Analysis

  • max time kernel
    100s
  • max time network
    95s
  • platform
    windows11-21h2_x64
  • resource
    win11-20241007-en
  • resource tags

    arch:x64, arch:x86, image:win11-20241007-en, locale:en-us, os:windows11-21h2-x64, system
  • submitted
    10-11-2024 20:41

General

  • Target

    https://www.mediafire.com/file/by9n59rwi4ek33p/Rebel.7z/file

Malware Config

Extracted

Family

asyncrat

Botnet

Default

C2

127.0.0.1:6606

127.0.0.1:7707

127.0.0.1:8808

Mutex

AsyncMutex_6SI8OkPnk

Attributes
  • delay

    3

  • install

    false

  • install_folder

    %AppData%

aes.plain

Signatures

  • AsyncRat

    AsyncRAT is a tool written in C# that is designed to remotely monitor and control other computers.

  • Asyncrat family
  • StormKitty

    StormKitty is an open source info stealer written in C#.

  • StormKitty payload 1 IoCs
  • Stormkitty family
  • Executes dropped EXE 4 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Browser Information Discovery 1 TTPs

    Enumerate browser information.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Enumerates system info in registry 2 TTPs 3 IoCs
  • Modifies registry class 2 IoCs
  • NTFS ADS 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 10 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 16 IoCs
  • Suspicious use of AdjustPrivilegeToken 13 IoCs
  • Suspicious use of FindShellTrayWindow 58 IoCs
  • Suspicious use of SendNotifyMessage 16 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --start-maximized --single-argument https://www.mediafire.com/file/by9n59rwi4ek33p/Rebel.7z/file
    1⤵
    • Enumerates system info in registry
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    • Suspicious use of WriteProcessMemory
    PID:5348
    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ff994db3cb8,0x7ff994db3cc8,0x7ff994db3cd8
      2⤵
        PID:3348
      • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1916,7050656901799938559,1399462147086710746,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1928 /prefetch:2
        2⤵
          PID:4880
        • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1916,7050656901799938559,1399462147086710746,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2372 /prefetch:3
          2⤵
          • Suspicious behavior: EnumeratesProcesses
          PID:5228
        • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1916,7050656901799938559,1399462147086710746,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2652 /prefetch:8
          2⤵
            PID:1136
          • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
            "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1916,7050656901799938559,1399462147086710746,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3252 /prefetch:1
            2⤵
              PID:4796
            • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
              "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1916,7050656901799938559,1399462147086710746,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3164 /prefetch:1
              2⤵
                PID:6096
              • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1916,7050656901799938559,1399462147086710746,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5496 /prefetch:1
                2⤵
                  PID:1484
                • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1916,7050656901799938559,1399462147086710746,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5780 /prefetch:1
                  2⤵
                    PID:744
                  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1916,7050656901799938559,1399462147086710746,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5256 /prefetch:1
                    2⤵
                      PID:2944
                    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1916,7050656901799938559,1399462147086710746,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6004 /prefetch:1
                      2⤵
                        PID:2216
                      • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1916,7050656901799938559,1399462147086710746,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6272 /prefetch:1
                        2⤵
                          PID:3460
                        • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                          "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1916,7050656901799938559,1399462147086710746,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6392 /prefetch:1
                          2⤵
                            PID:1756
                          • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                            "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1916,7050656901799938559,1399462147086710746,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6764 /prefetch:1
                            2⤵
                              PID:5612
                            • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                              "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1916,7050656901799938559,1399462147086710746,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6824 /prefetch:1
                              2⤵
                                PID:5944
                              • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1916,7050656901799938559,1399462147086710746,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6424 /prefetch:1
                                2⤵
                                  PID:5920
                                • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1916,7050656901799938559,1399462147086710746,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6212 /prefetch:1
                                  2⤵
                                    PID:5112
                                  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1916,7050656901799938559,1399462147086710746,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=7076 /prefetch:8
                                    2⤵
                                    • Suspicious behavior: EnumeratesProcesses
                                    PID:5600
                                  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1916,7050656901799938559,1399462147086710746,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6592 /prefetch:1
                                    2⤵
                                      PID:5644
                                    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1916,7050656901799938559,1399462147086710746,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7092 /prefetch:1
                                      2⤵
                                        PID:5776
                                      • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1916,7050656901799938559,1399462147086710746,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7676 /prefetch:1
                                        2⤵
                                          PID:4972
                                        • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                          "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1916,7050656901799938559,1399462147086710746,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7704 /prefetch:1
                                          2⤵
                                            PID:4188
                                          • C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe
                                            "C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1916,7050656901799938559,1399462147086710746,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=7956 /prefetch:8
                                            2⤵
                                            • Suspicious behavior: EnumeratesProcesses
                                            PID:2600
                                          • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                            "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1916,7050656901799938559,1399462147086710746,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=7332 /prefetch:8
                                            2⤵
                                            • NTFS ADS
                                            • Suspicious behavior: EnumeratesProcesses
                                            PID:5244
                                        • C:\Windows\System32\CompPkgSrv.exe
                                          C:\Windows\System32\CompPkgSrv.exe -Embedding
                                          1⤵
                                            PID:5004
                                          • C:\Windows\System32\CompPkgSrv.exe
                                            C:\Windows\System32\CompPkgSrv.exe -Embedding
                                            1⤵
                                              PID:740
                                            • C:\Windows\System32\rundll32.exe
                                              C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
                                              1⤵
                                                PID:984
                                              • C:\Program Files\7-Zip\7zG.exe
                                                "C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Desktop\New folder\" -an -ai#7zMap7807:88:7zEvent15688
                                                1⤵
                                                • Suspicious behavior: GetForegroundWindowSpam
                                                • Suspicious use of AdjustPrivilegeToken
                                                • Suspicious use of FindShellTrayWindow
                                                PID:1332
                                              • C:\Windows\system32\OpenWith.exe
                                                C:\Windows\system32\OpenWith.exe -Embedding
                                                1⤵
                                                • Modifies registry class
                                                • Suspicious use of SetWindowsHookEx
                                                PID:5600
                                              • C:\Windows\system32\OpenWith.exe
                                                C:\Windows\system32\OpenWith.exe -Embedding
                                                1⤵
                                                • Modifies registry class
                                                • Suspicious use of SetWindowsHookEx
                                                PID:2256
                                              • C:\Program Files\7-Zip\7zG.exe
                                                "C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Desktop\New folder\" -an -ai#7zMap22173:88:7zEvent11728
                                                1⤵
                                                • Suspicious use of AdjustPrivilegeToken
                                                • Suspicious use of FindShellTrayWindow
                                                PID:5676
                                              • C:\Program Files\7-Zip\7zG.exe
                                                "C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Desktop\New folder\" -an -ai#7zMap32258:88:7zEvent6846
                                                1⤵
                                                • Suspicious use of AdjustPrivilegeToken
                                                • Suspicious use of FindShellTrayWindow
                                                PID:2260
                                              • C:\Users\Admin\Desktop\New folder\Rebel\RebelCracked.exe
                                                "C:\Users\Admin\Desktop\New folder\Rebel\RebelCracked.exe"
                                                1⤵
                                                • Executes dropped EXE
                                                PID:3252
                                                • C:\Users\Admin\AppData\Local\RuntimeBroker.exe
                                                  "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
                                                  2⤵
                                                  • Executes dropped EXE
                                                  • Suspicious use of SetThreadContext
                                                  • System Location Discovery: System Language Discovery
                                                  PID:4892
                                                  • C:\Users\Admin\AppData\Local\RuntimeBroker.exe
                                                    "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
                                                    3⤵
                                                    • Executes dropped EXE
                                                    • System Location Discovery: System Language Discovery
                                                    • Suspicious use of AdjustPrivilegeToken
                                                    PID:2396
                                                • C:\Users\Admin\Desktop\New folder\Rebel\RebelCracked.exe
                                                  "C:\Users\Admin\Desktop\New folder\Rebel\RebelCracked.exe"
                                                  2⤵
                                                  • Executes dropped EXE
                                                  PID:4404

