asyncrat | hxxps://anonfiles[.]com/O3Oa38Ycy7/Luxury_Shield_7[.]1_-_Cracked_by_FSociety_1_zip

Analysis

max time kernel
148s
max time network
148s
platform
windows10-1703_x64
resource
win10-20220901-en
resource tags

arch:x64arch:x86image:win10-20220901-enlocale:en-usos:windows10-1703-x64system
submitted
16/02/2023, 15:21

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

https://anonfiles.com/O3Oa38Ycy7/Luxury_Shield_7.1_-_Cracked_by_FSociety_1_zip

Score

10^/10

asyncrat agilenet persistence rat

Malware Config

Signatures

AsyncRat
AsyncRAT is designed to remotely monitor and control other computers.
rat asyncrat

Drops startup file 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sexybannannnn.lnk	sexybannannnn.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sexybannannnn.lnk	sexybannannnn.exe

Executes dropped EXE 3 IoCs

pid	Process
1256	Luxury Shield 7.1.exe
1112	sexybannannnn.exe
3800	sexybannannnn.exe

Loads dropped DLL 1 IoCs

pid	Process
1256	Luxury Shield 7.1.exe

Obfuscated with Agile.Net obfuscator 1 IoCs

Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.

agilenet

resource	yara_rule
behavioral1/memory/1256-278-0x000000000BCE0000-0x000000000BF2C000-memory.dmp	agile_net

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000\Software\Microsoft\Windows\CurrentVersion\Run\sexybannannnn = "C:\\Users\\Public\\sexybannannnn.exe"	sexybannannnn.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 5 IoCs

pid	Process
1256	Luxury Shield 7.1.exe
1256	Luxury Shield 7.1.exe
1256	Luxury Shield 7.1.exe
1256	Luxury Shield 7.1.exe
1256	Luxury Shield 7.1.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

pid	Process
924	schtasks.exe

Modifies Internet Explorer Phishing Filter 1 TTPs 2 IoCs

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000\Software\Microsoft\Internet Explorer\PhishingFilter	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000\Software\Microsoft\Internet Explorer\PhishingFilter\ClientSupported_MigrationTime = d8bcd69a5bbed801	iexplore.exe

