Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Resubmissions

08/08/2024, 07:46

240808-jmc2davdnf 10

08/08/2024, 06:50

240808-hlwxes1bjl 10

Analysis

  • max time kernel
    149s
  • max time network
    150s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240802-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
  • submitted
    08/08/2024, 07:46

General

  • Target

    https://mega.nz/folder/o7onBAqb#lPnM6du1_ZsHQgf5SIaC4Q

Malware Config

Extracted

Family

xworm

Version

3.1

C2

society-painted.at.ply.gg:17251

Attributes
  • Install_directory

    %Public%

  • install_file

    USB.exe

  • telegram

    https://api.telegram.org/bot5817418329:AAGYtFww9eAGl3ZTuqrCmSNxu_TJJiAWkzA/sendMessage?chat_id=1860651440

Signatures

  • Detect Xworm Payload 2 IoCs
  • Xworm

    Xworm is a remote access trojan written in C#.

  • Command and Scripting Interpreter: PowerShell 1 TTPs 6 IoCs

    Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Drops startup file 4 IoCs
  • Executes dropped EXE 12 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
  • Suspicious use of NtSetInformationThreadHideFromDebugger 3 IoCs
  • Browser Information Discovery 1 TTPs

    Enumerate browser information.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

  • Enumerates system info in registry 2 TTPs 3 IoCs
  • Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Suspicious behavior: EnumeratesProcesses 30 IoCs
  • Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 7 IoCs
  • Suspicious use of AdjustPrivilegeToken 11 IoCs
  • Suspicious use of FindShellTrayWindow 33 IoCs
  • Suspicious use of SendNotifyMessage 24 IoCs
  • Suspicious use of SetWindowsHookEx 5 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Processes

