asyncrat | 9d9a79f4ae9bf7a992945f6c06c5bec642c05e4e828217c50255dabfa3677006

max time kernel
174s
max time network
1386s
platform
windows10-2004_x64
resource
win10v2004-20240910-en
resource tags

arch:x64arch:x86image:win10v2004-20240910-enlocale:en-usos:windows10-2004-x64system
submitted
01-10-2024 19:23

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

RebelCracked.exe
Size

344KB
MD5

a84fd0fc75b9c761e9b7923a08da41c7
SHA1

2597048612041cd7a8c95002c73e9c2818bb2097
SHA256

9d9a79f4ae9bf7a992945f6c06c5bec642c05e4e828217c50255dabfa3677006
SHA512

a17f1144a0e3ce07c7ed6891987c5b969f291e9991442c33750028d35e2194794e8a649c397e8afc9f8ce19d485c453600c75cab4fcead09e38414d85819251a
SSDEEP

6144:lOcpeK8lucxAtLNFHUVuI/2zj1z6jZ755NofmWx4PCQL23wBw7R0ljTwrVuAdJKp:QcpSnx0LNFDQ60Ntbo5d7gBw7R7rbdJk

Score

10^/10

asyncrat stormkitty default discovery persistence privilege_escalation rat spyware stealer

Malware Config

Extracted

Family

asyncrat

Botnet

Default

127.0.0.1:6606

127.0.0.1:7707

127.0.0.1:8808

Mutex

AsyncMutex_6SI8OkPnk

Attributes

delay
3
install
false
install_folder
%AppData%

aes.plain

Signatures

AsyncRat
AsyncRAT is designed to remotely monitor and control other computers written in C#.
rat asyncrat
StormKitty
StormKitty is an open source info stealer written in C#.
stealer stormkitty

StormKitty payload 1 IoCs

resource	yara_rule
behavioral2/memory/32-25-0x0000000000400000-0x0000000000432000-memory.dmp	family_stormkitty

Blocklisted process makes network request 18 IoCs

flow	pid	Process
81	4812	RuntimeBroker.exe
82	4812	RuntimeBroker.exe
83	4812	RuntimeBroker.exe
84	4812	RuntimeBroker.exe
85	3120	RuntimeBroker.exe
86	4812	RuntimeBroker.exe
87	3120	RuntimeBroker.exe
88	4812	RuntimeBroker.exe
89	3120	RuntimeBroker.exe
90	3120	RuntimeBroker.exe
91	3120	RuntimeBroker.exe
92	3120	RuntimeBroker.exe
167	5568	RuntimeBroker.exe
169	5568	RuntimeBroker.exe
170	5568	RuntimeBroker.exe
174	5568	RuntimeBroker.exe
181	5568	RuntimeBroker.exe
184	5568	RuntimeBroker.exe

Checks computer location settings 2 TTPs 64 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2629364133-3182087385-364449604-1000\Control Panel\International\Geo\Nation	RebelCracked.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2629364133-3182087385-364449604-1000\Control Panel\International\Geo\Nation	RebelCracked.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2629364133-3182087385-364449604-1000\Control Panel\International\Geo\Nation	RebelCracked.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2629364133-3182087385-364449604-1000\Control Panel\International\Geo\Nation	RebelCracked.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2629364133-3182087385-364449604-1000\Control Panel\International\Geo\Nation	RebelCracked.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2629364133-3182087385-364449604-1000\Control Panel\International\Geo\Nation	RebelCracked.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2629364133-3182087385-364449604-1000\Control Panel\International\Geo\Nation	RebelCracked.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2629364133-3182087385-364449604-1000\Control Panel\International\Geo\Nation	RebelCracked.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2629364133-3182087385-364449604-1000\Control Panel\International\Geo\Nation	RebelCracked.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2629364133-3182087385-364449604-1000\Control Panel\International\Geo\Nation	RebelCracked.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2629364133-3182087385-364449604-1000\Control Panel\International\Geo\Nation	RebelCracked.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2629364133-3182087385-364449604-1000\Control Panel\International\Geo\Nation	RebelCracked.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2629364133-3182087385-364449604-1000\Control Panel\International\Geo\Nation	RebelCracked.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2629364133-3182087385-364449604-1000\Control Panel\International\Geo\Nation	RebelCracked.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2629364133-3182087385-364449604-1000\Control Panel\International\Geo\Nation	RebelCracked.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2629364133-3182087385-364449604-1000\Control Panel\International\Geo\Nation	RebelCracked.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2629364133-3182087385-364449604-1000\Control Panel\International\Geo\Nation	RebelCracked.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2629364133-3182087385-364449604-1000\Control Panel\International\Geo\Nation	RebelCracked.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2629364133-3182087385-364449604-1000\Control Panel\International\Geo\Nation	RebelCracked.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2629364133-3182087385-364449604-1000\Control Panel\International\Geo\Nation	RebelCracked.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2629364133-3182087385-364449604-1000\Control Panel\International\Geo\Nation	RebelCracked.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2629364133-3182087385-364449604-1000\Control Panel\International\Geo\Nation	RebelCracked.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2629364133-3182087385-364449604-1000\Control Panel\International\Geo\Nation	RebelCracked.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2629364133-3182087385-364449604-1000\Control Panel\International\Geo\Nation	RebelCracked.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2629364133-3182087385-364449604-1000\Control Panel\International\Geo\Nation	RebelCracked.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2629364133-3182087385-364449604-1000\Control Panel\International\Geo\Nation	RebelCracked.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2629364133-3182087385-364449604-1000\Control Panel\International\Geo\Nation	RebelCracked.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2629364133-3182087385-364449604-1000\Control Panel\International\Geo\Nation	RebelCracked.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2629364133-3182087385-364449604-1000\Control Panel\International\Geo\Nation	RebelCracked.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2629364133-3182087385-364449604-1000\Control Panel\International\Geo\Nation	RebelCracked.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2629364133-3182087385-364449604-1000\Control Panel\International\Geo\Nation	RebelCracked.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2629364133-3182087385-364449604-1000\Control Panel\International\Geo\Nation	RebelCracked.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2629364133-3182087385-364449604-1000\Control Panel\International\Geo\Nation	RebelCracked.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2629364133-3182087385-364449604-1000\Control Panel\International\Geo\Nation	RebelCracked.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2629364133-3182087385-364449604-1000\Control Panel\International\Geo\Nation	RebelCracked.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2629364133-3182087385-364449604-1000\Control Panel\International\Geo\Nation	RebelCracked.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2629364133-3182087385-364449604-1000\Control Panel\International\Geo\Nation	RebelCracked.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2629364133-3182087385-364449604-1000\Control Panel\International\Geo\Nation	RebelCracked.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2629364133-3182087385-364449604-1000\Control Panel\International\Geo\Nation	RebelCracked.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2629364133-3182087385-364449604-1000\Control Panel\International\Geo\Nation	RebelCracked.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2629364133-3182087385-364449604-1000\Control Panel\International\Geo\Nation	RebelCracked.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2629364133-3182087385-364449604-1000\Control Panel\International\Geo\Nation	RebelCracked.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2629364133-3182087385-364449604-1000\Control Panel\International\Geo\Nation	RebelCracked.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2629364133-3182087385-364449604-1000\Control Panel\International\Geo\Nation	RebelCracked.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2629364133-3182087385-364449604-1000\Control Panel\International\Geo\Nation	RebelCracked.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2629364133-3182087385-364449604-1000\Control Panel\International\Geo\Nation	RebelCracked.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2629364133-3182087385-364449604-1000\Control Panel\International\Geo\Nation	RebelCracked.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2629364133-3182087385-364449604-1000\Control Panel\International\Geo\Nation	RebelCracked.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2629364133-3182087385-364449604-1000\Control Panel\International\Geo\Nation	RebelCracked.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2629364133-3182087385-364449604-1000\Control Panel\International\Geo\Nation	RebelCracked.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2629364133-3182087385-364449604-1000\Control Panel\International\Geo\Nation	RebelCracked.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2629364133-3182087385-364449604-1000\Control Panel\International\Geo\Nation	RebelCracked.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2629364133-3182087385-364449604-1000\Control Panel\International\Geo\Nation	RebelCracked.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2629364133-3182087385-364449604-1000\Control Panel\International\Geo\Nation	RebelCracked.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2629364133-3182087385-364449604-1000\Control Panel\International\Geo\Nation	RebelCracked.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2629364133-3182087385-364449604-1000\Control Panel\International\Geo\Nation	RebelCracked.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2629364133-3182087385-364449604-1000\Control Panel\International\Geo\Nation	RebelCracked.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2629364133-3182087385-364449604-1000\Control Panel\International\Geo\Nation	RebelCracked.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2629364133-3182087385-364449604-1000\Control Panel\International\Geo\Nation	RebelCracked.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2629364133-3182087385-364449604-1000\Control Panel\International\Geo\Nation	RebelCracked.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2629364133-3182087385-364449604-1000\Control Panel\International\Geo\Nation	RebelCracked.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2629364133-3182087385-364449604-1000\Control Panel\International\Geo\Nation	RebelCracked.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2629364133-3182087385-364449604-1000\Control Panel\International\Geo\Nation	RebelCracked.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2629364133-3182087385-364449604-1000\Control Panel\International\Geo\Nation	RebelCracked.exe

Executes dropped EXE 64 IoCs

pid	Process
548	RuntimeBroker.exe
32	RuntimeBroker.exe
5048	RuntimeBroker.exe
4888	RuntimeBroker.exe
4276	RuntimeBroker.exe
3224	RuntimeBroker.exe
3468	RuntimeBroker.exe
4648	RuntimeBroker.exe
4308	RuntimeBroker.exe
1264	RuntimeBroker.exe
1180	RuntimeBroker.exe
3120	RuntimeBroker.exe
2316	RuntimeBroker.exe
4012	RuntimeBroker.exe
3304	RuntimeBroker.exe
4812	RuntimeBroker.exe
1388	RuntimeBroker.exe
4332	RuntimeBroker.exe
2216	RuntimeBroker.exe
2744	RuntimeBroker.exe
4964	RuntimeBroker.exe
2504	RuntimeBroker.exe
4508	RuntimeBroker.exe
2304	RuntimeBroker.exe
2024	RuntimeBroker.exe
2928	RuntimeBroker.exe
4352	RuntimeBroker.exe
3288	RuntimeBroker.exe
3756	RuntimeBroker.exe
2044	RuntimeBroker.exe
4948	RuntimeBroker.exe
1896	RuntimeBroker.exe
2024	RuntimeBroker.exe
4556	RuntimeBroker.exe
3216	RuntimeBroker.exe
5008	RuntimeBroker.exe
2936	RuntimeBroker.exe
4948	RuntimeBroker.exe
3620	RuntimeBroker.exe
3756	RuntimeBroker.exe
1104	RuntimeBroker.exe
1348	RuntimeBroker.exe
1092	RuntimeBroker.exe
3168	RuntimeBroker.exe
4868	RuntimeBroker.exe
4400	RuntimeBroker.exe
1260	RuntimeBroker.exe
4956	RuntimeBroker.exe
1912	RuntimeBroker.exe
1232	RuntimeBroker.exe
5176	RuntimeBroker.exe
5672	RuntimeBroker.exe
5260	RuntimeBroker.exe
2292	RuntimeBroker.exe
6116	RuntimeBroker.exe
5232	RuntimeBroker.exe
5176	RuntimeBroker.exe
2676	RuntimeBroker.exe
5916	RuntimeBroker.exe
5568	RuntimeBroker.exe
2592	RuntimeBroker.exe
3620	RuntimeBroker.exe
4016	RuntimeBroker.exe
6228	RuntimeBroker.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Drops desktop.ini file(s) 64 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Local\b5a7e8efa0d7e9e5f0e885758badb00e\Admin@WLWOBVQV_en-US\Grabber\DRIVE-C\Users\Admin\Documents\desktop.ini	RuntimeBroker.exe
File created	C:\Users\Admin\AppData\Local\b5a7e8efa0d7e9e5f0e885758badb00e\Admin@WLWOBVQV_en-US\Grabber\DRIVE-C\Users\Admin\Documents\desktop.ini	RuntimeBroker.exe
File created	C:\Users\Admin\AppData\Local\ec025c2ab0533d25cf7bd78c58061070\Admin@WLWOBVQV_en-US\Grabber\DRIVE-C\Users\Admin\Desktop\desktop.ini	RuntimeBroker.exe
File created	C:\Users\Admin\AppData\Local\419b8aaa7cba6e4dff05a70cc7016228\Admin@WLWOBVQV_en-US\Grabber\DRIVE-C\Users\Admin\Documents\desktop.ini	RuntimeBroker.exe
File created	C:\Users\Admin\AppData\Local\54af8aa9286eab1ac406bb1322b37d00\Admin@WLWOBVQV_en-US\Grabber\DRIVE-C\Users\Admin\Pictures\Saved Pictures\desktop.ini	RuntimeBroker.exe
File created	C:\Users\Admin\AppData\Local\419b8aaa7cba6e4dff05a70cc7016228\Admin@WLWOBVQV_en-US\Grabber\DRIVE-C\Users\Admin\Pictures\Camera Roll\desktop.ini	RuntimeBroker.exe
File created	C:\Users\Admin\AppData\Local\2d6c356d977278447729b5b1420edf99\Admin@WLWOBVQV_en-US\Grabber\DRIVE-C\Users\Admin\Pictures\desktop.ini	RuntimeBroker.exe
File created	C:\Users\Admin\AppData\Local\0b3abc7ee26025431112385cdb7daa68\Admin@WLWOBVQV_en-US\Grabber\DRIVE-C\Users\Admin\Documents\desktop.ini	RuntimeBroker.exe
File opened for modification	C:\Users\Admin\AppData\Local\2d6c356d977278447729b5b1420edf99\Admin@WLWOBVQV_en-US\Grabber\DRIVE-C\Users\Admin\Desktop\desktop.ini	RuntimeBroker.exe
File created	C:\Users\Admin\AppData\Local\0b3abc7ee26025431112385cdb7daa68\Admin@WLWOBVQV_en-US\Grabber\DRIVE-C\Users\Admin\Documents\desktop.ini	RuntimeBroker.exe
File created	C:\Users\Admin\AppData\Local\b5a7e8efa0d7e9e5f0e885758badb00e\Admin@WLWOBVQV_en-US\Grabber\DRIVE-C\Users\Admin\Pictures\desktop.ini	RuntimeBroker.exe
File created	C:\Users\Admin\AppData\Local\0f9df786692a67ed658c193a7ae69544\Admin@WLWOBVQV_en-US\Grabber\DRIVE-C\Users\Admin\Documents\desktop.ini	RuntimeBroker.exe
File created	C:\Users\Admin\AppData\Local\2d6c356d977278447729b5b1420edf99\Admin@WLWOBVQV_en-US\Grabber\DRIVE-C\Users\Admin\Pictures\desktop.ini	RuntimeBroker.exe
File created	C:\Users\Admin\AppData\Local\b5a7e8efa0d7e9e5f0e885758badb00e\Admin@WLWOBVQV_en-US\Grabber\DRIVE-C\Users\Admin\Pictures\desktop.ini	RuntimeBroker.exe
File created	C:\Users\Admin\AppData\Local\b5a7e8efa0d7e9e5f0e885758badb00e\Admin@WLWOBVQV_en-US\Grabber\DRIVE-C\Users\Admin\Pictures\desktop.ini	RuntimeBroker.exe
File created	C:\Users\Admin\AppData\Local\51c533bf59b511f2f6e36fb839dd6db9\Admin@WLWOBVQV_en-US\Grabber\DRIVE-C\Users\Admin\Pictures\Camera Roll\desktop.ini	RuntimeBroker.exe
File created	C:\Users\Admin\AppData\Local\51c533bf59b511f2f6e36fb839dd6db9\Admin@WLWOBVQV_en-US\Grabber\DRIVE-C\Users\Admin\Pictures\desktop.ini	RuntimeBroker.exe
File created	C:\Users\Admin\AppData\Local\0f9df786692a67ed658c193a7ae69544\Admin@WLWOBVQV_en-US\Grabber\DRIVE-C\Users\Admin\Downloads\desktop.ini	RuntimeBroker.exe
File created	C:\Users\Admin\AppData\Local\419b8aaa7cba6e4dff05a70cc7016228\Admin@WLWOBVQV_en-US\Grabber\DRIVE-C\Users\Admin\Documents\desktop.ini	RuntimeBroker.exe
File created	C:\Users\Admin\AppData\Local\4c72cbc49fc893b68d51772d0468ae43\Admin@WLWOBVQV_en-US\Grabber\DRIVE-C\Users\Admin\Documents\desktop.ini	RuntimeBroker.exe
File created	C:\Users\Admin\AppData\Local\b3739a9836fd4b31afd459a7980e2aac\Admin@WLWOBVQV_en-US\Grabber\DRIVE-C\Users\Admin\Downloads\desktop.ini	RuntimeBroker.exe
File created	C:\Users\Admin\AppData\Local\2d6c356d977278447729b5b1420edf99\Admin@WLWOBVQV_en-US\Grabber\DRIVE-C\Users\Admin\Pictures\Saved Pictures\desktop.ini	RuntimeBroker.exe
File created	C:\Users\Admin\AppData\Local\2d6c356d977278447729b5b1420edf99\Admin@WLWOBVQV_en-US\Grabber\DRIVE-C\Users\Admin\Desktop\desktop.ini	RuntimeBroker.exe
File created	C:\Users\Admin\AppData\Local\4c72cbc49fc893b68d51772d0468ae43\Admin@WLWOBVQV_en-US\Grabber\DRIVE-C\Users\Admin\Documents\desktop.ini	RuntimeBroker.exe
File created	C:\Users\Admin\AppData\Local\b3739a9836fd4b31afd459a7980e2aac\Admin@WLWOBVQV_en-US\Grabber\DRIVE-C\Users\Admin\Pictures\Camera Roll\desktop.ini	RuntimeBroker.exe
File created	C:\Users\Admin\AppData\Local\2d6c356d977278447729b5b1420edf99\Admin@WLWOBVQV_en-US\Grabber\DRIVE-C\Users\Admin\Pictures\Saved Pictures\desktop.ini	RuntimeBroker.exe
File opened for modification	C:\Users\Admin\AppData\Local\51c533bf59b511f2f6e36fb839dd6db9\Admin@WLWOBVQV_en-US\Grabber\DRIVE-C\Users\Admin\Desktop\desktop.ini	RuntimeBroker.exe
File created	C:\Users\Admin\AppData\Local\2d6c356d977278447729b5b1420edf99\Admin@WLWOBVQV_en-US\Grabber\DRIVE-C\Users\Admin\Desktop\desktop.ini	RuntimeBroker.exe
File created	C:\Users\Admin\AppData\Local\ec025c2ab0533d25cf7bd78c58061070\Admin@WLWOBVQV_en-US\Grabber\DRIVE-C\Users\Admin\Desktop\desktop.ini	RuntimeBroker.exe
File opened for modification	C:\Users\Admin\AppData\Local\b3739a9836fd4b31afd459a7980e2aac\Admin@WLWOBVQV_en-US\Grabber\DRIVE-C\Users\Admin\Desktop\desktop.ini	RuntimeBroker.exe
File opened for modification	C:\Users\Admin\AppData\Local\0b3abc7ee26025431112385cdb7daa68\Admin@WLWOBVQV_en-US\Grabber\DRIVE-C\Users\Admin\Desktop\desktop.ini	RuntimeBroker.exe
File created	C:\Users\Admin\AppData\Local\b3739a9836fd4b31afd459a7980e2aac\Admin@WLWOBVQV_en-US\Grabber\DRIVE-C\Users\Admin\Desktop\desktop.ini	RuntimeBroker.exe
File created	C:\Users\Admin\AppData\Local\419b8aaa7cba6e4dff05a70cc7016228\Admin@WLWOBVQV_en-US\Grabber\DRIVE-C\Users\Admin\Pictures\Saved Pictures\desktop.ini	RuntimeBroker.exe
File created	C:\Users\Admin\AppData\Local\b5a7e8efa0d7e9e5f0e885758badb00e\Admin@WLWOBVQV_en-US\Grabber\DRIVE-C\Users\Admin\Downloads\desktop.ini	RuntimeBroker.exe
File created	C:\Users\Admin\AppData\Local\4c72cbc49fc893b68d51772d0468ae43\Admin@WLWOBVQV_en-US\Grabber\DRIVE-C\Users\Admin\Desktop\desktop.ini	RuntimeBroker.exe
File opened for modification	C:\Users\Admin\AppData\Local\b5a7e8efa0d7e9e5f0e885758badb00e\Admin@WLWOBVQV_en-US\Grabber\DRIVE-C\Users\Admin\Desktop\desktop.ini	RuntimeBroker.exe
File created	C:\Users\Admin\AppData\Local\2d6c356d977278447729b5b1420edf99\Admin@WLWOBVQV_en-US\Grabber\DRIVE-C\Users\Admin\Pictures\Saved Pictures\desktop.ini	RuntimeBroker.exe
File created	C:\Users\Admin\AppData\Local\0b3abc7ee26025431112385cdb7daa68\Admin@WLWOBVQV_en-US\Grabber\DRIVE-C\Users\Admin\Pictures\desktop.ini	RuntimeBroker.exe
File created	C:\Users\Admin\AppData\Local\0f9df786692a67ed658c193a7ae69544\Admin@WLWOBVQV_en-US\Grabber\DRIVE-C\Users\Admin\Downloads\desktop.ini	RuntimeBroker.exe
File created	C:\Users\Admin\AppData\Local\b3739a9836fd4b31afd459a7980e2aac\Admin@WLWOBVQV_en-US\Grabber\DRIVE-C\Users\Admin\Pictures\Camera Roll\desktop.ini	RuntimeBroker.exe
File created	C:\Users\Admin\AppData\Local\0b3abc7ee26025431112385cdb7daa68\Admin@WLWOBVQV_en-US\Grabber\DRIVE-C\Users\Admin\Pictures\desktop.ini	RuntimeBroker.exe
File created	C:\Users\Admin\AppData\Local\b5a7e8efa0d7e9e5f0e885758badb00e\Admin@WLWOBVQV_en-US\Grabber\DRIVE-C\Users\Admin\Pictures\Saved Pictures\desktop.ini	RuntimeBroker.exe
File opened for modification	C:\Users\Admin\AppData\Local\0f9df786692a67ed658c193a7ae69544\Admin@WLWOBVQV_en-US\Grabber\DRIVE-C\Users\Admin\Desktop\desktop.ini	RuntimeBroker.exe
File created	C:\Users\Admin\AppData\Local\51c533bf59b511f2f6e36fb839dd6db9\Admin@WLWOBVQV_en-US\Grabber\DRIVE-C\Users\Admin\Pictures\Saved Pictures\desktop.ini	RuntimeBroker.exe
File created	C:\Users\Admin\AppData\Local\b3739a9836fd4b31afd459a7980e2aac\Admin@WLWOBVQV_en-US\Grabber\DRIVE-C\Users\Admin\Desktop\desktop.ini	RuntimeBroker.exe
File opened for modification	C:\Users\Admin\AppData\Local\b5a7e8efa0d7e9e5f0e885758badb00e\Admin@WLWOBVQV_en-US\Grabber\DRIVE-C\Users\Admin\Desktop\desktop.ini	RuntimeBroker.exe
File created	C:\Users\Admin\AppData\Local\54af8aa9286eab1ac406bb1322b37d00\Admin@WLWOBVQV_en-US\Grabber\DRIVE-C\Users\Admin\Pictures\desktop.ini	RuntimeBroker.exe
File created	C:\Users\Admin\AppData\Local\b3739a9836fd4b31afd459a7980e2aac\Admin@WLWOBVQV_en-US\Grabber\DRIVE-C\Users\Admin\Downloads\desktop.ini	RuntimeBroker.exe
File created	C:\Users\Admin\AppData\Local\2d6c356d977278447729b5b1420edf99\Admin@WLWOBVQV_en-US\Grabber\DRIVE-C\Users\Admin\Documents\desktop.ini	RuntimeBroker.exe
File opened for modification	C:\Users\Admin\AppData\Local\ec025c2ab0533d25cf7bd78c58061070\Admin@WLWOBVQV_en-US\Grabber\DRIVE-C\Users\Admin\Desktop\desktop.ini	RuntimeBroker.exe
File created	C:\Users\Admin\AppData\Local\419b8aaa7cba6e4dff05a70cc7016228\Admin@WLWOBVQV_en-US\Grabber\DRIVE-C\Users\Admin\Pictures\desktop.ini	RuntimeBroker.exe
File created	C:\Users\Admin\AppData\Local\b5a7e8efa0d7e9e5f0e885758badb00e\Admin@WLWOBVQV_en-US\Grabber\DRIVE-C\Users\Admin\Downloads\desktop.ini	RuntimeBroker.exe
File created	C:\Users\Admin\AppData\Local\0b3abc7ee26025431112385cdb7daa68\Admin@WLWOBVQV_en-US\Grabber\DRIVE-C\Users\Admin\Pictures\desktop.ini	RuntimeBroker.exe
File opened for modification	C:\Users\Admin\AppData\Local\b5a7e8efa0d7e9e5f0e885758badb00e\Admin@WLWOBVQV_en-US\Grabber\DRIVE-C\Users\Admin\Desktop\desktop.ini	RuntimeBroker.exe
File created	C:\Users\Admin\AppData\Local\b3739a9836fd4b31afd459a7980e2aac\Admin@WLWOBVQV_en-US\Grabber\DRIVE-C\Users\Admin\Downloads\desktop.ini	RuntimeBroker.exe
File created	C:\Users\Admin\AppData\Local\2d6c356d977278447729b5b1420edf99\Admin@WLWOBVQV_en-US\Grabber\DRIVE-C\Users\Admin\Downloads\desktop.ini	RuntimeBroker.exe
File created	C:\Users\Admin\AppData\Local\4c72cbc49fc893b68d51772d0468ae43\Admin@WLWOBVQV_en-US\Grabber\DRIVE-C\Users\Admin\Pictures\desktop.ini	RuntimeBroker.exe
File created	C:\Users\Admin\AppData\Local\419b8aaa7cba6e4dff05a70cc7016228\Admin@WLWOBVQV_en-US\Grabber\DRIVE-C\Users\Admin\Downloads\desktop.ini	RuntimeBroker.exe
File created	C:\Users\Admin\AppData\Local\419b8aaa7cba6e4dff05a70cc7016228\Admin@WLWOBVQV_en-US\Grabber\DRIVE-C\Users\Admin\Pictures\Saved Pictures\desktop.ini	RuntimeBroker.exe
File created	C:\Users\Admin\AppData\Local\54af8aa9286eab1ac406bb1322b37d00\Admin@WLWOBVQV_en-US\Grabber\DRIVE-C\Users\Admin\Downloads\desktop.ini	RuntimeBroker.exe
File created	C:\Users\Admin\AppData\Local\b5a7e8efa0d7e9e5f0e885758badb00e\Admin@WLWOBVQV_en-US\Grabber\DRIVE-C\Users\Admin\Pictures\desktop.ini	RuntimeBroker.exe
File created	C:\Users\Admin\AppData\Local\2d6c356d977278447729b5b1420edf99\Admin@WLWOBVQV_en-US\Grabber\DRIVE-C\Users\Admin\Pictures\desktop.ini	RuntimeBroker.exe
File created	C:\Users\Admin\AppData\Local\0f9df786692a67ed658c193a7ae69544\Admin@WLWOBVQV_en-US\Grabber\DRIVE-C\Users\Admin\Pictures\desktop.ini	RuntimeBroker.exe
File created	C:\Users\Admin\AppData\Local\b5a7e8efa0d7e9e5f0e885758badb00e\Admin@WLWOBVQV_en-US\Grabber\DRIVE-C\Users\Admin\Downloads\desktop.ini	RuntimeBroker.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 64 IoCs

Web Service

T1102

flow	ioc
670	pastebin.com
110	pastebin.com
480	pastebin.com
564	pastebin.com
578	pastebin.com
545	pastebin.com
576	pastebin.com
770	pastebin.com
113	pastebin.com
350	pastebin.com
470	pastebin.com
482	pastebin.com
605	pastebin.com
606	pastebin.com
782	pastebin.com
67	pastebin.com
179	pastebin.com
393	pastebin.com
567	pastebin.com
79	pastebin.com
148	pastebin.com
771	pastebin.com
801	pastebin.com
264	pastebin.com
454	pastebin.com
492	pastebin.com
577	pastebin.com
337	pastebin.com
383	pastebin.com
455	pastebin.com
772	pastebin.com
657	pastebin.com
182	pastebin.com
206	pastebin.com
380	pastebin.com
534	pastebin.com
349	pastebin.com
394	pastebin.com
680	pastebin.com
799	pastebin.com
91	pastebin.com
526	pastebin.com
638	pastebin.com
768	pastebin.com
646	pastebin.com
767	pastebin.com
779	pastebin.com
99	pastebin.com
338	pastebin.com
372	pastebin.com
500	pastebin.com
157	pastebin.com
513	pastebin.com
528	pastebin.com
547	pastebin.com
615	pastebin.com
57	pastebin.com
73	pastebin.com
86	pastebin.com
181	pastebin.com
622	pastebin.com
684	pastebin.com
769	pastebin.com
187	pastebin.com

Looks up external IP address via web service 2 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
30	icanhazip.com
590	icanhazip.com

Looks up geolocation information via web service
Uses a legitimate geolocation service to find the infected system's geolocation info.

