xworm | hxxps://mega[.]nz/folder/o7onBAqb#lPnM6du1_ZsHQgf5SIaC4Q

Resubmissions

08/08/2024, 07:46

240808-jmc2davdnf 10

08/08/2024, 06:50

240808-hlwxes1bjl 10

Analysis

max time kernel
149s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
08/08/2024, 07:46

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://mega.nz/folder/o7onBAqb#lPnM6du1_ZsHQgf5SIaC4Q

Score

10^/10

xworm discovery execution persistence rat trojan

Malware Config

Extracted

Family

xworm

Version

3.1

society-painted.at.ply.gg:17251

Attributes

Install_directory
%Public%
install_file
USB.exe
telegram
https://api.telegram.org/bot5817418329:AAGYtFww9eAGl3ZTuqrCmSNxu_TJJiAWkzA/sendMessage?chat_id=1860651440

Signatures

Detect Xworm Payload 2 IoCs

resource	yara_rule
behavioral1/files/0x0009000000023527-256.dat	family_xworm
behavioral1/memory/4420-264-0x0000000000130000-0x000000000016E000-memory.dmp	family_xworm

Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm

Command and Scripting Interpreter: PowerShell 1 TTPs 6 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
4012	powershell.exe
3828	powershell.exe
4204	powershell.exe
3600	powershell.exe
2452	powershell.exe
2684	powershell.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\Control Panel\International\Geo\Nation	WinRAR.exe

Drops startup file 4 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Chrome Update.exe	crack.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\WinRAR.lnk	WinRAR.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\WinRAR.lnk	WinRAR.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Chrome Update.exe	crack.exe

Executes dropped EXE 12 IoCs

pid	Process
3912	Luxury Shield 7.1.exe
4420	WinRAR.exe
2808	WinRAR.exe
368	Luxury Shield 7.1.exe
3404	WinRAR.exe
3652	crack.exe
3812	crack.exe
748	crack.exe
4180	crack.exe
4000	WinRAR.exe
4088	Luxury Shield 7.1.exe
3136	WinRAR.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\WinRAR = "C:\\Users\\Public\\WinRAR.exe"	WinRAR.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 3 IoCs

pid	Process
3912	Luxury Shield 7.1.exe
368	Luxury Shield 7.1.exe
4088	Luxury Shield 7.1.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Luxury Shield 7.1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Luxury Shield 7.1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Luxury Shield 7.1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Luxury Shield 7.1.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2008	schtasks.exe

Suspicious behavior: EnumeratesProcesses 30 IoCs

pid	Process
2412	msedge.exe
2412	msedge.exe
4940	msedge.exe
4940	msedge.exe
4080	identity_helper.exe
4080	identity_helper.exe
2400	msedge.exe
2400	msedge.exe
2684	powershell.exe
2684	powershell.exe
2684	powershell.exe
4012	powershell.exe
4012	powershell.exe
4012	powershell.exe
3828	powershell.exe
3828	powershell.exe
3828	powershell.exe
4204	powershell.exe
4204	powershell.exe
4204	powershell.exe
524	msedge.exe
524	msedge.exe
524	msedge.exe
524	msedge.exe
3600	powershell.exe
3600	powershell.exe
3600	powershell.exe
2452	powershell.exe
2452	powershell.exe
2452	powershell.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 7 IoCs

pid	Process
4940	msedge.exe
4940	msedge.exe
4940	msedge.exe
4940	msedge.exe
4940	msedge.exe
4940	msedge.exe
4940	msedge.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

description	pid	Process
Token: SeDebugPrivilege	2684	powershell.exe
Token: SeDebugPrivilege	4012	powershell.exe
Token: SeDebugPrivilege	4420	WinRAR.exe
Token: SeDebugPrivilege	2808	WinRAR.exe
Token: SeDebugPrivilege	3828	powershell.exe
Token: SeDebugPrivilege	4204	powershell.exe
Token: SeDebugPrivilege	3404	WinRAR.exe
Token: SeDebugPrivilege	4000	WinRAR.exe
Token: SeDebugPrivilege	3600	powershell.exe
Token: SeDebugPrivilege	2452	powershell.exe
Token: SeDebugPrivilege	3136	WinRAR.exe

