asyncrat | cef9230ad3111e4a233e61b49ac977d4d25849061a90b05c3e7d6f308022b4de

Analysis

max time kernel
143s
max time network
154s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
15-10-2024 12:05

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Rebel/RebelCracked.exe
Size

344KB
MD5

a84fd0fc75b9c761e9b7923a08da41c7
SHA1

2597048612041cd7a8c95002c73e9c2818bb2097
SHA256

9d9a79f4ae9bf7a992945f6c06c5bec642c05e4e828217c50255dabfa3677006
SHA512

a17f1144a0e3ce07c7ed6891987c5b969f291e9991442c33750028d35e2194794e8a649c397e8afc9f8ce19d485c453600c75cab4fcead09e38414d85819251a
SSDEEP

6144:lOcpeK8lucxAtLNFHUVuI/2zj1z6jZ755NofmWx4PCQL23wBw7R0ljTwrVuAdJKp:QcpSnx0LNFDQ60Ntbo5d7gBw7R7rbdJk

Score

10^/10

asyncrat stormkitty default discovery persistence privilege_escalation rat spyware stealer

Malware Config

Extracted

Family

asyncrat

Botnet

Default

127.0.0.1:6606

127.0.0.1:7707

127.0.0.1:8808

Mutex

AsyncMutex_6SI8OkPnk

Attributes

delay
3
install
false
install_folder
%AppData%

aes.plain

Signatures

AsyncRat
AsyncRAT is designed to remotely monitor and control other computers written in C#.
rat asyncrat
StormKitty
StormKitty is an open source info stealer written in C#.
stealer stormkitty

StormKitty payload 5 IoCs

resource	yara_rule
behavioral13/memory/2848-27-0x0000000000400000-0x0000000000432000-memory.dmp	family_stormkitty
behavioral13/memory/2848-29-0x0000000000400000-0x0000000000432000-memory.dmp	family_stormkitty
behavioral13/memory/2848-25-0x0000000000400000-0x0000000000432000-memory.dmp	family_stormkitty
behavioral13/memory/2848-20-0x0000000000400000-0x0000000000432000-memory.dmp	family_stormkitty
behavioral13/memory/2848-22-0x0000000000400000-0x0000000000432000-memory.dmp	family_stormkitty

Executes dropped EXE 64 IoCs

pid	Process
2776	RuntimeBroker.exe
2848	RuntimeBroker.exe
2972	RuntimeBroker.exe
2352	RuntimeBroker.exe
2236	RuntimeBroker.exe
856	RuntimeBroker.exe
1772	RuntimeBroker.exe
1616	RuntimeBroker.exe
1824	RuntimeBroker.exe
552	RuntimeBroker.exe
1936	RuntimeBroker.exe
2024	RuntimeBroker.exe
2804	RuntimeBroker.exe
308	RuntimeBroker.exe
1320	RuntimeBroker.exe
1780	RuntimeBroker.exe
2168	RuntimeBroker.exe
1672	RuntimeBroker.exe
3020	RuntimeBroker.exe
1704	RuntimeBroker.exe
1576	RuntimeBroker.exe
692	RuntimeBroker.exe
1828	RuntimeBroker.exe
1620	RuntimeBroker.exe
2104	RuntimeBroker.exe
2708	RuntimeBroker.exe
1420	RuntimeBroker.exe
2104	RuntimeBroker.exe
1748	RuntimeBroker.exe
2412	RuntimeBroker.exe
872	RuntimeBroker.exe
924	RuntimeBroker.exe
2684	RuntimeBroker.exe
2856	RuntimeBroker.exe
1416	RuntimeBroker.exe
1092	RuntimeBroker.exe
2456	RuntimeBroker.exe
376	RuntimeBroker.exe
760	RuntimeBroker.exe
2724	RuntimeBroker.exe
832	RuntimeBroker.exe
2168	RuntimeBroker.exe
1076	RuntimeBroker.exe
628	RuntimeBroker.exe
1796	RuntimeBroker.exe
2288	RuntimeBroker.exe
1268	RuntimeBroker.exe
1320	RuntimeBroker.exe
3780	RuntimeBroker.exe
3824	RuntimeBroker.exe
936	RuntimeBroker.exe
3636	RuntimeBroker.exe
3408	RuntimeBroker.exe
3456	RuntimeBroker.exe
3368	RuntimeBroker.exe
3452	RuntimeBroker.exe
3796	RuntimeBroker.exe
3672	RuntimeBroker.exe
3784	RuntimeBroker.exe
3716	RuntimeBroker.exe
1716	RuntimeBroker.exe
3980	RuntimeBroker.exe
2304	RuntimeBroker.exe
3364	RuntimeBroker.exe

Loads dropped DLL 2 IoCs

pid	Process
2776	RuntimeBroker.exe
2776	RuntimeBroker.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Drops desktop.ini file(s) 64 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Local\19b99f596f4d554fe8a883b639e4030d\Admin@CCJBVTGQ_en-US\Grabber\DRIVE-C\Users\Admin\Desktop\desktop.ini	RuntimeBroker.exe
File created	C:\Users\Admin\AppData\Local\d2a705d62e0ea7e9741c3061b549ff86\Admin@CCJBVTGQ_en-US\Grabber\DRIVE-C\Users\Admin\Downloads\desktop.ini	RuntimeBroker.exe
File created	C:\Users\Admin\AppData\Local\d2da26d3a70a87d27609e98d3e0aea54\Admin@CCJBVTGQ_en-US\Grabber\DRIVE-C\Users\Admin\Documents\desktop.ini	RuntimeBroker.exe
File created	C:\Users\Admin\AppData\Local\f140b89e9fb8ecd5f8532e5151139f55\Admin@CCJBVTGQ_en-US\Grabber\DRIVE-C\Users\Admin\Documents\desktop.ini	RuntimeBroker.exe
File created	C:\Users\Admin\AppData\Local\e01fa2b916e0e1663bda90e6b57169e8\Admin@CCJBVTGQ_en-US\Grabber\DRIVE-C\Users\Admin\Documents\desktop.ini	RuntimeBroker.exe
File created	C:\Users\Admin\AppData\Local\e01fa2b916e0e1663bda90e6b57169e8\Admin@CCJBVTGQ_en-US\Grabber\DRIVE-C\Users\Admin\Desktop\desktop.ini	RuntimeBroker.exe
File opened for modification	C:\Users\Admin\AppData\Local\19b99f596f4d554fe8a883b639e4030d\Admin@CCJBVTGQ_en-US\Grabber\DRIVE-C\Users\Admin\Desktop\desktop.ini	RuntimeBroker.exe
File opened for modification	C:\Users\Admin\AppData\Local\d2a705d62e0ea7e9741c3061b549ff86\Admin@CCJBVTGQ_en-US\Grabber\DRIVE-C\Users\Admin\Desktop\desktop.ini	RuntimeBroker.exe
File created	C:\Users\Admin\AppData\Local\f140b89e9fb8ecd5f8532e5151139f55\Admin@CCJBVTGQ_en-US\Grabber\DRIVE-C\Users\Admin\Pictures\desktop.ini	RuntimeBroker.exe
File created	C:\Users\Admin\AppData\Local\12b4d00d258a1d161f055be15e52145f\Admin@CCJBVTGQ_en-US\Grabber\DRIVE-C\Users\Admin\Desktop\desktop.ini	RuntimeBroker.exe
File created	C:\Users\Admin\AppData\Local\d2a705d62e0ea7e9741c3061b549ff86\Admin@CCJBVTGQ_en-US\Grabber\DRIVE-C\Users\Admin\Desktop\desktop.ini	RuntimeBroker.exe
File created	C:\Users\Admin\AppData\Local\d2a705d62e0ea7e9741c3061b549ff86\Admin@CCJBVTGQ_en-US\Grabber\DRIVE-C\Users\Admin\Downloads\desktop.ini	RuntimeBroker.exe
File created	C:\Users\Admin\AppData\Local\d2a705d62e0ea7e9741c3061b549ff86\Admin@CCJBVTGQ_en-US\Grabber\DRIVE-C\Users\Admin\Downloads\desktop.ini	RuntimeBroker.exe
File created	C:\Users\Admin\AppData\Local\f140b89e9fb8ecd5f8532e5151139f55\Admin@CCJBVTGQ_en-US\Grabber\DRIVE-C\Users\Admin\Downloads\desktop.ini	RuntimeBroker.exe
File created	C:\Users\Admin\AppData\Local\d2a705d62e0ea7e9741c3061b549ff86\Admin@CCJBVTGQ_en-US\Grabber\DRIVE-C\Users\Admin\Desktop\desktop.ini	RuntimeBroker.exe
File created	C:\Users\Admin\AppData\Local\d2a705d62e0ea7e9741c3061b549ff86\Admin@CCJBVTGQ_en-US\Grabber\DRIVE-C\Users\Admin\Downloads\desktop.ini	RuntimeBroker.exe
File created	C:\Users\Admin\AppData\Local\e01fa2b916e0e1663bda90e6b57169e8\Admin@CCJBVTGQ_en-US\Grabber\DRIVE-C\Users\Admin\Downloads\desktop.ini	RuntimeBroker.exe
File created	C:\Users\Admin\AppData\Local\d2a705d62e0ea7e9741c3061b549ff86\Admin@CCJBVTGQ_en-US\Grabber\DRIVE-C\Users\Admin\Desktop\desktop.ini	RuntimeBroker.exe
File created	C:\Users\Admin\AppData\Local\3350a8b673d485a30a60853066ba34ac\Admin@CCJBVTGQ_en-US\Grabber\DRIVE-C\Users\Admin\Downloads\desktop.ini	RuntimeBroker.exe
File created	C:\Users\Admin\AppData\Local\12b4d00d258a1d161f055be15e52145f\Admin@CCJBVTGQ_en-US\Grabber\DRIVE-C\Users\Admin\Pictures\desktop.ini	RuntimeBroker.exe
File opened for modification	C:\Users\Admin\AppData\Local\e01fa2b916e0e1663bda90e6b57169e8\Admin@CCJBVTGQ_en-US\Grabber\DRIVE-C\Users\Admin\Desktop\desktop.ini	RuntimeBroker.exe
File created	C:\Users\Admin\AppData\Local\e01fa2b916e0e1663bda90e6b57169e8\Admin@CCJBVTGQ_en-US\Grabber\DRIVE-C\Users\Admin\Pictures\desktop.ini	RuntimeBroker.exe
File opened for modification	C:\Users\Admin\AppData\Local\d2a705d62e0ea7e9741c3061b549ff86\Admin@CCJBVTGQ_en-US\Grabber\DRIVE-C\Users\Admin\Desktop\desktop.ini	RuntimeBroker.exe
File opened for modification	C:\Users\Admin\AppData\Local\e01fa2b916e0e1663bda90e6b57169e8\Admin@CCJBVTGQ_en-US\Grabber\DRIVE-C\Users\Admin\Desktop\desktop.ini	RuntimeBroker.exe
File created	C:\Users\Admin\AppData\Local\fa1a32e2b7bf99206cb5ee201df5c35f\Admin@CCJBVTGQ_en-US\Grabber\DRIVE-C\Users\Admin\Documents\desktop.ini	RuntimeBroker.exe
File created	C:\Users\Admin\AppData\Local\d2a705d62e0ea7e9741c3061b549ff86\Admin@CCJBVTGQ_en-US\Grabber\DRIVE-C\Users\Admin\Desktop\desktop.ini	RuntimeBroker.exe
File created	C:\Users\Admin\AppData\Local\19b99f596f4d554fe8a883b639e4030d\Admin@CCJBVTGQ_en-US\Grabber\DRIVE-C\Users\Admin\Pictures\desktop.ini	RuntimeBroker.exe
File created	C:\Users\Admin\AppData\Local\19b99f596f4d554fe8a883b639e4030d\Admin@CCJBVTGQ_en-US\Grabber\DRIVE-C\Users\Admin\Documents\desktop.ini	RuntimeBroker.exe
File created	C:\Users\Admin\AppData\Local\fa1a32e2b7bf99206cb5ee201df5c35f\Admin@CCJBVTGQ_en-US\Grabber\DRIVE-C\Users\Admin\Desktop\desktop.ini	RuntimeBroker.exe
File opened for modification	C:\Users\Admin\AppData\Local\9b9ee9dd04458a34fd24efcc9cbe5a28\Admin@CCJBVTGQ_en-US\Grabber\DRIVE-C\Users\Admin\Desktop\desktop.ini	RuntimeBroker.exe
File created	C:\Users\Admin\AppData\Local\f140b89e9fb8ecd5f8532e5151139f55\Admin@CCJBVTGQ_en-US\Grabber\DRIVE-C\Users\Admin\Documents\desktop.ini	RuntimeBroker.exe
File created	C:\Users\Admin\AppData\Local\05039a44b73f973d6341ee5ab9aaeb9b\Admin@CCJBVTGQ_en-US\Grabber\DRIVE-C\Users\Admin\Pictures\desktop.ini	RuntimeBroker.exe
File created	C:\Users\Admin\AppData\Local\12b4d00d258a1d161f055be15e52145f\Admin@CCJBVTGQ_en-US\Grabber\DRIVE-C\Users\Admin\Downloads\desktop.ini	RuntimeBroker.exe
File opened for modification	C:\Users\Admin\AppData\Local\f140b89e9fb8ecd5f8532e5151139f55\Admin@CCJBVTGQ_en-US\Grabber\DRIVE-C\Users\Admin\Desktop\desktop.ini	RuntimeBroker.exe
File created	C:\Users\Admin\AppData\Local\3350a8b673d485a30a60853066ba34ac\Admin@CCJBVTGQ_en-US\Grabber\DRIVE-C\Users\Admin\Desktop\desktop.ini	RuntimeBroker.exe
File created	C:\Users\Admin\AppData\Local\e01fa2b916e0e1663bda90e6b57169e8\Admin@CCJBVTGQ_en-US\Grabber\DRIVE-C\Users\Admin\Downloads\desktop.ini	RuntimeBroker.exe
File created	C:\Users\Admin\AppData\Local\e01fa2b916e0e1663bda90e6b57169e8\Admin@CCJBVTGQ_en-US\Grabber\DRIVE-C\Users\Admin\Documents\desktop.ini	RuntimeBroker.exe
File created	C:\Users\Admin\AppData\Local\3350a8b673d485a30a60853066ba34ac\Admin@CCJBVTGQ_en-US\Grabber\DRIVE-C\Users\Admin\Downloads\desktop.ini	RuntimeBroker.exe
File created	C:\Users\Admin\AppData\Local\d2a705d62e0ea7e9741c3061b549ff86\Admin@CCJBVTGQ_en-US\Grabber\DRIVE-C\Users\Admin\Downloads\desktop.ini	RuntimeBroker.exe
File created	C:\Users\Admin\AppData\Local\e01fa2b916e0e1663bda90e6b57169e8\Admin@CCJBVTGQ_en-US\Grabber\DRIVE-C\Users\Admin\Documents\desktop.ini	RuntimeBroker.exe
File created	C:\Users\Admin\AppData\Local\d2a705d62e0ea7e9741c3061b549ff86\Admin@CCJBVTGQ_en-US\Grabber\DRIVE-C\Users\Admin\Pictures\desktop.ini	RuntimeBroker.exe
File created	C:\Users\Admin\AppData\Local\d2a705d62e0ea7e9741c3061b549ff86\Admin@CCJBVTGQ_en-US\Grabber\DRIVE-C\Users\Admin\Documents\desktop.ini	RuntimeBroker.exe
File created	C:\Users\Admin\AppData\Local\f140b89e9fb8ecd5f8532e5151139f55\Admin@CCJBVTGQ_en-US\Grabber\DRIVE-C\Users\Admin\Pictures\desktop.ini	RuntimeBroker.exe
File created	C:\Users\Admin\AppData\Local\fa1a32e2b7bf99206cb5ee201df5c35f\Admin@CCJBVTGQ_en-US\Grabber\DRIVE-C\Users\Admin\Documents\desktop.ini	RuntimeBroker.exe
File created	C:\Users\Admin\AppData\Local\d2a705d62e0ea7e9741c3061b549ff86\Admin@CCJBVTGQ_en-US\Grabber\DRIVE-C\Users\Admin\Documents\desktop.ini	RuntimeBroker.exe
File opened for modification	C:\Users\Admin\AppData\Local\f140b89e9fb8ecd5f8532e5151139f55\Admin@CCJBVTGQ_en-US\Grabber\DRIVE-C\Users\Admin\Desktop\desktop.ini	RuntimeBroker.exe
File created	C:\Users\Admin\AppData\Local\fa1a32e2b7bf99206cb5ee201df5c35f\Admin@CCJBVTGQ_en-US\Grabber\DRIVE-C\Users\Admin\Documents\desktop.ini	RuntimeBroker.exe
File created	C:\Users\Admin\AppData\Local\e01fa2b916e0e1663bda90e6b57169e8\Admin@CCJBVTGQ_en-US\Grabber\DRIVE-C\Users\Admin\Downloads\desktop.ini	RuntimeBroker.exe
File created	C:\Users\Admin\AppData\Local\12b4d00d258a1d161f055be15e52145f\Admin@CCJBVTGQ_en-US\Grabber\DRIVE-C\Users\Admin\Pictures\desktop.ini	RuntimeBroker.exe
File created	C:\Users\Admin\AppData\Local\12b4d00d258a1d161f055be15e52145f\Admin@CCJBVTGQ_en-US\Grabber\DRIVE-C\Users\Admin\Desktop\desktop.ini	RuntimeBroker.exe
File created	C:\Users\Admin\AppData\Local\f140b89e9fb8ecd5f8532e5151139f55\Admin@CCJBVTGQ_en-US\Grabber\DRIVE-C\Users\Admin\Downloads\desktop.ini	RuntimeBroker.exe
File created	C:\Users\Admin\AppData\Local\f140b89e9fb8ecd5f8532e5151139f55\Admin@CCJBVTGQ_en-US\Grabber\DRIVE-C\Users\Admin\Desktop\desktop.ini	RuntimeBroker.exe
File created	C:\Users\Admin\AppData\Local\3350a8b673d485a30a60853066ba34ac\Admin@CCJBVTGQ_en-US\Grabber\DRIVE-C\Users\Admin\Pictures\desktop.ini	RuntimeBroker.exe
File created	C:\Users\Admin\AppData\Local\12b4d00d258a1d161f055be15e52145f\Admin@CCJBVTGQ_en-US\Grabber\DRIVE-C\Users\Admin\Downloads\desktop.ini	RuntimeBroker.exe
File created	C:\Users\Admin\AppData\Local\9b9ee9dd04458a34fd24efcc9cbe5a28\Admin@CCJBVTGQ_en-US\Grabber\DRIVE-C\Users\Admin\Pictures\desktop.ini	RuntimeBroker.exe
File created	C:\Users\Admin\AppData\Local\d2a705d62e0ea7e9741c3061b549ff86\Admin@CCJBVTGQ_en-US\Grabber\DRIVE-C\Users\Admin\Pictures\desktop.ini	RuntimeBroker.exe
File opened for modification	C:\Users\Admin\AppData\Local\fa1a32e2b7bf99206cb5ee201df5c35f\Admin@CCJBVTGQ_en-US\Grabber\DRIVE-C\Users\Admin\Desktop\desktop.ini	RuntimeBroker.exe
File created	C:\Users\Admin\AppData\Local\05039a44b73f973d6341ee5ab9aaeb9b\Admin@CCJBVTGQ_en-US\Grabber\DRIVE-C\Users\Admin\Documents\desktop.ini	RuntimeBroker.exe
File created	C:\Users\Admin\AppData\Local\fa1a32e2b7bf99206cb5ee201df5c35f\Admin@CCJBVTGQ_en-US\Grabber\DRIVE-C\Users\Admin\Downloads\desktop.ini	RuntimeBroker.exe
File created	C:\Users\Admin\AppData\Local\fa1a32e2b7bf99206cb5ee201df5c35f\Admin@CCJBVTGQ_en-US\Grabber\DRIVE-C\Users\Admin\Desktop\desktop.ini	RuntimeBroker.exe
File created	C:\Users\Admin\AppData\Local\e01fa2b916e0e1663bda90e6b57169e8\Admin@CCJBVTGQ_en-US\Grabber\DRIVE-C\Users\Admin\Desktop\desktop.ini	RuntimeBroker.exe
File created	C:\Users\Admin\AppData\Local\19b99f596f4d554fe8a883b639e4030d\Admin@CCJBVTGQ_en-US\Grabber\DRIVE-C\Users\Admin\Downloads\desktop.ini	RuntimeBroker.exe
File opened for modification	C:\Users\Admin\AppData\Local\d2a705d62e0ea7e9741c3061b549ff86\Admin@CCJBVTGQ_en-US\Grabber\DRIVE-C\Users\Admin\Desktop\desktop.ini	RuntimeBroker.exe
File opened for modification	C:\Users\Admin\AppData\Local\f140b89e9fb8ecd5f8532e5151139f55\Admin@CCJBVTGQ_en-US\Grabber\DRIVE-C\Users\Admin\Desktop\desktop.ini	RuntimeBroker.exe

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
5	icanhazip.com

Looks up geolocation information via web service
Uses a legitimate geolocation service to find the infected system's geolocation info.

