Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

10

Static

static

1

URLScan

urlscan

https://mega.nz/fold...

windows10-2004-x64

10

Resubmissions

08/08/2024, 07:46

240808-jmc2davdnf 10

08/08/2024, 06:50

240808-hlwxes1bjl 10

Analysis

  • max time kernel
    1800s
  • max time network
    1799s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240802-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
  • submitted
    08/08/2024, 06:50

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    https://mega.nz/folder/o7onBAqb#lPnM6du1_ZsHQgf5SIaC4Q

Score
10/10
agentteslaxwormagilenetdefense_evasiondiscoveryexecutionkeyloggerpersistenceratspywarestealertrojanupx

Malware Config

Extracted

Family

xworm

Version

3.1

C2

society-painted.at.ply.gg:17251

Attributes
  • Install_directory

    %Public%

  • install_file

    USB.exe

  • telegram

    https://api.telegram.org/bot5817418329:AAGYtFww9eAGl3ZTuqrCmSNxu_TJJiAWkzA/sendMessage?chat_id=1860651440

Extracted

Family

xworm

Version

5.0

C2

127.0.0.1:7000

Mutex

oRS7BxRwxp3BS0Q4

Attributes
  • install_file

    USB.exe

aes.plain

Extracted

Family

xworm

C2

127.0.0.1:7000

Attributes
  • install_file

    USB.exe

Signatures

  • AgentTesla

    Agent Tesla is a remote access tool (RAT) written in visual basic.

    keyloggertrojanstealerspywareagenttesla
  • Detect Xworm Payload 6 IoCs
  • Xworm

    Xworm is a remote access trojan written in C#.

    trojanratxworm
  • AgentTesla payload 1 IoCs
  • Command and Scripting Interpreter: PowerShell 1 TTPs 12 IoCs

    Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

    execution
  • Checks computer location settings 2 TTPs 3 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Drops startup file 2 IoCs
  • Executes dropped EXE 45 IoCs
  • Loads dropped DLL 2 IoCs
  • Obfuscated with Agile.Net obfuscator 33 IoCs

    Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.

    agilenet
  • UPX packed file 2 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Uses the VBS compiler for execution 1 TTPs
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Obfuscated Files or Information: Command Obfuscation 1 TTPs

    Adversaries may obfuscate content during command execution to impede detection.

    defense_evasion
  • Suspicious use of NtSetInformationThreadHideFromDebugger 64 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Drops file in Windows directory 1 IoCs
  • Browser Information Discovery 1 TTPs

    Enumerate browser information.

