asyncrat | hxxps://www[.]mediafire[.]com/file/by9n59rwi4ek33p/Rebel[.]7z/file

Analysis

max time kernel
100s
max time network
95s
platform
windows11-21h2_x64
resource
win11-20241007-en
resource tags

arch:x64arch:x86image:win11-20241007-enlocale:en-usos:windows11-21h2-x64system
submitted
10-11-2024 20:41

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://www.mediafire.com/file/by9n59rwi4ek33p/Rebel.7z/file

Score

10^/10

asyncrat stormkitty default discovery rat stealer

Malware Config

Extracted

Family

asyncrat

Botnet

Default

127.0.0.1:6606

127.0.0.1:7707

127.0.0.1:8808

Mutex

AsyncMutex_6SI8OkPnk

Attributes

delay
3
install
false
install_folder
%AppData%

aes.plain

Signatures

AsyncRat
AsyncRAT is designed to remotely monitor and control other computers written in C#.
rat asyncrat
Asyncrat family
asyncrat
StormKitty
StormKitty is an open source info stealer written in C#.
stealer stormkitty

StormKitty payload 1 IoCs

Processes:

resource	yara_rule
behavioral1/memory/2396-448-0x0000000000400000-0x0000000000432000-memory.dmp	family_stormkitty

Stormkitty family
stormkitty
Executes dropped EXE 4 IoCs

Processes:

RebelCracked.exeRuntimeBroker.exeRebelCracked.exeRuntimeBroker.exe

pid process

3252 RebelCracked.exe
4892 RuntimeBroker.exe
4404 RebelCracked.exe
2396 RuntimeBroker.exe
Suspicious use of SetThreadContext 1 IoCs

Processes:

RuntimeBroker.exe

description pid process target process

PID 4892 set thread context of 2396 4892 RuntimeBroker.exe RuntimeBroker.exe
Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

pid	process
3252	RebelCracked.exe
4892	RuntimeBroker.exe
4404	RebelCracked.exe
2396	RuntimeBroker.exe

description	pid	process	target process
PID 4892 set thread context of 2396	4892	RuntimeBroker.exe	RuntimeBroker.exe

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

RuntimeBroker.exeRuntimeBroker.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RuntimeBroker.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RuntimeBroker.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

msedge.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe

Modifies registry class 2 IoCs

Processes:

OpenWith.exeOpenWith.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-4018527317-446799424-2810249686-1000_Classes\Local Settings	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-4018527317-446799424-2810249686-1000_Classes\Local Settings	OpenWith.exe

NTFS ADS 1 IoCs

Processes:

msedge.exe

description ioc process

File opened for modification C:\Users\Admin\Downloads\Rebel.7z:Zone.Identifier msedge.exe

description	ioc	process
File opened for modification	C:\Users\Admin\Downloads\Rebel.7z:Zone.Identifier	msedge.exe

Suspicious behavior: EnumeratesProcesses 10 IoCs

Processes:

msedge.exemsedge.exemsedge.exeidentity_helper.exemsedge.exe

pid	process
5228	msedge.exe
5228	msedge.exe
5348	msedge.exe
5348	msedge.exe
5600	msedge.exe
5600	msedge.exe
2600	identity_helper.exe
2600	identity_helper.exe
5244	msedge.exe
5244	msedge.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

7zG.exe

pid process

1332 7zG.exe

pid	process
1332	7zG.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 16 IoCs

Processes:

msedge.exe

pid	process
5348	msedge.exe
5348	msedge.exe
5348	msedge.exe
5348	msedge.exe
5348	msedge.exe
5348	msedge.exe
5348	msedge.exe
5348	msedge.exe
5348	msedge.exe
5348	msedge.exe
5348	msedge.exe
5348	msedge.exe
5348	msedge.exe
5348	msedge.exe
5348	msedge.exe
5348	msedge.exe

Suspicious use of AdjustPrivilegeToken 13 IoCs

Processes:

7zG.exe7zG.exe7zG.exeRuntimeBroker.exe

description	pid	process
Token: SeRestorePrivilege	1332	7zG.exe
Token: 35	1332	7zG.exe
Token: SeSecurityPrivilege	1332	7zG.exe
Token: SeSecurityPrivilege	1332	7zG.exe
Token: SeRestorePrivilege	5676	7zG.exe
Token: 35	5676	7zG.exe
Token: SeSecurityPrivilege	5676	7zG.exe
Token: SeSecurityPrivilege	5676	7zG.exe
Token: SeRestorePrivilege	2260	7zG.exe
Token: 35	2260	7zG.exe
Token: SeSecurityPrivilege	2260	7zG.exe
Token: SeSecurityPrivilege	2260	7zG.exe
Token: SeDebugPrivilege	2396	RuntimeBroker.exe