Suspicious use of FindShellTrayWindow 33 IoCs

pid	Process
4940	msedge.exe
4940	msedge.exe
4940	msedge.exe
4940	msedge.exe
4940	msedge.exe
4940	msedge.exe
4940	msedge.exe
4940	msedge.exe
4940	msedge.exe
4940	msedge.exe
4940	msedge.exe
4940	msedge.exe
4940	msedge.exe
4940	msedge.exe
4940	msedge.exe
4940	msedge.exe
4940	msedge.exe
4940	msedge.exe
4940	msedge.exe
4940	msedge.exe
4940	msedge.exe
4940	msedge.exe
4940	msedge.exe
4940	msedge.exe
4940	msedge.exe
4940	msedge.exe
4940	msedge.exe
4940	msedge.exe
4940	msedge.exe
4940	msedge.exe
4940	msedge.exe
4940	msedge.exe
4940	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
4940	msedge.exe
4940	msedge.exe
4940	msedge.exe
4940	msedge.exe
4940	msedge.exe
4940	msedge.exe
4940	msedge.exe
4940	msedge.exe
4940	msedge.exe
4940	msedge.exe
4940	msedge.exe
4940	msedge.exe
4940	msedge.exe
4940	msedge.exe
4940	msedge.exe
4940	msedge.exe
4940	msedge.exe
4940	msedge.exe
4940	msedge.exe
4940	msedge.exe
4940	msedge.exe
4940	msedge.exe
4940	msedge.exe
4940	msedge.exe