Suspicious use of SetThreadContext 64 IoCs

description	pid	Process	procid_target
PID 548 set thread context of 32	548	RuntimeBroker.exe	93
PID 5048 set thread context of 4888	5048	RuntimeBroker.exe	96
PID 4276 set thread context of 3224	4276	RuntimeBroker.exe	102
PID 3468 set thread context of 4648	3468	RuntimeBroker.exe	106
PID 4308 set thread context of 1264	4308	RuntimeBroker.exe	111
PID 1180 set thread context of 3120	1180	RuntimeBroker.exe	116
PID 2316 set thread context of 4012	2316	RuntimeBroker.exe	119
PID 3304 set thread context of 4812	3304	RuntimeBroker.exe	122
PID 1388 set thread context of 4332	1388	RuntimeBroker.exe	131
PID 2216 set thread context of 2744	2216	RuntimeBroker.exe	141
PID 4964 set thread context of 2504	4964	RuntimeBroker.exe	153
PID 4508 set thread context of 2304	4508	RuntimeBroker.exe	523
PID 2024 set thread context of 2928	2024	RuntimeBroker.exe	169
PID 4352 set thread context of 3288	4352	RuntimeBroker.exe	182
PID 3756 set thread context of 2044	3756	RuntimeBroker.exe	618
PID 4948 set thread context of 1896	4948	RuntimeBroker.exe	199
PID 2024 set thread context of 4556	2024	RuntimeBroker.exe	202
PID 3216 set thread context of 5008	3216	RuntimeBroker.exe	210
PID 2936 set thread context of 4948	2936	RuntimeBroker.exe	1220
PID 3620 set thread context of 3756	3620	RuntimeBroker.exe	234
PID 1104 set thread context of 1348	1104	RuntimeBroker.exe	247
PID 1092 set thread context of 3168	1092	RuntimeBroker.exe	261
PID 4868 set thread context of 4400	4868	RuntimeBroker.exe	452
PID 1260 set thread context of 4956	1260	RuntimeBroker.exe	418
PID 1912 set thread context of 1232	1912	RuntimeBroker.exe	275
PID 5176 set thread context of 5672	5176	RuntimeBroker.exe	287
PID 5260 set thread context of 2292	5260	RuntimeBroker.exe	1137
PID 6116 set thread context of 5232	6116	RuntimeBroker.exe	298
PID 5176 set thread context of 2676	5176	RuntimeBroker.exe	301
PID 5916 set thread context of 5568	5916	RuntimeBroker.exe	1447
PID 2592 set thread context of 3620	2592	RuntimeBroker.exe	321
PID 4016 set thread context of 6228	4016	RuntimeBroker.exe	333
PID 7076 set thread context of 5124	7076	RuntimeBroker.exe	345
PID 6356 set thread context of 6732	6356	RuntimeBroker.exe	363
PID 6352 set thread context of 6704	6352	RuntimeBroker.exe	376
PID 7044 set thread context of 5280	7044	RuntimeBroker.exe	393
PID 6464 set thread context of 6496	6464	RuntimeBroker.exe	403
PID 6104 set thread context of 6948	6104	RuntimeBroker.exe	406
PID 2484 set thread context of 2220	2484	RuntimeBroker.exe	414
PID 5816 set thread context of 7096	5816	RuntimeBroker.exe	430
PID 4016 set thread context of 7024	4016	RuntimeBroker.exe	435
PID 6952 set thread context of 116	6952	RuntimeBroker.exe	445
PID 2608 set thread context of 6196	2608	RuntimeBroker.exe	480
PID 4408 set thread context of 6944	4408	RuntimeBroker.exe	1029
PID 2104 set thread context of 5820	2104	RuntimeBroker.exe	511
PID 4276 set thread context of 6012	4276	RuntimeBroker.exe	1088
PID 6188 set thread context of 6212	6188	RuntimeBroker.exe	544
PID 644 set thread context of 5424	644	RuntimeBroker.exe	556
PID 4976 set thread context of 6396	4976	RuntimeBroker.exe	561
PID 2992 set thread context of 5884	2992	RuntimeBroker.exe	1056
PID 868 set thread context of 2628	868	RuntimeBroker.exe	580
PID 6516 set thread context of 1536	6516	RuntimeBroker.exe	1468
PID 2664 set thread context of 4932	2664	RuntimeBroker.exe	610
PID 1788 set thread context of 7056	1788	RuntimeBroker.exe	1403
PID 1980 set thread context of 5720	1980	RuntimeBroker.exe	978
PID 1512 set thread context of 3524	1512	RuntimeBroker.exe	1444
PID 400 set thread context of 688	400	RuntimeBroker.exe	657
PID 7484 set thread context of 7596	7484	RuntimeBroker.exe	663
PID 7396 set thread context of 7568	7396	RuntimeBroker.exe	677
PID 7304 set thread context of 7580	7304	RuntimeBroker.exe	686
PID 7576 set thread context of 7772	7576	RuntimeBroker.exe	698
PID 7908 set thread context of 7484	7908	RuntimeBroker.exe	707
PID 8008 set thread context of 8144	8008	RuntimeBroker.exe	1184
PID 7716 set thread context of 7956	7716	RuntimeBroker.exe	743

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Event Triggered Execution: Netsh Helper DLL 1 TTPs 64 IoCs

Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

persistence privilege_escalation

Netsh Helper DLL

T1546.007

description	ioc	Process
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe

Program crash 1 IoCs

pid	pid_target	Process
8692	9796	Process not Found

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	chcp.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RuntimeBroker.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	chcp.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RuntimeBroker.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	chcp.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	chcp.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	findstr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RuntimeBroker.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	chcp.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	chcp.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RuntimeBroker.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RuntimeBroker.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	chcp.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RuntimeBroker.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	chcp.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	chcp.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	findstr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	chcp.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RuntimeBroker.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	chcp.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	chcp.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RuntimeBroker.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RuntimeBroker.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	chcp.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	findstr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RuntimeBroker.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	chcp.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	chcp.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RuntimeBroker.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	findstr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RuntimeBroker.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	findstr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RuntimeBroker.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	chcp.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	chcp.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RuntimeBroker.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	chcp.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RuntimeBroker.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	chcp.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	chcp.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	chcp.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

System Network Configuration Discovery: Wi-Fi Discovery 1 TTPs 64 IoCs

Adversaries may search for information about Wi-Fi networks, such as network names and passwords, on compromised systems.

discovery

Wi-Fi Discovery

T1016.002

pid	Process
6128	cmd.exe
9432	Process not Found
7800	cmd.exe
6108	cmd.exe
3120	netsh.exe
9116	Process not Found
2992	cmd.exe
6612	netsh.exe
8508	Process not Found
5048	cmd.exe
7308	cmd.exe
7912	Process not Found
9096	Process not Found
2040	netsh.exe
632	netsh.exe
8036	cmd.exe
6628	cmd.exe
5376	netsh.exe
6920	netsh.exe
9332	Process not Found
2104	Process not Found
7084	cmd.exe
8504	Process not Found
4108	cmd.exe
6460	cmd.exe
7308	cmd.exe
556	netsh.exe
7688	Process not Found
4308	cmd.exe
5600	netsh.exe
9516	Process not Found
2484	cmd.exe
5236	cmd.exe
9736	Process not Found
6348	cmd.exe
7368	netsh.exe
4344	Process not Found
3840	Process not Found
7032	cmd.exe
3848	netsh.exe
3924	cmd.exe
7932	cmd.exe
5816	netsh.exe
4608	cmd.exe
1372	netsh.exe
6500	Process not Found
6124	Process not Found
9160	Process not Found
6708	cmd.exe
6944	netsh.exe
8628	Process not Found
3248	cmd.exe
4684	netsh.exe
6380	netsh.exe
6784	netsh.exe
5948	cmd.exe
2556	netsh.exe
7896	netsh.exe
4868	Process not Found
8532	Process not Found
4944	Process not Found
6772	netsh.exe
6904	cmd.exe
5568	Process not Found

Checks processor information in registry 2 TTPs 64 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	RuntimeBroker.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\Description\System\CentralProcessor\0	RuntimeBroker.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	RuntimeBroker.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	RuntimeBroker.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	RuntimeBroker.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	RuntimeBroker.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	RuntimeBroker.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\Description\System\CentralProcessor\0	RuntimeBroker.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	RuntimeBroker.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\Description\System\CentralProcessor\0	RuntimeBroker.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\Description\System\CentralProcessor\0	RuntimeBroker.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\Description\System\CentralProcessor\0	RuntimeBroker.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	RuntimeBroker.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\Description\System\CentralProcessor\0	RuntimeBroker.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	RuntimeBroker.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\Description\System\CentralProcessor\0	RuntimeBroker.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\Description\System\CentralProcessor\0	RuntimeBroker.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	RuntimeBroker.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\Description\System\CentralProcessor\0	RuntimeBroker.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	RuntimeBroker.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\Description\System\CentralProcessor\0	RuntimeBroker.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\Description\System\CentralProcessor\0	RuntimeBroker.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	RuntimeBroker.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\Description\System\CentralProcessor\0	RuntimeBroker.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\Description\System\CentralProcessor\0	RuntimeBroker.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\Description\System\CentralProcessor\0	RuntimeBroker.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	RuntimeBroker.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	RuntimeBroker.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\Description\System\CentralProcessor\0	RuntimeBroker.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\Description\System\CentralProcessor\0	RuntimeBroker.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	RuntimeBroker.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	RuntimeBroker.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	RuntimeBroker.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\Description\System\CentralProcessor\0	RuntimeBroker.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	RuntimeBroker.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\Description\System\CentralProcessor\0	RuntimeBroker.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	RuntimeBroker.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\Description\System\CentralProcessor\0	RuntimeBroker.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\Description\System\CentralProcessor\0	RuntimeBroker.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	RuntimeBroker.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	RuntimeBroker.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\Description\System\CentralProcessor\0	RuntimeBroker.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	RuntimeBroker.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\Description\System\CentralProcessor\0	RuntimeBroker.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\Description\System\CentralProcessor\0	RuntimeBroker.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	RuntimeBroker.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	RuntimeBroker.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	RuntimeBroker.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\Description\System\CentralProcessor\0	RuntimeBroker.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\Description\System\CentralProcessor\0	RuntimeBroker.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\Description\System\CentralProcessor\0	RuntimeBroker.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\Description\System\CentralProcessor\0	RuntimeBroker.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	RuntimeBroker.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\Description\System\CentralProcessor\0	RuntimeBroker.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	RuntimeBroker.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	RuntimeBroker.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	RuntimeBroker.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\Description\System\CentralProcessor\0	RuntimeBroker.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	RuntimeBroker.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\Description\System\CentralProcessor\0	RuntimeBroker.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	RuntimeBroker.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\Description\System\CentralProcessor\0	RuntimeBroker.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	RuntimeBroker.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	RuntimeBroker.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
32	RuntimeBroker.exe
32	RuntimeBroker.exe
4888	RuntimeBroker.exe
4888	RuntimeBroker.exe
4888	RuntimeBroker.exe
32	RuntimeBroker.exe
32	RuntimeBroker.exe
4888	RuntimeBroker.exe
4888	RuntimeBroker.exe
4888	RuntimeBroker.exe
4888	RuntimeBroker.exe
3224	RuntimeBroker.exe
3224	RuntimeBroker.exe
3224	RuntimeBroker.exe
32	RuntimeBroker.exe
32	RuntimeBroker.exe
4888	RuntimeBroker.exe
4888	RuntimeBroker.exe
32	RuntimeBroker.exe
32	RuntimeBroker.exe
32	RuntimeBroker.exe
32	RuntimeBroker.exe
32	RuntimeBroker.exe
32	RuntimeBroker.exe
4888	RuntimeBroker.exe
4888	RuntimeBroker.exe
32	RuntimeBroker.exe
32	RuntimeBroker.exe
4648	RuntimeBroker.exe
4648	RuntimeBroker.exe
4648	RuntimeBroker.exe
3224	RuntimeBroker.exe
3224	RuntimeBroker.exe
4888	RuntimeBroker.exe
4888	RuntimeBroker.exe
4888	RuntimeBroker.exe
4888	RuntimeBroker.exe
32	RuntimeBroker.exe
32	RuntimeBroker.exe
3224	RuntimeBroker.exe
3224	RuntimeBroker.exe
32	RuntimeBroker.exe
32	RuntimeBroker.exe
4888	RuntimeBroker.exe
4888	RuntimeBroker.exe
32	RuntimeBroker.exe
32	RuntimeBroker.exe
4888	RuntimeBroker.exe
4888	RuntimeBroker.exe
32	RuntimeBroker.exe
32	RuntimeBroker.exe
4888	RuntimeBroker.exe
4888	RuntimeBroker.exe
1264	RuntimeBroker.exe
1264	RuntimeBroker.exe
1264	RuntimeBroker.exe
4888	RuntimeBroker.exe
4888	RuntimeBroker.exe
3224	RuntimeBroker.exe
3224	RuntimeBroker.exe
32	RuntimeBroker.exe
32	RuntimeBroker.exe
3224	RuntimeBroker.exe
3224	RuntimeBroker.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 15 IoCs

pid	Process
5036	msedge.exe
5036	msedge.exe
5036	msedge.exe
5036	msedge.exe
5036	msedge.exe
5036	msedge.exe
5036	msedge.exe
5036	msedge.exe
5036	msedge.exe
5036	msedge.exe
5036	msedge.exe
5036	msedge.exe
5036	msedge.exe
5036	msedge.exe
5036	msedge.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	32	RuntimeBroker.exe
Token: SeDebugPrivilege	4888	RuntimeBroker.exe
Token: SeDebugPrivilege	3224	RuntimeBroker.exe
Token: SeDebugPrivilege	4648	RuntimeBroker.exe
Token: SeDebugPrivilege	1264	RuntimeBroker.exe
Token: SeDebugPrivilege	3120	RuntimeBroker.exe
Token: SeDebugPrivilege	4012	RuntimeBroker.exe
Token: SeDebugPrivilege	4812	RuntimeBroker.exe
Token: SeDebugPrivilege	4332	RuntimeBroker.exe
Token: SeDebugPrivilege	2744	RuntimeBroker.exe
Token: SeDebugPrivilege	2504	RuntimeBroker.exe
Token: SeDebugPrivilege	2304	RuntimeBroker.exe
Token: SeDebugPrivilege	2928	RuntimeBroker.exe
Token: SeDebugPrivilege	3288	RuntimeBroker.exe
Token: SeDebugPrivilege	2044	RuntimeBroker.exe
Token: SeDebugPrivilege	1896	RuntimeBroker.exe
Token: SeDebugPrivilege	4556	RuntimeBroker.exe
Token: SeDebugPrivilege	5008	RuntimeBroker.exe
Token: SeDebugPrivilege	4948	RuntimeBroker.exe
Token: SeDebugPrivilege	3756	RuntimeBroker.exe
Token: SeDebugPrivilege	1348	RuntimeBroker.exe
Token: SeDebugPrivilege	3168	RuntimeBroker.exe
Token: SeDebugPrivilege	4400	RuntimeBroker.exe
Token: SeDebugPrivilege	4956	RuntimeBroker.exe
Token: SeDebugPrivilege	1232	RuntimeBroker.exe
Token: SeDebugPrivilege	5672	RuntimeBroker.exe
Token: SeDebugPrivilege	2292	RuntimeBroker.exe
Token: SeDebugPrivilege	5232	RuntimeBroker.exe
Token: SeDebugPrivilege	2676	RuntimeBroker.exe
Token: SeDebugPrivilege	5568	RuntimeBroker.exe
Token: SeDebugPrivilege	3620	RuntimeBroker.exe
Token: SeDebugPrivilege	6228	RuntimeBroker.exe
Token: SeDebugPrivilege	5124	RuntimeBroker.exe
Token: SeDebugPrivilege	6732	RuntimeBroker.exe
Token: SeDebugPrivilege	6704	RuntimeBroker.exe
Token: SeDebugPrivilege	5280	RuntimeBroker.exe
Token: SeDebugPrivilege	6496	RuntimeBroker.exe
Token: SeDebugPrivilege	6948	RuntimeBroker.exe
Token: SeDebugPrivilege	2220	RuntimeBroker.exe
Token: SeDebugPrivilege	7096	RuntimeBroker.exe
Token: SeDebugPrivilege	7024	RuntimeBroker.exe
Token: SeDebugPrivilege	116	RuntimeBroker.exe
Token: SeDebugPrivilege	6196	RuntimeBroker.exe
Token: SeDebugPrivilege	6944	RuntimeBroker.exe
Token: SeDebugPrivilege	5820	RuntimeBroker.exe
Token: SeDebugPrivilege	6012	RuntimeBroker.exe
Token: SeDebugPrivilege	6212	RuntimeBroker.exe
Token: SeDebugPrivilege	5424	RuntimeBroker.exe
Token: SeDebugPrivilege	6396	RuntimeBroker.exe
Token: SeDebugPrivilege	5884	RuntimeBroker.exe
Token: SeDebugPrivilege	2628	RuntimeBroker.exe
Token: SeDebugPrivilege	1536	RuntimeBroker.exe
Token: SeDebugPrivilege	4932	RuntimeBroker.exe
Token: SeDebugPrivilege	7056	RuntimeBroker.exe
Token: SeDebugPrivilege	5720	RuntimeBroker.exe
Token: SeDebugPrivilege	3524	RuntimeBroker.exe
Token: SeDebugPrivilege	688	RuntimeBroker.exe
Token: SeDebugPrivilege	7596	RuntimeBroker.exe
Token: SeDebugPrivilege	7568	RuntimeBroker.exe
Token: SeDebugPrivilege	7580	RuntimeBroker.exe
Token: SeDebugPrivilege	7772	RuntimeBroker.exe
Token: SeDebugPrivilege	7484	RuntimeBroker.exe
Token: SeDebugPrivilege	8144	RuntimeBroker.exe
Token: SeDebugPrivilege	7956	RuntimeBroker.exe

Suspicious use of FindShellTrayWindow 25 IoCs

pid	Process
5036	msedge.exe
5036	msedge.exe
5036	msedge.exe
5036	msedge.exe
5036	msedge.exe
5036	msedge.exe
5036	msedge.exe
5036	msedge.exe
5036	msedge.exe
5036	msedge.exe
5036	msedge.exe
5036	msedge.exe
5036	msedge.exe
5036	msedge.exe
5036	msedge.exe
5036	msedge.exe
5036	msedge.exe
5036	msedge.exe
5036	msedge.exe
5036	msedge.exe
5036	msedge.exe
5036	msedge.exe
5036	msedge.exe
5036	msedge.exe
5036	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
5036	msedge.exe
5036	msedge.exe
5036	msedge.exe
5036	msedge.exe
5036	msedge.exe
5036	msedge.exe
5036	msedge.exe
5036	msedge.exe
5036	msedge.exe
5036	msedge.exe
5036	msedge.exe
5036	msedge.exe
5036	msedge.exe
5036	msedge.exe
5036	msedge.exe
5036	msedge.exe
5036	msedge.exe
5036	msedge.exe
5036	msedge.exe
5036	msedge.exe
5036	msedge.exe
5036	msedge.exe
5036	msedge.exe
5036	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1876 wrote to memory of 548	1876	RebelCracked.exe	88
PID 1876 wrote to memory of 548	1876	RebelCracked.exe	88
PID 1876 wrote to memory of 548	1876	RebelCracked.exe	88
PID 1876 wrote to memory of 4660	1876	RebelCracked.exe	89
PID 1876 wrote to memory of 4660	1876	RebelCracked.exe	89
PID 548 wrote to memory of 220	548	RuntimeBroker.exe	92
PID 548 wrote to memory of 220	548	RuntimeBroker.exe	92
PID 548 wrote to memory of 220	548	RuntimeBroker.exe	92
PID 548 wrote to memory of 32	548	RuntimeBroker.exe	93
PID 548 wrote to memory of 32	548	RuntimeBroker.exe	93
PID 548 wrote to memory of 32	548	RuntimeBroker.exe	93
PID 548 wrote to memory of 32	548	RuntimeBroker.exe	93
PID 548 wrote to memory of 32	548	RuntimeBroker.exe	93
PID 548 wrote to memory of 32	548	RuntimeBroker.exe	93
PID 548 wrote to memory of 32	548	RuntimeBroker.exe	93
PID 548 wrote to memory of 32	548	RuntimeBroker.exe	93
PID 4660 wrote to memory of 5048	4660	RebelCracked.exe	94
PID 4660 wrote to memory of 5048	4660	RebelCracked.exe	94
PID 4660 wrote to memory of 5048	4660	RebelCracked.exe	94
PID 4660 wrote to memory of 2156	4660	RebelCracked.exe	95
PID 4660 wrote to memory of 2156	4660	RebelCracked.exe	95
PID 5048 wrote to memory of 4888	5048	RuntimeBroker.exe	96
PID 5048 wrote to memory of 4888	5048	RuntimeBroker.exe	96
PID 5048 wrote to memory of 4888	5048	RuntimeBroker.exe	96
PID 5048 wrote to memory of 4888	5048	RuntimeBroker.exe	96
PID 5048 wrote to memory of 4888	5048	RuntimeBroker.exe	96
PID 5048 wrote to memory of 4888	5048	RuntimeBroker.exe	96
PID 5048 wrote to memory of 4888	5048	RuntimeBroker.exe	96
PID 5048 wrote to memory of 4888	5048	RuntimeBroker.exe	96
PID 2156 wrote to memory of 4276	2156	RebelCracked.exe	99
PID 2156 wrote to memory of 4276	2156	RebelCracked.exe	99
PID 2156 wrote to memory of 4276	2156	RebelCracked.exe	99
PID 2156 wrote to memory of 4628	2156	RebelCracked.exe	100
PID 2156 wrote to memory of 4628	2156	RebelCracked.exe	100
PID 4276 wrote to memory of 4288	4276	RuntimeBroker.exe	101
PID 4276 wrote to memory of 4288	4276	RuntimeBroker.exe	101
PID 4276 wrote to memory of 4288	4276	RuntimeBroker.exe	101
PID 4276 wrote to memory of 3224	4276	RuntimeBroker.exe	102
PID 4276 wrote to memory of 3224	4276	RuntimeBroker.exe	102
PID 4276 wrote to memory of 3224	4276	RuntimeBroker.exe	102
PID 4276 wrote to memory of 3224	4276	RuntimeBroker.exe	102
PID 4276 wrote to memory of 3224	4276	RuntimeBroker.exe	102
PID 4276 wrote to memory of 3224	4276	RuntimeBroker.exe	102
PID 4276 wrote to memory of 3224	4276	RuntimeBroker.exe	102
PID 4276 wrote to memory of 3224	4276	RuntimeBroker.exe	102
PID 4628 wrote to memory of 3468	4628	RebelCracked.exe	104
PID 4628 wrote to memory of 3468	4628	RebelCracked.exe	104
PID 4628 wrote to memory of 3468	4628	RebelCracked.exe	104
PID 4628 wrote to memory of 3244	4628	RebelCracked.exe	105
PID 4628 wrote to memory of 3244	4628	RebelCracked.exe	105
PID 3468 wrote to memory of 4648	3468	RuntimeBroker.exe	106
PID 3468 wrote to memory of 4648	3468	RuntimeBroker.exe	106
PID 3468 wrote to memory of 4648	3468	RuntimeBroker.exe	106
PID 3468 wrote to memory of 4648	3468	RuntimeBroker.exe	106
PID 3468 wrote to memory of 4648	3468	RuntimeBroker.exe	106
PID 3468 wrote to memory of 4648	3468	RuntimeBroker.exe	106
PID 3468 wrote to memory of 4648	3468	RuntimeBroker.exe	106
PID 3468 wrote to memory of 4648	3468	RuntimeBroker.exe	106
PID 3244 wrote to memory of 4308	3244	RebelCracked.exe	109
PID 3244 wrote to memory of 4308	3244	RebelCracked.exe	109
PID 3244 wrote to memory of 4308	3244	RebelCracked.exe	109
PID 3244 wrote to memory of 3424	3244	RebelCracked.exe	110
PID 3244 wrote to memory of 3424	3244	RebelCracked.exe	110
PID 4308 wrote to memory of 1264	4308	RuntimeBroker.exe	111

C:\Users\Admin\AppData\Local\Temp\RebelCracked.exe
"C:\Users\Admin\AppData\Local\Temp\RebelCracked.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:1876
- C:\Users\Admin\AppData\Local\RuntimeBroker.exe
  "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  PID:548
- - C:\Users\Admin\AppData\Local\RuntimeBroker.exe
    "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
    3⤵
    PID:220
- - C:\Users\Admin\AppData\Local\RuntimeBroker.exe
    "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
    3⤵
    - Executes dropped EXE
    - Checks processor information in registry
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:32
  - - C:\Windows\SysWOW64\cmd.exe
      "cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All
      4⤵
      PID:5104
    - - C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        5⤵
        
        PID:3756
    - - C:\Windows\SysWOW64\netsh.exe
        
        netsh wlan show profile
        5⤵
        
        PID:4544
    - - C:\Windows\SysWOW64\findstr.exe
        
        findstr All
        5⤵
        
        PID:868
  - - C:\Windows\SysWOW64\cmd.exe
      "cmd.exe" /C chcp 65001 && netsh wlan show networks mode=bssid
      4⤵
      PID:4016
    - - C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        5⤵
        
        PID:5080
    - - C:\Windows\SysWOW64\netsh.exe
        
        netsh wlan show networks mode=bssid
        5⤵
        Event Triggered Execution: Netsh Helper DLL
        
        PID:648
- C:\Users\Admin\AppData\Local\Temp\RebelCracked.exe
  "C:\Users\Admin\AppData\Local\Temp\RebelCracked.exe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4660
- - C:\Users\Admin\AppData\Local\RuntimeBroker.exe
    "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
    PID:5048
  - - C:\Users\Admin\AppData\Local\RuntimeBroker.exe
      "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
      4⤵
      Executes dropped EXE
      Drops desktop.ini file(s)
      Checks processor information in registry
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:4888
    - - C:\Windows\SysWOW64\cmd.exe
        
        "cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:3896
      - C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        6⤵
        
        PID:1456
      - C:\Windows\SysWOW64\netsh.exe
        
        netsh wlan show profile
        6⤵
        Event Triggered Execution: Netsh Helper DLL
        System Location Discovery: System Language Discovery
        
        PID:5080
      - C:\Windows\SysWOW64\findstr.exe
        
        findstr All
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:1064
    - - C:\Windows\SysWOW64\cmd.exe
        
        "cmd.exe" /C chcp 65001 && netsh wlan show networks mode=bssid
        5⤵
        
        PID:2320
      - C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        6⤵
        
        PID:1784
      - C:\Windows\SysWOW64\netsh.exe
        
        netsh wlan show networks mode=bssid
        6⤵
        
        PID:5116
- - C:\Users\Admin\AppData\Local\Temp\RebelCracked.exe
    "C:\Users\Admin\AppData\Local\Temp\RebelCracked.exe"
    3⤵
    - Checks computer location settings
    - Suspicious use of WriteProcessMemory
    PID:2156
  - - C:\Users\Admin\AppData\Local\RuntimeBroker.exe
      "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of SetThreadContext
      Suspicious use of WriteProcessMemory
      PID:4276
    - - C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        5⤵
        
        PID:4288
    - - C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        5⤵
        Executes dropped EXE
        Drops desktop.ini file(s)
        Checks processor information in registry
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3224
      - C:\Windows\SysWOW64\cmd.exe
        
        "cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All
        6⤵
        
        PID:1232
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:648
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh wlan show profile
        7⤵
        
        PID:4632
        
        C:\Windows\SysWOW64\findstr.exe
        
        findstr All
        7⤵
        
        PID:4752
      - C:\Windows\SysWOW64\cmd.exe
        
        "cmd.exe" /C chcp 65001 && netsh wlan show networks mode=bssid
        6⤵
        
        PID:2660
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        7⤵
        
        PID:2936
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh wlan show networks mode=bssid
        7⤵
        
        PID:2516
  - - C:\Users\Admin\AppData\Local\Temp\RebelCracked.exe
      "C:\Users\Admin\AppData\Local\Temp\RebelCracked.exe"
      4⤵
      Checks computer location settings
      Suspicious use of WriteProcessMemory
      PID:4628
    - - C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3468
      - C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        6⤵
        Executes dropped EXE
        Drops desktop.ini file(s)
        Checks processor information in registry
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4648
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All
        7⤵
        
        PID:1588
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:3056
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh wlan show profile
        8⤵
        Event Triggered Execution: Netsh Helper DLL
        
        PID:4928
        
        C:\Windows\SysWOW64\findstr.exe
        
        findstr All
        8⤵
        
        PID:2408
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd.exe" /C chcp 65001 && netsh wlan show networks mode=bssid
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:2160
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:1896
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh wlan show networks mode=bssid
        8⤵
        Event Triggered Execution: Netsh Helper DLL
        
        PID:1592
    - - C:\Users\Admin\AppData\Local\Temp\RebelCracked.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RebelCracked.exe"
        5⤵
        Checks computer location settings
        Suspicious use of WriteProcessMemory
        
        PID:3244
      - C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        6⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of WriteProcessMemory
        
        PID:4308
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        7⤵
        Executes dropped EXE
        Drops desktop.ini file(s)
        Checks processor information in registry
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1264
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All
        8⤵
        System Location Discovery: System Language Discovery
        System Network Configuration Discovery: Wi-Fi Discovery
        
        PID:3248
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        9⤵
        
        PID:2972
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh wlan show profile
        9⤵
        Event Triggered Execution: Netsh Helper DLL
        
        PID:1504
        
        C:\Windows\SysWOW64\findstr.exe
        
        findstr All
        9⤵
        
        PID:3784
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd.exe" /C chcp 65001 && netsh wlan show networks mode=bssid
        8⤵
        
        PID:636
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        9⤵
        
        PID:4428
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh wlan show networks mode=bssid
        9⤵
        
        PID:2660
      - C:\Users\Admin\AppData\Local\Temp\RebelCracked.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RebelCracked.exe"
        6⤵
        Checks computer location settings
        
        PID:3424
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        7⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:1180
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        8⤵
        
        PID:2488
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        8⤵
        
        PID:4880
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        8⤵
        Blocklisted process makes network request
        Executes dropped EXE
        Checks processor information in registry
        Suspicious use of AdjustPrivilegeToken
        
        PID:3120
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All
        9⤵
        System Network Configuration Discovery: Wi-Fi Discovery
        
        PID:4308
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        10⤵
        
        PID:1912
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh wlan show profile
        10⤵
        Event Triggered Execution: Netsh Helper DLL
        
        PID:4400
        
        C:\Windows\SysWOW64\findstr.exe
        
        findstr All
        10⤵
        System Location Discovery: System Language Discovery
        
        PID:1260
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd.exe" /C chcp 65001 && netsh wlan show networks mode=bssid
        9⤵
        
        PID:4072
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        10⤵
        
        PID:4868
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh wlan show networks mode=bssid
        10⤵
        Event Triggered Execution: Netsh Helper DLL
        
        PID:2220
        
        C:\Users\Admin\AppData\Local\Temp\RebelCracked.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RebelCracked.exe"
        7⤵
        Checks computer location settings
        
        PID:4868
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        8⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:2316
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        9⤵
        Executes dropped EXE
        Checks processor information in registry
        Suspicious use of AdjustPrivilegeToken
        
        PID:4012
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All
        10⤵
        System Network Configuration Discovery: Wi-Fi Discovery
        
        PID:4108
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        11⤵
        
        PID:2080
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh wlan show profile
        11⤵
        Event Triggered Execution: Netsh Helper DLL
        
        PID:4416
        
        C:\Windows\SysWOW64\findstr.exe
        
        findstr All
        11⤵
        
        PID:3928
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd.exe" /C chcp 65001 && netsh wlan show networks mode=bssid
        10⤵
        
        PID:456
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        11⤵
        
        PID:4396
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh wlan show networks mode=bssid
        11⤵
        
        PID:1356
        
        C:\Users\Admin\AppData\Local\Temp\RebelCracked.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RebelCracked.exe"
        8⤵
        
        PID:1364
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        9⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:3304
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        10⤵
        Blocklisted process makes network request
        Executes dropped EXE
        Drops desktop.ini file(s)
        System Location Discovery: System Language Discovery
        Checks processor information in registry
        Suspicious use of AdjustPrivilegeToken
        
        PID:4812
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All
        11⤵
        
        PID:3296
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        12⤵
        
        PID:2160
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh wlan show profile
        12⤵
        Event Triggered Execution: Netsh Helper DLL
        
        PID:4308
        
        C:\Windows\SysWOW64\findstr.exe
        
        findstr All
        12⤵
        
        PID:4400
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd.exe" /C chcp 65001 && netsh wlan show networks mode=bssid
        11⤵
        
        PID:3184
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        12⤵
        
        PID:3620
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh wlan show networks mode=bssid
        12⤵
        
        PID:3296
        
        C:\Users\Admin\AppData\Local\Temp\RebelCracked.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RebelCracked.exe"
        9⤵
        Checks computer location settings
        
        PID:2436
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        10⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:1388
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        11⤵
        
        PID:3948
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        11⤵
        Executes dropped EXE
        Checks processor information in registry
        Suspicious use of AdjustPrivilegeToken
        
        PID:4332
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All
        12⤵
        System Location Discovery: System Language Discovery
        
        PID:3576
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        13⤵
        
        PID:3420
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh wlan show profile
        13⤵
        
        PID:2160
        
        C:\Windows\SysWOW64\findstr.exe
        
        findstr All
        13⤵
        
        PID:2484
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd.exe" /C chcp 65001 && netsh wlan show networks mode=bssid
        12⤵
        
        PID:3704
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        13⤵
        
        PID:1104
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh wlan show networks mode=bssid
        13⤵
        Event Triggered Execution: Netsh Helper DLL
        
        PID:3044
        
        C:\Users\Admin\AppData\Local\Temp\RebelCracked.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RebelCracked.exe"
        10⤵
        Checks computer location settings
        
        PID:4348
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        11⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:2216
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        12⤵
        
        PID:4036
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        12⤵
        
        PID:4512
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        12⤵
        
        PID:2420
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        12⤵
        Executes dropped EXE
        Drops desktop.ini file(s)
        Checks processor information in registry
        Suspicious use of AdjustPrivilegeToken
        
        PID:2744
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All
        13⤵
        
        PID:4008
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        14⤵
        
        PID:4868
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh wlan show profile
        14⤵
        