Suspicious use of FindShellTrayWindow 58 IoCs

Processes:

msedge.exe7zG.exe7zG.exe7zG.exe

pid	process
5348	msedge.exe
5348	msedge.exe
5348	msedge.exe
5348	msedge.exe
5348	msedge.exe
5348	msedge.exe
5348	msedge.exe
5348	msedge.exe
5348	msedge.exe
5348	msedge.exe
5348	msedge.exe
5348	msedge.exe
5348	msedge.exe
5348	msedge.exe
5348	msedge.exe
5348	msedge.exe
5348	msedge.exe
5348	msedge.exe
5348	msedge.exe
5348	msedge.exe
5348	msedge.exe
5348	msedge.exe
5348	msedge.exe
5348	msedge.exe
5348	msedge.exe
5348	msedge.exe
5348	msedge.exe
5348	msedge.exe
5348	msedge.exe
5348	msedge.exe
5348	msedge.exe
5348	msedge.exe
5348	msedge.exe
5348	msedge.exe
5348	msedge.exe
5348	msedge.exe
5348	msedge.exe
5348	msedge.exe
5348	msedge.exe
5348	msedge.exe
5348	msedge.exe
5348	msedge.exe
5348	msedge.exe
5348	msedge.exe
5348	msedge.exe
5348	msedge.exe
5348	msedge.exe
5348	msedge.exe
5348	msedge.exe
5348	msedge.exe
5348	msedge.exe
5348	msedge.exe
5348	msedge.exe
5348	msedge.exe
5348	msedge.exe
1332	7zG.exe
5676	7zG.exe
2260	7zG.exe

Suspicious use of SendNotifyMessage 16 IoCs

Processes:

msedge.exe

pid	process
5348	msedge.exe
5348	msedge.exe
5348	msedge.exe
5348	msedge.exe
5348	msedge.exe
5348	msedge.exe
5348	msedge.exe
5348	msedge.exe
5348	msedge.exe
5348	msedge.exe
5348	msedge.exe
5348	msedge.exe
5348	msedge.exe
5348	msedge.exe
5348	msedge.exe
5348	msedge.exe

Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

OpenWith.exeOpenWith.exe

pid process

5600 OpenWith.exe
2256 OpenWith.exe

pid	process
5600	OpenWith.exe
2256	OpenWith.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