Suspicious use of SetThreadContext 64 IoCs

description	pid	Process	procid_target
PID 2776 set thread context of 2848	2776	RuntimeBroker.exe	33
PID 2972 set thread context of 2352	2972	RuntimeBroker.exe	36
PID 2236 set thread context of 856	2236	RuntimeBroker.exe	40
PID 1772 set thread context of 1616	1772	RuntimeBroker.exe	46
PID 1824 set thread context of 552	1824	RuntimeBroker.exe	49
PID 1936 set thread context of 2024	1936	RuntimeBroker.exe	52
PID 2804 set thread context of 308	2804	RuntimeBroker.exe	64
PID 1320 set thread context of 1780	1320	RuntimeBroker.exe	76
PID 2168 set thread context of 1672	2168	RuntimeBroker.exe	88
PID 3020 set thread context of 1704	3020	RuntimeBroker.exe	103
PID 1576 set thread context of 692	1576	RuntimeBroker.exe	119
PID 1828 set thread context of 1620	1828	RuntimeBroker.exe	131
PID 2104 set thread context of 2708	2104	RuntimeBroker.exe	134
PID 1420 set thread context of 2104	1420	RuntimeBroker.exe	146
PID 1748 set thread context of 2412	1748	RuntimeBroker.exe	150
PID 872 set thread context of 924	872	RuntimeBroker.exe	154
PID 2684 set thread context of 2856	2684	RuntimeBroker.exe	167
PID 1416 set thread context of 1092	1416	RuntimeBroker.exe	180
PID 2456 set thread context of 376	2456	RuntimeBroker.exe	194
PID 760 set thread context of 2724	760	RuntimeBroker.exe	205
PID 832 set thread context of 2168	832	RuntimeBroker.exe	219
PID 1076 set thread context of 628	1076	RuntimeBroker.exe	222
PID 1796 set thread context of 2288	1796	RuntimeBroker.exe	233
PID 1268 set thread context of 1320	1268	RuntimeBroker.exe	249
PID 3780 set thread context of 3824	3780	RuntimeBroker.exe	252
PID 936 set thread context of 3636	936	RuntimeBroker.exe	265
PID 3408 set thread context of 3456	3408	RuntimeBroker.exe	267
PID 3368 set thread context of 3452	3368	RuntimeBroker.exe	280
PID 3796 set thread context of 3672	3796	RuntimeBroker.exe	302
PID 3784 set thread context of 3716	3784	RuntimeBroker.exe	305
PID 1716 set thread context of 3980	1716	RuntimeBroker.exe	317
PID 2304 set thread context of 3364	2304	RuntimeBroker.exe	329
PID 3440 set thread context of 3984	3440	RuntimeBroker.exe	344
PID 3796 set thread context of 3164	3796	RuntimeBroker.exe	371
PID 3280 set thread context of 3948	3280	RuntimeBroker.exe	381
PID 2648 set thread context of 3928	2648	RuntimeBroker.exe	384
PID 3832 set thread context of 3656	3832	RuntimeBroker.exe	387
PID 3160 set thread context of 2612	3160	RuntimeBroker.exe	393
PID 2148 set thread context of 1488	2148	RuntimeBroker.exe	411
PID 4076 set thread context of 3300	4076	RuntimeBroker.exe	431
PID 4864 set thread context of 4908	4864	RuntimeBroker.exe	446
PID 4784 set thread context of 4852	4784	RuntimeBroker.exe	459
PID 4476 set thread context of 4592	4476	RuntimeBroker.exe	463
PID 4828 set thread context of 4936	4828	RuntimeBroker.exe	485
PID 4612 set thread context of 4796	4612	RuntimeBroker.exe	499
PID 4464 set thread context of 4520	4464	RuntimeBroker.exe	502
PID 4688 set thread context of 4784	4688	RuntimeBroker.exe	508
PID 4724 set thread context of 4900	4724	RuntimeBroker.exe	521
PID 4516 set thread context of 4328	4516	RuntimeBroker.exe	533
PID 4516 set thread context of 4136	4516	RuntimeBroker.exe	548
PID 4292 set thread context of 4844	4292	RuntimeBroker.exe	551
PID 4552 set thread context of 2308	4552	RuntimeBroker.exe	563
PID 4300 set thread context of 4700	4300	RuntimeBroker.exe	572
PID 4316 set thread context of 5052	4316	RuntimeBroker.exe	578
PID 4964 set thread context of 2312	4964	RuntimeBroker.exe	581
PID 5084 set thread context of 4368	5084	RuntimeBroker.exe	593
PID 4360 set thread context of 4916	4360	RuntimeBroker.exe	596
PID 4292 set thread context of 1684	4292	RuntimeBroker.exe	599
PID 5924 set thread context of 5988	5924	RuntimeBroker.exe	612
PID 5776 set thread context of 5856	5776	RuntimeBroker.exe	615
PID 6028 set thread context of 5748	6028	RuntimeBroker.exe	627
PID 5700 set thread context of 6128	5700	RuntimeBroker.exe	639
PID 6104 set thread context of 5188	6104	RuntimeBroker.exe	644
PID 6116 set thread context of 5844	6116	RuntimeBroker.exe	666

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Event Triggered Execution: Netsh Helper DLL 1 TTPs 64 IoCs

Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

persistence privilege_escalation

Netsh Helper DLL

T1546.007

description	ioc	Process
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RuntimeBroker.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	chcp.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RuntimeBroker.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RuntimeBroker.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RuntimeBroker.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RuntimeBroker.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RuntimeBroker.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RuntimeBroker.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RuntimeBroker.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RuntimeBroker.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RuntimeBroker.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RuntimeBroker.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	findstr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RuntimeBroker.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	chcp.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	findstr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	findstr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	chcp.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RuntimeBroker.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RuntimeBroker.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	chcp.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	chcp.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	chcp.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	chcp.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RuntimeBroker.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	chcp.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RuntimeBroker.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	chcp.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RuntimeBroker.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RuntimeBroker.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RuntimeBroker.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	chcp.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	chcp.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	chcp.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	chcp.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RuntimeBroker.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RuntimeBroker.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	findstr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	chcp.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RuntimeBroker.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

System Network Configuration Discovery: Wi-Fi Discovery 1 TTPs 64 IoCs

Adversaries may search for information about Wi-Fi networks, such as network names and passwords, on compromised systems.

discovery

Wi-Fi Discovery

T1016.002

pid	Process
4076	cmd.exe
2736	cmd.exe
2592	netsh.exe
1580	netsh.exe
872	netsh.exe
2124	netsh.exe
3312	cmd.exe
3084	netsh.exe
4180	netsh.exe
4264	cmd.exe
5024	netsh.exe
1912	cmd.exe
4240	cmd.exe
4424	netsh.exe
5220	netsh.exe
628	netsh.exe
3588	cmd.exe
3504	netsh.exe
1584	netsh.exe
4524	cmd.exe
6116	cmd.exe
1508	netsh.exe
1552	cmd.exe
2480	cmd.exe
4684	cmd.exe
5040	netsh.exe
1364	netsh.exe
1792	cmd.exe
3388	netsh.exe
4492	cmd.exe
4284	cmd.exe
5024	netsh.exe
476	netsh.exe
1660	netsh.exe
1660	netsh.exe
1784	cmd.exe
1880	cmd.exe
3956	cmd.exe
5416	netsh.exe
5304	cmd.exe
5616	cmd.exe
1492	cmd.exe
1828	cmd.exe
1712	cmd.exe
2124	cmd.exe
3884	cmd.exe
4916	netsh.exe
5332	netsh.exe
476	netsh.exe
1088	cmd.exe
3316	netsh.exe
3664	netsh.exe
4388	cmd.exe
4768	netsh.exe
3396	netsh.exe
3208	cmd.exe
3312	netsh.exe
292	cmd.exe
3904	cmd.exe
1632	cmd.exe
4256	netsh.exe
2152	netsh.exe
3164	netsh.exe
3580	netsh.exe

Checks processor information in registry 2 TTPs 64 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\Description\System\CentralProcessor\0	RuntimeBroker.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	RuntimeBroker.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\Description\System\CentralProcessor\0	RuntimeBroker.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\Description\System\CentralProcessor\0	RuntimeBroker.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	RuntimeBroker.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\Description\System\CentralProcessor\0	RuntimeBroker.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\Description\System\CentralProcessor\0	RuntimeBroker.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	RuntimeBroker.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	RuntimeBroker.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	RuntimeBroker.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	RuntimeBroker.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	RuntimeBroker.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\Description\System\CentralProcessor\0	RuntimeBroker.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	RuntimeBroker.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\Description\System\CentralProcessor\0	RuntimeBroker.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\Description\System\CentralProcessor\0	RuntimeBroker.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	RuntimeBroker.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\Description\System\CentralProcessor\0	RuntimeBroker.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\Description\System\CentralProcessor\0	RuntimeBroker.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\Description\System\CentralProcessor\0	RuntimeBroker.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	RuntimeBroker.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	RuntimeBroker.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	RuntimeBroker.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\Description\System\CentralProcessor\0	RuntimeBroker.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	RuntimeBroker.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\Description\System\CentralProcessor\0	RuntimeBroker.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\Description\System\CentralProcessor\0	RuntimeBroker.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\Description\System\CentralProcessor\0	RuntimeBroker.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\Description\System\CentralProcessor\0	RuntimeBroker.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\Description\System\CentralProcessor\0	RuntimeBroker.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	RuntimeBroker.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	RuntimeBroker.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\Description\System\CentralProcessor\0	RuntimeBroker.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	RuntimeBroker.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\Description\System\CentralProcessor\0	RuntimeBroker.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	RuntimeBroker.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\Description\System\CentralProcessor\0	RuntimeBroker.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	RuntimeBroker.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\Description\System\CentralProcessor\0	RuntimeBroker.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\Description\System\CentralProcessor\0	RuntimeBroker.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	RuntimeBroker.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	RuntimeBroker.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	RuntimeBroker.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	RuntimeBroker.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\Description\System\CentralProcessor\0	RuntimeBroker.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\Description\System\CentralProcessor\0	RuntimeBroker.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	RuntimeBroker.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\Description\System\CentralProcessor\0	RuntimeBroker.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\Description\System\CentralProcessor\0	RuntimeBroker.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\Description\System\CentralProcessor\0	RuntimeBroker.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	RuntimeBroker.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\Description\System\CentralProcessor\0	RuntimeBroker.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\Description\System\CentralProcessor\0	RuntimeBroker.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	RuntimeBroker.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	RuntimeBroker.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\Description\System\CentralProcessor\0	RuntimeBroker.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\Description\System\CentralProcessor\0	RuntimeBroker.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\Description\System\CentralProcessor\0	RuntimeBroker.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\Description\System\CentralProcessor\0	RuntimeBroker.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\Description\System\CentralProcessor\0	RuntimeBroker.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	RuntimeBroker.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\Description\System\CentralProcessor\0	RuntimeBroker.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	RuntimeBroker.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	RuntimeBroker.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2848	RuntimeBroker.exe
2848	RuntimeBroker.exe
2352	RuntimeBroker.exe
2352	RuntimeBroker.exe
2848	RuntimeBroker.exe
2848	RuntimeBroker.exe
2848	RuntimeBroker.exe
2848	RuntimeBroker.exe
2848	RuntimeBroker.exe
856	RuntimeBroker.exe
856	RuntimeBroker.exe
2352	RuntimeBroker.exe
2352	RuntimeBroker.exe
1616	RuntimeBroker.exe
1616	RuntimeBroker.exe
2352	RuntimeBroker.exe
2352	RuntimeBroker.exe
2352	RuntimeBroker.exe
856	RuntimeBroker.exe
856	RuntimeBroker.exe
552	RuntimeBroker.exe
552	RuntimeBroker.exe
856	RuntimeBroker.exe
1616	RuntimeBroker.exe
1616	RuntimeBroker.exe
1616	RuntimeBroker.exe
1616	RuntimeBroker.exe
2024	RuntimeBroker.exe
2024	RuntimeBroker.exe
1616	RuntimeBroker.exe
552	RuntimeBroker.exe
552	RuntimeBroker.exe
308	RuntimeBroker.exe
308	RuntimeBroker.exe
552	RuntimeBroker.exe
2024	RuntimeBroker.exe
2024	RuntimeBroker.exe
2024	RuntimeBroker.exe
2024	RuntimeBroker.exe
1780	RuntimeBroker.exe
1780	RuntimeBroker.exe
2024	RuntimeBroker.exe
1672	RuntimeBroker.exe
1672	RuntimeBroker.exe
1780	RuntimeBroker.exe
1780	RuntimeBroker.exe
308	RuntimeBroker.exe
308	RuntimeBroker.exe
308	RuntimeBroker.exe
308	RuntimeBroker.exe
1704	RuntimeBroker.exe
1704	RuntimeBroker.exe
308	RuntimeBroker.exe
692	RuntimeBroker.exe
692	RuntimeBroker.exe
1704	RuntimeBroker.exe
1704	RuntimeBroker.exe
1620	RuntimeBroker.exe
1620	RuntimeBroker.exe
1780	RuntimeBroker.exe
1780	RuntimeBroker.exe
692	RuntimeBroker.exe
692	RuntimeBroker.exe
2708	RuntimeBroker.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	2848	RuntimeBroker.exe
Token: SeDebugPrivilege	2352	RuntimeBroker.exe
Token: SeDebugPrivilege	856	RuntimeBroker.exe
Token: SeDebugPrivilege	1616	RuntimeBroker.exe
Token: SeDebugPrivilege	552	RuntimeBroker.exe
Token: SeDebugPrivilege	2024	RuntimeBroker.exe
Token: SeDebugPrivilege	308	RuntimeBroker.exe
Token: SeDebugPrivilege	1780	RuntimeBroker.exe
Token: SeDebugPrivilege	1672	RuntimeBroker.exe
Token: SeDebugPrivilege	1704	RuntimeBroker.exe
Token: SeDebugPrivilege	692	RuntimeBroker.exe
Token: SeDebugPrivilege	1620	RuntimeBroker.exe
Token: SeDebugPrivilege	2708	RuntimeBroker.exe
Token: SeDebugPrivilege	2104	RuntimeBroker.exe
Token: SeDebugPrivilege	2412	RuntimeBroker.exe
Token: SeDebugPrivilege	924	RuntimeBroker.exe
Token: SeDebugPrivilege	2856	RuntimeBroker.exe
Token: SeDebugPrivilege	1092	RuntimeBroker.exe
Token: SeDebugPrivilege	376	RuntimeBroker.exe
Token: SeDebugPrivilege	2724	RuntimeBroker.exe
Token: SeDebugPrivilege	2168	RuntimeBroker.exe
Token: SeDebugPrivilege	628	RuntimeBroker.exe
Token: SeDebugPrivilege	2288	RuntimeBroker.exe
Token: SeDebugPrivilege	1320	RuntimeBroker.exe
Token: SeDebugPrivilege	3824	RuntimeBroker.exe
Token: SeDebugPrivilege	3636	RuntimeBroker.exe
Token: SeDebugPrivilege	3456	RuntimeBroker.exe
Token: SeDebugPrivilege	3452	RuntimeBroker.exe
Token: SeDebugPrivilege	3672	RuntimeBroker.exe
Token: SeDebugPrivilege	3716	RuntimeBroker.exe
Token: SeDebugPrivilege	3980	RuntimeBroker.exe
Token: SeDebugPrivilege	3364	RuntimeBroker.exe
Token: SeDebugPrivilege	3984	RuntimeBroker.exe
Token: SeDebugPrivilege	3164	RuntimeBroker.exe
Token: SeDebugPrivilege	3948	RuntimeBroker.exe
Token: SeDebugPrivilege	3928	RuntimeBroker.exe
Token: SeDebugPrivilege	3656	RuntimeBroker.exe
Token: SeDebugPrivilege	2612	RuntimeBroker.exe
Token: SeDebugPrivilege	1488	RuntimeBroker.exe
Token: SeDebugPrivilege	3300	RuntimeBroker.exe
Token: SeDebugPrivilege	4908	RuntimeBroker.exe
Token: SeDebugPrivilege	4852	RuntimeBroker.exe
Token: SeDebugPrivilege	4592	RuntimeBroker.exe
Token: SeDebugPrivilege	4936	RuntimeBroker.exe
Token: SeDebugPrivilege	4796	RuntimeBroker.exe
Token: SeDebugPrivilege	4520	RuntimeBroker.exe
Token: SeDebugPrivilege	4784	RuntimeBroker.exe
Token: SeDebugPrivilege	4900	RuntimeBroker.exe
Token: SeDebugPrivilege	4328	RuntimeBroker.exe
Token: SeDebugPrivilege	4136	RuntimeBroker.exe
Token: SeDebugPrivilege	4844	RuntimeBroker.exe
Token: SeDebugPrivilege	2308	RuntimeBroker.exe
Token: SeDebugPrivilege	4700	RuntimeBroker.exe
Token: SeDebugPrivilege	5052	RuntimeBroker.exe
Token: SeDebugPrivilege	2312	RuntimeBroker.exe
Token: SeDebugPrivilege	4368	RuntimeBroker.exe
Token: SeDebugPrivilege	4916	RuntimeBroker.exe
Token: SeDebugPrivilege	1684	RuntimeBroker.exe
Token: SeDebugPrivilege	5988	RuntimeBroker.exe
Token: SeDebugPrivilege	5856	RuntimeBroker.exe
Token: SeDebugPrivilege	5748	RuntimeBroker.exe
Token: SeDebugPrivilege	6128	RuntimeBroker.exe
Token: SeDebugPrivilege	5188	RuntimeBroker.exe
Token: SeDebugPrivilege	5844	RuntimeBroker.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2648 wrote to memory of 2776	2648	RebelCracked.exe	30
PID 2648 wrote to memory of 2776	2648	RebelCracked.exe	30
PID 2648 wrote to memory of 2776	2648	RebelCracked.exe	30
PID 2648 wrote to memory of 2776	2648	RebelCracked.exe	30
PID 2648 wrote to memory of 2688	2648	RebelCracked.exe	31
PID 2648 wrote to memory of 2688	2648	RebelCracked.exe	31
PID 2648 wrote to memory of 2688	2648	RebelCracked.exe	31
PID 2776 wrote to memory of 2144	2776	RuntimeBroker.exe	32
PID 2776 wrote to memory of 2144	2776	RuntimeBroker.exe	32
PID 2776 wrote to memory of 2144	2776	RuntimeBroker.exe	32
PID 2776 wrote to memory of 2144	2776	RuntimeBroker.exe	32
PID 2776 wrote to memory of 2848	2776	RuntimeBroker.exe	33
PID 2776 wrote to memory of 2848	2776	RuntimeBroker.exe	33
PID 2776 wrote to memory of 2848	2776	RuntimeBroker.exe	33
PID 2776 wrote to memory of 2848	2776	RuntimeBroker.exe	33
PID 2776 wrote to memory of 2848	2776	RuntimeBroker.exe	33
PID 2776 wrote to memory of 2848	2776	RuntimeBroker.exe	33
PID 2776 wrote to memory of 2848	2776	RuntimeBroker.exe	33
PID 2776 wrote to memory of 2848	2776	RuntimeBroker.exe	33
PID 2776 wrote to memory of 2848	2776	RuntimeBroker.exe	33
PID 2688 wrote to memory of 2972	2688	RebelCracked.exe	34
PID 2688 wrote to memory of 2972	2688	RebelCracked.exe	34
PID 2688 wrote to memory of 2972	2688	RebelCracked.exe	34
PID 2688 wrote to memory of 2972	2688	RebelCracked.exe	34
PID 2688 wrote to memory of 2976	2688	RebelCracked.exe	35
PID 2688 wrote to memory of 2976	2688	RebelCracked.exe	35
PID 2688 wrote to memory of 2976	2688	RebelCracked.exe	35
PID 2972 wrote to memory of 2352	2972	RuntimeBroker.exe	36
PID 2972 wrote to memory of 2352	2972	RuntimeBroker.exe	36
PID 2972 wrote to memory of 2352	2972	RuntimeBroker.exe	36
PID 2972 wrote to memory of 2352	2972	RuntimeBroker.exe	36
PID 2972 wrote to memory of 2352	2972	RuntimeBroker.exe	36
PID 2972 wrote to memory of 2352	2972	RuntimeBroker.exe	36
PID 2972 wrote to memory of 2352	2972	RuntimeBroker.exe	36
PID 2972 wrote to memory of 2352	2972	RuntimeBroker.exe	36
PID 2972 wrote to memory of 2352	2972	RuntimeBroker.exe	36
PID 2976 wrote to memory of 2236	2976	RebelCracked.exe	37
PID 2976 wrote to memory of 2236	2976	RebelCracked.exe	37
PID 2976 wrote to memory of 2236	2976	RebelCracked.exe	37
PID 2976 wrote to memory of 2236	2976	RebelCracked.exe	37
PID 2976 wrote to memory of 2956	2976	RebelCracked.exe	38
PID 2976 wrote to memory of 2956	2976	RebelCracked.exe	38
PID 2976 wrote to memory of 2956	2976	RebelCracked.exe	38
PID 2236 wrote to memory of 2292	2236	RuntimeBroker.exe	39
PID 2236 wrote to memory of 2292	2236	RuntimeBroker.exe	39
PID 2236 wrote to memory of 2292	2236	RuntimeBroker.exe	39
PID 2236 wrote to memory of 2292	2236	RuntimeBroker.exe	39
PID 2236 wrote to memory of 856	2236	RuntimeBroker.exe	40
PID 2236 wrote to memory of 856	2236	RuntimeBroker.exe	40
PID 2236 wrote to memory of 856	2236	RuntimeBroker.exe	40
PID 2236 wrote to memory of 856	2236	RuntimeBroker.exe	40
PID 2236 wrote to memory of 856	2236	RuntimeBroker.exe	40
PID 2236 wrote to memory of 856	2236	RuntimeBroker.exe	40
PID 2236 wrote to memory of 856	2236	RuntimeBroker.exe	40
PID 2236 wrote to memory of 856	2236	RuntimeBroker.exe	40
PID 2236 wrote to memory of 856	2236	RuntimeBroker.exe	40
PID 2956 wrote to memory of 1772	2956	RebelCracked.exe	42
PID 2956 wrote to memory of 1772	2956	RebelCracked.exe	42
PID 2956 wrote to memory of 1772	2956	RebelCracked.exe	42
PID 2956 wrote to memory of 1772	2956	RebelCracked.exe	42
PID 2956 wrote to memory of 1792	2956	RebelCracked.exe	43
PID 2956 wrote to memory of 1792	2956	RebelCracked.exe	43
PID 2956 wrote to memory of 1792	2956	RebelCracked.exe	43
PID 1772 wrote to memory of 1728	1772	RuntimeBroker.exe	44