Modifies Internet Explorer settings 1 TTPs 56 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000\Software\Microsoft\Internet Explorer\FlipAhead\Meta\generator$vBulletin 4	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000\Software\Microsoft\Internet Explorer\FlipAhead\Meta\generator$WordPress	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000\Software\Microsoft\Internet Explorer\VersionManager\LastTTLHighDateTime = "50"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000\Software\Microsoft\Internet Explorer\VersionManager	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000\Software\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "31015450"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000eda07bd21a06fd47a7d1d1d481ebbdca000000000200000000001066000000010000200000002819ca1f0d19535c1e36c88b8ab1edb2cb5822d951a94248f2719df8cf6b3dca000000000e8000000002000020000000050a0fdb4fddb3a994416108c13c5c5855b77539294667d2de5713dba9fedd9c20000000deb3c5e9445fd6b9c40b0808888dc7615f8cefa41b06606fc52f6daa25d2279a4000000032777a71ccf2b0614039ecc533336dcf58a2c7fb2d3312d1de307e7c81678d672ebd6e6e89226d02db34d652b1538b6fc62f3a650b3fbca88744b7599fc3d0e3	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 308754621a42d901	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000\Software\Microsoft\Internet Explorer\FlipAhead\Meta\generator$blogger	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000\Software\Microsoft\Internet Explorer\FlipAhead\Meta\generator$vBulletin 3	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000\Software\Microsoft\Internet Explorer\VersionManager\LastUpdateHighDateTime = "31015450"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000\Software\Microsoft\Internet Explorer\VersionManager\LastUpdateLowDateTime = "1632530175"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "383325847"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000\Software\Microsoft\Internet Explorer\FlipAhead\Meta\generator$Telligent	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{8BEEBACF-AE0D-11ED-9424-C61147A093BC} = "0"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000\Software\Microsoft\Internet Explorer\FlipAhead\Meta\generator$http://www.typepad.com/	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000\Software\Microsoft\Internet Explorer\FlipAhead\FileVersion = "2016061511"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000\Software\Microsoft\Internet Explorer\VersionManager\LastUpdateHighDateTime = "31015450"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000\Software\Microsoft\Internet Explorer\DOMStorage\anonfiles.com\NumberOfSubdomains = "1"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000\Software\Microsoft\Internet Explorer\VersionManager\LastUpdateLowDateTime = "1624717039"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000\Software\Microsoft\Internet Explorer\FlipAhead\NextUpdateDate = "383374433"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000\Software\Microsoft\Internet Explorer\RepId	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000\Software\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "31015450"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000\Software\Microsoft\Internet Explorer\FlipAhead\Meta\generator$MediaWiki	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000\Software\Microsoft\Internet Explorer\DOMStorage\anonfiles.com	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000\Software\Microsoft\Internet Explorer\HistoryJournalCertificate\NextUpdateDate = "383342442"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000\Software\Microsoft\Internet Explorer\RepId\PublicId = "{81BFD4A2-0FC2-44B8-AC40-B8FAFA7E9680}"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000\Software\Microsoft\Internet Explorer\VersionManager	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000\Software\Microsoft\Internet Explorer\VersionManager\LastTTLLowDateTime = "1251635200"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000\Software\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "1632530175"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000\Software\Microsoft\Internet Explorer\DOMStorage	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000\Software\Microsoft\Internet Explorer\HistoryJournalCertificate	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 605646621a42d901	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000eda07bd21a06fd47a7d1d1d481ebbdca00000000020000000000106600000001000020000000521a4d02a5deaf43f4dcb01c43db05e2de5410961fe591106e6cf113d0ccdfcf000000000e80000000020000200000009a42adbd3df4125207bdb9b41d8888e7d6f74684c15f9f25f463048d5de4ba872000000019cd76c46de27446a7b59e86d7aedf5b37aa6501273cbca63fc2cdddb76dea28400000009df2f0654f50b0ed00bcb7e48c0d19179cd039671c950caed771adb8e5e333fdab44127499657361ec3ee436c16d6787db0d32774739b8b58af5f43c7aab26fe	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000\Software\Microsoft\Internet Explorer\FlipAhead	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000\Software\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "1624717039"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000\Software\Microsoft\Internet Explorer\FlipAhead\Meta	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000\Software\Microsoft\Internet Explorer\FlipAhead\Meta\generator$Discuz!	iexplore.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000_Classes\Local Settings	iexplore.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
1256	Luxury Shield 7.1.exe
1256	Luxury Shield 7.1.exe
1256	Luxury Shield 7.1.exe
1256	Luxury Shield 7.1.exe
1256	Luxury Shield 7.1.exe
1256	Luxury Shield 7.1.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
3940	osk.exe

Suspicious use of AdjustPrivilegeToken 6 IoCs

description	pid	Process
Token: 33	4660	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	4660	AUDIODG.EXE
Token: SeDebugPrivilege	1112	sexybannannnn.exe
Token: SeDebugPrivilege	1112	sexybannannnn.exe
Token: SeDebugPrivilege	3800	sexybannannnn.exe
Token: SeDebugPrivilege	1256	Luxury Shield 7.1.exe

Suspicious use of FindShellTrayWindow 3 IoCs

pid	Process
1928	iexplore.exe
1928	iexplore.exe
3940	osk.exe

Suspicious use of SendNotifyMessage 56 IoCs

pid	Process
3940	osk.exe
3940	osk.exe
3940	osk.exe
3940	osk.exe
3940	osk.exe
3940	osk.exe
3940	osk.exe
3940	osk.exe
3940	osk.exe
3940	osk.exe
3940	osk.exe
3940	osk.exe
3940	osk.exe
3940	osk.exe
3940	osk.exe
3940	osk.exe
3940	osk.exe
3940	osk.exe
3940	osk.exe
3940	osk.exe
3940	osk.exe
3940	osk.exe
3940	osk.exe
3940	osk.exe
3940	osk.exe
3940	osk.exe
3940	osk.exe
3940	osk.exe
3940	osk.exe
3940	osk.exe
3940	osk.exe
3940	osk.exe
3940	osk.exe
3940	osk.exe
3940	osk.exe
3940	osk.exe
3940	osk.exe
3940	osk.exe
3940	osk.exe
3940	osk.exe
3940	osk.exe
3940	osk.exe
3940	osk.exe
3940	osk.exe
3940	osk.exe
3940	osk.exe
3940	osk.exe
3940	osk.exe
3940	osk.exe
3940	osk.exe
3940	osk.exe
3940	osk.exe
3940	osk.exe
3940	osk.exe
3940	osk.exe
3940	osk.exe