msedge.exe

description	pid	process	target process
PID 5348 wrote to memory of 3348	5348	msedge.exe	msedge.exe
PID 5348 wrote to memory of 3348	5348	msedge.exe	msedge.exe
PID 5348 wrote to memory of 4880	5348	msedge.exe	msedge.exe
PID 5348 wrote to memory of 4880	5348	msedge.exe	msedge.exe
PID 5348 wrote to memory of 4880	5348	msedge.exe	msedge.exe
PID 5348 wrote to memory of 4880	5348	msedge.exe	msedge.exe
PID 5348 wrote to memory of 4880	5348	msedge.exe	msedge.exe
PID 5348 wrote to memory of 4880	5348	msedge.exe	msedge.exe
PID 5348 wrote to memory of 4880	5348	msedge.exe	msedge.exe
PID 5348 wrote to memory of 4880	5348	msedge.exe	msedge.exe
PID 5348 wrote to memory of 4880	5348	msedge.exe	msedge.exe
PID 5348 wrote to memory of 4880	5348	msedge.exe	msedge.exe
PID 5348 wrote to memory of 4880	5348	msedge.exe	msedge.exe
PID 5348 wrote to memory of 4880	5348	msedge.exe	msedge.exe
PID 5348 wrote to memory of 4880	5348	msedge.exe	msedge.exe
PID 5348 wrote to memory of 4880	5348	msedge.exe	msedge.exe
PID 5348 wrote to memory of 4880	5348	msedge.exe	msedge.exe
PID 5348 wrote to memory of 4880	5348	msedge.exe	msedge.exe
PID 5348 wrote to memory of 4880	5348	msedge.exe	msedge.exe
PID 5348 wrote to memory of 4880	5348	msedge.exe	msedge.exe
PID 5348 wrote to memory of 4880	5348	msedge.exe	msedge.exe
PID 5348 wrote to memory of 4880	5348	msedge.exe	msedge.exe
PID 5348 wrote to memory of 4880	5348	msedge.exe	msedge.exe
PID 5348 wrote to memory of 4880	5348	msedge.exe	msedge.exe
PID 5348 wrote to memory of 4880	5348	msedge.exe	msedge.exe
PID 5348 wrote to memory of 4880	5348	msedge.exe	msedge.exe
PID 5348 wrote to memory of 4880	5348	msedge.exe	msedge.exe
PID 5348 wrote to memory of 4880	5348	msedge.exe	msedge.exe
PID 5348 wrote to memory of 4880	5348	msedge.exe	msedge.exe
PID 5348 wrote to memory of 4880	5348	msedge.exe	msedge.exe
PID 5348 wrote to memory of 4880	5348	msedge.exe	msedge.exe
PID 5348 wrote to memory of 4880	5348	msedge.exe	msedge.exe
PID 5348 wrote to memory of 4880	5348	msedge.exe	msedge.exe
PID 5348 wrote to memory of 4880	5348	msedge.exe	msedge.exe
PID 5348 wrote to memory of 4880	5348	msedge.exe	msedge.exe
PID 5348 wrote to memory of 4880	5348	msedge.exe	msedge.exe
PID 5348 wrote to memory of 4880	5348	msedge.exe	msedge.exe
PID 5348 wrote to memory of 4880	5348	msedge.exe	msedge.exe
PID 5348 wrote to memory of 4880	5348	msedge.exe	msedge.exe
PID 5348 wrote to memory of 4880	5348	msedge.exe	msedge.exe
PID 5348 wrote to memory of 4880	5348	msedge.exe	msedge.exe
PID 5348 wrote to memory of 4880	5348	msedge.exe	msedge.exe
PID 5348 wrote to memory of 5228	5348	msedge.exe	msedge.exe
PID 5348 wrote to memory of 5228	5348	msedge.exe	msedge.exe
PID 5348 wrote to memory of 1136	5348	msedge.exe	msedge.exe
PID 5348 wrote to memory of 1136	5348	msedge.exe	msedge.exe
PID 5348 wrote to memory of 1136	5348	msedge.exe	msedge.exe
PID 5348 wrote to memory of 1136	5348	msedge.exe	msedge.exe
PID 5348 wrote to memory of 1136	5348	msedge.exe	msedge.exe
PID 5348 wrote to memory of 1136	5348	msedge.exe	msedge.exe
PID 5348 wrote to memory of 1136	5348	msedge.exe	msedge.exe
PID 5348 wrote to memory of 1136	5348	msedge.exe	msedge.exe
PID 5348 wrote to memory of 1136	5348	msedge.exe	msedge.exe
PID 5348 wrote to memory of 1136	5348	msedge.exe	msedge.exe
PID 5348 wrote to memory of 1136	5348	msedge.exe	msedge.exe
PID 5348 wrote to memory of 1136	5348	msedge.exe	msedge.exe
PID 5348 wrote to memory of 1136	5348	msedge.exe	msedge.exe
PID 5348 wrote to memory of 1136	5348	msedge.exe	msedge.exe
PID 5348 wrote to memory of 1136	5348	msedge.exe	msedge.exe
PID 5348 wrote to memory of 1136	5348	msedge.exe	msedge.exe
PID 5348 wrote to memory of 1136	5348	msedge.exe	msedge.exe
PID 5348 wrote to memory of 1136	5348	msedge.exe	msedge.exe
PID 5348 wrote to memory of 1136	5348	msedge.exe	msedge.exe
PID 5348 wrote to memory of 1136	5348	msedge.exe	msedge.exe