C:\Users\Admin\AppData\Local\Temp\Rebel\RebelCracked.exe
"C:\Users\Admin\AppData\Local\Temp\Rebel\RebelCracked.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2648
- C:\Users\Admin\AppData\Local\RuntimeBroker.exe
  "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2776
- - C:\Users\Admin\AppData\Local\RuntimeBroker.exe
    "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
    3⤵
    PID:2144
- - C:\Users\Admin\AppData\Local\RuntimeBroker.exe
    "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
    3⤵
    - Executes dropped EXE
    - Checks processor information in registry
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2848
  - - C:\Windows\SysWOW64\cmd.exe
      "cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All
      4⤵
      System Network Configuration Discovery: Wi-Fi Discovery
      PID:1492
    - - C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:2872
    - - C:\Windows\SysWOW64\netsh.exe
        
        netsh wlan show profile
        5⤵
        Event Triggered Execution: Netsh Helper DLL
        System Network Configuration Discovery: Wi-Fi Discovery
        
        PID:1364
    - - C:\Windows\SysWOW64\findstr.exe
        
        findstr All
        5⤵
        
        PID:1780
  - - C:\Windows\SysWOW64\cmd.exe
      "cmd.exe" /C chcp 65001 && netsh wlan show networks mode=bssid
      4⤵
      PID:1840
    - - C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:2932
    - - C:\Windows\SysWOW64\netsh.exe
        
        netsh wlan show networks mode=bssid
        5⤵
        Event Triggered Execution: Netsh Helper DLL
        
        PID:628
- C:\Users\Admin\AppData\Local\Temp\Rebel\RebelCracked.exe
  "C:\Users\Admin\AppData\Local\Temp\Rebel\RebelCracked.exe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2688
- - C:\Users\Admin\AppData\Local\RuntimeBroker.exe
    "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
    PID:2972
  - - C:\Users\Admin\AppData\Local\RuntimeBroker.exe
      "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
      4⤵
      Executes dropped EXE
      Drops desktop.ini file(s)
      Checks processor information in registry
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:2352
    - - C:\Windows\SysWOW64\cmd.exe
        
        "cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All
        5⤵
        System Network Configuration Discovery: Wi-Fi Discovery
        
        PID:1880
      - C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:2224
      - C:\Windows\SysWOW64\netsh.exe
        
        netsh wlan show profile
        6⤵
        Event Triggered Execution: Netsh Helper DLL
        System Network Configuration Discovery: Wi-Fi Discovery
        
        PID:476
      - C:\Windows\SysWOW64\findstr.exe
        
        findstr All
        6⤵
        
        PID:1948
    - - C:\Windows\SysWOW64\cmd.exe
        
        "cmd.exe" /C chcp 65001 && netsh wlan show networks mode=bssid
        5⤵
        
        PID:376
      - C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        6⤵
        
        PID:3016
      - C:\Windows\SysWOW64\netsh.exe
        
        netsh wlan show networks mode=bssid
        6⤵
        Event Triggered Execution: Netsh Helper DLL
        
        PID:1856
- - C:\Users\Admin\AppData\Local\Temp\Rebel\RebelCracked.exe
    "C:\Users\Admin\AppData\Local\Temp\Rebel\RebelCracked.exe"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2976
  - - C:\Users\Admin\AppData\Local\RuntimeBroker.exe
      "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of SetThreadContext
      Suspicious use of WriteProcessMemory
      PID:2236
    - - C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        5⤵
        
        PID:2292
    - - C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        5⤵
        Executes dropped EXE
        Checks processor information in registry
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:856
      - C:\Windows\SysWOW64\cmd.exe
        
        "cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All
        6⤵
        System Network Configuration Discovery: Wi-Fi Discovery
        
        PID:1828
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        7⤵
        
        PID:1292
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh wlan show profile
        7⤵
        System Network Configuration Discovery: Wi-Fi Discovery
        
        PID:2152
        
        C:\Windows\SysWOW64\findstr.exe
        
        findstr All
        7⤵
        
        PID:2044
      - C:\Windows\SysWOW64\cmd.exe
        
        "cmd.exe" /C chcp 65001 && netsh wlan show networks mode=bssid
        6⤵
        
        PID:2652
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        7⤵
        
        PID:2500
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh wlan show networks mode=bssid
        7⤵
        
        PID:1076
  - - C:\Users\Admin\AppData\Local\Temp\Rebel\RebelCracked.exe
      "C:\Users\Admin\AppData\Local\Temp\Rebel\RebelCracked.exe"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:2956
    - - C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of WriteProcessMemory
        
        PID:1772
      - C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        6⤵
        
        PID:1728
      - C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        6⤵
        
        PID:2136
      - C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        6⤵
        Executes dropped EXE
        Drops desktop.ini file(s)
        Checks processor information in registry
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1616
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All
        7⤵
        System Network Configuration Discovery: Wi-Fi Discovery
        
        PID:2736
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        8⤵
        
        PID:2208
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh wlan show profile
        8⤵
        Event Triggered Execution: Netsh Helper DLL
        System Network Configuration Discovery: Wi-Fi Discovery
        
        PID:2592
        
        C:\Windows\SysWOW64\findstr.exe
        
        findstr All
        8⤵
        
        PID:2960
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd.exe" /C chcp 65001 && netsh wlan show networks mode=bssid
        7⤵
        
        PID:2776
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        8⤵
        
        PID:1912
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh wlan show networks mode=bssid
        8⤵
        
        PID:1092
    - - C:\Users\Admin\AppData\Local\Temp\Rebel\RebelCracked.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Rebel\RebelCracked.exe"
        5⤵
        
        PID:1792
      - C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        6⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:1824
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        7⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:552
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All
        8⤵
        
        PID:1420
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        9⤵
        
        PID:2596
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh wlan show profile
        9⤵
        Event Triggered Execution: Netsh Helper DLL
        System Location Discovery: System Language Discovery
        System Network Configuration Discovery: Wi-Fi Discovery
        
        PID:1580
        
        C:\Windows\SysWOW64\findstr.exe
        
        findstr All
        9⤵
        System Location Discovery: System Language Discovery
        
        PID:2740
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd.exe" /C chcp 65001 && netsh wlan show networks mode=bssid
        8⤵
        
        PID:2564
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        9⤵
        
        PID:2104
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh wlan show networks mode=bssid
        9⤵
        Event Triggered Execution: Netsh Helper DLL
        
        PID:2792
      - C:\Users\Admin\AppData\Local\Temp\Rebel\RebelCracked.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Rebel\RebelCracked.exe"
        6⤵
        
        PID:2940
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        7⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:1936
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        8⤵
        Executes dropped EXE
        Checks processor information in registry
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2024
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All
        9⤵
        
        PID:2696
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        10⤵
        
        PID:2752
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh wlan show profile
        10⤵
        Event Triggered Execution: Netsh Helper DLL
        System Network Configuration Discovery: Wi-Fi Discovery
        
        PID:1508
        
        C:\Windows\SysWOW64\findstr.exe
        
        findstr All
        10⤵
        
        PID:2568
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd.exe" /C chcp 65001 && netsh wlan show networks mode=bssid
        9⤵
        
        PID:2532
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        10⤵
        
        PID:2740
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh wlan show networks mode=bssid
        10⤵
        
        PID:1420
        
        C:\Users\Admin\AppData\Local\Temp\Rebel\RebelCracked.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Rebel\RebelCracked.exe"
        7⤵
        
        PID:1508
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        8⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:2804
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        9⤵
        Executes dropped EXE
        Drops desktop.ini file(s)
        Checks processor information in registry
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:308
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All
        10⤵
        
        PID:2676
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        11⤵
        
        PID:2176
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh wlan show profile
        11⤵
        System Network Configuration Discovery: Wi-Fi Discovery
        
        PID:628
        
        C:\Windows\SysWOW64\findstr.exe
        
        findstr All
        11⤵
        
        PID:2804
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd.exe" /C chcp 65001 && netsh wlan show networks mode=bssid
        10⤵
        
        PID:2544
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        11⤵
        
        PID:2368
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh wlan show networks mode=bssid
        11⤵
        Event Triggered Execution: Netsh Helper DLL
        
        PID:2044
        
        C:\Users\Admin\AppData\Local\Temp\Rebel\RebelCracked.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Rebel\RebelCracked.exe"
        8⤵
        
        PID:2808
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        9⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:1320
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        10⤵
        Executes dropped EXE
        Drops desktop.ini file(s)
        Checks processor information in registry
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1780
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All
        11⤵
        System Network Configuration Discovery: Wi-Fi Discovery
        
        PID:1792
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        12⤵
        
        PID:1740
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh wlan show profile
        12⤵
        Event Triggered Execution: Netsh Helper DLL
        System Location Discovery: System Language Discovery
        
        PID:2340
        
        C:\Windows\SysWOW64\findstr.exe
        
        findstr All
        12⤵
        
        PID:1416
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd.exe" /C chcp 65001 && netsh wlan show networks mode=bssid
        11⤵
        
        PID:1716
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        12⤵
        
        PID:2092
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh wlan show networks mode=bssid
        12⤵
        
        PID:2888
        
        C:\Users\Admin\AppData\Local\Temp\Rebel\RebelCracked.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Rebel\RebelCracked.exe"
        9⤵
        
        PID:2732
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        10⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:2168
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        11⤵
        Executes dropped EXE
        Drops desktop.ini file(s)
        Checks processor information in registry
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1672
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All
        12⤵
        System Network Configuration Discovery: Wi-Fi Discovery
        
        PID:1712
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        13⤵
        
        PID:1736
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh wlan show profile
        13⤵
        System Location Discovery: System Language Discovery
        System Network Configuration Discovery: Wi-Fi Discovery
        
        PID:476
        
        C:\Windows\SysWOW64\findstr.exe
        
        findstr All
        13⤵
        
        PID:1824
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd.exe" /C chcp 65001 && netsh wlan show networks mode=bssid
        12⤵
        
        PID:1700
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        13⤵
        
        PID:1320
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh wlan show networks mode=bssid
        13⤵
        
        PID:1792
        
        C:\Users\Admin\AppData\Local\Temp\Rebel\RebelCracked.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Rebel\RebelCracked.exe"
        10⤵
        
        PID:2424
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        11⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:3020
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        12⤵
        
        PID:984
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        12⤵
        
        PID:2264
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        12⤵
        
        PID:2912
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        12⤵
        Executes dropped EXE
        Checks processor information in registry
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1704
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All
        13⤵
        
        PID:1580
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        14⤵
        
        PID:1612
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh wlan show profile
        14⤵
        Event Triggered Execution: Netsh Helper DLL
        System Location Discovery: System Language Discovery
        
        PID:2020
        
        C:\Windows\SysWOW64\findstr.exe
        
        findstr All
        14⤵
        
        PID:2532
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd.exe" /C chcp 65001 && netsh wlan show networks mode=bssid
        13⤵
        
        PID:2076
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        14⤵
        System Location Discovery: System Language Discovery
        
        PID:2732
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh wlan show networks mode=bssid
        14⤵
        
        PID:3008
        
        C:\Users\Admin\AppData\Local\Temp\Rebel\RebelCracked.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Rebel\RebelCracked.exe"
        11⤵
        
        PID:1088
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        12⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:1576
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        13⤵
        
        PID:1948
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        13⤵
        
        PID:1816
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        13⤵
        
        PID:1880
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        13⤵
        
        PID:1764
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        13⤵
        Executes dropped EXE
        Drops desktop.ini file(s)
        Checks processor information in registry
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:692
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All
        14⤵
        System Network Configuration Discovery: Wi-Fi Discovery
        
        PID:1552
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        15⤵
        
        PID:2732
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh wlan show profile
        15⤵
        Event Triggered Execution: Netsh Helper DLL
        
        PID:1516
        
        C:\Windows\SysWOW64\findstr.exe
        
        findstr All
        15⤵
        
        PID:1736
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd.exe" /C chcp 65001 && netsh wlan show networks mode=bssid
        14⤵
        
        PID:876
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        15⤵
        
        PID:2792
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh wlan show networks mode=bssid
        15⤵
        System Location Discovery: System Language Discovery
        
        PID:1796
        
        C:\Users\Admin\AppData\Local\Temp\Rebel\RebelCracked.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Rebel\RebelCracked.exe"
        12⤵
        
        PID:1936
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        13⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:1828
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        14⤵
        Executes dropped EXE
        Checks processor information in registry
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1620
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All
        15⤵
        System Location Discovery: System Language Discovery
        System Network Configuration Discovery: Wi-Fi Discovery
        
        PID:1912
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        16⤵
        
        PID:2020
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh wlan show profile
        16⤵
        System Location Discovery: System Language Discovery
        System Network Configuration Discovery: Wi-Fi Discovery
        
        PID:1660
        
        C:\Windows\SysWOW64\findstr.exe
        
        findstr All
        16⤵
        
        PID:476
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd.exe" /C chcp 65001 && netsh wlan show networks mode=bssid
        15⤵
        
        PID:2124
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        16⤵
        
        PID:1744
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh wlan show networks mode=bssid
        16⤵
        System Location Discovery: System Language Discovery
        
        PID:872
        
        C:\Users\Admin\AppData\Local\Temp\Rebel\RebelCracked.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Rebel\RebelCracked.exe"
        13⤵
        
        PID:2500
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        14⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:2104
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        15⤵
        Executes dropped EXE
        Drops desktop.ini file(s)
        Checks processor information in registry
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2708
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All
        16⤵
        System Network Configuration Discovery: Wi-Fi Discovery
        
        PID:2124
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        17⤵
        
        PID:1556
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh wlan show profile
        17⤵
        Event Triggered Execution: Netsh Helper DLL
        System Network Configuration Discovery: Wi-Fi Discovery
        
        PID:1660
        
        C:\Windows\SysWOW64\findstr.exe
        
        findstr All
        17⤵
        
        PID:2208
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd.exe" /C chcp 65001 && netsh wlan show networks mode=bssid
        16⤵
        
        PID:2988
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        17⤵
        
        PID:1716
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh wlan show networks mode=bssid
        17⤵
        System Location Discovery: System Language Discovery
        
        PID:872
        
        C:\Users\Admin\AppData\Local\Temp\Rebel\RebelCracked.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Rebel\RebelCracked.exe"
        14⤵
        
        PID:2836
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        15⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:1420
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        16⤵
        Executes dropped EXE
        Drops desktop.ini file(s)
        System Location Discovery: System Language Discovery
        Checks processor information in registry
        Suspicious use of AdjustPrivilegeToken
        
        PID:2104
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All
        17⤵
        System Network Configuration Discovery: Wi-Fi Discovery
        
        PID:1784
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        18⤵
        
        PID:292
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh wlan show profile
        18⤵
        Event Triggered Execution: Netsh Helper DLL
        System Network Configuration Discovery: Wi-Fi Discovery
        
        PID:872
        
        C:\Windows\SysWOW64\findstr.exe
        
        findstr All
        18⤵
        System Location Discovery: System Language Discovery
        
        PID:1732
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd.exe" /C chcp 65001 && netsh wlan show networks mode=bssid
        17⤵
        
        PID:1232
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        18⤵
        
        PID:2732
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh wlan show networks mode=bssid
        18⤵
        
        PID:1944
        
        C:\Users\Admin\AppData\Local\Temp\Rebel\RebelCracked.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Rebel\RebelCracked.exe"
        15⤵
        
        PID:2532
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        16⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:1748
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        17⤵
        
        PID:2500
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        17⤵
        Executes dropped EXE
        Drops desktop.ini file(s)
        Checks processor information in registry
        Suspicious use of AdjustPrivilegeToken
        
        PID:2412
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All
        18⤵
        
        PID:3376
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        19⤵
        
        PID:3388
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh wlan show profile
        19⤵
        Event Triggered Execution: Netsh Helper DLL
        System Network Configuration Discovery: Wi-Fi Discovery
        
        PID:3396
        
        C:\Windows\SysWOW64\findstr.exe
        
        findstr All
        19⤵
        
        PID:3412
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd.exe" /C chcp 65001 && netsh wlan show networks mode=bssid
        18⤵
        
        PID:3488
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        19⤵
        
        PID:3524
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh wlan show networks mode=bssid
        19⤵
        Event Triggered Execution: Netsh Helper DLL
        
        PID:3540
        
        C:\Users\Admin\AppData\Local\Temp\Rebel\RebelCracked.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Rebel\RebelCracked.exe"
        16⤵
        
        PID:1992
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        17⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:872
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        18⤵
        
        PID:904
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        18⤵
        Executes dropped EXE
        Checks processor information in registry
        Suspicious use of AdjustPrivilegeToken
        
        PID:924
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All
        19⤵
        System Network Configuration Discovery: Wi-Fi Discovery
        
        PID:3588
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        20⤵
        
        PID:3092
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh wlan show profile
        20⤵
        System Network Configuration Discovery: Wi-Fi Discovery
        
        PID:3164
        
        C:\Windows\SysWOW64\findstr.exe
        
        findstr All
        20⤵
        
        PID:3104
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd.exe" /C chcp 65001 && netsh wlan show networks mode=bssid
        19⤵
        
        PID:3280
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        20⤵
        
        PID:3276
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh wlan show networks mode=bssid
        20⤵
        
        PID:3260
        
        C:\Users\Admin\AppData\Local\Temp\Rebel\RebelCracked.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Rebel\RebelCracked.exe"
        17⤵
        
        PID:2956
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        18⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:2684
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        19⤵
        
        PID:2804
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        19⤵
        Executes dropped EXE
        Drops desktop.ini file(s)
        Checks processor information in registry
        Suspicious use of AdjustPrivilegeToken
        
        PID:2856
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All
        20⤵
        System Network Configuration Discovery: Wi-Fi Discovery
        
        PID:1088
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        21⤵
        System Location Discovery: System Language Discovery
        
        PID:476
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh wlan show profile
        21⤵
        Event Triggered Execution: Netsh Helper DLL
        System Network Configuration Discovery: Wi-Fi Discovery
        
        PID:2124
        
        C:\Windows\SysWOW64\findstr.exe
        
        findstr All
        21⤵
        
        PID:3188
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd.exe" /C chcp 65001 && netsh wlan show networks mode=bssid
        20⤵
        
        PID:3108
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        21⤵
        
        PID:2748
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh wlan show networks mode=bssid
        21⤵
        