Suspicious use of SetWindowsHookEx 5 IoCs

pid	Process
3912	Luxury Shield 7.1.exe
368	Luxury Shield 7.1.exe
5072	Luxury Shield 7.1.exe
5072	Luxury Shield 7.1.exe
4088	Luxury Shield 7.1.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4940 wrote to memory of 3088	4940	msedge.exe	85
PID 4940 wrote to memory of 3088	4940	msedge.exe	85
PID 4940 wrote to memory of 4248	4940	msedge.exe	86
PID 4940 wrote to memory of 4248	4940	msedge.exe	86
PID 4940 wrote to memory of 4248	4940	msedge.exe	86
PID 4940 wrote to memory of 4248	4940	msedge.exe	86
PID 4940 wrote to memory of 4248	4940	msedge.exe	86
PID 4940 wrote to memory of 4248	4940	msedge.exe	86
PID 4940 wrote to memory of 4248	4940	msedge.exe	86
PID 4940 wrote to memory of 4248	4940	msedge.exe	86
PID 4940 wrote to memory of 4248	4940	msedge.exe	86
PID 4940 wrote to memory of 4248	4940	msedge.exe	86
PID 4940 wrote to memory of 4248	4940	msedge.exe	86
PID 4940 wrote to memory of 4248	4940	msedge.exe	86
PID 4940 wrote to memory of 4248	4940	msedge.exe	86
PID 4940 wrote to memory of 4248	4940	msedge.exe	86
PID 4940 wrote to memory of 4248	4940	msedge.exe	86
PID 4940 wrote to memory of 4248	4940	msedge.exe	86
PID 4940 wrote to memory of 4248	4940	msedge.exe	86
PID 4940 wrote to memory of 4248	4940	msedge.exe	86
PID 4940 wrote to memory of 4248	4940	msedge.exe	86
PID 4940 wrote to memory of 4248	4940	msedge.exe	86
PID 4940 wrote to memory of 4248	4940	msedge.exe	86
PID 4940 wrote to memory of 4248	4940	msedge.exe	86
PID 4940 wrote to memory of 4248	4940	msedge.exe	86
PID 4940 wrote to memory of 4248	4940	msedge.exe	86
PID 4940 wrote to memory of 4248	4940	msedge.exe	86
PID 4940 wrote to memory of 4248	4940	msedge.exe	86
PID 4940 wrote to memory of 4248	4940	msedge.exe	86
PID 4940 wrote to memory of 4248	4940	msedge.exe	86
PID 4940 wrote to memory of 4248	4940	msedge.exe	86
PID 4940 wrote to memory of 4248	4940	msedge.exe	86
PID 4940 wrote to memory of 4248	4940	msedge.exe	86
PID 4940 wrote to memory of 4248	4940	msedge.exe	86
PID 4940 wrote to memory of 4248	4940	msedge.exe	86
PID 4940 wrote to memory of 4248	4940	msedge.exe	86
PID 4940 wrote to memory of 4248	4940	msedge.exe	86
PID 4940 wrote to memory of 4248	4940	msedge.exe	86
PID 4940 wrote to memory of 4248	4940	msedge.exe	86
PID 4940 wrote to memory of 4248	4940	msedge.exe	86
PID 4940 wrote to memory of 4248	4940	msedge.exe	86
PID 4940 wrote to memory of 4248	4940	msedge.exe	86
PID 4940 wrote to memory of 2412	4940	msedge.exe	87
PID 4940 wrote to memory of 2412	4940	msedge.exe	87
PID 4940 wrote to memory of 464	4940	msedge.exe	88
PID 4940 wrote to memory of 464	4940	msedge.exe	88
PID 4940 wrote to memory of 464	4940	msedge.exe	88
PID 4940 wrote to memory of 464	4940	msedge.exe	88
PID 4940 wrote to memory of 464	4940	msedge.exe	88
PID 4940 wrote to memory of 464	4940	msedge.exe	88
PID 4940 wrote to memory of 464	4940	msedge.exe	88
PID 4940 wrote to memory of 464	4940	msedge.exe	88
PID 4940 wrote to memory of 464	4940	msedge.exe	88
PID 4940 wrote to memory of 464	4940	msedge.exe	88
PID 4940 wrote to memory of 464	4940	msedge.exe	88
PID 4940 wrote to memory of 464	4940	msedge.exe	88
PID 4940 wrote to memory of 464	4940	msedge.exe	88
PID 4940 wrote to memory of 464	4940	msedge.exe	88
PID 4940 wrote to memory of 464	4940	msedge.exe	88
PID 4940 wrote to memory of 464	4940	msedge.exe	88
PID 4940 wrote to memory of 464	4940	msedge.exe	88
PID 4940 wrote to memory of 464	4940	msedge.exe	88
PID 4940 wrote to memory of 464	4940	msedge.exe	88
PID 4940 wrote to memory of 464	4940	msedge.exe	88

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://mega.nz/folder/o7onBAqb#lPnM6du1_ZsHQgf5SIaC4Q
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4940
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffebdfc46f8,0x7ffebdfc4708,0x7ffebdfc4718
  2⤵
  PID:3088
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2156,17104030694542328437,16127891435114400434,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2168 /prefetch:2
  2⤵
  PID:4248
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2156,17104030694542328437,16127891435114400434,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2228 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2412
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2156,17104030694542328437,16127891435114400434,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2736 /prefetch:8
  2⤵
  PID:464
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2156,17104030694542328437,16127891435114400434,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3404 /prefetch:1
  2⤵
  PID:2808
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2156,17104030694542328437,16127891435114400434,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3436 /prefetch:1
  2⤵
  PID:2864
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=2156,17104030694542328437,16127891435114400434,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=4204 /prefetch:8
  2⤵
  PID:4956
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2156,17104030694542328437,16127891435114400434,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5732 /prefetch:8
  2⤵
  PID:2416
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2156,17104030694542328437,16127891435114400434,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5732 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4080
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2156,17104030694542328437,16127891435114400434,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4856 /prefetch:1
  2⤵
  PID:2064
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2156,17104030694542328437,16127891435114400434,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5444 /prefetch:1
  2⤵
  PID:876
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2156,17104030694542328437,16127891435114400434,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=3648 /prefetch:8
  2⤵
  PID:3148
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2156,17104030694542328437,16127891435114400434,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3576 /prefetch:1
  2⤵
  PID:4728
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2156,17104030694542328437,16127891435114400434,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6012 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2400
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2156,17104030694542328437,16127891435114400434,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6412 /prefetch:1
  2⤵
  PID:4700
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2156,17104030694542328437,16127891435114400434,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6324 /prefetch:1
  2⤵
  PID:2536
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2156,17104030694542328437,16127891435114400434,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=3144 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:524