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --start-maximized --single-argument https://www.mediafire.com/file/by9n59rwi4ek33p/Rebel.7z/file
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:5348
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ff994db3cb8,0x7ff994db3cc8,0x7ff994db3cd8
  2⤵
  PID:3348
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1916,7050656901799938559,1399462147086710746,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1928 /prefetch:2
  2⤵
  PID:4880
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1916,7050656901799938559,1399462147086710746,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2372 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:5228
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1916,7050656901799938559,1399462147086710746,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2652 /prefetch:8
  2⤵
  PID:1136
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1916,7050656901799938559,1399462147086710746,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3252 /prefetch:1
  2⤵
  PID:4796
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1916,7050656901799938559,1399462147086710746,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3164 /prefetch:1
  2⤵
  PID:6096
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1916,7050656901799938559,1399462147086710746,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5496 /prefetch:1
  2⤵
  PID:1484
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1916,7050656901799938559,1399462147086710746,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5780 /prefetch:1
  2⤵
  PID:744
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1916,7050656901799938559,1399462147086710746,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5256 /prefetch:1
  2⤵
  PID:2944
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1916,7050656901799938559,1399462147086710746,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6004 /prefetch:1
  2⤵
  PID:2216
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1916,7050656901799938559,1399462147086710746,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6272 /prefetch:1
  2⤵
  PID:3460
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1916,7050656901799938559,1399462147086710746,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6392 /prefetch:1
  2⤵
  PID:1756
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1916,7050656901799938559,1399462147086710746,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6764 /prefetch:1
  2⤵
  PID:5612
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1916,7050656901799938559,1399462147086710746,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6824 /prefetch:1
  2⤵
  PID:5944
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1916,7050656901799938559,1399462147086710746,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6424 /prefetch:1
  2⤵
  PID:5920
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1916,7050656901799938559,1399462147086710746,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6212 /prefetch:1
  2⤵
  PID:5112
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1916,7050656901799938559,1399462147086710746,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=7076 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:5600
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1916,7050656901799938559,1399462147086710746,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6592 /prefetch:1
  2⤵
  PID:5644
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1916,7050656901799938559,1399462147086710746,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7092 /prefetch:1
  2⤵
  PID:5776
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1916,7050656901799938559,1399462147086710746,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7676 /prefetch:1
  2⤵
  PID:4972
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1916,7050656901799938559,1399462147086710746,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7704 /prefetch:1
  2⤵
  PID:4188
- C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1916,7050656901799938559,1399462147086710746,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=7956 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2600
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1916,7050656901799938559,1399462147086710746,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=7332 /prefetch:8
  2⤵
  - NTFS ADS
  - Suspicious behavior: EnumeratesProcesses
  PID:5244

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:5004

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:740

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:984

C:\Program Files\7-Zip\7zG.exe
"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Desktop\New folder\" -an -ai#7zMap7807:88:7zEvent15688
1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:1332

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:5600

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:2256

C:\Program Files\7-Zip\7zG.exe
"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Desktop\New folder\" -an -ai#7zMap22173:88:7zEvent11728
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:5676

C:\Program Files\7-Zip\7zG.exe
"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Desktop\New folder\" -an -ai#7zMap32258:88:7zEvent6846
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:2260

C:\Users\Admin\Desktop\New folder\Rebel\RebelCracked.exe
"C:\Users\Admin\Desktop\New folder\Rebel\RebelCracked.exe"
1⤵
- Executes dropped EXE
PID:3252
- C:\Users\Admin\AppData\Local\RuntimeBroker.exe
  "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  PID:4892
- - C:\Users\Admin\AppData\Local\RuntimeBroker.exe
    "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    PID:2396
- C:\Users\Admin\Desktop\New folder\Rebel\RebelCracked.exe
  "C:\Users\Admin\Desktop\New folder\Rebel\RebelCracked.exe"
  2⤵
  - Executes dropped EXE
  PID:4404

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\RebelCracked.exe.log

Filesize
654B

MD5
2cbbb74b7da1f720b48ed31085cbd5b8

SHA1
79caa9a3ea8abe1b9c4326c3633da64a5f724964

SHA256
e31b18f21621d9983bfdf1ea3e53884a9d58b8ffd79e0e5790da6f3a81a8b9d3

SHA512
ecf02d5240e0c1c005d3ab393aa7eff62bd498c2db5905157e2bf6d29e1b663228a9583950842629d1a4caef404c8941a0c7799b1a3bd1eb890a09fdb7efcff9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\RuntimeBroker.exe.log

Filesize
706B

MD5
1356da7590c7343415dc5977d32b17c8

SHA1
6b2d7cb07839255395f6b24391fe5fec5201e359

SHA256
2126fa4651af160534e852712f55be80e16308e9cad3fed7b0bd3ac6ce528702

SHA512
6f1cff058fd47eb299d81dcb53d6c8138d433c8f2d44fc281639ed72f88bfcaa56e100367a77f856a8e06a490a932bc0ae53d6ed10e78fcfbebb97be9d8cb97c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
003b92b33b2eb97e6c1a0929121829b8