        PID:2532
        
        C:\Users\Admin\AppData\Local\Temp\Rebel\RebelCracked.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Rebel\RebelCracked.exe"
        18⤵
        
        PID:1592
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        19⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:1416
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        20⤵
        
        PID:2744
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        20⤵
        Executes dropped EXE
        Drops desktop.ini file(s)
        Checks processor information in registry
        Suspicious use of AdjustPrivilegeToken
        
        PID:1092
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All
        21⤵
        System Location Discovery: System Language Discovery
        System Network Configuration Discovery: Wi-Fi Discovery
        
        PID:3208
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        22⤵
        
        PID:3708
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh wlan show profile
        22⤵
        System Location Discovery: System Language Discovery
        System Network Configuration Discovery: Wi-Fi Discovery
        
        PID:3504
        
        C:\Windows\SysWOW64\findstr.exe
        
        findstr All
        22⤵
        
        PID:3860
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd.exe" /C chcp 65001 && netsh wlan show networks mode=bssid
        21⤵
        
        PID:3956
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        22⤵
        System Location Discovery: System Language Discovery
        
        PID:916
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh wlan show networks mode=bssid
        22⤵
        
        PID:3592
        
        C:\Users\Admin\AppData\Local\Temp\Rebel\RebelCracked.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Rebel\RebelCracked.exe"
        19⤵
        
        PID:2792
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        20⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:2456
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        21⤵
        
        PID:1460
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        21⤵
        
        PID:2252
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        21⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Checks processor information in registry
        Suspicious use of AdjustPrivilegeToken
        
        PID:376
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All
        22⤵
        System Network Configuration Discovery: Wi-Fi Discovery
        
        PID:3312
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        23⤵
        
        PID:3308
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh wlan show profile
        23⤵
        System Network Configuration Discovery: Wi-Fi Discovery
        
        PID:3316
        
        C:\Windows\SysWOW64\findstr.exe
        
        findstr All
        23⤵
        
        PID:2648
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd.exe" /C chcp 65001 && netsh wlan show networks mode=bssid
        22⤵
        
        PID:3860
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        23⤵
        
        PID:3524
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh wlan show networks mode=bssid
        23⤵
        System Location Discovery: System Language Discovery
        
        PID:3556
        
        C:\Users\Admin\AppData\Local\Temp\Rebel\RebelCracked.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Rebel\RebelCracked.exe"
        20⤵
        
        PID:580
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        21⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:760
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        22⤵
        Executes dropped EXE
        Checks processor information in registry
        Suspicious use of AdjustPrivilegeToken
        
        PID:2724
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All
        23⤵
        
        PID:3800
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        24⤵
        
        PID:3584
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh wlan show profile
        24⤵
        Event Triggered Execution: Netsh Helper DLL
        System Network Configuration Discovery: Wi-Fi Discovery
        
        PID:3388
        
        C:\Windows\SysWOW64\findstr.exe
        
        findstr All
        24⤵
        
        PID:3856
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd.exe" /C chcp 65001 && netsh wlan show networks mode=bssid
        23⤵
        
        PID:3996
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        24⤵
        
        PID:3404
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh wlan show networks mode=bssid
        24⤵
        
        PID:4088
        
        C:\Users\Admin\AppData\Local\Temp\Rebel\RebelCracked.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Rebel\RebelCracked.exe"
        21⤵
        
        PID:2200
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        22⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:832
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        23⤵
        
        PID:1724
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        23⤵
        Executes dropped EXE
        Checks processor information in registry
        Suspicious use of AdjustPrivilegeToken
        
        PID:2168
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All
        24⤵
        System Network Configuration Discovery: Wi-Fi Discovery
        
        PID:3884
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        25⤵
        
        PID:3796
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh wlan show profile
        25⤵
        Event Triggered Execution: Netsh Helper DLL
        
        PID:3868
        
        C:\Windows\SysWOW64\findstr.exe
        
        findstr All
        25⤵
        
        PID:1584
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd.exe" /C chcp 65001 && netsh wlan show networks mode=bssid
        24⤵
        
        PID:4040
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        25⤵
        System Location Discovery: System Language Discovery
        
        PID:4012
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh wlan show networks mode=bssid
        25⤵
        Event Triggered Execution: Netsh Helper DLL
        
        PID:4084
        
        C:\Users\Admin\AppData\Local\Temp\Rebel\RebelCracked.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Rebel\RebelCracked.exe"
        22⤵
        
        PID:2956
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        23⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:1076
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        24⤵
        Executes dropped EXE
        Drops desktop.ini file(s)
        Checks processor information in registry
        Suspicious use of AdjustPrivilegeToken
        
        PID:628
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All
        25⤵
        System Network Configuration Discovery: Wi-Fi Discovery
        
        PID:292
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        26⤵
        
        PID:1488
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh wlan show profile
        26⤵
        Event Triggered Execution: Netsh Helper DLL
        System Network Configuration Discovery: Wi-Fi Discovery
        
        PID:3084
        
        C:\Windows\SysWOW64\findstr.exe
        
        findstr All
        26⤵
        
        PID:3100
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd.exe" /C chcp 65001 && netsh wlan show networks mode=bssid
        25⤵
        
        PID:3372
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        26⤵
        
        PID:3448
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh wlan show networks mode=bssid
        26⤵
        
        PID:2796
        
        C:\Users\Admin\AppData\Local\Temp\Rebel\RebelCracked.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Rebel\RebelCracked.exe"
        23⤵
        
        PID:2076
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        24⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:1796
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        25⤵
        Executes dropped EXE
        Checks processor information in registry
        Suspicious use of AdjustPrivilegeToken
        
        PID:2288
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All
        26⤵
        System Location Discovery: System Language Discovery
        System Network Configuration Discovery: Wi-Fi Discovery
        
        PID:3956
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        27⤵
        
        PID:916
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh wlan show profile
        27⤵
        Event Triggered Execution: Netsh Helper DLL
        System Network Configuration Discovery: Wi-Fi Discovery
        
        PID:3312
        
        C:\Windows\SysWOW64\findstr.exe
        
        findstr All
        27⤵
        
        PID:2648
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd.exe" /C chcp 65001 && netsh wlan show networks mode=bssid
        26⤵
        
        PID:3536
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        27⤵
        
        PID:3280
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh wlan show networks mode=bssid
        27⤵
        Event Triggered Execution: Netsh Helper DLL
        
        PID:3552
        
        C:\Users\Admin\AppData\Local\Temp\Rebel\RebelCracked.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Rebel\RebelCracked.exe"
        24⤵
        
        PID:1076
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        25⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:1268
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        26⤵
        
        PID:1056
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        26⤵
        
        PID:2988
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        26⤵
        
        PID:1292
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        26⤵
        Executes dropped EXE
        Drops desktop.ini file(s)
        Checks processor information in registry
        Suspicious use of AdjustPrivilegeToken
        
        PID:1320
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All
        27⤵
        System Network Configuration Discovery: Wi-Fi Discovery
        
        PID:4076
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        28⤵
        
        PID:3996
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh wlan show profile
        28⤵
        System Network Configuration Discovery: Wi-Fi Discovery
        
        PID:3580
        
        C:\Windows\SysWOW64\findstr.exe
        
        findstr All
        28⤵
        
        PID:1920
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd.exe" /C chcp 65001 && netsh wlan show networks mode=bssid
        27⤵
        
        PID:3652
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        28⤵
        System Location Discovery: System Language Discovery
        
        PID:3084
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh wlan show networks mode=bssid
        28⤵
        
        PID:3392
        
        C:\Users\Admin\AppData\Local\Temp\Rebel\RebelCracked.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Rebel\RebelCracked.exe"
        25⤵
        
        PID:2792
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        26⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:3780
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        27⤵
        Executes dropped EXE
        Drops desktop.ini file(s)
        Checks processor information in registry
        Suspicious use of AdjustPrivilegeToken
        
        PID:3824
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All
        28⤵
        System Network Configuration Discovery: Wi-Fi Discovery
        
        PID:3904
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        29⤵
        
        PID:3728
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh wlan show profile
        29⤵
        Event Triggered Execution: Netsh Helper DLL
        System Network Configuration Discovery: Wi-Fi Discovery
        
        PID:1584
        
        C:\Windows\SysWOW64\findstr.exe
        
        findstr All
        29⤵
        
        PID:884
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd.exe" /C chcp 65001 && netsh wlan show networks mode=bssid
        28⤵
        
        PID:3160
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        29⤵
        
        PID:3392
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh wlan show networks mode=bssid
        29⤵
        
        PID:3340
        
        C:\Users\Admin\AppData\Local\Temp\Rebel\RebelCracked.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Rebel\RebelCracked.exe"
        26⤵
        
        PID:3796
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        27⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:936
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        28⤵
        
        PID:3600
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        28⤵
        Executes dropped EXE
        Drops desktop.ini file(s)
        Checks processor information in registry
        Suspicious use of AdjustPrivilegeToken
        
        PID:3636
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All
        29⤵
        System Network Configuration Discovery: Wi-Fi Discovery
        
        PID:2480
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        30⤵
        System Location Discovery: System Language Discovery
        
        PID:3904
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh wlan show profile
        30⤵
        
        PID:3348
        
        C:\Windows\SysWOW64\findstr.exe
        
        findstr All
        30⤵
        System Location Discovery: System Language Discovery
        
        PID:3144
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd.exe" /C chcp 65001 && netsh wlan show networks mode=bssid
        29⤵
        
        PID:1584
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        30⤵
        
        PID:3512
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh wlan show networks mode=bssid
        30⤵
        Event Triggered Execution: Netsh Helper DLL
        
        PID:3316
        
        C:\Users\Admin\AppData\Local\Temp\Rebel\RebelCracked.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Rebel\RebelCracked.exe"
        27⤵
        
        PID:3576
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        28⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:3408
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        29⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:3456
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All
        30⤵
        System Network Configuration Discovery: Wi-Fi Discovery
        
        PID:1632
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        31⤵
        
        PID:2224
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh wlan show profile
        31⤵
        System Location Discovery: System Language Discovery
        System Network Configuration Discovery: Wi-Fi Discovery
        
        PID:3664
        
        C:\Windows\SysWOW64\findstr.exe
        
        findstr All
        31⤵
        
        PID:3372
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd.exe" /C chcp 65001 && netsh wlan show networks mode=bssid
        30⤵
        
        PID:1552
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        31⤵
        
        PID:3476
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh wlan show networks mode=bssid
        31⤵
        Event Triggered Execution: Netsh Helper DLL
        
        PID:3868
        
        C:\Users\Admin\AppData\Local\Temp\Rebel\RebelCracked.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Rebel\RebelCracked.exe"
        28⤵
        
        PID:3412
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        29⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:3368
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        30⤵
        Executes dropped EXE
        Drops desktop.ini file(s)
        Checks processor information in registry
        Suspicious use of AdjustPrivilegeToken
        
        PID:3452
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All
        31⤵
        System Network Configuration Discovery: Wi-Fi Discovery
        
        PID:4388
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        32⤵
        
        PID:4412
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh wlan show profile
        32⤵
        Event Triggered Execution: Netsh Helper DLL
        System Location Discovery: System Language Discovery
        
        PID:4420
        
        C:\Windows\SysWOW64\findstr.exe
        
        findstr All
        32⤵
        
        PID:4428
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd.exe" /C chcp 65001 && netsh wlan show networks mode=bssid
        31⤵
        
        PID:4464
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        32⤵
        
        PID:4484
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh wlan show networks mode=bssid
        32⤵
        System Location Discovery: System Language Discovery
        
        PID:4496
        
        C:\Users\Admin\AppData\Local\Temp\Rebel\RebelCracked.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Rebel\RebelCracked.exe"
        29⤵
        
        PID:3480
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        30⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:3796
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        31⤵
        
        PID:3920
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        31⤵
        Executes dropped EXE
        Drops desktop.ini file(s)
        System Location Discovery: System Language Discovery
        Checks processor information in registry
        Suspicious use of AdjustPrivilegeToken
        
        PID:3672
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All
        32⤵
        
        PID:4900
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        33⤵
        
        PID:4948
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh wlan show profile
        33⤵
        Event Triggered Execution: Netsh Helper DLL
        
        PID:4764
        
        C:\Windows\SysWOW64\findstr.exe
        
        findstr All
        33⤵
        
        PID:5032
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd.exe" /C chcp 65001 && netsh wlan show networks mode=bssid
        32⤵
        
        PID:4152
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        33⤵
        
        PID:4156
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh wlan show networks mode=bssid
        33⤵
        
        PID:4176
        
        C:\Users\Admin\AppData\Local\Temp\Rebel\RebelCracked.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Rebel\RebelCracked.exe"
        30⤵
        
        PID:3592
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        31⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:3784
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        32⤵
        Executes dropped EXE
        Drops desktop.ini file(s)
        System Location Discovery: System Language Discovery
        Checks processor information in registry
        Suspicious use of AdjustPrivilegeToken
        
        PID:3716
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All
        33⤵
        System Network Configuration Discovery: Wi-Fi Discovery
        
        PID:4524
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        34⤵
        
        PID:4700
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh wlan show profile
        34⤵
        Event Triggered Execution: Netsh Helper DLL
        System Network Configuration Discovery: Wi-Fi Discovery
        
        PID:4768
        
        C:\Windows\SysWOW64\findstr.exe
        
        findstr All
        34⤵
        
        PID:4772
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd.exe" /C chcp 65001 && netsh wlan show networks mode=bssid
        33⤵
        
        PID:5008
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        34⤵
        System Location Discovery: System Language Discovery
        
        PID:4980
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh wlan show networks mode=bssid
        34⤵
        Event Triggered Execution: Netsh Helper DLL
        
        PID:4888
        
        C:\Users\Admin\AppData\Local\Temp\Rebel\RebelCracked.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Rebel\RebelCracked.exe"
        31⤵
        
        PID:3464
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        32⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:1716
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        33⤵
        Executes dropped EXE
        Drops desktop.ini file(s)
        System Location Discovery: System Language Discovery
        Checks processor information in registry
        Suspicious use of AdjustPrivilegeToken
        
        PID:3980
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All
        34⤵
        System Network Configuration Discovery: Wi-Fi Discovery
        
        PID:4684
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        35⤵
        
        PID:4872
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh wlan show profile
        35⤵
        Event Triggered Execution: Netsh Helper DLL
        System Network Configuration Discovery: Wi-Fi Discovery
        
        PID:4916
        
        C:\Windows\SysWOW64\findstr.exe
        
        findstr All
        35⤵
        
        PID:5068
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd.exe" /C chcp 65001 && netsh wlan show networks mode=bssid
        34⤵
        
        PID:1268
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        35⤵
        
        PID:3116
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh wlan show networks mode=bssid
        35⤵
        
        PID:4080
        
        C:\Users\Admin\AppData\Local\Temp\Rebel\RebelCracked.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Rebel\RebelCracked.exe"
        32⤵
        
        PID:1584
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        33⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:2304
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        34⤵
        Executes dropped EXE
        Drops desktop.ini file(s)
        System Location Discovery: System Language Discovery
        Checks processor information in registry
        Suspicious use of AdjustPrivilegeToken
        
        PID:3364
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All
        35⤵
        
        PID:2184
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        36⤵
        
        PID:4544
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh wlan show profile
        36⤵
        Event Triggered Execution: Netsh Helper DLL
        System Network Configuration Discovery: Wi-Fi Discovery
        
        PID:5040
        
        C:\Windows\SysWOW64\findstr.exe
        
        findstr All
        36⤵
        
        PID:4900
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd.exe" /C chcp 65001 && netsh wlan show networks mode=bssid
        35⤵
        
        PID:4284
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        36⤵
        
        PID:3540
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh wlan show networks mode=bssid
        36⤵
        System Location Discovery: System Language Discovery
        
        PID:4212
        
        C:\Users\Admin\AppData\Local\Temp\Rebel\RebelCracked.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Rebel\RebelCracked.exe"
        33⤵
        
        PID:2420
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        34⤵
        Suspicious use of SetThreadContext
        
        PID:3440
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        35⤵
        Drops desktop.ini file(s)
        Checks processor information in registry
        Suspicious use of AdjustPrivilegeToken
        
        PID:3984
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All
        36⤵
        System Network Configuration Discovery: Wi-Fi Discovery
        
        PID:4240
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        37⤵
        
        PID:4460
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh wlan show profile
        37⤵
        System Network Configuration Discovery: Wi-Fi Discovery
        
        PID:4424
        
        C:\Windows\SysWOW64\findstr.exe
        
        findstr All
        37⤵
        
        PID:4596
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd.exe" /C chcp 65001 && netsh wlan show networks mode=bssid
        36⤵
        
        PID:4420
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        37⤵
        
        PID:5004
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh wlan show networks mode=bssid
        37⤵
        Event Triggered Execution: Netsh Helper DLL
        System Location Discovery: System Language Discovery
        
        PID:4820
        
        C:\Users\Admin\AppData\Local\Temp\Rebel\RebelCracked.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Rebel\RebelCracked.exe"
        34⤵
        
        PID:3580
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        35⤵
        Suspicious use of SetThreadContext
        
        PID:3796
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        36⤵
        Drops desktop.ini file(s)
        Checks processor information in registry
        Suspicious use of AdjustPrivilegeToken
        
        PID:3164
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All
        37⤵
        System Network Configuration Discovery: Wi-Fi Discovery
        
        PID:4284
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        38⤵
        System Location Discovery: System Language Discovery
        
        PID:2020
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh wlan show profile
        38⤵
        Event Triggered Execution: Netsh Helper DLL
        System Network Configuration Discovery: Wi-Fi Discovery
        
        PID:4180
        
        C:\Windows\SysWOW64\findstr.exe
        
        findstr All
        38⤵
        
        PID:4216
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd.exe" /C chcp 65001 && netsh wlan show networks mode=bssid
        37⤵
        
        PID:2216
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        38⤵
        
        PID:4292
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh wlan show networks mode=bssid
        38⤵
        Event Triggered Execution: Netsh Helper DLL
        
        PID:4580
        
        C:\Users\Admin\AppData\Local\Temp\Rebel\RebelCracked.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Rebel\RebelCracked.exe"
        35⤵
        
        PID:3632
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        36⤵
        
        PID:3992
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        37⤵
        
        PID:3776
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        37⤵
        
        PID:3228
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        37⤵
        
        PID:3768
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        37⤵
        
        PID:4092
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        37⤵
        
        PID:3440
        
        C:\Users\Admin\AppData\Local\Temp\Rebel\RebelCracked.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Rebel\RebelCracked.exe"
        36⤵
        
        PID:3516
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        37⤵
        Suspicious use of SetThreadContext
        
        PID:3280
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        38⤵
        Drops desktop.ini file(s)
        Checks processor information in registry
        Suspicious use of AdjustPrivilegeToken
        
        PID:3948
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All
        39⤵
        System Network Configuration Discovery: Wi-Fi Discovery
        
        PID:4492
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        40⤵
        System Location Discovery: System Language Discovery
        
        PID:4544
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh wlan show profile
        40⤵
        Event Triggered Execution: Netsh Helper DLL
        
        PID:4520
        
        C:\Windows\SysWOW64\findstr.exe
        
        findstr All
        40⤵
        
        PID:4556
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd.exe" /C chcp 65001 && netsh wlan show networks mode=bssid
        39⤵
        
        PID:2312
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        40⤵
        
        PID:4704
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh wlan show networks mode=bssid
        40⤵
        Event Triggered Execution: Netsh Helper DLL
        
        PID:4712
        
        C:\Users\Admin\AppData\Local\Temp\Rebel\RebelCracked.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Rebel\RebelCracked.exe"
        37⤵
        
        PID:4076
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        38⤵
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:2648
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        39⤵
        Checks processor information in registry
        Suspicious use of AdjustPrivilegeToken
        
        PID:3928
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All
        40⤵
        
        PID:4204
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        41⤵
        
        PID:4656
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh wlan show profile
        41⤵
        System Network Configuration Discovery: Wi-Fi Discovery
        
        PID:5024
        
        C:\Windows\SysWOW64\findstr.exe
        
        findstr All
        41⤵
        
        PID:4992
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd.exe" /C chcp 65001 && netsh wlan show networks mode=bssid
        40⤵
        
        PID:4452
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        41⤵
        System Location Discovery: System Language Discovery
        
        PID:2448
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh wlan show networks mode=bssid
        41⤵
        
        PID:4356
        
        C:\Users\Admin\AppData\Local\Temp\Rebel\RebelCracked.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Rebel\RebelCracked.exe"
        38⤵
        
        PID:3080
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        39⤵
        Suspicious use of SetThreadContext
        
        PID:3832
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        40⤵
        Drops desktop.ini file(s)
        System Location Discovery: System Language Discovery
        Checks processor information in registry
        Suspicious use of AdjustPrivilegeToken
        
        PID:3656
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All
        41⤵
        System Location Discovery: System Language Discovery
        