Suspicious use of SetWindowsHookEx 36 IoCs

pid	Process
1928	iexplore.exe
1928	iexplore.exe
4584	IEXPLORE.EXE
4584	IEXPLORE.EXE
3940	osk.exe
3940	osk.exe
3940	osk.exe
3940	osk.exe
3940	osk.exe
3940	osk.exe
3940	osk.exe
3940	osk.exe
3940	osk.exe
3940	osk.exe
3940	osk.exe
1256	Luxury Shield 7.1.exe
3940	osk.exe
2680	DllHost.exe
3940	osk.exe
3940	osk.exe
3940	osk.exe
3940	osk.exe
3940	osk.exe
992	DllHost.exe
3940	osk.exe
992	DllHost.exe
3940	osk.exe
3940	osk.exe
3940	osk.exe
3940	osk.exe
1256	Luxury Shield 7.1.exe
1256	Luxury Shield 7.1.exe
3940	osk.exe
4132	DllHost.exe
3940	osk.exe
4132	DllHost.exe

Suspicious use of WriteProcessMemory 10 IoCs

description	pid	Process	procid_target
PID 1928 wrote to memory of 4584	1928	iexplore.exe	66
PID 1928 wrote to memory of 4584	1928	iexplore.exe	66
PID 1928 wrote to memory of 4584	1928	iexplore.exe	66
PID 440 wrote to memory of 1256	440	Luxury Shield 7.1.exe	77
PID 440 wrote to memory of 1256	440	Luxury Shield 7.1.exe	77
PID 440 wrote to memory of 1256	440	Luxury Shield 7.1.exe	77
PID 440 wrote to memory of 1112	440	Luxury Shield 7.1.exe	78
PID 440 wrote to memory of 1112	440	Luxury Shield 7.1.exe	78
PID 1112 wrote to memory of 924	1112	sexybannannnn.exe	79
PID 1112 wrote to memory of 924	1112	sexybannannnn.exe	79

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" https://anonfiles.com/O3Oa38Ycy7/Luxury_Shield_7.1_-_Cracked_by_FSociety_1_zip
1⤵
- Modifies Internet Explorer Phishing Filter
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1928
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1928 CREDAT:82945 /prefetch:2
  2⤵
  - Modifies Internet Explorer settings
  - Suspicious use of SetWindowsHookEx
  PID:4584

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:4516

C:\Windows\system32\osk.exe
"C:\Windows\system32\osk.exe"
1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
PID:3940

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x3ec
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:4660

C:\Users\Admin\Desktop\Luxury Shield 7.1 - Cracked by FSociety (1)\Luxury Shield 7.1.exe
"C:\Users\Admin\Desktop\Luxury Shield 7.1 - Cracked by FSociety (1)\Luxury Shield 7.1.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:440
- C:\Users\Admin\AppData\Local\Luxury Shield 7.1.exe
  "C:\Users\Admin\AppData\Local\Luxury Shield 7.1.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  PID:1256
- C:\Users\Admin\AppData\Local\sexybannannnn.exe
  "C:\Users\Admin\AppData\Local\sexybannannnn.exe"
  2⤵
  - Drops startup file
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1112
- - C:\Windows\System32\schtasks.exe
    "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "sexybannannnn" /tr "C:\Users\Public\sexybannannnn.exe"
    3⤵
    - Creates scheduled task(s)
    PID:924

C:\Windows\SysWOW64\DllHost.exe
C:\Windows\SysWOW64\DllHost.exe /Processid:{60A90A2F-858D-42AF-8929-82BE9D99E8A1}
1⤵
- Suspicious use of SetWindowsHookEx
PID:2680

C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\Luxury Shield 7.1 - Cracked by FSociety (1)\Pass to use.txt
1⤵
PID:3460

