redline | 201f9fbaaa715f934e0f89d07aba1fa080fe17839ea64b776e1e69ce11451783

Analysis

max time kernel
132s
max time network
135s
platform
windows10-ltsc 2021_x64
resource
win10ltsc2021-20241211-en
resource tags

arch:x64arch:x86image:win10ltsc2021-20241211-enlocale:en-usos:windows10-ltsc 2021-x64system
submitted
12/01/2025, 01:23

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Luxury Shield 12.8.9.zip
Size

9.6MB
MD5

8067ac7cd02c1a3bb18b2a6a56597c3a
SHA1

1df850e23a06480dcd3a1af122a2e14382a4578f
SHA256

201f9fbaaa715f934e0f89d07aba1fa080fe17839ea64b776e1e69ce11451783
SHA512

1286bfab21376c45317c870c266ad65a64ddba4d949c2f96541ace359210a76c2957ba6d5a2b888ec3e63aad919b4c8ee5e06f606e83aa0b41bd4f306131b779
SSDEEP

196608:AxMKs19qZm4Lvx8fMF6J8zD6sL+oPI6vkCsu90NQ1VL9rm0AbBwbtr6LHYVjHnA:A7GEm4Lv2fM8wD5+H6DuK1VI0Al4A

Score

10^/10

redline xworm discovery execution infostealer persistence rat trojan

Malware Config

Extracted

Family

xworm

Version

3.1

according-psp.at.ply.gg:38979

Attributes

Install_directory
%ProgramData%
install_file
USB.exe

Signatures

Detect Xworm Payload 1 IoCs

resource	yara_rule
behavioral1/memory/3764-67-0x0000000000400000-0x0000000000418000-memory.dmp	family_xworm

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 2 IoCs

resource	yara_rule
behavioral1/memory/1504-37-0x00000000006D0000-0x0000000000726000-memory.dmp	family_redline
behavioral1/memory/4104-181-0x0000000000D30000-0x0000000000D86000-memory.dmp	family_redline

Redline family
redline
Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm
Xworm family
xworm

Command and Scripting Interpreter: PowerShell 1 TTPs 3 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
2372	powershell.exe
1784	powershell.exe
3840	powershell.exe

Checks computer location settings 2 TTPs 23 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1006597246-3150276181-3318461161-1000\Control Panel\International\Geo\Nation	Luxury Shield.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1006597246-3150276181-3318461161-1000\Control Panel\International\Geo\Nation	Safe Mode.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1006597246-3150276181-3318461161-1000\Control Panel\International\Geo\Nation	Luxury Shield.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1006597246-3150276181-3318461161-1000\Control Panel\International\Geo\Nation	Luxury Shield.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1006597246-3150276181-3318461161-1000\Control Panel\International\Geo\Nation	Luxury Shield.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1006597246-3150276181-3318461161-1000\Control Panel\International\Geo\Nation	Luxury Shield.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1006597246-3150276181-3318461161-1000\Control Panel\International\Geo\Nation	Luxury Shield.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1006597246-3150276181-3318461161-1000\Control Panel\International\Geo\Nation	Luxury Shield.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1006597246-3150276181-3318461161-1000\Control Panel\International\Geo\Nation	Luxury Shield.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1006597246-3150276181-3318461161-1000\Control Panel\International\Geo\Nation	Luxury Shield.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1006597246-3150276181-3318461161-1000\Control Panel\International\Geo\Nation	Luxury Shield.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1006597246-3150276181-3318461161-1000\Control Panel\International\Geo\Nation	Luxury Shield.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1006597246-3150276181-3318461161-1000\Control Panel\International\Geo\Nation	Luxury Shield.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1006597246-3150276181-3318461161-1000\Control Panel\International\Geo\Nation	Luxury Shield.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1006597246-3150276181-3318461161-1000\Control Panel\International\Geo\Nation	Luxury Shield.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1006597246-3150276181-3318461161-1000\Control Panel\International\Geo\Nation	Luxury Shield.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1006597246-3150276181-3318461161-1000\Control Panel\International\Geo\Nation	Luxury Shield.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1006597246-3150276181-3318461161-1000\Control Panel\International\Geo\Nation	Luxury Shield.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1006597246-3150276181-3318461161-1000\Control Panel\International\Geo\Nation	Luxury Shield.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1006597246-3150276181-3318461161-1000\Control Panel\International\Geo\Nation	Luxury Shield.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1006597246-3150276181-3318461161-1000\Control Panel\International\Geo\Nation	Luxury Shield.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1006597246-3150276181-3318461161-1000\Control Panel\International\Geo\Nation	Luxury Shield.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1006597246-3150276181-3318461161-1000\Control Panel\International\Geo\Nation	Luxury Shield.exe

Drops startup file 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Safe Mode.lnk	Safe Mode.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Safe Mode.lnk	Safe Mode.exe

Executes dropped EXE 64 IoCs

pid	Process
1656	Luxury Shield.exe
1504	build.exe
4628	Luxury Shield.exe
1552	Luxury Shield.exe
4516	Safe Mode.exe
3764	Safe Mode.exe
236	Luxury Shield.exe
3080	Safe Mode.exe
1344	Safe Mode.exe
1684	Luxury Shield.exe
4652	Safe Mode.exe
3684	Safe Mode.exe
3712	Luxury Shield.exe
4104	Safe Mode.exe
2388	Safe Mode.exe
2924	ILMerge.exe
4636	Luxury Shield.exe
2432	Safe Mode.exe
5000	Safe Mode.exe
3824	Luxury Shield.exe
2792	Safe Mode.exe
2544	Safe Mode.exe
4104	crack.exe
904	Luxury Shield.exe
3756	Safe Mode.exe
436	Safe Mode.exe
456	Luxury Shield.exe
4332	Safe Mode.exe
3336	Safe Mode.exe
628	Luxury Shield.exe
3456	Luxury Shield.exe
660	Safe Mode.exe
2016	Safe Mode.exe
3844	Safe Mode.exe
4736	Safe Mode.exe
4628	Luxury Shield.exe
2584	Safe Mode.exe
2372	Safe Mode.exe
4124	Luxury Shield.exe
2816	Safe Mode.exe
1180	Safe Mode.exe
1632	Luxury Shield.exe
1460	Safe Mode.exe
4844	Safe Mode.exe
3612	Safe Mode.exe
4352	Luxury Shield.exe
4360	Safe Mode.exe
3888	Safe Mode.exe
456	Luxury Shield.exe
1364	Safe Mode.exe
5088	Safe Mode.exe
2328	Luxury Shield.exe
3052	Safe Mode.exe
4560	Safe Mode.exe
3100	Luxury Shield.exe
2076	Safe Mode.exe
3996	Safe Mode.exe
1096	Luxury Shield.exe
3604	Safe Mode.exe
2924	Safe Mode.exe
992	Luxury Shield.exe
3888	Safe Mode.exe
2984	Safe Mode.exe
3840	Safe Mode.exe