                                              Network

                                              MITRE ATT&CK Enterprise v15


                                              Downloads

                                              • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\RebelCracked.exe.log

                                                Filesize

                                                654B


                                              • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\RuntimeBroker.exe.log

                                                Filesize

                                                706B


                                              • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

                                                Filesize

                                                152B


                                              • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

                                                Filesize

                                                152B


                                              • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\226dbf78-f8cb-4254-95cc-1dd07f005925.tmp

                                                Filesize

                                                10KB


                                              • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

                                                Filesize

                                                1KB


                                              • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

                                                Filesize

                                                9KB


                                              • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

                                                Filesize

                                                5KB


                                              • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

                                                Filesize

                                                10KB


                                              • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

                                                Filesize

                                                2KB


                                              • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe57cc78.TMP

                                                Filesize

                                                2KB


                                              • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

                                                Filesize

                                                16B

                                              • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

                                                Filesize

                                                16B

                                              • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

                                                Filesize

                                                10KB

                                              • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

                                                Filesize

                                                10KB

                                              • C:\Users\Admin\AppData\Local\RuntimeBroker.exe

                                                Filesize

                                                330KB

                                              • C:\Users\Admin\Desktop\New folder\Rebel\RebelCracked.exe

                                                Filesize

                                                344KB

                                              • C:\Users\Admin\Downloads\Rebel.7z:Zone.Identifier

                                                Filesize

                                                26B

                                              • memory/2396-448-0x0000000000400000-0x0000000000432000-memory.dmp

                                                Filesize

                                                200KB

                                              • memory/3252-426-0x00000000007B0000-0x000000000080C000-memory.dmp

                                                Filesize

                                                368KB

                                              • memory/3252-439-0x000000001BC00000-0x000000001BDB3000-memory.dmp

                                                Filesize

                                                1.7MB

                                              • memory/4892-443-0x0000000005FB0000-0x0000000006556000-memory.dmp

                                                Filesize

                                                5.6MB

                                              • memory/4892-444-0x0000000005A00000-0x0000000005A92000-memory.dmp

                                                Filesize

                                                584KB

                                              • memory/4892-445-0x0000000005AA0000-0x0000000005AEA000-memory.dmp

                                                Filesize

                                                296KB

                                              • memory/4892-446-0x0000000005B90000-0x0000000005C2C000-memory.dmp

                                                Filesize

                                                624KB

                                              • memory/4892-447-0x0000000005AF0000-0x0000000005AFA000-memory.dmp

                                                Filesize

                                                40KB

                                              • memory/4892-442-0x00000000007A0000-0x00000000007F8000-memory.dmp

                                                Filesize

                                                352KB