        PID:5284
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        42⤵
        
        PID:5384
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh wlan show profile
        42⤵
        System Location Discovery: System Language Discovery
        System Network Configuration Discovery: Wi-Fi Discovery
        
        PID:5416
        
        C:\Windows\SysWOW64\findstr.exe
        
        findstr All
        42⤵
        
        PID:5428
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd.exe" /C chcp 65001 && netsh wlan show networks mode=bssid
        41⤵
        
        PID:5488
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        42⤵
        
        PID:5512
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh wlan show networks mode=bssid
        42⤵
        
        PID:5520
        
        C:\Users\Admin\AppData\Local\Temp\Rebel\RebelCracked.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Rebel\RebelCracked.exe"
        39⤵
        
        PID:3460
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        40⤵
        Suspicious use of SetThreadContext
        
        PID:3160
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        41⤵
        
        PID:3552
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        41⤵
        
        PID:3712
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        41⤵
        
        PID:2480
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        41⤵
        Drops desktop.ini file(s)
        Checks processor information in registry
        Suspicious use of AdjustPrivilegeToken
        
        PID:2612
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All
        42⤵
        
        PID:4280
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        43⤵
        
        PID:4656
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh wlan show profile
        43⤵
        Event Triggered Execution: Netsh Helper DLL
        System Network Configuration Discovery: Wi-Fi Discovery
        
        PID:4256
        
        C:\Windows\SysWOW64\findstr.exe
        
        findstr All
        43⤵
        
        PID:4716
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd.exe" /C chcp 65001 && netsh wlan show networks mode=bssid
        42⤵
        
        PID:4344
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        43⤵
        
        PID:2648
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh wlan show networks mode=bssid
        43⤵
        
        PID:4992
        
        C:\Users\Admin\AppData\Local\Temp\Rebel\RebelCracked.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Rebel\RebelCracked.exe"
        40⤵
        
        PID:2448
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        41⤵
        Suspicious use of SetThreadContext
        
        PID:2148
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        42⤵
        
        PID:3460
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        42⤵
        Checks processor information in registry
        Suspicious use of AdjustPrivilegeToken
        
        PID:1488
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All
        43⤵
        System Location Discovery: System Language Discovery
        System Network Configuration Discovery: Wi-Fi Discovery
        
        PID:5304
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        44⤵
        
        PID:4248
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh wlan show profile
        44⤵
        System Network Configuration Discovery: Wi-Fi Discovery
        
        PID:5332
        
        C:\Windows\SysWOW64\findstr.exe
        
        findstr All
        44⤵
        
        PID:5324
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd.exe" /C chcp 65001 && netsh wlan show networks mode=bssid
        43⤵
        
        PID:4292
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        44⤵
        System Location Discovery: System Language Discovery
        
        PID:3724
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh wlan show networks mode=bssid
        44⤵
        Event Triggered Execution: Netsh Helper DLL
        
        PID:5392
        
        C:\Users\Admin\AppData\Local\Temp\Rebel\RebelCracked.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Rebel\RebelCracked.exe"
        41⤵
        
        PID:3400
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        42⤵
        
        PID:1632
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        43⤵
        
        PID:3780
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        43⤵
        
        PID:3652
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        43⤵
        
        PID:3392
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        43⤵
        
        PID:4064
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        43⤵
        
        PID:3848
        
        C:\Users\Admin\AppData\Local\Temp\Rebel\RebelCracked.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Rebel\RebelCracked.exe"
        42⤵
        
        PID:4000
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        43⤵
        Suspicious use of SetThreadContext
        
        PID:4076
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        44⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:3300
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All
        45⤵
        
        PID:5228
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        46⤵
        
        PID:5844
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh wlan show profile
        46⤵
        Event Triggered Execution: Netsh Helper DLL
        System Network Configuration Discovery: Wi-Fi Discovery
        
        PID:5220
        
        C:\Windows\SysWOW64\findstr.exe
        
        findstr All
        46⤵
        
        PID:5304
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd.exe" /C chcp 65001 && netsh wlan show networks mode=bssid
        45⤵
        
        PID:5640
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        46⤵
        
        PID:6000
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh wlan show networks mode=bssid
        46⤵
        Event Triggered Execution: Netsh Helper DLL
        
        PID:4580
        
        C:\Users\Admin\AppData\Local\Temp\Rebel\RebelCracked.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Rebel\RebelCracked.exe"
        43⤵
        
        PID:2284
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        44⤵
        Suspicious use of SetThreadContext
        
        PID:4864
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        45⤵
        Drops desktop.ini file(s)
        Suspicious use of AdjustPrivilegeToken
        
        PID:4908
        
        C:\Users\Admin\AppData\Local\Temp\Rebel\RebelCracked.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Rebel\RebelCracked.exe"
        44⤵
        
        PID:4872
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        45⤵
        Suspicious use of SetThreadContext
        
        PID:4784
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        46⤵
        
        PID:4840
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        46⤵
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:4852
        
        C:\Users\Admin\AppData\Local\Temp\Rebel\RebelCracked.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Rebel\RebelCracked.exe"
        45⤵
        
        PID:4808
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        46⤵
        Suspicious use of SetThreadContext
        
        PID:4476
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        47⤵
        Drops desktop.ini file(s)
        Suspicious use of AdjustPrivilegeToken
        
        PID:4592
        
        C:\Users\Admin\AppData\Local\Temp\Rebel\RebelCracked.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Rebel\RebelCracked.exe"
        46⤵
        
        PID:4532
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        47⤵
        Suspicious use of SetThreadContext
        
        PID:4828
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        48⤵
        
        PID:4944
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        48⤵
        
        PID:4616
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        48⤵
        Drops desktop.ini file(s)
        Suspicious use of AdjustPrivilegeToken
        
        PID:4936
        
        C:\Users\Admin\AppData\Local\Temp\Rebel\RebelCracked.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Rebel\RebelCracked.exe"
        47⤵
        
        PID:4388
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        48⤵
        Suspicious use of SetThreadContext
        
        PID:4612
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        49⤵
        
        PID:4960
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        49⤵
        
        PID:4792
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        49⤵
        Drops desktop.ini file(s)
        Suspicious use of AdjustPrivilegeToken
        
        PID:4796
        
        C:\Users\Admin\AppData\Local\Temp\Rebel\RebelCracked.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Rebel\RebelCracked.exe"
        48⤵
        
        PID:4628
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        49⤵
        Suspicious use of SetThreadContext
        
        PID:4464
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        50⤵
        Drops desktop.ini file(s)
        Checks processor information in registry
        Suspicious use of AdjustPrivilegeToken
        
        PID:4520
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All
        51⤵
        System Network Configuration Discovery: Wi-Fi Discovery
        
        PID:4264
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        52⤵
        
        PID:4140
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh wlan show profile
        52⤵
        Event Triggered Execution: Netsh Helper DLL
        
        PID:4188
        
        C:\Windows\SysWOW64\findstr.exe
        
        findstr All
        52⤵
        System Location Discovery: System Language Discovery
        
        PID:2052
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd.exe" /C chcp 65001 && netsh wlan show networks mode=bssid
        51⤵
        
        PID:4256
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        52⤵
        
        PID:4344
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh wlan show networks mode=bssid
        52⤵
        Event Triggered Execution: Netsh Helper DLL
        
        PID:5088
        
        C:\Users\Admin\AppData\Local\Temp\Rebel\RebelCracked.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Rebel\RebelCracked.exe"
        49⤵
        
        PID:4504
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        50⤵
        Suspicious use of SetThreadContext
        
        PID:4688
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        51⤵
        
        PID:4768
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        51⤵
        
        PID:4996
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        51⤵
        
        PID:4980
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        51⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:4784
        
        C:\Users\Admin\AppData\Local\Temp\Rebel\RebelCracked.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Rebel\RebelCracked.exe"
        50⤵
        
        PID:4836
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        51⤵
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:4724
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        52⤵
        
        PID:4544
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        52⤵
        Drops desktop.ini file(s)
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:4900
        
        C:\Users\Admin\AppData\Local\Temp\Rebel\RebelCracked.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Rebel\RebelCracked.exe"
        51⤵
        
        PID:1920
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        52⤵
        Suspicious use of SetThreadContext
        
        PID:4516
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        53⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:4328
        
        C:\Users\Admin\AppData\Local\Temp\Rebel\RebelCracked.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Rebel\RebelCracked.exe"
        52⤵
        
        PID:2752
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        53⤵
        Suspicious use of SetThreadContext
        
        PID:4516
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        54⤵
        
        PID:4800
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        54⤵
        
        PID:3140
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        54⤵
        
        PID:4808
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        54⤵
        Drops desktop.ini file(s)
        Suspicious use of AdjustPrivilegeToken
        
        PID:4136
        
        C:\Users\Admin\AppData\Local\Temp\Rebel\RebelCracked.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Rebel\RebelCracked.exe"
        53⤵
        
        PID:4184
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        54⤵
        Suspicious use of SetThreadContext
        
        PID:4292
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        55⤵
        Drops desktop.ini file(s)
        Suspicious use of AdjustPrivilegeToken
        
        PID:4844
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All
        56⤵
        System Network Configuration Discovery: Wi-Fi Discovery
        
        PID:5616
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        57⤵
        
        PID:5780
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh wlan show profile
        57⤵
        Event Triggered Execution: Netsh Helper DLL
        
        PID:5804
        
        C:\Windows\SysWOW64\findstr.exe
        
        findstr All
        57⤵
        
        PID:5904
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd.exe" /C chcp 65001 && netsh wlan show networks mode=bssid
        56⤵
        
        PID:5480
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        57⤵
        
        PID:3968
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh wlan show networks mode=bssid
        57⤵
        
        PID:5632
        
        C:\Users\Admin\AppData\Local\Temp\Rebel\RebelCracked.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Rebel\RebelCracked.exe"
        54⤵
        
        PID:4316
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        55⤵
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:4552
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        56⤵
        Drops desktop.ini file(s)
        Checks processor information in registry
        Suspicious use of AdjustPrivilegeToken
        
        PID:2308
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All
        57⤵
        System Location Discovery: System Language Discovery
        System Network Configuration Discovery: Wi-Fi Discovery
        
        PID:6116
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        58⤵
        
        PID:6140
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh wlan show profile
        58⤵
        Event Triggered Execution: Netsh Helper DLL
        System Network Configuration Discovery: Wi-Fi Discovery
        
        PID:5024
        
        C:\Windows\SysWOW64\findstr.exe
        
        findstr All
        58⤵
        
        PID:3156
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd.exe" /C chcp 65001 && netsh wlan show networks mode=bssid
        57⤵
        
        PID:5260
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        58⤵
        
        PID:5248
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh wlan show networks mode=bssid
        58⤵
        
        PID:4704
        
        C:\Users\Admin\AppData\Local\Temp\Rebel\RebelCracked.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Rebel\RebelCracked.exe"
        55⤵
        
        PID:4992
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        56⤵
        Suspicious use of SetThreadContext
        
        PID:4300
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        57⤵
        Drops desktop.ini file(s)
        Suspicious use of AdjustPrivilegeToken
        
        PID:4700
        
        C:\Users\Admin\AppData\Local\Temp\Rebel\RebelCracked.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Rebel\RebelCracked.exe"
        56⤵
        
        PID:4716
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        57⤵
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:4316
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        58⤵
        Drops desktop.ini file(s)
        Suspicious use of AdjustPrivilegeToken
        
        PID:5052
        
        C:\Users\Admin\AppData\Local\Temp\Rebel\RebelCracked.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Rebel\RebelCracked.exe"
        57⤵
        
        PID:4280
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        58⤵
        Suspicious use of SetThreadContext
        
        PID:4964
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        59⤵
        Drops desktop.ini file(s)
        Suspicious use of AdjustPrivilegeToken
        
        PID:2312
        
        C:\Users\Admin\AppData\Local\Temp\Rebel\RebelCracked.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Rebel\RebelCracked.exe"
        58⤵
        
        PID:4100
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        59⤵
        Suspicious use of SetThreadContext
        
        PID:5084
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        60⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:4368
        
        C:\Users\Admin\AppData\Local\Temp\Rebel\RebelCracked.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Rebel\RebelCracked.exe"
        59⤵
        
        PID:4452
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        60⤵
        Suspicious use of SetThreadContext
        
        PID:4360
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        61⤵
        Drops desktop.ini file(s)
        Suspicious use of AdjustPrivilegeToken
        
        PID:4916
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All
        62⤵
        System Location Discovery: System Language Discovery
        
        PID:5608
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        63⤵
        
        PID:5360
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh wlan show profile
        63⤵
        Event Triggered Execution: Netsh Helper DLL
        
        PID:5824
        
        C:\Windows\SysWOW64\findstr.exe
        
        findstr All
        63⤵
        
        PID:6036
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd.exe" /C chcp 65001 && netsh wlan show networks mode=bssid
        62⤵
        
        PID:5392
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        63⤵
        
        PID:5124
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh wlan show networks mode=bssid
        63⤵
        System Location Discovery: System Language Discovery
        
        PID:5504
        
        C:\Users\Admin\AppData\Local\Temp\Rebel\RebelCracked.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Rebel\RebelCracked.exe"
        60⤵
        
        PID:3740
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        61⤵
        Suspicious use of SetThreadContext
        
        PID:4292
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        62⤵
        Drops desktop.ini file(s)
        Suspicious use of AdjustPrivilegeToken
        
        PID:1684
        
        C:\Users\Admin\AppData\Local\Temp\Rebel\RebelCracked.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Rebel\RebelCracked.exe"
        61⤵
        
        PID:2648
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        62⤵
        Suspicious use of SetThreadContext
        
        PID:5924
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        63⤵
        
        PID:5972
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        63⤵
        Drops desktop.ini file(s)
        Suspicious use of AdjustPrivilegeToken
        
        PID:5988
        
        C:\Users\Admin\AppData\Local\Temp\Rebel\RebelCracked.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Rebel\RebelCracked.exe"
        62⤵
        
        PID:5948
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        63⤵
        Suspicious use of SetThreadContext
        
        PID:5776
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        64⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:5856
        
        C:\Users\Admin\AppData\Local\Temp\Rebel\RebelCracked.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Rebel\RebelCracked.exe"
        63⤵
        
        PID:5836
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        64⤵
        Suspicious use of SetThreadContext
        
        PID:6028
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        65⤵
        Drops desktop.ini file(s)
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:5748
        
        C:\Users\Admin\AppData\Local\Temp\Rebel\RebelCracked.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Rebel\RebelCracked.exe"
        64⤵
        
        PID:6092
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        65⤵
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:5700
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        66⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:6128
        
        C:\Users\Admin\AppData\Local\Temp\Rebel\RebelCracked.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Rebel\RebelCracked.exe"
        65⤵
        
        PID:5884
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        66⤵
        Suspicious use of SetThreadContext
        
        PID:6104
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        67⤵
        
        PID:4216
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        67⤵
        
        PID:5208
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        67⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:5188
        
        C:\Users\Admin\AppData\Local\Temp\Rebel\RebelCracked.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Rebel\RebelCracked.exe"
        66⤵
        
        PID:3576
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        67⤵
        Suspicious use of SetThreadContext
        
        PID:6116
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        68⤵
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:5844
        
        C:\Users\Admin\AppData\Local\Temp\Rebel\RebelCracked.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Rebel\RebelCracked.exe"
        67⤵
        
        PID:5852
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        68⤵
        
        PID:6100
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        69⤵
        
        PID:5360
        
        C:\Users\Admin\AppData\Local\Temp\Rebel\RebelCracked.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Rebel\RebelCracked.exe"
        68⤵
        
        PID:4704
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        69⤵
        
        PID:1496
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        70⤵
        
        PID:5220
        
        C:\Users\Admin\AppData\Local\Temp\Rebel\RebelCracked.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Rebel\RebelCracked.exe"
        69⤵
        
        PID:5324
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        70⤵
        
        PID:5928
        
        C:\Users\Admin\AppData\Local\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
        71⤵
        
        PID:5884
        
        C:\Users\Admin\AppData\Local\Temp\Rebel\RebelCracked.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Rebel\RebelCracked.exe"
        70⤵
        
        PID:5528

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "131219613813358215441314826899675746025-278945081-2508647612105179712113917957"
1⤵
PID:4180

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Privilege Escalation

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Defense Evasion

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

System Network Configuration Discovery

T1016

Wi-Fi Discovery

T1016.002

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\05039a44b73f973d6341ee5ab9aaeb9b\Admin@CCJBVTGQ_en-US\Browsers\Firefox\Bookmarks.txt

Filesize
105B

MD5
2e9d094dda5cdc3ce6519f75943a4ff4

SHA1
5d989b4ac8b699781681fe75ed9ef98191a5096c

SHA256
c84c98bbf5e0ef9c8d0708b5d60c5bb656b7d6be5135d7f7a8d25557e08cf142

SHA512
d1f7eed00959e902bdb2125b91721460d3ff99f3bdfc1f2a343d4f58e8d4e5e5a06c0c6cdc0379211c94510f7c00d7a8b34fa7d0ca0c3d54cbbe878f1e9812b7

Download Submit
C:\Users\Admin\AppData\Local\05039a44b73f973d6341ee5ab9aaeb9b\Admin@CCJBVTGQ_en-US\System\Process.txt

Filesize
591B

MD5
03127309ebc4d98bc0e81a1d3348483e

SHA1
00777ac706b233c4bcfc66efa400cd8d8000d7a6

SHA256
ad76999dea60d311bc70c90b674d992790f81717e4442b8c88187b5a64624e52

SHA512
efefe1be292817e3b832e0e20726854fdf45e6ddc4afb288f7c3ffbf34cf17a44c0353c1b116cf5f719548c52c6cfc5c594e1abb453e6483090752ffcf8f2c7c

Download Submit
C:\Users\Admin\AppData\Local\05039a44b73f973d6341ee5ab9aaeb9b\msgid.dat

Filesize
1B

MD5
cfcd208495d565ef66e7dff9f98764da

SHA1
b6589fc6ab0dc82cf12099d1c2d40ab994e8410c

SHA256
5feceb66ffc86f38d952786c6d696c79c2dbc239dd4e91b46729d73a27fb57e9

SHA512
31bca02094eb78126a517b206a88c73cfa9ec6f704c7030d18212cace820f025f00bf0ea68dbf3f3a5436ca63b53bf7bf80ad8d5de7d8359d0b7fed9dbc3ab99

Download Submit
C:\Users\Admin\AppData\Local\12b4d00d258a1d161f055be15e52145f\Admin@CCJBVTGQ_en-US\System\Process.txt

Filesize
4KB

MD5
dc6d06385febe55e9225bf8baefb4128

SHA1
91b922f1c553dc7615c93b84b5473fcb139fe738

SHA256
db6069d5f869149d7aa5e737628c575c42b519795761e42f7dff7d66a172f8f2

SHA512
a70babba941014caba661712303d79d6a170874537f20526133e5e1b06a381cdf4a806a7b3255ac0361106c7731180c328876b0c9010e581e7b00cdb5586a801

Download Submit
C:\Users\Admin\AppData\Local\12b4d00d258a1d161f055be15e52145f\Admin@CCJBVTGQ_en-US\System\Process.txt

Filesize
513B

MD5
dba12169ebb088ffc6fe766149852ed5

SHA1
79dc6e5d5128d1971fb36e913c9b376f7cf60000

SHA256
11d473453fd464b91296f78f7f058ca5c2ae01a33e95a03041d410258d523dbb

SHA512
d86c025de64fdf3e175a642bb38733884f81bb0cdb0853dbcde1e8e22b5f5b69f4bcb48d740bd0f6b034a0df27d32d20246b89b30d93f405707fdca5d65bd3ea

Download Submit
C:\Users\Admin\AppData\Local\12b4d00d258a1d161f055be15e52145f\Admin@CCJBVTGQ_en-US\System\Process.txt

Filesize
4KB

MD5
d36150a7aab0745de5aa6a453e53b675

SHA1
d23595d099c82a9a4308478c506c64e785f79c1c

SHA256
5701dae14c8cf50bcc5e6e487fddf8a5288e8c7fa06c724ba86e45bd2abb2d3f

SHA512
acbbd707a2452b3959a7bc7a85924248d87bbe68a612de6090cd81e89d05e8504f6da425aabaa0bdfc94b8daa5a1e1290c8a01ec1f87f2791fa5e1b42f5d5743

Download Submit
C:\Users\Admin\AppData\Local\12b4d00d258a1d161f055be15e52145f\Admin@CCJBVTGQ_en-US\System\Process.txt