        PID:2516
        
        C:\Windows\SysWOW64\findstr.exe
        
        findstr All
        14⤵
        
        PID:4200
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd.exe" /C chcp 65001 && netsh wlan show networks mode=bssid
        13⤵
        
        PID:4064
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        14⤵
        
        PID:2556
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh wlan show networks mode=bssid
        14⤵
        
        PID:4376
        
        C:\Users\Admin\AppData\Local\Temp\RebelCracked.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RebelCracked.exe"
        11⤵
        Checks computer location settings
        
        PID:3668
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        12⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:4964
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        13⤵
        Executes dropped EXE
        Drops desktop.ini file(s)
        Checks processor information in registry
        Suspicious use of AdjustPrivilegeToken
        
        PID:2504
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All
        14⤵
        
        PID:6940
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        15⤵
        System Location Discovery: System Language Discovery
        
        PID:3664
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh wlan show profile
        15⤵
        
        PID:6132
        
        C:\Windows\SysWOW64\findstr.exe
        
        findstr All
        15⤵
        System Location Discovery: System Language Discovery
        
        PID:6708
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd.exe" /C chcp 65001 && netsh wlan show networks mode=bssid
        14⤵
        
        PID:7020
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        15⤵
        System Location Discovery: System Language Discovery
        
        PID:6992
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh wlan show networks mode=bssid
        15⤵
        Event Triggered Execution: Netsh Helper DLL
        
        PID:6656
        
        C:\Users\Admin\AppData\Local\Temp\RebelCracked.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RebelCracked.exe"
        12⤵
        Checks computer location settings
        
        PID:4556
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        13⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:4508
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        14⤵
        Executes dropped EXE
        Drops desktop.ini file(s)
        Suspicious use of AdjustPrivilegeToken
        
        PID:2304
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All
        15⤵
        System Network Configuration Discovery: Wi-Fi Discovery
        
        PID:6460
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        16⤵
        
        PID:3216
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh wlan show profile
        16⤵
        Event Triggered Execution: Netsh Helper DLL
        System Network Configuration Discovery: Wi-Fi Discovery
        
        PID:6784
        
        C:\Windows\SysWOW64\findstr.exe
        
        findstr All
        16⤵
        
        PID:6796
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd.exe" /C chcp 65001 && netsh wlan show networks mode=bssid
        15⤵
        
        PID:6396
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        16⤵
        
        PID:6812
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh wlan show networks mode=bssid
        16⤵
        
        PID:7088
        
        C:\Users\Admin\AppData\Local\Temp\RebelCracked.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RebelCracked.exe"
        13⤵
        Checks computer location settings
        
        PID:3420
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        14⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:2024
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        15⤵
        Executes dropped EXE
        Checks processor information in registry
        Suspicious use of AdjustPrivilegeToken
        
        PID:2928
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All
        16⤵
        System Network Configuration Discovery: Wi-Fi Discovery
        
        PID:6108
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        17⤵
        
        PID:6180
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh wlan show profile
        17⤵
        Event Triggered Execution: Netsh Helper DLL
        System Location Discovery: System Language Discovery
        
        PID:6348
        
        C:\Windows\SysWOW64\findstr.exe
        
        findstr All
        17⤵
        
        PID:6356
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd.exe" /C chcp 65001 && netsh wlan show networks mode=bssid
        16⤵
        
        PID:6644
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        17⤵
        
        PID:7036
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh wlan show networks mode=bssid
        17⤵
        
        PID:6160
        
        C:\Users\Admin\AppData\Local\Temp\RebelCracked.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RebelCracked.exe"
        14⤵
        Checks computer location settings
        
        PID:2592
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        15⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:4352
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        16⤵
        Executes dropped EXE
        Drops desktop.ini file(s)
        System Location Discovery: System Language Discovery
        Checks processor information in registry
        Suspicious use of AdjustPrivilegeToken
        
        PID:3288
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All
        17⤵
        
        PID:6788
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        18⤵
        
        PID:6756
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh wlan show profile
        18⤵
        Event Triggered Execution: Netsh Helper DLL
        
        PID:4956
        
        C:\Windows\SysWOW64\findstr.exe
        
        findstr All
        18⤵
        
        PID:6456
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd.exe" /C chcp 65001 && netsh wlan show networks mode=bssid
        17⤵
        
        PID:5692
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        18⤵
        
        PID:7080
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh wlan show networks mode=bssid
        18⤵
        
        PID:6328
        
        C:\Users\Admin\AppData\Local\Temp\RebelCracked.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RebelCracked.exe"
        15⤵
        Checks computer location settings
        
        PID:2160
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        16⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:3756
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        17⤵
        Executes dropped EXE
        Checks processor information in registry
        Suspicious use of AdjustPrivilegeToken
        
        PID:2044
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All
        18⤵
        
        PID:6216
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        19⤵
        
        PID:4400
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh wlan show profile
        19⤵
        System Network Configuration Discovery: Wi-Fi Discovery
        
        PID:4684
        
        C:\Windows\SysWOW64\findstr.exe
        
        findstr All
        19⤵
        
        PID:5784
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd.exe" /C chcp 65001 && netsh wlan show networks mode=bssid
        18⤵
        
        PID:1292
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        19⤵
        
        PID:688
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh wlan show networks mode=bssid
        19⤵
        Event Triggered Execution: Netsh Helper DLL
        
        PID:1964
        
        C:\Users\Admin\AppData\Local\Temp\RebelCracked.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RebelCracked.exe"
        16⤵
        Checks computer location settings
        
        PID:5008
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        17⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:4948
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        18⤵
        
        PID:2088
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        18⤵
        Executes dropped EXE
        Drops desktop.ini file(s)
        Checks processor information in registry
        Suspicious use of AdjustPrivilegeToken
        
        PID:1896
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All
        19⤵
        
        PID:5808
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        20⤵
        System Location Discovery: System Language Discovery
        
        PID:6116
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh wlan show profile
        20⤵
        
        PID:6016
        
        C:\Windows\SysWOW64\findstr.exe
        
        findstr All
        20⤵
        
        PID:4408
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd.exe" /C chcp 65001 && netsh wlan show networks mode=bssid
        19⤵
        
        PID:1604
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        20⤵
        
        PID:1868
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh wlan show networks mode=bssid
        20⤵
        Event Triggered Execution: Netsh Helper DLL
        
        PID:7032
        
        C:\Users\Admin\AppData\Local\Temp\RebelCracked.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RebelCracked.exe"
        17⤵
        Checks computer location settings
        
        PID:4868
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        18⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:2024
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        19⤵
        Executes dropped EXE
        Drops desktop.ini file(s)
        Checks processor information in registry
        Suspicious use of AdjustPrivilegeToken
        
        PID:4556
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All
        20⤵
        System Network Configuration Discovery: Wi-Fi Discovery
        
        PID:2484
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        21⤵
        
        PID:1148
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        21⤵
        
        PID:1124
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh wlan show profile
        21⤵
        Event Triggered Execution: Netsh Helper DLL
        System Location Discovery: System Language Discovery
        
        PID:6636
        
        C:\Windows\SysWOW64\findstr.exe
        
        findstr All
        21⤵
        
        PID:1536
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd.exe" /C chcp 65001 && netsh wlan show networks mode=bssid
        20⤵
        
        PID:5812
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        21⤵
        
        PID:2304
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        21⤵
        
        PID:6248
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh wlan show networks mode=bssid
        21⤵
        
        PID:5432
        
        C:\Users\Admin\AppData\Local\Temp\RebelCracked.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RebelCracked.exe"
        18⤵
        Checks computer location settings
        
        PID:1628
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        19⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:3216
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        20⤵
        Executes dropped EXE
        Drops desktop.ini file(s)
        Checks processor information in registry
        Suspicious use of AdjustPrivilegeToken
        
        PID:5008
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All
        21⤵
        System Network Configuration Discovery: Wi-Fi Discovery
        
        PID:5948
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        22⤵
        
        PID:4276
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh wlan show profile
        22⤵
        
        PID:6748
        
        C:\Windows\SysWOW64\findstr.exe
        
        findstr All
        22⤵
        
        PID:5800
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd.exe" /C chcp 65001 && netsh wlan show networks mode=bssid
        21⤵
        
        PID:6152
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        22⤵
        System Location Discovery: System Language Discovery
        
        PID:5932
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh wlan show networks mode=bssid
        22⤵
        Event Triggered Execution: Netsh Helper DLL
        
        PID:2412
        
        C:\Users\Admin\AppData\Local\Temp\RebelCracked.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RebelCracked.exe"
        19⤵
        
        PID:2216
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        20⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:2936
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        21⤵
        Executes dropped EXE
        Checks processor information in registry
        Suspicious use of AdjustPrivilegeToken
        
        PID:4948
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All
        22⤵
        
        PID:6656
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        23⤵
        
        PID:5692
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh wlan show profile
        23⤵
        System Location Discovery: System Language Discovery
        
        PID:180
        
        C:\Windows\SysWOW64\findstr.exe
        
        findstr All
        23⤵
        
        PID:5808
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd.exe" /C chcp 65001 && netsh wlan show networks mode=bssid
        22⤵
        
        PID:432
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        23⤵
        
        PID:6104
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        23⤵
        
        PID:4276
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh wlan show networks mode=bssid
        23⤵
        System Location Discovery: System Language Discovery
        
        PID:7120
        
        C:\Users\Admin\AppData\Local\Temp\RebelCracked.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RebelCracked.exe"
        20⤵
        Checks computer location settings
        
        PID:1976
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        21⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:3620
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        22⤵
        Executes dropped EXE
        Drops desktop.ini file(s)
        Checks processor information in registry
        Suspicious use of AdjustPrivilegeToken
        
        PID:3756
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All
        23⤵
        System Network Configuration Discovery: Wi-Fi Discovery
        
        PID:5048
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        24⤵
        
        PID:6216
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh wlan show profile
        24⤵
        Event Triggered Execution: Netsh Helper DLL
        
        PID:6180
        
        C:\Windows\SysWOW64\findstr.exe
        
        findstr All
        24⤵
        
        PID:6268
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd.exe" /C chcp 65001 && netsh wlan show networks mode=bssid
        23⤵
        
        PID:6696
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        24⤵
        
        PID:5936
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh wlan show networks mode=bssid
        24⤵
        Event Triggered Execution: Netsh Helper DLL
        
        PID:2208
        
        C:\Users\Admin\AppData\Local\Temp\RebelCracked.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RebelCracked.exe"
        21⤵
        Checks computer location settings
        
        PID:4472
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        22⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:1104
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        23⤵
        
        PID:4616
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        23⤵
        Executes dropped EXE
        Checks processor information in registry
        Suspicious use of AdjustPrivilegeToken
        
        PID:1348
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All
        24⤵
        
        PID:1988
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        25⤵
        
        PID:5612
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh wlan show profile
        25⤵
        Event Triggered Execution: Netsh Helper DLL
        
        PID:6032
        
        C:\Windows\SysWOW64\findstr.exe
        
        findstr All
        25⤵
        
        PID:1920
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd.exe" /C chcp 65001 && netsh wlan show networks mode=bssid
        24⤵
        
        PID:4976
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        25⤵
        System Location Discovery: System Language Discovery
        
        PID:4480
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh wlan show networks mode=bssid
        25⤵
        
        PID:6832
        
        C:\Users\Admin\AppData\Local\Temp\RebelCracked.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RebelCracked.exe"
        22⤵
        Checks computer location settings
        
        PID:2548
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        23⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:1092
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        24⤵
        
        PID:1432
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        24⤵
        
        PID:2216
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        24⤵
        Executes dropped EXE
        Drops desktop.ini file(s)
        Checks processor information in registry
        Suspicious use of AdjustPrivilegeToken
        
        PID:3168
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All
        25⤵
        
        PID:5796
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        26⤵
        
        PID:688
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh wlan show profile
        26⤵
        Event Triggered Execution: Netsh Helper DLL
        
        PID:2956
        
        C:\Windows\SysWOW64\findstr.exe
        
        findstr All
        26⤵
        System Location Discovery: System Language Discovery
        
        PID:2364
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd.exe" /C chcp 65001 && netsh wlan show networks mode=bssid
        25⤵
        
        PID:1920
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        26⤵
        System Location Discovery: System Language Discovery
        
        PID:5212
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh wlan show networks mode=bssid
        26⤵
        Event Triggered Execution: Netsh Helper DLL
        
        PID:4656
        
        C:\Users\Admin\AppData\Local\Temp\RebelCracked.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RebelCracked.exe"
        23⤵
        Checks computer location settings
        
        PID:4008
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        24⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:4868
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        25⤵
        Executes dropped EXE
        Drops desktop.ini file(s)
        Checks processor information in registry
        Suspicious use of AdjustPrivilegeToken
        
        PID:4400
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All
        26⤵
        System Network Configuration Discovery: Wi-Fi Discovery
        
        PID:7084
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        27⤵
        
        PID:6332
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh wlan show profile
        27⤵
        Event Triggered Execution: Netsh Helper DLL
        
        PID:6352
        
        C:\Windows\SysWOW64\findstr.exe
        
        findstr All
        27⤵
        
        PID:6360
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd.exe" /C chcp 65001 && netsh wlan show networks mode=bssid
        26⤵
        
        PID:6868
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        27⤵
        
        PID:6380
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh wlan show networks mode=bssid
        27⤵
        Event Triggered Execution: Netsh Helper DLL
        
        PID:7036
        
        C:\Users\Admin\AppData\Local\Temp\RebelCracked.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RebelCracked.exe"
        24⤵
        Checks computer location settings
        
        PID:5048
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        25⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:1260
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        26⤵
        Executes dropped EXE
        Drops desktop.ini file(s)
        System Location Discovery: System Language Discovery
        Checks processor information in registry
        Suspicious use of AdjustPrivilegeToken
        
        PID:4956
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All
        27⤵
        System Network Configuration Discovery: Wi-Fi Discovery
        
        PID:6128
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        28⤵
        
        PID:6108
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh wlan show profile
        28⤵
        System Network Configuration Discovery: Wi-Fi Discovery
        
        PID:2040
        
        C:\Windows\SysWOW64\findstr.exe
        
        findstr All
        28⤵
        
        PID:5692
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd.exe" /C chcp 65001 && netsh wlan show networks mode=bssid
        27⤵
        
        PID:5388
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        28⤵
        System Location Discovery: System Language Discovery
        
        PID:4340
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh wlan show networks mode=bssid
        28⤵
        Event Triggered Execution: Netsh Helper DLL
        
        PID:632
        
        C:\Users\Admin\AppData\Local\Temp\RebelCracked.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RebelCracked.exe"
        25⤵
        Checks computer location settings
        
        PID:4268
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        26⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:1912
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        27⤵
        Executes dropped EXE
        Drops desktop.ini file(s)
        Suspicious use of AdjustPrivilegeToken
        
        PID:1232
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All
        28⤵
        
        PID:7288
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        29⤵
        System Location Discovery: System Language Discovery
        
        PID:5568
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh wlan show profile
        29⤵
        Event Triggered Execution: Netsh Helper DLL
        System Location Discovery: System Language Discovery
        
        PID:4968
        
        C:\Windows\SysWOW64\findstr.exe
        
        findstr All
        29⤵
        
        PID:7520
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd.exe" /C chcp 65001 && netsh wlan show networks mode=bssid
        28⤵
        
        PID:6880
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        29⤵
        System Location Discovery: System Language Discovery
        
        PID:3004
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh wlan show networks mode=bssid
        29⤵
        
        PID:7716
        
        C:\Users\Admin\AppData\Local\Temp\RebelCracked.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RebelCracked.exe"
        26⤵
        Checks computer location settings
        
        PID:3700
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        27⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:5176
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        28⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Checks processor information in registry
        Suspicious use of AdjustPrivilegeToken
        
        PID:5672
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All
        29⤵
        System Network Configuration Discovery: Wi-Fi Discovery
        
        PID:6348
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        30⤵
        
        PID:7028
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh wlan show profile
        30⤵
        
        PID:6864
        
        C:\Windows\SysWOW64\findstr.exe
        
        findstr All
        30⤵
        
        PID:7088
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd.exe" /C chcp 65001 && netsh wlan show networks mode=bssid
        29⤵
        
        PID:6648
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        30⤵
        
        PID:6360
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh wlan show networks mode=bssid
        30⤵
        Event Triggered Execution: Netsh Helper DLL
        System Location Discovery: System Language Discovery
        
        PID:6468
        
        C:\Users\Admin\AppData\Local\Temp\RebelCracked.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RebelCracked.exe"
        27⤵
        Checks computer location settings
        
        PID:5388
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        28⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:5260
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        29⤵
        
        PID:5272
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        29⤵
        Executes dropped EXE
        Drops desktop.ini file(s)
        Checks processor information in registry
        Suspicious use of AdjustPrivilegeToken
        
        PID:2292
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All
        30⤵
        
        PID:6820
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        31⤵
        
        PID:7068
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh wlan show profile
        31⤵
        System Location Discovery: System Language Discovery
        System Network Configuration Discovery: Wi-Fi Discovery
        
        PID:2556
        
        C:\Windows\SysWOW64\findstr.exe
        
        findstr All
        31⤵
        
        PID:7136
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd.exe" /C chcp 65001 && netsh wlan show networks mode=bssid
        30⤵
        
        PID:1292
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        31⤵
        
        PID:1372
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        31⤵
        
        PID:6804
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh wlan show networks mode=bssid
        31⤵
        Event Triggered Execution: Netsh Helper DLL
        
        PID:5568
        
        C:\Users\Admin\AppData\Local\Temp\RebelCracked.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RebelCracked.exe"
        28⤵
        Checks computer location settings
        
        PID:5712
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        29⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:6116
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        30⤵
        Executes dropped EXE
        Drops desktop.ini file(s)
        Checks processor information in registry
        Suspicious use of AdjustPrivilegeToken
        
        PID:5232
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All
        31⤵
        
        PID:6512
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        32⤵
        
        PID:4812
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh wlan show profile
        32⤵
        Event Triggered Execution: Netsh Helper DLL
        System Network Configuration Discovery: Wi-Fi Discovery
        
        PID:5600
        
        C:\Windows\SysWOW64\findstr.exe
        
        findstr All
        32⤵
        
        PID:6608
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd.exe" /C chcp 65001 && netsh wlan show networks mode=bssid
        31⤵
        System Location Discovery: System Language Discovery
        
        PID:5432
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        32⤵
        
        PID:2096
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh wlan show networks mode=bssid
        32⤵
        
        PID:5792
        
        C:\Users\Admin\AppData\Local\Temp\RebelCracked.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RebelCracked.exe"
        29⤵
        Checks computer location settings
        
        PID:6084
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        30⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:5176
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        31⤵
        Executes dropped EXE
        Drops desktop.ini file(s)
        Checks processor information in registry
        Suspicious use of AdjustPrivilegeToken
        
        PID:2676
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All
        32⤵
        System Location Discovery: System Language Discovery
        System Network Configuration Discovery: Wi-Fi Discovery
        
        PID:7032
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        33⤵
        
        PID:400
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh wlan show profile
        33⤵
        Event Triggered Execution: Netsh Helper DLL
        System Network Configuration Discovery: Wi-Fi Discovery
        
        PID:3848
        
        C:\Windows\SysWOW64\findstr.exe
        
        findstr All
        33⤵
        
        PID:6216
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd.exe" /C chcp 65001 && netsh wlan show networks mode=bssid
        32⤵
        
        PID:6360
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        33⤵
        
        PID:2556
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh wlan show networks mode=bssid
        33⤵
        System Location Discovery: System Language Discovery
        
        PID:2992
        
        C:\Users\Admin\AppData\Local\Temp\RebelCracked.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RebelCracked.exe"
        30⤵
        Checks computer location settings
        
        PID:5700
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        31⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:5916
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        32⤵
        
        PID:4212
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        32⤵
        Blocklisted process makes network request
        Executes dropped EXE
        Checks processor information in registry
        Suspicious use of AdjustPrivilegeToken
        
        PID:5568
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All
        33⤵
        
        PID:5824
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        34⤵
        
        PID:6748
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh wlan show profile
        34⤵
        Event Triggered Execution: Netsh Helper DLL
        
        PID:6816
        
        C:\Windows\SysWOW64\findstr.exe
        
        findstr All
        34⤵
        
        PID:7036
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd.exe" /C chcp 65001 && netsh wlan show networks mode=bssid
        33⤵
        
        PID:6456
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        34⤵
        
        PID:6328
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh wlan show networks mode=bssid
        34⤵
        Event Triggered Execution: Netsh Helper DLL
        
        PID:6344
        
        C:\Users\Admin\AppData\Local\Temp\RebelCracked.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RebelCracked.exe"
        31⤵
        Checks computer location settings
        
        PID:4276
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        32⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:2592
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        33⤵
        Executes dropped EXE
        Checks processor information in registry
        Suspicious use of AdjustPrivilegeToken
        
        PID:3620
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All
        34⤵
        
        PID:6268
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        35⤵
        
        PID:6512
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh wlan show profile
        35⤵
        Event Triggered Execution: Netsh Helper DLL
        
        PID:2412
        
        C:\Windows\SysWOW64\findstr.exe
        
        findstr All
        35⤵
        
        PID:6128
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd.exe" /C chcp 65001 && netsh wlan show networks mode=bssid
        34⤵
        System Location Discovery: System Language Discovery
        
        PID:512
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        35⤵
        
        PID:2608
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh wlan show networks mode=bssid
        35⤵
        
        PID:1564
        
        C:\Users\Admin\AppData\Local\Temp\RebelCracked.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RebelCracked.exe"
        32⤵
        Checks computer location settings
        
        PID:4504
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        33⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:4016
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        34⤵
        Executes dropped EXE
        Drops desktop.ini file(s)
        Checks processor information in registry
        Suspicious use of AdjustPrivilegeToken
        
        PID:6228
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All
        35⤵
        System Location Discovery: System Language Discovery
        
        PID:5876
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        36⤵
        
        PID:5752
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh wlan show profile
        36⤵
        Event Triggered Execution: Netsh Helper DLL
        
        PID:4908
        
        C:\Windows\SysWOW64\findstr.exe
        
        findstr All
        36⤵
        
        PID:644
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd.exe" /C chcp 65001 && netsh wlan show networks mode=bssid
        35⤵
        System Location Discovery: System Language Discovery
        
        PID:3316
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        36⤵
        System Location Discovery: System Language Discovery
        
        PID:5088
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh wlan show networks mode=bssid
        36⤵
        Event Triggered Execution: Netsh Helper DLL
        
        PID:6296
        
        C:\Users\Admin\AppData\Local\Temp\RebelCracked.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RebelCracked.exe"
        33⤵
        Checks computer location settings
        
        PID:6168
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        34⤵
        Suspicious use of SetThreadContext
        
        PID:7076
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        35⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:5124
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All
        36⤵
        
        PID:3264
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        37⤵
        
        PID:7940
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh wlan show profile
        37⤵
        
        PID:6960
        
        C:\Windows\SysWOW64\findstr.exe
        
        findstr All
        37⤵
        
        PID:8156
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd.exe" /C chcp 65001 && netsh wlan show networks mode=bssid
        36⤵
        
        PID:3672
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        37⤵
        
        PID:6128
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh wlan show networks mode=bssid
        37⤵
        
        PID:4128
        
        C:\Users\Admin\AppData\Local\Temp\RebelCracked.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RebelCracked.exe"
        34⤵
        Checks computer location settings
        
        PID:7124
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        35⤵
        Suspicious use of SetThreadContext
        
        PID:6356
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        36⤵
        Drops desktop.ini file(s)
        Checks processor information in registry
        Suspicious use of AdjustPrivilegeToken
        
        PID:6732
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All
        37⤵
        
        PID:3204
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        38⤵
        System Location Discovery: System Language Discovery
        
        PID:6836
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh wlan show profile
        38⤵
        System Location Discovery: System Language Discovery
        System Network Configuration Discovery: Wi-Fi Discovery
        
        PID:5816
        
        C:\Windows\SysWOW64\findstr.exe
        
        findstr All
        38⤵
        
        PID:1148
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd.exe" /C chcp 65001 && netsh wlan show networks mode=bssid
        37⤵
        
        PID:1124
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        38⤵
        System Location Discovery: System Language Discovery
        
        PID:6128
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh wlan show networks mode=bssid
        38⤵
        Event Triggered Execution: Netsh Helper DLL
        System Location Discovery: System Language Discovery
        
        PID:4628
        
        C:\Users\Admin\AppData\Local\Temp\RebelCracked.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RebelCracked.exe"
        35⤵
        Checks computer location settings
        
        PID:6652
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        36⤵
        Suspicious use of SetThreadContext
        
        PID:6352
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        37⤵
        
        PID:6856
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        37⤵
        Drops desktop.ini file(s)
        Checks processor information in registry
        Suspicious use of AdjustPrivilegeToken
        
        PID:6704
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All
        38⤵
        System Network Configuration Discovery: Wi-Fi Discovery
        
        PID:6708
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        39⤵
        
        PID:6596
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh wlan show profile
        39⤵
        
        PID:4932
        
        C:\Windows\SysWOW64\findstr.exe
        
        findstr All
        39⤵
        
        PID:4408
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd.exe" /C chcp 65001 && netsh wlan show networks mode=bssid
        38⤵
        
        PID:6788
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        39⤵
        
        PID:1440
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh wlan show networks mode=bssid
        39⤵
        
        PID:6592
        
        C:\Users\Admin\AppData\Local\Temp\RebelCracked.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RebelCracked.exe"
        36⤵
        Checks computer location settings
        
        PID:6356
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        37⤵
        Suspicious use of SetThreadContext
        
        PID:7044
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        38⤵
        
        PID:5772
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        38⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:5280
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All
        39⤵
        
        PID:7468
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        40⤵
        
        PID:7652
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh wlan show profile
        40⤵
        Event Triggered Execution: Netsh Helper DLL
        
        PID:7680
        
        C:\Windows\SysWOW64\findstr.exe
        
        findstr All
        40⤵
        
        PID:7688
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd.exe" /C chcp 65001 && netsh wlan show networks mode=bssid
        39⤵
        
        PID:7860
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        40⤵
        
        PID:7944
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh wlan show networks mode=bssid
        40⤵
        Event Triggered Execution: Netsh Helper DLL
        
        PID:7992
        
        C:\Users\Admin\AppData\Local\Temp\RebelCracked.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RebelCracked.exe"
        37⤵
        Checks computer location settings
        
        PID:6948
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        38⤵
        Suspicious use of SetThreadContext
        
        PID:6464
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        39⤵
        Checks processor information in registry
        Suspicious use of AdjustPrivilegeToken
        
        PID:6496
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All
        40⤵
        System Network Configuration Discovery: Wi-Fi Discovery
        
        PID:3924
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        41⤵
        
        PID:4480
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh wlan show profile
        41⤵
        Event Triggered Execution: Netsh Helper DLL
        
        PID:6608
        
        C:\Windows\SysWOW64\findstr.exe
        
        findstr All
        41⤵
        
        PID:392
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd.exe" /C chcp 65001 && netsh wlan show networks mode=bssid
        40⤵
        
        PID:5460
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        41⤵
        
        PID:4628
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        41⤵
        
        PID:4680
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh wlan show networks mode=bssid
        41⤵
        Event Triggered Execution: Netsh Helper DLL
        System Location Discovery: System Language Discovery
        
        PID:3444
        
        C:\Users\Admin\AppData\Local\Temp\RebelCracked.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RebelCracked.exe"
        38⤵
        Checks computer location settings
        
        PID:3216
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        39⤵
        Suspicious use of SetThreadContext
        
        PID:6104
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        40⤵
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:6948
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All
        41⤵
        
        PID:5040
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        42⤵
        
        PID:1784
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh wlan show profile
        42⤵
        
        PID:2164
        
        C:\Windows\SysWOW64\findstr.exe
        
        findstr All
        42⤵
        
        PID:6956
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd.exe" /C chcp 65001 && netsh wlan show networks mode=bssid
        41⤵
        
        PID:2184
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        42⤵
        
        PID:6772
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh wlan show networks mode=bssid
        42⤵
        
        PID:7920
        
        C:\Users\Admin\AppData\Local\Temp\RebelCracked.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RebelCracked.exe"
        39⤵
        Checks computer location settings
        
        PID:5468
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        40⤵
        Suspicious use of SetThreadContext
        
        PID:2484
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        41⤵
        Checks processor information in registry
        Suspicious use of AdjustPrivilegeToken
        
        PID:2220
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All
        42⤵
        
        PID:8184
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        43⤵
        
        PID:8120
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh wlan show profile
        43⤵
        Event Triggered Execution: Netsh Helper DLL
        
        PID:6208
        
        C:\Windows\SysWOW64\findstr.exe
        
        findstr All
        43⤵
        
        PID:5612
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd.exe" /C chcp 65001 && netsh wlan show networks mode=bssid
        42⤵
        System Location Discovery: System Language Discovery
        
        PID:8040
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        43⤵
        
        PID:5472
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh wlan show networks mode=bssid
        43⤵
        
        PID:7660
        
        C:\Users\Admin\AppData\Local\Temp\RebelCracked.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RebelCracked.exe"
        40⤵
        Checks computer location settings
        
        PID:4504
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        41⤵
        Suspicious use of SetThreadContext
        
        PID:5816
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        42⤵
        Drops desktop.ini file(s)
        Checks processor information in registry
        Suspicious use of AdjustPrivilegeToken
        
        PID:7096
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All
        43⤵
        
        PID:6788
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        44⤵
        
        PID:5920
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh wlan show profile
        44⤵
        System Network Configuration Discovery: Wi-Fi Discovery
        
        PID:6380
        
        C:\Windows\SysWOW64\findstr.exe
        
        findstr All
        44⤵
        
        PID:768
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd.exe" /C chcp 65001 && netsh wlan show networks mode=bssid
        43⤵
        
        PID:5236
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        44⤵
        
        PID:6468
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh wlan show networks mode=bssid
        44⤵
        
        PID:4660
        
        C:\Users\Admin\AppData\Local\Temp\RebelCracked.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RebelCracked.exe"
        41⤵
        Checks computer location settings
        
        PID:5468
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        42⤵
        Suspicious use of SetThreadContext
        
        PID:4016
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        43⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:7024
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All
        44⤵
        
        PID:5040
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        45⤵
        
        PID:2964
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh wlan show profile
        45⤵
        System Network Configuration Discovery: Wi-Fi Discovery
        
        PID:3120
        
        C:\Windows\SysWOW64\findstr.exe
        
        findstr All
        45⤵
        
        PID:8156
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd.exe" /C chcp 65001 && netsh wlan show networks mode=bssid
        44⤵
        
        PID:7760
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        45⤵
        
        PID:4128
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh wlan show networks mode=bssid
        45⤵
        
        PID:7368
        
        C:\Users\Admin\AppData\Local\Temp\RebelCracked.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RebelCracked.exe"
        42⤵
        Checks computer location settings
        
        PID:6064
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        43⤵
        Suspicious use of SetThreadContext
        
        PID:6952
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        44⤵
        Drops desktop.ini file(s)
        Checks processor information in registry
        Suspicious use of AdjustPrivilegeToken
        
        PID:116
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All
        45⤵
        System Network Configuration Discovery: Wi-Fi Discovery
        
        PID:4608
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        46⤵
        System Location Discovery: System Language Discovery
        
        PID:644
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh wlan show profile
        46⤵
        System Network Configuration Discovery: Wi-Fi Discovery
        
        PID:1372
        
        C:\Windows\SysWOW64\findstr.exe
        
        findstr All
        46⤵
        
        PID:2044
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd.exe" /C chcp 65001 && netsh wlan show networks mode=bssid
        45⤵
        
        PID:6432
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        46⤵
        System Location Discovery: System Language Discovery
        
        PID:1892
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh wlan show networks mode=bssid
        46⤵
        Event Triggered Execution: Netsh Helper DLL
        
        PID:5612
        
        C:\Users\Admin\AppData\Local\Temp\RebelCracked.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RebelCracked.exe"
        43⤵
        Checks computer location settings
        