C:\Windows\SysWOW64\DllHost.exe
C:\Windows\SysWOW64\DllHost.exe /Processid:{60A90A2F-858D-42AF-8929-82BE9D99E8A1}
1⤵
- Suspicious use of SetWindowsHookEx
PID:992

C:\Users\Public\sexybannannnn.exe
C:\Users\Public\sexybannannnn.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3800

C:\Windows\SysWOW64\DllHost.exe
C:\Windows\SysWOW64\DllHost.exe /Processid:{60A90A2F-858D-42AF-8929-82BE9D99E8A1}
1⤵
- Suspicious use of SetWindowsHookEx
PID:4132

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Registry Run Keys / Startup Folder

T1060

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\103621DE9CD5414CC2538780B4B75751

Filesize
717B

MD5
ec8ff3b1ded0246437b1472c69dd1811

SHA1
d813e874c2524e3a7da6c466c67854ad16800326

SHA256
e634c2d1ed20e0638c95597adf4c9d392ebab932d3353f18af1e4421f4bb9cab

SHA512
e967b804cbf2d6da30a532cbc62557d09bd236807790040c6bee5584a482dc09d724fc1d9ac0de6aa5b4e8b1fff72c8ab3206222cc2c95a91035754ac1257552

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776

Filesize
471B

MD5
9597f3dce8d1b570f78a65ba29110c19

SHA1
ea96f130f2db9598f8785742dd6980e87c0b842b

SHA256
6385202cebf552cb037b90b20ca921f8b481b3154fb6460be44e2686252768d2

SHA512
b97c6755a29fcb84540e32f60e46d1b39183b9e972af5bd8edb6fb4659ea2b7f01ab1bf1ce4fe50fa311b6cceb715d128feeb7dde17c6db3d7b2f43931934d6c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\83C70E8C88F4EDFCC5A1D8BB501E4F5F

Filesize
503B

MD5
f7a2d09e1108aaf2b021e2b64dd7ab04

SHA1
e510673f85575bb467afd30a2ea776bc6ce41c5a

SHA256
81ef934b6afbf8b15ff7287a51acc1263ded076e6c6543f343d407aad24ead64

SHA512
4ae3f9266ca65f84341e12fa262503b6d958f4d2e33c6fc1e01a9a5196a7a7498f1713e9a1dc77dee6f5bd16b0796f2a840a8cd394bc450c99bf9540be7fef03

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\103621DE9CD5414CC2538780B4B75751

Filesize
192B

MD5
285bd87e89f358fa78ab7d15defe69a3

SHA1
fd55bc2e903635372a0051ecd94376103b3dd97f

SHA256
b0e46c2c8135a6e53361148061b7b24de94c1cfefabbc71d459dff72e9cbdb30

SHA512
feace423521436af68cccb8ffbaf42e140072da67cf34a09000c7cec645c3ab33189b2f688c04c52bd111081f9f5a20d9a2d00ee122a4943b3a4f50cb4515108

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776

Filesize
404B

MD5
5efe0cc575e5299bc58db364a5ecaec2

SHA1
04c7096410fe3bc444004fd199b34c2586f896eb

SHA256
c7646db50e534eeb4a609e400468844e8e0a0db0e9ba274527ca75241f8787b4

SHA512
33b4361c6841b229ab1aee37ebb3aa2ae8e378a475881d7620a3a4986f62c6f2380fc0a4633fa3faeaf4216f403fb3973aa3d558436845d16d52240bf7f192d8

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\83C70E8C88F4EDFCC5A1D8BB501E4F5F

Filesize
548B

MD5
50e0ef166a7cb9c461a16d789c5d016a

SHA1
c5d4867e200d5c4cef34308640d5c7de1d933bfd

SHA256
08866b62ef6cfc4d8597e44a423ef62936d64629f4d46e4376c9b043efc5c963

SHA512
72f8a765538788fdf5fc1734e94e9a611854a10f0c0991aa765d7617074528ab8749c7446d867b4bb18885938ef764f503510d992d29472e22aa1e8cf9005ee2