Adds Run key to start application 2 TTPs 22 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1006597246-3150276181-3318461161-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Safe Mode = "C:\\ProgramData\\Safe Mode.exe"	Luxury Shield.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1006597246-3150276181-3318461161-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Safe Mode = "C:\\ProgramData\\Safe Mode.exe"	Luxury Shield.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1006597246-3150276181-3318461161-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Safe Mode = "C:\\ProgramData\\Safe Mode.exe"	Luxury Shield.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1006597246-3150276181-3318461161-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Safe Mode = "C:\\ProgramData\\Safe Mode.exe"	Luxury Shield.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1006597246-3150276181-3318461161-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Safe Mode = "C:\\ProgramData\\Safe Mode.exe"	Luxury Shield.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1006597246-3150276181-3318461161-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Safe Mode = "C:\\ProgramData\\Safe Mode.exe"	Luxury Shield.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1006597246-3150276181-3318461161-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Safe Mode = "C:\\ProgramData\\Safe Mode.exe"	Luxury Shield.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1006597246-3150276181-3318461161-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Safe Mode = "C:\\ProgramData\\Safe Mode.exe"	Luxury Shield.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1006597246-3150276181-3318461161-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Safe Mode = "C:\\ProgramData\\Safe Mode.exe"	Luxury Shield.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1006597246-3150276181-3318461161-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Safe Mode = "C:\\ProgramData\\Safe Mode.exe"	Luxury Shield.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1006597246-3150276181-3318461161-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Safe Mode = "C:\\ProgramData\\Safe Mode.exe"	Luxury Shield.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1006597246-3150276181-3318461161-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Safe Mode = "C:\\ProgramData\\Safe Mode.exe"	Luxury Shield.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1006597246-3150276181-3318461161-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Safe Mode = "C:\\ProgramData\\Safe Mode.exe"	Luxury Shield.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1006597246-3150276181-3318461161-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Safe Mode = "C:\\ProgramData\\Safe Mode.exe"	Luxury Shield.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1006597246-3150276181-3318461161-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Safe Mode = "C:\\ProgramData\\Safe Mode.exe"	Luxury Shield.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1006597246-3150276181-3318461161-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Safe Mode = "C:\\ProgramData\\Safe Mode.exe"	Luxury Shield.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1006597246-3150276181-3318461161-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Safe Mode = "C:\\ProgramData\\Safe Mode.exe"	Luxury Shield.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1006597246-3150276181-3318461161-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Safe Mode = "C:\\ProgramData\\Safe Mode.exe"	Luxury Shield.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1006597246-3150276181-3318461161-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Safe Mode = "C:\\ProgramData\\Safe Mode.exe"	Safe Mode.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1006597246-3150276181-3318461161-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Safe Mode = "C:\\ProgramData\\Safe Mode.exe"	Luxury Shield.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1006597246-3150276181-3318461161-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Safe Mode = "C:\\ProgramData\\Safe Mode.exe"	Luxury Shield.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1006597246-3150276181-3318461161-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Safe Mode = "C:\\ProgramData\\Safe Mode.exe"	Luxury Shield.exe

Suspicious use of SetThreadContext 21 IoCs

description	pid	Process	procid_target
PID 4516 set thread context of 3764	4516	Safe Mode.exe	104
PID 3080 set thread context of 1344	3080	Safe Mode.exe	107
PID 4652 set thread context of 3684	4652	Safe Mode.exe	112
PID 4104 set thread context of 2388	4104	Safe Mode.exe	115
PID 2432 set thread context of 5000	2432	Safe Mode.exe	123
PID 2792 set thread context of 2544	2792	Safe Mode.exe	130
PID 3756 set thread context of 436	3756	Safe Mode.exe	135
PID 4332 set thread context of 3336	4332	Safe Mode.exe	138
PID 660 set thread context of 4736	660	Safe Mode.exe	144
PID 2584 set thread context of 2372	2584	Safe Mode.exe	148
PID 2816 set thread context of 1180	2816	Safe Mode.exe	151
PID 1460 set thread context of 3612	1460	Safe Mode.exe	155
PID 4360 set thread context of 3888	4360	Safe Mode.exe	158
PID 1364 set thread context of 5088	1364	Safe Mode.exe	161
PID 3052 set thread context of 4560	3052	Safe Mode.exe	165
PID 2076 set thread context of 3996	2076	Safe Mode.exe	168
PID 3604 set thread context of 2924	3604	Safe Mode.exe	171
PID 3888 set thread context of 3840	3888	Safe Mode.exe	175
PID 3052 set thread context of 4636	3052	Safe Mode.exe	179
PID 2696 set thread context of 2600	2696	Safe Mode.exe	183
PID 2312 set thread context of 1296	2312	Safe Mode.exe	186

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 49 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Safe Mode.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Safe Mode.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Safe Mode.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Safe Mode.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	crack.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Safe Mode.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Safe Mode.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Safe Mode.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Safe Mode.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	build.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Safe Mode.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Safe Mode.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Safe Mode.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Safe Mode.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Safe Mode.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Safe Mode.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Safe Mode.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Safe Mode.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Safe Mode.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Safe Mode.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Safe Mode.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Safe Mode.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Safe Mode.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Safe Mode.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Safe Mode.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Safe Mode.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Safe Mode.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Safe Mode.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Safe Mode.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Safe Mode.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Safe Mode.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Safe Mode.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Safe Mode.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Safe Mode.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Safe Mode.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Safe Mode.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Safe Mode.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Safe Mode.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Safe Mode.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Safe Mode.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Safe Mode.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Safe Mode.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Safe Mode.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Safe Mode.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Luxury Shield.exe

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	taskmgr.exe

Modifies registry class 7 IoCs

description	ioc	Process
Set value (data)	\REGISTRY\USER\S-1-5-21-1006597246-3150276181-3318461161-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 0202020202	taskmgr.exe
Key created	\REGISTRY\USER\S-1-5-21-1006597246-3150276181-3318461161-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1	taskmgr.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1006597246-3150276181-3318461161-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 0100000000000000ffffffff	taskmgr.exe
Key created	\REGISTRY\USER\S-1-5-21-1006597246-3150276181-3318461161-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\2	taskmgr.exe
Key created	\REGISTRY\USER\S-1-5-21-1006597246-3150276181-3318461161-1000_Classes\Local Settings	taskmgr.exe
Key created	\REGISTRY\USER\S-1-5-21-1006597246-3150276181-3318461161-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell	taskmgr.exe
Key created	\REGISTRY\USER\S-1-5-21-1006597246-3150276181-3318461161-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	taskmgr.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
4724	schtasks.exe