Filesize
3KB

MD5
c29a0e68458c083f1518487a32ee6fba

SHA1
3c5f1aed189f6889e647f5f829651d6db845b67a

SHA256
bdc2c641bbb69949427aa4b0c4ff3c863dbd484b7bff0d3e30454dab82298e7b

SHA512
491e7ca8083d6b215e6fb4ec7274c7099d673e040221a90f62df510f4de637bfe5f830466f561db8bb1a0ae4435231a26ea545a5ca5e9e68bfb5f530574c4249

Download Submit
C:\Users\Admin\AppData\Local\12b4d00d258a1d161f055be15e52145f\Admin@CCJBVTGQ_en-US\System\Process.txt

Filesize
4KB

MD5
ff8e4bf12d8aa83ad4c59b769241edd4

SHA1
18149c656e49a905fcda2480c42879fa3c395340

SHA256
999a7f4a504d238d12f5b5d1b76c0f3bd6f1a7697bad1d60a0525a235dbdebb1

SHA512
b87b05e1d6da0e055443ab0225a3258723a89d9a96f0914d7f041fa3b7b16f75c8c0059ccb770ea2117f66fa81e69eb5c4eabca2b96da8b507f240a5057ca254

Download Submit
C:\Users\Admin\AppData\Local\12b4d00d258a1d161f055be15e52145f\Admin@CCJBVTGQ_en-US\System\Process.txt

Filesize
4KB

MD5
88cc9567b91ae8267832d33cdc782f6c

SHA1
b45d4c46f663f4de3be3ee9408532b3e80167820

SHA256
f375c9c18ce13ad315643bb724991e793a7392fdc97006f8e1f833ed7b6bc867

SHA512
2e1037a2e686940bc1182227a6dcfcbdce59ee3d6b2beb73e0a84584637cf69fc9914fa6a723f136bce9e1c534c15e7c33a6d330593cf34812f346013bce0ebf

Download Submit
C:\Users\Admin\AppData\Local\19b99f596f4d554fe8a883b639e4030d\Admin@CCJBVTGQ_en-US\System\Process.txt

Filesize
292B

MD5
61d5ca1401bae6e49e616a99bb7b8739

SHA1
1a15f1880309577952ae5f8f65f19f3ba686a7a4

SHA256
07e9e61ba0e41795c8611eb419404ed3de648e9b73b9b567489d97f708643fd7

SHA512
0b8cd237397608f5a80236ac58e90a51ffd9ddaa2fd229f9029a693eed264d5464876e6d052f825fc97d55dcadaa3433656746e02360960b1892ddae7ebdc114

Download Submit
C:\Users\Admin\AppData\Local\19b99f596f4d554fe8a883b639e4030d\Admin@CCJBVTGQ_en-US\System\Process.txt

Filesize
2KB

MD5
266db110946cb167adcd0a71c9ae8fbc

SHA1
da23edca42aea8aec6e232705a6f7f6bbfd769d1

SHA256
e96fe1d1d62801667019aa56251f05e528b36e215bf9b74fac2832ca2cdfeab7

SHA512
c92bdf0ea848e6a7b91c5013d6758b66128b83bbce82f40047b85e629e0acd26c6d645106976cd9db54d08354f3fb01dcdfd92a063f4bdc5899c26d5f494ff1f

Download Submit
C:\Users\Admin\AppData\Local\19b99f596f4d554fe8a883b639e4030d\Admin@CCJBVTGQ_en-US\System\Process.txt

Filesize
4KB

MD5
d73550a9b07595e0382524c354e98313

SHA1
487ee7b7e29e2ea0ce07cbe4bf67bfffa1f14687

SHA256
dab2bac94c9cc203e1c00aa849b59ea034228c30d48a57b955ca3573ce8a267f

SHA512
03d9a41375fadc066e799bb9276748d12d9ee228a0b248ba51d1df853bc249c02ecd2a7a1ffe13a3abd80d7ca4e1def1ce126d66c0a2e9ae659af4391b81e442

Download Submit
C:\Users\Admin\AppData\Local\19b99f596f4d554fe8a883b639e4030d\Admin@CCJBVTGQ_en-US\System\Process.txt

Filesize
546B

MD5
eb1d16ae96df9522f22350e247ec423b

SHA1
096bb822afcdf49d1271c14d50b995e17df909c7

SHA256
9a1b8450ab572a1b145ff1c0beb029f82499d134da4c0da23dc34707fa59ff06

SHA512
7165b8652d6e5f44a8e55760b5be5d43ce7f2a2fcc5043569af105517e27615c58400e8a0c1a71e0d191afa52f30ddf6600b6770a977fc0fccac4e9b5dbaff8b

Download Submit
C:\Users\Admin\AppData\Local\19b99f596f4d554fe8a883b639e4030d\Admin@CCJBVTGQ_en-US\System\Process.txt

Filesize
4KB

MD5
1966a07cc10d7ab5410dc12bae86ffeb

SHA1
a13b5050cd59c72173bb2c736e7899c6e431bf08

SHA256
b04cb29204e181b794e5bf667cd0e4b0fb7675be528dcdaa1ee16def2bc8bd37

SHA512
5852aa13517493ed2a7e6a251038a961d4ca02dc94a42128b4c487a6a88840bb8a0ca47ae412f844faa0539b2f1a7e60fce3e9cb00cbdc32021783b956fc4c8c

Download Submit
C:\Users\Admin\AppData\Local\19b99f596f4d554fe8a883b639e4030d\Admin@CCJBVTGQ_en-US\System\ScanningNetworks.txt

Filesize
177B

MD5
d220a95c190f1333babf48da5b0f7920

SHA1
14791ec4d13c1c53b27c2df2055f18e900b55223

SHA256
40478483dcb5ed969c76a7a8eae97c3a1a674ac9516b518d4e67f38392528f6a

SHA512
ef53c8257bf40163bc7c518f493102614ae50136a06b50b73d92d1e59f29561cd3a8ac9784dccac81af00905314cc8b407d974d99ae43124f36f5dea7066b096

Download Submit
C:\Users\Admin\AppData\Local\3350a8b673d485a30a60853066ba34ac\Admin@CCJBVTGQ_en-US\System\Process.txt

Filesize
196B

MD5
9b06710feda1336bfe3eab2c5807d65d

SHA1
a3bfad4a95eaee6d53808f98a8697f25e9f7de94

SHA256
80ee92ba379b2728bb1696d42616ebd5eed173bb1917199b919ae1d5d4404724

SHA512
36434992e8c9d587c6c221b11cc1688ef0a76b61010c8bbd35f5645e43dd1f694a718e4ea00ed58ad1c91434cb97929affe71a335fe34e7316b6987c9300c130

Download Submit
C:\Users\Admin\AppData\Local\3350a8b673d485a30a60853066ba34ac\Admin@CCJBVTGQ_en-US\System\Process.txt

Filesize
259B

MD5
c099b7bb60c1ba737c77891d6d3102c9

SHA1
5e5f5061469d94a81a62c2461b5f03e9825ef80a

SHA256
c32b87b63413b5a542174ac3776592ff240a5358d3aad386e32a286808bbe210

SHA512
32f1bc4e852f9cc9dccebdba99a9886d12bf837e9d1b45588d6c7836483584df185cd4d60509e18e152822cf8166b19f55520a2c363f200f2669e52876985e84

Download Submit
C:\Users\Admin\AppData\Local\3350a8b673d485a30a60853066ba34ac\Admin@CCJBVTGQ_en-US\System\Process.txt

Filesize
4KB

MD5
b2184725352803d7e35a84cffcfa2dcf

SHA1
6069ea2608e1e6298ed5b0df6cfcc4fa6f2513e6

SHA256
09f2fbeef2ad41717e4d8f42d3aff8c06260e7fe9ae3692bb4fbfa384c2ee6f2

SHA512
9a6cbe1c2df7a092b9b58dd1618a446573556d3c74c8c54c6b7088626521925852849414d8747b26a13eaf44aa7dd8782fc80da85857f02e311e4e081c02455e

Download Submit
C:\Users\Admin\AppData\Local\9b9ee9dd04458a34fd24efcc9cbe5a28\Admin@CCJBVTGQ_en-US\System\Process.txt

Filesize
748B

MD5
d689147805083f910760e43d590e903c

SHA1
745c9221e82f1dd03848d1cff19bcbda23112c17

SHA256
b9365e88a110b9927691ba651d5e395de70001020399d5548ac01729ac692410

SHA512
a24803e89b829833f157f7ab50c25c07b4a705acb9840c197506272f18e696dfbd470d45632074ef2dfc3b23e2756e44c42f510ca8d38d777db2981d191781e2

Download Submit
C:\Users\Admin\AppData\Local\9b9ee9dd04458a34fd24efcc9cbe5a28\Admin@CCJBVTGQ_en-US\System\Process.txt

Filesize
412B

MD5
e005677684ac9f6c87d6dd1c9a4d47a7

SHA1
d31a54a8c2542aa656fd797650613cbdd9851453

SHA256
4417ece206c30f425f854d5555059b12f1059b7b3c318cd37501c772464502ff

SHA512
e43ed90b80a813e93e8d30fc37d02642692981f2c0f3f5e2c5f22ed4e31cc4dc5a3bb13a8b5c49715464be0782f6aaeb783c5428929d5e2a6e7a5c1298bddfe8

Download Submit
C:\Users\Admin\AppData\Local\9b9ee9dd04458a34fd24efcc9cbe5a28\Admin@CCJBVTGQ_en-US\System\Process.txt

Filesize
601B

MD5
b3a5e0e2583b7e1890f6bc686ccc6456

SHA1
c35423f5607262c56a66a8cb0caa297698c87d03

SHA256
e28e51add847c9682a2950ff6a082b12b571e26880d2601dc3836d493c27ff73

SHA512
3217a782fc25540c54c1d28224aae4810ec40d22df96a9bdd792e97c0b13a823c72969eea4df0a457263b951fc6a2698ef664dd70728c3705ac5a6ec306ef961

Download Submit
C:\Users\Admin\AppData\Local\9b9ee9dd04458a34fd24efcc9cbe5a28\Admin@CCJBVTGQ_en-US\System\Process.txt

Filesize
3KB

MD5
ee9372d936572173136b4dd9e7ebdfae

SHA1
8dae1169d7337173a006330c22a57637bab7da07

SHA256
eb4a9b3542e84af40da1710e02fdc82a7adea3d5019bb6809f8f14f4ae06fb95

SHA512
7f69f08b0ca8c974e2e76e2d814bb04d8ec76c139a1b9c3cd4728304056dc19e568a11d029b3b6ac8532f7f05f6e24f6b75bdf6d6866635674d0644dca324577

Download Submit
C:\Users\Admin\AppData\Local\9b9ee9dd04458a34fd24efcc9cbe5a28\Admin@CCJBVTGQ_en-US\System\Process.txt

Filesize
4KB

MD5
29e782d8f88a2e534d7232aca3759444

SHA1
efb1e7c796cbe1f6650b121e9e8b3227049751d5

SHA256
7dd3808fc22369f04b04093f114ed760265e95fd73d9d70edaac4a196ad1430a

SHA512
1382dbbe50a3cfe709c9c887e26f968416bf3238fff14881fab7e12145e16bb492ae000c11d00fcec5afc288bb561750c39814645e37d7298a83e5f203764877

Download Submit
C:\Users\Admin\AppData\Local\9b9ee9dd04458a34fd24efcc9cbe5a28\Admin@CCJBVTGQ_en-US\System\Process.txt

Filesize
287B

MD5
210db602e9098991cd54ced6bc61d8bb

SHA1
d3740bc6c2024263acd5db7644ece63cd1a644dc

SHA256
25cd7b07266d55448c1ef7e5a428ab3d9c5f67593b74d370d4477e2942501b3c

SHA512
9a422e4a840b7e56f000103d644398c52d6813accfac31f2242ef57819388000634023ecaf339f3c6c0ba3cbbbd451ec8e42d8f53b7201df84b45cec7be5efd5

Download Submit
C:\Users\Admin\AppData\Local\9b9ee9dd04458a34fd24efcc9cbe5a28\Admin@CCJBVTGQ_en-US\System\Process.txt

Filesize
4KB

MD5
3897019c673fed64ec288f7c36ced165

SHA1
9154083d5644829b86f9b0c81b285347fec6609e

SHA256
e3021c71ed5437dc1dc4672d907d6ef99a21ee1f0522cb7d0443560e991e3b09

SHA512
9d357f6e9ab44518ef3069698ace6054ee5434a1d2e0dd83c0b856ba921261d97f4c6c64c6c142ccad8ef0bdfefc891d30bfda0a3341bb99121624199fa269b1

Download Submit
C:\Users\Admin\AppData\Local\RuntimeBroker.exe

Filesize
330KB

MD5
75e456775c0a52b6bbe724739fa3b4a7

SHA1
1f4c575e98d48775f239ceae474e03a3058099ea

SHA256
e8d52d0d352317b3da0be6673099d32e10e7b0e44d23a0c1a6a5277d37b95cf3

SHA512
b376146c6fa91f741d69acf7b02a57442d2ea059be37b9bdb06af6cc01272f4ded1a82e4e21b9c803d0e91e22fc12f70391f5e8c8704d51b2435afc9624e8471

Download Submit
C:\Users\Admin\AppData\Local\Temp\places.raw

Filesize
5.0MB

MD5
c5ec8e3a3ac8a0b4def250704fadbe97

SHA1
0673f991bef6c568e04e37ae93567ab6369b8b46

SHA256
d72959f1ac7ba38109198851384bac6b086b0b4d859334719d8898b81ce4ca70

SHA512
2094ed53e365418bfc58ea71947280e71f712a20a28c1f49c44b3128032796a3066323a717dc74e4240fd03187c007660b285a5a300d5603d68ae61847e562d0

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp3A23.tmp.dat

Filesize
92KB

MD5
102841a614a648b375e94e751611b38f

SHA1
1368e0d6d73fa3cee946bdbf474f577afffe2a43

SHA256
c82ee2a0dc2518cb1771e07ce4b91f5ef763dd3dd006819aece867e82a139264

SHA512
ca18a888dca452c6b08ad9f14b4936eb9223346c45c96629c3ee4dd6742e947b6825662b42e793135e205af77ad35e6765ac6a2b42cefed94781b3463a811f0a

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp3A35.tmp.dat

Filesize
148KB

MD5
90a1d4b55edf36fa8b4cc6974ed7d4c4

SHA1
aba1b8d0e05421e7df5982899f626211c3c4b5c1

SHA256
7cf3e9e8619904e72ea6608cc43e9b6c9f8aa2af02476f60c2b3daf33075981c

SHA512
ea0838be754e1258c230111900c5937d2b0788f90bbf7c5f82b2ceda7868e50afb86c301f313267eaa912778da45755560b5434885521bf915967a7863922ae2

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp42DB.tmp.dat

Filesize
46KB

MD5
02d2c46697e3714e49f46b680b9a6b83

SHA1
84f98b56d49f01e9b6b76a4e21accf64fd319140

SHA256
522cad95d3fa6ebb3274709b8d09bbb1ca37389d0a924cd29e934a75aa04c6c9

SHA512
60348a145bfc71b1e07cb35fa79ab5ff472a3d0a557741ea2d39b3772bc395b86e261bd616f65307ae0d997294e49b5548d32f11e86ef3e2704959ca63da8aac

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp42FE.tmp.dat

Filesize
96KB

MD5
d367ddfda80fdcf578726bc3b0bc3e3c

SHA1
23fcd5e4e0e5e296bee7e5224a8404ecd92cf671

SHA256
0b8607fdf72f3e651a2a8b0ac7be171b4cb44909d76bb8d6c47393b8ea3d84a0

SHA512
40e9239e3f084b4b981431817ca282feb986cf49227911bf3d68845baf2ee626b564c8fabe6e13b97e6eb214da1c02ca09a62bcf5e837900160cf479c104bf77

Download Submit
C:\Users\Admin\AppData\Local\d2a705d62e0ea7e9741c3061b549ff86\Admin@CCJBVTGQ_en-US\System\Process.txt

Filesize
4KB

MD5
ef04eae9fe0e3f9a23f81b9811bf620f

SHA1
f4c40d65cfc22395fb4f24b94fed0571878c4fb1

SHA256
d434db7ecffd45ff7a223f93aefe32a46089e66639b08e91d2b18c52ccd6cfc7

SHA512
70568dc095330a96f448ea599830ecd80089a40cbc85495872631f425f5f46d66f30a532a39ce6e2473c436072b16292812433e07f2ef933fedb0002b3da0f90

Download Submit
C:\Users\Admin\AppData\Local\d2a705d62e0ea7e9741c3061b549ff86\Admin@CCJBVTGQ_en-US\System\Process.txt

Filesize
369B

MD5
340c2a22db05b41a3d61e65b4f7ac703

SHA1
fd4d7845ac7a6cc0506dac13dae79366060962ea

SHA256
6752d67ded940083d50e39abf569160b1bdf65f6e82c563a368df6afdd64ea6e

SHA512
71aa3e4025981f098ac03bd54439a128e39dd53616826a977cfd8f5f4f3e83c105c144e5351ca670b0ff0829c09fc8ba14bde54d6bb380168248a60df60bd538

Download Submit
C:\Users\Admin\AppData\Local\d2a705d62e0ea7e9741c3061b549ff86\Admin@CCJBVTGQ_en-US\System\Process.txt

Filesize
2KB

MD5
65aa37c8e048f69e53d407a6b8545d97

SHA1
b992cff9de9bf4b29b3cd8bc45331464f66ef0a5

SHA256
e990302be471b24d7c189159bfa622d9eda8e7f2f3ff143758e328afa7fe79b8

SHA512
550b854ea1d8688fe8a4478a2bc98e10a2ec17a29a1c26a7043997e32502575e58f43c8d96af0edc315df66c6fc5494bf24cd7a2ab2555a05f2578285e81ec45

Download Submit
C:\Users\Admin\AppData\Local\d2a705d62e0ea7e9741c3061b549ff86\Admin@CCJBVTGQ_en-US\System\Process.txt

Filesize
4KB

MD5
0e6049beccd3c2c65dd89017dab9c205

SHA1
e44a4032f458c3d9bfdaaed32daf05a2d8c4fbd0

SHA256
2d441fa6277f900824b620c12bafbdd4599a32c5c1a2fe6c98f26e27893cf82c

SHA512
a25dad75d52e53f827bc7bc730733b34585e70bea18f7187058eb529e1597358f437e768221ba4003894a707e08a194b66ff0055254045b0a5ba19f2c0af094f

Download Submit
C:\Users\Admin\AppData\Local\d2a705d62e0ea7e9741c3061b549ff86\Admin@CCJBVTGQ_en-US\System\Process.txt

Filesize
4KB

MD5
2ee19264fb4f52c34f127f08f1fbdc64

SHA1
186cfdaa67934aeb4eab9cc6801cb1657a9c91ea

SHA256
e3e4fd707e75c5a0af63806f60cb5c0b7114b23339e2c0d92cc9296c7e318ac7

SHA512
e92360520cbf1347eb73cbe3b06427a31a5d56f1c24c8639c7beea5bcb11e745983691e67818d31f71e41d92b7e78e2f790166901ddb7d6af6c238e157ff25c0

Download Submit
C:\Users\Admin\AppData\Local\d2a705d62e0ea7e9741c3061b549ff86\Admin@CCJBVTGQ_en-US\System\Process.txt

Filesize
1KB

MD5
32a612b927f59740606423620d83eb45

SHA1
efb8f1ec21f8fe913f358d8368d519303996f994

SHA256
a9b13946a237857e8ad97ffd4b177b21f93e3b8bf979c62f8b965fe8cf1d0018

SHA512
efdee5993ebe55dcbaef4fddc46c643c4792448f4a5fcdbca8c87c23c8fa95318cd1d00b8cfc69ded5de0a5e6ce41473ce712e5e359e673ae6a8b6104a284af2

Download Submit
C:\Users\Admin\AppData\Local\d2a705d62e0ea7e9741c3061b549ff86\Admin@CCJBVTGQ_en-US\System\ScanningNetworks.txt

Filesize
118B

MD5
2a5b1b68e8c60a7bbc64ccbdab5c059b

SHA1
9ed50f7bdc446b08407a43ea4144ed3d7062c3bb

SHA256
1dbd461d3e88a299f97ae8779e98a20f20f906fbbc7c6f61f2ca1b663b997189

SHA512
d13f54fa81639cef910a0406372bf5bb190bfe7cecb7b6ab045d2939c323e29dd2893f3c20e2ffd15ea452dafdbf94320b15b8cac47791f00d545c862a17a930

Download Submit
C:\Users\Admin\AppData\Local\d2da26d3a70a87d27609e98d3e0aea54\Admin@CCJBVTGQ_en-US\System\Process.txt