    discovery
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Program crash 1 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 19 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Checks processor information in registry 2 TTPs 2 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Enumerates system info in registry 2 TTPs 10 IoCs
  • Modifies Internet Explorer settings 1 TTPs 1 IoCs
    adwarespyware
  • Modifies registry class 64 IoCs
  • Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistenceexecution
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 4 IoCs
  • Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 10 IoCs
  • Suspicious use of AdjustPrivilegeToken 53 IoCs
  • Suspicious use of FindShellTrayWindow 53 IoCs
  • Suspicious use of SendNotifyMessage 25 IoCs
  • Suspicious use of SetWindowsHookEx 44 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://mega.nz/folder/o7onBAqb#lPnM6du1_ZsHQgf5SIaC4Q
    1⤵
    • Enumerates system info in registry
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    • Suspicious use of WriteProcessMemory
    PID:1468
    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffd3ab646f8,0x7ffd3ab64708,0x7ffd3ab64718
      2⤵
        PID:2892
      • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2068,9972357990926575431,6184424082520951355,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2088 /prefetch:2
        2⤵
          PID:4272
        • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2068,9972357990926575431,6184424082520951355,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2196 /prefetch:3
          2⤵
          • Suspicious behavior: EnumeratesProcesses
          PID:3928
        • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2068,9972357990926575431,6184424082520951355,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2936 /prefetch:8
          2⤵
            PID:3060
          • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
            "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2068,9972357990926575431,6184424082520951355,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3348 /prefetch:1
            2⤵
              PID:3032
            • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
              "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2068,9972357990926575431,6184424082520951355,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3360 /prefetch:1
              2⤵
                PID:4988
              • C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
                "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2068,9972357990926575431,6184424082520951355,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5264 /prefetch:8
                2⤵
                  PID:2300
                • C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
                  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2068,9972357990926575431,6184424082520951355,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5264 /prefetch:8
                  2⤵
                  • Suspicious behavior: EnumeratesProcesses
                  PID:3268
                • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2068,9972357990926575431,6184424082520951355,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5468 /prefetch:1
                  2⤵
                    PID:3896
                  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2068,9972357990926575431,6184424082520951355,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5416 /prefetch:1
                    2⤵
                      PID:8
                    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=2068,9972357990926575431,6184424082520951355,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=5800 /prefetch:8
                      2⤵
                        PID:2804
                      • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2068,9972357990926575431,6184424082520951355,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5868 /prefetch:1
                        2⤵
                          PID:4968
                        • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                          "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2068,9972357990926575431,6184424082520951355,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5896 /prefetch:1
                          2⤵
                            PID:4008
                          • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                            "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2068,9972357990926575431,6184424082520951355,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=5324 /prefetch:8
                            2⤵
                              PID:3568
                            • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                              "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2068,9972357990926575431,6184424082520951355,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3344 /prefetch:1
                              2⤵
                                PID:2136
                              • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2068,9972357990926575431,6184424082520951355,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6188 /prefetch:8
                                2⤵
                                • Suspicious behavior: EnumeratesProcesses
                                PID:1276
                              • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2068,9972357990926575431,6184424082520951355,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1772 /prefetch:2
                                2⤵
                                • Suspicious behavior: EnumeratesProcesses
                                PID:5740
                              • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2068,9972357990926575431,6184424082520951355,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5588 /prefetch:1
                                2⤵
                                  PID:5420
                                • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2068,9972357990926575431,6184424082520951355,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1856 /prefetch:1
                                  2⤵
                                    PID:432
                                  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2068,9972357990926575431,6184424082520951355,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5444 /prefetch:8
                                    2⤵
                                      PID:5968
                                    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2068,9972357990926575431,6184424082520951355,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=23 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5660 /prefetch:1
                                      2⤵
                                        PID:5996
                                      • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2068,9972357990926575431,6184424082520951355,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2628 /prefetch:8
                                        2⤵
                                          PID:5336
                                        • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                          "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=2068,9972357990926575431,6184424082520951355,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4048 /prefetch:8
                                          2⤵
                                          • Modifies registry class
                                          • Suspicious behavior: GetForegroundWindowSpam
                                          • Suspicious use of SetWindowsHookEx
                                          PID:5748
                                        • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                          "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=2068,9972357990926575431,6184424082520951355,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6692 /prefetch:8
                                          2⤵
                                          • Modifies registry class
                                          • Suspicious use of SetWindowsHookEx
                                          PID:3228
                                        • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                          "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=2068,9972357990926575431,6184424082520951355,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6408 /prefetch:8
                                          2⤵
                                          • Modifies registry class
                                          • Suspicious use of SetWindowsHookEx
                                          PID:988
                                      • C:\Windows\System32\CompPkgSrv.exe
                                        C:\Windows\System32\CompPkgSrv.exe -Embedding
                                        1⤵
                                          PID:4452
                                        • C:\Windows\System32\CompPkgSrv.exe
                                          C:\Windows\System32\CompPkgSrv.exe -Embedding
                                          1⤵
                                            PID:1696
                                          • C:\Windows\system32\AUDIODG.EXE
                                            C:\Windows\system32\AUDIODG.EXE 0x2fc 0x51c
                                            1⤵
                                            • Suspicious use of AdjustPrivilegeToken
                                            PID:228
                                          • C:\Windows\System32\rundll32.exe
                                            C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
                                            1⤵
                                              PID:4552
                                            • C:\Windows\system32\NOTEPAD.EXE
                                              "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Downloads\Luxury Shield 7.1\Luxury Shield 7.1\Pass to use.txt
                                              1⤵
                                                PID:5204
                                              • C:\Users\Admin\Downloads\Luxury Shield 7.1\Luxury Shield 7.1\Luxury Sheild v7.1.exe
                                                "C:\Users\Admin\Downloads\Luxury Shield 7.1\Luxury Shield 7.1\Luxury Sheild v7.1.exe"
                                                1⤵
                                                  PID:5316
                                                  • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Luxury Shield 7.1.exe'
                                                    2⤵
                                                    • Command and Scripting Interpreter: PowerShell
                                                    • Suspicious behavior: EnumeratesProcesses
                                                    • Suspicious use of AdjustPrivilegeToken
                                                    PID:5428
                                                  • C:\Users\Admin\AppData\Local\Temp\Luxury Shield 7.1.exe
                                                    "C:\Users\Admin\AppData\Local\Temp\Luxury Shield 7.1.exe"
                                                    2⤵
                                                    • Executes dropped EXE
                                                    • Suspicious use of NtSetInformationThreadHideFromDebugger
                                                    • System Location Discovery: System Language Discovery
                                                    • Suspicious use of SetWindowsHookEx
                                                    PID:5628
                                                  • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\WinRAR.exe'
                                                    2⤵
                                                    • Command and Scripting Interpreter: PowerShell
                                                    • Suspicious behavior: EnumeratesProcesses
                                                    • Suspicious use of AdjustPrivilegeToken
                                                    PID:5652
                                                  • C:\Users\Admin\AppData\Local\Temp\WinRAR.exe
                                                    "C:\Users\Admin\AppData\Local\Temp\WinRAR.exe"
                                                    2⤵
                                                    • Checks computer location settings
                                                    • Drops startup file
                                                    • Executes dropped EXE
                                                    • Adds Run key to start application
                                                    • Suspicious use of AdjustPrivilegeToken
                                                    PID:5928
                                                    • C:\Windows\System32\schtasks.exe
                                                      "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "WinRAR" /tr "C:\Users\Public\WinRAR.exe"
                                                      3⤵
                                                      • Scheduled Task/Job: Scheduled Task
                                                      PID:6080
                                                • C:\Users\Admin\Downloads\Luxury Shield 7.1\Luxury Shield 7.1\Luxury Sheild v7.1.exe
                                                  "C:\Users\Admin\Downloads\Luxury Shield 7.1\Luxury Shield 7.1\Luxury Sheild v7.1.exe"
                                                  1⤵
                                                    PID:5132
                                                    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Luxury Shield 7.1.exe'
                                                      2⤵
                                                      • Command and Scripting Interpreter: PowerShell
                                                      • Suspicious behavior: EnumeratesProcesses
                                                      • Suspicious use of AdjustPrivilegeToken
                                                      PID:5260
                                                    • C:\Users\Admin\AppData\Local\Temp\Luxury Shield 7.1.exe
                                                      "C:\Users\Admin\AppData\Local\Temp\Luxury Shield 7.1.exe"
                                                      2⤵
                                                      • Executes dropped EXE
                                                      • Suspicious use of NtSetInformationThreadHideFromDebugger
                                                      • System Location Discovery: System Language Discovery
                                                      • Suspicious use of SetWindowsHookEx
                                                      PID:4144
                                                    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\WinRAR.exe'
                                                      2⤵
                                                      • Command and Scripting Interpreter: PowerShell
                                                      • Suspicious behavior: EnumeratesProcesses
                                                      • Suspicious use of AdjustPrivilegeToken
                                                      PID:5340
                                                    • C:\Users\Admin\AppData\Local\Temp\WinRAR.exe
                                                      "C:\Users\Admin\AppData\Local\Temp\WinRAR.exe"
                                                      2⤵
                                                      • Executes dropped EXE
                                                      • Suspicious use of AdjustPrivilegeToken
                                                      PID:5680
                                                  • C:\Users\Admin\Downloads\Luxury Shield 7.1\Luxury Shield 7.1\Luxury Sheild v7.1.exe
                                                    "C:\Users\Admin\Downloads\Luxury Shield 7.1\Luxury Shield 7.1\Luxury Sheild v7.1.exe"
                                                    1⤵
                                                      PID:5804
                                                      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Luxury Shield 7.1.exe'
                                                        2⤵
                                                        • Command and Scripting Interpreter: PowerShell
                                                        • Suspicious behavior: EnumeratesProcesses
                                                        • Suspicious use of AdjustPrivilegeToken
                                                        PID:5900
                                                      • C:\Users\Admin\AppData\Local\Temp\Luxury Shield 7.1.exe
                                                        "C:\Users\Admin\AppData\Local\Temp\Luxury Shield 7.1.exe"
                                                        2⤵
                                                        • Checks computer location settings
                                                        • Executes dropped EXE
                                                        • Loads dropped DLL
                                                        • Suspicious use of NtSetInformationThreadHideFromDebugger
                                                        • System Location Discovery: System Language Discovery
                                                        • Modifies registry class
                                                        • Suspicious behavior: EnumeratesProcesses
                                                        • Suspicious behavior: GetForegroundWindowSpam
                                                        • Suspicious use of AdjustPrivilegeToken
                                                        • Suspicious use of FindShellTrayWindow
                                                        • Suspicious use of SetWindowsHookEx
                                                        PID:2312
                                                        • C:\Users\Admin\Downloads\Luxury Shield 7.1\Luxury Shield 7.1\ILMerge.exe
                                                          "C:\Users\Admin\Downloads\Luxury Shield 7.1\Luxury Shield 7.1\ILMerge.exe"
                                                          3⤵
                                                            PID:1496
                                                          • C:\Windows\SysWOW64\WerFault.exe
                                                            C:\Windows\SysWOW64\WerFault.exe -u -p 2312 -s 3828
                                                            3⤵
                                                            • Program crash
                                                            PID:1500
                                                        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                          "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\WinRAR.exe'
                                                          2⤵
                                                          • Command and Scripting Interpreter: PowerShell
                                                          • Suspicious behavior: EnumeratesProcesses
                                                          • Suspicious use of AdjustPrivilegeToken
                                                          PID:372
                                                        • C:\Users\Admin\AppData\Local\Temp\WinRAR.exe
                                                          "C:\Users\Admin\AppData\Local\Temp\WinRAR.exe"
                                                          2⤵
                                                          • Executes dropped EXE
                                                          • Suspicious use of AdjustPrivilegeToken
                                                          PID:3788
                                                      • C:\Users\Public\WinRAR.exe
                                                        C:\Users\Public\WinRAR.exe
                                                        1⤵
                                                        • Executes dropped EXE
                                                        • Suspicious use of AdjustPrivilegeToken
                                                        PID:2192
                                                      • C:\Users\Admin\Downloads\Luxury Shield 7.1\Luxury Shield 7.1\Luxury Sheild v7.1.exe
                                                        "C:\Users\Admin\Downloads\Luxury Shield 7.1\Luxury Shield 7.1\Luxury Sheild v7.1.exe"
                                                        1⤵
                                                          PID:5872
                                                          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                            "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Luxury Shield 7.1.exe'
                                                            2⤵
                                                            • Command and Scripting Interpreter: PowerShell
                                                            • Suspicious behavior: EnumeratesProcesses
                                                            • Suspicious use of AdjustPrivilegeToken
                                                            PID:5388
                                                          • C:\Users\Admin\AppData\Local\Temp\Luxury Shield 7.1.exe
                                                            "C:\Users\Admin\AppData\Local\Temp\Luxury Shield 7.1.exe"
                                                            2⤵
                                                            • Executes dropped EXE
                                                            • Suspicious use of NtSetInformationThreadHideFromDebugger
                                                            • System Location Discovery: System Language Discovery
                                                            • Suspicious use of SetWindowsHookEx
                                                            PID:5608
                                                          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                            "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\WinRAR.exe'
                                                            2⤵
                                                            • Command and Scripting Interpreter: PowerShell
                                                            • Suspicious behavior: EnumeratesProcesses
                                                            • Suspicious use of AdjustPrivilegeToken
                                                            PID:5768
                                                          • C:\Users\Admin\AppData\Local\Temp\WinRAR.exe
                                                            "C:\Users\Admin\AppData\Local\Temp\WinRAR.exe"
                                                            2⤵
                                                            • Executes dropped EXE
                                                            • Suspicious use of AdjustPrivilegeToken
                                                            PID:5696
                                                        • C:\Users\Public\WinRAR.exe
                                                          C:\Users\Public\WinRAR.exe
                                                          1⤵
                                                          • Executes dropped EXE
                                                          • Suspicious use of AdjustPrivilegeToken
                                                          PID:4976
                                                        • C:\Users\Public\WinRAR.exe
                                                          C:\Users\Public\WinRAR.exe
                                                          1⤵
                                                          • Executes dropped EXE
                                                          • Suspicious use of AdjustPrivilegeToken
                                                          PID:5852
                                                        • C:\Users\Public\WinRAR.exe
                                                          C:\Users\Public\WinRAR.exe
                                                          1⤵
                                                          • Executes dropped EXE
                                                          • Suspicious use of AdjustPrivilegeToken
                                                          PID:5688
                                                        • C:\Users\Public\WinRAR.exe
                                                          C:\Users\Public\WinRAR.exe
                                                          1⤵
                                                          • Executes dropped EXE
                                                          • Suspicious use of AdjustPrivilegeToken
                                                          PID:1704
                                                        • C:\Users\Public\WinRAR.exe
                                                          C:\Users\Public\WinRAR.exe
                                                          1⤵
                                                          • Executes dropped EXE
                                                          • Suspicious use of AdjustPrivilegeToken
                                                          PID:2472
                                                        • C:\Users\Admin\Downloads\XWorm_V5.3\XWorm_V5.3\XWorm V5.3.exe
                                                          "C:\Users\Admin\Downloads\XWorm_V5.3\XWorm_V5.3\XWorm V5.3.exe"
                                                          1⤵
                                                          • Drops file in Windows directory
                                                          • Suspicious use of SetWindowsHookEx
                                                          PID:1280
                                                          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                            "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGQAdQB5ACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHUAYgByACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGcAdABjACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGQAZgBsACMAPgA="
                                                            2⤵
                                                            • Suspicious use of AdjustPrivilegeToken
                                                            PID:5388
                                                          • C:\Windows\Progman.exe
                                                            "C:\Windows\Progman.exe"
                                                            2⤵
                                                            • Executes dropped EXE
                                                            PID:2304
                                                          • C:\Users\Admin\Downloads\XWorm_V5.3\XWorm_V5.3\XWorm.exe
                                                            "C:\Users\Admin\Downloads\XWorm_V5.3\XWorm_V5.3\XWorm.exe"
                                                            2⤵
                                                            • Executes dropped EXE
                                                            • Suspicious use of NtSetInformationThreadHideFromDebugger
                                                            • Enumerates system info in registry
                                                            • Modifies Internet Explorer settings
                                                            • Modifies registry class
                                                            • Suspicious behavior: GetForegroundWindowSpam
                                                            • Suspicious use of FindShellTrayWindow
                                                            • Suspicious use of SendNotifyMessage
                                                            • Suspicious use of SetWindowsHookEx
                                                            PID:444
                                                            • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\vbc.exe
                                                              "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\kkjqoena\kkjqoena.cmdline"
                                                              3⤵
                                                              • Suspicious use of SetWindowsHookEx
                                                              PID:4776
                                                              • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
                                                                C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESD71.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc381C51ECC54B42DAA0C641C297BFFDB.TMP"
                                                                4⤵
                                                                  PID:2696
                                                          • C:\Windows\system32\wbem\WmiApSrv.exe
                                                            C:\Windows\system32\wbem\WmiApSrv.exe
                                                            1⤵
                                                              PID:4032
                                                            • C:\Users\Public\WinRAR.exe