Download Submit
C:\Users\Admin\AppData\Local\Luxury Shield 7.1.exe

Filesize
7.5MB

MD5
9502776952e6900ae1f98934004b4293

SHA1
3905f80a539d37c648a5da1cc6dace16d3516c2c

SHA256
d8ca879cf734c21b84e3983a9245c4da2b38cfe23b1691e4ca265286c3782b1f

SHA512
cbef89e577c883283ce3e9bb48e2ba9eda010e40e6cb1a383d99e32b728a9553cdb83e0831c0bff961fd271cee4eab921f53c97d9412e87bec4d0498400b5fbb

Download Submit
C:\Users\Admin\AppData\Local\Luxury Shield 7.1.exe

Filesize
7.5MB

MD5
9502776952e6900ae1f98934004b4293

SHA1
3905f80a539d37c648a5da1cc6dace16d3516c2c

SHA256
d8ca879cf734c21b84e3983a9245c4da2b38cfe23b1691e4ca265286c3782b1f

SHA512
cbef89e577c883283ce3e9bb48e2ba9eda010e40e6cb1a383d99e32b728a9553cdb83e0831c0bff961fd271cee4eab921f53c97d9412e87bec4d0498400b5fbb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCookies\LIHQWZ50.cookie

Filesize
614B

MD5
e0f934696c7c7a67f0247ce521452a24

SHA1
34a4669b9cc71ce5cd80f0265aac169039ad976b

SHA256
ff96e04a617a14b70695529fb3704259b90965034526c26ddb0787fd58cba6c6

SHA512
b0cb8a1ff5b891166ba48dbf4397851fe6a1266cab932a4850e6c301a12197fc24da148fd05f038c98f31f042fe8f321a059f98085b19cb4dc5ea610b967cc67

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCookies\TBRBBUZV.cookie

Filesize
182B

MD5
24ea3cd1f9b2721e1c76047d8456402f

SHA1
bd2ef278041ba4f8ef219305d54f34ea47db5565

SHA256
8a99b88f10c1391d8ecb6c42be4aedf84cc117ceacbb0bacd9956db9b4d8e83e

SHA512
abc8e56a3587bf3ce3df55b552fb94ba3095dcff307b2e10ef9abf22a17afa7ad4448648baeedb8c4e8cde97bc1d76de607081efa4abd0f2f919f5b7366ae216

Download Submit
C:\Users\Admin\AppData\Local\sexybannannnn.exe

Filesize
33KB

MD5
afb0bcdcb45fd11d48c287989d0b2fdd

SHA1
1492179d71cfb28a26116b5362375a4026f20036

SHA256
47eca759dd074f7caad9def275c80ef91f8ac0710d94c132c5e9ec4b1a7e4ccc

SHA512
07daf00596208346891f1595cfa6dd28589bd9493f2ea5b080ee10d33efbf601d71f6cbdf4c22cc7fedc4ad2502119f81cc0cf6d2c95ed804410236ac29d6b15

Download Submit
C:\Users\Admin\AppData\Local\sexybannannnn.exe

Filesize
33KB

MD5
afb0bcdcb45fd11d48c287989d0b2fdd

SHA1
1492179d71cfb28a26116b5362375a4026f20036

SHA256
47eca759dd074f7caad9def275c80ef91f8ac0710d94c132c5e9ec4b1a7e4ccc

SHA512
07daf00596208346891f1595cfa6dd28589bd9493f2ea5b080ee10d33efbf601d71f6cbdf4c22cc7fedc4ad2502119f81cc0cf6d2c95ed804410236ac29d6b15

Download Submit
C:\Users\Admin\Downloads\Luxury Shield 7.1 - Cracked by FSociety (1).zip.270iqwv.partial

Filesize
7.3MB

MD5
c4473d86293c88f4c62d9c4493efd2f7

SHA1
3818b6b946e099b7e9a1ee5093e3c7ce531d161f

SHA256
d5ea822d0f8b351fb3543161b5cc175b581bc315cfaab1da9c90aee477cfa367

SHA512
66c19068865cb8c0bc3c62a7f35b045e60be88742f7c6acc0e14875cc085839874d03624666f3f5908efb57398cc7b6428d2a5380f5224c53b88574fd8ad6b8c