Filesize
38B

MD5
4d8c84065b2940b92d707701545950c2

SHA1
a126037b826ed3e9006f04a12d2815b605592b8a

SHA256
d5269785764b0f47f6c0105bc7c2a861991d029578cc8832db8e94b58fd5e234

SHA512
85e2b87b9265729eac60de4de69ebfaa098106d7988ddf98476ec7b2ddaaf1fb5c96586d36f70ef487376586839446ebfac4727aa5b36bc896698581d0d77deb

Download Submit
C:\Users\Admin\AppData\Local\d2da26d3a70a87d27609e98d3e0aea54\Admin@CCJBVTGQ_en-US\System\Process.txt

Filesize
101B

MD5
2dbeb6ef858d588cd5e98769eb5551f3

SHA1
940e84820181d4a2f3d479dfb62a6159e0eab8fa

SHA256
b7d177aed71a0a69eadcb3fcb13ee08233bf2ec281a5ed44df08c278a1d3ce81

SHA512
9b82a7a632c0cecaf32d9a437de57bfdb1b44c89ce948ec2855de50d1d3c3ea8bbb38f2cba35ec2110edb96195abdf1e1bc48577bfa93246668652df4cdb7283

Download Submit
C:\Users\Admin\AppData\Local\d2da26d3a70a87d27609e98d3e0aea54\Admin@CCJBVTGQ_en-US\System\Process.txt

Filesize
163B

MD5
481e865dc36da5231fcbab92747c1a75

SHA1
d3c7a9979d9117ecabd807456b388b89d9c8e7fd

SHA256
4b3ae8a2e5a1c21c13d6f4f8af72a141303e4ddbedd10b7c7385f9b71964945e

SHA512
8b9131ad7c94d3985971c54a2268b30730931367c71d5647df1189ec290f5160d9899dc9acbc95985c53e6a764e6d6ef241092bcca8fada0e30f481069b9138f

Download Submit
C:\Users\Admin\AppData\Local\d2da26d3a70a87d27609e98d3e0aea54\Admin@CCJBVTGQ_en-US\System\Process.txt

Filesize
202B

MD5
4b08bdd0950f855a60b129e5d386ed7d

SHA1
4d247bac82a2b39c4d1dad9e25cf4a52243acc2c

SHA256
748b0e85f8b7afc66ad30174d44335aacde4444eedf85487830e2d43ca92a5a7

SHA512
43167cef53fc8093bc88d466aebfa5d10ea50f1932a814853529dd080c633d10e4aa2f45c60072b398d29d9d43cf6d18088c0301cef7b7479eb3262a28746bd5

Download Submit
C:\Users\Admin\AppData\Local\d2da26d3a70a87d27609e98d3e0aea54\Admin@CCJBVTGQ_en-US\System\Process.txt

Filesize
4KB

MD5
526e3b33e0d3edf3399fe3bfba413f30

SHA1
12c5c363484d449a4732422e40d3dc196b76fa2e

SHA256
0c8badd56daf4e2cdba02f7c32ee603936a13f4abc7b957437ed5493ecf39606

SHA512
ea4111eac0abea4bda8ba13e89c6d621e2bb4da6dc5797921c3ca2a149b9b012e29ceb6437c8d8aef9e9b988630bd9a197414489d85e2bfadd70646c2c4c7100

Download Submit
C:\Users\Admin\AppData\Local\d2da26d3a70a87d27609e98d3e0aea54\Admin@CCJBVTGQ_en-US\System\Process.txt

Filesize
552B

MD5
1452275735dc8d1853b165321ee6fce2

SHA1
bad117fdaf9222182d781f9d623c9d475ecef804

SHA256
9a4acfa7cc200e2108b4d19023e884cf3e249c169a6823831a73805d5443e477

SHA512
3de15122cc8e070658a7ce3e1c0773f4f64a95f44d8ac292d24a7fb7e050b1b39c8116d53da79337528314209cd89f98cce325c9e913d7df25b327c9e7caca07

Download Submit
C:\Users\Admin\AppData\Local\d2da26d3a70a87d27609e98d3e0aea54\Admin@CCJBVTGQ_en-US\System\Process.txt

Filesize
701B

MD5
2ba8cc1c8d32a2b76bdafe61fedc1417

SHA1
eeeb1b4873912751db658006eddda0a2ea86cbf5

SHA256
c7d65a3b4a98d5eb34fad3b6b6ab20580948cf3b2084dc05870142fa8ac6b937

SHA512
0342fd1de350f61a6a290e223d31efcb0f40572302e5ddc55641968a5884af4dbd0ad0da46114f92cef2992920067b9562c1926443ce1bb129be04dd802c7261

Download Submit
C:\Users\Admin\AppData\Local\d2da26d3a70a87d27609e98d3e0aea54\Admin@CCJBVTGQ_en-US\System\Process.txt

Filesize
3KB

MD5
963d54e8355b666506859d0400b40761

SHA1
ae7c2a9efc9eaa29ab2df918e25a5648f97c24bf

SHA256
a07fea0ed464359f10dffdf401c5fe98ee02defd39ce9b877e6a8fb053e99a15

SHA512
362d041a58efc1a0664dd36887daf713e4641b7996ae5e73877373c2a5bd75df711c9d6e5748d65f9e29d68956786e889e2a529757c1fc6e56e1bec2d7425f86

Download Submit
C:\Users\Admin\AppData\Local\d2da26d3a70a87d27609e98d3e0aea54\Admin@CCJBVTGQ_en-US\System\Process.txt

Filesize
4KB

MD5
e0179e988cdb6b83c4eb967ee87232c8

SHA1
564ed1fd81fb06bfe1747a50b0c94809d6263425

SHA256
e390bfce93e40370717a844f8dce740c7c89a147109e40083cb9957dcf010ad9

SHA512
e2d0cd86ede975e7e56d98cd864d85cb2a9027b789372ca3f13f6be5ee3d50980c0e83fd9facdfd99955ae25299cc2af00803506ada28b675cf39365ded0c1d2

Download Submit
C:\Users\Admin\AppData\Local\d2da26d3a70a87d27609e98d3e0aea54\Admin@CCJBVTGQ_en-US\System\Process.txt

Filesize
679B

MD5
e3575beee3ce1cfe0b5044ae6478251b

SHA1
e54b671c4252783bb7c50d863871656eb4da197a

SHA256
f7ba52ff2e46d02bbc7b584e3baad5da5f22c81e0bf2a094a3b6ee57c8b45cfe

SHA512
ff9366f2275f9659e3c421a2e6b27e4500439a1db1e0911b286dba1ac8e74b866cf5f8120d986eb6ae78dd41df79c1b57561d0bf6c8f31cbbd28c4d30447be26

Download Submit
C:\Users\Admin\AppData\Local\d2da26d3a70a87d27609e98d3e0aea54\Admin@CCJBVTGQ_en-US\System\Process.txt

Filesize
2KB

MD5
ea1458e111a8d7f50624442da9ab4b86

SHA1
abe933d107490fd7d470a1c7ef89744104e3d421

SHA256
fb05e2dc517b7a79e2bf470b3a5ffbc5d06dd8798b002046b9ce86308e8bfef1

SHA512
e785a9f012e55f296aa8f8fbaaf0ba5d7aea28cc6bb51e1b96138c3b03f3208d54a1ff40d531d2bf95d712e2d4e70ffc4def86ba523e4c549c9822173d71fca4

Download Submit
C:\Users\Admin\AppData\Local\d2da26d3a70a87d27609e98d3e0aea54\Admin@CCJBVTGQ_en-US\System\Process.txt

Filesize
3KB

MD5
b5808c0bd409a35362e53a9d8d3d65a8

SHA1
7a7122ffc4118aec99cc0fba4eba70e5a2e745f9

SHA256
f264a0cbee050167353f30364df3d7a2b4f95f1d5dde9ac0612c5035b4ce1883

SHA512
52906afff47c7166406943630baa5be9a629a5cc754c6d5b8d47711614b3e6353ffbe19d53f9fd107b332ec8ccea71e917726628a774cd27b909e4c7dd07d542

Download Submit
C:\Users\Admin\AppData\Local\d2da26d3a70a87d27609e98d3e0aea54\Admin@CCJBVTGQ_en-US\System\Process.txt

Filesize
4KB

MD5
ff6e90dc8a7d195db4b38370284600c4

SHA1
5da418a6a61f282c1bcc1968296eaafcd3a7d561

SHA256
d61b0084f5e31b36b82325a44028409298801b617b01be3e2cc20f5e4701d28f

SHA512
e81d79c96f5c26ec1c339d12c8f9d9291a6a524f8ccff901376cac821b0872b28ac3382330ccde580b3ae710032cc9ae147c59ff738a3edcc29f27a1a22653c7

Download Submit
C:\Users\Admin\AppData\Local\e01fa2b916e0e1663bda90e6b57169e8\Admin@CCJBVTGQ_en-US\Directories\Temp.txt

Filesize
5KB

MD5
e866c30c11563ffd57532a8d6c1b910e

SHA1
fbafe98b1b5b6886c4c02daab44a37b678cd93b3

SHA256
ee08dd9df3dfae44dcb935837ca33e244212c33f46ce19df57baf4e78f4b65bc

SHA512
688e6dd4a7f556cb7051bd1d1f58cce5f355f5ccf60cb0de17599b737353a795dd419e5207a3cc06f4fd292b37ee838b9781346baa63d3bfae2a89d4277b3dfa

Download Submit
C:\Users\Admin\AppData\Local\e01fa2b916e0e1663bda90e6b57169e8\Admin@CCJBVTGQ_en-US\System\Process.txt

Filesize
71B

MD5
af5698af3d23efab36df1ec39647d8c0

SHA1
34a4020970235938aa7d5d200214aad98e4c5320

SHA256
efae278d2b69d97dd7cf8f01375d7ec78c5a9c43ed929f1a7afbcf5e8a524646

SHA512
f23291dfc161b0d0638b2cb78610551faef5d755f87c6b24b5b9093d789dcee1d2a3fc7c5bc2b0d6c08e3a9113d48463aa15ed0e3d3098923053156eb96a507a

Download Submit
C:\Users\Admin\AppData\Local\e01fa2b916e0e1663bda90e6b57169e8\Admin@CCJBVTGQ_en-US\System\Process.txt

Filesize
133B

MD5
b3bc0f80b916a9ae1adf384fa895586b

SHA1
43c0f0ce553011330f042a8e158456e0e44ce198

SHA256
8b1d8decb25ecd8cbbbd1993607142abf1f04f0c140a30c60c12cccf1a42e6ea

SHA512
db6308345eb3643b15d8c6a4bbdf73d2537f239f7e5d5a65bad698f8aa7b07965c15e981021dd69a00d8b9cf3591199f0a1961468c33d05e04201c88cc5cc4c3

Download Submit
C:\Users\Admin\AppData\Local\e01fa2b916e0e1663bda90e6b57169e8\Admin@CCJBVTGQ_en-US\System\Process.txt

Filesize
343B

MD5
eabbcf4d92862aa1bb3867501027f174

SHA1
49018c205be5c5c684afea67b33ae148682aafa4

SHA256
e365d7563e3e0299f1142ee45e12ceb73d72f60325ea3ddefe227b624c6aac36

SHA512
638a02c3d57691937dbec387555f241f593a6f3935c6bb678cb0579115b84bd383552c0b575bb7c5e1e019b9e5f59b97bee19bcb423a0ce369af598e0bb84e19

Download Submit
C:\Users\Admin\AppData\Local\e01fa2b916e0e1663bda90e6b57169e8\Admin@CCJBVTGQ_en-US\System\Process.txt

Filesize
529B

MD5
eab0ba6d87c713ef91871aca1ab90105

SHA1
10896243ba141422d047b51e05a1f286c26e8945

SHA256
728254fa1536d14166d58c5ee8811231fc33ca942e3f886d867530c1e8fae79e

SHA512
41e7424195abae78728f917f9cd0ef85240f7fc0c5706ac68b713a70af7f01d83b34c6a2bb93580b1232c274f6225a55b80742aaf167f2d58683dab3d35e187f

Download Submit
C:\Users\Admin\AppData\Local\e01fa2b916e0e1663bda90e6b57169e8\Admin@CCJBVTGQ_en-US\System\Process.txt

Filesize
1KB

MD5
700fa9814daef45c20dc70fc12c2b6ab

SHA1
e5dbdf9b41dd2093e880eec8b62ad66e82511cd3

SHA256
4f0f273aa22cc61f8b975a332e95b458bd8fac3ea864b888afe5072be6d61878

SHA512
1c8d07ed619b6f16d171980da4ac02610779c4f58683ec7954606d210ae7944c0a30d9c6018ac813f402461814f40a9c44103ba56966a65b13649754256a09c1

Download Submit
C:\Users\Admin\AppData\Local\e01fa2b916e0e1663bda90e6b57169e8\Admin@CCJBVTGQ_en-US\System\Process.txt

Filesize
4KB

MD5
9aa934ee93c2e6b76b2ca9edd688b82f

SHA1
e345497e47a6e57d288032251e3482851a79dc7a

SHA256
50c0a943aba31c8b825ab9cb2d9cb9a6047da98c983d482651e7bca226429c66

SHA512
0a93ed29d0215548534ecc85ced155669d2871c2202a2fd85641ac688f7208ae1c40a6d5475f10954999ab9ec37e59aa0920b3be729bfef7658cc62cfa968e21

Download Submit
C:\Users\Admin\AppData\Local\e01fa2b916e0e1663bda90e6b57169e8\Admin@CCJBVTGQ_en-US\System\Process.txt

Filesize
265B

MD5
1dc1c24b89856ff8790ceba6e221c2ee

SHA1
2af7bab7da320ff6b0cde4fbe41326ed8d74970d

SHA256
c73fb4fbf9bc65a228134fdf6fa429ce81fdf15eead75622d6a02e51ed892f6d

SHA512
ffb1237c0432344f8ec157ce6e46d9a9c0d24a2013a9287e901e16f5bfa19abb424441e25521e68d380d1bdc7a57c63fff0ddf198ecfdba680fedefb8b040e50

Download Submit
C:\Users\Admin\AppData\Local\e01fa2b916e0e1663bda90e6b57169e8\Admin@CCJBVTGQ_en-US\System\Process.txt

Filesize
4KB

MD5
ce519017d542eb3dcb4ea82ad1670713

SHA1
63e7e55d6d79261484193d954b5a85aa50502785

SHA256
9e40dbbf16ccf608fa0c70f5a7ea89f33034db80887da98d9374caabba6b12a4

SHA512
13d8a3115c9b5b9befc4755537320ea70c2d1536567c8a7baf5b2fe460d36bceb11d644462b91ca946d5d20d180f9db248acde4b00f00cbc473229c572fa4ac9

Download Submit
C:\Users\Admin\AppData\Local\e01fa2b916e0e1663bda90e6b57169e8\Admin@CCJBVTGQ_en-US\System\Process.txt

Filesize
4KB

MD5
b8f2d7e22271036c0c105e98603a360c

SHA1
37b36a8622f08c5f45d24b8d8fe47cb8f44f4ed2

SHA256
e6b2446963a66622580faceabd50e3c27be02b125298de66562ce46f751f3690

SHA512
56c33d458484e06dd3ba8ec5b55df390975e64096527d832a6ab1527fb674d3b1cf5414fcd58916ee9d8bfdea41d8539b3edc20d362834b15dfabb2c770bbdc4

Download Submit
C:\Users\Admin\AppData\Local\e01fa2b916e0e1663bda90e6b57169e8\Admin@CCJBVTGQ_en-US\System\ScanningNetworks.txt

Filesize
59B

MD5
409930721dbce1ee58227d109cca4570

SHA1
767f86ffec769d8415f07b4372a108cba1bf7221

SHA256
6b6dd8b11f84fb78e3e8cfaa7c5fca569d79402b9fc5861b00960b25607c911e

SHA512
4875187fce9545a92df636e384f92dcb403dfe80f3cad4a68e79329a1f42e12e9d04948f2a52b939638481da6d3e3b5f5096fe6dfd674ee53cca7c655ec03f17

Download Submit
C:\Users\Admin\AppData\Local\f140b89e9fb8ecd5f8532e5151139f55\Admin@CCJBVTGQ_en-US\System\Process.txt

Filesize
2KB

MD5
d9ef1cab0db4ed501acae563c57164a9

SHA1
c5e8b6b556fd0b0599da1275c2c296e58cc276d7

SHA256
593ecb9cacf2efe50b4d7edb0fe43673356e66051193322acd1eeb76a0c229b8

SHA512
1ffc7ef46677f2a00dbd879a89a1ad6e2a234b441d7508943d0116d616710be8e6765f5b5516546bc52906178ad66bf1fc57186637cfc6be8a4718ae78844801

Download Submit
C:\Users\Admin\AppData\Local\f140b89e9fb8ecd5f8532e5151139f55\Admin@CCJBVTGQ_en-US\System\Process.txt

Filesize
1KB

MD5
cd7fee514d47454dd823b9eb73e70964

SHA1
9dc6287a85b2a6745971f74eaecff56d61560339

SHA256
d1c3a9eed46072435d7e4d166b180fc23ea231e5f794da43e50d0cd909819be6

SHA512
e42f3bd8f8670b1c43e26295c5e6191aca2349d7785125b6cd2acab315c6ae789d7615ab6178f536afe7c9a27e0cc47e017f727a2c804cfddfdb3ab9686d39a6

Download Submit
C:\Users\Admin\AppData\Local\f140b89e9fb8ecd5f8532e5151139f55\Admin@CCJBVTGQ_en-US\System\Process.txt

Filesize
2KB

MD5
fd060e237ada274757135549365026cf

SHA1
463b80294b4c68635d34e0ab1f41831ad4e33012

SHA256
8e347a6a1b946b6a6a0bd9e33520517e9ba55452eb53d848738dc7fb9f71859f

SHA512
29892082c0a24c568eb89f363ac8461586f70ea7db0e786e6d1587e0b57f0848bdc6a9b0878d31ea46f9d49b0573f3123e8a8d737c1bf8a37cea2ba90ad98147

Download Submit
C:\Users\Admin\AppData\Local\fa1a32e2b7bf99206cb5ee201df5c35f\Admin@CCJBVTGQ_en-US\Directories\Desktop.txt

Filesize
681B

MD5
e5b7bca330f4a9f3732bb4302fb0681c

SHA1
512a0db24e3f68d2e66419bdc2232ea6446d56d7

SHA256
a78171bccb1a809ffaf0633c31cf5cd5d031724dad4402748090fdaab4feb4f8

SHA512
ed35ff589d4524210970501d5b3a83ae4608b6b113d0d1180de4aa8efa71483bca77e864f287bdd8fa8720ed30f58300ce89ec1e670cad79b3d2cf44b1b8017d

Download Submit
C:\Users\Admin\AppData\Local\fa1a32e2b7bf99206cb5ee201df5c35f\Admin@CCJBVTGQ_en-US\Directories\Documents.txt

Filesize
571B

MD5
48b63f12a0e888ebe318f4e122a3c9a7

SHA1
b3cf18486ebd251c12312228f2a4fa69169366a4

SHA256
737d8ef3500486b3e294769b701c9a5564a8f57b89e392510a7921e787d98366

SHA512
6d8a74cd48c58ea9048315c4b1c3e17163863378648d410c21842169ecebd048edddba4e5f0e8b99adb129bcb046af8bd3e8ef4a9b872451cba5b0863f6c7baf

Download Submit
C:\Users\Admin\AppData\Local\fa1a32e2b7bf99206cb5ee201df5c35f\Admin@CCJBVTGQ_en-US\Directories\Downloads.txt

Filesize
779B

MD5
2a65f1ca8c3720deed26520662efe86d

SHA1
6c185d46bff1e14c5b6ccefe34b7f32698f41a35

SHA256
b4c18a084d661ecc68a0bb8b3d7660167df7076cb9f4986898c59734d5059400

SHA512
01d97f465597173d69f6fc3cb58a76b2a07d9305484bfa7f5b6a3c8f36261a085f1af727ea46b8b38cd375d4cdb7b0785d9401e9c0fa3c823b04d60c5257395f

Download Submit
C:\Users\Admin\AppData\Local\fa1a32e2b7bf99206cb5ee201df5c35f\Admin@CCJBVTGQ_en-US\Directories\Pictures.txt

Filesize
246B

MD5
7a7cfafae14bc5c82a55af38d892d6b3

SHA1
d5c804286d208ce0646a598868c549c335b7c9ff

SHA256
1fbc08b11180e6d45d2090337a59f32862f1beb40ef55ffe6f05305263ba5ed3

SHA512
c856eb69cffd2dc1ec0cc335bf42a6ca94648dcbc2d280acbe9e69f76c95ddab1e32cd6e0325c95274ddbfdf04cf5fc5e470ad0508afc2b3c5d7d6e9b6f30a74

Download Submit
C:\Users\Admin\AppData\Local\fa1a32e2b7bf99206cb5ee201df5c35f\Admin@CCJBVTGQ_en-US\Directories\Startup.txt