                                                              C:\Users\Public\WinRAR.exe
                                                              1⤵
                                                              • Executes dropped EXE
                                                              • Suspicious use of AdjustPrivilegeToken
                                                              PID:3896
                                                            • C:\Users\Public\WinRAR.exe
                                                              C:\Users\Public\WinRAR.exe
                                                              1⤵
                                                              • Executes dropped EXE
                                                              • Suspicious use of AdjustPrivilegeToken
                                                              PID:4656
                                                            • C:\Users\Public\WinRAR.exe
                                                              C:\Users\Public\WinRAR.exe
                                                              1⤵
                                                              • Executes dropped EXE
                                                              • Suspicious use of AdjustPrivilegeToken
                                                              PID:1820
                                                            • C:\Users\Public\WinRAR.exe
                                                              C:\Users\Public\WinRAR.exe
                                                              1⤵
                                                              • Executes dropped EXE
                                                              • Suspicious use of AdjustPrivilegeToken
                                                              PID:800
                                                            • C:\Windows\SysWOW64\WerFault.exe
                                                              C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 2312 -ip 2312
                                                              1⤵
                                                                PID:1464
                                                              • C:\Users\Admin\Downloads\Luxury Shield 7.1\Luxury Shield 7.1\Luxury Sheild v7.1.exe
                                                                "C:\Users\Admin\Downloads\Luxury Shield 7.1\Luxury Shield 7.1\Luxury Sheild v7.1.exe"
                                                                1⤵
                                                                  PID:2944
                                                                  • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Luxury Shield 7.1.exe'
                                                                    2⤵
                                                                    • Command and Scripting Interpreter: PowerShell
                                                                    • Suspicious use of AdjustPrivilegeToken
                                                                    PID:1804
                                                                  • C:\Users\Admin\AppData\Local\Temp\Luxury Shield 7.1.exe
                                                                    "C:\Users\Admin\AppData\Local\Temp\Luxury Shield 7.1.exe"
                                                                    2⤵
                                                                    • Checks computer location settings
                                                                    • Executes dropped EXE
                                                                    • Loads dropped DLL
                                                                    • Suspicious use of NtSetInformationThreadHideFromDebugger
                                                                    • System Location Discovery: System Language Discovery
                                                                    • Modifies registry class
                                                                    • Suspicious behavior: GetForegroundWindowSpam
                                                                    • Suspicious use of AdjustPrivilegeToken
                                                                    • Suspicious use of SetWindowsHookEx
                                                                    PID:4536
                                                                    • C:\Users\Admin\Downloads\Luxury Shield 7.1\Luxury Shield 7.1\ILMerge.exe
                                                                      "C:\Users\Admin\Downloads\Luxury Shield 7.1\Luxury Shield 7.1\ILMerge.exe"
                                                                      3⤵
                                                                        PID:5912
                                                                      • C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
                                                                        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\zld2ybby\zld2ybby.cmdline"
                                                                        3⤵
                                                                        • System Location Discovery: System Language Discovery
                                                                        PID:5572
                                                                        • C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
                                                                          C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES9071.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC3DB3029D260A4DEEAF138254C3A6C9CB.TMP"
                                                                          4⤵
                                                                          • System Location Discovery: System Language Discovery
                                                                          PID:3124
                                                                      • C:\Windows\SysWOW64\cmd.exe
                                                                        "cmd.exe" /c ILMerge /target:winexe /out:C:\Users\Admin\AppData\Local\Temp\WaJWL.exe C:\Users\Admin\AppData\Local\Temp\cDJNB C:\yWorks.dll /targetplatform:v4,C:\Windows\Microsoft.NET\Framework\v4.0.30319
                                                                        3⤵
                                                                        • System Location Discovery: System Language Discovery
                                                                        PID:4916
                                                                        • C:\Users\Admin\Downloads\Luxury Shield 7.1\Luxury Shield 7.1\ILMerge.exe
                                                                          ILMerge /target:winexe /out:C:\Users\Admin\AppData\Local\Temp\WaJWL.exe C:\Users\Admin\AppData\Local\Temp\cDJNB C:\yWorks.dll /targetplatform:v4,C:\Windows\Microsoft.NET\Framework\v4.0.30319
                                                                          4⤵
                                                                            PID:2184
                                                                        • C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
                                                                          "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\ng5ahxen\ng5ahxen.cmdline"
                                                                          3⤵
                                                                          • System Location Discovery: System Language Discovery
                                                                          PID:3752
                                                                          • C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
                                                                            C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESEBFB.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC3E4AC9F2F2C41CD939B208A8BEA7966.TMP"
                                                                            4⤵
                                                                            • System Location Discovery: System Language Discovery
                                                                            PID:5332
                                                                        • C:\Windows\SysWOW64\cmd.exe
                                                                          "cmd.exe" /c ILMerge /target:winexe /out:C:\Users\Admin\AppData\Local\Temp\WaJWL.exe C:\Users\Admin\AppData\Local\Temp\cDJNB C:\yWorks.dll /targetplatform:v4,C:\Windows\Microsoft.NET\Framework\v4.0.30319
                                                                          3⤵
                                                                          • System Location Discovery: System Language Discovery
                                                                          PID:4080
                                                                          • C:\Users\Admin\Downloads\Luxury Shield 7.1\Luxury Shield 7.1\ILMerge.exe
                                                                            ILMerge /target:winexe /out:C:\Users\Admin\AppData\Local\Temp\WaJWL.exe C:\Users\Admin\AppData\Local\Temp\cDJNB C:\yWorks.dll /targetplatform:v4,C:\Windows\Microsoft.NET\Framework\v4.0.30319
                                                                            4⤵
                                                                              PID:4392
                                                                          • C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
                                                                            "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\0prb1rln\0prb1rln.cmdline"
                                                                            3⤵
                                                                            • System Location Discovery: System Language Discovery
                                                                            PID:4504
                                                                            • C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
                                                                              C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESE0B.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC6CC61FE7FEC240FB9074F2B886A2F9F1.TMP"
                                                                              4⤵
                                                                              • System Location Discovery: System Language Discovery
                                                                              PID:4976
                                                                          • C:\Windows\SysWOW64\cmd.exe
                                                                            "cmd.exe" /c ILMerge /target:winexe /out:C:\Users\Admin\AppData\Local\Temp\WaJWL.exe C:\Users\Admin\AppData\Local\Temp\cDJNB C:\yWorks.dll /targetplatform:v4,C:\Windows\Microsoft.NET\Framework\v4.0.30319
                                                                            3⤵
                                                                            • System Location Discovery: System Language Discovery
                                                                            PID:3940
                                                                            • C:\Users\Admin\Downloads\Luxury Shield 7.1\Luxury Shield 7.1\ILMerge.exe
                                                                              ILMerge /target:winexe /out:C:\Users\Admin\AppData\Local\Temp\WaJWL.exe C:\Users\Admin\AppData\Local\Temp\cDJNB C:\yWorks.dll /targetplatform:v4,C:\Windows\Microsoft.NET\Framework\v4.0.30319
                                                                              4⤵
                                                                                PID:2084
                                                                          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                            "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\WinRAR.exe'
                                                                            2⤵
                                                                            • Command and Scripting Interpreter: PowerShell
                                                                            • Suspicious use of AdjustPrivilegeToken
                                                                            PID:68
                                                                          • C:\Users\Admin\AppData\Local\Temp\WinRAR.exe
                                                                            "C:\Users\Admin\AppData\Local\Temp\WinRAR.exe"
                                                                            2⤵
                                                                            • Executes dropped EXE
                                                                            • Suspicious use of AdjustPrivilegeToken
                                                                            PID:5272
                                                                        • C:\Users\Admin\Downloads\Luxury Shield 7.1\Luxury Shield 7.1\Luxury Sheild v7.1.exe
                                                                          "C:\Users\Admin\Downloads\Luxury Shield 7.1\Luxury Shield 7.1\Luxury Sheild v7.1.exe"
                                                                          1⤵
                                                                            PID:2612
                                                                            • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                              "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Luxury Shield 7.1.exe'
                                                                              2⤵
                                                                              • Command and Scripting Interpreter: PowerShell
                                                                              • Suspicious use of AdjustPrivilegeToken
                                                                              PID:2376
                                                                            • C:\Users\Admin\AppData\Local\Temp\Luxury Shield 7.1.exe
                                                                              "C:\Users\Admin\AppData\Local\Temp\Luxury Shield 7.1.exe"
                                                                              2⤵
                                                                              • Executes dropped EXE
                                                                              • System Location Discovery: System Language Discovery
                                                                              • Suspicious use of SetWindowsHookEx
                                                                              PID:5068
                                                                            • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                              "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\WinRAR.exe'
                                                                              2⤵
                                                                              • Command and Scripting Interpreter: PowerShell
                                                                              • Suspicious use of AdjustPrivilegeToken
                                                                              PID:5536
                                                                            • C:\Users\Admin\AppData\Local\Temp\WinRAR.exe
                                                                              "C:\Users\Admin\AppData\Local\Temp\WinRAR.exe"
                                                                              2⤵
                                                                              • Executes dropped EXE
                                                                              • Suspicious use of AdjustPrivilegeToken
                                                                              PID:5032
                                                                          • C:\Users\Public\WinRAR.exe
                                                                            C:\Users\Public\WinRAR.exe
                                                                            1⤵
                                                                            • Executes dropped EXE
                                                                            • Suspicious use of AdjustPrivilegeToken
                                                                            PID:3468
                                                                          • C:\Users\Public\WinRAR.exe
                                                                            C:\Users\Public\WinRAR.exe
                                                                            1⤵
                                                                            • Executes dropped EXE
                                                                            • Suspicious use of AdjustPrivilegeToken
                                                                            PID:5856
                                                                          • C:\Windows\SysWOW64\DllHost.exe
                                                                            C:\Windows\SysWOW64\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}
                                                                            1⤵
                                                                            • System Location Discovery: System Language Discovery
                                                                            PID:4188
                                                                          • C:\Users\Public\WinRAR.exe
                                                                            C:\Users\Public\WinRAR.exe
                                                                            1⤵
                                                                            • Executes dropped EXE
                                                                            • Suspicious use of AdjustPrivilegeToken
                                                                            PID:3500
                                                                          • C:\Windows\SysWOW64\DllHost.exe
                                                                            C:\Windows\SysWOW64\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}
                                                                            1⤵
                                                                            • System Location Discovery: System Language Discovery
                                                                            PID:1532
                                                                          • C:\Users\Public\WinRAR.exe
                                                                            C:\Users\Public\WinRAR.exe
                                                                            1⤵
                                                                            • Executes dropped EXE
                                                                            • Suspicious use of AdjustPrivilegeToken
                                                                            PID:2332
                                                                          • C:\Users\Public\WinRAR.exe
                                                                            C:\Users\Public\WinRAR.exe
                                                                            1⤵
                                                                            • Executes dropped EXE
                                                                            • Suspicious use of AdjustPrivilegeToken
                                                                            PID:4856
                                                                          • C:\Users\Public\WinRAR.exe
                                                                            C:\Users\Public\WinRAR.exe
                                                                            1⤵
                                                                            • Executes dropped EXE
                                                                            • Suspicious use of AdjustPrivilegeToken
                                                                            PID:1920
                                                                          • C:\Users\Public\WinRAR.exe
                                                                            C:\Users\Public\WinRAR.exe
                                                                            1⤵
                                                                            • Executes dropped EXE
                                                                            • Suspicious use of AdjustPrivilegeToken
                                                                            PID:4740
                                                                          • C:\Users\Public\WinRAR.exe
                                                                            C:\Users\Public\WinRAR.exe
                                                                            1⤵
                                                                            • Executes dropped EXE
                                                                            • Suspicious use of AdjustPrivilegeToken
                                                                            PID:1792
                                                                          • C:\Users\Public\WinRAR.exe
                                                                            C:\Users\Public\WinRAR.exe
                                                                            1⤵
                                                                            • Executes dropped EXE
                                                                            • Suspicious use of AdjustPrivilegeToken
                                                                            PID:4648
                                                                          • C:\Users\Admin\Downloads\Luxury Shield 7.1\Luxury Shield 7.1\nexusv2.exe
                                                                            "C:\Users\Admin\Downloads\Luxury Shield 7.1\Luxury Shield 7.1\nexusv2.exe"
                                                                            1⤵
                                                                            • Executes dropped EXE
                                                                            • Suspicious use of SetThreadContext
                                                                            • System Location Discovery: System Language Discovery
                                                                            PID:3136
                                                                            • C:\Users\Admin\Downloads\Luxury Shield 7.1\Luxury Shield 7.1\nexusv2.exe
                                                                              "C:\Users\Admin\Downloads\Luxury Shield 7.1\Luxury Shield 7.1\nexusv2.exe"
                                                                              2⤵
                                                                              • Executes dropped EXE
                                                                              • System Location Discovery: System Language Discovery
                                                                              • Checks processor information in registry
                                                                              • Enumerates system info in registry
                                                                              • Suspicious use of AdjustPrivilegeToken
                                                                              PID:1448
                                                                          • C:\Users\Public\WinRAR.exe
                                                                            C:\Users\Public\WinRAR.exe
                                                                            1⤵
                                                                            • Executes dropped EXE
                                                                            • Suspicious use of AdjustPrivilegeToken
                                                                            PID:3396
                                                                          • C:\Users\Public\WinRAR.exe
                                                                            C:\Users\Public\WinRAR.exe
                                                                            1⤵
                                                                            • Executes dropped EXE
                                                                            • Suspicious use of AdjustPrivilegeToken
                                                                            PID:2324
                                                                          • C:\Users\Public\WinRAR.exe
                                                                            C:\Users\Public\WinRAR.exe
                                                                            1⤵
                                                                            • Executes dropped EXE
                                                                            • Suspicious use of AdjustPrivilegeToken
                                                                            PID:3204
                                                                          • C:\Users\Public\WinRAR.exe
                                                                            C:\Users\Public\WinRAR.exe
                                                                            1⤵
                                                                            • Executes dropped EXE
                                                                            • Suspicious use of AdjustPrivilegeToken
                                                                            PID:5132
                                                                          • C:\Users\Public\WinRAR.exe
                                                                            C:\Users\Public\WinRAR.exe
                                                                            1⤵
                                                                            • Executes dropped EXE
                                                                            • Suspicious use of AdjustPrivilegeToken
                                                                            PID:5908
                                                                          • C:\Users\Public\WinRAR.exe
                                                                            C:\Users\Public\WinRAR.exe
                                                                            1⤵
                                                                            • Executes dropped EXE
                                                                            • Suspicious use of AdjustPrivilegeToken
                                                                            PID:5572
                                                                          • C:\Users\Public\WinRAR.exe
                                                                            C:\Users\Public\WinRAR.exe
                                                                            1⤵
                                                                            • Executes dropped EXE
                                                                            • Suspicious use of AdjustPrivilegeToken
                                                                            PID:6040
                                                                          • C:\Users\Public\WinRAR.exe
                                                                            C:\Users\Public\WinRAR.exe
                                                                            1⤵
                                                                            • Executes dropped EXE
                                                                            • Suspicious use of AdjustPrivilegeToken
                                                                            PID:5572
                                                                          • C:\Users\Public\WinRAR.exe
                                                                            C:\Users\Public\WinRAR.exe
                                                                            1⤵
                                                                            • Executes dropped EXE
                                                                            • Suspicious use of AdjustPrivilegeToken
                                                                            PID:2656
                                                                          • C:\Users\Public\WinRAR.exe
                                                                            C:\Users\Public\WinRAR.exe
                                                                            1⤵
                                                                            • Executes dropped EXE
                                                                            • Suspicious use of AdjustPrivilegeToken
                                                                            PID:3468