  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://mega.nz/folder/o7onBAqb#lPnM6du1_ZsHQgf5SIaC4Q
    1⤵
    • Enumerates system info in registry
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    • Suspicious use of WriteProcessMemory
    PID:4940
    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffebdfc46f8,0x7ffebdfc4708,0x7ffebdfc4718
      2⤵
        PID:3088
      • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2156,17104030694542328437,16127891435114400434,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2168 /prefetch:2
        2⤵
          PID:4248
        • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2156,17104030694542328437,16127891435114400434,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2228 /prefetch:3
          2⤵
          • Suspicious behavior: EnumeratesProcesses
          PID:2412
        • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2156,17104030694542328437,16127891435114400434,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2736 /prefetch:8
          2⤵
            PID:464
          • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
            "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2156,17104030694542328437,16127891435114400434,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3404 /prefetch:1
            2⤵
              PID:2808
            • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
              "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2156,17104030694542328437,16127891435114400434,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3436 /prefetch:1
              2⤵
                PID:2864
              • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=2156,17104030694542328437,16127891435114400434,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=4204 /prefetch:8
                2⤵
                  PID:4956
                • C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
                  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2156,17104030694542328437,16127891435114400434,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5732 /prefetch:8
                  2⤵
                    PID:2416
                  • C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
                    "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2156,17104030694542328437,16127891435114400434,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5732 /prefetch:8
                    2⤵
                    • Suspicious behavior: EnumeratesProcesses
                    PID:4080
                  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2156,17104030694542328437,16127891435114400434,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4856 /prefetch:1
                    2⤵
                      PID:2064
                    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2156,17104030694542328437,16127891435114400434,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5444 /prefetch:1
                      2⤵
                        PID:876
                      • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2156,17104030694542328437,16127891435114400434,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=3648 /prefetch:8
                        2⤵
                          PID:3148
                        • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                          "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2156,17104030694542328437,16127891435114400434,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3576 /prefetch:1
                          2⤵
                            PID:4728
                          • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                            "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2156,17104030694542328437,16127891435114400434,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6012 /prefetch:8
                            2⤵
                            • Suspicious behavior: EnumeratesProcesses
                            PID:2400
                          • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                            "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2156,17104030694542328437,16127891435114400434,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6412 /prefetch:1
                            2⤵
                              PID:4700
                            • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                              "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2156,17104030694542328437,16127891435114400434,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6324 /prefetch:1
                              2⤵
                                PID:2536
                              • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2156,17104030694542328437,16127891435114400434,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=3144 /prefetch:2
                                2⤵
                                • Suspicious behavior: EnumeratesProcesses
                                PID:524
                            • C:\Windows\System32\CompPkgSrv.exe
                              C:\Windows\System32\CompPkgSrv.exe -Embedding
                              1⤵
                                PID:3180
                              • C:\Windows\System32\CompPkgSrv.exe
                                C:\Windows\System32\CompPkgSrv.exe -Embedding
                                1⤵
                                  PID:4080
                                • C:\Windows\system32\AUDIODG.EXE
                                  C:\Windows\system32\AUDIODG.EXE 0x51c 0x2d0
                                  1⤵
                                    PID:4436
                                  • C:\Windows\System32\rundll32.exe
                                    C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
                                    1⤵
                                      PID:2596
                                    • C:\Users\Admin\Downloads\Luxury Shield 7.1\Luxury Shield 7.1\Luxury Sheild v7.1.exe
                                      "C:\Users\Admin\Downloads\Luxury Shield 7.1\Luxury Shield 7.1\Luxury Sheild v7.1.exe"
                                      1⤵
                                        PID:4592
                                        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                          "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Luxury Shield 7.1.exe'
                                          2⤵
                                          • Command and Scripting Interpreter: PowerShell
                                          • Suspicious behavior: EnumeratesProcesses
                                          • Suspicious use of AdjustPrivilegeToken
                                          PID:2684
                                        • C:\Users\Admin\AppData\Local\Temp\Luxury Shield 7.1.exe
                                          "C:\Users\Admin\AppData\Local\Temp\Luxury Shield 7.1.exe"
                                          2⤵
                                          • Executes dropped EXE
                                          • Suspicious use of NtSetInformationThreadHideFromDebugger
                                          • System Location Discovery: System Language Discovery
                                          • Suspicious use of SetWindowsHookEx
                                          PID:3912
                                        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                          "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\WinRAR.exe'
                                          2⤵
                                          • Command and Scripting Interpreter: PowerShell
                                          • Suspicious behavior: EnumeratesProcesses
                                          • Suspicious use of AdjustPrivilegeToken
                                          PID:4012
                                        • C:\Users\Admin\AppData\Local\Temp\WinRAR.exe
                                          "C:\Users\Admin\AppData\Local\Temp\WinRAR.exe"
                                          2⤵
                                          • Checks computer location settings
                                          • Drops startup file
                                          • Executes dropped EXE
                                          • Adds Run key to start application
                                          • Suspicious use of AdjustPrivilegeToken
                                          PID:4420
                                          • C:\Windows\System32\schtasks.exe