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3180

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4080

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x51c 0x2d0
1⤵
PID:4436

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:2596

C:\Users\Admin\Downloads\Luxury Shield 7.1\Luxury Shield 7.1\Luxury Sheild v7.1.exe
"C:\Users\Admin\Downloads\Luxury Shield 7.1\Luxury Shield 7.1\Luxury Sheild v7.1.exe"
1⤵
PID:4592
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Luxury Shield 7.1.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2684
- C:\Users\Admin\AppData\Local\Temp\Luxury Shield 7.1.exe
  "C:\Users\Admin\AppData\Local\Temp\Luxury Shield 7.1.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:3912
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\WinRAR.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4012
- C:\Users\Admin\AppData\Local\Temp\WinRAR.exe
  "C:\Users\Admin\AppData\Local\Temp\WinRAR.exe"
  2⤵
  - Checks computer location settings
  - Drops startup file
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  PID:4420
- - C:\Windows\System32\schtasks.exe
    "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "WinRAR" /tr "C:\Users\Public\WinRAR.exe"
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:2008

C:\Users\Public\WinRAR.exe
C:\Users\Public\WinRAR.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2808

C:\Users\Admin\Downloads\Luxury Shield 7.1\Luxury Shield 7.1\Luxury Sheild v7.1.exe
"C:\Users\Admin\Downloads\Luxury Shield 7.1\Luxury Shield 7.1\Luxury Sheild v7.1.exe"
1⤵
PID:3996
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Luxury Shield 7.1.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3828
- C:\Users\Admin\AppData\Local\Temp\Luxury Shield 7.1.exe
  "C:\Users\Admin\AppData\Local\Temp\Luxury Shield 7.1.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:368
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\WinRAR.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4204
- C:\Users\Admin\AppData\Local\Temp\WinRAR.exe
  "C:\Users\Admin\AppData\Local\Temp\WinRAR.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:3404

C:\Users\Admin\Downloads\Luxury Shield 7.1\Luxury Shield 7.1\crack.exe
"C:\Users\Admin\Downloads\Luxury Shield 7.1\Luxury Shield 7.1\crack.exe"
1⤵
- Drops startup file
PID:3188

C:\Users\Admin\Downloads\Luxury Shield 7.1\Luxury Shield 7.1\crack.exe
"C:\Users\Admin\Downloads\Luxury Shield 7.1\Luxury Shield 7.1\crack.exe"
1⤵
- Executes dropped EXE
PID:3652

C:\Users\Admin\Downloads\Luxury Shield 7.1\Luxury Shield 7.1\crack.exe
"C:\Users\Admin\Downloads\Luxury Shield 7.1\Luxury Shield 7.1\crack.exe"
1⤵
- Executes dropped EXE
PID:3812

C:\Users\Admin\Downloads\Luxury Shield 7.1\Luxury Shield 7.1\crack.exe
"C:\Users\Admin\Downloads\Luxury Shield 7.1\Luxury Shield 7.1\crack.exe"
1⤵
- Executes dropped EXE
PID:748

C:\Users\Admin\Downloads\Luxury Shield 7.1\Luxury Shield 7.1\crack.exe
"C:\Users\Admin\Downloads\Luxury Shield 7.1\Luxury Shield 7.1\crack.exe"
1⤵
- Executes dropped EXE
PID:4180