                                                                          Network

                                                                          MITRE ATT&CK Enterprise v15

                                                                          Reconnaissance

                                                                          Resource Development

                                                                          Initial Access

                                                                          Execution

                                                                          Command and Scripting Interpreter

                                                                          1
                                                                          T1059

                                                                          PowerShell

                                                                          1
                                                                          T1059.001

                                                                          Scheduled Task/Job

                                                                          1
                                                                          T1053

                                                                          Scheduled Task

                                                                          1
                                                                          T1053.005

                                                                          Scripting

                                                                          1
                                                                          T1064

                                                                          Persistence

                                                                          Boot or Logon Autostart Execution

                                                                          1
                                                                          T1547

                                                                          Registry Run Keys / Startup Folder

                                                                          1
                                                                          T1547.001

                                                                          Scheduled Task/Job

                                                                          1
                                                                          T1053

                                                                          Scheduled Task

                                                                          1
                                                                          T1053.005

                                                                          Privilege Escalation

                                                                          Boot or Logon Autostart Execution

                                                                          1
                                                                          T1547

                                                                          Registry Run Keys / Startup Folder

                                                                          1
                                                                          T1547.001

                                                                          Scheduled Task/Job

                                                                          1
                                                                          T1053

                                                                          Scheduled Task

                                                                          1
                                                                          T1053.005

                                                                          Defense Evasion

                                                                          Modify Registry

                                                                          2
                                                                          T1112

                                                                          Obfuscated Files or Information

                                                                          1
                                                                          T1027

                                                                          Command Obfuscation

                                                                          1
                                                                          T1027.010

                                                                          Scripting

                                                                          1
                                                                          T1064

                                                                          Credential Access

                                                                          Discovery

                                                                          Browser Information Discovery

                                                                          1
                                                                          T1217

                                                                          Query Registry

                                                                          4
                                                                          T1012

                                                                          System Information Discovery

                                                                          4
                                                                          T1082

                                                                          System Location Discovery

                                                                          1
                                                                          T1614

                                                                          System Language Discovery

                                                                          1
                                                                          T1614.001

                                                                          Lateral Movement

                                                                          Collection

                                                                          Command and Control

                                                                          Exfiltration

                                                                          Impact

                                                                          Replay Monitor

                                                                          Loading Replay Monitor...

                                                                          Downloads

                                                                          • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\Luxury Sheild v7.1.exe.log
                                                                            Filesize

                                                                            654B

                                                                            MD5

                                                                            2ff39f6c7249774be85fd60a8f9a245e

                                                                            SHA1

                                                                            684ff36b31aedc1e587c8496c02722c6698c1c4e

                                                                            SHA256

                                                                            e1b91642d85d98124a6a31f710e137ab7fd90dec30e74a05ab7fcf3b7887dced

                                                                            SHA512

                                                                            1d7e8b92ef4afd463d62cfa7e8b9d1799db5bf2a263d3cd7840df2e0a1323d24eb595b5f8eb615c6cb15f9e3a7b4fc99f8dd6a3d34479222e966ec708998aed1

                                                                            Download Submit

                                                                          • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
                                                                            Filesize

                                                                            2KB

                                                                            MD5

                                                                            09c38bf09493920e93b25f37f1ae4efe

                                                                            SHA1

                                                                            42e5d800056f08481870c4ca2d0d48181ca8edc8

                                                                            SHA256

                                                                            37874b332a80efcccee52825b3d71d1faaae3820e09b47c3f161628bf35cc255

                                                                            SHA512

                                                                            91eacaafc2cd9f80338302d6b3cc3a1aa957752f63a449fb2c1ebcac2bcc59fd8624d4e042c488b5fbe73b881da86c9de819d500de8c7eb6bc0d3951a2bf9123

                                                                            Download Submit

                                                                          • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
                                                                            Filesize

                                                                            152B

                                                                            MD5

                                                                            111c361619c017b5d09a13a56938bd54

                                                                            SHA1

                                                                            e02b363a8ceb95751623f25025a9299a2c931e07

                                                                            SHA256

                                                                            d7be4042a1e3511b0dbf0ab5c493245e4ac314440a4ae0732813db01a21ef8bc

                                                                            SHA512

                                                                            fc16a4ad0b56899b82d05114d7b0ca8ee610cdba6ff0b6a67dea44faf17b3105109335359b78c0a59c9011a13152744a7f5d4f6a5b66ea519df750ef03f622b2

                                                                            Download Submit

                                                                          • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
                                                                            Filesize

                                                                            152B

                                                                            MD5

                                                                            983cbc1f706a155d63496ebc4d66515e

                                                                            SHA1

                                                                            223d0071718b80cad9239e58c5e8e64df6e2a2fe

                                                                            SHA256

                                                                            cc34b8f8e3f4bfe4c9a227d88f56ea2dd276ca3ac81df622ff5e9a8ec46b951c

                                                                            SHA512

                                                                            d9cf2ca46d9379902730c81e615a3eb694873ffd535c6bb3ded2dc97cdbbfb71051ab11a07754ed6f610f04285605b702b5a48a6cfda3ee3287230c41c9c45cd

                                                                            Download Submit

                                                                          • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000021
                                                                            Filesize

                                                                            21KB

                                                                            MD5

                                                                            b1dfa46eee24480e9211c9ef246bbb93

                                                                            SHA1

                                                                            80437c519fac962873a5768f958c1c350766da15

                                                                            SHA256

                                                                            fc79a40b2172a04a5c2fe0d5111ebeb401b9a84ce80c6e9e5b96c9c73c9b0398

                                                                            SHA512

                                                                            44aefedf8a4c0c8cbc43c1260dc2bbc4605f83a189b6ef50e99058f54a58b61eb88af3f08164671bad4bd9c5e3b97b755f2fa433490bef56aa15cdf37fb412b6

                                                                            Download Submit

                                                                          • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000023
                                                                            Filesize

                                                                            36KB

                                                                            MD5

                                                                            f90ac636cd679507433ab8e543c25de5

                                                                            SHA1

                                                                            3a8fe361c68f13c01b09453b8b359722df659b84

                                                                            SHA256

                                                                            5b4c63b2790a8f63c12368f11215a4ffec30c142371a819a81180a32baeb2bce

                                                                            SHA512

                                                                            7641a3610ad6516c9ecd0d5f4e5fa1893c7c60ca3ba8ae2e1b3b0cc3a72f7f9bef4c776a1f2fc52f366bd28a419ae3594a6576e886e79a20ebd98b55b2acc967

                                                                            Download Submit

                                                                          • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000024
                                                                            Filesize

                                                                            17KB

                                                                            MD5

                                                                            950eca48e414acbe2c3b5d046dcb8521

                                                                            SHA1

                                                                            1731f264e979f18cdf08c405c7b7d32789a6fb59

                                                                            SHA256

                                                                            c0bbe530abfce19e06697bc4358eb426e076ccdb9113e22df4a6f32085da67a2

                                                                            SHA512

                                                                            27e55525ade4d099a6881011f6e2e0d5d3a9ca7181f4f014dc231d40b3b1907d0d437b0c44d336c25dd7b73209cd773b8563675ac260c43c7752e2d2d694d4d9

                                                                            Download Submit

                                                                          • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index
                                                                            Filesize

                                                                            72B

                                                                            MD5

                                                                            c7571ae7bc190d17efdb25a2062fcdb4

                                                                            SHA1

                                                                            f3b0d42f1b04a466cafb20e2f35dd92f4c052499

                                                                            SHA256

                                                                            1b2b170f1885771b2fa3120aacdf9f8b859010d408457a8c972ad72d9b3f8bc3

                                                                            SHA512

                                                                            40e2cd7d5bdb3790a73117225742f8b0f8f95ec81d410a9aee2d215c705be522690cd87d7edafb3736e7e92a9a5f6e28a379321b9f6791979f74252565a3bac2

                                                                            Download Submit

                                                                          • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index
                                                                            Filesize