        PID:4044
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        44⤵
        Suspicious use of SetThreadContext
        
        PID:2608
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        45⤵
        Drops desktop.ini file(s)
        Checks processor information in registry
        Suspicious use of AdjustPrivilegeToken
        
        PID:6196
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All
        46⤵
        
        PID:4808
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        47⤵
        
        PID:6160
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh wlan show profile
        47⤵
        
        PID:3692
        
        C:\Windows\SysWOW64\findstr.exe
        
        findstr All
        47⤵
        
        PID:1920
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd.exe" /C chcp 65001 && netsh wlan show networks mode=bssid
        46⤵
        
        PID:5720
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        47⤵
        
        PID:1988
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh wlan show networks mode=bssid
        47⤵
        Event Triggered Execution: Netsh Helper DLL
        
        PID:5780
        
        C:\Users\Admin\AppData\Local\Temp\RebelCracked.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RebelCracked.exe"
        44⤵
        Checks computer location settings
        
        PID:6124
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        45⤵
        Suspicious use of SetThreadContext
        
        PID:4408
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        46⤵
        Drops desktop.ini file(s)
        Checks processor information in registry
        Suspicious use of AdjustPrivilegeToken
        
        PID:6944
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All
        47⤵
        
        PID:6724
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        48⤵
        
        PID:7880
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh wlan show profile
        48⤵
        Event Triggered Execution: Netsh Helper DLL
        
        PID:7488
        
        C:\Windows\SysWOW64\findstr.exe
        
        findstr All
        48⤵
        
        PID:7516
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd.exe" /C chcp 65001 && netsh wlan show networks mode=bssid
        47⤵
        
        PID:7520
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        48⤵
        
        PID:7492
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh wlan show networks mode=bssid
        48⤵
        
        PID:7404
        
        C:\Users\Admin\AppData\Local\Temp\RebelCracked.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RebelCracked.exe"
        45⤵
        Checks computer location settings
        
        PID:6832
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        46⤵
        Suspicious use of SetThreadContext
        
        PID:2104
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        47⤵
        Checks processor information in registry
        Suspicious use of AdjustPrivilegeToken
        
        PID:5820
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All
        48⤵
        
        PID:7064
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        49⤵
        
        PID:6724
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh wlan show profile
        49⤵
        Event Triggered Execution: Netsh Helper DLL
        
        PID:4360
        
        C:\Windows\SysWOW64\findstr.exe
        
        findstr All
        49⤵
        
        PID:6032
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd.exe" /C chcp 65001 && netsh wlan show networks mode=bssid
        48⤵
        
        PID:4948
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        49⤵
        
        PID:5828
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh wlan show networks mode=bssid
        49⤵
        Event Triggered Execution: Netsh Helper DLL
        
        PID:728
        
        C:\Users\Admin\AppData\Local\Temp\RebelCracked.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RebelCracked.exe"
        46⤵
        Checks computer location settings
        
        PID:6876
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        47⤵
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:4276
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        48⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:6012
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All
        49⤵
        
        PID:7244
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        50⤵
        
        PID:7844
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh wlan show profile
        50⤵
        
        PID:6392
        
        C:\Windows\SysWOW64\findstr.exe
        
        findstr All
        50⤵
        
        PID:6268
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd.exe" /C chcp 65001 && netsh wlan show networks mode=bssid
        49⤵
        
        PID:7660
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        50⤵
        
        PID:1424
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh wlan show networks mode=bssid
        50⤵
        
        PID:976
        
        C:\Users\Admin\AppData\Local\Temp\RebelCracked.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RebelCracked.exe"
        47⤵
        Checks computer location settings
        
        PID:6152
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        48⤵
        Suspicious use of SetThreadContext
        
        PID:6188
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        49⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:6212
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All
        50⤵
        
        PID:3248
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        51⤵
        
        PID:7892
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh wlan show profile
        51⤵
        
        PID:1352
        
        C:\Windows\SysWOW64\findstr.exe
        
        findstr All
        51⤵
        
        PID:1744
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd.exe" /C chcp 65001 && netsh wlan show networks mode=bssid
        50⤵
        
        PID:7156
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        51⤵
        
        PID:7704
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh wlan show networks mode=bssid
        51⤵
        
        PID:7480
        
        C:\Users\Admin\AppData\Local\Temp\RebelCracked.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RebelCracked.exe"
        48⤵
        Checks computer location settings
        
        PID:6964
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        49⤵
        Suspicious use of SetThreadContext
        
        PID:644
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        50⤵
        Drops desktop.ini file(s)
        Suspicious use of AdjustPrivilegeToken
        
        PID:5424
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All
        51⤵
        
        PID:6388
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        52⤵
        System Location Discovery: System Language Discovery
        
        PID:3292
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh wlan show profile
        52⤵
        
        PID:6916
        
        C:\Windows\SysWOW64\findstr.exe
        
        findstr All
        52⤵
        System Location Discovery: System Language Discovery
        
        PID:1292
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd.exe" /C chcp 65001 && netsh wlan show networks mode=bssid
        51⤵
        
        PID:7360
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        52⤵
        
        PID:6484
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh wlan show networks mode=bssid
        52⤵
        
        PID:3924
        
        C:\Users\Admin\AppData\Local\Temp\RebelCracked.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RebelCracked.exe"
        49⤵
        Checks computer location settings
        
        PID:3692
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        50⤵
        Suspicious use of SetThreadContext
        
        PID:4976
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        51⤵
        Drops desktop.ini file(s)
        Suspicious use of AdjustPrivilegeToken
        
        PID:6396
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All
        52⤵
        System Network Configuration Discovery: Wi-Fi Discovery
        
        PID:2992
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        53⤵
        System Location Discovery: System Language Discovery
        
        PID:1872
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh wlan show profile
        53⤵
        
        PID:7256
        
        C:\Windows\SysWOW64\findstr.exe
        
        findstr All
        53⤵
        
        PID:5924
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd.exe" /C chcp 65001 && netsh wlan show networks mode=bssid
        52⤵
        
        PID:952
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        53⤵
        
        PID:1036
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh wlan show networks mode=bssid
        53⤵
        
        PID:5512
        
        C:\Users\Admin\AppData\Local\Temp\RebelCracked.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RebelCracked.exe"
        50⤵
        Checks computer location settings
        
        PID:6672
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        51⤵
        Suspicious use of SetThreadContext
        
        PID:2992
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        52⤵
        Drops desktop.ini file(s)
        Suspicious use of AdjustPrivilegeToken
        
        PID:5884
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All
        53⤵
        
        PID:7812
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        54⤵
        
        PID:6268
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        54⤵
        
        PID:5668
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh wlan show profile
        54⤵
        
        PID:7848
        
        C:\Windows\SysWOW64\findstr.exe
        
        findstr All
        54⤵
        
        PID:7468
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd.exe" /C chcp 65001 && netsh wlan show networks mode=bssid
        53⤵
        
        PID:7436
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        54⤵
        
        PID:5712
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh wlan show networks mode=bssid
        54⤵
        
        PID:7660
        
        C:\Users\Admin\AppData\Local\Temp\RebelCracked.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RebelCracked.exe"
        51⤵
        Checks computer location settings
        
        PID:1604
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        52⤵
        Suspicious use of SetThreadContext
        
        PID:868
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        53⤵
        
        PID:7012
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        53⤵
        Checks processor information in registry
        Suspicious use of AdjustPrivilegeToken
        
        PID:2628
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All
        54⤵
        System Network Configuration Discovery: Wi-Fi Discovery
        
        PID:5236
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        55⤵
        System Location Discovery: System Language Discovery
        
        PID:7476
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh wlan show profile
        55⤵
        Event Triggered Execution: Netsh Helper DLL
        System Location Discovery: System Language Discovery
        
        PID:7812
        
        C:\Windows\SysWOW64\findstr.exe
        
        findstr All
        55⤵
        
        PID:7368
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd.exe" /C chcp 65001 && netsh wlan show networks mode=bssid
        54⤵
        
        PID:6472
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        55⤵
        System Location Discovery: System Language Discovery
        
        PID:7276
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh wlan show networks mode=bssid
        55⤵
        Event Triggered Execution: Netsh Helper DLL
        
        PID:7300
        
        C:\Users\Admin\AppData\Local\Temp\RebelCracked.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RebelCracked.exe"
        52⤵
        Checks computer location settings
        
        PID:6684
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        53⤵
        Suspicious use of SetThreadContext
        
        PID:6516
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        54⤵
        Drops desktop.ini file(s)
        Suspicious use of AdjustPrivilegeToken
        
        PID:1536
        
        C:\Users\Admin\AppData\Local\Temp\RebelCracked.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RebelCracked.exe"
        53⤵
        Checks computer location settings
        
        PID:6708
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        54⤵
        Suspicious use of SetThreadContext
        
        PID:2664
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        55⤵
        Drops desktop.ini file(s)
        Suspicious use of AdjustPrivilegeToken
        
        PID:4932
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All
        56⤵
        
        PID:4344
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        57⤵
        
        PID:8060
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh wlan show profile
        57⤵
        Event Triggered Execution: Netsh Helper DLL
        
        PID:7852
        
        C:\Windows\SysWOW64\findstr.exe
        
        findstr All
        57⤵
        
        PID:7692
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd.exe" /C chcp 65001 && netsh wlan show networks mode=bssid
        56⤵
        
        PID:7932
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        57⤵
        
        PID:7748
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh wlan show networks mode=bssid
        57⤵
        Event Triggered Execution: Netsh Helper DLL
        
        PID:4576
        
        C:\Users\Admin\AppData\Local\Temp\RebelCracked.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RebelCracked.exe"
        54⤵
        Checks computer location settings
        
        PID:768
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        55⤵
        Suspicious use of SetThreadContext
        
        PID:1788
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        56⤵
        
        PID:7048
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        56⤵
        Drops desktop.ini file(s)
        Suspicious use of AdjustPrivilegeToken
        
        PID:7056
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All
        57⤵
        
        PID:5040
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        58⤵
        
        PID:3900
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh wlan show profile
        58⤵
        
        PID:5732
        
        C:\Windows\SysWOW64\findstr.exe
        
        findstr All
        58⤵
        
        PID:5508
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd.exe" /C chcp 65001 && netsh wlan show networks mode=bssid
        57⤵
        
        PID:6148
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        58⤵
        
        PID:6380
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh wlan show networks mode=bssid
        58⤵
        
        PID:2408
        
        C:\Users\Admin\AppData\Local\Temp\RebelCracked.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RebelCracked.exe"
        55⤵
        Checks computer location settings
        
        PID:4428
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        56⤵
        Suspicious use of SetThreadContext
        
        PID:1980
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        57⤵
        Drops desktop.ini file(s)
        Suspicious use of AdjustPrivilegeToken
        
        PID:5720
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All
        58⤵
        System Network Configuration Discovery: Wi-Fi Discovery
        
        PID:7932
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        59⤵
        
        PID:8036
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh wlan show profile
        59⤵
        
        PID:6472
        
        C:\Windows\SysWOW64\findstr.exe
        
        findstr All
        59⤵
        
        PID:4964
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd.exe" /C chcp 65001 && netsh wlan show networks mode=bssid
        58⤵
        
        PID:8128
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        59⤵
        
        PID:7500
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh wlan show networks mode=bssid
        59⤵
        
        PID:5664
        
        C:\Users\Admin\AppData\Local\Temp\RebelCracked.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RebelCracked.exe"
        56⤵
        Checks computer location settings
        
        PID:6516
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        57⤵
        Suspicious use of SetThreadContext
        
        PID:1512
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        58⤵
        
        PID:1788
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        58⤵
        Drops desktop.ini file(s)
        Checks processor information in registry
        Suspicious use of AdjustPrivilegeToken
        
        PID:3524
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All
        59⤵
        
        PID:5316
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        60⤵
        
        PID:4676
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        60⤵
        
        PID:8172
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh wlan show profile
        60⤵
        
        PID:2472
        
        C:\Windows\SysWOW64\findstr.exe
        
        findstr All
        60⤵
        
        PID:8096
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd.exe" /C chcp 65001 && netsh wlan show networks mode=bssid
        59⤵
        
        PID:7172
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        60⤵
        
        PID:7684
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh wlan show networks mode=bssid
        60⤵
        Event Triggered Execution: Netsh Helper DLL
        
        PID:5692
        
        C:\Users\Admin\AppData\Local\Temp\RebelCracked.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RebelCracked.exe"
        57⤵
        Checks computer location settings
        
        PID:4676
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        58⤵
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:400
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        59⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:688
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All
        60⤵
        
        PID:7512
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        61⤵
        
        PID:7880
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh wlan show profile
        61⤵
        System Network Configuration Discovery: Wi-Fi Discovery
        
        PID:7368
        
        C:\Windows\SysWOW64\findstr.exe
        
        findstr All
        61⤵
        
        PID:768
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd.exe" /C chcp 65001 && netsh wlan show networks mode=bssid
        60⤵
        
        PID:5984
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        61⤵
        
        PID:4408
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        61⤵
        
        PID:6624
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh wlan show networks mode=bssid
        61⤵
        
        PID:2184
        
        C:\Users\Admin\AppData\Local\Temp\RebelCracked.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RebelCracked.exe"
        58⤵
        Checks computer location settings
        
        PID:4360
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        59⤵
        Suspicious use of SetThreadContext
        
        PID:7484
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        60⤵
        Drops desktop.ini file(s)
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:7596
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All
        61⤵
        
        PID:7876
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        62⤵
        
        PID:7200
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh wlan show profile
        62⤵
        System Network Configuration Discovery: Wi-Fi Discovery
        
        PID:6920
        
        C:\Windows\SysWOW64\findstr.exe
        
        findstr All
        62⤵
        
        PID:5376
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd.exe" /C chcp 65001 && netsh wlan show networks mode=bssid
        61⤵
        
        PID:2532
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        62⤵
        
        PID:7932
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh wlan show networks mode=bssid
        62⤵
        
        PID:7476
        
        C:\Users\Admin\AppData\Local\Temp\RebelCracked.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RebelCracked.exe"
        59⤵
        Checks computer location settings
        
        PID:7548
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        60⤵
        Suspicious use of SetThreadContext
        
        PID:7396
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        61⤵
        Drops desktop.ini file(s)
        Suspicious use of AdjustPrivilegeToken
        
        PID:7568
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All
        62⤵
        
        PID:3120
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        63⤵
        
        PID:4428
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh wlan show profile
        63⤵
        
        PID:7440
        
        C:\Windows\SysWOW64\findstr.exe
        
        findstr All
        63⤵
        
        PID:1352
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd.exe" /C chcp 65001 && netsh wlan show networks mode=bssid
        62⤵
        
        PID:4044
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        63⤵
        
        PID:5836
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh wlan show networks mode=bssid
        63⤵
        
        PID:8128
        
        C:\Users\Admin\AppData\Local\Temp\RebelCracked.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RebelCracked.exe"
        60⤵
        Checks computer location settings
        
        PID:7564
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        61⤵
        Suspicious use of SetThreadContext
        
        PID:7304
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        62⤵
        Drops desktop.ini file(s)
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:7580
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All
        63⤵
        
        PID:5936
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        64⤵
        
        PID:5472
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh wlan show profile
        64⤵
        
        PID:4656
        
        C:\Windows\SysWOW64\findstr.exe
        
        findstr All
        64⤵
        
        PID:7304
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd.exe" /C chcp 65001 && netsh wlan show networks mode=bssid
        63⤵
        
        PID:7312
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        64⤵
        
        PID:5236
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh wlan show networks mode=bssid
        64⤵
        Event Triggered Execution: Netsh Helper DLL
        
        PID:5612
        
        C:\Users\Admin\AppData\Local\Temp\RebelCracked.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RebelCracked.exe"
        61⤵
        Checks computer location settings
        
        PID:7532
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        62⤵
        Suspicious use of SetThreadContext
        
        PID:7576
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        63⤵
        
        PID:7264
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        63⤵
        Drops desktop.ini file(s)
        Suspicious use of AdjustPrivilegeToken
        
        PID:7772
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All
        64⤵
        System Network Configuration Discovery: Wi-Fi Discovery
        
        PID:8036
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        65⤵
        
        PID:5212
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh wlan show profile
        65⤵
        
        PID:5876
        
        C:\Windows\SysWOW64\findstr.exe
        
        findstr All
        65⤵
        
        PID:2472
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd.exe" /C chcp 65001 && netsh wlan show networks mode=bssid
        64⤵
        
        PID:7300
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        65⤵
        
        PID:5316
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        65⤵
        
        PID:5952
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh wlan show networks mode=bssid
        65⤵
        
        PID:400
        
        C:\Users\Admin\AppData\Local\Temp\RebelCracked.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RebelCracked.exe"
        62⤵
        Checks computer location settings
        
        PID:7912
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        63⤵
        Suspicious use of SetThreadContext
        
        PID:7908
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        64⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:7484
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All
        65⤵
        
        PID:4796
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        66⤵
        
        PID:1064
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        66⤵
        
        PID:6116
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh wlan show profile
        66⤵
        System Network Configuration Discovery: Wi-Fi Discovery
        
        PID:5376
        
        C:\Windows\SysWOW64\findstr.exe
        
        findstr All
        66⤵
        
        PID:5288
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd.exe" /C chcp 65001 && netsh wlan show networks mode=bssid
        65⤵
        
        PID:6724
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        66⤵
        
        PID:3248
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh wlan show networks mode=bssid
        66⤵
        
        PID:3004
        
        C:\Users\Admin\AppData\Local\Temp\RebelCracked.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RebelCracked.exe"
        63⤵
        
        PID:4816
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        64⤵
        Suspicious use of SetThreadContext
        
        PID:8008
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        65⤵
        Drops desktop.ini file(s)
        Suspicious use of AdjustPrivilegeToken
        
        PID:8144
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All
        66⤵
        
        PID:7268
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        67⤵
        
        PID:5828
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        67⤵
        
        PID:6512
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh wlan show profile
        67⤵
        
        PID:5712
        
        C:\Windows\SysWOW64\findstr.exe
        
        findstr All
        67⤵
        
        PID:6168
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd.exe" /C chcp 65001 && netsh wlan show networks mode=bssid
        66⤵
        
        PID:5044
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        67⤵
        
        PID:7748
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        67⤵
        
        PID:2440
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh wlan show networks mode=bssid
        67⤵
        
        PID:3980
        
        C:\Users\Admin\AppData\Local\Temp\RebelCracked.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RebelCracked.exe"
        64⤵
        Checks computer location settings
        
        PID:8068
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        65⤵
        Suspicious use of SetThreadContext
        
        PID:7716
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        66⤵
        Drops desktop.ini file(s)
        Suspicious use of AdjustPrivilegeToken
        
        PID:7956
        
        C:\Users\Admin\AppData\Local\Temp\RebelCracked.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RebelCracked.exe"
        65⤵
        Checks computer location settings
        
        PID:952
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        66⤵
        
        PID:2912
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        67⤵
        
        PID:5484
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All
        68⤵
        
        PID:6612
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        69⤵
        
        PID:5040
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh wlan show profile
        69⤵
        
        PID:6380
        
        C:\Windows\SysWOW64\findstr.exe
        
        findstr All
        69⤵
        
        PID:4572
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd.exe" /C chcp 65001 && netsh wlan show networks mode=bssid
        68⤵
        
        PID:6012
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        69⤵
        
        PID:6816
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        69⤵
        
        PID:1624
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh wlan show networks mode=bssid
        69⤵
        
        PID:6468
        
        C:\Users\Admin\AppData\Local\Temp\RebelCracked.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RebelCracked.exe"
        66⤵
        Checks computer location settings
        
        PID:7524
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        67⤵
        
        PID:6944
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        68⤵
        
        PID:6540
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        68⤵
        System Location Discovery: System Language Discovery
        
        PID:7340
        
        C:\Users\Admin\AppData\Local\Temp\RebelCracked.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RebelCracked.exe"
        67⤵
        Checks computer location settings
        
        PID:4360
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        68⤵
        
        PID:6792
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        69⤵
        System Location Discovery: System Language Discovery
        
        PID:3064
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All
        70⤵
        
        PID:4900
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        71⤵
        
        PID:6892
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh wlan show profile
        71⤵
        
        PID:4632
        
        C:\Windows\SysWOW64\findstr.exe
        
        findstr All
        71⤵
        
        PID:7700
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd.exe" /C chcp 65001 && netsh wlan show networks mode=bssid
        70⤵
        
        PID:1424
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        71⤵
        
        PID:6612
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh wlan show networks mode=bssid
        71⤵
        
        PID:1660
        
        C:\Users\Admin\AppData\Local\Temp\RebelCracked.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RebelCracked.exe"
        68⤵
        Checks computer location settings
        
        PID:2276
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        69⤵
        
        PID:7040
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        70⤵
        
        PID:7972
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        70⤵
        
        PID:8012
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All
        71⤵
        System Network Configuration Discovery: Wi-Fi Discovery
        
        PID:7308
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        72⤵
        
        PID:6392
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh wlan show profile
        72⤵
        System Network Configuration Discovery: Wi-Fi Discovery
        
        PID:6772
        
        C:\Windows\SysWOW64\findstr.exe
        
        findstr All
        72⤵
        
        PID:7208
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd.exe" /C chcp 65001 && netsh wlan show networks mode=bssid
        71⤵
        
        PID:8080
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        72⤵
        
        PID:6568
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh wlan show networks mode=bssid
        72⤵
        
        PID:5664
        
        C:\Users\Admin\AppData\Local\Temp\RebelCracked.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RebelCracked.exe"
        69⤵
        
        PID:2508
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        70⤵
        
        PID:7496
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        71⤵
        
        PID:6804
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All
        72⤵
        System Network Configuration Discovery: Wi-Fi Discovery
        
        PID:6904
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        73⤵
        
        PID:5952
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh wlan show profile
        73⤵
        
        PID:6968
        
        C:\Windows\SysWOW64\findstr.exe
        
        findstr All
        73⤵
        
        PID:732
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd.exe" /C chcp 65001 && netsh wlan show networks mode=bssid
        72⤵
        
        PID:536
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        73⤵
        
        PID:1428
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh wlan show networks mode=bssid
        73⤵
        
        PID:2980
        
        C:\Users\Admin\AppData\Local\Temp\RebelCracked.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RebelCracked.exe"
        70⤵
        
        PID:5692
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        71⤵
        
        PID:6844
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        72⤵
        
        PID:7128
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All
        73⤵
        System Network Configuration Discovery: Wi-Fi Discovery
        
        PID:6628
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        74⤵
        
        PID:6844
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh wlan show profile
        74⤵
        System Network Configuration Discovery: Wi-Fi Discovery
        
        PID:6944
        
        C:\Windows\SysWOW64\findstr.exe
        
        findstr All
        74⤵
        
        PID:7520
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd.exe" /C chcp 65001 && netsh wlan show networks mode=bssid
        73⤵
        
        PID:1624
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        74⤵
        
        PID:7336
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh wlan show networks mode=bssid
        74⤵
        
        PID:4508
        
        C:\Users\Admin\AppData\Local\Temp\RebelCracked.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RebelCracked.exe"
        71⤵
        
        PID:6688
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        72⤵
        
        PID:5972
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        73⤵
        
        PID:1292
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All
        74⤵
        System Network Configuration Discovery: Wi-Fi Discovery
        
        PID:7308
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        75⤵
        
        PID:6908
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh wlan show profile
        75⤵
        System Network Configuration Discovery: Wi-Fi Discovery
        
        PID:632
        
        C:\Windows\SysWOW64\findstr.exe
        
        findstr All
        75⤵
        
        PID:7208
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd.exe" /C chcp 65001 && netsh wlan show networks mode=bssid
        74⤵
        
        PID:4044
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        75⤵
        
        PID:6060
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh wlan show networks mode=bssid
        75⤵
        
        PID:5216
        
        C:\Users\Admin\AppData\Local\Temp\RebelCracked.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RebelCracked.exe"
        72⤵
        
        PID:7924
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        73⤵
        
        PID:7204
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        74⤵
        
        PID:4488
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All
        75⤵
        
        PID:6972
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        76⤵
        
        PID:4816
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh wlan show profile
        76⤵
        
        PID:3692
        
        C:\Windows\SysWOW64\findstr.exe
        
        findstr All
        76⤵
        
        PID:2696
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd.exe" /C chcp 65001 && netsh wlan show networks mode=bssid
        75⤵
        
        PID:7608
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        76⤵
        
        PID:2556
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh wlan show networks mode=bssid
        76⤵
        
        PID:6344
        
        C:\Users\Admin\AppData\Local\Temp\RebelCracked.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RebelCracked.exe"
        73⤵
        
        PID:6880
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        74⤵
        
        PID:7888
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        75⤵
        
        PID:4140
        
        C:\Users\Admin\AppData\Local\Temp\RebelCracked.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RebelCracked.exe"
        74⤵
        
        PID:3124
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        75⤵
        
        PID:4084
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        76⤵
        
        PID:8152
        
        C:\Users\Admin\AppData\Local\Temp\RebelCracked.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RebelCracked.exe"
        75⤵
        
        PID:4864
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        76⤵
        
        PID:7436
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        77⤵
        
        PID:7252
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        77⤵
        
        PID:8092
        
        C:\Users\Admin\AppData\Local\Temp\RebelCracked.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RebelCracked.exe"
        76⤵
        
        PID:1660
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        77⤵
        
        PID:4136
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        78⤵
        
        PID:8156
        
        C:\Users\Admin\AppData\Local\Temp\RebelCracked.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RebelCracked.exe"
        77⤵
        
        PID:7976
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        78⤵
        
        PID:5472
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        79⤵
        
        PID:7800
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All
        80⤵
        
        PID:7072
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        81⤵
        
        PID:4392
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh wlan show profile
        81⤵
        System Network Configuration Discovery: Wi-Fi Discovery
        
        PID:6612
        
        C:\Windows\SysWOW64\findstr.exe
        
        findstr All
        81⤵
        
        PID:7640
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd.exe" /C chcp 65001 && netsh wlan show networks mode=bssid
        80⤵
        
        PID:3292
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        81⤵
        
        PID:6736
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh wlan show networks mode=bssid
        81⤵
        
        PID:6340
        
        C:\Users\Admin\AppData\Local\Temp\RebelCracked.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RebelCracked.exe"
        78⤵
        
        PID:2444
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        79⤵
        
        PID:6060
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        80⤵
        
        PID:7928
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        80⤵
        
        PID:3332
        
        C:\Users\Admin\AppData\Local\Temp\RebelCracked.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RebelCracked.exe"
        79⤵
        
        PID:7544
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        80⤵
        
        PID:7816
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        81⤵
        
        PID:7496
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All
        82⤵
        
        PID:7744
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        83⤵
        
        PID:6792
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        83⤵
        
        PID:7656
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh wlan show profile
        83⤵
        
        PID:1160
        
        C:\Windows\SysWOW64\findstr.exe
        
        findstr All
        83⤵
        
        PID:1428
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd.exe" /C chcp 65001 && netsh wlan show networks mode=bssid
        82⤵
        
        PID:5560
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        83⤵
        
        PID:5720
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        83⤵
        
        PID:7292
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh wlan show networks mode=bssid
        83⤵
        
        PID:3444
        
        C:\Users\Admin\AppData\Local\Temp\RebelCracked.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RebelCracked.exe"
        80⤵
        
        PID:7208
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        81⤵
        
        PID:6060
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        82⤵
        
        PID:2412
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        82⤵
        
        PID:1872
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        82⤵
        
        PID:6524
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All
        83⤵
        System Network Configuration Discovery: Wi-Fi Discovery
        
        PID:7800
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        84⤵
        
        PID:2944
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh wlan show profile
        84⤵
        
        PID:6516
        
        C:\Windows\SysWOW64\findstr.exe
        
        findstr All
        84⤵
        
        PID:3384
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd.exe" /C chcp 65001 && netsh wlan show networks mode=bssid
        83⤵
        
        PID:5804
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        84⤵
        
        PID:7192
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh wlan show networks mode=bssid
        84⤵
        
        PID:6140
        
        C:\Users\Admin\AppData\Local\Temp\RebelCracked.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RebelCracked.exe"
        81⤵
        
        PID:7552
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        82⤵
        
        PID:3240
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        83⤵
        
        PID:7388
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        83⤵
        
        PID:4972
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All
        84⤵
        
        PID:7672
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        85⤵
        
        PID:1832
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh wlan show profile
        85⤵
        
        PID:2944
        
        C:\Windows\SysWOW64\findstr.exe
        
        findstr All
        85⤵
        
        PID:4764
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd.exe" /C chcp 65001 && netsh wlan show networks mode=bssid
        84⤵
        
        PID:1892
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        85⤵
        
        PID:4092
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh wlan show networks mode=bssid
        85⤵
        
        PID:524
        
        C:\Users\Admin\AppData\Local\Temp\RebelCracked.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RebelCracked.exe"
        82⤵
        
        PID:2396
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        83⤵
        
        PID:4900
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        84⤵
        
        PID:8000
        
        C:\Users\Admin\AppData\Local\Temp\RebelCracked.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RebelCracked.exe"
        83⤵
        
        PID:6488
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        84⤵
        
        PID:2208
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        85⤵
        
        PID:1744
        
        C:\Users\Admin\AppData\Local\Temp\RebelCracked.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RebelCracked.exe"
        84⤵
        
        PID:5792
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        85⤵
        
        PID:1892
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        86⤵
        
        PID:408
        
        C:\Users\Admin\AppData\Local\Temp\RebelCracked.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RebelCracked.exe"
        85⤵
        
        PID:7276
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        86⤵
        
        PID:5172
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        87⤵
        
        PID:7212
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All
        88⤵
        
        PID:5948
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        89⤵
        
        PID:2292
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh wlan show profile
        89⤵
        
        PID:6512
        
        C:\Windows\SysWOW64\findstr.exe
        
        findstr All
        89⤵
        
        PID:3056
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd.exe" /C chcp 65001 && netsh wlan show networks mode=bssid
        88⤵
        
        PID:6344
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        89⤵
        
        PID:1164
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh wlan show networks mode=bssid
        89⤵
        
        PID:7964
        
        C:\Users\Admin\AppData\Local\Temp\RebelCracked.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RebelCracked.exe"
        86⤵
        
        PID:6264
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        87⤵
        
        PID:5024
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        88⤵
        
        PID:512
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        88⤵
        
        PID:7836
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All
        89⤵
        
        PID:6460
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        90⤵
        
        PID:3280
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh wlan show profile
        90⤵
        System Network Configuration Discovery: Wi-Fi Discovery
        
        PID:7896
        
        C:\Windows\SysWOW64\findstr.exe
        
        findstr All
        90⤵
        
        PID:7748
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd.exe" /C chcp 65001 && netsh wlan show networks mode=bssid
        89⤵
        
        PID:1160
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        90⤵
        
        PID:6652
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        90⤵
        
        PID:7496
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh wlan show networks mode=bssid
        90⤵
        
        PID:3292
        
        C:\Users\Admin\AppData\Local\Temp\RebelCracked.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RebelCracked.exe"
        87⤵
        
        PID:7244
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        88⤵
        
        PID:3524
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        89⤵
        
        PID:4480
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        89⤵
        
        PID:7880
        
        C:\Users\Admin\AppData\Local\Temp\RebelCracked.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RebelCracked.exe"
        88⤵
        
        PID:3004
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        89⤵
        
        PID:4764
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        90⤵
        
        PID:5644
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All
        91⤵
        
        PID:8120
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        92⤵
        
        PID:1940
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh wlan show profile
        92⤵
        
        PID:7308
        
        C:\Windows\SysWOW64\findstr.exe
        
        findstr All
        92⤵
        
        PID:1992
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd.exe" /C chcp 65001 && netsh wlan show networks mode=bssid
        91⤵
        
        PID:2752
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        92⤵
        
        PID:8172
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        92⤵
        
        PID:7376
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh wlan show networks mode=bssid
        92⤵
        