C:\Users\Admin\Downloads\Luxury Shield 7.1\Luxury Shield 7.1\Luxury Shield 7.1.exe
"C:\Users\Admin\Downloads\Luxury Shield 7.1\Luxury Shield 7.1\Luxury Shield 7.1.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:5072

C:\Users\Public\WinRAR.exe
C:\Users\Public\WinRAR.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4000

C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Downloads\Luxury Shield 7.1\Luxury Shield 7.1\Pass to use.txt
1⤵
PID:4784

C:\Users\Admin\Downloads\Luxury Shield 7.1\Luxury Shield 7.1\Luxury Sheild v7.1.exe
"C:\Users\Admin\Downloads\Luxury Shield 7.1\Luxury Shield 7.1\Luxury Sheild v7.1.exe"
1⤵
PID:4516
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Luxury Shield 7.1.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3600
- C:\Users\Admin\AppData\Local\Temp\Luxury Shield 7.1.exe
  "C:\Users\Admin\AppData\Local\Temp\Luxury Shield 7.1.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:4088
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\WinRAR.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2452
- C:\Users\Admin\AppData\Local\Temp\WinRAR.exe
  "C:\Users\Admin\AppData\Local\Temp\WinRAR.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:3136

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\Luxury Sheild v7.1.exe.log

Filesize
654B

MD5
2ff39f6c7249774be85fd60a8f9a245e

SHA1
684ff36b31aedc1e587c8496c02722c6698c1c4e

SHA256
e1b91642d85d98124a6a31f710e137ab7fd90dec30e74a05ab7fcf3b7887dced

SHA512
1d7e8b92ef4afd463d62cfa7e8b9d1799db5bf2a263d3cd7840df2e0a1323d24eb595b5f8eb615c6cb15f9e3a7b4fc99f8dd6a3d34479222e966ec708998aed1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\crack.exe.log

Filesize
42B

MD5
84cfdb4b995b1dbf543b26b86c863adc

SHA1
d2f47764908bf30036cf8248b9ff5541e2711fa2

SHA256
d8988d672d6915b46946b28c06ad8066c50041f6152a91d37ffa5cf129cc146b

SHA512
485f0ed45e13f00a93762cbf15b4b8f996553baa021152fae5aba051e3736bcd3ca8f4328f0e6d9e3e1f910c96c4a9ae055331123ee08e3c2ce3a99ac2e177ce

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
a43e653ffb5ab07940f4bdd9cc8fade4

SHA1
af43d04e3427f111b22dc891c5c7ee8a10ac4123

SHA256
c4c53abb13e99475aebfbe9fec7a8fead81c14c80d9dcc2b81375304f3a683fe

SHA512
62a97e95e1f19a8d4302847110dae44f469877eed6aa8ea22345c6eb25ee220e7d310fa0b7ec5df42356815421c0af7c46a0f1fee8933cc446641800eda6cd1b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
9e3fc58a8fb86c93d19e1500b873ef6f

SHA1
c6aae5f4e26f5570db5e14bba8d5061867a33b56

SHA256
828f4eacac1c40b790fd70dbb6fa6ba03dcc681171d9b2a6579626d27837b1c4

SHA512
e5e245b56fa82075e060f468a3224cf2ef43f1b6d87f0351a2102d85c7c897e559be4caeaecfdc4059af29fdc674681b61229319dda95cb2ee649b2eb98d313e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
27304926d60324abe74d7a4b571c35ea

SHA1
78b8f92fcaf4a09eaa786bbe33fd1b0222ef29c1

SHA256
7039ad5c2b40f4d97c8c2269f4942be13436d739b2e1f8feb7a0c9f9fdb931de

SHA512
f5b6181d3f432238c7365f64fc8a373299e23ba8178bcc419471916ef8b23e909787c7c0617ab22e4eb90909c02bd7b84f1386fbc61e2bdb5a0eb474175da4bd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000024