                                                                            96B

                                                                            MD5

                                                                            232c5ca1f12eadd6509c48d8c3842178

                                                                            SHA1

                                                                            8010ec5d1a5cd5337b175955df5cd058cef25890

                                                                            SHA256

                                                                            e80478842cbbf87966ffc3def2a0188e835086197396182e5d3e924369011f8b

                                                                            SHA512

                                                                            4b3175afb6994a45ff7731964ee89745abaa01d21e53ea5edd42eb4d25335cbb9be8b28637c6167d396386c1dfacea40a3da2f9cb6c8046972264de204b16157

                                                                            Download Submit

                                                                          • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\File System\Origins\CURRENT
                                                                            Filesize

                                                                            16B

                                                                            MD5

                                                                            46295cac801e5d4857d09837238a6394

                                                                            SHA1

                                                                            44e0fa1b517dbf802b18faf0785eeea6ac51594b

                                                                            SHA256

                                                                            0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

                                                                            SHA512

                                                                            8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

                                                                            Download Submit

                                                                          • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State
                                                                            Filesize

                                                                            188B

                                                                            MD5

                                                                            008114e1a1a614b35e8a7515da0f3783

                                                                            SHA1

                                                                            3c390d38126c7328a8d7e4a72d5848ac9f96549b

                                                                            SHA256

                                                                            7301b76033c2970e61bab5eaddaff5aa652c39db5c0ea5632814f989716a1d18

                                                                            SHA512

                                                                            a202fc891eace003c346bad7e5d2c73dadf9591d5ce950395ff4b63cc2866b17e02bd3f0ad92749df033a936685851455bcdbfad30f26e765c3c89d3309cb82b

                                                                            Download Submit

                                                                          • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State
                                                                            Filesize

                                                                            253B

                                                                            MD5

                                                                            127b3c46e3890840df822dc3b26100bb

                                                                            SHA1

                                                                            e464ff6058a76e026ff2de7479696577ca75f77b

                                                                            SHA256

                                                                            5f1d290bd383b9c79340119ae62ad69073b2f609b86322bf632c69ada9fbaede

                                                                            SHA512

                                                                            4dc15b915538bda317d9a6751945a1ad6b2ef390d65f93b3e07a51b776dfe0cb18abaedfdbc838f10fab4741a4730abbd97cb8d43e3206be164fee5f6e17ec78

                                                                            Download Submit

                                                                          • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
                                                                            Filesize

                                                                            6KB

                                                                            MD5

                                                                            7b0833aa6908a8b4431aa66c8352f970

                                                                            SHA1

                                                                            c6a0e0e8dfebafc76b282c9020716922875f249e

                                                                            SHA256

                                                                            5d47c6189d875b7ae17839a77467fed2ad0a8e409bcbbcf2c675000d154c3441

                                                                            SHA512

                                                                            c8415ac469f7cd331b12827ab16a59d100e13da466528358bd33a565b1d42934fece76ccd0f993d01befd2b8c6b24930210f00734b028fd0251389b5bf23947e

                                                                            Download Submit

                                                                          • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
                                                                            Filesize

                                                                            6KB

                                                                            MD5

                                                                            9cd96e46679db75da26bb8ecbdd4516d

                                                                            SHA1

                                                                            cbd5ca83c57719347a55a6ea2fa7d2431352579b

                                                                            SHA256

                                                                            fd8bf9565e83ca953390e8c9a2d33c7c84605bd5a81938db681ca31d7402cc40

                                                                            SHA512

                                                                            de52c423ddf4bab79f3adaf86c63f205c45d35b67b9bacc250decf4af11368c39dc2f57478b9fc295e294d7e911aecedefc381a68b8594443e91c461aa82c771

                                                                            Download Submit

                                                                          • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
                                                                            Filesize

                                                                            6KB

                                                                            MD5

                                                                            0e4e15c3046bb14aa60b991e44c26a16

                                                                            SHA1

                                                                            e931d259b23ebdfe5434ff82fe8fe3efa82f1705

                                                                            SHA256

                                                                            6b71998a3ea77ded067ae90be05de0764b74e2e410e62e1b380fa6a9e58d1eba

                                                                            SHA512

                                                                            a81e5e02940eda2b9253a5a2457db7ef3e9e0f33ee69788f27c282099f9e3fdb2015f8ebb807f93bd51fa3604fb31aaf09f412a86a278dbb3f2107df109a2080

                                                                            Download Submit

                                                                          • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\Database\MANIFEST-000001
                                                                            Filesize

                                                                            41B

                                                                            MD5

                                                                            5af87dfd673ba2115e2fcf5cfdb727ab

                                                                            SHA1

                                                                            d5b5bbf396dc291274584ef71f444f420b6056f1

                                                                            SHA256

                                                                            f9d31b278e215eb0d0e9cd709edfa037e828f36214ab7906f612160fead4b2b4

                                                                            SHA512

                                                                            de34583a7dbafe4dd0dc0601e8f6906b9bc6a00c56c9323561204f77abbc0dc9007c480ffe4092ff2f194d54616caf50aecbd4a1e9583cae0c76ad6dd7c2375b

                                                                            Download Submit

                                                                          • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index
                                                                            Filesize

                                                                            72B

                                                                            MD5

                                                                            e20b6a37b42853c1674372fda378bdb5

                                                                            SHA1

                                                                            5a36d574abca829715a57286c9c5732f1920cd5c

                                                                            SHA256

                                                                            684023debc3bc3092489543c4520a8a6998106c9bfe618d423bcc01ae0677220

                                                                            SHA512

                                                                            b2a40a1d0389c4a7cb3e4888676685ac5b05fd6b58d7130b7ea292b933d89100b67c97d053c06a1b2d7cafbecb8490d9f24f7d043db3f31c764aa9601c5cb17a

                                                                            Download Submit

                                                                          • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index~RFe5820c2.TMP
                                                                            Filesize

                                                                            48B

                                                                            MD5

                                                                            0ab06e8bb15a4075184d644438c02bf1

                                                                            SHA1

                                                                            4d91b93099b16496c4a1570984f77423e40dac75

                                                                            SHA256

                                                                            e2e77bac22988950967f86e388340d5d61bda3624eb5d2d5acf96896ade682df

                                                                            SHA512

                                                                            71cb0b029780cbad589bd97ce573f313bced5236273674b22b237f966f0d4977fc63ddb142da0d174ab19e272257f5da18f4d7dbfb47214845f51d4e96e30f95

                                                                            Download Submit

                                                                          • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT
                                                                            Filesize

                                                                            16B

                                                                            MD5

                                                                            6752a1d65b201c13b62ea44016eb221f

                                                                            SHA1

                                                                            58ecf154d01a62233ed7fb494ace3c3d4ffce08b

                                                                            SHA256

                                                                            0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

                                                                            SHA512

                                                                            9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

                                                                            Download Submit

                                                                          • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
                                                                            Filesize

                                                                            11KB

                                                                            MD5

                                                                            781d4f5c0525dd08e6b08c1622fc4b72

                                                                            SHA1

                                                                            57fa6f9bb39bead1c01e90f7ead8a48a2779399b

                                                                            SHA256

                                                                            c45af565b59af0311218596263e2533859c0383e1f9685dd46e00e0e0b449545

                                                                            SHA512

                                                                            194754a5a0abd198187328aea31811d9c34f3045a99766ebc7cd728faaad45b9137fe169a4f9170647a323596ed64f39be8731c902b5cfa0fae261af6b6ffa99

                                                                            Download Submit

                                                                          • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
                                                                            Filesize

                                                                            11KB

                                                                            MD5

                                                                            97a7200ea9a2d3bcb5ccdc2cd3601f79

                                                                            SHA1

                                                                            d5fef2073c52fad50e0f08a210b330218c8a1e5d

                                                                            SHA256

                                                                            5222c7eccc5a520ddefebef521667fad2c986d8a0729c7eae8b13e03910a79cb

                                                                            SHA512

                                                                            f777101c5a7444c4626e71f34a14cffe580fffedec917dedcd6274498d52475475b6fbeea614227cac56488e8091e851630d930581a590482fa80a0533ac2717

                                                                            Download Submit

                                                                          • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
                                                                            Filesize

                                                                            11KB

                                                                            MD5

                                                                            7a13826ff34c16e460eca31d9561b394

                                                                            SHA1

                                                                            2130576ab9d96e47e7567b97e246de24bacf71dc

                                                                            SHA256

                                                                            5f6d79f1edcafe43a9821f885f951453a4af26fda101588f388ddbd2558363c2

                                                                            SHA512

                                                                            3191105a254b31135d7922aea2a9bfd1d9a5823eb2a15c0aec6d938f0e2462610ccda363f6c1768045a41845f633558942e449e1b6ea3e99f0dcf2ba3806605b

                                                                            Download Submit

                                                                          • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
                                                                            Filesize

                                                                            11KB

                                                                            MD5

                                                                            b87f8c59a7581e104bb32d2e766c70e6

                                                                            SHA1

                                                                            6eb168a3863daf4adf71f372615d8b8bb0ebbb5b

                                                                            SHA256

                                                                            6242d6d53c6a0c1a25369efaca92785a2d8f88933899a906ca157975c0226c5c

                                                                            SHA512

                                                                            4b65f5059beaac758d17a9ade3cbde4ffff09bb78f622e2c2ede31ac6be09b2c06e4a712e85dd540053171a29249bc2d6d5a5d2f3a2e7a2b63569f7b28bc1cd9

                                                                            Download Submit

                                                                          • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
                                                                            Filesize

                                                                            11KB

                                                                            MD5

                                                                            241964a517ec17daba4c2659ebf5e414

                                                                            SHA1

                                                                            c33af186f946e290d7ecb245862aa620e73843dd

                                                                            SHA256

                                                                            5c20a719d3098b37fdd3bc2ae586e1fbb543682150d047902101c16109004e2e

                                                                            SHA512

                                                                            f12ca74f04c4417c100294f578a04851ca2722ead72b7b921468849dc72c0b0f8cb1f5eda0731d63a7ea89575d48469b12b119a8d63483d3b67f690db377d6de

                                                                            Download Submit

                                                                          • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
                                                                            Filesize

                                                                            11KB

                                                                            MD5

                                                                            9432163aebe2ccf458e0a476eea8aee9

                                                                            SHA1

                                                                            68c2980616ba97aa09601f10297e303bb7a75dbd

                                                                            SHA256

                                                                            f853a4cb3c925059d8c9275bad2eaa56468abc7220d9bda09786620c8c884f81

                                                                            SHA512

                                                                            2051b9659de8296ecdf9f1c179dca2b49cca25bbe4a6af756e785ed4d92196e258850172bb98e181820dad412dc823545abc2e2074d3a30107ff99b910c535a5

                                                                            Download Submit

                                                                          • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
                                                                            Filesize