        PID:4864
        
        C:\Users\Admin\AppData\Local\Temp\RebelCracked.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RebelCracked.exe"
        89⤵
        
        PID:524
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        90⤵
        
        PID:7308
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        91⤵
        
        PID:8008
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        91⤵
        
        PID:1444
        
        C:\Users\Admin\AppData\Local\Temp\RebelCracked.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RebelCracked.exe"
        90⤵
        
        PID:7448
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        91⤵
        
        PID:6676
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        92⤵
        
        PID:4392
        
        C:\Users\Admin\AppData\Local\Temp\RebelCracked.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RebelCracked.exe"
        91⤵
        
        PID:2992
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        92⤵
        
        PID:6560
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        93⤵
        
        PID:5224
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        93⤵
        
        PID:6156
        
        C:\Users\Admin\AppData\Local\Temp\RebelCracked.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RebelCracked.exe"
        92⤵
        
        PID:7932
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        93⤵
        
        PID:7500
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        94⤵
        
        PID:3180
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All
        95⤵
        
        PID:7208
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        96⤵
        
        PID:8112
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh wlan show profile
        96⤵
        
        PID:6692
        
        C:\Windows\SysWOW64\findstr.exe
        
        findstr All
        96⤵
        
        PID:5952
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd.exe" /C chcp 65001 && netsh wlan show networks mode=bssid
        95⤵
        
        PID:648
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        96⤵
        
        PID:5392
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh wlan show networks mode=bssid
        96⤵
        
        PID:2348
        
        C:\Users\Admin\AppData\Local\Temp\RebelCracked.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RebelCracked.exe"
        93⤵
        
        PID:6400
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        94⤵
        
        PID:5604
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        95⤵
        
        PID:840
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All
        96⤵
        
        PID:1144
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        97⤵
        
        PID:5816
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh wlan show profile
        97⤵
        
        PID:6528
        
        C:\Windows\SysWOW64\findstr.exe
        
        findstr All
        97⤵
        
        PID:1980
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd.exe" /C chcp 65001 && netsh wlan show networks mode=bssid
        96⤵
        
        PID:4968
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        97⤵
        
        PID:4532
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh wlan show networks mode=bssid
        97⤵
        
        PID:5112
        
        C:\Users\Admin\AppData\Local\Temp\RebelCracked.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RebelCracked.exe"
        94⤵
        
        PID:7464
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        95⤵
        
        PID:5608
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        96⤵
        
        PID:6404
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        96⤵
        
        PID:7656
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All
        97⤵
        
        PID:7128
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        98⤵
        
        PID:4632
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh wlan show profile
        98⤵
        
        PID:7392
        
        C:\Windows\SysWOW64\findstr.exe
        
        findstr All
        98⤵
        
        PID:1036
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd.exe" /C chcp 65001 && netsh wlan show networks mode=bssid
        97⤵
        
        PID:5796
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        98⤵
        
        PID:5488
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh wlan show networks mode=bssid
        98⤵
        
        PID:4812
        
        C:\Users\Admin\AppData\Local\Temp\RebelCracked.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RebelCracked.exe"
        95⤵
        
        PID:2908
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        96⤵
        
        PID:2440
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        97⤵
        
        PID:5884
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        97⤵
        
        PID:6128
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All
        98⤵
        
        PID:5872
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        99⤵
        
        PID:7708
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh wlan show profile
        99⤵
        System Network Configuration Discovery: Wi-Fi Discovery
        
        PID:556
        
        C:\Windows\SysWOW64\findstr.exe
        
        findstr All
        99⤵
        
        PID:7356
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd.exe" /C chcp 65001 && netsh wlan show networks mode=bssid
        98⤵
        
        PID:6116
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        99⤵
        
        PID:864
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh wlan show networks mode=bssid
        99⤵
        
        PID:7404
        
        C:\Users\Admin\AppData\Local\Temp\RebelCracked.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RebelCracked.exe"
        96⤵
        
        PID:6428
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        97⤵
        
        PID:3908
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        98⤵
        
        PID:2436
        
        C:\Users\Admin\AppData\Local\Temp\RebelCracked.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RebelCracked.exe"
        97⤵
        
        PID:7208
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        98⤵
        
        PID:5668
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        99⤵
        
        PID:7176
        
        C:\Users\Admin\AppData\Local\Temp\RebelCracked.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RebelCracked.exe"
        98⤵
        
        PID:1376
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        99⤵
        
        PID:4020
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        100⤵
        
        PID:7644
        
        C:\Users\Admin\AppData\Local\Temp\RebelCracked.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RebelCracked.exe"
        99⤵
        
        PID:396
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        100⤵
        
        PID:1812
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        101⤵
        
        PID:7784
        
        C:\Users\Admin\AppData\Local\Temp\RebelCracked.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RebelCracked.exe"
        100⤵
        
        PID:5112
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        101⤵
        
        PID:3808
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        102⤵
        
        PID:2320
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        102⤵
        
        PID:7232
        
        C:\Users\Admin\AppData\Local\Temp\RebelCracked.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RebelCracked.exe"
        101⤵
        
        PID:1716
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        102⤵
        
        PID:6320
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        103⤵
        
        PID:3504
        
        C:\Users\Admin\AppData\Local\Temp\RebelCracked.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RebelCracked.exe"
        102⤵
        
        PID:5324
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        103⤵
        
        PID:1152
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        104⤵
        
        PID:7552
        
        C:\Users\Admin\AppData\Local\Temp\RebelCracked.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RebelCracked.exe"
        103⤵
        
        PID:7896
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        104⤵
        
        PID:6364
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        105⤵
        
        PID:7496
        
        C:\Users\Admin\AppData\Local\Temp\RebelCracked.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RebelCracked.exe"
        104⤵
        
        PID:8072
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        105⤵
        
        PID:7244
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        106⤵
        
        PID:5288
        
        C:\Users\Admin\AppData\Local\Temp\RebelCracked.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RebelCracked.exe"
        105⤵
        
        PID:1624
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        106⤵
        
        PID:6780
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        107⤵
        
        PID:7792
        
        C:\Users\Admin\AppData\Local\Temp\RebelCracked.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RebelCracked.exe"
        106⤵
        
        PID:6620
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        107⤵
        
        PID:7896
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        108⤵
        
        PID:3324
        
        C:\Users\Admin\AppData\Local\Temp\RebelCracked.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RebelCracked.exe"
        107⤵
        
        PID:7392
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        108⤵
        
        PID:5972
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        109⤵
        
        PID:732
        
        C:\Users\Admin\AppData\Local\Temp\RebelCracked.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RebelCracked.exe"
        108⤵
        
        PID:2408
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        109⤵
        
        PID:6520
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        110⤵
        
        PID:4832
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All
        111⤵
        
        PID:2432
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        112⤵
        
        PID:3136
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh wlan show profile
        112⤵
        
        PID:508
        
        C:\Windows\SysWOW64\findstr.exe
        
        findstr All
        112⤵
        
        PID:7716
        
        C:\Users\Admin\AppData\Local\Temp\RebelCracked.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RebelCracked.exe"
        109⤵
        
        PID:8144
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        110⤵
        
        PID:7660
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        111⤵
        
        PID:5724
        
        C:\Users\Admin\AppData\Local\Temp\RebelCracked.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RebelCracked.exe"
        110⤵
        
        PID:1428
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        111⤵
        
        PID:7060
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        112⤵
        
        PID:7352
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        112⤵
        
        PID:2908
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All
        113⤵
        
        PID:3444
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        114⤵
        
        PID:6264
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh wlan show profile
        114⤵
        
        PID:2432
        
        C:\Windows\SysWOW64\findstr.exe
        
        findstr All
        114⤵
        
        PID:7732
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd.exe" /C chcp 65001 && netsh wlan show networks mode=bssid
        113⤵
        
        PID:8148
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        114⤵
        
        PID:4964
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        114⤵
        
        PID:7700
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh wlan show networks mode=bssid
        114⤵
        
        PID:3808
        
        C:\Users\Admin\AppData\Local\Temp\RebelCracked.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RebelCracked.exe"
        111⤵
        
        PID:1932
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        112⤵
        
        PID:8120
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        113⤵
        
        PID:7944
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        113⤵
        
        PID:5536
        
        C:\Users\Admin\AppData\Local\Temp\RebelCracked.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RebelCracked.exe"
        112⤵
        
        PID:6492
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        113⤵
        
        PID:5948
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        114⤵
        
        PID:8124
        
        C:\Users\Admin\AppData\Local\Temp\RebelCracked.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RebelCracked.exe"
        113⤵
        
        PID:7056
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        114⤵
        
        PID:8148
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        115⤵
        
        PID:2284
        
        C:\Users\Admin\AppData\Local\Temp\RebelCracked.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RebelCracked.exe"
        114⤵
        
        PID:4948
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        115⤵
        
        PID:5112
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        116⤵
        
        PID:2024
        
        C:\Users\Admin\AppData\Local\Temp\RebelCracked.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RebelCracked.exe"
        115⤵
        
        PID:1612
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        116⤵
        
        PID:2440
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        117⤵
        
        PID:7992
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        117⤵
        
        PID:7624
        
        C:\Users\Admin\AppData\Local\Temp\RebelCracked.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RebelCracked.exe"
        116⤵
        
        PID:1036
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        117⤵
        
        PID:7964
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        118⤵
        
        PID:1144
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        118⤵
        
        PID:6600
        
        C:\Users\Admin\AppData\Local\Temp\RebelCracked.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RebelCracked.exe"
        117⤵
        
        PID:644
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        118⤵
        
        PID:7464
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        119⤵
        
        PID:5860
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        119⤵
        
        PID:1672
        
        C:\Users\Admin\AppData\Local\Temp\RebelCracked.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RebelCracked.exe"
        118⤵
        
        PID:3224
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        119⤵
        
        PID:1124
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        120⤵
        
        PID:6528
        
        C:\Users\Admin\AppData\Local\Temp\RebelCracked.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RebelCracked.exe"
        119⤵
        
        PID:5044
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        120⤵
        
        PID:3192
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        121⤵
        
        PID:6452
        
        C:\Users\Admin\AppData\Local\Temp\RebelCracked.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RebelCracked.exe"
        120⤵
        
        PID:6344
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        121⤵
        
        PID:7268
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        122⤵
        
        PID:7200
        
        C:\Users\Admin\AppData\Local\Temp\RebelCracked.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RebelCracked.exe"
        121⤵
        
        PID:3628
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        122⤵
        
        PID:4192
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        123⤵
        
        PID:636
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        123⤵
        
        PID:4360
        
        C:\Users\Admin\AppData\Local\Temp\RebelCracked.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RebelCracked.exe"
        122⤵
        
        PID:5048

C:\Windows\System32\sihclient.exe
C:\Windows\System32\sihclient.exe /cv sNDePGtL2U+RIZ7OiV9bgg.0.2
1⤵
PID:2408

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --profile-directory=Default
1⤵
- Enumerates system info in registry
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:5036
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x11c,0x120,0x124,0xf8,0x128,0x7ffdfc2a46f8,0x7ffdfc2a4708,0x7ffdfc2a4718
  2⤵
  PID:1628
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1808,10251468808407107794,7486616166497679255,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2264 /prefetch:2
  2⤵
  PID:5184
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1808,10251468808407107794,7486616166497679255,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2320 /prefetch:3
  2⤵
  PID:5192
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1808,10251468808407107794,7486616166497679255,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2528 /prefetch:8
  2⤵
  PID:5200
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1808,10251468808407107794,7486616166497679255,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3268 /prefetch:1
  2⤵
  PID:5324
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1808,10251468808407107794,7486616166497679255,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3280 /prefetch:1
  2⤵
  PID:5332
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1808,10251468808407107794,7486616166497679255,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4588 /prefetch:1
  2⤵
  PID:5320
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1808,10251468808407107794,7486616166497679255,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5012 /prefetch:1
  2⤵
  PID:5772
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1808,10251468808407107794,7486616166497679255,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3376 /prefetch:1
  2⤵
  PID:5940
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1808,10251468808407107794,7486616166497679255,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3312 /prefetch:1
  2⤵
  PID:3260
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1808,10251468808407107794,7486616166497679255,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3488 /prefetch:1
  2⤵
  PID:5468
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1808,10251468808407107794,7486616166497679255,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5320 /prefetch:1
  2⤵
  PID:6008
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1808,10251468808407107794,7486616166497679255,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5820 /prefetch:1
  2⤵
  PID:5668
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1808,10251468808407107794,7486616166497679255,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5620 /prefetch:1
  2⤵
  PID:5884
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1808,10251468808407107794,7486616166497679255,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5924 /prefetch:1
  2⤵
  PID:5660
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1808,10251468808407107794,7486616166497679255,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5648 /prefetch:8
  2⤵
  PID:5216
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1808,10251468808407107794,7486616166497679255,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5648 /prefetch:8
  2⤵
  PID:6520
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1808,10251468808407107794,7486616166497679255,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3368 /prefetch:1
  2⤵
  PID:6912
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1808,10251468808407107794,7486616166497679255,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2196 /prefetch:1
  2⤵
  PID:744
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1808,10251468808407107794,7486616166497679255,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5892 /prefetch:1
  2⤵
  PID:4672
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1808,10251468808407107794,7486616166497679255,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3464 /prefetch:1
  2⤵
  PID:6432
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1808,10251468808407107794,7486616166497679255,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=6316 /prefetch:2
  2⤵
  PID:8020
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1808,10251468808407107794,7486616166497679255,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6564 /prefetch:1
  2⤵
  PID:6048
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1808,10251468808407107794,7486616166497679255,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=23 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3488 /prefetch:1
  2⤵
  PID:700
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1808,10251468808407107794,7486616166497679255,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=24 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6716 /prefetch:1
  2⤵
  PID:628
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=1808,10251468808407107794,7486616166497679255,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=6912 /prefetch:8
  2⤵
  PID:1580

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:5664

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:5868

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x2f4 0x478
1⤵
PID:4440

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Privilege Escalation

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Defense Evasion

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

System Network Configuration Discovery

T1016

Wi-Fi Discovery

T1016.002

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\0b3abc7ee26025431112385cdb7daa68\Admin@WLWOBVQV_en-US\Browsers\Edge\Cookies.txt

Filesize
3KB

MD5
17404e66e86980c8659635c32948244f

SHA1
a3fc5724fd43a0e264dcce0cf31877e0ff82576f

SHA256
4fde66eaba2ea214059ed2c06510275d3d4f10dbe0ffceff636e2e47c28d7893

SHA512
d6bdd1932b34013d0a123d1ba0ae236fa918a2393856cd83c995cb259275208de30dd7f2c7b194f86288f2fdc9eddc263322409b2c98d6d3264f4ccb48be8511

Download Submit
C:\Users\Admin\AppData\Local\0b3abc7ee26025431112385cdb7daa68\Admin@WLWOBVQV_en-US\Browsers\Edge\History.txt

Filesize
148B

MD5
8e2e34a746fce8cf7353de20d55d0d8c

SHA1
8c9facfa5956ef7f4f5f7b9ae0dc3c3ce1537ce3

SHA256
e39ba3d3a39b45582055d0149fe4f4e8f3ed89f1938c88b237ac24a1bdc2552c

SHA512
e52721773c8ee6b205a55ebb6fb9160b845ef971f846246ea6ffdb9a10e46cd66be320af780fb8de79fe1dffa371982b0b8263ecbc9c218895b4ba7bd684afe2

Download Submit
C:\Users\Admin\AppData\Local\0b3abc7ee26025431112385cdb7daa68\Admin@WLWOBVQV_en-US\Directories\Temp.txt

Filesize
25KB

MD5
39ba07402edb37bfed972909e3d534a5

SHA1
bd487e8bce501f877f89edecdac2e0a216010cd4

SHA256
49740f1936dfa64ae6c6a554a23b0500c7d99dca7da694435b2657b6eacb4d5a

SHA512
9fb64578fb1768a880f80702524112addd3140efda44cffb9cb85ab693110ed6a24f353d0949659c8403ea2f99b3c5cd2c2b5f899ce020f4a31968029ba4949d

Download Submit
C:\Users\Admin\AppData\Local\0b3abc7ee26025431112385cdb7daa68\Admin@WLWOBVQV_en-US\System\Process.txt

Filesize
167B

MD5
e67b4a8eb94a84ec9c181a0f07ed9725

SHA1
68a5c499bb75d1771624ab72bc3360805d2087d4

SHA256
b69831db9350f51bf083d6d13f6e39a78b36e76918e20a3740ff3675ddc6098c

SHA512
232cfab36221dae74d3101c332ba390cd96a4029dffc9ee8620b413cf5f66b5515c2756de5f9b786fee8e87320f5d8b5117798e4eb18e381c246001db812c886

Download Submit
C:\Users\Admin\AppData\Local\0b3abc7ee26025431112385cdb7daa68\Admin@WLWOBVQV_en-US\System\Process.txt

Filesize
461B

MD5
6aa10bd9408e0258c2c33d68af380883

SHA1
42a9d91c7fc2f40d26e3b6ba2af4bb62e61a4d5d

SHA256
24b7d8c990a56692384b0abf76afcdf9c55b3f28d60d5baadedeafc0a4d713f0

SHA512
197b989c3aa2f4af63a20380e2ccaeb9f0d1ec3c0b3e90bd4f5719aced6fe4aad5fb21d5136a5d59f216ea9956eaac36270b34cc1f694bd839fbff0ac70baf46

Download Submit
C:\Users\Admin\AppData\Local\0b3abc7ee26025431112385cdb7daa68\Admin@WLWOBVQV_en-US\System\Process.txt

Filesize
4KB

MD5
5f166777a5ecb7884fe863bad0f8a0e9

SHA1
309255bff2418f130ea3298cf4efe8e4eab0f8f9

SHA256
20c601d44ad7f10a9ea8bc8353c8e67979ad4d1114f8427d951e0365c3d13c93

SHA512
06e6b88b2795a953471703329e716b856ddcc07156b2646b6f907004586457675655eec17c035d8999fbe63ae3d9e5e4610977d66cd2bba5bd03ee1b51600a3b

Download Submit
C:\Users\Admin\AppData\Local\0b3abc7ee26025431112385cdb7daa68\Admin@WLWOBVQV_en-US\System\Process.txt

Filesize
4KB

MD5
8aea22875951d906a31ec11c85cf0436

SHA1
48e0d6e117cc7da7a688a930d37d42621d6b66ce

SHA256
edc26159fa6df5d79c0440c8287d1688d4816a326f2e36f7bdc8616d43c8a65b

SHA512
f43e9c417b821733d9727c8b3842383d100f1a8f8867b4ea7cbecf6339d9c9b32fa3788c3c851d63f8a69e86475729bb32d8ed72edbcb144abe245fa9818ce19

Download Submit
C:\Users\Admin\AppData\Local\0b3abc7ee26025431112385cdb7daa68\Admin@WLWOBVQV_en-US\System\Process.txt

Filesize
4KB

MD5
8c6b7b8785d1dc04d771d666671b3e08

SHA1
8c7f7b997b604ee72a9e077e710b2c0153943ce6

SHA256
d93f192d427a8b6e1d7f53f0602b7b3293e8cbab6dd268a7fc8a9ab71ab36754

SHA512
8433ed94f6f27117f5993b36b8f075903ad9ddaf53dd974c9fc739788bb190c06a66ca882248e5c74cddc1a6e2d69d0a9e706a5d395b3e69120c9bde99e230c3

Download Submit
C:\Users\Admin\AppData\Local\0b3abc7ee26025431112385cdb7daa68\Admin@WLWOBVQV_en-US\System\Process.txt

Filesize
4KB

MD5
4adacac15b66f8f2b17fbef2296ee594

SHA1
8c9282df95aa7a08c9cb83410bbcc908859b3bf4

SHA256
9cf1dc673d967bc3aeb0bd4340f0ac9e7bc8048c0e42025402b6076280e64228

SHA512
ccd0b0845e48dca30985e2475399d19d4a8c042352af638de5393d822c77432aaaacbb69d08ec7c1b46896551add774a924476f1e8f322b6c3fcc328c156aa0b

Download Submit
C:\Users\Admin\AppData\Local\0f9df786692a67ed658c193a7ae69544\Admin@WLWOBVQV_en-US.zip

Filesize
14KB

MD5
8d51003eb260f71ef2e297c319904368

SHA1
6f3c82b9688467cd39fc7a6e4e0341d4f25bddc6

SHA256
859a6b4b20da7d41c166ff4cc4aa17c6cf26dab7f84e4a35b572a6738aff498e

SHA512
64f3caf7a61b4f1bb13fa5219d1e0b1565ae9b377fc0cac5a4ebf669ce25eddc3e8fb2fd1bc27ffad276910b0ccaf11ae00af36d4ea73451517ac17f65b5e9bb

Download Submit
C:\Users\Admin\AppData\Local\0f9df786692a67ed658c193a7ae69544\Admin@WLWOBVQV_en-US.zip

Filesize
28KB

MD5
45477e7b7ff01ddc698190c76cd0ee18

SHA1
3b5f2f6a73277888a0f6df43cdcd306e49fe3382

SHA256
09baa59b28b0b3c398aa975c03893bcb235674e6b6a6f0ebc3fe1da38f18a11a

SHA512
bf3cdd9fc5baa85c0bfc69461d5634233c48e1cefab596b60f79eb40ed321d935c14dddb36c2b5dfba5498be1258a9dde777a7c74e14046eb25023b93af6cf88

Download Submit
C:\Users\Admin\AppData\Local\0f9df786692a67ed658c193a7ae69544\Admin@WLWOBVQV_en-US\Browsers\Edge\Cookies.txt

Filesize
5KB

MD5
ce246524295a6a23b5147f1e43839c9f

SHA1
f009b8743fdfc26c54e2f4513555e115199484cc

SHA256
f8e7951e51e2d71f33f3af04869b29a9540a20520510fce030cac90043f4b9ec

SHA512
b2c6ae3f3cedc773730df767b4bbe4a6ccf8082b2092728cf7dbdd2d4023ae81ec228cd78a7aa892892192469c3e6f69c50abb81f0cac2ec2a1ef287a9b8c61f

Download Submit
C:\Users\Admin\AppData\Local\0f9df786692a67ed658c193a7ae69544\Admin@WLWOBVQV_en-US\Browsers\Edge\History.txt

Filesize
780B

MD5
ea52c98617a225c09fba1b3b1905d00b

SHA1
e223d81b41c2be363e8c507d4b0670b0f49c5c45

SHA256
3b5ae15dec2d386a6f214b5dc5ba298f97bf166f936027b1ea6dbcdc969dc86d

SHA512
12a10db0c171781758cb7e70082b156ea82ef8fb37f85a527e34b62bfc0cb6ada4050eb50b5e1b35a5867fc1c4c4f7ed70603c740f2544a6955dc28e458b1353

Download Submit
C:\Users\Admin\AppData\Local\0f9df786692a67ed658c193a7ae69544\Admin@WLWOBVQV_en-US\System\Process.txt

Filesize
4KB

MD5
52319dc028eb810cfb2a5ef81e9e46b1

SHA1
fdb9bb5bc21a0e7948026bb368ebb6d3e31fdeaa

SHA256
7c3f3c166e73c1c4b7f8154e485ff4080265e3eb480ef85c9083559da706f8ea

SHA512
95e3ab515ea915fa2e4fae983d135cce92b006b89f152cece1e623ef41a8a710b7317c8c85f91ee90380e1264112de40a684c5dcb1b6cb8204b2db76bf94bc5b

Download Submit
C:\Users\Admin\AppData\Local\0f9df786692a67ed658c193a7ae69544\Admin@WLWOBVQV_en-US\System\Process.txt

Filesize
4KB

MD5
e5767b23c298cbbdef08e8f9805bf753

SHA1
4f47d358485871aee6f3092520d4bf91b388e0c5

SHA256
30fd4bc4c0314c14a4a12ecf3dbd343d74ba72d0111f5a2857a6922edfc47b41

SHA512
e19c448bae9dab04e443eed8dd5bea97bbe77d61fdf9e33dd4bdd0b44c61069a4fd37a9db57e63ce3a02bae19624ac056130ab6c4e3c34a6398a3320d69feef8

Download Submit
C:\Users\Admin\AppData\Local\0f9df786692a67ed658c193a7ae69544\Admin@WLWOBVQV_en-US\System\Process.txt

Filesize
53B

MD5
43124fb38a4cb6993e0302e96a8437d0

SHA1
11ee2bd45c28fb1a4077e9819bb97be2d7274bfc

SHA256
d5aff09a094fc1edd5c8000b8903c2419bb6bcdeacf0419103f8d1ededf911c6

SHA512
a001b7e65a0adb428a1473cffe6d3a06d52d311c354264f453b9e58467b7d34f21d63eeaaaf92c7deba43b9db312fa4c338be892b56ed56349b4c9df0a853fcf

Download Submit
C:\Users\Admin\AppData\Local\0f9df786692a67ed658c193a7ae69544\Admin@WLWOBVQV_en-US\System\Process.txt

Filesize
4KB

MD5
ff295e0fdf547f0b14d9a3c314bd3d07

SHA1
d347ac1ad4d1588ed44546235f4d004a0ff85e1d

SHA256
33befb476c76cb8d4a759d419d5ab9704c54bb073dccf6063021cc0a85aab98e

SHA512
094df52725d8025a7a6b567c210135debfce550728887cc98ded5b485096f82bfc75b25f073d206759eeda74405394afc7238c5cd2b1e42180ac07c2348f3df2

Download Submit
C:\Users\Admin\AppData\Local\0f9df786692a67ed658c193a7ae69544\Admin@WLWOBVQV_en-US\System\Process.txt

Filesize
1KB

MD5
b6461e998fb8f23b1aa859c861663aa8

SHA1
42df27c289cba8a09f557680164b05cdee63d96e

SHA256
2127cca7fc2fcfc9f393789f0c887966ebf9eabd88aa8b275095d99e286d25e5

SHA512
9c452e62c70c2582dcb2da87e3157631623446a142ffbd3ea79ec4cc63406bc54d413baff4e93d1f6f93f8bea52b1e9e172ac2ec1a67440267ecc43e28190fa1

Download Submit
C:\Users\Admin\AppData\Local\0f9df786692a67ed658c193a7ae69544\Admin@WLWOBVQV_en-US\System\Process.txt

Filesize
4KB

MD5
cf8b0dccdcf2e299422d3e9478dd6183

SHA1
be4769098887b7f75caa7cf14556de82b68ec8c5

SHA256
8a6b3d21921ac17d2bd40c3a01b1e823dbe9a293cddeb1e59bf565fa2a6899fb

SHA512
338d46674b923f312d588e559b9e3f6e819c77e2eb81b9984d1d9c7180da1f53a9bb953e8c4e6a3c7fe4e0878912b1976555e8c17b002e677f3b303568254b42

Download Submit
C:\Users\Admin\AppData\Local\0f9df786692a67ed658c193a7ae69544\Admin@WLWOBVQV_en-US\System\Process.txt

Filesize
124B

MD5
c08a05097641db1af2fda7d6f46e31cf

SHA1
86ed108f9dc1df2a7492ad6e43ce400a415fe4de

SHA256
870c18a563b4760db49b2456a07e81d018d0531b62c0d3cf7f6eafe6b4df1469

SHA512
42a7d647284817ba0618025556e10d87060c20dcb3fe7a319a7735b361a8e02e4e049d9687b680d0a38c90ee4e04b411766a7d98cb12dc2367752e7a17fb8bcf

Download Submit
C:\Users\Admin\AppData\Local\0f9df786692a67ed658c193a7ae69544\Admin@WLWOBVQV_en-US\System\WorldWind.jpg

Filesize
81KB

MD5
c565b38446d6e2873c187e8153da6733

SHA1
095054ca3e51929e96283cdd0792e89f0047978d

SHA256
fb0ed192222f977bb90b4f9970429473e4ce5520a0add310273100a2c9415ff9

SHA512
9d4c4b988e1ab771e45abfc1ed73a8607164c48fd0322e84da3ff3f7bd7af851470c9f383df5225203b01f5a797388b8ee03191098bafcc0db118df8765b0fad

Download Submit
C:\Users\Admin\AppData\Local\2d6c356d977278447729b5b1420edf99\Admin@WLWOBVQV_en-US\Browsers\Edge\History.txt

Filesize
964B

MD5
c64bf9fe5ff4f978d87b2bc512ca1df5

SHA1
83240d5270c3ee0d36589e68c8c1a27d5966aaa1

SHA256
02b909e2137e25e351f5710da7ffbf94f86af1809025439372871355a535b81e

SHA512
22c1f9b086622deec5b84fffb45817f88eec4dcd2cc2d5d319b72f2e82f51976afc760c44b7ac9b775603481ddf9e73ee6868fcc508200dbc07faf660d84aa05

Download Submit
C:\Users\Admin\AppData\Local\2d6c356d977278447729b5b1420edf99\Admin@WLWOBVQV_en-US\Directories\Temp.txt

Filesize
3KB

MD5
93a4aa96082c5cf6ac09934364bfb5be

SHA1
d0b0db89d0d7a58d5e09b3b1096d5bc769d14e7e

SHA256
b22bc9c3a4be6c58f033aec221841a6468f9c359be4c4cf31e7c2446dd5c06b7

SHA512
d49bc163b2835508453588403f95bff38ea59d01baf665dfa00d37107162e8c9ab72820286951fd29ffdefbdb67d05e762f5388009fa9ee792a435c026423140

Download Submit
C:\Users\Admin\AppData\Local\2d6c356d977278447729b5b1420edf99\Admin@WLWOBVQV_en-US\System\Process.txt

Filesize
4KB

MD5
eec82f634c57001a07d20b8266962847

SHA1
d729476d52a908ee696cbd3db994284cc8ba11dc

SHA256
61c662c706129bd1ad79fc22b6d7ad0325a666aaa5caf1ebd20f607df3a7ed86

SHA512
ab542143575ac152ff16d0769a893a7d0f82e302b9936a51fd41b7bcffc745858364d4a99be9c9dbd1ec81db1a14f68498ba5059f2b6afa9001dacbb11a6506a

Download Submit
C:\Users\Admin\AppData\Local\2d6c356d977278447729b5b1420edf99\Admin@WLWOBVQV_en-US\System\Process.txt

Filesize
5KB

MD5
490410af9a283e90ca6f9cb30021749f

SHA1
2417d8165d97c515f8a32030252df39baf3fd279

SHA256
dc1e0bd7ad617ab66c247ab7560edc44c1a20492c2ca0a11aa85ad8cbd43aff5

SHA512
7d2eb10d7a58981f1168abf8b532a9deabf3727ef1f652c2a8307138ba760439f33f32e94df29c5f75ff6e5ef84aaa82889c329077b495f6c69ffa721fa99807

Download Submit
C:\Users\Admin\AppData\Local\2d6c356d977278447729b5b1420edf99\Admin@WLWOBVQV_en-US\System\Process.txt

Filesize
166B

MD5
e8126728fbf9e27abe5af27079b4f1a7

SHA1
78284019a2a5926f51bbd95d2cfe725f45144490

SHA256
2b641ca65431e3fa5ec589f69387e0e383284a6ee6a2c6bad62c4da9e8fb820f

SHA512
fa13aa0f8b6b40d57db439cbc4756c12797e847d4ea3242225c277752e520cf63ea88d9f4d6457b7a138180ca14a4f83cdadecf37421ab5b2893634ffccceb9e

Download Submit
C:\Users\Admin\AppData\Local\2d6c356d977278447729b5b1420edf99\Admin@WLWOBVQV_en-US\System\Process.txt

Filesize
634B

MD5
68d3f57d85a113da1be574dc29bc643c

SHA1
03f4d028746f2246d379570c2111b571cab3d921

SHA256
5934f41d75cc10cf9b917c64f8e475d44fe06ae3178cf405f82186394aea6b1c

SHA512
d29e4582f9fed479c297a6c7e5c47dd73ded53eb66316ae4ecd88bd665c05347f2d94417e8358b3874489534ce1bb7b70df19760bfd75c1bba8fe2ba25d7f355