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
3764	Safe Mode.exe

Suspicious behavior: EnumeratesProcesses 50 IoCs

pid	Process
1784	powershell.exe
1784	powershell.exe
3840	powershell.exe
3840	powershell.exe
2372	powershell.exe
2372	powershell.exe
3764	Safe Mode.exe
660	Safe Mode.exe
660	Safe Mode.exe
660	Safe Mode.exe
660	Safe Mode.exe
4956	taskmgr.exe
4956	taskmgr.exe
4956	taskmgr.exe
4956	taskmgr.exe
4956	taskmgr.exe
4956	taskmgr.exe
4956	taskmgr.exe
4956	taskmgr.exe
4956	taskmgr.exe
4956	taskmgr.exe
1460	Safe Mode.exe
1460	Safe Mode.exe
4956	taskmgr.exe
4956	taskmgr.exe
4956	taskmgr.exe
4956	taskmgr.exe
4956	taskmgr.exe
4956	taskmgr.exe
4956	taskmgr.exe
4956	taskmgr.exe
4956	taskmgr.exe
4956	taskmgr.exe
4956	taskmgr.exe
4956	taskmgr.exe
4956	taskmgr.exe
4956	taskmgr.exe
4956	taskmgr.exe
4956	taskmgr.exe
4956	taskmgr.exe
4956	taskmgr.exe
3888	Safe Mode.exe
3888	Safe Mode.exe
4956	taskmgr.exe
4956	taskmgr.exe
4956	taskmgr.exe
3052	Safe Mode.exe
3052	Safe Mode.exe
2696	Safe Mode.exe
2696	Safe Mode.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
4908	7zFM.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeRestorePrivilege	4908	7zFM.exe
Token: 35	4908	7zFM.exe
Token: SeSecurityPrivilege	4908	7zFM.exe
Token: SeSecurityPrivilege	4908	7zFM.exe
Token: SeDebugPrivilege	3764	Safe Mode.exe
Token: SeDebugPrivilege	1344	Safe Mode.exe
Token: SeDebugPrivilege	1784	powershell.exe
Token: SeDebugPrivilege	3684	Safe Mode.exe
Token: SeIncreaseQuotaPrivilege	1784	powershell.exe
Token: SeSecurityPrivilege	1784	powershell.exe
Token: SeTakeOwnershipPrivilege	1784	powershell.exe
Token: SeLoadDriverPrivilege	1784	powershell.exe
Token: SeSystemProfilePrivilege	1784	powershell.exe
Token: SeSystemtimePrivilege	1784	powershell.exe
Token: SeProfSingleProcessPrivilege	1784	powershell.exe
Token: SeIncBasePriorityPrivilege	1784	powershell.exe
Token: SeCreatePagefilePrivilege	1784	powershell.exe
Token: SeBackupPrivilege	1784	powershell.exe
Token: SeRestorePrivilege	1784	powershell.exe
Token: SeShutdownPrivilege	1784	powershell.exe
Token: SeDebugPrivilege	1784	powershell.exe
Token: SeSystemEnvironmentPrivilege	1784	powershell.exe
Token: SeRemoteShutdownPrivilege	1784	powershell.exe
Token: SeUndockPrivilege	1784	powershell.exe
Token: SeManageVolumePrivilege	1784	powershell.exe
Token: 33	1784	powershell.exe
Token: 34	1784	powershell.exe
Token: 35	1784	powershell.exe
Token: 36	1784	powershell.exe
Token: SeDebugPrivilege	2388	Safe Mode.exe
Token: SeDebugPrivilege	3840	powershell.exe
Token: SeIncreaseQuotaPrivilege	3840	powershell.exe
Token: SeSecurityPrivilege	3840	powershell.exe
Token: SeTakeOwnershipPrivilege	3840	powershell.exe
Token: SeLoadDriverPrivilege	3840	powershell.exe
Token: SeSystemProfilePrivilege	3840	powershell.exe
Token: SeSystemtimePrivilege	3840	powershell.exe
Token: SeProfSingleProcessPrivilege	3840	powershell.exe
Token: SeIncBasePriorityPrivilege	3840	powershell.exe
Token: SeCreatePagefilePrivilege	3840	powershell.exe
Token: SeBackupPrivilege	3840	powershell.exe
Token: SeRestorePrivilege	3840	powershell.exe
Token: SeShutdownPrivilege	3840	powershell.exe
Token: SeDebugPrivilege	3840	powershell.exe
Token: SeSystemEnvironmentPrivilege	3840	powershell.exe
Token: SeRemoteShutdownPrivilege	3840	powershell.exe
Token: SeUndockPrivilege	3840	powershell.exe
Token: SeManageVolumePrivilege	3840	powershell.exe
Token: 33	3840	powershell.exe
Token: 34	3840	powershell.exe
Token: 35	3840	powershell.exe
Token: 36	3840	powershell.exe
Token: SeDebugPrivilege	5000	Safe Mode.exe
Token: SeDebugPrivilege	2372	powershell.exe
Token: SeIncreaseQuotaPrivilege	2372	powershell.exe
Token: SeSecurityPrivilege	2372	powershell.exe
Token: SeTakeOwnershipPrivilege	2372	powershell.exe
Token: SeLoadDriverPrivilege	2372	powershell.exe
Token: SeSystemProfilePrivilege	2372	powershell.exe
Token: SeSystemtimePrivilege	2372	powershell.exe
Token: SeProfSingleProcessPrivilege	2372	powershell.exe
Token: SeIncBasePriorityPrivilege	2372	powershell.exe
Token: SeCreatePagefilePrivilege	2372	powershell.exe
Token: SeBackupPrivilege	2372	powershell.exe