                                                                            11KB

                                                                            MD5

                                                                            1114320b85ed90ee720f29e7ae7de2c5

                                                                            SHA1

                                                                            5cb5ddda6ce9659550f1969c0cd972c2deae4397

                                                                            SHA256

                                                                            137bbc499ddda336586b1ddc79496fd7e8efcd1d5f6aed457141f81d2111f525

                                                                            SHA512

                                                                            ff8b5cab02537ee7354088ad96c9515efbd7bec3e2b50cfb62e1699d67e8e190b4cc41652f05298a54d7010f43d25bd79cbb2f867170f4e3930c94fad981d7e4

                                                                            Download Submit

                                                                          • C:\Users\Admin\AppData\Local\Microsoft\Windows\Explorer\iconcache_idx.db
                                                                            Filesize

                                                                            56KB

                                                                            MD5

                                                                            c90d4b46d49e8a0fb932ae975f91ed8d

                                                                            SHA1

                                                                            4e2699690d5089cd54292b5d43127756e8d12044

                                                                            SHA256

                                                                            ba5397b45627bac740965b5e817372f9dbf9a125075e78f392c91fd3c9605bc9

                                                                            SHA512

                                                                            ec797541191faa5892f2d491b121190f4e9208db4ab8ab3f8b7ec282944dc969995552cdbc7cb39256f9cfddd9a07bc6502aa781d1dc8d633cd68ad360b881b2

                                                                            Download Submit

                                                                          • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
                                                                            Filesize

                                                                            944B

                                                                            MD5

                                                                            56f370e9a7e751763f5e2171eb33e023

                                                                            SHA1

                                                                            0bef8043da317e07f5649a8afb5f58965f18c7d8

                                                                            SHA256

                                                                            70a498503d663007d0380f7872980f2b03398c6ebcbc99c9500373261cf6a9f2

                                                                            SHA512

                                                                            dc053850571b3bfcfac7d79c4d5109732fb538e4063066b32a75c85b5cd97c23db7f5c9d3fd5e5c6fade1a72d038129ced089c3080d82465095dd35be01509a0

                                                                            Download Submit

                                                                          • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
                                                                            Filesize

                                                                            944B

                                                                            MD5

                                                                            22310ad6749d8cc38284aa616efcd100

                                                                            SHA1

                                                                            440ef4a0a53bfa7c83fe84326a1dff4326dcb515

                                                                            SHA256

                                                                            55b1d8021c4eb4c3c0d75e3ed7a4eb30cd0123e3d69f32eeb596fe4ffec05abf

                                                                            SHA512

                                                                            2ef08e2ee15bb86695fe0c10533014ffed76ececc6e579d299d3365fafb7627f53e32e600bb6d872b9f58aca94f8cb7e1e94cdfd14777527f7f0aa019d9c6def

                                                                            Download Submit

                                                                          • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
                                                                            Filesize

                                                                            944B

                                                                            MD5

                                                                            34f595487e6bfd1d11c7de88ee50356a

                                                                            SHA1

                                                                            4caad088c15766cc0fa1f42009260e9a02f953bb

                                                                            SHA256

                                                                            0f9a4b52e01cb051052228a55d0515911b7ef5a8db3cf925528c746df511424d

                                                                            SHA512

                                                                            10976c5deaf9fac449e703e852c3b08d099f430de2d7c7b8e2525c35d63e28b890e5aab63feff9b20bca0aaf9f35a3ba411aee3fbeee9ea59f90ed25bd617a0b

                                                                            Download Submit

                                                                          • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
                                                                            Filesize

                                                                            944B

                                                                            MD5

                                                                            6061d687ccb00e1adcfcb33f453127fc

                                                                            SHA1

                                                                            94ecb9312ecda6dd1ec0c6636a423b71f853e306

                                                                            SHA256

                                                                            0a6a81e946d59a6c8303f983bdad90eced6e0037642b077917c287807b6ebabf

                                                                            SHA512

                                                                            cea12a826d81f46c3532e91a2a2b65d379014052a403af547700ceaf2ff625ed016a648d83dabe8d753b25dcc9371acfdd708fe268c6bd2c13ce260287e1235e

                                                                            Download Submit

                                                                          • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
                                                                            Filesize

                                                                            944B

                                                                            MD5

                                                                            9bc110200117a3752313ca2acaf8a9e1

                                                                            SHA1

                                                                            fda6b7da2e7b0175b391475ca78d1b4cf2147cd3

                                                                            SHA256

                                                                            c88e4bbb64f7fa31429ebe82c1cf07785c44486f37576f783a26ac856e02a4eb

                                                                            SHA512

                                                                            1f1af32aa18a8cbfcc65b0d4fb7e6ca2705f125eaa85789e981ee68b90c64522e954825abf460d4b4f97567715dfae8d9b0a25a4d54d10bc4c257c472f2e80fb

                                                                            Download Submit

                                                                          • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
                                                                            Filesize

                                                                            944B

                                                                            MD5

                                                                            b1a1d8b05525b7b0c5babfd80488c1f2

                                                                            SHA1

                                                                            c85bbd6b7d0143676916c20fd52720499c2bb5c6

                                                                            SHA256

                                                                            adad192fc86c2f939fd3f70cb9ad323139a4e100f7c90b4454e2c53bdbc9b705

                                                                            SHA512

                                                                            346c6513c1373bab58439e37d3f75de1c5c587d7eb27076cf696e885a027b3b38d70b585839d1a2e7f2270cdcf0dac8c1fdff799f3b1158242ae9e3364c2a06e

                                                                            Download Submit

                                                                          • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
                                                                            Filesize

                                                                            944B

                                                                            MD5

                                                                            d8cb3e9459807e35f02130fad3f9860d

                                                                            SHA1

                                                                            5af7f32cb8a30e850892b15e9164030a041f4bd6

                                                                            SHA256

                                                                            2b139c74072ccbdaa17b950f32a6dbc934dfb7af9973d97c9b0d9c498012ba68

                                                                            SHA512

                                                                            045239ba31367fbdd59e883f74eafc05724e23bd6e8f0c1e7171ea2496a497eb9e0cfcb57285bb81c4d569daadba43d6ef64c626ca48f1e2a59e8d97f0cc9184

                                                                            Download Submit

                                                                          • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
                                                                            Filesize

                                                                            944B

                                                                            MD5

                                                                            b3c3db201c6e1fc54f0e17762fe03246

                                                                            SHA1

                                                                            249bfcef33cdd2d6c13a7cc7c9c1d73905fb51d6

                                                                            SHA256

                                                                            6771a83a83da5d6ce23e9cfa5567eb70084dffd51a7c07130ba3379cff78a59f

                                                                            SHA512

                                                                            2945c6f4e05b86e161b9753fca74cc9daf76e8ef535cdff0e9d83cca706eabd6e1ca3aba55005b2d16c2023f6604ee6886837336a63f421fa25f73120cfc00a1

                                                                            Download Submit

                                                                          • C:\Users\Admin\AppData\Local\Temp\53b4dde3-ceef-4149-b63d-4b67cc36c3e9\GunaDotNetRT.dll
                                                                            Filesize

                                                                            136KB

                                                                            MD5

                                                                            9af5eb006bb0bab7f226272d82c896c7

                                                                            SHA1

                                                                            c2a5bb42a5f08f4dc821be374b700652262308f0

                                                                            SHA256

                                                                            77dc05a6bda90757f66552ee3f469b09f1e00732b4edca0f542872fb591ed9db

                                                                            SHA512

                                                                            7badd41be4c1039302fda9bba19d374ec9446ce24b7db33b66bee4ef38180d1abcd666d2aea468e7e452aa1e1565eedfefed582bf1c2fe477a4171d99d48772a

                                                                            Download Submit

                                                                          • C:\Users\Admin\AppData\Local\Temp\CSC6CC61FE7FEC240FB9074F2B886A2F9F1.TMP
                                                                            Filesize

                                                                            1KB

                                                                            MD5

                                                                            c096e38d2363c17afb73c096489862a2

                                                                            SHA1

                                                                            cd59d10ce16af53bedda04bf1ac11b95f91d72c7

                                                                            SHA256

                                                                            e4d6ba4173ee7ba9e59a0d820e076ff8c754c70822ea7fe23dc2efe9a49d2750

                                                                            SHA512

                                                                            66766ce54267594fab74d105f44375b83961aac30cfa0d682f292d6c821f6099246aed31f6172f8ceb5fc6f91f928c1dc9d49bbc41f11493a23a93425791a0e9

                                                                            Download Submit

                                                                          • C:\Users\Admin\AppData\Local\Temp\Luxury Shield 7.1.exe
                                                                            Filesize

                                                                            7.5MB

                                                                            MD5

                                                                            9502776952e6900ae1f98934004b4293

                                                                            SHA1

                                                                            3905f80a539d37c648a5da1cc6dace16d3516c2c

                                                                            SHA256

                                                                            d8ca879cf734c21b84e3983a9245c4da2b38cfe23b1691e4ca265286c3782b1f

                                                                            SHA512

                                                                            cbef89e577c883283ce3e9bb48e2ba9eda010e40e6cb1a383d99e32b728a9553cdb83e0831c0bff961fd271cee4eab921f53c97d9412e87bec4d0498400b5fbb

                                                                            Download Submit

                                                                          • C:\Users\Admin\AppData\Local\Temp\RESD71.tmp
                                                                            Filesize

                                                                            1KB

                                                                            MD5

                                                                            6024e8f90e5bc894c380024d4f793317

                                                                            SHA1

                                                                            c5e805435449ab9a7913c9a40c2206fc11fc0e88

                                                                            SHA256

                                                                            ba801706ce0a5dfd3d884af9ae0b506401a3d4b5954d690ce25d3a94690d15b3

                                                                            SHA512

                                                                            478788ebe658665917a6e97a5a3de181c6ca4bc58a6f5de0fcd6c71c239966c426272914fd7dfba97362310447e53772e9852660b64e9f60cab38b0753f621c9

                                                                            Download Submit

                                                                          • C:\Users\Admin\AppData\Local\Temp\WinRAR.exe
                                                                            Filesize

                                                                            226KB

                                                                            MD5

                                                                            60219035e32ad00d4c691a1bdc6455fb

                                                                            SHA1

                                                                            5f3740fcf89a95437ce184cfe22f23ed8b5b9254

                                                                            SHA256

                                                                            e005f5c2e4fdd277ced1ae42272b864e47de334e0d2a1043f24c21253da18ae5

                                                                            SHA512

                                                                            b98eb125f7812ac5d2243bd0d6ee07e918af5d0a46d86a6b242a7d8f91dbaaa48fabb562c316abbbf93db0c5ffc3a16184233000b379bafcdb3104c470055fc7

                                                                            Download Submit

                                                                          • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_yspknjii.ci3.ps1
                                                                            Filesize