Download Submit
C:\Users\Admin\AppData\Local\2d6c356d977278447729b5b1420edf99\Admin@WLWOBVQV_en-US\System\Process.txt

Filesize
4KB

MD5
295c9dd0e0d0da8e0e81f4842d24b474

SHA1
e231ba26a3989c46ed2d117e98c5973f074e1a8c

SHA256
54c5a8d6ca4c3c6d126787bff22d5b1662289ab25039fe665859d13cacbc3afc

SHA512
2c3d488a0c3abbbe43050e2962fbb92d79763b5411677e41a660c369bfb8570f5aa171e6a0f675ffb1c24337d9f54a99d9ef33ae3c30abee1af69b9a92522e2a

Download Submit
C:\Users\Admin\AppData\Local\2d6c356d977278447729b5b1420edf99\Admin@WLWOBVQV_en-US\System\Process.txt

Filesize
4KB

MD5
9cca7dbcfca846934b7d142f7a3ee84a

SHA1
699bc88aa4fdd777e51afc33b7fc97dfc8b8e857

SHA256
29de81e074fa9e3d8448a94ad41eaeffbc9d6967ee5ce61341cf49a842170384

SHA512
d6a29a936c63d8a8ff3cd42d5bbebc01042b3e638cfdaf0b7de1e3db986628622b680d842cd1a2ac269b7973338dc3801910c5d0a001ceda800ed45d28c7ee5a

Download Submit
C:\Users\Admin\AppData\Local\2d6c356d977278447729b5b1420edf99\Admin@WLWOBVQV_en-US\System\Process.txt

Filesize
4KB

MD5
e93cf00857a83e42d3174b48dbba9774

SHA1
7177d2a83344b58aa22eeb5c11b43a85ccb6648f

SHA256
2391009eed8d62caa63e30d2698d331e3f57d9ef2a165690f385ab6462c9c061

SHA512
0ae7e429dd96f722e0f68fa826f6f120132513907942c2e63139523b121bbcc0aa4dad4244e1bb532e172244eac2f88d5c599a2cd85a6de796cd60af271dc5ca

Download Submit
C:\Users\Admin\AppData\Local\2d6c356d977278447729b5b1420edf99\Admin@WLWOBVQV_en-US\System\Process.txt

Filesize
4KB

MD5
4c5faf19ff7ebda97bf4aafa34585445

SHA1
63ddcdd079c47bb5961f9b299fb6c64f05fbc9d3

SHA256
c94d573894652cb6c743ae3c701aaf444f7a527b3353da5c4388f51bd5fdcfb4

SHA512
c2b1e8931f7592f7cfc919a6faddaad5dc0ec9a6582976709a6acfcdb85a5d4c94bd9446f77b252c9c3253016ce70ec846c30d8c87c87168f9508d91a3b855d8

Download Submit
C:\Users\Admin\AppData\Local\2d6c356d977278447729b5b1420edf99\Admin@WLWOBVQV_en-US\System\Process.txt

Filesize
4KB

MD5
c6d01d09076edf74c19619c31ce1c6de

SHA1
764245e2b9acb88f96941a1189d1e7fd110c09b6

SHA256
65dfc63be148e832e6e019092eeba4f63eaad72a5036e68d8ed26f7aa7ff7785

SHA512
1434a33e14ed5160ced5d7310a9fafa902bd0ed3bcfb0ee7bda078b85082573dce477d7d29c7aa303a63a7ce5f7c9bd9b16237e1d3f6f7e0332a2be8f7277ad6

Download Submit
C:\Users\Admin\AppData\Local\2d6c356d977278447729b5b1420edf99\Admin@WLWOBVQV_en-US\System\Windows.txt

Filesize
169B

MD5
79db6bfb359abedd4231aa0499adf76a

SHA1
f489c71bee0a80451500be160c30c18ed6bfb7e7

SHA256
5b22b8d8842c628856cedca4c5d084a6ec32ed1fc2eb4509f216e02e71cde6c1

SHA512
4a785ba8b10c07540e9c766a4ca9305da0411ccf2e8475a0b38ecc9c5a7adfa198260493f71432bca713384f8266615babab01ee769c283ecc33fd5b971fe54f

Download Submit
C:\Users\Admin\AppData\Local\2d6c356d977278447729b5b1420edf99\Admin@WLWOBVQV_en-US\System\WorldWind.jpg

Filesize
90KB

MD5
d9b82c2fb0d4bf9ec1193a53bdbd4ca4

SHA1
53775b67073041e6280c4afa9b05aa8e3888015f

SHA256
6d2535e69616f1e55a70514c5fa4b733d9ab9212d2264eaaae7f12d1eac23364

SHA512
73552b42eb52d0cf4d13182ad8d4fd78dbd52525c227693df841fbae094354619600ae1d26e89a366eea7025dcca4122b89c251da64e8f43d8ba36dea69ff5dd

Download Submit
C:\Users\Admin\AppData\Local\419b8aaa7cba6e4dff05a70cc7016228\Admin@WLWOBVQV_en-US\Directories\Temp.txt

Filesize
12KB

MD5
05341e0047ff7cf11f8ad89dd75e7e5b

SHA1
f36ed870233c0c877dca7f001c797428593e66b5

SHA256
81d267d55f46841bfee888c3f055a18fa31de4cc7e80bbad7948d12202aecf03

SHA512
0d2bde2966bd1a09c5b6cd97ea7e5f3fb6879fb141d5bf2208236b28e350a06b8146056df312cf9fd9a38eba94af8436f56affa5505fccd42d1a17d82eceeecc

Download Submit
C:\Users\Admin\AppData\Local\419b8aaa7cba6e4dff05a70cc7016228\Admin@WLWOBVQV_en-US\System\Process.txt

Filesize
4KB

MD5
a53efa180659bcdbb180a2e94df3ea60

SHA1
fe7c3e8429553c7214f03db20841d1d84aa9844a

SHA256
c0ced854e8150f06231f360f0cdcbf704c8700a1643b84bc2fbe46ea4028a8df

SHA512
bbb627d61e665dd5bce7e9824109f25d6eadfdabc38377b259ded4a9642d7dd21e5e66001e0c277d4f6cd253e4af40dbb206f6b17f168858b67b3c9678500f70

Download Submit
C:\Users\Admin\AppData\Local\419b8aaa7cba6e4dff05a70cc7016228\Admin@WLWOBVQV_en-US\System\Process.txt

Filesize
117B

MD5
972893fc461e0cdcab995d0bd3c10390

SHA1
682f8c939a7c512df2cfbbe1585442f49457e2b5

SHA256
e977e56525ca60afaf90f3b86c42ff1f1fec1c39f6c177550800c334922faa4c

SHA512
58de7c35c92dfa3686178eff1dd1b6f52a9dbd83f2f88f93658361b70271b832cf128e7ff0042a911fb404163604aabba16836e4b5c5d91dee79cf1c08dbe4e7

Download Submit
C:\Users\Admin\AppData\Local\419b8aaa7cba6e4dff05a70cc7016228\Admin@WLWOBVQV_en-US\System\Process.txt

Filesize
174B

MD5
07a56f005c4af8eda9b1620df2f5fd4d

SHA1
b40880f939da60e616a6c87b633d3cb1975b7d00

SHA256
7e7988e6f4fd169b12a90a67b0a868fbeaea658abda53595e9c03e16a1b32471

SHA512
597a9c309e9c6a888c432b26e58b0e595a67fd837904c70498386ca3085e16bb551c6fc23fedc11e11603bfc03c4c661ffb911b9970290eccde1fc3000fb9ec1

Download Submit
C:\Users\Admin\AppData\Local\419b8aaa7cba6e4dff05a70cc7016228\Admin@WLWOBVQV_en-US\System\Process.txt

Filesize
238B

MD5
9440a51b6cb9a706ff7eb9c0616ab755

SHA1
0d4dd3ffcb37e2a42d94a96ffc6e5cc8825f51ec

SHA256
bbab916ea9adab6a6247c4b038245714ccf7a619ddc430518b0fdd0c41afbcb7

SHA512
9ca5c9adbb2ee6478ea57a5912885945ab471ca1f80dc09825bb2a1e8fa053355941d922d6ae085f7bf7b9b6f9fab51f82102d420e60abf046658ef1534f0b7d

Download Submit
C:\Users\Admin\AppData\Local\419b8aaa7cba6e4dff05a70cc7016228\Admin@WLWOBVQV_en-US\System\Process.txt

Filesize
4KB

MD5
3bedc186ba7ca0db745de9d30d2e726e

SHA1
aad507842a38a0b743d1db9839349c55d6331254

SHA256
25dc355bd9bb9364e1719b874ba7f905969710805e573c3a4ac945b9edfa9b9d

SHA512
a68bb62638752a939fc54f77747c7d19d31c82709fdc5c818acf6e969c06e163c0e6f16e0297aa802d9223d2d017c4f9b90a6af41124ce30ad24d5e36db0b839

Download Submit
C:\Users\Admin\AppData\Local\419b8aaa7cba6e4dff05a70cc7016228\Admin@WLWOBVQV_en-US\System\Process.txt

Filesize
85B

MD5
b5160670f2cff22d68bc90bc1af8d2aa

SHA1
ce01c1ce05d69e93056b9aedbec9fc7248cc95d3

SHA256
117cc36f55d52f4fcf8c69b3b37ea24bfe39fc6bca612e1bf64d2ce3a69f4ce6

SHA512
0d31af634da18cc408451ccfe089a094a093559d7eb10173d6f1dfc88c503f48dcf21744540a7d7568cee1dbc8aa6a690144e2df3d9012b802800f0420a9ce7a

Download Submit
C:\Users\Admin\AppData\Local\419b8aaa7cba6e4dff05a70cc7016228\Admin@WLWOBVQV_en-US\System\Process.txt

Filesize
209B

MD5
e15d637cf7c7112ff8717c00ec2fa474

SHA1
6608457418b223310f120bbb16dbbff5aa545d3d

SHA256
c400006f09296cc1b9b3e46f4429d9a3d26125410d458dac89b011058bfe1fdb

SHA512
2740dd2c0357f9186fc2d12934c1496fd503a24b13dc689a8a8782876cc3842d82715121d7d943b61b3b7b9a0840c817a065fe3084e2a61d05509d4fb5bf0752

Download Submit
C:\Users\Admin\AppData\Local\419b8aaa7cba6e4dff05a70cc7016228\Admin@WLWOBVQV_en-US\System\Process.txt

Filesize
4KB

MD5
ecb6979e2bfdb742db8b3a7b2f0a34e3

SHA1
10ece4c7ce043965613a53f4b111fe903c55f38c

SHA256
aed87c67352e4ee816a76e7394a141955783e1889e643c18eac5b981f068eb22

SHA512
0ca0a03acc78be0f07d7c82c5d1828d001b930f4bbfd5a8cd8759f5403dc27736fe804c69ed8728537f478be76ac17848e7c3193202876c4422b1d98b01d84d2

Download Submit
C:\Users\Admin\AppData\Local\419b8aaa7cba6e4dff05a70cc7016228\Admin@WLWOBVQV_en-US\System\Process.txt

Filesize
1KB

MD5
b976e203a77bbc63636586f43a03564f

SHA1
eded7180ebbf8c730d1de7fb52cef1759b11784f

SHA256
a835d5722f22e63f6d350a74e1e942e7881e11f3c4ba818576ff9f892f8e9aee

SHA512
87bff72cc7c33a2bb89e19600c15065cde633a10d12df18d9efefb651ffa14cb60f1e2dcc3934480199007ff9cd5c75db73fdc77bc10bcda836eefd76291adeb

Download Submit
C:\Users\Admin\AppData\Local\419b8aaa7cba6e4dff05a70cc7016228\Admin@WLWOBVQV_en-US\System\Process.txt

Filesize
1KB

MD5
c455f72bb801760ba31cd3f9eac7c273

SHA1
88b5a0aad9ddd62b82080947ecafc5824ecd586b

SHA256
c2a5f5f4fee4fb044dcc23fe859b5fc7a7f591e5b375a3abdbfce0cfbbb70f10

SHA512
3282e1fc7335150bcbb1c5d5e50df07e22693bdcbf29b9ec0f46eb472eea72af86effe2f442f46d004a5517c2f0dba210a8063d42d2b8f7964d05458344b5ecb

Download Submit
C:\Users\Admin\AppData\Local\419b8aaa7cba6e4dff05a70cc7016228\Admin@WLWOBVQV_en-US\System\Process.txt

Filesize
4KB

MD5
1c8d3c7e7e3a15299fc5abf7b4867ccf

SHA1
3d3290f4b0375f5418afd8ad6e833ec722b565fa

SHA256
af7991eb105f32f6169dc16ca0f4124f1e6b7b8953a13552425be7581801e191

SHA512
861fdf2dfbf30a185812f7b1a7ac5390787d4862d5b100893a126e091db88467b1d04c6b73fb1a82a8b72644b0cc2c65839fb92a76bd9e038d66c937ca4617c0

Download Submit
C:\Users\Admin\AppData\Local\419b8aaa7cba6e4dff05a70cc7016228\Admin@WLWOBVQV_en-US\System\Process.txt

Filesize
469B

MD5
4c0f30464a0e8d06e808f4ea1a9948ef

SHA1
92d1fe2e1a11130889cf2c49f2a6603e0cbf6854

SHA256
059280f959b773799f7bbebed35a3eeb6f0ffae02bcd1785aa5d95d79058fe34

SHA512
979e5eeb3c2079d045b092ed16ab8fba1e223fc74b4b973c8a287211f995d44512ec780dd2fa6564110fe7be45c1fbdb6575e29fbfc73769df3c25cc13304565

Download Submit
C:\Users\Admin\AppData\Local\419b8aaa7cba6e4dff05a70cc7016228\Admin@WLWOBVQV_en-US\System\Process.txt

Filesize
533B

MD5
d7b3f3ccb09a10cfc5b706bb5598d81a

SHA1
4335ce003a35af1f0975915c8acec0afcc08ca28

SHA256
e915fb54a8e845f65ab705e589b519a88e36374918e9dd3c6476e2eee7d4d4aa

SHA512
f98fe1c262668965908a14332830c770fc16836ec94235fdf82133862f8994d5362a0dbffc70b3552a92bc1b4f6b5256a21502692fed05a6965c188f3aa24054

Download Submit
C:\Users\Admin\AppData\Local\419b8aaa7cba6e4dff05a70cc7016228\Admin@WLWOBVQV_en-US\System\Process.txt

Filesize
923B

MD5
7260edbb4a935570855f566e69a917b6

SHA1
2bc16d22114556957509f20634e3adff04897152

SHA256
fcb7a9ca159d15f023eeb9bf747996610e431ac356e0b1e84a5e54d7cfbdc9ea

SHA512
0a828442d0be66138b975d192d11e7d2b4a2f3720f2c5a81c05adbc7149753dfae2a71a14755f3199c5f0bfaed159fc45a6ea1ce3a9b693211090fd9f4c80330

Download Submit
C:\Users\Admin\AppData\Local\419b8aaa7cba6e4dff05a70cc7016228\Admin@WLWOBVQV_en-US\System\Process.txt

Filesize
506B

MD5
f4836cf6c4ec09f44682863cbe84a78e

SHA1
7044915372cbc717c4ae3a509ea95efe6c7f254c

SHA256
f2382d3b92a5cb3d4afec7b5ca5efef8f6470a4a107dabaac8de6abe00f38b3b

SHA512
d2b239e1fc6e50a0ff49792dd5d22a9a775639de5a2bbe23b3078f42a44b00c7742c9c41263ee76a56e169693d2df382592c26ad6a3c1709dedec3b420381427

Download Submit
C:\Users\Admin\AppData\Local\419b8aaa7cba6e4dff05a70cc7016228\Admin@WLWOBVQV_en-US\System\Process.txt

Filesize
2KB

MD5
8be1ee1429129ad3f6ff1f91b413443a

SHA1
39b30af47a9db07757fb229da9a662a355b59d6e

SHA256
de2929c1ce171fe2910a731657d5c4013c2b041054d6f34714c5b9549c17be8a

SHA512
77f350c78b2f88b4379e8e23c3b5b3ef41ef15e7b221b9e122de8875a8952aedcf7bfb1af9441f7f0ed0ab4fa35e4c74f42b89444268a1d12d865755252a3a5e

Download Submit
C:\Users\Admin\AppData\Local\419b8aaa7cba6e4dff05a70cc7016228\Admin@WLWOBVQV_en-US\System\Process.txt

Filesize
4KB

MD5
b605ed8cd3828623d13b6144bee8f468

SHA1
c3f6ecd1c35d4979cffbc28ad89fd5f62cb29cde

SHA256
6417799bbc520e9706ce323e619fd2f8605244d5320493ba959341fea52dba5a

SHA512
9c03b63814f4f2501faa6cfbbc1903a9268f4c53d34a845dfafa566ee40dd17c355cda1cae1f99414d25dadd651b47c0c0148ac9920a1097e3774151b3272f58

Download Submit
C:\Users\Admin\AppData\Local\419b8aaa7cba6e4dff05a70cc7016228\Admin@WLWOBVQV_en-US\System\ScanningNetworks.txt

Filesize
168B

MD5
9f11565dd11db9fb676140e888f22313

SHA1
35ae1ce345de569db59b52ed9aee5d83fea37635

SHA256
bd652c6bfa16a30133dd622f065e53aee489e9066e81ecb883af1c3892af727d

SHA512
d70edbd84693afbdb90424b9f72a4bd4a51bd27c719506e17a58b171c251046aea23ca7228ccd8b98b47cd8eb1227bc2d90a07c4f50e8b080f9a41d253935ace

Download Submit
C:\Users\Admin\AppData\Local\419b8aaa7cba6e4dff05a70cc7016228\Admin@WLWOBVQV_en-US\System\WorldWind.jpg

Filesize
96KB

MD5
387134553e986ac4c981b4bc9a6a3dda

SHA1
2ff0d31f8ae187743815d283a378dc4d5b0b9be9

SHA256
b949c2225752a1aee3450944c3a8b6c18dc221daeb1cc093dddced109a53ad2d

SHA512
a9fdefb6514887f188a42fb284e1b095c5ed058dde0632a62414346044f3a1d93ba2bd1acd476707f535428e2cd090fa3cd53961b2825de7820de18764e7df64

Download Submit
C:\Users\Admin\AppData\Local\4c72cbc49fc893b68d51772d0468ae43\Admin@WLWOBVQV_en-US.zip

Filesize
10KB

MD5
c0940f90e8c886e81a4c3fd113e6b243

SHA1
abe40da1af22a3b6aab574d3acca862d58551391

SHA256
ae2a0139c83850874a71f997d2cda6322029a710f131f4178a75247e568b222b

SHA512
e67467559b9400d628455494bafe0ff06b90805f6276341691df02c1c013d2ba7a797ac199ffdb72b032dd5edad751f695e8ef820f1ef0c985072fb2087ce458

Download Submit
C:\Users\Admin\AppData\Local\4c72cbc49fc893b68d51772d0468ae43\Admin@WLWOBVQV_en-US\Browsers\Edge\Cookies.txt

Filesize
3KB

MD5
e070f4419d7ac7ea16d1642d59389082

SHA1
36a65fb2590f1bf9fbccde425b70db40c9e06e5f

SHA256
913af5ccf61b19712ef316f5082e05f88506e0abe0a4bd4f7067c66523a2e307

SHA512
9f0eed39debd7367765c0a50767a0489fd59e765b6dc08c81d221b32c7364bf212874d22a56e587dfccacaaa72abab7c87fca07f98a4a706a38a46ac595d88eb

Download Submit
C:\Users\Admin\AppData\Local\4c72cbc49fc893b68d51772d0468ae43\Admin@WLWOBVQV_en-US\Browsers\Edge\Cookies.txt

Filesize
6KB

MD5
142489d50b2f9e974fd446721f61a17c

SHA1
cc4c2c70f96b8a5eb80fc554ae46700aecd498ce

SHA256
2620bcbdddcbc913be7d4e4b474261d5a0073b00dd6a18113a9b58ab2c4b5699

SHA512
d9c57395d2b9347c25cd78b631d1f9cab6025c2ae831cc00122080650e2e708c2a407daa57ff62941af65963e8a6510c96b3abfffd85efa3612e0ca78faf36eb

Download Submit
C:\Users\Admin\AppData\Local\4c72cbc49fc893b68d51772d0468ae43\Admin@WLWOBVQV_en-US\System\Process.txt

Filesize
1KB

MD5
1693d0e4c9d8ba315c8bfabbf1fb02b1

SHA1
f1d7487095c9085eabd73d7fd6dd0ee3dd059a93

SHA256
1c9a79e4bc5f881a6f6853b4533c8ba3d5e182bb7aec70fd71fdfba4c2de69f2

SHA512
b97066a91b9f42676d3d160cbfb4fa7f7ea973a9e4c4e81cd9ee10e110fb49aa4c59995b374e7977ba0dac236ba01ea64db5308fbcd04899e0dc60e4107bcb20

Download Submit
C:\Users\Admin\AppData\Local\4c72cbc49fc893b68d51772d0468ae43\Admin@WLWOBVQV_en-US\System\Process.txt

Filesize
4KB

MD5
e5858be79d2d9f20a01ccc2ca315a6b8

SHA1
7eb31b017ef9677a58e92bda99b5f05157a6069b

SHA256
fc7db3c3a8f616f4ffdf1adf82f97520fec827bfb142e7536698ee2d2f8c9fd4

SHA512
979c0dc27e0e5ea46029d6838837388df0f79a00803c11371ea4755c018a9bafdb167bf4af4afc4879293930814059369961943466c44f332f9cb90c43ac6d8b

Download Submit
C:\Users\Admin\AppData\Local\4c72cbc49fc893b68d51772d0468ae43\Admin@WLWOBVQV_en-US\System\Process.txt

Filesize
4KB

MD5
7df387f864cf5c2cf1943209a4d45cfe

SHA1
cec37ab87b61fee5ad70b88f2ede79c0618f5482

SHA256
b207a70ef0472aa343d1e7323a7c5402c9c0a6651fc66ff217ba29e7a58f2718

SHA512
a44a93fa4be2c014923051b19c4549e10e2653b9c8386124c6e1e8dff20dcd50c8b7a56277323dd90c9e1ac4f4b230b7c08226ef61fb9a469462893ef668ac6b

Download Submit
C:\Users\Admin\AppData\Local\4c72cbc49fc893b68d51772d0468ae43\Admin@WLWOBVQV_en-US\System\Process.txt

Filesize
4KB

MD5
fe847b14b0a82fccbdbe99aa60960032

SHA1
57e27f209c87b887d188dc62ec1325f71682c4f8

SHA256
93e19bd338cd3b0e76db455e0a6ba13c7372342aa981845f2471b036a4efc7bf

SHA512
7d99df76f72102f121d4a53f9cc9a6a63e552868e80441ed7bfa62c1e47c75d79632a32c358c4769e9d25800c0329b866c7aad6dbf12b5dfa1282be7dda94b8e

Download Submit
C:\Users\Admin\AppData\Local\4c72cbc49fc893b68d51772d0468ae43\Admin@WLWOBVQV_en-US\System\Process.txt

Filesize
4KB

MD5
658f55e59bc168813437f0bd69f18791

SHA1
766ba157690d41e1e83942a586ed1db76005a5e2

SHA256
57fe36b30c3464c8976a842cadaade14a7ea1f79bac9e4e06257f6f5252cae1e

SHA512
dbd4afb0bf75eb6fc92fe424f393b2ca060f134cec22e904878b6dfb22b86e067c8cb89f69bbc9ec33d85af1cd7ba9c7e4b504c4a452c78979ff63011c3fb3bf

Download Submit
C:\Users\Admin\AppData\Local\4c72cbc49fc893b68d51772d0468ae43\Admin@WLWOBVQV_en-US\System\Process.txt

Filesize
4KB

MD5
aaa89b1c876473c68a82384438a3798f

SHA1
aba2bf0a32d2b0c8e74eda35a92837c0cbdec0b8

SHA256
9219dd3105ea1bcc899e76177a1e5875b985421ebf6f271b08918729a368f643

SHA512
f8eca51e6d9afc188dcd59b9f41711eda6734eff67bd67d2c39eb0a8f8d75da1ccdca40e1634704124362944ab49b3c8a54be118dda5e43203614c32904f4ee0

Download Submit
C:\Users\Admin\AppData\Local\51c533bf59b511f2f6e36fb839dd6db9\Admin@WLWOBVQV_en-US\Directories\Temp.txt

Filesize
19KB

MD5
3dc5e0dfd2972898693e2982f423592f

SHA1
a95736cd849a302c7d8a20d7c27dfccb88d82185

SHA256
a353c85a1764cee669a925d276e6f6cc6cce4fce073d8a884f1867cb2c139899

SHA512
89d5c17ab26f61b0cef530d9e4550aecd778821339c954e02b3d7d84978527fd8f7d8b1da9141b066366c81ef1fd4b406eb6b2c8157d01f292dea69fe18731bd

Download Submit
C:\Users\Admin\AppData\Local\51c533bf59b511f2f6e36fb839dd6db9\Admin@WLWOBVQV_en-US\System\Process.txt

Filesize
321B

MD5
e9120990900e3a19a2c47ee1d582b36b

SHA1
287fc9e3c7cd2a4e0fe52bf1b3bbda8fc854cacc

SHA256
23330dcdf0eb6b8f994306dcfa242f07b5c4b0b61569c73def643d80105c41c1

SHA512
e6cc5374289381b09f7709955b71b6ed65f3c8939c475b380f0754e89fa8d05c6003ffd87474d5591b7429ddc271827f227aad8116fcd9ea796ba982475dda0b

Download Submit
C:\Users\Admin\AppData\Local\51c533bf59b511f2f6e36fb839dd6db9\Admin@WLWOBVQV_en-US\System\Process.txt

Filesize
1KB

MD5
ee861c4610c35695a090c2dac3795d3f

SHA1
5f07132970c7d7455c6a953161afc77a8d5b81d2

SHA256
38b45c3f720b88705ae55d46d3a13afc1b5f456dc0fbbcbce2469bce73499d68

SHA512
2ba41dd902a62d5df937b1ba28f1af08d89c7b2564a03161038c995843f88de580fe771cdc91e9215e55965186bd112a13e8e44f0b0a7e211164ea970a084b1d

Download Submit
C:\Users\Admin\AppData\Local\51c533bf59b511f2f6e36fb839dd6db9\Admin@WLWOBVQV_en-US\System\Process.txt

Filesize
4KB

MD5
0177cacfd78c4f734e148ed2173c0c2f

SHA1
1edadab97668d04a310ced8a69da2fc161afbef0

SHA256
696d209b1ea3333b104e8ccfde3e707f71f5566cd439030abb0af2aeb06fc6bb

SHA512
2462af9f9317bc20285e739ba1be4e7285417175edc1de5c181274b343a81bf3331cfd947149f57486363ef6c9e53b2b0d9f40923252d8cbe25bcf8811fe3cd8

Download Submit
C:\Users\Admin\AppData\Local\51c533bf59b511f2f6e36fb839dd6db9\Admin@WLWOBVQV_en-US\System\Process.txt

Filesize
4KB

MD5
5f5fe5aee38f1baec4e96fd02619efee

SHA1
605a61f2bf164a9a36be57387c60e920438417b5

SHA256
1b756efa08cc6991f5f78174c3355801eb04738885c19a2d74b647e1a035ae9f

SHA512
48963632b1f2fa1420e61fc953d9b28664e40acfdc0039193924af37022279319eae6ab4740ccd8e534970d14b500dc7a6572040b2c87e525cfb3ed58e22a061

Download Submit
C:\Users\Admin\AppData\Local\51c533bf59b511f2f6e36fb839dd6db9\Admin@WLWOBVQV_en-US\System\Process.txt

Filesize
4KB

MD5
c3520c69343f8b5b68ce2aa9679399f5

SHA1
9a7d3707f64379228a3c8d1b81ecaf8b0efa00af

SHA256
0d78b0da1ce519c9b7db4a3842d49c854b54048bcee3370bb860f0ac69130bb3

SHA512
775fc4eb5b49ecd0a1b7217c8c4ad516fdbbd2e026a3096e1d47506b1069512ee693153bb85316eba55d5d50c298e2a0e8093deaf8b3d4f3fdb0c56175cc8b41

Download Submit
C:\Users\Admin\AppData\Local\51c533bf59b511f2f6e36fb839dd6db9\Admin@WLWOBVQV_en-US\System\Process.txt

Filesize
2KB

MD5
9abe3bd44a8e767f926026328a57ce47

SHA1
3b84d2090c91781fc93fc81bce894834c122b1f3

SHA256
d8e2819d2135ba5344dca9619eaa0f0ba3cfc088fff04b781c8777b21df34d2a

SHA512
074b35e71141bb7e4f81a8bc558ee282b4b755c4b2ebc2cab7b6ab3df4f229a306a2a9e7fba7c98117aebe682087417c1e04e09e1e9237f8259d72aed45d45a1

Download Submit
C:\Users\Admin\AppData\Local\54af8aa9286eab1ac406bb1322b37d00\Admin@WLWOBVQV_en-US\Browsers\Edge\History.txt

Filesize
650B

MD5
ebcba824ba73e917f5dbbbe80bb94ef3

SHA1
b6e502a4c76e5c663a87cc7b538dc691cc1932e9

SHA256
36e4723d13219bfb74d7748280295189405a7492748988d068b2ee2e9fc0eab9

SHA512
d4bd5ba93e409560d75277f879bd7944a4a2372916cdaa4391ef98e25195b6eff60c26c7ca2f8708e5e3a27d926b6768cf68ec5fd6092709ce4c0fd356d57b9a

Download Submit
C:\Users\Admin\AppData\Local\54af8aa9286eab1ac406bb1322b37d00\Admin@WLWOBVQV_en-US\Browsers\Firefox\Bookmarks.txt

Filesize
105B

MD5
2e9d094dda5cdc3ce6519f75943a4ff4

SHA1
5d989b4ac8b699781681fe75ed9ef98191a5096c

SHA256
c84c98bbf5e0ef9c8d0708b5d60c5bb656b7d6be5135d7f7a8d25557e08cf142

SHA512
d1f7eed00959e902bdb2125b91721460d3ff99f3bdfc1f2a343d4f58e8d4e5e5a06c0c6cdc0379211c94510f7c00d7a8b34fa7d0ca0c3d54cbbe878f1e9812b7

Download Submit
C:\Users\Admin\AppData\Local\54af8aa9286eab1ac406bb1322b37d00\Admin@WLWOBVQV_en-US\System\Process.txt

Filesize
4KB

MD5
24c002ab4f626e173aebb19fad17e347

SHA1
2e6589c6b40d4462937a49f5b53c97062c0e2fa4

SHA256
32692b42b2baf7623f6a44f1a98541893de89315826220d23743cdd64f2b4d53

SHA512
ca5941887a544d670f0af62c2fbb684530e7492c82e612d1a2fda290e3f0dac05a1528eee188367571c54784073c6781de7539c126dc7711b97efcc7085440b7

Download Submit
C:\Users\Admin\AppData\Local\54af8aa9286eab1ac406bb1322b37d00\Admin@WLWOBVQV_en-US\System\Process.txt

Filesize
4KB

MD5
2607e77c0615a6c788d90a9b3456559a

SHA1
29746b5009f2153d01872e7dc6d33f2d3a2859d5

SHA256
6798058a336a63ffce0b93639bdf6ef4832ea4a6818e5712209046fff1c67984

SHA512
05411b4b3aa16cf8d95515e7c636f3ee484db525e70b8263e3655ac9e6ade7abf6f6144260f0d834c2897f6832d078a7b284c5a9d926e7368230ef9befeaed8c

Download Submit
C:\Users\Admin\AppData\Local\54af8aa9286eab1ac406bb1322b37d00\Admin@WLWOBVQV_en-US\System\Process.txt