Filesize
24B

MD5
68c93da4981d591704cea7b71cebfb97

SHA1
fd0f8d97463cd33892cc828b4ad04e03fc014fa6

SHA256
889ed51f9c16a4b989bda57957d3e132b1a9c117ee84e208207f2fa208a59483

SHA512
63455c726b55f2d4de87147a75ff04f2daa35278183969ccf185d23707840dd84363bec20d4e8c56252196ce555001ca0e61b3f4887d27577081fdef9e946402

Download Submit
C:\Users\Admin\AppData\Local\fa1a32e2b7bf99206cb5ee201df5c35f\Admin@CCJBVTGQ_en-US\Directories\Temp.txt

Filesize
1KB

MD5
b57d6c9d0c3c8c8ae1f57c449deba420

SHA1
d62c5dae08fe2134adfd17f7e707be9965b5d9aa

SHA256
222b886140bf81549ea04669cf8f1ebbe04baa2781c8e90c77a4919e4083fc96

SHA512
ec37e5ce74aa5d216de1384c4fc9d57ad06eff31ede2859b950a1d4e187545153c8de3b6efde2d36c77390ce89c2f58c35027a86dacbb92dfade76ad928210fd

Download Submit
C:\Users\Admin\AppData\Local\fa1a32e2b7bf99206cb5ee201df5c35f\Admin@CCJBVTGQ_en-US\Directories\Videos.txt

Filesize
23B

MD5
1fddbf1169b6c75898b86e7e24bc7c1f

SHA1
d2091060cb5191ff70eb99c0088c182e80c20f8c

SHA256
a67aa329b7d878de61671e18cd2f4b011d11cbac67ea779818c6dafad2d70733

SHA512
20bfeafde7fec1753fef59de467bd4a3dd7fe627e8c44e95fe62b065a5768c4508e886ec5d898e911a28cf6365f455c9ab1ebe2386d17a76f53037f99061fd4d

Download Submit
C:\Users\Admin\AppData\Local\fa1a32e2b7bf99206cb5ee201df5c35f\Admin@CCJBVTGQ_en-US\Grabber\DRIVE-C\Users\Admin\Desktop\desktop.ini

Filesize
282B

MD5
9e36cc3537ee9ee1e3b10fa4e761045b

SHA1
7726f55012e1e26cc762c9982e7c6c54ca7bb303

SHA256
4b9d687ac625690fd026ed4b236dad1cac90ef69e7ad256cc42766a065b50026

SHA512
5f92493c533d3add10b4ce2a364624817ebd10e32daa45ee16593e913073602db5e339430a3f7d2c44abf250e96ca4e679f1f09f8ca807d58a47cf3d5c9c3790

Download Submit
C:\Users\Admin\AppData\Local\fa1a32e2b7bf99206cb5ee201df5c35f\Admin@CCJBVTGQ_en-US\Grabber\DRIVE-C\Users\Admin\Documents\desktop.ini

Filesize
402B

MD5
ecf88f261853fe08d58e2e903220da14

SHA1
f72807a9e081906654ae196605e681d5938a2e6c

SHA256
cafec240d998e4b6e92ad1329cd417e8e9cbd73157488889fd93a542de4a4844

SHA512
82c1c3dd163fbf7111c7ef5043b009dafc320c0c5e088dec16c835352c5ffb7d03c5829f65a9ff1dc357bae97e8d2f9c3fc1e531fe193e84811fb8c62888a36b

Download Submit
C:\Users\Admin\AppData\Local\fa1a32e2b7bf99206cb5ee201df5c35f\Admin@CCJBVTGQ_en-US\Grabber\DRIVE-C\Users\Admin\Downloads\desktop.ini

Filesize
282B

MD5
3a37312509712d4e12d27240137ff377

SHA1
30ced927e23b584725cf16351394175a6d2a9577

SHA256
b029393ea7b7cf644fb1c9f984f57c1980077562ee2e15d0ffd049c4c48098d3

SHA512
dbb9abe70f8a781d141a71651a62a3a743c71a75a8305e9d23af92f7307fb639dc4a85499115885e2a781b040cbb7613f582544c2d6de521e588531e9c294b05

Download Submit
C:\Users\Admin\AppData\Local\fa1a32e2b7bf99206cb5ee201df5c35f\Admin@CCJBVTGQ_en-US\Grabber\DRIVE-C\Users\Admin\Pictures\desktop.ini

Filesize
504B

MD5
29eae335b77f438e05594d86a6ca22ff

SHA1
d62ccc830c249de6b6532381b4c16a5f17f95d89

SHA256
88856962cef670c087eda4e07d8f78465beeabb6143b96bd90f884a80af925b4

SHA512
5d2d05403b39675b9a751c8eed4f86be58cb12431afec56946581cb116b9ae1014ab9334082740be5b4de4a25e190fe76de071ef1b9074186781477919eb3c17

Download Submit
C:\Users\Admin\AppData\Local\fa1a32e2b7bf99206cb5ee201df5c35f\Admin@CCJBVTGQ_en-US\System\Process.txt

Filesize
4KB

MD5
632f5ada001e69bcc960dd4c4fa3cbe5

SHA1
cc315edfa748950f221990f65c3fa36d76d32d15

SHA256
a93e91c979313a1c9caeb5a568375b4a32ee0e15f9617ede23078d215852b3f4

SHA512
aceae5d48f13a93537f152f807695868e1652fd8b1e5bcd76b3a3c6ecf4b98c17fe4a7214bf6d4570712cfbb29665228c9f3d5261ec8cf9220f79df68dfbb389

Download Submit
C:\Users\Admin\AppData\Local\fa1a32e2b7bf99206cb5ee201df5c35f\Admin@CCJBVTGQ_en-US\System\Process.txt

Filesize
326B

MD5
bf89850aa352cffac98408b17cba567e

SHA1
f2bc3cb84f5029e2b4939d1d5b4066de470ab138

SHA256
2a236424c3a974b9b9a2283d5405b17099b7175627817b39e29f700574cfbd3b

SHA512
448c78e02cfcb41e098c8d0d8b7c3149e2f6562b04f04c69681df420f88c6e300c0796525edb23045a91daf0f2e252d2ee02b74f9eca570a5234bf4319b1e7dd

Download Submit
C:\Users\Admin\AppData\Local\fa1a32e2b7bf99206cb5ee201df5c35f\Admin@CCJBVTGQ_en-US\System\Process.txt

Filesize
823B

MD5
5c53472e2f69776bec7d21086557de83

SHA1
95a8887764a62d5431a26f0c69b314d184b418fd

SHA256
6b68cc4b988775ca51c6cdccb811746461d1e4fba4c6d1318d64a037f47f9ff1

SHA512
4da05a9eb92a2d621cb7f54dbd9887eaf0778e2717b97807d0a047e50aaab2c9497fab88b8297c697212f574c80621bc6551afc689788b5f96b852ad9c7bba8c

Download Submit
C:\Users\Admin\AppData\Local\fa1a32e2b7bf99206cb5ee201df5c35f\Admin@CCJBVTGQ_en-US\System\Process.txt

Filesize
4KB

MD5
73629976e17128d8d8c57d9403d1eb59

SHA1
b98df917bb609deda54dfa84d724083934449251

SHA256
ada96f291bd8812f0dbe4055084be3ec5e1028391cee8e49aee3d0b07514642a

SHA512
1801b6951c1c97bd70d809602d3dbbe06d136687d465fc5a5bc4d1d8a0ab1271719b70dd3f339ffc6079316c5a52a205066f22f7702b7da88909f6d6ca2c4dfc

Download Submit
C:\Users\Admin\AppData\Local\fa1a32e2b7bf99206cb5ee201df5c35f\Admin@CCJBVTGQ_en-US\System\Process.txt

Filesize
1KB

MD5
3b7407254b6d1bf3deb5491ad864787d

SHA1
2fa21b15fa60dad97bfec9a3b40ea06c31d65351

SHA256
24e0f972ffadcf119e0104a9f8b9ffb97c71e81485bd8ce97680e1201a481327

SHA512
5ea5f439fd7936aafff840919f87766b00ecd10f7362f605203fcf1fb40230db54f25712a7c0080ce594627a684e7ed74a68ae97c3b64ad844ea20302ffdc920

Download Submit
C:\Users\Admin\AppData\Local\fa1a32e2b7bf99206cb5ee201df5c35f\Admin@CCJBVTGQ_en-US\System\Process.txt

Filesize
1KB

MD5
81b726c887e287a21c398bd49ff63f49

SHA1
8e5c539c46bee87f878315510d8e5a678cc58acc

SHA256
20e99024f013ff41df602603d60160df6a0c2a07be7f7aa995299a56bf146854

SHA512
dcc165ff60cb4cd3de51b01c54240b1e85f5959fda3b903018c46c771995fc292b529546821f5dc639feda570f0574d0d433b2f325db378fa752fd73d361ae58

Download Submit
C:\Users\Admin\AppData\Local\fa1a32e2b7bf99206cb5ee201df5c35f\Admin@CCJBVTGQ_en-US\System\Process.txt

Filesize
1KB

MD5
cbfb2f57a3849b13adcbc6f151e25402

SHA1
a363f252cef52d1162a8001f7b9eed0957ae72f4

SHA256
5bfaf598a23352461c36307c30437689a50439a412d093cb58faf10391ef2bb8

SHA512
5745a780303d264fbe68041c44263a80cdf3e2fb8d884e005b9fab73d65ce6593a0a84557de1344f4bbff5165c8a85234c1e3e6f2e22b3f3f3e8aa386e7fe93c

Download Submit
C:\Users\Admin\AppData\Local\fa1a32e2b7bf99206cb5ee201df5c35f\Admin@CCJBVTGQ_en-US\System\Process.txt

Filesize
1KB

MD5
c2d8b4620a25fef4f55e39502f255708

SHA1
ff7fca9d252365e7611a8fe96c5cd60c2b658301

SHA256
6370bf12642dc25d25cfe690122a50187c97479fcea418202ff5c244832824bf

SHA512
7270d3b211469644aa019b53521c833ee34b77f17400aec4196de5ac6fce3c6f04be9129b03875d74e2c859ac477a21292fba7f6575df7a410afaa1d0c011756

Download Submit
C:\Users\Admin\AppData\Local\fa1a32e2b7bf99206cb5ee201df5c35f\Admin@CCJBVTGQ_en-US\System\Process.txt

Filesize
1KB

MD5
339aa860c9f029c2d1e78710957c1b47

SHA1
74da5840d118ce40ee8eda4fe28974e0e39181b9

SHA256
4e3951800e0c02664b2fd15a40416f5d83419a5c73367e6bbb341191b66264e9

SHA512
9cf0b8b10ac542d36e508ae5e6fdb94bc355658df5ec9b452e961468751cb25ae1e2937a738ab1922fb4d2cef4b3c719c412a53b1c091a44219f749eaf7db88e

Download Submit
C:\Users\Admin\AppData\Local\fa1a32e2b7bf99206cb5ee201df5c35f\Admin@CCJBVTGQ_en-US\System\Process.txt

Filesize
1KB

MD5
66bcc8c7444f51fd3db86ed6847472bc

SHA1
f836e274fdbc4818771591abe4ea6d4543912f3c

SHA256
600471030e8db2b44bdeea1a4fe2d58829622ae22e557fa126873e995fcf922d

SHA512
3056155b3dc6bed81ed05cdf5afac83a0c50b25e4d7aab62f74ef5b36f4eecd325bfc14f8cac73da8796606ee20adea0e89985f7a57749fad880cf02e6d10d85

Download Submit
C:\Users\Admin\AppData\Local\fa1a32e2b7bf99206cb5ee201df5c35f\Admin@CCJBVTGQ_en-US\System\Process.txt

Filesize
2KB

MD5
7b623fef4b246f5a1c1e78c4174c84e0

SHA1
9ea099112fbaf480c9a6c98880fe97e009ca4f97

SHA256
82575bd4dd9fe7bf1b3d202f39bffc414db202ebfc0e3ae952cb84993498e5f7

SHA512
109bc4386467eaa18522b2fec6b9519aeb6853132133728a2def659054b41d1033c8d67e9373c90bd08594d03c30da15246f2b91248feee6f02827f95bf3392b

Download Submit
C:\Users\Admin\AppData\Local\fa1a32e2b7bf99206cb5ee201df5c35f\Admin@CCJBVTGQ_en-US\System\Process.txt

Filesize
2KB

MD5
db0acbfea68d752364f00bd7dfc3032b

SHA1
286b3f6de47dd670cb6f18f06ba1734b0ce935f8

SHA256
4d9ca9ee660200caf30bff051bf94943fb51fde28e080cf509f78f0122b912d6

SHA512
312663d06880294524bc2b63201297f954b217fa7b9bbcd1c68035c50d52afe65b4bd09892dc70c8d4acc06fb98b617c8f6c89654b2f9fde44080a0e7760ed3f

Download Submit
C:\Users\Admin\AppData\Local\fa1a32e2b7bf99206cb5ee201df5c35f\Admin@CCJBVTGQ_en-US\System\Process.txt

Filesize
2KB

MD5
92ba6772b1e97c07a63e5b2be9bb6d10

SHA1
117c5f632dc5c0156b4e8a8a8284607b7c260d5a

SHA256
1a77569b46196d2591ea4cf5ecf3523df2861d5df6d7db515b54e375c5e64466

SHA512
0fd3f513dbc548083091a535310c26d19862bbb2f092e9b7655ed1a0c9a7eacc235f987cfa13704bb7f72fdb288ad3e134da9eaec4997dfc3550401ca844336d

Download Submit
C:\Users\Admin\AppData\Local\fa1a32e2b7bf99206cb5ee201df5c35f\Admin@CCJBVTGQ_en-US\System\Process.txt

Filesize
2KB

MD5
3be4ccce4541c2103e2f3a0585e98d3a

SHA1
4502c0a38eadf0eab65e47cc4f7871e332a07f12

SHA256
5ccbf4f0bd213d822587804f20f49565442a12606518371a90a94da1e9a68066

SHA512
d6d9d999bdda6bdf4b14d8fbdf712ac018231696f5ec147f3f83f05301fbeca8b7a11bd288c8810619372a1075a629a855c30a53d995d00f8a98bb4ab86441de

Download Submit
C:\Users\Admin\AppData\Local\fa1a32e2b7bf99206cb5ee201df5c35f\Admin@CCJBVTGQ_en-US\System\Process.txt

Filesize
2KB

MD5
9c6cb635fa01f267a2b891dc67802d28

SHA1
bf386d112a6c1d868fd82f7c0184e3a5efb0e8bc

SHA256
f7b5e28405e457483e2e8939ebaab4b0205a418b3bcb9124a3167bcf8a0998c0

SHA512
a62497b7293557a73fac5f62e25708d7e544f6f56b61017f7cd2fa38ddb74221941ee2c6409772bc33340faee8489b82c077cb2bb98124c14fa0892e4a28e1df

Download Submit
C:\Users\Admin\AppData\Local\fa1a32e2b7bf99206cb5ee201df5c35f\Admin@CCJBVTGQ_en-US\System\Process.txt

Filesize
2KB

MD5
c60bd252d533c224a10c669de5ece047

SHA1
7621db3a2fd60e8902e00f406aa318a19bd4d199

SHA256
b8e3c3a9140ba1d415d7733e856ba87da9bc3da594e62eab6d4329a42ff8c7b2

SHA512
dd61a7656c00bec05d00b31ac138d9501e5f6e0bbf7f48a0d2c51a3f99f78749e0f6ea5bfd98b6b01cf8d404ecf8b33d76d7a12883113bf41dcef2a63d42b1a2

Download Submit
C:\Users\Admin\AppData\Local\fa1a32e2b7bf99206cb5ee201df5c35f\Admin@CCJBVTGQ_en-US\System\Process.txt

Filesize
2KB

MD5
9563deceb27c51f2265d51005eefdbec

SHA1
7d6f9a2458dbc8009f087ab4925322a9665fc046

SHA256
c2c4da547a58ecedfe99ba05156a5f97c29ad45fd1d10bd018687f82c8b4563d

SHA512
65b22680b2d945eb020176ca7bd38111ebed0a1e68dfc3f22e4aeae50aa366dcceaf20452c3eced4c39fd363f7e0f9ec5ac2984644436d570e9ffa76cf099696

Download Submit
C:\Users\Admin\AppData\Local\fa1a32e2b7bf99206cb5ee201df5c35f\Admin@CCJBVTGQ_en-US\System\Process.txt

Filesize
2KB

MD5
89b3ce53dfde32a844fd793398eb1da7

SHA1
ec668a4483f1c5b51032906b344eb405d00a034c

SHA256
376138610623b30c1afb1e299d5b777a822782353529d3f86ce737a2f51a1628

SHA512
67a2222ba3b96aa22a58e6d7809023289e5cf2b7db6fe0c4b92954f7482a0d4256d1dd31f4ab9fcbdf77bc480749b62ecd274618fa319b00c54fc756d0ffc2e6

Download Submit
C:\Users\Admin\AppData\Local\fa1a32e2b7bf99206cb5ee201df5c35f\Admin@CCJBVTGQ_en-US\System\Process.txt

Filesize
3KB

MD5
a8c2dbcfd3b961944baa874fe6673c36

SHA1
1979bf6f6c263fca93a0c40bc862f41f9e6a32d9

SHA256
1155469b374457e233bdefb6c34891fa647983434621a4cb1562b1122786858f

SHA512
9acbbc118d63803375d976aa5500f65a631c9c11834c165dfe65ca6ab8f237687cc95fce35d00c85bd81206452aef674c1540cb187c4f1f97d21bb018029305c

Download Submit
C:\Users\Admin\AppData\Local\fa1a32e2b7bf99206cb5ee201df5c35f\Admin@CCJBVTGQ_en-US\System\Process.txt

Filesize
4KB

MD5
863467d233321380ef97950f486c88b9

SHA1
fadcd74c6240d9223b3d73e7f8921ec7a7996be7

SHA256
597824db9f9417d7d8c84b301153684461d73e736d2c1f897a1e9abcd231ba7a

SHA512
330fe76fc9955b9b53d4bed88acde03c4c428517b3839ad3ac47100a7ad60373ce3389d3d60c5ebe9a3e97b3836d7ac8f96c319879d464a292dd4cda8db6bfb8

Download Submit
C:\Users\Admin\AppData\Local\fa1a32e2b7bf99206cb5ee201df5c35f\Admin@CCJBVTGQ_en-US\System\ProductKey.txt

Filesize
29B

MD5
cad6c6bee6c11c88f5e2f69f0be6deb7

SHA1
289d74c3bebe6cca4e1d2e084482ad6d21316c84

SHA256
dc288491fadc4a85e71085890e3d6a7746e99a317cd5ef09a30272dfb10398c0

SHA512
e02cf6bff8b4ebd7a1346ecb1667be36c3ef7415fff77c3b9cfb370f3d0dc861f74d3e0e49065699850ba6cc025cd68d14ceb73f3b512c2a9b28873a69aff097

Download Submit
C:\Users\Admin\AppData\Local\fa1a32e2b7bf99206cb5ee201df5c35f\Admin@CCJBVTGQ_en-US\System\WorldWind.jpg

Filesize
68KB

MD5
f2d1efdcdde9b39fddb8784c8805ff97

SHA1
f7f247d8b0df93607fd0352a110a46d04397517c

SHA256
a12e5c9a0508afa7c23e85330e5b1544bad19330c1cdb7067d9f5ffc37f577d7

SHA512
3724a40604e31614efc6f6ebb195dbdbb69446b2eb5dd6f762509894080c30bc54064cb093f354d4e3cfb779af2819a0b05a9ac8480eebc2ef9801507b427658

Download Submit
memory/2648-1-0x0000000000D80000-0x0000000000DDC000-memory.dmp

Filesize
368KB

Download
memory/2648-8-0x000007FEF4D20000-0x000007FEF570C000-memory.dmp

Filesize
9.9MB

Download
memory/2648-11-0x000007FEF4D20000-0x000007FEF570C000-memory.dmp

Filesize
9.9MB

Download
memory/2648-0-0x000007FEF4D23000-0x000007FEF4D24000-memory.dmp

Filesize
4KB

Download
memory/2776-9-0x0000000073D1E000-0x0000000073D1F000-memory.dmp

Filesize
4KB

Download
memory/2776-12-0x0000000000720000-0x000000000076A000-memory.dmp

Filesize
296KB

Download
memory/2776-13-0x0000000000380000-0x000000000038A000-memory.dmp

Filesize
40KB

Download
memory/2776-10-0x0000000000100000-0x0000000000158000-memory.dmp

Filesize
352KB

Download
memory/2848-18-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/2848-24-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2848-27-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/2848-17-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/2848-29-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/2848-25-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/2848-20-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/2848-22-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download