SHA1
6f18e96c7a2e07fb5a80acb3c9916748fd48827a

SHA256
8001f251d5932a62bfe17b0ba3686ce255ecf9adb95a06ecb954faa096be3e54

SHA512
18005c6c07475e6dd1ec310fe511353381cf0f15d086cf20dc6ed8825c872944185c767f80306e56fec9380804933aa37a8f12c720398b4b3b42cb216b41cf77

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
051a939f60dced99602add88b5b71f58

SHA1
a71acd61be911ff6ff7e5a9e5965597c8c7c0765

SHA256
2cff121889a0a77f49cdc4564bdd1320cf588c9dcd36012dbc3669cf73015d10

SHA512
a9c72ed43b895089a9e036aba6da96213fedd2f05f0a69ae8d1fa07851ac8263e58af86c7103ce4b4f9cfe92f9c9d0a46085c066a54ce825ef53505fdb988d1f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\226dbf78-f8cb-4254-95cc-1dd07f005925.tmp

Filesize
10KB

MD5
59e35b5eb8a5bc19b923b300b728965f

SHA1
0e583a06993239e63a4ec2d33e72b78f12ffac7e

SHA256
017d1483211fccac8663f9d169563765633a9cd8e675d45e9ec0368614dcde27

SHA512
7fbd4ee8003aa3f6890ed0c7cecf22a16cf5d861896a2fe64a8b51f100128095e4e6aaa00420cfef425ade5da468c0999a35edbc8f3a62f5d0d7e0dcaad4d2ae

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
1KB

MD5
fccd0915042e17d17f42a8e9bdf569a0

SHA1
a535eb70a75164b26ce6319a49b184dbae715701

SHA256
e66d9b769f428df82d1193ee334db3657f878884ee13d7d933a8354a23da1924

SHA512
0c0507661cd35389b0bbe3c0eaee7acaa646fc5d132509050580b99402f0044c4223433231580e6789f2cb943c84906db53658560fcdfd127ca5f70676e15daf

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
9KB

MD5
2beaf2ec87aa0204769631c690ff5c58

SHA1
91796501f570c89ee503a0de696945dcaa779c86

SHA256
4f2429f56f8640bf3b73284f4447ed2b201fa27ba6e7ddce7c66258051377ff3

SHA512
6e956261bf7b78ccb57d6124ae9debafd09c23fa5fa37d45447d52be496901da24a310f5139bc5453c1642386140b3b197930d156c805f589662c04b980bd560

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
1665ab878f90d1a56dd3454e3f0dde18

SHA1
63494d365428bf653f8446630ee7b639d08e85f3

SHA256
21a36d2336e5d3f0f196a6ecc549d07182e98ee87693eb08096b86014276efa2

SHA512
4baf015f210d47226b279d03629ef0bc8c463b2e91bb29454833f2550e9a26492c4ccc7bd74003a0c0448eaa721f205b729a9c8b224c4b96937ee6ac5187c50c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
10KB

MD5
79267b0982f10d319faa41ba07c42ece

SHA1
671abec5d5d76303cddde0f8c506ead0fc36a761

SHA256
b9d2349378a1ab8a85713d7a398571b6e5ff0222b6eb643be0fbef1cea2c71b8

SHA512
c40d685b5362d61d12c7f8a5241ede8c39a46285b5f4b2ce284937f213c88db521e53b169068539eab3d74eec301b5605fa842fabf3370b96808aafaa9bfda19

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
2KB

MD5
550d0e6c12cb2065f5b31f23dfc84959

SHA1
5a75735841a618081700ded3d01e59842a1bf71c

SHA256
7d8c2c39e079f0f41253a37e44a2a7d4e033442d8cf8c449c30099245cb250bc

SHA512
7982130aebf1a32350d9d4c17021b6b639ff26675a55431d07bc917aab642d9811b6ea0f27d4d47ba851c0480635817b4eeca5ed17b5f817d90b9b258b09363b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe57cc78.TMP

