1f978dc1e2d1d1e218f85be790cccb5b88

SHA512
d2ce61564f97cbabae249f6969463218e164229b3b0d5501b7ccb71baf37fb34664360521795990de876943103010fc96d5fd9e4d9e8938f3359e1ac38933c17

Download Submit
C:\Users\Admin\AppData\Local\fab5c14b9ba3507d34b861e522b7adaf\Admin@ZQABOPWE_en-US\Directories\Startup.txt

Filesize
24B

MD5
68c93da4981d591704cea7b71cebfb97

SHA1
fd0f8d97463cd33892cc828b4ad04e03fc014fa6

SHA256
889ed51f9c16a4b989bda57957d3e132b1a9c117ee84e208207f2fa208a59483

SHA512
63455c726b55f2d4de87147a75ff04f2daa35278183969ccf185d23707840dd84363bec20d4e8c56252196ce555001ca0e61b3f4887d27577081fdef9e946402

Download Submit
C:\Users\Admin\AppData\Local\fab5c14b9ba3507d34b861e522b7adaf\Admin@ZQABOPWE_en-US\Directories\Videos.txt

Filesize
23B

MD5
1fddbf1169b6c75898b86e7e24bc7c1f

SHA1
d2091060cb5191ff70eb99c0088c182e80c20f8c

SHA256
a67aa329b7d878de61671e18cd2f4b011d11cbac67ea779818c6dafad2d70733

SHA512
20bfeafde7fec1753fef59de467bd4a3dd7fe627e8c44e95fe62b065a5768c4508e886ec5d898e911a28cf6365f455c9ab1ebe2386d17a76f53037f99061fd4d

Download Submit
C:\Users\Admin\AppData\Local\fab5c14b9ba3507d34b861e522b7adaf\Admin@ZQABOPWE_en-US\Grabber\DRIVE-C\Users\Admin\Desktop\desktop.ini

Filesize
282B

MD5
9e36cc3537ee9ee1e3b10fa4e761045b

SHA1
7726f55012e1e26cc762c9982e7c6c54ca7bb303

SHA256
4b9d687ac625690fd026ed4b236dad1cac90ef69e7ad256cc42766a065b50026

SHA512
5f92493c533d3add10b4ce2a364624817ebd10e32daa45ee16593e913073602db5e339430a3f7d2c44abf250e96ca4e679f1f09f8ca807d58a47cf3d5c9c3790

Download Submit
C:\Users\Admin\AppData\Local\fab5c14b9ba3507d34b861e522b7adaf\Admin@ZQABOPWE_en-US\Grabber\DRIVE-C\Users\Admin\Documents\desktop.ini

Filesize
402B

MD5
ecf88f261853fe08d58e2e903220da14

SHA1
f72807a9e081906654ae196605e681d5938a2e6c

SHA256
cafec240d998e4b6e92ad1329cd417e8e9cbd73157488889fd93a542de4a4844

SHA512
82c1c3dd163fbf7111c7ef5043b009dafc320c0c5e088dec16c835352c5ffb7d03c5829f65a9ff1dc357bae97e8d2f9c3fc1e531fe193e84811fb8c62888a36b

Download Submit
C:\Users\Admin\AppData\Local\fab5c14b9ba3507d34b861e522b7adaf\Admin@ZQABOPWE_en-US\Grabber\DRIVE-C\Users\Admin\Downloads\desktop.ini

Filesize
282B

MD5
3a37312509712d4e12d27240137ff377

SHA1
30ced927e23b584725cf16351394175a6d2a9577

SHA256
b029393ea7b7cf644fb1c9f984f57c1980077562ee2e15d0ffd049c4c48098d3

SHA512
dbb9abe70f8a781d141a71651a62a3a743c71a75a8305e9d23af92f7307fb639dc4a85499115885e2a781b040cbb7613f582544c2d6de521e588531e9c294b05

Download Submit
C:\Users\Admin\AppData\Local\fab5c14b9ba3507d34b861e522b7adaf\Admin@ZQABOPWE_en-US\Grabber\DRIVE-C\Users\Admin\Pictures\desktop.ini