Filesize
17KB

MD5
950eca48e414acbe2c3b5d046dcb8521

SHA1
1731f264e979f18cdf08c405c7b7d32789a6fb59

SHA256
c0bbe530abfce19e06697bc4358eb426e076ccdb9113e22df4a6f32085da67a2

SHA512
27e55525ade4d099a6881011f6e2e0d5d3a9ca7181f4f014dc231d40b3b1907d0d437b0c44d336c25dd7b73209cd773b8563675ac260c43c7752e2d2d694d4d9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
72B

MD5
85e8d507d1888f1006993f9802b4ad50

SHA1
2de1a156f5f97e4dcfb108efcfc81f8a57777ffe

SHA256
a45d5cae10272c5c7f55b7d40cbba3cb2d5ee61d1ba6ad2a5069a49e622c92c0

SHA512
34c62c575dcdd5a38190601ef9de2303336bf513db4287815e693f46c0f2c03975fe3a1377bb4e4c2733376184e772cdb0c2f62defd02f67fa1037a2d2ad74ef

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\File System\Origins\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
188B

MD5
008114e1a1a614b35e8a7515da0f3783

SHA1
3c390d38126c7328a8d7e4a72d5848ac9f96549b

SHA256
7301b76033c2970e61bab5eaddaff5aa652c39db5c0ea5632814f989716a1d18

SHA512
a202fc891eace003c346bad7e5d2c73dadf9591d5ce950395ff4b63cc2866b17e02bd3f0ad92749df033a936685851455bcdbfad30f26e765c3c89d3309cb82b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
9c6f8d643780274b351af6c02d0a9b91

SHA1
32b8db5f0c08d1ecdc821a4d99ca45ce6a6b1ac6

SHA256
1640392373eb59bd395fa5352f8498b2a678cb3337155263ff6b5630d371f849

SHA512
14e53ae0532507056c1aa0f753f1cb588098b6dec69e59038ab61d785d1bbc352750a04ba9650dc69317b45d87ba14107a8ecd01235d93ae1fbced548ad5fb99

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
d8e63429ba7d30ea63d6c1c4b1380517

SHA1
bdb00f44863d7b640f89e0843790652382e4ce1e

SHA256
0602f0778d81a47ae520602276723e0345ef9802b5ee7f482079041036b02940

SHA512
5b61f74fa867ad11fed9366e3f7e642519919cd406e7bed4c909d2d51e5965b3ba85457ea2b9e4feb4f7e0ce9936eb4d8e1f8f5b0bb2893e20a2b1a2681a3659

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
de70addc0f1dfe0cca77192550636188

SHA1
a5f1e323e246ea88d02c9146dfc31348d7f1a0d4

SHA256
f0b669ad5859597ebfd442da56d759d4293e4021bcce63e9f8c8585b9b858ea5

SHA512
7a1079b96503e5d42af60da18defb8fb0581d40da0d032e372d9cbb2b2b0c745dd4143befc7060d17bd4c6d679421e957503ed8e1e33681e2b6e6f7631c1ecee

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\Database\MANIFEST-000001

Filesize
41B

MD5
5af87dfd673ba2115e2fcf5cfdb727ab

SHA1
d5b5bbf396dc291274584ef71f444f420b6056f1

SHA256
f9d31b278e215eb0d0e9cd709edfa037e828f36214ab7906f612160fead4b2b4

SHA512
de34583a7dbafe4dd0dc0601e8f6906b9bc6a00c56c9323561204f77abbc0dc9007c480ffe4092ff2f194d54616caf50aecbd4a1e9583cae0c76ad6dd7c2375b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index

Filesize
72B

MD5
5309bd54a0bb601ffc878af79d4c2793

SHA1
ed2a7e06399c09142cbb3dec2062dfad63c09fd2

SHA256
4fecec3b3c9bc623436aa38d91500982bd44e2c044d8af71caf39abf541c433e

SHA512
ffbe51137974aada858f137211dde871a6afff7d12ee92ed33d0838c91cc437c8c2bc2a859c7d0889616f23a9b957b110b897860d4fedad7f9b540e2910e2e92