Filesize
2KB

MD5
eebe3d7b2f640fa01d16338a192a08a7

SHA1
2caaeb2667888876978795efcd1522b62d058271

SHA256
b1b2a019a352599ded870f2830b7bf3b03c3ee068557e9bd6343a8a8de17e98e

SHA512
38f55a1bdba7b362232b57675b976a43af8fecf9660301a7af8ac5b59104dfe3b60f97e31a382925c148d6675d7ebbd82954ffddfe55f6c3f1077feb2fc91d4d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
206702161f94c5cd39fadd03f4014d98

SHA1
bd8bfc144fb5326d21bd1531523d9fb50e1b600a

SHA256
1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167

SHA512
0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
ade2d318cd5c6dc64b1c2ba8abb109bf

SHA1
3146b5e65cecd57d6ca74bd516791f8b2e1b19af

SHA256
be24dfdc5e054f0c962bf139737362671e3f82a783e6d1688f6b335aef8b5e99

SHA512
c474eee35883c5e724754691e5dc066e88f98ff32cd6b00d91ef89b84e0340dcd110beace519c2eea3941e43de24ba2bd418efe912015f11f2cf5b4e597b821d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
088cf21400fb766fb64b0df4c64ae123

SHA1
b493176295bf7806b05e68c9c966245812b487c1

SHA256
c5b6ddc61dc50c0e1758ba38306718c9ef1ec88f47e31ea767a7175235901dc1

SHA512
f463e54dc9da1d47621a60546f901af550d3b73ff8527a4d9f5b0ddcf7b4ce89482cbc7079d3f33d3e8d6220b03662e6774bf0f8034bfaf04b95e311f55e0f81

Download Submit
C:\Users\Admin\AppData\Local\RuntimeBroker.exe

Filesize
330KB

MD5
75e456775c0a52b6bbe724739fa3b4a7

SHA1
1f4c575e98d48775f239ceae474e03a3058099ea

SHA256
e8d52d0d352317b3da0be6673099d32e10e7b0e44d23a0c1a6a5277d37b95cf3

SHA512
b376146c6fa91f741d69acf7b02a57442d2ea059be37b9bdb06af6cc01272f4ded1a82e4e21b9c803d0e91e22fc12f70391f5e8c8704d51b2435afc9624e8471

Download Submit
C:\Users\Admin\Desktop\New folder\Rebel\RebelCracked.exe

Filesize
344KB

MD5
a84fd0fc75b9c761e9b7923a08da41c7

SHA1
2597048612041cd7a8c95002c73e9c2818bb2097

SHA256
9d9a79f4ae9bf7a992945f6c06c5bec642c05e4e828217c50255dabfa3677006

SHA512
a17f1144a0e3ce07c7ed6891987c5b969f291e9991442c33750028d35e2194794e8a649c397e8afc9f8ce19d485c453600c75cab4fcead09e38414d85819251a

Download Submit
C:\Users\Admin\Downloads\Rebel.7z:Zone.Identifier

Filesize
26B

MD5
fbccf14d504b7b2dbcb5a5bda75bd93b

SHA1
d59fc84cdd5217c6cf74785703655f78da6b582b

SHA256
eacd09517ce90d34ba562171d15ac40d302f0e691b439f91be1b6406e25f5913

SHA512
aa1d2b1ea3c9de3ccadb319d4e3e3276a2f27dd1a5244fe72de2b6f94083dddc762480482c5c2e53f803cd9e3973ddefc68966f974e124307b5043e654443b98

Download Submit
\??\pipe\LOCAL\crashpad_5348_SBBUPJVLJNYIXARG

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/2396-448-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/3252-426-0x00000000007B0000-0x000000000080C000-memory.dmp

Filesize
368KB

Download
memory/3252-439-0x000000001BC00000-0x000000001BDB3000-memory.dmp

Filesize
1.7MB

Download
memory/4892-443-0x0000000005FB0000-0x0000000006556000-memory.dmp

Filesize
5.6MB

Download
memory/4892-444-0x0000000005A00000-0x0000000005A92000-memory.dmp

Filesize
584KB

Download
memory/4892-445-0x0000000005AA0000-0x0000000005AEA000-memory.dmp

Filesize
296KB

Download
memory/4892-446-0x0000000005B90000-0x0000000005C2C000-memory.dmp

Filesize
624KB

Download
memory/4892-447-0x0000000005AF0000-0x0000000005AFA000-memory.dmp

Filesize
40KB

Download
memory/4892-442-0x00000000007A0000-0x00000000007F8000-memory.dmp

Filesize
352KB

Download