                                            "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "WinRAR" /tr "C:\Users\Public\WinRAR.exe"
                                            3⤵
                                            • Scheduled Task/Job: Scheduled Task
                                            PID:2008
                                      • C:\Users\Public\WinRAR.exe
                                        C:\Users\Public\WinRAR.exe
                                        1⤵
                                        • Executes dropped EXE
                                        • Suspicious use of AdjustPrivilegeToken
                                        PID:2808
                                      • C:\Users\Admin\Downloads\Luxury Shield 7.1\Luxury Shield 7.1\Luxury Sheild v7.1.exe
                                        "C:\Users\Admin\Downloads\Luxury Shield 7.1\Luxury Shield 7.1\Luxury Sheild v7.1.exe"
                                        1⤵
                                          PID:3996
                                          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                            "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Luxury Shield 7.1.exe'
                                            2⤵
                                            • Command and Scripting Interpreter: PowerShell
                                            • Suspicious behavior: EnumeratesProcesses
                                            • Suspicious use of AdjustPrivilegeToken
                                            PID:3828
                                          • C:\Users\Admin\AppData\Local\Temp\Luxury Shield 7.1.exe
                                            "C:\Users\Admin\AppData\Local\Temp\Luxury Shield 7.1.exe"
                                            2⤵
                                            • Executes dropped EXE
                                            • Suspicious use of NtSetInformationThreadHideFromDebugger
                                            • System Location Discovery: System Language Discovery
                                            • Suspicious use of SetWindowsHookEx
                                            PID:368
                                          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                            "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\WinRAR.exe'
                                            2⤵
                                            • Command and Scripting Interpreter: PowerShell
                                            • Suspicious behavior: EnumeratesProcesses
                                            • Suspicious use of AdjustPrivilegeToken
                                            PID:4204
                                          • C:\Users\Admin\AppData\Local\Temp\WinRAR.exe
                                            "C:\Users\Admin\AppData\Local\Temp\WinRAR.exe"
                                            2⤵
                                            • Executes dropped EXE
                                            • Suspicious use of AdjustPrivilegeToken
                                            PID:3404
                                        • C:\Users\Admin\Downloads\Luxury Shield 7.1\Luxury Shield 7.1\crack.exe
                                          "C:\Users\Admin\Downloads\Luxury Shield 7.1\Luxury Shield 7.1\crack.exe"
                                          1⤵
                                          • Drops startup file
                                          PID:3188
                                        • C:\Users\Admin\Downloads\Luxury Shield 7.1\Luxury Shield 7.1\crack.exe
                                          "C:\Users\Admin\Downloads\Luxury Shield 7.1\Luxury Shield 7.1\crack.exe"
                                          1⤵
                                          • Executes dropped EXE
                                          PID:3652
                                        • C:\Users\Admin\Downloads\Luxury Shield 7.1\Luxury Shield 7.1\crack.exe
                                          "C:\Users\Admin\Downloads\Luxury Shield 7.1\Luxury Shield 7.1\crack.exe"
                                          1⤵
                                          • Executes dropped EXE
                                          PID:3812
                                        • C:\Users\Admin\Downloads\Luxury Shield 7.1\Luxury Shield 7.1\crack.exe
                                          "C:\Users\Admin\Downloads\Luxury Shield 7.1\Luxury Shield 7.1\crack.exe"
                                          1⤵
                                          • Executes dropped EXE
                                          PID:748
                                        • C:\Users\Admin\Downloads\Luxury Shield 7.1\Luxury Shield 7.1\crack.exe
                                          "C:\Users\Admin\Downloads\Luxury Shield 7.1\Luxury Shield 7.1\crack.exe"
                                          1⤵
                                          • Executes dropped EXE
                                          PID:4180
                                        • C:\Users\Admin\Downloads\Luxury Shield 7.1\Luxury Shield 7.1\Luxury Shield 7.1.exe
                                          "C:\Users\Admin\Downloads\Luxury Shield 7.1\Luxury Shield 7.1\Luxury Shield 7.1.exe"
                                          1⤵
                                          • System Location Discovery: System Language Discovery
                                          • Suspicious use of SetWindowsHookEx
                                          PID:5072
                                        • C:\Users\Public\WinRAR.exe
                                          C:\Users\Public\WinRAR.exe
                                          1⤵
                                          • Executes dropped EXE
                                          • Suspicious use of AdjustPrivilegeToken
                                          PID:4000
                                        • C:\Windows\system32\NOTEPAD.EXE
                                          "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Downloads\Luxury Shield 7.1\Luxury Shield 7.1\Pass to use.txt
                                          1⤵
                                            PID:4784
                                          • C:\Users\Admin\Downloads\Luxury Shield 7.1\Luxury Shield 7.1\Luxury Sheild v7.1.exe
                                            "C:\Users\Admin\Downloads\Luxury Shield 7.1\Luxury Shield 7.1\Luxury Sheild v7.1.exe"
                                            1⤵
                                              PID:4516
                                              • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Luxury Shield 7.1.exe'
                                                2⤵
                                                • Command and Scripting Interpreter: PowerShell
                                                • Suspicious behavior: EnumeratesProcesses
                                                • Suspicious use of AdjustPrivilegeToken
                                                PID:3600
                                              • C:\Users\Admin\AppData\Local\Temp\Luxury Shield 7.1.exe
                                                "C:\Users\Admin\AppData\Local\Temp\Luxury Shield 7.1.exe"
                                                2⤵
                                                • Executes dropped EXE
                                                • Suspicious use of NtSetInformationThreadHideFromDebugger
                                                • System Location Discovery: System Language Discovery
                                                • Suspicious use of SetWindowsHookEx
                                                PID:4088
                                              • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\WinRAR.exe'
                                                2⤵
                                                • Command and Scripting Interpreter: PowerShell
                                                • Suspicious behavior: EnumeratesProcesses
                                                • Suspicious use of AdjustPrivilegeToken
                                                PID:2452
                                              • C:\Users\Admin\AppData\Local\Temp\WinRAR.exe
                                                "C:\Users\Admin\AppData\Local\Temp\WinRAR.exe"
                                                2⤵
                                                • Executes dropped EXE
                                                • Suspicious use of AdjustPrivilegeToken
                                                PID:3136