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index~RFe580105.TMP

Filesize
48B

MD5
bf7f582b016a010bf7ef7f90f4a1a321

SHA1
ed1fcaf3d85a0d01e19840f8b59a6ff45d665bbb

SHA256
0e62f31161b2c88672722e551b2269179a9997a715d88207c46b3f91f0d2ff41

SHA512
618043f0d97d09a6a2195f23865a258c276b66f5dd8a69c9462c7b6f8c736454d98ca0480744adde8355cbace59290db8a743a58c6e88e29d12e22bacc92af38

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
41c5e810cc20e5bcbf9217ff8b8cb9b4

SHA1
11624a668508a08df7bd3dcb2813b24233a543f3

SHA256
ce6faad693527bedd7770af8da6a0a2a1739b6103fe2389e3df3e0e9431bcbd3

SHA512
09a306611be501a90ad2540eb000d9fe58cf55dc9982a89683f862272c100a525ba5a8dc635ca9683d978f1849bcea3942d036789fed3c849c57e32aff638324

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
1a6d47189d415a50c79abd24fe6c4161

SHA1
c02d8d560c2d6351763019bf294447182515466f

SHA256
506fa4433ea56160f03c76f598a1fdf69b2dd22505c654821c85611f15ef4a13

SHA512
dfb43d009233ce32912ddc000bc171ef409883dbe72789531d1b2463bc6dd770b5d48e1334bce2bbeefddebecb77f8553b19379824c34d4340223ec15a8a5d78

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
7eb4e058795aaf02e9e161eb5d5e3689

SHA1
aeaedbcadbc7b39f0016113bc252fe2faa5ed7b7

SHA256
e63490ad7aadfe933139b4ed59694ee60928fc9c2ca56e89f05218d99d8e2ce8

SHA512
d226dd70a46ff7e93cee23efcdbd4665b631af6bff1db253538a672248ea853fc3065e06b623f55eceba46fc4f6421fe076a2f1b003cd4007e2f1e23b5475fa9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
e60eb305a7b2d9907488068b7065abd3

SHA1
1643dd7f915ac50c75bc01c53d68c5dafb9ce28d

SHA256
ad07460e061642c0dd4e7dfa7b821aacce873e290389e72f708e9f3504f9d135

SHA512
95c45afec6fa4e0b2a21edd10a6b2dc30568810c67bc9bc34d98ab111c48261f377a370583adb27e08616b0108026c119493b1b093b52ce931117e646b46cb7b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
3b444d3f0ddea49d84cc7b3972abe0e6

SHA1
0a896b3808e68d5d72c2655621f43b0b2c65ae02

SHA256
ab075b491d20c6f66c7bd40b57538c1cfdaab5aac4715bfe3bbc7f4745860a74

SHA512
eb0ab5d68472ec42de4c9b6d84306d7bca3874be1d0ac572030a070f21a698432418068e1a6006ff88480be8c8f54c769dee74b2def403f734109dba7261f36b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
dbb22d95851b93abf2afe8fb96a8e544

SHA1
920ec5fdb323537bcf78f7e29a4fc274e657f7a4

SHA256
e1ee9af6b9e3bfd41b7d2c980580bb7427883f1169ed3df4be11293ce7895465

SHA512
16031134458bf312509044a3028be46034c544163c4ca956aee74d2075fbeb5873754d2254dc1d0b573ce1a644336ac4c8bd7147aba100bfdac8c504900ef3fc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
cc19bcff372d20459d3651ba8aef50e7

SHA1
3c6f1d4cdd647864fb97a16b1aefba67fcee11f7

SHA256
366473e774d8976c7fd4dc582220666fb61a4feb3f7c95e69b2a68ad9e446ec9

SHA512
a0e360ca4b6e874fd44612bf4b17f3722c0619da4f6bade12a62efadae88c2d33460114eaafa2bc3fb1cef5bea07e745b8bee24f15d0cacaff5f4a521b225080