                                                                            60B

                                                                            MD5

                                                                            d17fe0a3f47be24a6453e9ef58c94641

                                                                            SHA1

                                                                            6ab83620379fc69f80c0242105ddffd7d98d5d9d

                                                                            SHA256

                                                                            96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

                                                                            SHA512

                                                                            5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

                                                                            Download Submit

                                                                          • C:\Users\Admin\AppData\Local\Temp\kkjqoena\kkjqoena.0.vb
                                                                            Filesize

                                                                            78KB

                                                                            MD5

                                                                            18d0f1e4364a74224a013cee1755a112

                                                                            SHA1

                                                                            c7d937ec810fd9be91367b39703409cad7e68b85

                                                                            SHA256

                                                                            2f3605df6f41b5565ffc235562a3f13db89ea7559bfe05f000cc42fea33201a9

                                                                            SHA512

                                                                            8f136da4bc60d2ff57ed19ce97f2ea17cdd3df8b571743bd2aeab00acd019b83318879ff1e6f8fdfe4a68340d14828859ec8f317484a1cf379f28a4e1472c2a9

                                                                            Download Submit

                                                                          • C:\Users\Admin\AppData\Local\Temp\kkjqoena\kkjqoena.cmdline
                                                                            Filesize

                                                                            326B

                                                                            MD5

                                                                            6055632f0913732ee22002556829deed

                                                                            SHA1

                                                                            9264cbf528a7ecc8d655ea7f64356861e2ba9653

                                                                            SHA256

                                                                            2fb324b2566ad169773735861d1937b5c5b4aeca9e5935cafded62c3b76901ce

                                                                            SHA512

                                                                            bf2cfd9be7446d8928a8759363a356069ab00b381871ab184a32a79782ba3b4735442fff649799d10cabfd479c6374d39c1a1cfa3a0776918537179b251659a4

                                                                            Download Submit

                                                                          • C:\Users\Admin\AppData\Local\Temp\vbc381C51ECC54B42DAA0C641C297BFFDB.TMP
                                                                            Filesize

                                                                            1KB

                                                                            MD5

                                                                            7b5d238e934b0b1670719c9da5a9e5e1

                                                                            SHA1

                                                                            d4ebde756618e44f9d3d5fbb57aeb7572e09d056

                                                                            SHA256

                                                                            60ab96bebbe71c28c6f9a58478da14413848e74d86d5760899e80d43b90b6a33

                                                                            SHA512

                                                                            b2f6558b6d5ef8c90f0f6e9a600734db10090fac2bc1ad180cac601a8f44c2003d4895baa26410867dae9f570f402f3cb1d0b1d9ef106961b66bd73004e234fc

                                                                            Download Submit

                                                                          • C:\Users\Admin\AppData\Roaming\Luxury_Shield\Luxury Shield\7.1.0.0\Luxury\Luxury.dll
                                                                            Filesize

                                                                            206KB

                                                                            MD5

                                                                            41cb800c41eeb49a041ebf71b61eedaf

                                                                            SHA1

                                                                            4516aeb397ed2f9e8d50329c03d783982c447f59

                                                                            SHA256

                                                                            a1cc33df5af690050e7e76ca40668f68ea0801df2569ac7404762f101a065bb6

                                                                            SHA512

                                                                            245da11fd53427f2d33e3f32b3f096f166314baf06ab8fda95bfb362756fd72df544e8b706d6b6c3eff4b4874b533e007f214aa53da2774b17b789913fc8b857

                                                                            Download Submit

                                                                          • C:\Users\Admin\AppData\Roaming\Microsoft\Spelling\en-US\default.dic
                                                                            Filesize

                                                                            2B

                                                                            MD5

                                                                            f3b25701fe362ec84616a93a45ce9998

                                                                            SHA1

                                                                            d62636d8caec13f04e28442a0a6fa1afeb024bbb

                                                                            SHA256

                                                                            b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209

                                                                            SHA512

                                                                            98c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84

                                                                            Download Submit

                                                                          • C:\Users\Admin\Downloads\Luxury Shield 7.1.zip
                                                                            Filesize

                                                                            16.4MB

                                                                            MD5

                                                                            3e035baa2cf4b3475c1d04b0e7557bf3

                                                                            SHA1

                                                                            2e1a3681a3cc9e8730d785d6b9cba12622de7e1d

                                                                            SHA256

                                                                            073114c139261a3e6ddfb3502c409d6772cb462e3a210092cf75b06bd79d5585

                                                                            SHA512

                                                                            bbb80645ab43c17b02c77264b09a0c431b1ffdd573f17a6157dbff5023e75022b03569c89d3f893fd315b4e5fc9a7320c975fc2e58e5563f410e7bc8f79b1a72

                                                                            Download Submit

                                                                          • C:\Users\Admin\Downloads\Luxury Shield 7.1\Luxury Shield 7.1\crack.exe
                                                                            Filesize

                                                                            9KB

                                                                            MD5

                                                                            34ef4aa10e7411cca216d92994bcce20

                                                                            SHA1

                                                                            13338054d516019e6100ecc76e7157f0ee5ed87d

                                                                            SHA256

                                                                            7ea2aab51d2e6abdaf6d182b0657a6503c1dee86fc42f40b4dd9895b31e4d8c0

                                                                            SHA512

                                                                            08c726b105bdd94c74b65ed8a1968f234bc4ffd4dca8b49c98f4da9a7ac0b0fb92c14476ae0ff323d3e6d7b7bdba6b8732459601f807037bf5757f5f4efb06f4

                                                                            Download Submit

                                                                          • C:\Users\Admin\Downloads\XWorm_V5.3\XWorm_V5.3\XWorm.exe
                                                                            Filesize

                                                                            25.0MB

                                                                            MD5

                                                                            c0b4c6349df031081dd6aee3f25a1c9b

                                                                            SHA1

                                                                            82f164fdff783d2a02ae6db9e6d71d4c40a8acf7

                                                                            SHA256

                                                                            f13c9eb085bec9239557753ab617404e60a035422194550fb56c2df96bf00670

                                                                            SHA512

                                                                            63a18a2d0d894946d32a97f2e2112509b0ad54b4d5e4c04123c1c278f35669a909588d0d3036a054d544eedc6aa3025b8edd1560950e45749ee9f2db2277f69b

                                                                            Download Submit

                                                                          • C:\Users\Admin\Downloads\XWorm_V5.3\XWorm_V5.3\xworm x luxury file.exe
                                                                            Filesize

                                                                            33KB

                                                                            MD5

                                                                            941f5d0b3a070a1b135a8e59d6a1fe2d

                                                                            SHA1

                                                                            4a878e3958a4b2a3c76d2a13d8df4655a01f26be

                                                                            SHA256

                                                                            008ce85f162493d27e42ab0e53540406483dd8b6496d57035974b19dcb8edc34

                                                                            SHA512

                                                                            7508b45baa71e675e8c4161ccb430099e49ddebddfb420f159a4bb6fe784438f81e32809ccdd6f8821788ff0e7c80bcbc54c5acbf3006df277e4a0dfcdcda691

                                                                            Download Submit

                                                                          • C:\Windows\Progman.exe
                                                                            Filesize

                                                                            6.3MB

                                                                            MD5

                                                                            8ec2fd013c3aceee5a693c588eb23aaf

                                                                            SHA1

                                                                            7a1694010b5663343b8688a2d2a875c515651b66

                                                                            SHA256

                                                                            0e09fbf7d729e95eeb76a8afccf4a7d7b92c68e8eed551b8f4f8edc39e7ba631

                                                                            SHA512

                                                                            820f1978c5f26276122c8f5063a9d5cd1ff8420ce3af85fbff22cdff5964fbb0a396cb6af2113f1bea0d82a758183252a1f3fdb0a5a9db15d1b2657138859dde