                                            Network

                                            MITRE ATT&CK Enterprise v15

                                            Replay Monitor

                                            Loading Replay Monitor...

                                            Downloads

                                            • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\Luxury Sheild v7.1.exe.log

                                              Filesize

                                              654B

                                              MD5

                                              2ff39f6c7249774be85fd60a8f9a245e

                                              SHA1

                                              684ff36b31aedc1e587c8496c02722c6698c1c4e

                                              SHA256

                                              e1b91642d85d98124a6a31f710e137ab7fd90dec30e74a05ab7fcf3b7887dced

                                              SHA512

                                              1d7e8b92ef4afd463d62cfa7e8b9d1799db5bf2a263d3cd7840df2e0a1323d24eb595b5f8eb615c6cb15f9e3a7b4fc99f8dd6a3d34479222e966ec708998aed1

                                            • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\crack.exe.log

                                              Filesize

                                              42B

                                              MD5

                                              84cfdb4b995b1dbf543b26b86c863adc

                                              SHA1

                                              d2f47764908bf30036cf8248b9ff5541e2711fa2

                                              SHA256

                                              d8988d672d6915b46946b28c06ad8066c50041f6152a91d37ffa5cf129cc146b

                                              SHA512

                                              485f0ed45e13f00a93762cbf15b4b8f996553baa021152fae5aba051e3736bcd3ca8f4328f0e6d9e3e1f910c96c4a9ae055331123ee08e3c2ce3a99ac2e177ce

                                            • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

                                              Filesize

                                              2KB

                                              MD5

                                              a43e653ffb5ab07940f4bdd9cc8fade4

                                              SHA1

                                              af43d04e3427f111b22dc891c5c7ee8a10ac4123

                                              SHA256

                                              c4c53abb13e99475aebfbe9fec7a8fead81c14c80d9dcc2b81375304f3a683fe

                                              SHA512

                                              62a97e95e1f19a8d4302847110dae44f469877eed6aa8ea22345c6eb25ee220e7d310fa0b7ec5df42356815421c0af7c46a0f1fee8933cc446641800eda6cd1b

                                            • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

                                              Filesize

                                              152B

                                              MD5

                                              9e3fc58a8fb86c93d19e1500b873ef6f

                                              SHA1

                                              c6aae5f4e26f5570db5e14bba8d5061867a33b56

                                              SHA256

                                              828f4eacac1c40b790fd70dbb6fa6ba03dcc681171d9b2a6579626d27837b1c4

                                              SHA512

                                              e5e245b56fa82075e060f468a3224cf2ef43f1b6d87f0351a2102d85c7c897e559be4caeaecfdc4059af29fdc674681b61229319dda95cb2ee649b2eb98d313e