Download Submit
C:\Users\Public\sexybannannnn.exe

Filesize
33KB

MD5
afb0bcdcb45fd11d48c287989d0b2fdd

SHA1
1492179d71cfb28a26116b5362375a4026f20036

SHA256
47eca759dd074f7caad9def275c80ef91f8ac0710d94c132c5e9ec4b1a7e4ccc

SHA512
07daf00596208346891f1595cfa6dd28589bd9493f2ea5b080ee10d33efbf601d71f6cbdf4c22cc7fedc4ad2502119f81cc0cf6d2c95ed804410236ac29d6b15

Download Submit
C:\Users\Public\sexybannannnn.exe

Filesize
33KB

MD5
afb0bcdcb45fd11d48c287989d0b2fdd

SHA1
1492179d71cfb28a26116b5362375a4026f20036

SHA256
47eca759dd074f7caad9def275c80ef91f8ac0710d94c132c5e9ec4b1a7e4ccc

SHA512
07daf00596208346891f1595cfa6dd28589bd9493f2ea5b080ee10d33efbf601d71f6cbdf4c22cc7fedc4ad2502119f81cc0cf6d2c95ed804410236ac29d6b15

Download Submit
\Users\Admin\AppData\Local\Temp\53b4dde3-ceef-4149-b63d-4b67cc36c3e9\GunaDotNetRT.dll

Filesize
136KB

MD5
9af5eb006bb0bab7f226272d82c896c7

SHA1
c2a5bb42a5f08f4dc821be374b700652262308f0

SHA256
77dc05a6bda90757f66552ee3f469b09f1e00732b4edca0f542872fb591ed9db

SHA512
7badd41be4c1039302fda9bba19d374ec9446ce24b7db33b66bee4ef38180d1abcd666d2aea468e7e452aa1e1565eedfefed582bf1c2fe477a4171d99d48772a