Filesize
504B

MD5
29eae335b77f438e05594d86a6ca22ff

SHA1
d62ccc830c249de6b6532381b4c16a5f17f95d89

SHA256
88856962cef670c087eda4e07d8f78465beeabb6143b96bd90f884a80af925b4

SHA512
5d2d05403b39675b9a751c8eed4f86be58cb12431afec56946581cb116b9ae1014ab9334082740be5b4de4a25e190fe76de071ef1b9074186781477919eb3c17

Download Submit
C:\Users\Admin\AppData\Local\fab5c14b9ba3507d34b861e522b7adaf\Admin@ZQABOPWE_en-US\System\Process.txt

Filesize
56B

MD5
5e5899b0ea4ae0b4159c4b6afd88bf2b

SHA1
854ccd9e0f7b5a3392138fe78e5e15a19cc282e0

SHA256
b65e8552ff9305682ca6e1f887548dde8ff741493c174dabe66dbc877c886608

SHA512
b13ee8d236aa76ba7f3d0a1a43dad0fce423af5dc0771043c58bba6b5106c6667885c5690c095e2cfc628677bc1a73da8191726155c9f220124809e9d79ec97a

Download Submit
C:\Users\Admin\AppData\Local\fab5c14b9ba3507d34b861e522b7adaf\Admin@ZQABOPWE_en-US\System\ProductKey.txt

Filesize
29B

MD5
cad6c6bee6c11c88f5e2f69f0be6deb7

SHA1
289d74c3bebe6cca4e1d2e084482ad6d21316c84

SHA256
dc288491fadc4a85e71085890e3d6a7746e99a317cd5ef09a30272dfb10398c0

SHA512
e02cf6bff8b4ebd7a1346ecb1667be36c3ef7415fff77c3b9cfb370f3d0dc861f74d3e0e49065699850ba6cc025cd68d14ceb73f3b512c2a9b28873a69aff097

Download Submit
C:\Users\Admin\AppData\Local\fab5c14b9ba3507d34b861e522b7adaf\Admin@ZQABOPWE_en-US\System\ScanningNetworks.txt

Filesize
59B

MD5
409930721dbce1ee58227d109cca4570

SHA1
767f86ffec769d8415f07b4372a108cba1bf7221

SHA256
6b6dd8b11f84fb78e3e8cfaa7c5fca569d79402b9fc5861b00960b25607c911e

SHA512
4875187fce9545a92df636e384f92dcb403dfe80f3cad4a68e79329a1f42e12e9d04948f2a52b939638481da6d3e3b5f5096fe6dfd674ee53cca7c655ec03f17

Download Submit
C:\Users\Admin\AppData\Local\fab5c14b9ba3507d34b861e522b7adaf\Admin@ZQABOPWE_en-US\System\WorldWind.jpg

Filesize
51KB

MD5
8d2b4b6af42ad1a68170da6ca6a50421

SHA1
58df3b2d86f82eb904b22443f6b3af46d40e1324

SHA256
4d5b4520f3d9069db462e8bba32450bb2851825e0f47f72db42e96e37282eeae

SHA512
bcb13b5ab5a97c8866f7a71acffc27af186333020ac8a229420bb581ebbd59b4e8d2f557f000ed5b49e869055782ba8b6dc4834c135a54a2db328578aa25b205

Download Submit
memory/1884-11-0x00000000005B0000-0x00000000005BA000-memory.dmp

Filesize
40KB

Download
memory/1884-10-0x0000000000630000-0x000000000067A000-memory.dmp

Filesize
296KB

Download
memory/1884-9-0x0000000000E00000-0x0000000000E58000-memory.dmp

Filesize
352KB

Download
memory/2552-8-0x000007FEF6310000-0x000007FEF6CFC000-memory.dmp

Filesize
9.9MB

Download
memory/2552-0-0x000007FEF6313000-0x000007FEF6314000-memory.dmp

Filesize
4KB

Download
memory/2552-1-0x0000000000C40000-0x0000000000C9C000-memory.dmp

Filesize
368KB

Download
memory/2912-26-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/2912-24-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/2912-22-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/2912-21-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2912-19-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/2912-17-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/2912-15-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/2912-13-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download