                                            • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

                                              Filesize

                                              152B

                                              MD5

                                              27304926d60324abe74d7a4b571c35ea

                                              SHA1

                                              78b8f92fcaf4a09eaa786bbe33fd1b0222ef29c1

                                              SHA256

                                              7039ad5c2b40f4d97c8c2269f4942be13436d739b2e1f8feb7a0c9f9fdb931de

                                              SHA512

                                              f5b6181d3f432238c7365f64fc8a373299e23ba8178bcc419471916ef8b23e909787c7c0617ab22e4eb90909c02bd7b84f1386fbc61e2bdb5a0eb474175da4bd

                                            • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000024

                                              Filesize

                                              17KB

                                              MD5

                                              950eca48e414acbe2c3b5d046dcb8521

                                              SHA1

                                              1731f264e979f18cdf08c405c7b7d32789a6fb59

                                              SHA256

                                              c0bbe530abfce19e06697bc4358eb426e076ccdb9113e22df4a6f32085da67a2

                                              SHA512

                                              27e55525ade4d099a6881011f6e2e0d5d3a9ca7181f4f014dc231d40b3b1907d0d437b0c44d336c25dd7b73209cd773b8563675ac260c43c7752e2d2d694d4d9

                                            • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

                                              Filesize

                                              72B

                                              MD5

                                              85e8d507d1888f1006993f9802b4ad50

                                              SHA1

                                              2de1a156f5f97e4dcfb108efcfc81f8a57777ffe

                                              SHA256

                                              a45d5cae10272c5c7f55b7d40cbba3cb2d5ee61d1ba6ad2a5069a49e622c92c0

                                              SHA512

                                              34c62c575dcdd5a38190601ef9de2303336bf513db4287815e693f46c0f2c03975fe3a1377bb4e4c2733376184e772cdb0c2f62defd02f67fa1037a2d2ad74ef

                                            • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\File System\Origins\CURRENT

                                              Filesize

                                              16B

                                              MD5

                                              46295cac801e5d4857d09837238a6394

                                              SHA1

                                              44e0fa1b517dbf802b18faf0785eeea6ac51594b

                                              SHA256

                                              0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

                                              SHA512

                                              8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

                                            • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

                                              Filesize

                                              188B

                                              MD5

                                              008114e1a1a614b35e8a7515da0f3783

                                              SHA1

                                              3c390d38126c7328a8d7e4a72d5848ac9f96549b

                                              SHA256

                                              7301b76033c2970e61bab5eaddaff5aa652c39db5c0ea5632814f989716a1d18

                                              SHA512

                                              a202fc891eace003c346bad7e5d2c73dadf9591d5ce950395ff4b63cc2866b17e02bd3f0ad92749df033a936685851455bcdbfad30f26e765c3c89d3309cb82b

                                            • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

                                              Filesize

                                              6KB

                                              MD5

                                              9c6f8d643780274b351af6c02d0a9b91

                                              SHA1

                                              32b8db5f0c08d1ecdc821a4d99ca45ce6a6b1ac6

                                              SHA256

                                              1640392373eb59bd395fa5352f8498b2a678cb3337155263ff6b5630d371f849

                                              SHA512

                                              14e53ae0532507056c1aa0f753f1cb588098b6dec69e59038ab61d785d1bbc352750a04ba9650dc69317b45d87ba14107a8ecd01235d93ae1fbced548ad5fb99

                                            • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

                                              Filesize

                                              6KB

                                              MD5

                                              d8e63429ba7d30ea63d6c1c4b1380517

                                              SHA1

                                              bdb00f44863d7b640f89e0843790652382e4ce1e

                                              SHA256

                                              0602f0778d81a47ae520602276723e0345ef9802b5ee7f482079041036b02940

                                              SHA512

                                              5b61f74fa867ad11fed9366e3f7e642519919cd406e7bed4c909d2d51e5965b3ba85457ea2b9e4feb4f7e0ce9936eb4d8e1f8f5b0bb2893e20a2b1a2681a3659