Download Submit
memory/440-131-0x00000000004E0000-0x0000000000CAC000-memory.dmp

Filesize
7.8MB

Download
memory/1112-348-0x00000000011F0000-0x00000000011FA000-memory.dmp

Filesize
40KB

Download
memory/1112-142-0x0000000000AB0000-0x0000000000ABE000-memory.dmp

Filesize
56KB

Download
memory/1256-176-0x0000000077D70000-0x0000000077EFE000-memory.dmp

Filesize
1.6MB

Download
memory/1256-186-0x0000000077D70000-0x0000000077EFE000-memory.dmp

Filesize
1.6MB

Download
memory/1256-145-0x0000000077D70000-0x0000000077EFE000-memory.dmp

Filesize
1.6MB

Download
memory/1256-147-0x0000000077D70000-0x0000000077EFE000-memory.dmp

Filesize
1.6MB

Download
memory/1256-146-0x0000000000EE0000-0x0000000002240000-memory.dmp

Filesize
19.4MB

Download
memory/1256-148-0x0000000077D70000-0x0000000077EFE000-memory.dmp

Filesize
1.6MB

Download
memory/1256-149-0x0000000077D70000-0x0000000077EFE000-memory.dmp

Filesize
1.6MB

Download
memory/1256-150-0x0000000077D70000-0x0000000077EFE000-memory.dmp

Filesize
1.6MB

Download
memory/1256-151-0x0000000077D70000-0x0000000077EFE000-memory.dmp

Filesize
1.6MB

Download
memory/1256-152-0x0000000077D70000-0x0000000077EFE000-memory.dmp

Filesize
1.6MB

Download
memory/1256-153-0x0000000077D70000-0x0000000077EFE000-memory.dmp

Filesize
1.6MB

Download
memory/1256-155-0x0000000077D70000-0x0000000077EFE000-memory.dmp

Filesize
1.6MB

Download
memory/1256-156-0x0000000077D70000-0x0000000077EFE000-memory.dmp

Filesize
1.6MB

Download
memory/1256-157-0x0000000077D70000-0x0000000077EFE000-memory.dmp

Filesize
1.6MB

Download
memory/1256-158-0x0000000077D70000-0x0000000077EFE000-memory.dmp

Filesize
1.6MB

Download
memory/1256-159-0x0000000077D70000-0x0000000077EFE000-memory.dmp

Filesize
1.6MB

Download
memory/1256-160-0x0000000077D70000-0x0000000077EFE000-memory.dmp

Filesize
1.6MB

Download
memory/1256-154-0x0000000077D70000-0x0000000077EFE000-memory.dmp

Filesize
1.6MB

Download
memory/1256-161-0x0000000077D70000-0x0000000077EFE000-memory.dmp

Filesize
1.6MB

Download
memory/1256-162-0x0000000077D70000-0x0000000077EFE000-memory.dmp

Filesize
1.6MB

Download
memory/1256-163-0x0000000077D70000-0x0000000077EFE000-memory.dmp

Filesize
1.6MB

Download
memory/1256-165-0x0000000077D70000-0x0000000077EFE000-memory.dmp

Filesize
1.6MB

Download
memory/1256-164-0x0000000077D70000-0x0000000077EFE000-memory.dmp

Filesize
1.6MB

Download
memory/1256-166-0x0000000077D70000-0x0000000077EFE000-memory.dmp

Filesize
1.6MB

Download
memory/1256-167-0x0000000077D70000-0x0000000077EFE000-memory.dmp

Filesize
1.6MB

Download
memory/1256-169-0x0000000077D70000-0x0000000077EFE000-memory.dmp

Filesize
1.6MB

Download
memory/1256-170-0x0000000077D70000-0x0000000077EFE000-memory.dmp

Filesize
1.6MB

Download
memory/1256-171-0x0000000077D70000-0x0000000077EFE000-memory.dmp

Filesize
1.6MB

Download
memory/1256-168-0x0000000077D70000-0x0000000077EFE000-memory.dmp

Filesize
1.6MB

Download
memory/1256-172-0x0000000077D70000-0x0000000077EFE000-memory.dmp

Filesize
1.6MB

Download
memory/1256-173-0x0000000077D70000-0x0000000077EFE000-memory.dmp

Filesize
1.6MB

Download
memory/1256-174-0x0000000077D70000-0x0000000077EFE000-memory.dmp

Filesize
1.6MB

Download
memory/1256-175-0x0000000077D70000-0x0000000077EFE000-memory.dmp

Filesize
1.6MB

Download
memory/1256-141-0x0000000077D70000-0x0000000077EFE000-memory.dmp

Filesize
1.6MB

Download
memory/1256-177-0x0000000077D70000-0x0000000077EFE000-memory.dmp

Filesize
1.6MB

Download
memory/1256-178-0x0000000077D70000-0x0000000077EFE000-memory.dmp

Filesize
1.6MB

Download
memory/1256-180-0x0000000077D70000-0x0000000077EFE000-memory.dmp

Filesize
1.6MB

Download
memory/1256-179-0x000000007E4F0000-0x000000007E8C1000-memory.dmp

Filesize
3.8MB

Download
memory/1256-181-0x0000000077D70000-0x0000000077EFE000-memory.dmp

Filesize
1.6MB

Download
memory/1256-182-0x0000000077D70000-0x0000000077EFE000-memory.dmp

Filesize
1.6MB

Download
memory/1256-140-0x0000000077D70000-0x0000000077EFE000-memory.dmp

Filesize
1.6MB

Download
memory/1256-184-0x0000000077D70000-0x0000000077EFE000-memory.dmp