Suspicious use of FindShellTrayWindow 58 IoCs

pid	Process
4908	7zFM.exe
4908	7zFM.exe
4908	7zFM.exe
4956	taskmgr.exe
4956	taskmgr.exe
4956	taskmgr.exe
4956	taskmgr.exe
4956	taskmgr.exe
4956	taskmgr.exe
4956	taskmgr.exe
4956	taskmgr.exe
4956	taskmgr.exe
4956	taskmgr.exe
4956	taskmgr.exe
4956	taskmgr.exe
4956	taskmgr.exe
4956	taskmgr.exe
4956	taskmgr.exe
4956	taskmgr.exe
4956	taskmgr.exe
4956	taskmgr.exe
4956	taskmgr.exe
4956	taskmgr.exe
4956	taskmgr.exe
4956	taskmgr.exe
4956	taskmgr.exe
4956	taskmgr.exe
4956	taskmgr.exe
4956	taskmgr.exe
4956	taskmgr.exe
4956	taskmgr.exe
4956	taskmgr.exe
4956	taskmgr.exe
4956	taskmgr.exe
4956	taskmgr.exe
4956	taskmgr.exe
4956	taskmgr.exe
4956	taskmgr.exe
4956	taskmgr.exe
4956	taskmgr.exe
4956	taskmgr.exe
4956	taskmgr.exe
4956	taskmgr.exe
4956	taskmgr.exe
4956	taskmgr.exe
4956	taskmgr.exe
4956	taskmgr.exe
4956	taskmgr.exe
4956	taskmgr.exe
4956	taskmgr.exe
4956	taskmgr.exe
4956	taskmgr.exe
4956	taskmgr.exe
4956	taskmgr.exe
4956	taskmgr.exe
4956	taskmgr.exe
4956	taskmgr.exe
4956	taskmgr.exe

Suspicious use of SendNotifyMessage 55 IoCs

pid	Process
4956	taskmgr.exe
4956	taskmgr.exe
4956	taskmgr.exe
4956	taskmgr.exe
4956	taskmgr.exe
4956	taskmgr.exe
4956	taskmgr.exe
4956	taskmgr.exe
4956	taskmgr.exe
4956	taskmgr.exe
4956	taskmgr.exe
4956	taskmgr.exe
4956	taskmgr.exe
4956	taskmgr.exe
4956	taskmgr.exe
4956	taskmgr.exe
4956	taskmgr.exe
4956	taskmgr.exe
4956	taskmgr.exe
4956	taskmgr.exe
4956	taskmgr.exe
4956	taskmgr.exe
4956	taskmgr.exe
4956	taskmgr.exe
4956	taskmgr.exe
4956	taskmgr.exe
4956	taskmgr.exe
4956	taskmgr.exe
4956	taskmgr.exe
4956	taskmgr.exe
4956	taskmgr.exe
4956	taskmgr.exe
4956	taskmgr.exe
4956	taskmgr.exe
4956	taskmgr.exe
4956	taskmgr.exe
4956	taskmgr.exe
4956	taskmgr.exe
4956	taskmgr.exe
4956	taskmgr.exe
4956	taskmgr.exe
4956	taskmgr.exe
4956	taskmgr.exe
4956	taskmgr.exe
4956	taskmgr.exe
4956	taskmgr.exe
4956	taskmgr.exe
4956	taskmgr.exe
4956	taskmgr.exe
4956	taskmgr.exe
4956	taskmgr.exe
4956	taskmgr.exe
4956	taskmgr.exe
4956	taskmgr.exe
4956	taskmgr.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
3764	Safe Mode.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1656 wrote to memory of 1504	1656	Luxury Shield.exe	99
PID 1656 wrote to memory of 1504	1656	Luxury Shield.exe	99
PID 1656 wrote to memory of 1504	1656	Luxury Shield.exe	99
PID 1656 wrote to memory of 4628	1656	Luxury Shield.exe	101
PID 1656 wrote to memory of 4628	1656	Luxury Shield.exe	101
PID 4628 wrote to memory of 1552	4628	Luxury Shield.exe	102
PID 4628 wrote to memory of 1552	4628	Luxury Shield.exe	102
PID 4628 wrote to memory of 4516	4628	Luxury Shield.exe	103
PID 4628 wrote to memory of 4516	4628	Luxury Shield.exe	103
PID 4628 wrote to memory of 4516	4628	Luxury Shield.exe	103
PID 4516 wrote to memory of 3764	4516	Safe Mode.exe	104
PID 4516 wrote to memory of 3764	4516	Safe Mode.exe	104
PID 4516 wrote to memory of 3764	4516	Safe Mode.exe	104
PID 4516 wrote to memory of 3764	4516	Safe Mode.exe	104
PID 4516 wrote to memory of 3764	4516	Safe Mode.exe	104
PID 4516 wrote to memory of 3764	4516	Safe Mode.exe	104
PID 4516 wrote to memory of 3764	4516	Safe Mode.exe	104
PID 4516 wrote to memory of 3764	4516	Safe Mode.exe	104
PID 1552 wrote to memory of 236	1552	Luxury Shield.exe	105
PID 1552 wrote to memory of 236	1552	Luxury Shield.exe	105
PID 1552 wrote to memory of 3080	1552	Luxury Shield.exe	106
PID 1552 wrote to memory of 3080	1552	Luxury Shield.exe	106
PID 1552 wrote to memory of 3080	1552	Luxury Shield.exe	106
PID 3080 wrote to memory of 1344	3080	Safe Mode.exe	107
PID 3080 wrote to memory of 1344	3080	Safe Mode.exe	107
PID 3080 wrote to memory of 1344	3080	Safe Mode.exe	107
PID 3080 wrote to memory of 1344	3080	Safe Mode.exe	107
PID 3080 wrote to memory of 1344	3080	Safe Mode.exe	107
PID 3080 wrote to memory of 1344	3080	Safe Mode.exe	107
PID 3080 wrote to memory of 1344	3080	Safe Mode.exe	107
PID 3080 wrote to memory of 1344	3080	Safe Mode.exe	107
PID 3764 wrote to memory of 1784	3764	Safe Mode.exe	108
PID 3764 wrote to memory of 1784	3764	Safe Mode.exe	108
PID 3764 wrote to memory of 1784	3764	Safe Mode.exe	108
PID 236 wrote to memory of 1684	236	Luxury Shield.exe	110
PID 236 wrote to memory of 1684	236	Luxury Shield.exe	110
PID 236 wrote to memory of 4652	236	Luxury Shield.exe	111
PID 236 wrote to memory of 4652	236	Luxury Shield.exe	111
PID 236 wrote to memory of 4652	236	Luxury Shield.exe	111
PID 4652 wrote to memory of 3684	4652	Safe Mode.exe	112
PID 4652 wrote to memory of 3684	4652	Safe Mode.exe	112
PID 4652 wrote to memory of 3684	4652	Safe Mode.exe	112
PID 4652 wrote to memory of 3684	4652	Safe Mode.exe	112
PID 4652 wrote to memory of 3684	4652	Safe Mode.exe	112
PID 4652 wrote to memory of 3684	4652	Safe Mode.exe	112
PID 4652 wrote to memory of 3684	4652	Safe Mode.exe	112
PID 4652 wrote to memory of 3684	4652	Safe Mode.exe	112
PID 1684 wrote to memory of 3712	1684	Luxury Shield.exe	113
PID 1684 wrote to memory of 3712	1684	Luxury Shield.exe	113
PID 1684 wrote to memory of 4104	1684	Luxury Shield.exe	131
PID 1684 wrote to memory of 4104	1684	Luxury Shield.exe	131
PID 1684 wrote to memory of 4104	1684	Luxury Shield.exe	131
PID 4104 wrote to memory of 2388	4104	Safe Mode.exe	115
PID 4104 wrote to memory of 2388	4104	Safe Mode.exe	115
PID 4104 wrote to memory of 2388	4104	Safe Mode.exe	115
PID 4104 wrote to memory of 2388	4104	Safe Mode.exe	115
PID 4104 wrote to memory of 2388	4104	Safe Mode.exe	115
PID 4104 wrote to memory of 2388	4104	Safe Mode.exe	115
PID 4104 wrote to memory of 2388	4104	Safe Mode.exe	115
PID 4104 wrote to memory of 2388	4104	Safe Mode.exe	115
PID 3764 wrote to memory of 3840	3764	Safe Mode.exe	117
PID 3764 wrote to memory of 3840	3764	Safe Mode.exe	117
PID 3764 wrote to memory of 3840	3764	Safe Mode.exe	117
PID 3712 wrote to memory of 4636	3712	Luxury Shield.exe	121