                                            • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

                                              Filesize

                                              6KB

                                              MD5

                                              de70addc0f1dfe0cca77192550636188

                                              SHA1

                                              a5f1e323e246ea88d02c9146dfc31348d7f1a0d4

                                              SHA256

                                              f0b669ad5859597ebfd442da56d759d4293e4021bcce63e9f8c8585b9b858ea5

                                              SHA512

                                              7a1079b96503e5d42af60da18defb8fb0581d40da0d032e372d9cbb2b2b0c745dd4143befc7060d17bd4c6d679421e957503ed8e1e33681e2b6e6f7631c1ecee

                                            • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\Database\MANIFEST-000001

                                              Filesize

                                              41B

                                              MD5

                                              5af87dfd673ba2115e2fcf5cfdb727ab

                                              SHA1

                                              d5b5bbf396dc291274584ef71f444f420b6056f1

                                              SHA256

                                              f9d31b278e215eb0d0e9cd709edfa037e828f36214ab7906f612160fead4b2b4

                                              SHA512

                                              de34583a7dbafe4dd0dc0601e8f6906b9bc6a00c56c9323561204f77abbc0dc9007c480ffe4092ff2f194d54616caf50aecbd4a1e9583cae0c76ad6dd7c2375b

                                            • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index

                                              Filesize

                                              72B

                                              MD5

                                              5309bd54a0bb601ffc878af79d4c2793

                                              SHA1

                                              ed2a7e06399c09142cbb3dec2062dfad63c09fd2

                                              SHA256

                                              4fecec3b3c9bc623436aa38d91500982bd44e2c044d8af71caf39abf541c433e

                                              SHA512

                                              ffbe51137974aada858f137211dde871a6afff7d12ee92ed33d0838c91cc437c8c2bc2a859c7d0889616f23a9b957b110b897860d4fedad7f9b540e2910e2e92

                                            • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index~RFe580105.TMP

                                              Filesize

                                              48B

                                              MD5

                                              bf7f582b016a010bf7ef7f90f4a1a321

                                              SHA1

                                              ed1fcaf3d85a0d01e19840f8b59a6ff45d665bbb

                                              SHA256

                                              0e62f31161b2c88672722e551b2269179a9997a715d88207c46b3f91f0d2ff41

                                              SHA512

                                              618043f0d97d09a6a2195f23865a258c276b66f5dd8a69c9462c7b6f8c736454d98ca0480744adde8355cbace59290db8a743a58c6e88e29d12e22bacc92af38

                                            • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

                                              Filesize

                                              16B

                                              MD5

                                              6752a1d65b201c13b62ea44016eb221f

                                              SHA1

                                              58ecf154d01a62233ed7fb494ace3c3d4ffce08b

                                              SHA256

                                              0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

                                              SHA512

                                              9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

                                            • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

                                              Filesize

                                              11KB

                                              MD5

                                              41c5e810cc20e5bcbf9217ff8b8cb9b4

                                              SHA1

                                              11624a668508a08df7bd3dcb2813b24233a543f3

                                              SHA256

                                              ce6faad693527bedd7770af8da6a0a2a1739b6103fe2389e3df3e0e9431bcbd3

                                              SHA512

                                              09a306611be501a90ad2540eb000d9fe58cf55dc9982a89683f862272c100a525ba5a8dc635ca9683d978f1849bcea3942d036789fed3c849c57e32aff638324

                                            • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

                                              Filesize

                                              11KB

                                              MD5

                                              1a6d47189d415a50c79abd24fe6c4161

                                              SHA1

                                              c02d8d560c2d6351763019bf294447182515466f

                                              SHA256

                                              506fa4433ea56160f03c76f598a1fdf69b2dd22505c654821c85611f15ef4a13

                                              SHA512

                                              dfb43d009233ce32912ddc000bc171ef409883dbe72789531d1b2463bc6dd770b5d48e1334bce2bbeefddebecb77f8553b19379824c34d4340223ec15a8a5d78