Filesize
1.6MB

Download
memory/1256-185-0x0000000077D70000-0x0000000077EFE000-memory.dmp

Filesize
1.6MB

Download
memory/1256-143-0x0000000077D70000-0x0000000077EFE000-memory.dmp

Filesize
1.6MB

Download
memory/1256-187-0x0000000077D70000-0x0000000077EFE000-memory.dmp

Filesize
1.6MB

Download
memory/1256-188-0x0000000077D70000-0x0000000077EFE000-memory.dmp

Filesize
1.6MB

Download
memory/1256-189-0x0000000077D70000-0x0000000077EFE000-memory.dmp

Filesize
1.6MB

Download
memory/1256-190-0x0000000077D70000-0x0000000077EFE000-memory.dmp

Filesize
1.6MB

Download
memory/1256-191-0x0000000077D70000-0x0000000077EFE000-memory.dmp

Filesize
1.6MB

Download
memory/1256-192-0x0000000077D70000-0x0000000077EFE000-memory.dmp

Filesize
1.6MB

Download
memory/1256-134-0x0000000077D70000-0x0000000077EFE000-memory.dmp

Filesize
1.6MB

Download
memory/1256-347-0x000000000B8DA000-0x000000000B8DF000-memory.dmp

Filesize
20KB

Download
memory/1256-338-0x0000000011260000-0x00000000112C6000-memory.dmp

Filesize
408KB

Download
memory/1256-337-0x000000006ED90000-0x000000006EDC7000-memory.dmp

Filesize
220KB

Download
memory/1256-196-0x0000000000EE0000-0x0000000002240000-memory.dmp

Filesize
19.4MB

Download
memory/1256-336-0x000000000B8DA000-0x000000000B8DF000-memory.dmp

Filesize
20KB

Download
memory/1256-335-0x0000000011B30000-0x0000000011C06000-memory.dmp

Filesize
856KB

Download
memory/1256-329-0x000000000F870000-0x000000000F896000-memory.dmp

Filesize
152KB

Download
memory/1256-326-0x000000000F2E0000-0x000000000F2EA000-memory.dmp

Filesize
40KB

Download
memory/1256-321-0x000000000F980000-0x000000000F9E2000-memory.dmp

Filesize
392KB

Download
memory/1256-299-0x000000000D7C0000-0x000000000D826000-memory.dmp

Filesize
408KB

Download
memory/1256-298-0x000000000F0F0000-0x000000000F20A000-memory.dmp

Filesize
1.1MB

Download
memory/1256-284-0x000000006ED90000-0x000000006EDC7000-memory.dmp

Filesize
220KB

Download
memory/1256-136-0x0000000077D70000-0x0000000077EFE000-memory.dmp

Filesize
1.6MB

Download
memory/1256-137-0x0000000077D70000-0x0000000077EFE000-memory.dmp

Filesize
1.6MB

Download
memory/1256-259-0x0000000000EE0000-0x0000000002240000-memory.dmp

Filesize
19.4MB

Download
memory/1256-261-0x000000000B8E0000-0x000000000B97C000-memory.dmp

Filesize
624KB

Download
memory/1256-262-0x000000000BFE0000-0x000000000C4DE000-memory.dmp

Filesize
5.0MB

Download
memory/1256-264-0x0000000008500000-0x0000000008592000-memory.dmp

Filesize
584KB

Download
memory/1256-271-0x0000000008490000-0x000000000849A000-memory.dmp

Filesize
40KB

Download
memory/1256-272-0x00000000085A0000-0x00000000085F6000-memory.dmp

Filesize
344KB

Download
memory/1256-277-0x000000000C4E0000-0x000000000CDC6000-memory.dmp

Filesize
8.9MB

Download
memory/1256-278-0x000000000BCE0000-0x000000000BF2C000-memory.dmp

Filesize
2.3MB

Download
memory/2680-200-0x0000000077D70000-0x0000000077EFE000-memory.dmp

Filesize
1.6MB

Download
memory/2680-206-0x0000000077D70000-0x0000000077EFE000-memory.dmp

Filesize
1.6MB

Download
memory/2680-204-0x0000000077D70000-0x0000000077EFE000-memory.dmp

Filesize
1.6MB

Download
memory/2680-203-0x0000000077D70000-0x0000000077EFE000-memory.dmp

Filesize
1.6MB

Download
memory/2680-202-0x0000000077D70000-0x0000000077EFE000-memory.dmp

Filesize
1.6MB

Download
memory/2680-201-0x0000000077D70000-0x0000000077EFE000-memory.dmp

Filesize
1.6MB

Download
memory/2680-205-0x0000000077D70000-0x0000000077EFE000-memory.dmp

Filesize
1.6MB

Download
memory/2680-199-0x0000000077D70000-0x0000000077EFE000-memory.dmp

Filesize
1.6MB

Download
memory/2680-198-0x0000000077D70000-0x0000000077EFE000-memory.dmp

Filesize
1.6MB

Download
memory/2680-197-0x0000000077D70000-0x0000000077EFE000-memory.dmp

Filesize
1.6MB

Download
memory/2680-195-0x0000000077D70000-0x0000000077EFE000-memory.dmp

Filesize
1.6MB

Download
memory/2680-193-0x0000000077D70000-0x0000000077EFE000-memory.dmp

Filesize
1.6MB

Download
memory/2680-194-0x0000000077D70000-0x0000000077EFE000-memory.dmp

Filesize
1.6MB

Download