C:\Program Files\7-Zip\7zFM.exe
"C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\Luxury Shield 12.8.9.zip"
1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:4908

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:3848

C:\Users\Admin\AppData\Local\Temp\Luxury Shield 12.8.9\Luxury Shield.exe
"C:\Users\Admin\AppData\Local\Temp\Luxury Shield 12.8.9\Luxury Shield.exe"
1⤵
- Checks computer location settings
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1656
- C:\Users\Admin\AppData\Local\Temp\build.exe
  "C:\Users\Admin\AppData\Local\Temp\build.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:1504
- C:\Users\Admin\AppData\Local\Temp\Luxury Shield.exe
  "C:\Users\Admin\AppData\Local\Temp\Luxury Shield.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:4628
- - C:\Users\Admin\AppData\Local\Temp\Luxury Shield.exe
    "C:\Users\Admin\AppData\Local\Temp\Luxury Shield.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:1552
  - - C:\Users\Admin\AppData\Local\Temp\Luxury Shield.exe
      "C:\Users\Admin\AppData\Local\Temp\Luxury Shield.exe"
      4⤵
      Checks computer location settings
      Executes dropped EXE
      Adds Run key to start application
      Suspicious use of WriteProcessMemory
      PID:236
    - - C:\Users\Admin\AppData\Local\Temp\Luxury Shield.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Luxury Shield.exe"
        5⤵
        Checks computer location settings
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of WriteProcessMemory
        
        PID:1684
      - C:\Users\Admin\AppData\Local\Temp\Luxury Shield.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Luxury Shield.exe"
        6⤵
        Checks computer location settings
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of WriteProcessMemory
        
        PID:3712
        
        C:\Users\Admin\AppData\Local\Temp\Luxury Shield.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Luxury Shield.exe"
        7⤵
        Checks computer location settings
        Executes dropped EXE
        Adds Run key to start application
        
        PID:4636
        
        C:\Users\Admin\AppData\Local\Temp\Luxury Shield.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Luxury Shield.exe"
        8⤵
        Checks computer location settings
        Executes dropped EXE
        Adds Run key to start application
        
        PID:3824
        
        C:\Users\Admin\AppData\Local\Temp\Luxury Shield.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Luxury Shield.exe"
        9⤵
        Checks computer location settings
        Executes dropped EXE
        Adds Run key to start application
        
        PID:904
        
        C:\Users\Admin\AppData\Local\Temp\Luxury Shield.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Luxury Shield.exe"
        10⤵
        Checks computer location settings
        Executes dropped EXE
        Adds Run key to start application
        
        PID:456
        
        C:\Users\Admin\AppData\Local\Temp\Luxury Shield.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Luxury Shield.exe"
        11⤵
        Checks computer location settings
        Executes dropped EXE
        Adds Run key to start application
        
        PID:3456
        
        C:\Users\Admin\AppData\Local\Temp\Luxury Shield.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Luxury Shield.exe"
        12⤵
        Checks computer location settings
        Executes dropped EXE
        Adds Run key to start application
        
        PID:4628
        
        C:\Users\Admin\AppData\Local\Temp\Luxury Shield.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Luxury Shield.exe"
        13⤵
        Checks computer location settings
        Executes dropped EXE
        Adds Run key to start application
        
        PID:4124
        
        C:\Users\Admin\AppData\Local\Temp\Luxury Shield.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Luxury Shield.exe"
        14⤵
        Checks computer location settings
        Executes dropped EXE
        Adds Run key to start application
        
        PID:1632
        
        C:\Users\Admin\AppData\Local\Temp\Luxury Shield.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Luxury Shield.exe"
        15⤵
        Checks computer location settings
        Executes dropped EXE
        Adds Run key to start application
        
        PID:4352
        
        C:\Users\Admin\AppData\Local\Temp\Luxury Shield.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Luxury Shield.exe"
        16⤵
        Checks computer location settings
        Executes dropped EXE
        Adds Run key to start application
        
        PID:456
        
        C:\Users\Admin\AppData\Local\Temp\Luxury Shield.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Luxury Shield.exe"
        17⤵
        Checks computer location settings
        Executes dropped EXE
        Adds Run key to start application
        
        PID:2328
        
        C:\Users\Admin\AppData\Local\Temp\Luxury Shield.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Luxury Shield.exe"
        18⤵
        Checks computer location settings
        Executes dropped EXE
        Adds Run key to start application
        
        PID:3100
        
        C:\Users\Admin\AppData\Local\Temp\Luxury Shield.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Luxury Shield.exe"
        19⤵
        Checks computer location settings
        Executes dropped EXE
        Adds Run key to start application
        
        PID:1096
        
        C:\Users\Admin\AppData\Local\Temp\Luxury Shield.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Luxury Shield.exe"
        20⤵
        Checks computer location settings
        Executes dropped EXE
        Adds Run key to start application
        
        PID:992
        
        C:\Users\Admin\AppData\Local\Temp\Luxury Shield.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Luxury Shield.exe"
        21⤵
        Checks computer location settings
        Adds Run key to start application
        
        PID:2424
        
        C:\Users\Admin\AppData\Local\Temp\Luxury Shield.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Luxury Shield.exe"
        22⤵
        Checks computer location settings
        Adds Run key to start application
        
        PID:1724
        
        C:\Users\Admin\AppData\Local\Temp\Luxury Shield.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Luxury Shield.exe"
        23⤵
        