                                            • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

                                              Filesize

                                              944B

                                              MD5

                                              7eb4e058795aaf02e9e161eb5d5e3689

                                              SHA1

                                              aeaedbcadbc7b39f0016113bc252fe2faa5ed7b7

                                              SHA256

                                              e63490ad7aadfe933139b4ed59694ee60928fc9c2ca56e89f05218d99d8e2ce8

                                              SHA512

                                              d226dd70a46ff7e93cee23efcdbd4665b631af6bff1db253538a672248ea853fc3065e06b623f55eceba46fc4f6421fe076a2f1b003cd4007e2f1e23b5475fa9

                                            • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

                                              Filesize

                                              944B

                                              MD5

                                              e60eb305a7b2d9907488068b7065abd3

                                              SHA1

                                              1643dd7f915ac50c75bc01c53d68c5dafb9ce28d

                                              SHA256

                                              ad07460e061642c0dd4e7dfa7b821aacce873e290389e72f708e9f3504f9d135

                                              SHA512

                                              95c45afec6fa4e0b2a21edd10a6b2dc30568810c67bc9bc34d98ab111c48261f377a370583adb27e08616b0108026c119493b1b093b52ce931117e646b46cb7b

                                            • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

                                              Filesize

                                              944B

                                              MD5

                                              3b444d3f0ddea49d84cc7b3972abe0e6

                                              SHA1

                                              0a896b3808e68d5d72c2655621f43b0b2c65ae02

                                              SHA256

                                              ab075b491d20c6f66c7bd40b57538c1cfdaab5aac4715bfe3bbc7f4745860a74

                                              SHA512

                                              eb0ab5d68472ec42de4c9b6d84306d7bca3874be1d0ac572030a070f21a698432418068e1a6006ff88480be8c8f54c769dee74b2def403f734109dba7261f36b

                                            • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

                                              Filesize

                                              944B

                                              MD5

                                              dbb22d95851b93abf2afe8fb96a8e544

                                              SHA1

                                              920ec5fdb323537bcf78f7e29a4fc274e657f7a4

                                              SHA256

                                              e1ee9af6b9e3bfd41b7d2c980580bb7427883f1169ed3df4be11293ce7895465

                                              SHA512

                                              16031134458bf312509044a3028be46034c544163c4ca956aee74d2075fbeb5873754d2254dc1d0b573ce1a644336ac4c8bd7147aba100bfdac8c504900ef3fc

                                            • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

                                              Filesize

                                              944B

                                              MD5

                                              cc19bcff372d20459d3651ba8aef50e7

                                              SHA1

                                              3c6f1d4cdd647864fb97a16b1aefba67fcee11f7

                                              SHA256

                                              366473e774d8976c7fd4dc582220666fb61a4feb3f7c95e69b2a68ad9e446ec9

                                              SHA512

                                              a0e360ca4b6e874fd44612bf4b17f3722c0619da4f6bade12a62efadae88c2d33460114eaafa2bc3fb1cef5bea07e745b8bee24f15d0cacaff5f4a521b225080

                                            • C:\Users\Admin\AppData\Local\Temp\Luxury Shield 7.1.exe

                                              Filesize

                                              7.5MB

                                              MD5

                                              9502776952e6900ae1f98934004b4293

                                              SHA1

                                              3905f80a539d37c648a5da1cc6dace16d3516c2c

                                              SHA256

                                              d8ca879cf734c21b84e3983a9245c4da2b38cfe23b1691e4ca265286c3782b1f

                                              SHA512

                                              cbef89e577c883283ce3e9bb48e2ba9eda010e40e6cb1a383d99e32b728a9553cdb83e0831c0bff961fd271cee4eab921f53c97d9412e87bec4d0498400b5fbb