                                                                            Download Submit

                                                                          • memory/444-11408-0x000001F94D3F0000-0x000001F94D4A2000-memory.dmp

                                                                            Filesize

                                                                            712KB

                                                                            Download

                                                                          • memory/444-11410-0x000001F94E310000-0x000001F94EEFC000-memory.dmp

                                                                            Filesize

                                                                            11.9MB

                                                                            Download

                                                                          • memory/444-11402-0x000001F9345E0000-0x000001F93460C000-memory.dmp

                                                                            Filesize

                                                                            176KB

                                                                            Download

                                                                          • memory/444-11401-0x000001F94D1F0000-0x000001F94D3E4000-memory.dmp

                                                                            Filesize

                                                                            2.0MB

                                                                            Download

                                                                          • memory/444-11398-0x000001F92F7C0000-0x000001F932A38000-memory.dmp

                                                                            Filesize

                                                                            50.5MB

                                                                            Download

                                                                          • memory/444-11407-0x000001F94D560000-0x000001F94D6C8000-memory.dmp

                                                                            Filesize

                                                                            1.4MB

                                                                            Download

                                                                          • memory/444-11406-0x000001F9345C0000-0x000001F9345C8000-memory.dmp

                                                                            Filesize

                                                                            32KB

                                                                            Download

                                                                          • memory/444-11405-0x000001F94D080000-0x000001F94D0DA000-memory.dmp

                                                                            Filesize

                                                                            360KB

                                                                            Download

                                                                          • memory/444-11404-0x000001F94CFF0000-0x000001F94D072000-memory.dmp

                                                                            Filesize

                                                                            520KB

                                                                            Download

                                                                          • memory/444-11409-0x000001F94D9D0000-0x000001F94E306000-memory.dmp

                                                                            Filesize

                                                                            9.2MB

                                                                            Download

                                                                          • memory/444-11403-0x000001F94D6E0000-0x000001F94D9C2000-memory.dmp

                                                                            Filesize

                                                                            2.9MB

                                                                            Download

                                                                          • memory/1448-22236-0x0000000000400000-0x0000000000414000-memory.dmp

                                                                            Filesize

                                                                            80KB

                                                                            Download

                                                                          • memory/1448-22242-0x0000000005A70000-0x0000000005A7C000-memory.dmp

                                                                            Filesize

                                                                            48KB

                                                                            Download

                                                                          • memory/1448-22243-0x00000000076E0000-0x0000000007C0C000-memory.dmp

                                                                            Filesize

                                                                            5.2MB

                                                                            Download

                                                                          • memory/2304-11335-0x0000000140000000-0x00000001407A1000-memory.dmp

                                                                            Filesize

                                                                            7.6MB

                                                                            Download

                                                                          • memory/2312-453-0x000000000B780000-0x000000000B9C8000-memory.dmp

                                                                            Filesize

                                                                            2.3MB

                                                                            Download

                                                                          • memory/2312-475-0x000000000B780000-0x000000000B9C8000-memory.dmp

                                                                            Filesize

                                                                            2.3MB

                                                                            Download

                                                                          • memory/2312-445-0x000000000B780000-0x000000000B9C8000-memory.dmp

                                                                            Filesize

                                                                            2.3MB

                                                                            Download

                                                                          • memory/2312-441-0x000000000B780000-0x000000000B9C8000-memory.dmp

                                                                            Filesize

                                                                            2.3MB

                                                                            Download

                                                                          • memory/2312-439-0x000000000B780000-0x000000000B9C8000-memory.dmp

                                                                            Filesize

                                                                            2.3MB

                                                                            Download

                                                                          • memory/2312-433-0x000000000B780000-0x000000000B9C8000-memory.dmp

                                                                            Filesize

                                                                            2.3MB

                                                                            Download

                                                                          • memory/2312-430-0x000000000B780000-0x000000000B9C8000-memory.dmp

                                                                            Filesize

                                                                            2.3MB

                                                                            Download

                                                                          • memory/2312-481-0x000000000B780000-0x000000000B9C8000-memory.dmp

                                                                            Filesize

                                                                            2.3MB

                                                                            Download

                                                                          • memory/2312-449-0x000000000B780000-0x000000000B9C8000-memory.dmp

                                                                            Filesize

                                                                            2.3MB

                                                                            Download

                                                                          • memory/2312-443-0x000000000B780000-0x000000000B9C8000-memory.dmp

                                                                            Filesize

                                                                            2.3MB

                                                                            Download

                                                                          • memory/2312-437-0x000000000B780000-0x000000000B9C8000-memory.dmp

                                                                            Filesize

                                                                            2.3MB

                                                                            Download

                                                                          • memory/2312-435-0x000000000B780000-0x000000000B9C8000-memory.dmp

                                                                            Filesize

                                                                            2.3MB

                                                                            Download

                                                                          • memory/2312-431-0x000000000B780000-0x000000000B9C8000-memory.dmp

                                                                            Filesize

                                                                            2.3MB

                                                                            Download

                                                                          • memory/2312-429-0x0000000072220000-0x00000000722A9000-memory.dmp

                                                                            Filesize

                                                                            548KB

                                                                            Download

                                                                          • memory/2312-11043-0x000000000E560000-0x000000000E67A000-memory.dmp

                                                                            Filesize

                                                                            1.1MB

                                                                            Download

                                                                          • memory/2312-11044-0x000000000E680000-0x000000000E6E6000-memory.dmp

                                                                            Filesize

                                                                            408KB

                                                                            Download

                                                                          • memory/2312-11045-0x000000000EDB0000-0x000000000EE12000-memory.dmp

                                                                            Filesize

                                                                            392KB

                                                                            Download

                                                                          • memory/2312-11046-0x000000000EE10000-0x000000000EE1A000-memory.dmp

                                                                            Filesize

                                                                            40KB

                                                                            Download

                                                                          • memory/2312-11047-0x000000000F6C0000-0x000000000F6E6000-memory.dmp

                                                                            Filesize

                                                                            152KB

                                                                            Download

                                                                          • memory/2312-451-0x000000000B780000-0x000000000B9C8000-memory.dmp

                                                                            Filesize

                                                                            2.3MB

                                                                            Download

                                                                          • memory/2312-11065-0x0000000010340000-0x00000000104C6000-memory.dmp

                                                                            Filesize

                                                                            1.5MB

                                                                            Download

                                                                          • memory/2312-455-0x000000000B780000-0x000000000B9C8000-memory.dmp

                                                                            Filesize

                                                                            2.3MB

                                                                            Download

                                                                          • memory/2312-11081-0x000000000E6F0000-0x000000000E756000-memory.dmp

                                                                            Filesize

                                                                            408KB

                                                                            Download

                                                                          • memory/2312-11083-0x00000000001E0000-0x0000000001540000-memory.dmp

                                                                            Filesize

                                                                            19.4MB

                                                                            Download

                                                                          • memory/2312-11085-0x0000000070650000-0x0000000070687000-memory.dmp

                                                                            Filesize

                                                                            220KB

                                                                            Download

                                                                          • memory/2312-457-0x000000000B780000-0x000000000B9C8000-memory.dmp

                                                                            Filesize

                                                                            2.3MB

                                                                            Download

                                                                          • memory/2312-459-0x000000000B780000-0x000000000B9C8000-memory.dmp

                                                                            Filesize

                                                                            2.3MB

                                                                            Download

                                                                          • memory/2312-461-0x000000000B780000-0x000000000B9C8000-memory.dmp

                                                                            Filesize

                                                                            2.3MB

                                                                            Download

                                                                          • memory/2312-463-0x000000000B780000-0x000000000B9C8000-memory.dmp

                                                                            Filesize

                                                                            2.3MB

                                                                            Download

                                                                          • memory/2312-467-0x000000000B780000-0x000000000B9C8000-memory.dmp

                                                                            Filesize

                                                                            2.3MB

                                                                            Download

                                                                          • memory/2312-469-0x000000000B780000-0x000000000B9C8000-memory.dmp

                                                                            Filesize

                                                                            2.3MB

                                                                            Download

                                                                          • memory/2312-471-0x000000000B780000-0x000000000B9C8000-memory.dmp

                                                                            Filesize

                                                                            2.3MB

                                                                            Download

                                                                          • memory/2312-473-0x000000000B780000-0x000000000B9C8000-memory.dmp

                                                                            Filesize

                                                                            2.3MB

                                                                            Download

                                                                          • memory/2312-447-0x000000000B780000-0x000000000B9C8000-memory.dmp

                                                                            Filesize

                                                                            2.3MB

                                                                            Download

                                                                          • memory/2312-479-0x000000000B780000-0x000000000B9C8000-memory.dmp

                                                                            Filesize

                                                                            2.3MB

                                                                            Download

                                                                          • memory/2312-485-0x000000000B780000-0x000000000B9C8000-memory.dmp

                                                                            Filesize

                                                                            2.3MB

                                                                            Download

                                                                          • memory/2312-487-0x000000000B780000-0x000000000B9C8000-memory.dmp

                                                                            Filesize

                                                                            2.3MB

                                                                            Download

                                                                          • memory/2312-483-0x000000000B780000-0x000000000B9C8000-memory.dmp

                                                                            Filesize

                                                                            2.3MB

                                                                            Download

                                                                          • memory/2312-477-0x000000000B780000-0x000000000B9C8000-memory.dmp

                                                                            Filesize

                                                                            2.3MB

                                                                            Download

                                                                          • memory/2312-465-0x000000000B780000-0x000000000B9C8000-memory.dmp

                                                                            Filesize

                                                                            2.3MB

                                                                            Download

                                                                          • memory/2312-428-0x0000000070650000-0x0000000070687000-memory.dmp

                                                                            Filesize

                                                                            220KB

                                                                            Download

                                                                          • memory/2312-421-0x000000000B780000-0x000000000B9CC000-memory.dmp

                                                                            Filesize

                                                                            2.3MB

                                                                            Download

                                                                          • memory/2312-420-0x000000000C040000-0x000000000C926000-memory.dmp

                                                                            Filesize

                                                                            8.9MB

                                                                            Download

                                                                          • memory/2312-419-0x000000000B380000-0x000000000B3D6000-memory.dmp

                                                                            Filesize

                                                                            344KB

                                                                            Download

                                                                          • memory/2312-418-0x0000000008E10000-0x0000000008E1A000-memory.dmp

                                                                            Filesize

                                                                            40KB

                                                                            Download

                                                                          • memory/2312-417-0x000000000B4E0000-0x000000000B572000-memory.dmp

                                                                            Filesize

                                                                            584KB

                                                                            Download

                                                                          • memory/2312-416-0x000000000BA90000-0x000000000C034000-memory.dmp

                                                                            Filesize

                                                                            5.6MB

                                                                            Download

                                                                          • memory/2312-415-0x000000000B280000-0x000000000B31C000-memory.dmp

                                                                            Filesize

                                                                            624KB

                                                                            Download

                                                                          • memory/2312-412-0x00000000001E0000-0x0000000001540000-memory.dmp

                                                                            Filesize

                                                                            19.4MB

                                                                            Download

                                                                          • memory/2312-11457-0x00000000001E0000-0x0000000001540000-memory.dmp

                                                                            Filesize

                                                                            19.4MB

                                                                            Download

                                                                          • memory/2312-398-0x00000000001E0000-0x0000000001540000-memory.dmp

                                                                            Filesize

                                                                            19.4MB

                                                                            Download

                                                                          • memory/3136-22232-0x0000000000B50000-0x0000000000E0C000-memory.dmp

                                                                            Filesize

                                                                            2.7MB

                                                                            Download

                                                                          • memory/3136-22233-0x0000000005650000-0x000000000568A000-memory.dmp

                                                                            Filesize

                                                                            232KB

                                                                            Download

                                                                          • memory/4144-374-0x0000000000D90000-0x00000000020F0000-memory.dmp

                                                                            Filesize

                                                                            19.4MB

                                                                            Download

                                                                          • memory/4144-372-0x0000000000D90000-0x00000000020F0000-memory.dmp

                                                                            Filesize

                                                                            19.4MB

                                                                            Download

                                                                          • memory/4144-358-0x0000000000D90000-0x00000000020F0000-memory.dmp

                                                                            Filesize

                                                                            19.4MB

                                                                            Download

                                                                          • memory/4536-11487-0x00000000001E0000-0x0000000001540000-memory.dmp

                                                                            Filesize

                                                                            19.4MB

                                                                            Download

                                                                          • memory/4536-11488-0x00000000001E0000-0x0000000001540000-memory.dmp

                                                                            Filesize

                                                                            19.4MB

                                                                            Download

                                                                          • memory/4536-22122-0x000000000DAD0000-0x000000000DAE4000-memory.dmp

                                                                            Filesize

                                                                            80KB

                                                                            Download

                                                                          • memory/5316-243-0x0000000000FE0000-0x0000000001786000-memory.dmp

                                                                            Filesize

                                                                            7.6MB

                                                                            Download

                                                                          • memory/5428-253-0x000001D76DB20000-0x000001D76DB42000-memory.dmp

                                                                            Filesize

                                                                            136KB

                                                                            Download

                                                                          • memory/5608-11062-0x00000000001E0000-0x0000000001540000-memory.dmp

                                                                            Filesize

                                                                            19.4MB

                                                                            Download

                                                                          • memory/5608-11080-0x00000000001E0000-0x0000000001540000-memory.dmp

                                                                            Filesize

                                                                            19.4MB

                                                                            Download

                                                                          • memory/5628-309-0x0000000000AC0000-0x0000000001E20000-memory.dmp

                                                                            Filesize

                                                                            19.4MB

                                                                            Download

                                                                          • memory/5628-268-0x0000000000AC0000-0x0000000001E20000-memory.dmp

                                                                            Filesize

                                                                            19.4MB

                                                                            Download

                                                                          • memory/5628-311-0x0000000000AC0000-0x0000000001E20000-memory.dmp

                                                                            Filesize

                                                                            19.4MB

                                                                            Download

                                                                          • memory/5928-292-0x0000000000A70000-0x0000000000AAE000-memory.dmp

                                                                            Filesize

                                                                            248KB

                                                                            Download