        PID:1668
        
        C:\ProgramData\Safe Mode.exe
        
        "C:\ProgramData\Safe Mode.exe"
        23⤵
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:2312
        
        C:\ProgramData\Safe Mode.exe
        
        "C:\ProgramData\Safe Mode.exe"
        24⤵
        System Location Discovery: System Language Discovery
        
        PID:1296
        
        C:\ProgramData\Safe Mode.exe
        
        "C:\ProgramData\Safe Mode.exe"
        22⤵
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:2696
        
        C:\ProgramData\Safe Mode.exe
        
        "C:\ProgramData\Safe Mode.exe"
        23⤵
        
        PID:4568
        
        C:\ProgramData\Safe Mode.exe
        
        "C:\ProgramData\Safe Mode.exe"
        23⤵
        System Location Discovery: System Language Discovery
        
        PID:2600
        
        C:\ProgramData\Safe Mode.exe
        
        "C:\ProgramData\Safe Mode.exe"
        21⤵
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:3052
        
        C:\ProgramData\Safe Mode.exe
        
        "C:\ProgramData\Safe Mode.exe"
        22⤵
        
        PID:4404
        
        C:\ProgramData\Safe Mode.exe
        
        "C:\ProgramData\Safe Mode.exe"
        22⤵
        System Location Discovery: System Language Discovery
        
        PID:4636
        
        C:\ProgramData\Safe Mode.exe
        
        "C:\ProgramData\Safe Mode.exe"
        20⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:3888
        
        C:\ProgramData\Safe Mode.exe
        
        "C:\ProgramData\Safe Mode.exe"
        21⤵
        Executes dropped EXE
        
        PID:2984
        
        C:\ProgramData\Safe Mode.exe
        
        "C:\ProgramData\Safe Mode.exe"
        21⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3840
        
        C:\ProgramData\Safe Mode.exe
        
        "C:\ProgramData\Safe Mode.exe"
        19⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:3604
        
        C:\ProgramData\Safe Mode.exe
        
        "C:\ProgramData\Safe Mode.exe"
        20⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2924
        
        C:\ProgramData\Safe Mode.exe
        
        "C:\ProgramData\Safe Mode.exe"
        18⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:2076
        
        C:\ProgramData\Safe Mode.exe
        
        "C:\ProgramData\Safe Mode.exe"
        19⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3996
        
        C:\ProgramData\Safe Mode.exe
        
        "C:\ProgramData\Safe Mode.exe"
        17⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:3052
        
        C:\ProgramData\Safe Mode.exe
        
        "C:\ProgramData\Safe Mode.exe"
        18⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4560
        
        C:\ProgramData\Safe Mode.exe
        
        "C:\ProgramData\Safe Mode.exe"
        16⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:1364
        
        C:\ProgramData\Safe Mode.exe
        
        "C:\ProgramData\Safe Mode.exe"
        17⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:5088
        
        C:\ProgramData\Safe Mode.exe
        
        "C:\ProgramData\Safe Mode.exe"
        15⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:4360
        
        C:\ProgramData\Safe Mode.exe
        
        "C:\ProgramData\Safe Mode.exe"
        16⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3888
        
        C:\ProgramData\Safe Mode.exe
        
        "C:\ProgramData\Safe Mode.exe"
        14⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:1460
        
        C:\ProgramData\Safe Mode.exe
        
        "C:\ProgramData\Safe Mode.exe"
        15⤵
        Executes dropped EXE
        
        PID:4844
        
        C:\ProgramData\Safe Mode.exe
        
        "C:\ProgramData\Safe Mode.exe"
        15⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3612
        
        C:\ProgramData\Safe Mode.exe
        
        "C:\ProgramData\Safe Mode.exe"
        13⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:2816
        
        C:\ProgramData\Safe Mode.exe
        
        "C:\ProgramData\Safe Mode.exe"
        14⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1180
        
        C:\ProgramData\Safe Mode.exe
        
        "C:\ProgramData\Safe Mode.exe"
        12⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:2584
        
        C:\ProgramData\Safe Mode.exe
        
        "C:\ProgramData\Safe Mode.exe"
        13⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2372
        
        C:\ProgramData\Safe Mode.exe
        
        "C:\ProgramData\Safe Mode.exe"
        11⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:660
        
        C:\ProgramData\Safe Mode.exe
        
        "C:\ProgramData\Safe Mode.exe"
        12⤵
        Executes dropped EXE
        
        PID:2016
        
        C:\ProgramData\Safe Mode.exe
        
        "C:\ProgramData\Safe Mode.exe"
        12⤵
        Executes dropped EXE
        
        PID:3844
        
        C:\ProgramData\Safe Mode.exe
        
        "C:\ProgramData\Safe Mode.exe"
        12⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4736
        
        C:\ProgramData\Safe Mode.exe
        
        "C:\ProgramData\Safe Mode.exe"
        10⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:4332
        
        C:\ProgramData\Safe Mode.exe
        
        "C:\ProgramData\Safe Mode.exe"
        11⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3336
        
        C:\ProgramData\Safe Mode.exe
        
        "C:\ProgramData\Safe Mode.exe"
        9⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:3756
        
        C:\ProgramData\Safe Mode.exe
        
        "C:\ProgramData\Safe Mode.exe"
        10⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:436
        
        C:\ProgramData\Safe Mode.exe
        
        "C:\ProgramData\Safe Mode.exe"
        8⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:2792
        
        C:\ProgramData\Safe Mode.exe
        
        "C:\ProgramData\Safe Mode.exe"
        9⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2544
        
        C:\ProgramData\Safe Mode.exe
        
        "C:\ProgramData\Safe Mode.exe"
        7⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:2432
        
        C:\ProgramData\Safe Mode.exe
        
        "C:\ProgramData\Safe Mode.exe"
        8⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:5000
      - C:\ProgramData\Safe Mode.exe
        
        "C:\ProgramData\Safe Mode.exe"
        6⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4104
        
        C:\ProgramData\Safe Mode.exe
        
        "C:\ProgramData\Safe Mode.exe"
        7⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:2388
    - - C:\ProgramData\Safe Mode.exe
        
        "C:\ProgramData\Safe Mode.exe"
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4652
      - C:\ProgramData\Safe Mode.exe
        
        "C:\ProgramData\Safe Mode.exe"
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:3684
  - - C:\ProgramData\Safe Mode.exe
      "C:\ProgramData\Safe Mode.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of SetThreadContext
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:3080
    - - C:\ProgramData\Safe Mode.exe
        