Download Submit
C:\Users\Admin\AppData\Local\Temp\Luxury Shield 7.1.exe

Filesize
7.5MB

MD5
9502776952e6900ae1f98934004b4293

SHA1
3905f80a539d37c648a5da1cc6dace16d3516c2c

SHA256
d8ca879cf734c21b84e3983a9245c4da2b38cfe23b1691e4ca265286c3782b1f

SHA512
cbef89e577c883283ce3e9bb48e2ba9eda010e40e6cb1a383d99e32b728a9553cdb83e0831c0bff961fd271cee4eab921f53c97d9412e87bec4d0498400b5fbb

Download Submit
C:\Users\Admin\AppData\Local\Temp\WinRAR.exe

Filesize
226KB

MD5
60219035e32ad00d4c691a1bdc6455fb

SHA1
5f3740fcf89a95437ce184cfe22f23ed8b5b9254

SHA256
e005f5c2e4fdd277ced1ae42272b864e47de334e0d2a1043f24c21253da18ae5

SHA512
b98eb125f7812ac5d2243bd0d6ee07e918af5d0a46d86a6b242a7d8f91dbaaa48fabb562c316abbbf93db0c5ffc3a16184233000b379bafcdb3104c470055fc7

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_lgncnka4.fls.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\Downloads\Luxury Shield 7.1.zip

Filesize
16.4MB

MD5
6a777757bb51c01bac95b3648b7cfc76

SHA1
0047ce451ce9f63c1e2537b0b69405c243a9685a

SHA256
29b29eaa1b33d92f8b7536ca0513887e26f232acb8ca438beb89555d4ce8136a

SHA512
12e366d5e2560862670774d021fb6a7fdd8f7583b21e52887141788a58bf1dd3f6bda47e4c9a9282aee2e59a412163c236a1c6d497912a1becc1d0f74d3dcaac

Download Submit
C:\Users\Admin\Downloads\Luxury Shield 7.1\Luxury Shield 7.1\crack.exe

Filesize
9KB

MD5
34ef4aa10e7411cca216d92994bcce20

SHA1
13338054d516019e6100ecc76e7157f0ee5ed87d

SHA256
7ea2aab51d2e6abdaf6d182b0657a6503c1dee86fc42f40b4dd9895b31e4d8c0

SHA512
08c726b105bdd94c74b65ed8a1968f234bc4ffd4dca8b49c98f4da9a7ac0b0fb92c14476ae0ff323d3e6d7b7bdba6b8732459601f807037bf5757f5f4efb06f4

Download Submit
memory/368-329-0x0000000000620000-0x0000000001980000-memory.dmp

Filesize
19.4MB

Download
memory/368-343-0x0000000000620000-0x0000000001980000-memory.dmp

Filesize
19.4MB

Download
memory/368-345-0x0000000000620000-0x0000000001980000-memory.dmp

Filesize
19.4MB

Download
memory/2684-225-0x000001E92FB30000-0x000001E92FB52000-memory.dmp

Filesize
136KB

Download
memory/3188-346-0x0000024B4B7C0000-0x0000024B4B7C8000-memory.dmp

Filesize
32KB

Download
memory/3912-300-0x0000000000D00000-0x0000000002060000-memory.dmp

Filesize
19.4MB

Download
memory/3912-277-0x0000000000D00000-0x0000000002060000-memory.dmp

Filesize
19.4MB

Download
memory/3912-239-0x0000000000D00000-0x0000000002060000-memory.dmp

Filesize
19.4MB

Download
memory/4088-381-0x0000000000C70000-0x0000000001FD0000-memory.dmp

Filesize
19.4MB

Download
memory/4088-405-0x0000000000C70000-0x0000000001FD0000-memory.dmp

Filesize
19.4MB

Download
memory/4420-264-0x0000000000130000-0x000000000016E000-memory.dmp

Filesize
248KB

Download
memory/4592-215-0x0000000000860000-0x0000000001006000-memory.dmp

Filesize
7.6MB

Download