Filesize
4KB

MD5
525dbd97c9fb4234d432948dcd845b84

SHA1
a21028d7e852f940dfc4c22a8983c4d0d1373e2c

SHA256
182873b2f6600fa6909a8ad942923b812f5ae84d2f03e9ac17182aab79a05d51

SHA512
a06042eac8f108988fb5e8721bb3de3c0458b4e35994ebb796837bd87b2fc91340a6626cb64336438c5547c83718f4a2e1dfc3cc42a6b91906c905aea0bc1d41

Download Submit
C:\Users\Admin\AppData\Local\54af8aa9286eab1ac406bb1322b37d00\Admin@WLWOBVQV_en-US\System\Process.txt

Filesize
302B

MD5
a0ec20be7da780bbcd5546e478205da4

SHA1
0d5e3e18f7780d98d4a7553fe3181fb1b587cc6c

SHA256
fd5294178aff3f6c836b8b7f5e1bec620892a14ee3fc39696794fa4ddddc90c8

SHA512
c2e8b985adc9687e597ced7cc132b4f77b98b16a34f5e32196a43c38fb768468f846478f0f946d0efe9b7c0e99b766ef47da4a81ca6c5d11ef8b97b1dabea6bf

Download Submit
C:\Users\Admin\AppData\Local\54af8aa9286eab1ac406bb1322b37d00\Admin@WLWOBVQV_en-US\System\Process.txt

Filesize
4KB

MD5
e5aa043df12e437af802c2b7100e8411

SHA1
a3c83f254215e2d5bcb7fe5430a27990debb8778

SHA256
9b91c2d63bc6672b9d5b7c33cae91861c0bb165a7be6497e69c0368cd7fc400d

SHA512
155e2f9e4e9dea44cb7236a1f234098fdb691ae4f2b2147b15bc2f3e2a03d8161cd0824516528192b1fa0466720e2643cb4b17143100cced5ba779b7cda3a007

Download Submit
C:\Users\Admin\AppData\Local\54af8aa9286eab1ac406bb1322b37d00\Admin@WLWOBVQV_en-US\System\ProductKey.txt

Filesize
29B

MD5
71eb5479298c7afc6d126fa04d2a9bde

SHA1
a9b3d5505cf9f84bb6c2be2acece53cb40075113

SHA256
f6cadfd4e4c25ff3b8cffe54a2af24a757a349abbf4e1142ec4c9789347fe8b3

SHA512
7c6687e21d31ec1d6d2eff04b07b465f875fd80df26677f1506b14158444cf55044eb6674880bd5bd44f04ff73023b26cb19b8837427a1d6655c96df52f140bd

Download Submit
C:\Users\Admin\AppData\Local\54af8aa9286eab1ac406bb1322b37d00\Admin@WLWOBVQV_en-US\System\ScanningNetworks.txt

Filesize
84B

MD5
58cd2334cfc77db470202487d5034610

SHA1
61fa242465f53c9e64b3752fe76b2adcceb1f237

SHA256
59b3120c5ce1a7d1819510272a927e1c8f1c95385213fccbcdd429ff3492040d

SHA512
c8f52d85ec99177c722527c306a64ba61adc3ad3a5fec6d87749fbad12da424ba6b34880ab9da627fb183412875f241e1c1864d723e62130281e44c14ad1481e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\RebelCracked.exe.log

Filesize
654B

MD5
2ff39f6c7249774be85fd60a8f9a245e

SHA1
684ff36b31aedc1e587c8496c02722c6698c1c4e

SHA256
e1b91642d85d98124a6a31f710e137ab7fd90dec30e74a05ab7fcf3b7887dced

SHA512
1d7e8b92ef4afd463d62cfa7e8b9d1799db5bf2a263d3cd7840df2e0a1323d24eb595b5f8eb615c6cb15f9e3a7b4fc99f8dd6a3d34479222e966ec708998aed1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\RuntimeBroker.exe.log

Filesize
706B

MD5
9b4d7ccdebef642a9ad493e2c2925952

SHA1
c020c622c215e880c8415fa867cb50210b443ef0

SHA256
e6f068d76bd941b4118225b130db2c70128e77a45dcdbf5cbab0f8a563b867ff

SHA512
8577ecd7597d4b540bc1c6ccc4150eae7443da2e4be1343cc42242714d04dd16e48c3fcaefd95c4a148fe9f14c5b6f3166b752ae20d608676cf6fb48919968e8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
b80cf20d9e8cf6a579981bfaab1bdce2

SHA1
171a886be3a882bd04206295ce7f1db5b8b7035e

SHA256
10d995b136b604440ac4033b2222543975779068a321d7bddf675d0cb2a4c2b1

SHA512
0233b34866be1afd214a1c8a9dcf8328d16246b3a5ef142295333547b4cfdc787c8627439a2ca03c20cb49107f7428d39696143b71f56b7f1f05029b3a14376a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
7006aacd11b992cd29fca21e619e86ea

SHA1
f224b726a114d4c73d7379236739d5fbb8e7f7b7

SHA256
3c434b96841d5a0fa0a04a6b503c3c4d46f1c4e3a1be77853175e5680e182814

SHA512
6de169882c0e01217c4ca01f6ead8e5ebb316a77558e51cd862532dbf9147d9e267f8db667ff6e9fa33164243724f5e437cb882392382f3cae1072dadb762c1d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000008

Filesize
27KB

MD5
b5a390e47fadf517154dadade3166e9e

SHA1
0f6f631d2e2a6e91d82e8e02adba683d29aed446

SHA256
70bb1155da50141a5f47b30f00eb91b9b58f992209024fc768f830ba20cac5ce

SHA512
b2d588eda28f3ce3b761976eab060f95adf3398da27c77a54ddada0e05c611a1d2f9e1ba57bfc59805528ae8bf73ed50210573a5059094c67b835f23f9f47269

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000009

Filesize
65KB

MD5
6638cc3f022b8ef3ec71a05073f0973e

SHA1
694caad7313b73bb7532c0e7d47f226c587644f8

SHA256
92fe78671933943c5c4d0ee252f6b56149c91cc6aa5710de57f4036e3815d058

SHA512
0008950da302fb27a70c637aa3902915417fbb2964e2d31a517c3fa4b05f9231c9e72f722e4d6d95b0e4c498e1ca42737f1f0ff52faf54bd4d02e62f440087e7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00000b

Filesize
83KB

MD5
799d18eda9bbc8172b6635dd88368f1a

SHA1
8484c6d4d639d9a4553eb1b118ff771ae4d3e4df

SHA256
26b1b8e39d95748de6d79f862acfcbc328c73e9ee067cfe281a110633f09e550

SHA512
497fadb9aeee1f4a45f90e68eed813c1f199c16b44dd02f3ca25a7df7c15edb696e6f2cf6a06cdf50ae006f729cd3c292baa0f952b897e8b57e0673bb1992c2c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00000f

Filesize
102KB

MD5
f9f5001f3a1e06fb5623f394c95ffd1a

SHA1
d81428204503c05eb88391b9fdc9d6d8c6ecd35b

SHA256
91527e260c023b13ca0f5f21dea9993f4fad49c54e4d51ba4462be8c46663a95

SHA512
dca55c139073369f07584738efad31e4dc6dcf55a2ed9a76123a7ea78dc29e6a64ddd741c462936b2082e9656c580b6edd33283d9c5972ae5b869d5ccc7d0ddf

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000047

Filesize
16KB

MD5
48c80c7c28b5b00a8b4ff94a22b72fe3

SHA1
d57303c2ad2fd5cedc5cb20f264a6965a7819cee

SHA256
6e9be773031b3234fb9c2d6cf3d9740db1208f4351beca325ec34f76fd38f356

SHA512
c7381e462c72900fdbb82b5c365080efa009287273eb5109ef25c8d0a5df33dd07664fd1aed6eb0d132fa6a3cb6a3ff6b784bffeeca9a2313b1e6eb6e32ab658

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000048

Filesize
29KB

MD5
f85e85276ba5f87111add53684ec3fcb

SHA1
ecaf9aa3c5dd50eca0b83f1fb9effad801336441

SHA256
4b0beec41cb9785652a4a3172a4badbdaa200b5e0b17a7bcc81af25afd9b2432

SHA512
1915a2d4218ee2dbb73c490b1acac722a35f7864b7d488a791c96a16889cd86eee965174b59498295b3491a9783facce5660d719133e9c5fb3b96df47dde7a53

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
1KB

MD5
3687d4d57579be5647580cdb59f7891a

SHA1
84a01f6dd23e2a7356fb6169fcab1488b0715167

SHA256
e36959388f823b94bebde165c398c90b9b0c802768b4b436c093beb8952b1ff8

SHA512
d8c8486377286650318c209431b58d7a17528195fe10863059621d3ba09501064cf99a7d906ee8ad4804d099b2c89e89f550f1bc9991416d7e24244d3e6ea2d7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
2KB

MD5
4406c8877ed1b4886fd628472512462a

SHA1
4df1a14eb6d07c291fb8ff8ff9eb8f180c55cfc2

SHA256
c208962ba085893a8261f79782e4de5922c2f4eb5d98d1cf14b8c0988b737d0b

SHA512
b83c9a743413745189efe8af2d6b82f144d2d1f36445c8b7122f32398ae4c1b8375bad0e19a83a885e65415e17bb2c1914958963698cfce98a1c6ec73e0ac704

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
888B

MD5
2470a6481aad9fc6f5b1a8e58a6c344f

SHA1
36ce9d38e6b00bb34b9baff5047b8b0fb63d0831

SHA256
e7dcefceb2a4725fd4ac1bbd21f4a7e978d66b9b37a0ecbb43c4a53db00eb173

SHA512
5cfbb6b4a9c9f0e4cdc1395105118b8854fa6742100affb57b8c8881bf0ee65f40c57c218edb32b78a41b511beab912de1446afe2db635a3f9a14c3b80f40b15

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
1KB

MD5
fa8e322099f645f3f4458e01d5743eb0

SHA1
b381d9f9d13395f978f7ebc58522426401a8a858

SHA256
e199d2eafaace00711068757c7618925d6397ef80f85646851e51ce056df12f1

SHA512
32034dc6cbb3bdb697e4758f367982bc5ac6eac71ce4ff07f71429832be7e4c6dd1f8a4f8048cbc271c4e58dd996a8408de7d1b4de52e904347942970d2bbfe1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
1KB

MD5
ae014ad5813873ed5930818d6dab6eb1

SHA1
6b1abf89b048a2c2248a227f13197f96bdf7cac0

SHA256
224ad1ff0a4b33a477c217639fba04498724cde1b2c105405301532c5e57df19

SHA512
ce221877e25661ae1dc123e281487d1abe3b68e0ee041bce91a30aca7145327cf3ef843298ccc4709b9e7ccdc7d1476bcee5eda6752f4a101a40b833f9e1a1dc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
3KB

MD5
7da479cb6ccd63c2fb6e9e43994ddd55

SHA1
c87f92e8c29445a8dbe3a5e112cc4e12e90be6c1

SHA256
f3a5df634e66a038165392183b8a522ce1d1bdb1ef2eb11d74c17d973bedb9c3

SHA512
3c75c8267dd9a3c13bbe114a505ce8494e398bdbeea4a234dd0a905cbfcdedefe2f8991ff1dc1ce0b003abfd7e65e50f499fb294cc9fa68d1bfafe229a65204e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
3KB

MD5
2516e688323461b88ec84242adf5613b

SHA1
19b0c40c20ea5d455c5d4b9e211fbab0e7a5c767

SHA256
ac374520ba866da44ecebe4abccde084e231891f788b97bf68d082c67f12b6ca

SHA512
4c1260e589863c432ffeeb33c58018bf73b37bfcf1cdaa6fb19037e88803e33ddb984406e4543dfb33eba342e2d0f61f01efd26084a1eeb144a036f8bcf28be3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
9d704c488de210dd5cbbbe3a24ad62a3

SHA1
76a656aa124c3d3294ac7ed40d78f4a5406e7cf4

SHA256
7d251ffdc794c6b0b5a4925dc44de9e8ce62de502b83b17c0aedd021c1223713

SHA512
5b1779269b9dc1102fe24563a2fd2c746f03d1ef9a4a189b9128e7b63eec15320d9a234cccfe2eae8006f571ca885157d616e998fedd18eee238e5b258540b59

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
8KB

MD5
f2785e2386fd239d07073dc9effbd973

SHA1
25f912deb4b19aa748f760d09e53f4577cc459bb

SHA256
b7916d3f947a19e40df567bae14da6be852831aa2330f75a68ae280a3c1cd5f6

SHA512
5c3d1fad0ebd9c43e679077e11203d8d75f517445db591fba0457968d79ca262d9c62589011d251eda4b96fdac19084b812756ee8fc4416e0c7c43dc858801ce

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
775f925c9ebef44da66964612003e864

SHA1
a1c0f6aead47037cd3de15c87a89919de9cd0c73

SHA256
a770a0a542a66ff4ea51df030d29097ef2c0f6aa94681da43659254728435f31

SHA512
0e99ca9ada0bdd18b4d240caf0ce51307cc63d14d2697af8d5cdee138b97af8545a9889f00fef20b229def8c535806318c785a0d92ff74f5c08fec4d14831fcd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
c35a11d802179d828d44ab36c537517e

SHA1
53b5e6889c3bb1cc9dfef8b8f9594a5cae14fd3f

SHA256
78b35dfa1855b1e957985c8c43f57a469d9832d11fda738c36326b5b7ce39148

SHA512
2d4e5c5c7534487e8d1d3d714384fad87de735e78a15e6b91b5dfddc5be0c714bda7aef588efdfba55dd3905990e9590e89800a22227cac9a21461918ca0f1a6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
8KB

MD5
8b96786d98bcb9845cb4ddb7b04de134

SHA1
b039aa09d585a1cd6c245888abf6a0fc3cc6634a

SHA256
b007f4cf6c04dbd92cc59068cdcbbcbe4528b5878e0920ac04bbccb0f3eaf14a

SHA512
89e9d85237678d4bbbc0971c43bdad5ef89e994590b68617378edbd8512239430c4f41e799e051d64750bc1970154faa88750780856bafe73c92f46bb39c8b96

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
d4047d322d418a0e4bac63dba0307534

SHA1
b4aefc63f6971df820e2340dfa26e09f9d434e16

SHA256
4011ee9191432278d882fa31b48a36e42188d4ecd57a73c8958a4468d593c067

SHA512
9a454443cb50c43493f7a3e70ce95da7611d5e5cde661b29ee6ed5fc258f97734980c844e4a03e3be68a9af37366ed72c7f72a58128e73958b9115d4b30e0fdc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
8KB

MD5
51fc8b7403a2453353c39a7a98853b97

SHA1
6293f2bbbf1cb3490c893e7d89c2291ebf0ef2a3

SHA256
dd6238d9b85236070ca10fbbd0a5bd30aaa90f26fc8943efd409c4948f63008e

SHA512
7f877b712c50a2efe748c3a04132f8838519bb3247b543584e975ae9dc7d9ffc861d9c24b501657c556bf1c07e1cb146bdb91c4d59e7f12569090137aa65c9ad

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
8KB

MD5
6ea4a7e7f1ecb4a9a56618976ddf07cb

SHA1
3acddf3fc74c95889040f96b2ce84bc45359906e

SHA256
9d0029eec9a74b443cd26ecad1abeb37fb1536fa9de403122a1d0a864115d6f4

SHA512
f951800da3fb3bd97bc90dd1a59759012267eba9aaab5d85d57e32e3d480c61507d86d287aac7ad17e69f69454d62fcc8b91b6a986da1be6391bb8c44acffdf5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index

Filesize
96B

MD5
333931b2c7bc66d7d445c23b5b5ae28d

SHA1
8063acaaa435c59c048de8f934ef76485fa13923

SHA256
12f91087357e70e992a136dbaf4e8301b14eb8fad50deb3d2bb88547fe174500

SHA512
250520dd8ba2ddb0d3176592ad20ddc0bec277e0d3ce7444762ef0c07da341c04b403d725601d0a45d4c23fa0a1b0c57b510832a153b8348648ef8b79f8e7829

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index~RFe5a12fd.TMP

Filesize
48B

MD5
fcd3f67f72e78d8e014f556858f175ea

SHA1
5ee2d965e2b4f519114afffce4b1b199f137820c

SHA256
856e6c6dd7a129bcf697b873e43229409d7a7612adfbf5b497aa8bbf431a5167

SHA512
1f69cba99c3634f8f7bdae191a4f708485178f3aba1d19a5588b9c3b80c499c4020dc2e7cfbe429578c176143d77a9c7c79d62d438ca2e94aa5ef273e8009b8f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
872B

MD5
c09a28c99c20ecae45c9ed76ab90e3ae

SHA1
07959d8da72e3f49b2813d097c615c86bf280b39

SHA256
91f9aac6c5670f8ab54694eb31e707ddf2d6b8f6d6aad12c01dc09b707844003

SHA512
703a6a1a25cfd74e6f40b94cbf9f02663fcfcd8718fc22abfc1e306f377840fa657966d7965eb70ac7c53d2a4fa243f2ee0af88127a4c6ae079fdcb4c60ee1ab

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
937218633fcd4bac210c96a8f5d9833f

SHA1
64744ae7aa6553049e63415788fc0a5b93c9db17

SHA256
33ed9446f835f0d11102aa618b64f2b4560e1f1b498c09fbaa6256698a52916a

SHA512
b82206c3559512461ed5403273d3318b3d1f5e6b75ede550d3bf465bec7a46da18e62f2af049cab9ed85caeb31daee5e2686881fd131745e560bfc9ee52dbcc9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
872B

MD5
ecc92196774fbfa20a9449b4c0b14258

SHA1
9e4be8af1cc944f21509fce5ff468c8dd80d633b

SHA256
32804be1b387770914c7867f263c3067b2e9ff2143e210de328867a2071e8805

SHA512
24998bb4097e6f00921469cc7d7fbda2c38d1cb2f73842f4b81b3dd8e8c80da1a9bc028ac0b4842deec9de5ba3fa6762c1b36f010aa3107ac1dbf9488d132316

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
872B

MD5
6d2548bee1dc42c393408693bf5786b9

SHA1
b39054f3e6d732bc94dc109c804f9b0808026b7c

SHA256
d3602601f0fae144f2e6b25fddf9b92fef98a1ab947634eb9389bd3c8c28711e

SHA512
32f8639d0a9d97f2dfa679078fb3a166e8c825bab040c01ac74d92a8283abd75204cabbd8a708e4194c4852fe492815949be0a8105c0091d86bcb9b8102d1d7d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
1382a1246c046636fe1e606dc708ffc4

SHA1
966f1a2a5bd95b98c56ab0777238c18961a423c7

SHA256
ec26989473244d466e979ef20c31ebaa513aec94e89e69419c79ba1de9e796f5

SHA512
7fa6444265dd4e934075439ed4118a95f827d6f5a64127d7fc9fcba6caec7c8679fb8ab6dc16eddd8aa0e9f1d268bc62e8c167faa6c86c5e67c422c681572df9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
c7e228a3afdbda8cdd111db7e54c3ff8

SHA1
8a250905a67bfee2ba28676e8b240a61c2b8aa9e

SHA256
c0d9cf32d8a56748f78c98524900578aaf03c9ed1fa4e5f843bd0b234ee76dbf

SHA512
a3343d75fc3d9a2e0fc199b33a0eaaf23f0c64d6296765bc245411476224883f065a3e7823e697d92db7866906634374fea8f462b8bffdf5e7d4cedd822a079b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
872B

MD5
9f9a3b27a723de7bf7920a80fcf09584

SHA1
5b05c2114bce56a2a84a8c4ad733cd497a53f11a

SHA256
cdff3ce56aca730032cb747f6d94021767a57de2601929408d74a3530834eeea

SHA512
1cf3142c41dc645ad1c59cd68284557d5de1f80da6f70e9eaa376ac64ecc9f9d0027f190549e59b5b8448c3c9d62dcdcecbf57325c5133b6e688c90687c9c2ed

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe59e10f.TMP

Filesize
538B

MD5
539b791f24d8256f024c451b1f17127c

SHA1
72a563c0ab3e54a5271c36d1ef4c6888da661209

SHA256
5fde9d3ded786cf3fbd774c7482ea64bfe4a4fa4747e6788d461ed24bf86c621

SHA512
00c70749a76fdade53a0be540bb2b28aa956e565f6f1a3f52d9c5097314a627a54bf651d9a26d883d18074a48fe5ae125937d99d6f6c41161f2c62be98cf2d0f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
206702161f94c5cd39fadd03f4014d98

SHA1
bd8bfc144fb5326d21bd1531523d9fb50e1b600a

SHA256
1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167

SHA512
0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
4bd17d99a31324ad4feac1dca96e7851

SHA1
fb2f8df6758e32ba466b0fe2b326ec972a6f0258

SHA256
cc96f598afd1da2fca20516b5a639289429cbbf80571189ee0e73666bd0c22d4

SHA512
646b279da7ea79c3c6e7f26f383ff0dd7316f2ae368134e009d8b4028f55784d61eafc54b35fea249c07dcd38de34f366e5bc2c6e15114120a59a7f34e068464

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
ce39e091900e7dbeefe1ac6c748610a2

SHA1
5320232fa33e4c343962043e4533b05ce957562b

SHA256
49e7644f6e879b7069b4d4502493aec68c38acba095056c0c7ddd4c4c65c863a

SHA512
2e12c9053cb72b091ba99d4377ccedcd4a10f8244baf697dc69c7089e801803eedd28949fe9cbb5504fed3f43746e953bc428a672291369dd5b231bdc2504bfd

Download Submit
C:\Users\Admin\AppData\Local\RuntimeBroker.exe

Filesize
330KB

MD5
75e456775c0a52b6bbe724739fa3b4a7

SHA1
1f4c575e98d48775f239ceae474e03a3058099ea

SHA256
e8d52d0d352317b3da0be6673099d32e10e7b0e44d23a0c1a6a5277d37b95cf3

SHA512
b376146c6fa91f741d69acf7b02a57442d2ea059be37b9bdb06af6cc01272f4ded1a82e4e21b9c803d0e91e22fc12f70391f5e8c8704d51b2435afc9624e8471

Download Submit
C:\Users\Admin\AppData\Local\Temp\places.raw

Filesize
5.0MB

MD5
cef12327847e0a0619480ecfd8b28826

SHA1
4fe8beb4b7795a794552614ad993ab1670179286

SHA256
59333884653d1b1658f004e34577df0d11b1173563f789b2ed19c10be2e415d4

SHA512
3056f42ff05d9acee68057a6944b6bb19a6d11f23bc93ba8bf07ca4cbd8a42293670a4ab12c18db7a1cadd470d8569021114a0d9ed767eef07678c4952280715

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp1D1D.tmp.dat

Filesize
32KB

MD5
f686d2c61c8d1eb95a407f3c25193717

SHA1
7bdc8e915fd7e45bf8c5e6af33fdb1e8f12b5b73

SHA256
7c54c8303f270ca016e6b54635c5d29f4483de3e05e8b3ef7871357c5f158e9c

SHA512
dfed37c2d92191018c060d4f0bfc54fb8a0bb55f381e85b9689988d40083b036cd5710de4f276f02f63eeaad87619e08f8f7a72cd11c82e3af49925b3267cb72

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp395B.tmp.dat

Filesize
114KB

MD5
f0dcd0735cfcef0c15ceda75deb5cb3e

SHA1
af257a650681983a6c9e087615165269a6d0ceab

SHA256
d3ca053889263104532ef68de1a1200f5e1b1177cfeea702e882c5c4075c35ee

SHA512
cc2a123eea72756ce0914ec7c2e077b9f14c6def40a3131fdc02d5f981c5c79bba7859d02296cb1a15e4ff2491818e91c3790706cf46fffdf9a7b7fcb5a33ec4

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp395D.tmp.dat

Filesize
160KB

MD5
f310cf1ff562ae14449e0167a3e1fe46

SHA1
85c58afa9049467031c6c2b17f5c12ca73bb2788

SHA256
e187946249cd390a3c1cf5d4e3b0d8f554f9acdc416bf4e7111fff217bb08855

SHA512
1196371de08c964268c44103ccaed530bda6a145df98e0f480d8ee5ad58cb6fb33ca4c9195a52181fe864726dcf52e6a7a466d693af0cda43400a3a7ef125fad

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp396F.tmp.dat

Filesize
116KB

MD5
f70aa3fa04f0536280f872ad17973c3d

SHA1
50a7b889329a92de1b272d0ecf5fce87395d3123

SHA256
8d782aa65de6db3538a14da82216e96d5e0a3c60496726e3541a8165bccc65f8

SHA512
30675c5c610d9aa32a4c4a4d9c3af7570823cd197f8d2a709222c78e2cd15304bbed80e233e3674ec2f6e33d1961c67fd6a46dc8ba8b1a301cd0722932c03c84

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp436E.tmp.dat

Filesize
40KB

MD5
a182561a527f929489bf4b8f74f65cd7

SHA1
8cd6866594759711ea1836e86a5b7ca64ee8911f

SHA256
42aad7886965428a941508b776a666a4450eb658cb90e80fae1e7457fc71f914

SHA512
9bc3bf5a82f6f057e873adebd5b7a4c64adef966537ab9c565fe7c4bb3582e2e485ff993d5ab8a6002363231958fabd0933b48811371b8c155eaa74592b66558

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp4383.tmp.dat

Filesize
48KB

MD5
349e6eb110e34a08924d92f6b334801d

SHA1
bdfb289daff51890cc71697b6322aa4b35ec9169

SHA256
c9fd7be4579e4aa942e8c2b44ab10115fa6c2fe6afd0c584865413d9d53f3b2a

SHA512
2a635b815a5e117ea181ee79305ee1baf591459427acc5210d8c6c7e447be3513ead871c605eb3d32e4ab4111b2a335f26520d0ef8c1245a4af44e1faec44574

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp4384.tmp.dat

Filesize
20KB

MD5
49693267e0adbcd119f9f5e02adf3a80

SHA1
3ba3d7f89b8ad195ca82c92737e960e1f2b349df

SHA256
d76e7512e496b7c8d9fcd3010a55e2e566881dc6dacaf0343652a4915d47829f

SHA512
b4b9fcecf8d277bb0ccbb25e08f3559e3fc519d85d8761d8ad5bca983d04eb55a20d3b742b15b9b31a7c9187da40ad5c48baa7a54664cae4c40aa253165cbaa2

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp4385.tmp.dat

Filesize
124KB

MD5
9618e15b04a4ddb39ed6c496575f6f95

SHA1
1c28f8750e5555776b3c80b187c5d15a443a7412

SHA256
a4cd72e529e60b5f74c50e4e5b159efaf80625f23534dd15a28203760b8b28ab

SHA512
f802582aa7510f6b950e3343b0560ffa9037c6d22373a6a33513637ab0f8e60ed23294a13ad8890935b02c64830b5232ba9f60d0c0fe90df02b5da30ecd7fa26

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp43A6.tmp.dat

Filesize
96KB

MD5
40f3eb83cc9d4cdb0ad82bd5ff2fb824

SHA1
d6582ba879235049134fa9a351ca8f0f785d8835

SHA256
cdd772b00ae53d4050150552b67028b7344bb1d345bceb495151cc969c27a0a0

SHA512
cdd4dbf0b1ba73464cd7c5008dc05458862e5f608e336b53638a14965becd4781cdea595fd6bd18d0bf402dccffd719da292a6ce67d359527b4691dc6d6d4cc2

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp48DC.tmp.dat

Filesize
116KB

MD5
f45d798a5f043f9f08481b8bba5e4351

SHA1
9611b04b6ce8b042e7baa7dcd220bc29827b3b9c

SHA256
fdb51337562d543ea116d5880f070937f5fe3419be031485dc37aba71cd9511c

SHA512
d045fc75e5d87ebf17f6ff24ddfe4e8c5f2bbc0f5361771b72c5331b16f8eb58a63e2874c9e71eb73376716c44cbd4c64fe8b8105089dbec581a4b9cdd813629

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp4C26.tmp.dat

Filesize
28KB

MD5
6245984a4979f5708d1acb0102532da3

SHA1
2f11cf9d0052209d82013c223f66bf2662133965

SHA256
c222e39c0cafc59013191bfc84a8eefe842c3f9be46bf8176a883271e6b40796

SHA512
721f952eb222d90f54c337762351c70a63cc7e86b40a1cdb5ce2ce2b5aa1eabc5701c159bcec4ff0414f4c6e583defbb3f126aac0da0e200f8fb563ef6d0762e

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp67B2.tmp.dat

Filesize
124KB

MD5
1f8f5561e6d499ca4e3f9bb82e09c23d

SHA1
4fb377595b2a62c176f5b474307c6255c91d5477

SHA256
b9e1f49430866222db41647a798a222fc953c6687c456c65f5c1fe6682db3567

SHA512
5c42d02b7a84ed675f50417699f10a1ab01d8e049a0584ab38b06351a9d1c6f900ad075fedd5d2bf394bd2896bb5e70cac73f5fc50e903c121a8f998759fa254

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp9203.tmp.dat

Filesize
32KB

MD5
ffc76874144cb45eb90287ed45b26e56

SHA1
7492c1eafbe6fcd7d405e8f3e3cd8abe3560f135

SHA256
430ed499ee635d70eec50bfccc0a13cdd16108fc59eea5edb111015b54a2ca60

SHA512
483513b785acc005243f080326a4235be832fdc7317b1df20bda1f8a8ad2901716cc32324f2c931ea8fcbc605f4ecb4475059bf81144ded38c897759412d7a14

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpB479.tmp.dat

Filesize
28KB

MD5
3bb55daaecd77cb8e454db5f9a64f8d0

SHA1
8d8b08610aa6afcd6bd855d7d1b210293d2359fa

SHA256
29f7b2c60cb4d228efaffb0b8bca4edd23f48297f3c5978b1e4432c2691f2753

SHA512
666e0f3858b397ffa188cf6a77bc68525af7f371d3b971a2fc34746adc6068393c07be22c4b201e21270d575afb56f668493fdb27e42ad4fee35500502427f8d

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpE180.tmp.dat

Filesize
28KB

MD5
952fb834633c7088f477497a6e01a3f1

SHA1
843b00ab220102056e0959b5398b23062e2a097c

SHA256
1bdb8f13a47836a50adf9864c8f2989c2c8b07a2de80271c820f68151aefe8b7

SHA512
a67bcf89159ba3a56fa361d92a1030f2d8a3360977e45c27bd1acca2e48c8bdc9a1d714bf0a3cec0028868fc9494c35aa01a88006c481a97e3b5b928253c807b

Download Submit
C:\Users\Admin\AppData\Local\b3739a9836fd4b31afd459a7980e2aac\Admin@WLWOBVQV_en-US\Directories\Temp.txt

Filesize
13KB

MD5
18bfbbf4a69f9c9a93d1d8b8ffb35c69

SHA1
68824de0a3e6948a7107ba75b890c72119369c7b

SHA256
2125a7cf81d7259f6a12f8a9181ce5da2335b913880bf8228c7ae655abc15820

SHA512
06c99fd0f6dcea38cc854573e0330106eb009687530063423f4388c281b55d1ff12fafb136e4f40d49eee9f23bc6e2ecd5b54fd582f632a39869473dcf67dd9a

Download Submit
C:\Users\Admin\AppData\Local\b3739a9836fd4b31afd459a7980e2aac\Admin@WLWOBVQV_en-US\System\Process.txt

Filesize
167B

MD5
a996c4aeb0180ce757ff237ea4b37d76

SHA1
6b80d892f4c401f83613de0908e8b6cd6f9a6a65

SHA256
846073c400229636fbf7438e24be06be0996714021ba55ff2f4baa2863508ecc

SHA512
7b1f89b557bb9f07a419a7b24d521a6c6df8aab697c788549d57c8ca4d4081c1f148676bf72a6c5682a87f2047f728b9a85792b05050c2859aacafb774868330