        "C:\ProgramData\Safe Mode.exe"
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:1344
- - C:\ProgramData\Safe Mode.exe
    "C:\ProgramData\Safe Mode.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:4516
  - - C:\ProgramData\Safe Mode.exe
      "C:\ProgramData\Safe Mode.exe"
      4⤵
      Checks computer location settings
      Drops startup file
      Executes dropped EXE
      Adds Run key to start application
      System Location Discovery: System Language Discovery
      Suspicious behavior: AddClipboardFormatListener
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:3764
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\ProgramData\Safe Mode.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1784
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'Safe Mode.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3840
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\ProgramData\Safe Mode.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2372
    - - C:\Windows\SysWOW64\schtasks.exe
        
        "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "Safe Mode" /tr "C:\ProgramData\Safe Mode.exe"
        5⤵
        System Location Discovery: System Language Discovery
        Scheduled Task/Job: Scheduled Task
        
        PID:4724

C:\Users\Admin\AppData\Local\Temp\Luxury Shield 12.8.9\ILMerge.exe
"C:\Users\Admin\AppData\Local\Temp\Luxury Shield 12.8.9\ILMerge.exe"
1⤵
- Executes dropped EXE
PID:2924

C:\Users\Admin\AppData\Local\Temp\Luxury Shield 12.8.9\crack.exe
"C:\Users\Admin\AppData\Local\Temp\Luxury Shield 12.8.9\crack.exe"
1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:4104

C:\Users\Admin\AppData\Local\Temp\Luxury Shield 12.8.9\Luxury Shield.exe
"C:\Users\Admin\AppData\Local\Temp\Luxury Shield 12.8.9\Luxury Shield.exe"
1⤵
- Executes dropped EXE
PID:628

C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /4
1⤵
- Checks SCSI registry key(s)
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:4956

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Safe Mode.exe

Filesize
344KB

MD5
7f1d18abc9cb29cea2a58984130219ee

SHA1
acae2b67948f6788a0bc437b45b31e98bad62bd8

SHA256
d8589a65b5ac7a916e559d88baee20af9debdf69d211c7902d584d407c62a63c

SHA512
0ae46e0a44eb25426befeb3d9af5aaa2e359e4cab2507d167ac193d3cba6375d7c6cfe75402ef7c999c9e83c458afc20064f08cb82ee57f23ebe41b496b43f6c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\Luxury Shield.exe.log

Filesize
654B

MD5
11c6e74f0561678d2cf7fc075a6cc00c

SHA1
535ee79ba978554abcb98c566235805e7ea18490

SHA256
d39a78fabca39532fcb85ce908781a75132e1bd01cc50a3b290dd87127837d63

SHA512
32c63d67bf512b42e7f57f71287b354200126cb417ef9d869c72e0b9388a7c2f5e3b61f303f1353baa1bf482d0f17e06e23c9f50b2f1babd4d958b6da19c40b0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\Safe Mode.exe.log

Filesize
321B

MD5
37b6461a5da2584ecce397b94e471597

SHA1
3cca08ac93f8176ca2bea0169bf6e8f8c202840e

SHA256
3ba942b35984b7ab4390cd8b3d7ea584dc6d0a98b76d9093cb33da263f368fcf

SHA512
5d8cd5d368a40c0f35687b07112ca4ab3114a7a46b3551751ee63711046668b52dfa4bd2b8f9112ac353e630d1fa85be39f62a1bca882562360974137eb1b7cb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
f811272c20ff6decbbd16ff364334427

SHA1
cb31be66c972daa61d45920fa2fa824c1dfb194d

SHA256
730aff8c9e430a9f9e5e44f1c376e57f42fa5adc744824df2f69855009473592

SHA512
5c68bf3a41c3607cad5abe94f2bb3816f3e69426fa7d43bf7c9787c4e9ce6660b1843a2e505a22a93d7008b76fc564078513fe9ef47051e5b6fc344ab9d0a528

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
21KB

MD5
2bec30423c6b5155a10caa2167feaa80

SHA1
61f0c94d7df8d67c636cbd0c8be5a9ecdec3b71c

SHA256
3eff96e89e234afb5a073f8d0074e43c98b11b2f62510c58e07d71bc01910f0a

SHA512
5e5f591a84b6a765f7e22b70f6890ea668965895eee0cc9675900c0e0921c545e6f45916dd060498b9cc48ec83c82aa568d2b1126db7d028eb766c31c7e12a9b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
21KB

MD5
81658445dc2138e157565242fccbfc37

SHA1
79765e5a5b1f1e4d29c39f60fb22789b9565a876

SHA256
e9305733c076307288d6b441504851087fb03990ddfb7ac9359179bf716f7733

SHA512
fdf2e059035a6db8fb2659d6b9ae80431dfe9e606345df8de0184a5d1e5deb1361a7353142764681567ec3e7cad04bf8e548f5522fe94810de8d74ca1e2cb680

Download Submit
C:\Users\Admin\AppData\Local\Temp\Luxury Shield 12.8.9\ILMerge.exe

Filesize
668KB

MD5
2bb6322885e6ca0986206de174e842c9

SHA1
c5ea70169106d32bc513d28ea76ae8ea1e49380b

SHA256
8110d740b485bcb06ff406b17001714c3a146fe6517098c9dc90d812b83389fd

SHA512
9750180c54a5bd8f0e1fa8a8f529364430f2ef444efbf8ac51e8d2a0aaa4e3d21fe553865ba8567c7c19e4ae84d04b20464f391743e88c52c00cac0bf20fc2a7

Download Submit
C:\Users\Admin\AppData\Local\Temp\Luxury Shield 12.8.9\Luxury Shield.exe

Filesize
9.9MB

MD5
7643fc25c660a6dfb42fe9a7c047159f

SHA1
079bab6472d00fa034497b52e7348acccb2ccdd3

SHA256
9e8089879ce079ffcf4fbe7882df57de0ac1218a4c3119bda16f738480eeda5b

SHA512
f98e1e3a58b8a75f45fa6ed7af6c5f076c170c902ef31d6b8f6570218300b34ff454b4127ae2a11645bd031a2b3dac873ff069a6b60a7ba3d78efc7749d4cf66

Download Submit
C:\Users\Admin\AppData\Local\Temp\Luxury Shield.exe

Filesize
9.2MB

MD5
a7c50079c7d88e96dc4abdbe00add204

SHA1
0d3a76eea76817974860cb3517664776a3bc01a7

SHA256
6420e68415e70378cd4677bfea8bfca9de5861bd15896550c78a6d2f0880889e

SHA512
554843892b21eaa8fe2160fefed249cad789ad43f4a0a1b4421f07fdd94fe4093d6d07dda406a9e7080584c4e71a21263990481e554fc36754090d2f28098d9b