                                            • C:\Users\Admin\AppData\Local\Temp\WinRAR.exe

                                              Filesize

                                              226KB

                                              MD5

                                              60219035e32ad00d4c691a1bdc6455fb

                                              SHA1

                                              5f3740fcf89a95437ce184cfe22f23ed8b5b9254

                                              SHA256

                                              e005f5c2e4fdd277ced1ae42272b864e47de334e0d2a1043f24c21253da18ae5

                                              SHA512

                                              b98eb125f7812ac5d2243bd0d6ee07e918af5d0a46d86a6b242a7d8f91dbaaa48fabb562c316abbbf93db0c5ffc3a16184233000b379bafcdb3104c470055fc7

                                            • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_lgncnka4.fls.ps1

                                              Filesize

                                              60B

                                              MD5

                                              d17fe0a3f47be24a6453e9ef58c94641

                                              SHA1

                                              6ab83620379fc69f80c0242105ddffd7d98d5d9d

                                              SHA256

                                              96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

                                              SHA512

                                              5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

                                            • C:\Users\Admin\Downloads\Luxury Shield 7.1.zip

                                              Filesize

                                              16.4MB

                                              MD5

                                              6a777757bb51c01bac95b3648b7cfc76

                                              SHA1

                                              0047ce451ce9f63c1e2537b0b69405c243a9685a

                                              SHA256

                                              29b29eaa1b33d92f8b7536ca0513887e26f232acb8ca438beb89555d4ce8136a

                                              SHA512

                                              12e366d5e2560862670774d021fb6a7fdd8f7583b21e52887141788a58bf1dd3f6bda47e4c9a9282aee2e59a412163c236a1c6d497912a1becc1d0f74d3dcaac

                                            • C:\Users\Admin\Downloads\Luxury Shield 7.1\Luxury Shield 7.1\crack.exe

                                              Filesize

                                              9KB

                                              MD5

                                              34ef4aa10e7411cca216d92994bcce20

                                              SHA1

                                              13338054d516019e6100ecc76e7157f0ee5ed87d

                                              SHA256

                                              7ea2aab51d2e6abdaf6d182b0657a6503c1dee86fc42f40b4dd9895b31e4d8c0

                                              SHA512

                                              08c726b105bdd94c74b65ed8a1968f234bc4ffd4dca8b49c98f4da9a7ac0b0fb92c14476ae0ff323d3e6d7b7bdba6b8732459601f807037bf5757f5f4efb06f4

                                            • memory/368-329-0x0000000000620000-0x0000000001980000-memory.dmp

                                              Filesize

                                              19.4MB

                                            • memory/368-343-0x0000000000620000-0x0000000001980000-memory.dmp

                                              Filesize

                                              19.4MB

                                            • memory/368-345-0x0000000000620000-0x0000000001980000-memory.dmp

                                              Filesize

                                              19.4MB

                                            • memory/2684-225-0x000001E92FB30000-0x000001E92FB52000-memory.dmp

                                              Filesize

                                              136KB

                                            • memory/3188-346-0x0000024B4B7C0000-0x0000024B4B7C8000-memory.dmp

                                              Filesize

                                              32KB

                                            • memory/3912-300-0x0000000000D00000-0x0000000002060000-memory.dmp

                                              Filesize

                                              19.4MB

                                            • memory/3912-277-0x0000000000D00000-0x0000000002060000-memory.dmp

                                              Filesize

                                              19.4MB

                                            • memory/3912-239-0x0000000000D00000-0x0000000002060000-memory.dmp

                                              Filesize

                                              19.4MB

                                            • memory/4088-381-0x0000000000C70000-0x0000000001FD0000-memory.dmp

                                              Filesize

                                              19.4MB

                                            • memory/4088-405-0x0000000000C70000-0x0000000001FD0000-memory.dmp

                                              Filesize

                                              19.4MB

                                            • memory/4420-264-0x0000000000130000-0x000000000016E000-memory.dmp

                                              Filesize

                                              248KB

                                            • memory/4592-215-0x0000000000860000-0x0000000001006000-memory.dmp

                                              Filesize

                                              7.6MB