Download Submit
C:\Users\Admin\AppData\Local\b3739a9836fd4b31afd459a7980e2aac\Admin@WLWOBVQV_en-US\System\Process.txt

Filesize
4KB

MD5
3d7d360291b4627f24bdcd32a048058a

SHA1
56c36d79aa7cd0b2350ddb011fc59f630a94e4b2

SHA256
694e6f48942e06ce95f4a8fb7323948dbf53b4b82827ffdbd6ea1c836095e7c0

SHA512
220031dab11fe920c5aa5d156060730d071a77d7ac23273b5299e79b5b0e5bfc6a504601de975f9b08eccd25a5036b6a4fb2e11a18341392f4c2a2529481f05d

Download Submit
C:\Users\Admin\AppData\Local\b3739a9836fd4b31afd459a7980e2aac\Admin@WLWOBVQV_en-US\System\Process.txt

Filesize
4KB

MD5
821412d09bb1cc72ab1f049ab6076ec8

SHA1
46dd12909d254d1c00b543e017043dabd24d5d95

SHA256
765f31553bb05befea0d6e71961977380ab72ef8ad8331b9c9a55c4c0261e098

SHA512
4a46ea28a00e4cf831dbf62f9e341479264d3460fe9404b38f49e7c8b93a277b1527f5175768be9f0b97c90351bc016449af5ba1b2e9221ceec6a92497621505

Download Submit
C:\Users\Admin\AppData\Local\b3739a9836fd4b31afd459a7980e2aac\Admin@WLWOBVQV_en-US\System\Process.txt

Filesize
124B

MD5
abfda011798c77d8e6d36cf10b78d15a

SHA1
0b29571ddf52ba161dc47288279ffcec6f1e0f1a

SHA256
6cfdd713dedcc8d9ec8842f8c6e2ec6bf581ca140ecf205b0752d4179827bae6

SHA512
bc03ba171dfab9cc2808eb0312847443283a54244c8411b2d76ee8add9730a498d49cf4814445c194e6011563da5af29475a06c139c735e6df506c10fd9b6d00

Download Submit
C:\Users\Admin\AppData\Local\b5a7e8efa0d7e9e5f0e885758badb00e\Admin@WLWOBVQV_en-US.zip

Filesize
12KB

MD5
04206d9842f9a304ddf4bbd16c7ea4cd

SHA1
13053d71cdc1dc25ee73a6be02cb82edcf52ae7c

SHA256
41a35157a6f2e243c99e318d60762964c514916bdebb01eae2bf155a7a9e234d

SHA512
0c8cc2402b4680528675f6e3bb75ab65aee8ee8621ad5bda051c77a8c3904172fea0129d2ab407a86166134b046ad2fe50ffcacf144984211eb1610192610ce1

Download Submit
C:\Users\Admin\AppData\Local\b5a7e8efa0d7e9e5f0e885758badb00e\Admin@WLWOBVQV_en-US.zip

Filesize
7KB

MD5
c394e3ddc8571790e07d4b5a9e0df4cc

SHA1
a64ab01c0fb8aaf788b1b35d68086b822305f4bf

SHA256
605ca84086b0c4b69a835394f058a14cfb1d4b6d34d6b4df10c004c36cac228c

SHA512
d4c2510451b93b59f1e110e05926c5dde0249cf6565ae8fbe661289f4c43484e02be1f70c063fd41779ef2c143855f9294f58a984c5638f9d6f168aacc286978

Download Submit
C:\Users\Admin\AppData\Local\b5a7e8efa0d7e9e5f0e885758badb00e\Admin@WLWOBVQV_en-US\Directories\Desktop.txt

Filesize
668B

MD5
541168f6ca3ec2582877fa2a4ccee48f

SHA1
14ff894687208dd4e831569737e761ed57aaf9d1

SHA256
e1da7ac12ac2175c6f6942834863e1f65cdc43fd3d6c781d3224ae1f9988fd09

SHA512
e66b1e740815e0852a7bc03b6011adb3dd10ea7beab1096ce0cec7545ecef48ec41449c4cf6ff390fc2c93b3db3b4a3ec6eb9ef3806b544eaac3d452554aab2a

Download Submit
C:\Users\Admin\AppData\Local\b5a7e8efa0d7e9e5f0e885758badb00e\Admin@WLWOBVQV_en-US\Directories\Documents.txt

Filesize
509B

MD5
5e851fe620fdeca61439770f55e971b3

SHA1
b3a9426e19f8ddce63a64344c974d36fc8cc49e1

SHA256
cffceccc28b93b1bc8c9255955b5ae2c6c50d3193f96f39482ec09b9a08028d6

SHA512
04bb95cc55beb27072ad5c310d980912836511787292c1564e087a49f11edd3f20e8c09be7b5afdf897b34613ebb4fb60404b6030687ce4d021b27fb5450d301

Download Submit
C:\Users\Admin\AppData\Local\b5a7e8efa0d7e9e5f0e885758badb00e\Admin@WLWOBVQV_en-US\Directories\Downloads.txt

Filesize
647B

MD5
040f354d371ff8de83ff41ad2dde9eea

SHA1
65c1cd37debc0c9fcebd4cf93c054a7776c7e222

SHA256
608be1c81ee5776ee8d585eac31192b96aef47d5db4808a20b8e2a625d537aed

SHA512
25af22672b30203561e853381be3da849b8dc23a137c4f5bef66cc3a556cf15d95ecf4ea1c7fa47f36c843d72693f856e2171e064ad20e4c8fbd281650862cfe

Download Submit
C:\Users\Admin\AppData\Local\b5a7e8efa0d7e9e5f0e885758badb00e\Admin@WLWOBVQV_en-US\Directories\OneDrive.txt

Filesize
25B

MD5
966247eb3ee749e21597d73c4176bd52

SHA1
1e9e63c2872cef8f015d4b888eb9f81b00a35c79

SHA256
8ddfc481b1b6ae30815ecce8a73755862f24b3bb7fdebdbf099e037d53eb082e

SHA512
bd30aec68c070e86e3dec787ed26dd3d6b7d33d83e43cb2d50f9e2cff779fee4c96afbbe170443bd62874073a844beb29a69b10c72c54d7d444a8d86cfd7b5aa

Download Submit
C:\Users\Admin\AppData\Local\b5a7e8efa0d7e9e5f0e885758badb00e\Admin@WLWOBVQV_en-US\Directories\Pictures.txt

Filesize
711B

MD5
ee981da1a628847cff9c1f3ad4328c03

SHA1
3dd606fd6eadf8d9f12a3809176b665704afdc7e

SHA256
5673983817762bf7c8149f19b1b9ef7b4409ebcfa73a48fc2d4f67afc025f98c

SHA512
f2ab33c007f50ea1ea17087bb28405bc97c7317534e790a31c25c8a267ca0591401aeeba9d39bdbbbec8dda44f552700a3bc773c19502e84e79b347ba9b09887

Download Submit
C:\Users\Admin\AppData\Local\b5a7e8efa0d7e9e5f0e885758badb00e\Admin@WLWOBVQV_en-US\Directories\Startup.txt

Filesize
24B

MD5
68c93da4981d591704cea7b71cebfb97

SHA1
fd0f8d97463cd33892cc828b4ad04e03fc014fa6

SHA256
889ed51f9c16a4b989bda57957d3e132b1a9c117ee84e208207f2fa208a59483

SHA512
63455c726b55f2d4de87147a75ff04f2daa35278183969ccf185d23707840dd84363bec20d4e8c56252196ce555001ca0e61b3f4887d27577081fdef9e946402

Download Submit
C:\Users\Admin\AppData\Local\b5a7e8efa0d7e9e5f0e885758badb00e\Admin@WLWOBVQV_en-US\Directories\Temp.txt

Filesize
3KB

MD5
ba340215916d1c538048583db08cc21e

SHA1
366b2bf38f925a23849cd739a10eae924d9843f4

SHA256
d3d649121945b21803c4a8261697a75de51261e097173e899531529add77b535

SHA512
0decd1ace19ccfc77f8274c4ec7c1a1573059aa3b4ebb168c7b385ac9aac40d1cd8158d924831df52e699bed943e80477a3241b98c006c80bd7dafa89bd26662

Download Submit
C:\Users\Admin\AppData\Local\b5a7e8efa0d7e9e5f0e885758badb00e\Admin@WLWOBVQV_en-US\Directories\Temp.txt

Filesize
14KB

MD5
bfec90e6628c0a7cc0a02c795c9731f1

SHA1
f6d6fc7fc54e6d9e438f1372742a4b34d9ffe4ad

SHA256
19605d2ff30cc8a3e2e61a8fda1ae9fa443f1cb3d17ddd034303c328c918b5fb

SHA512
1134611bc65ea3b352423f9e9af42d6595376f78ef9b2b3935d8a708d704261c14e8e4210eb04fb70a470d50cf338fdd1b1ca132cabb01ccf0347879284153d0

Download Submit
C:\Users\Admin\AppData\Local\b5a7e8efa0d7e9e5f0e885758badb00e\Admin@WLWOBVQV_en-US\Directories\Temp.txt

Filesize
16KB

MD5
bb9c4c525783d877967096a799fb7a94

SHA1
5b18243618549223b1c36df2d95304353cb17427

SHA256
86a33b2bcf6862232fe99f8a7dc79b49afb3a44751765e6a42d976569a78c44d

SHA512
972bee30370ff294438372d19d0b485729ab4270074d63c5c37a0f73a077002890af4633a7376a1215f9db056ff82d7ecb99726503dfe489b55cbbb995c8906d

Download Submit
C:\Users\Admin\AppData\Local\b5a7e8efa0d7e9e5f0e885758badb00e\Admin@WLWOBVQV_en-US\Directories\Temp.txt

Filesize
5KB

MD5
24bbf94972d674e7cda6aa2850d38cfe

SHA1
887cc70f50b42d0e0fd6385fd5b8ded360218c34

SHA256
145e71c3d1afce1f0f181f5cbb525196c08d3e86b212158ad345e3d6ae54dcb8

SHA512
0cdab4b08141f68989dd7e906475876e6f597575496d63c85d3e7a81b1a18acd87721b98196147893bdf81cb4940356691ad706fedec2f80a6189fbbf9183349

Download Submit
C:\Users\Admin\AppData\Local\b5a7e8efa0d7e9e5f0e885758badb00e\Admin@WLWOBVQV_en-US\Directories\Temp.txt

Filesize
18KB

MD5
6c119205bcb7c553fab37bd2923efdb2

SHA1
fd7420f95b0dd4ea70772e8a5aefb35126f5c4b7

SHA256
0e33fd3c48c150276f8008c829d6fcdb90cce0b762ab60519cf9f25e3e30b285

SHA512
c5e09f7b393b74ed53ba14cb4147f03ddba6f1b4551c00ee01cf801b503bb3e8c923ef56f5d89f89370ba579ba0307d7bca8b6ae9ccc7814948dafe01d2c0800

Download Submit
C:\Users\Admin\AppData\Local\b5a7e8efa0d7e9e5f0e885758badb00e\Admin@WLWOBVQV_en-US\Directories\Videos.txt

Filesize
23B

MD5
1fddbf1169b6c75898b86e7e24bc7c1f

SHA1
d2091060cb5191ff70eb99c0088c182e80c20f8c

SHA256
a67aa329b7d878de61671e18cd2f4b011d11cbac67ea779818c6dafad2d70733

SHA512
20bfeafde7fec1753fef59de467bd4a3dd7fe627e8c44e95fe62b065a5768c4508e886ec5d898e911a28cf6365f455c9ab1ebe2386d17a76f53037f99061fd4d

Download Submit
C:\Users\Admin\AppData\Local\b5a7e8efa0d7e9e5f0e885758badb00e\Admin@WLWOBVQV_en-US\Grabber\DRIVE-C\Users\Admin\Desktop\desktop.ini

Filesize
282B

MD5
9e36cc3537ee9ee1e3b10fa4e761045b

SHA1
7726f55012e1e26cc762c9982e7c6c54ca7bb303

SHA256
4b9d687ac625690fd026ed4b236dad1cac90ef69e7ad256cc42766a065b50026

SHA512
5f92493c533d3add10b4ce2a364624817ebd10e32daa45ee16593e913073602db5e339430a3f7d2c44abf250e96ca4e679f1f09f8ca807d58a47cf3d5c9c3790

Download Submit
C:\Users\Admin\AppData\Local\b5a7e8efa0d7e9e5f0e885758badb00e\Admin@WLWOBVQV_en-US\Grabber\DRIVE-C\Users\Admin\Documents\desktop.ini

Filesize
402B

MD5
ecf88f261853fe08d58e2e903220da14

SHA1
f72807a9e081906654ae196605e681d5938a2e6c

SHA256
cafec240d998e4b6e92ad1329cd417e8e9cbd73157488889fd93a542de4a4844

SHA512
82c1c3dd163fbf7111c7ef5043b009dafc320c0c5e088dec16c835352c5ffb7d03c5829f65a9ff1dc357bae97e8d2f9c3fc1e531fe193e84811fb8c62888a36b

Download Submit
C:\Users\Admin\AppData\Local\b5a7e8efa0d7e9e5f0e885758badb00e\Admin@WLWOBVQV_en-US\Grabber\DRIVE-C\Users\Admin\Downloads\desktop.ini

Filesize
282B

MD5
3a37312509712d4e12d27240137ff377

SHA1
30ced927e23b584725cf16351394175a6d2a9577

SHA256
b029393ea7b7cf644fb1c9f984f57c1980077562ee2e15d0ffd049c4c48098d3

SHA512
dbb9abe70f8a781d141a71651a62a3a743c71a75a8305e9d23af92f7307fb639dc4a85499115885e2a781b040cbb7613f582544c2d6de521e588531e9c294b05

Download Submit
C:\Users\Admin\AppData\Local\b5a7e8efa0d7e9e5f0e885758badb00e\Admin@WLWOBVQV_en-US\Grabber\DRIVE-C\Users\Admin\Pictures\Camera Roll\desktop.ini

Filesize
190B

MD5
d48fce44e0f298e5db52fd5894502727

SHA1
fce1e65756138a3ca4eaaf8f7642867205b44897

SHA256
231a08caba1f9ba9f14bd3e46834288f3c351079fcedda15e391b724ac0c7ea8

SHA512
a1c0378db4e6dac9a8638586f6797bad877769d76334b976779cd90324029d755fb466260ef27bd1e7f9fdf97696cd8cd1318377970a1b5bf340efb12a4feb4a

Download Submit
C:\Users\Admin\AppData\Local\b5a7e8efa0d7e9e5f0e885758badb00e\Admin@WLWOBVQV_en-US\Grabber\DRIVE-C\Users\Admin\Pictures\Saved Pictures\desktop.ini

Filesize
190B

MD5
87a524a2f34307c674dba10708585a5e

SHA1
e0508c3f1496073b9f6f9ecb2fb01cb91f9e8201

SHA256
d01a7ef6233ef4ab3ea7210c0f2837931d334a20ae4d2a05ed03291e59e576c9

SHA512
7cfa6d47190075e1209fb081e36ed7e50e735c9682bfb482dbf5a36746abdad0dccfdb8803ef5042e155e8c1f326770f3c8f7aa32ce66cf3b47cd13781884c38

Download Submit
C:\Users\Admin\AppData\Local\b5a7e8efa0d7e9e5f0e885758badb00e\Admin@WLWOBVQV_en-US\Grabber\DRIVE-C\Users\Admin\Pictures\desktop.ini

Filesize
504B

MD5
29eae335b77f438e05594d86a6ca22ff

SHA1
d62ccc830c249de6b6532381b4c16a5f17f95d89

SHA256
88856962cef670c087eda4e07d8f78465beeabb6143b96bd90f884a80af925b4

SHA512
5d2d05403b39675b9a751c8eed4f86be58cb12431afec56946581cb116b9ae1014ab9334082740be5b4de4a25e190fe76de071ef1b9074186781477919eb3c17

Download Submit
C:\Users\Admin\AppData\Local\b5a7e8efa0d7e9e5f0e885758badb00e\Admin@WLWOBVQV_en-US\System\Process.txt

Filesize
1KB

MD5
a14b63ebbc272d79df49b81e8f524d9d

SHA1
5f9e2b1d71d37ba41772fa9eb30d28b8b41e7da1

SHA256
bc450c0f172709448b6e256aaa9a742935604c872c2198b926d2445e00e77985

SHA512
b42458d0ba493c712da0ef649c464fc18e4b8f40b678a329898ea65f931bc772585b6fcaaaa412f3c4245fb838cedabe75a357e2022f0a392878cc7d1a21d37b

Download Submit
C:\Users\Admin\AppData\Local\b5a7e8efa0d7e9e5f0e885758badb00e\Admin@WLWOBVQV_en-US\System\Process.txt

Filesize
4KB

MD5
f5c94025ea4519692c0c8f4bc60b6cb7

SHA1
c1d10d49b725740f30d9d1c4e6d4ed10368bd26d

SHA256
ee6316894491eff9cbfa63fc100557d2f3c1a6c54abaa1df6a8bdd36bd859c6c

SHA512
eca80947a30da8715fa6d25570524739cf490eaf0e6dee38b4e620950f37dddc302a3145301d3d9fb7a9c8f25fc27c1f5765bb2dcd6402e49bd82fb7bc79a2a0

Download Submit
C:\Users\Admin\AppData\Local\b5a7e8efa0d7e9e5f0e885758badb00e\Admin@WLWOBVQV_en-US\System\Process.txt

Filesize
64B

MD5
b192e6c77ff2b3cce3591b77304f1d1d

SHA1
2cb107cec411648f1643d7a320ae730875cb06f1

SHA256
a5a2d3d07cec892573a5b6d4e39b7e1a7fb1db422b22387ed3f2257bc529b964

SHA512
85575b64784359f7bea543ec979ddaac5ba2e1e98c4243d898a1e8889d8785e9b5f8d7ce03d2d8dd7522d033dea9c9d8f4ccffb86562c6311842ac09e17c6c9c

Download Submit
C:\Users\Admin\AppData\Local\b5a7e8efa0d7e9e5f0e885758badb00e\Admin@WLWOBVQV_en-US\System\Process.txt

Filesize
128B

MD5
e5520bbffd06c362a5988f3c18b49175

SHA1
5272751761de127509080f675058784e4a785529

SHA256
a89c6b55206687c6d16b8c1361babbab39e459d48477b9b68ac9fe96d034bbb1

SHA512
0314e6b2805168a4bafdd68e4525d295afebab7fa642d31ae8fc6bf195a7a02fd5c117aa0f8e6979d4fc88e025a2bdd664036f7d2e21a1391bffea52d65456b3

Download Submit
C:\Users\Admin\AppData\Local\b5a7e8efa0d7e9e5f0e885758badb00e\Admin@WLWOBVQV_en-US\System\Process.txt

Filesize
4KB

MD5
f435518a3adda9cea5a624bb9b2d1326

SHA1
16f046e98e181ba881ead95a7b6ac41e84dc3fdb

SHA256
508a436037c5ff8c26e19702774a0805c0777ad1d8bd4dc243f222ae653c73b0

SHA512
1941acb7196979c5c7c94e2464530f388a6de986e2e002cb7e6393671625a13d4f5dcef24fef622ad7180cbdafd1727f6cd78a185015b87e2d0dd86e2f289d10

Download Submit
C:\Users\Admin\AppData\Local\b5a7e8efa0d7e9e5f0e885758badb00e\Admin@WLWOBVQV_en-US\System\Process.txt

Filesize
4KB

MD5
ab36aa32e09766ec02b5f8e3200832f3

SHA1
45a17bdbb6fdecd88b879e2578c9b739a58ce822

SHA256
f69fc4b1277fc4492b357f039b8315f154450146ee339496bce4f8f6a24d64da

SHA512
daaedcc05658b79fe85f65232a66262243438eee6d1d8f958d8fada838732415b631cd9580caaf5308be194063c16943622a668e3ba053c4cd3ffed7553e2185

Download Submit
C:\Users\Admin\AppData\Local\b5a7e8efa0d7e9e5f0e885758badb00e\Admin@WLWOBVQV_en-US\System\Process.txt

Filesize
4KB

MD5
35c0eb2d52375306dad2cd017f741d61

SHA1
3132f56fdcfdbaed1d4ac532e1f77aabbfe9fb49

SHA256
2e38f1d47875a9d5b25512988127f3c46d8d812e264851541f50ff96449c707b

SHA512
00a61ab26a33c8a385f1036b0be2df33762ac7a7129385dcce6c49b95d0f6cc15970a506c51ec0393ab321afeea5f95673e7b86de6fc73737098d11a663cf748

Download Submit
C:\Users\Admin\AppData\Local\b5a7e8efa0d7e9e5f0e885758badb00e\Admin@WLWOBVQV_en-US\System\Process.txt

Filesize
1KB

MD5
52bf57b96c887a894f24e2d4e17cf3f6

SHA1
576203bbb781905dbfc9db661d1014cb25665f62

SHA256
cb85e57600112797c330ab5a53b2cbae6ccdb5d42dbf21248dc227708b89e2b5

SHA512
79cba3e1f1bfa8b7910e50da9c9716d1950438feb5e7c7b5a5d2341a4eadefc2d7ff34ffb59df71b50b83b344ec0a32043b4b0d7f236bb6cc0a79f5afec631c0

Download Submit
C:\Users\Admin\AppData\Local\b5a7e8efa0d7e9e5f0e885758badb00e\Admin@WLWOBVQV_en-US\System\WorldWind.jpg

Filesize
87KB

MD5
d6aa93c94f1971b7476db98fe4202cb6

SHA1
acffff9816bd7383f64a10640b8c9d7e05aa1d79

SHA256
eec4b8496ed031a43cb7696e8db0386957ef31510255ba21653071cb4c2ae49b

SHA512
71fa9c78d21ef4f0c12039182872e0d82e695216696ff5e7e8e6590c97c83a7e2ab8d0008876149bbc6da2a7a05bce8dc810c3fc1afbaadc04ba01b96cfad99a

Download Submit
C:\Users\Admin\AppData\Local\ec025c2ab0533d25cf7bd78c58061070\Admin@WLWOBVQV_en-US\System\Process.txt

Filesize
500B

MD5
33b19cb9082ee20a12b3f757710f30d6

SHA1
957690a4f4eea75f2f7fc696b19867cf9ba659ae

SHA256
af935a7d584eb26fba4622868fac2d718e9846fc7717f095b084f5da8112c57f

SHA512
7ba540e51818de0e33035d8b3d8715dd3a24b64dc58db356e14e83cf00f675d5762052bcdfe00103197d1bec4bef4c22e503991f19998ada14027b99605672f6

Download Submit
C:\Users\Admin\AppData\Local\ec025c2ab0533d25cf7bd78c58061070\Admin@WLWOBVQV_en-US\System\Process.txt

Filesize
4KB

MD5
4b82723b7bac81b83c7011dbdb798af2

SHA1
cc4af9e71553396aeb92cd08be03441c16bb8b63

SHA256
f7a0bf2d2c637aff4c0fdbeaf15a1c5e4abf8dab5028fd0742f85d58fd7a18a4

SHA512
56092df34f78f706f15c60455e401ca2c060a5e96a579f4ba916953565eb6821376e36d52f990de0c89065a58d3b5185d5fb85a87992f159a8036222e1296a13

Download Submit
C:\Users\Admin\AppData\Local\ec025c2ab0533d25cf7bd78c58061070\Admin@WLWOBVQV_en-US\System\Process.txt

Filesize
366B

MD5
3e7fa9c469734c1577f67d59beb3e2e8

SHA1
9530060d8adbccdbc62a5c4044dfc321759bd2b4

SHA256
83006695e1b0203effa21fe012316421868ee0f616211e04cb2c63fcfb552469

SHA512
1517888590ab889d19abe5b680406370568f645be404697d7b44cfd85e2a4b85cad8f4f046f9a36293f2de85805d3a815ad3526a832216343fc4b0908b8bd561

Download Submit
C:\Users\Admin\AppData\Local\ec025c2ab0533d25cf7bd78c58061070\Admin@WLWOBVQV_en-US\System\Process.txt

Filesize
430B

MD5
377cac40afb881d5f914f55efbc4e208

SHA1
26d79f006c21f72b7b49a9e2bc2917e595edf579

SHA256
18c6874a3964b24ce2e2ad07c50d879a4f9e50a8f27f194b0737dac3f79150b3

SHA512
44d95404c327ae615baa4254bb0eafc4bc8ea053e4f486126d2b73002723eb4a6f047c539e06d0d332f19b71040110c751d76a68e08cd89f0b4d750174e4eea2

Download Submit
C:\Users\Admin\AppData\Local\ec025c2ab0533d25cf7bd78c58061070\Admin@WLWOBVQV_en-US\System\Process.txt

Filesize
767B

MD5
8d0b86b75d94586098712b544c097fe1

SHA1
7a8ddeec97864cc20526a73178db086a7e2fdbf5

SHA256
5e9a2528d0a9885df0677417e3e06dc25ab2739cd79728f570d77da0b6ec91ca

SHA512
fe17e1d50ecd0557624603fec1e2bfd7a6b702db184ebd7b8cb1b0195bf1d2c2c39daf5d4721562428e6dea37c19da95273dc81b368a734c07014222e310dc53

Download Submit
C:\Users\Admin\AppData\Local\ec025c2ab0533d25cf7bd78c58061070\Admin@WLWOBVQV_en-US\System\Process.txt

Filesize
4KB

MD5
adbbcc5ff12dbb8641892d19cd68f177

SHA1
a5e457233176314b87a5293454d065b3dd07f1a0

SHA256
f578daeb681235406e7d924a943f18c3a320ce81e0e8eff56e52e69c8b1063e7

SHA512
31d905a0865fdffe1dcdbb8bc851d31a066fa77b7f5c3aa83c3fa68950d90d0b854b7ce333c930c9c104d783a32a9e68e6ea863c38c77635519a7ec03a49ac51

Download Submit
C:\Users\Admin\AppData\Local\ec025c2ab0533d25cf7bd78c58061070\Admin@WLWOBVQV_en-US\System\Process.txt

Filesize
4KB

MD5
42435b7c2bf845e7794fa5a2a6b19b44

SHA1
ca92555a881e07b9514e656d2249904513b04d3a

SHA256
e973068868427084d273592319f2b15f18c9afdcee93297c28b5e7d74f607940

SHA512
9eb7b2be56a1068c3bd4a008d239c8edbd7e9aea6194581f9699293514bf2cd82028b4940fa5c10d94da56e4b979b0946691c6013335ebb032262317e7da30d6

Download Submit
C:\Users\Admin\AppData\Local\ec025c2ab0533d25cf7bd78c58061070\Admin@WLWOBVQV_en-US\System\Process.txt

Filesize
4KB

MD5
8ad06815e5bd7acabb36eb704ca492f1

SHA1
e55ba9df457046ff555def56188afb829e0b07c3

SHA256
c4744d51a244573b3b66345e16e99a8b094f83a7de1f2e71ed0b592070b228b6

SHA512
4e4c514630c4e16c913b79d41a5bd35098c388dfe640570c1d164361f634d25dc2d6421938ae3405d0aa7de05a3da904ab33e3df5e7bc0aa9cd799c7dd130236

Download Submit
C:\Users\Admin\AppData\Local\ec025c2ab0533d25cf7bd78c58061070\Admin@WLWOBVQV_en-US\System\Process.txt

Filesize
426B

MD5
a8f8c4b5c799562830c9b38d5d28323e

SHA1
b9601dc8903928ef333152ad06331936c347b2ff

SHA256
04f39fee8564db67d25d554ac6d3895d2d605118129d94dfaddc6987d07bcbaa

SHA512
cf3da43b9d32330f167d1c2a04f72a0d837fc65cd711d29342b13dd458533541c4e8a3cfc33b80135ea69773b53a2fcc83a7e1e4d6327ecc5e1f0b5a5ae4029b

Download Submit
C:\Users\Admin\AppData\Local\ec025c2ab0533d25cf7bd78c58061070\Admin@WLWOBVQV_en-US\System\Windows.txt

Filesize
146B

MD5
8f1110d9d985c21adcbe628ab3ee03e4

SHA1
ca374f95ef46c2d2a3e8f7688b619a3d2d1afd83

SHA256
32d4a4f0db40b722c8481b483de40825627410d3e6e155e7efad9f3125d98756

SHA512
a4af8ae378872e9e1b3ef5dd60e66603cf03415788b0afaccaad1bb6b92ccce6e8c412382f86d273bffb9fdde7a9f73f445f6a2312035f7844546fc1ae336ab8

Download Submit
C:\Users\Admin\AppData\Local\ec025c2ab0533d25cf7bd78c58061070\Admin@WLWOBVQV_en-US\System\Windows.txt

Filesize
315B

MD5
5a86487e58db20f0bc40b519a6cb5e07

SHA1
c700c0a205d7b99a89867ea95ead54f78db0188e

SHA256
e051e67e08de4c2bb21add97643af9bdb456333465df6ea2bb756c35208329f2

SHA512
eaebaed49f5e214f9a4584a20e5d4ab6369b7e60dcdd483324ada8932f86427851fe2f5a29b3c870fc9bc052020dd955a288caccc89d85d92f907ab57bc2ea5e

Download Submit
C:\Users\Admin\AppData\Local\ec025c2ab0533d25cf7bd78c58061070\msgid.dat

Filesize
1B

MD5
cfcd208495d565ef66e7dff9f98764da

SHA1
b6589fc6ab0dc82cf12099d1c2d40ab994e8410c

SHA256
5feceb66ffc86f38d952786c6d696c79c2dbc239dd4e91b46729d73a27fb57e9

SHA512
31bca02094eb78126a517b206a88c73cfa9ec6f704c7030d18212cace820f025f00bf0ea68dbf3f3a5436ca63b53bf7bf80ad8d5de7d8359d0b7fed9dbc3ab99

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Spelling\en-US\default.dic

Filesize
2B

MD5
f3b25701fe362ec84616a93a45ce9998

SHA1
d62636d8caec13f04e28442a0a6fa1afeb024bbb

SHA256
b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209

SHA512
98c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84

Download Submit
memory/32-36-0x00000000058A0000-0x0000000005906000-memory.dmp

Filesize
408KB

Download
memory/32-25-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/548-24-0x0000000005B90000-0x0000000005B9A000-memory.dmp

Filesize
40KB

Download
memory/548-19-0x0000000000A40000-0x0000000000A98000-memory.dmp

Filesize
352KB

Download
memory/548-21-0x0000000005AA0000-0x0000000005B32000-memory.dmp

Filesize
584KB

Download
memory/548-22-0x0000000005B40000-0x0000000005B8A000-memory.dmp

Filesize
296KB

Download
memory/548-23-0x0000000005C30000-0x0000000005CCC000-memory.dmp

Filesize
624KB

Download
memory/548-20-0x0000000005FB0000-0x0000000006554000-memory.dmp

Filesize
5.6MB

Download
memory/548-18-0x000000007508E000-0x000000007508F000-memory.dmp

Filesize
4KB

Download
memory/1876-17-0x00007FFDFDD70000-0x00007FFDFE831000-memory.dmp

Filesize
10.8MB

Download
memory/1876-0-0x00007FFDFDD73000-0x00007FFDFDD75000-memory.dmp

Filesize
8KB

Download
memory/1876-10-0x00007FFDFDD70000-0x00007FFDFE831000-memory.dmp

Filesize
10.8MB

Download
memory/1876-1-0x00000000002F0000-0x000000000034C000-memory.dmp

Filesize
368KB

Download
memory/4648-1048-0x0000000006900000-0x0000000006912000-memory.dmp

Filesize
72KB

Download
memory/4648-915-0x00000000062D0000-0x00000000062DA000-memory.dmp

Filesize
40KB

Download
memory/4660-16-0x00007FFDFDD70000-0x00007FFDFE831000-memory.dmp

Filesize
10.8MB

Download
memory/4660-30-0x00007FFDFDD70000-0x00007FFDFE831000-memory.dmp

Filesize
10.8MB

Download