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_0nifqupo.vqn.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\build.exe

Filesize
506KB

MD5
e5fb57e8214483fd395bd431cb3d1c4b

SHA1
60e22fc9e0068c8156462f003760efdcac82766b

SHA256
e389fc5782f754918a10b020adcd8faa11c25658b8d6f8cbc49f9ac3a7637684

SHA512
dc2ed0421db7dd5a3afeacb6a9f5017c97fc07d0b2d1745b50ede50087a58245d31d6669077a672b32541dbfa233ef87260a37be48de3bd407d8c587fc903d89

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Safe Mode.lnk

Filesize
682B

MD5
8abec2be982b4161a2994bdf8c08c814

SHA1
e688ebcba669bdf92457a858567a3062178a861f

SHA256
d8582024cc609917d3bfe2139246e6b44f5ce76b0c7d20e92e90cdeb88688ee6

SHA512
86089899c29de87345f110efef430886a588e1394903303435b18bccba20220aebe2ecd11c0e023fab6e50f04ddcdcc95140d412bcb12372361f750110f5769b

Download Submit
memory/628-194-0x0000000000400000-0x0000000000DF1000-memory.dmp

Filesize
9.9MB

Download
memory/1504-43-0x0000000004EB0000-0x0000000004FBA000-memory.dmp

Filesize
1.0MB

Download
memory/1504-37-0x00000000006D0000-0x0000000000726000-memory.dmp

Filesize
344KB

Download
memory/1504-44-0x0000000004DE0000-0x0000000004E1C000-memory.dmp

Filesize
240KB

Download
memory/1504-45-0x0000000004E30000-0x0000000004E7C000-memory.dmp

Filesize
304KB

Download
memory/1504-42-0x0000000004D60000-0x0000000004D72000-memory.dmp

Filesize
72KB

Download
memory/1504-41-0x00000000053C0000-0x00000000059D8000-memory.dmp

Filesize
6.1MB

Download
memory/1656-35-0x0000000000400000-0x0000000000DF1000-memory.dmp

Filesize
9.9MB

Download
memory/1784-80-0x0000000005570000-0x00000000055D6000-memory.dmp

Filesize
408KB

Download
memory/1784-92-0x0000000005C00000-0x0000000005C1E000-memory.dmp

Filesize
120KB

Download
memory/1784-79-0x0000000004DF0000-0x0000000004E12000-memory.dmp

Filesize
136KB

Download
memory/1784-77-0x0000000002260000-0x0000000002296000-memory.dmp

Filesize
216KB

Download
memory/1784-113-0x00000000071D0000-0x0000000007266000-memory.dmp

Filesize
600KB

Download
memory/1784-86-0x0000000005650000-0x00000000056B6000-memory.dmp

Filesize
408KB

Download
memory/1784-91-0x00000000057C0000-0x0000000005B17000-memory.dmp

Filesize
3.3MB

Download
memory/1784-78-0x0000000004EA0000-0x000000000556A000-memory.dmp

Filesize
6.8MB

Download
memory/1784-97-0x0000000006DC0000-0x0000000006DF2000-memory.dmp

Filesize
200KB

Download
memory/1784-98-0x00000000748A0000-0x00000000748EC000-memory.dmp

Filesize
304KB

Download
memory/1784-108-0x0000000006E00000-0x0000000006E1E000-memory.dmp

Filesize
120KB

Download
memory/1784-109-0x0000000006E20000-0x0000000006EC3000-memory.dmp

Filesize
652KB

Download
memory/1784-110-0x00000000075A0000-0x0000000007C1A000-memory.dmp

Filesize
6.5MB

Download
memory/1784-111-0x0000000006F60000-0x0000000006F7A000-memory.dmp

Filesize
104KB

Download
memory/1784-112-0x0000000006FC0000-0x0000000006FCA000-memory.dmp

Filesize
40KB

Download
memory/2372-159-0x0000000005AA0000-0x0000000005DF7000-memory.dmp

Filesize
3.3MB

Download
memory/2372-161-0x00000000748A0000-0x00000000748EC000-memory.dmp

Filesize
304KB

Download
memory/3764-177-0x0000000006610000-0x00000000066A2000-memory.dmp

Filesize
584KB

Download
memory/3764-67-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/3764-71-0x0000000005590000-0x000000000562C000-memory.dmp

Filesize
624KB

Download
memory/3764-178-0x0000000006800000-0x000000000680A000-memory.dmp

Filesize
40KB

Download
memory/3840-130-0x0000000006480000-0x00000000067D7000-memory.dmp

Filesize
3.3MB

Download
memory/3840-134-0x00000000748A0000-0x00000000748EC000-memory.dmp

Filesize
304KB

Download
memory/4104-181-0x0000000000D30000-0x0000000000D86000-memory.dmp

Filesize
344KB

Download
memory/4516-65-0x0000000004E30000-0x0000000004E5A000-memory.dmp

Filesize
168KB

Download
memory/4516-64-0x0000000005240000-0x00000000057E6000-memory.dmp

Filesize
5.6MB

Download
memory/4516-66-0x0000000004C50000-0x0000000004C58000-memory.dmp

Filesize
32KB

Download
memory/4516-63-0x0000000000460000-0x00000000004BC000-memory.dmp

Filesize
368KB

Download
memory/4628-36-0x0000000000EC0000-0x00000000017EE000-memory.dmp

Filesize
9.2MB

Download
memory/4956-214-0x000002123A3D0000-0x000002123A3D1000-memory.dmp

Filesize
4KB

Download
memory/4956-215-0x000002123A3D0000-0x000002123A3D1000-memory.dmp

Filesize
4KB

Download
memory/4956-204-0x000002123A3D0000-0x000002123A3D1000-memory.dmp

Filesize
4KB

Download
memory/4956-213-0x000002123A3D0000-0x000002123A3D1000-memory.dmp

Filesize
4KB

Download
memory/4956-212-0x000002123A3D0000-0x000002123A3D1000-memory.dmp

Filesize
4KB

Download
memory/4956-211-0x000002123A3D0000-0x000002123A3D1000-memory.dmp

Filesize
4KB

Download
memory/4956-210-0x000002123A3D0000-0x000002123A3D1000-memory.dmp

Filesize
4KB

Download
memory/4956-209-0x000002123A3D0000-0x000002123A3D1000-memory.dmp

Filesize
4KB

Download
memory/4956-203-0x000002123A3D0000-0x000002123A3D1000-memory.dmp

Filesize
4KB

Download
memory/4956-205-0x000002123A3D0000-0x000002123A3D1000-memory.dmp

Filesize
4KB

Download