asyncrat | hxxps://anonfiles[.]com/U9u1T4Wbyd/Luxury_Shield_7[.]1_rar

Analysis

max time kernel
305s
max time network
310s
platform
windows10-2004_x64
resource
win10v2004-20221111-en
resource tags

arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system
submitted
17-02-2023 23:22

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://anonfiles.com/U9u1T4Wbyd/Luxury_Shield_7.1_rar

Score

10^/10

asyncrat redline sectoprat xenarmor cheat collection discovery infostealer password persistence rat recovery spyware stealer trojan

Malware Config

Extracted

Family

redline

Botnet

cheat

ekinox.myftp.biz:3081

Signatures

AsyncRat
AsyncRAT is designed to remotely monitor and control other computers.
rat asyncrat
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 1 IoCs

Processes:

resource	yara_rule
behavioral1/memory/4908-181-0x0000000000400000-0x000000000041E000-memory.dmp	family_redline

SectopRAT
SectopRAT is a remote access trojan first seen in November 2019.
trojan rat sectoprat

SectopRAT payload 1 IoCs

Processes:

resource	yara_rule
behavioral1/memory/4908-181-0x0000000000400000-0x000000000041E000-memory.dmp	family_sectoprat

XenArmor Suite
XenArmor is as suite of password recovery tools for various application.
recovery password xenarmor

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

Luxury Shield 7.1.exesvchost.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Control Panel\International\Geo\Nation	Luxury Shield 7.1.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Control Panel\International\Geo\Nation	svchost.exe

Drops startup file 7 IoCs

Processes:

svchost.exesvchost.exesvchost.exesvchost.exesvchost.exesvchost.exe

description	ioc	process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\%startupname%.lnk	svchost.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\%startupname%.lnk	svchost.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\%startupname%.lnk	svchost.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\%startupname%.lnk	svchost.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.lnk	svchost.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.lnk	svchost.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\%startupname%.lnk	svchost.exe

Executes dropped EXE 15 IoCs

Processes:

Luxury Shield 7.1.exesvchost.exeLuxury Shield 7.1.exesvchost.exesvchost.exesvchost.exeyygmjm.exeChromeRecovery.exesvchost.exesvchost.exesvchost.exesvchost.exesvchost.exesvchost.exeAll-In-One.exe

pid	process
4212	Luxury Shield 7.1.exe
3468	svchost.exe
2832	Luxury Shield 7.1.exe
3484	svchost.exe
1824	svchost.exe
2604	svchost.exe
3900	yygmjm.exe
4016	ChromeRecovery.exe
1976	svchost.exe
2304	svchost.exe
1120	svchost.exe
2600	svchost.exe
180	svchost.exe
3456	svchost.exe
2648	All-In-One.exe

Loads dropped DLL 2 IoCs

Processes:

Luxury Shield 7.1.exeAll-In-One.exe

pid process

2832 Luxury Shield 7.1.exe
2648 All-In-One.exe
Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Reads local data of messenger clients 2 TTPs
Infostealers often target stored data of messaging applications, which can include saved credentials and account information.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Accesses Microsoft Outlook accounts 1 TTPs 1 IoCs

collection

Email Collection

T1114

Processes:

All-In-One.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts	All-In-One.exe

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

svchost.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\svchost = "C:\\Users\\Admin\\AppData\\Roaming\\svchost.exe"	svchost.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Suspicious use of NtSetInformationThreadHideFromDebugger 10 IoCs

Processes:

Luxury Shield 7.1.exe

pid	process
2832	Luxury Shield 7.1.exe
2832	Luxury Shield 7.1.exe
2832	Luxury Shield 7.1.exe
2832	Luxury Shield 7.1.exe
2832	Luxury Shield 7.1.exe
2832	Luxury Shield 7.1.exe
2832	Luxury Shield 7.1.exe
2832	Luxury Shield 7.1.exe
2832	Luxury Shield 7.1.exe
2832	Luxury Shield 7.1.exe

Suspicious use of SetThreadContext 6 IoCs

Processes:

svchost.exesvchost.exeyygmjm.exesvchost.exesvchost.exesvchost.exe

description	pid	process	target process
PID 3468 set thread context of 3484	3468	svchost.exe	svchost.exe
PID 1824 set thread context of 2604	1824	svchost.exe	svchost.exe
PID 3900 set thread context of 4908	3900	yygmjm.exe	RegAsm.exe
PID 1976 set thread context of 2304	1976	svchost.exe	svchost.exe
PID 1120 set thread context of 2600	1120	svchost.exe	svchost.exe
PID 180 set thread context of 3456	180	svchost.exe	svchost.exe

Drops file in Program Files directory 9 IoCs

Processes:

chrome.exeelevation_service.exe

description	ioc	process
File opened for modification	C:\Program Files\Google\Chrome\Application\89.0.4389.114\Luxury Shield 7.1\Pass to use.txt	chrome.exe
File opened for modification	C:\Program Files\Google\Chrome\ChromeRecovery\scoped_dir1488_222374399\ChromeRecovery.exe	elevation_service.exe
File created	C:\Program Files\Google\Chrome\ChromeRecovery\scoped_dir1488_222374399\manifest.json	elevation_service.exe
File opened for modification	C:\Program Files\Google\Chrome\ChromeRecovery\scoped_dir1488_222374399\manifest.json	elevation_service.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\89.0.4389.114\Luxury Shield 7.1\Luxury Shield 7.1.exe	chrome.exe
File created	C:\Program Files\Google\Chrome\ChromeRecovery\scoped_dir1488_222374399\ChromeRecoveryCRX.crx	elevation_service.exe
File created	C:\Program Files\Google\Chrome\ChromeRecovery\scoped_dir1488_222374399\ChromeRecovery.exe	elevation_service.exe
File created	C:\Program Files\Google\Chrome\ChromeRecovery\scoped_dir1488_222374399\_metadata\verified_contents.json	elevation_service.exe
File opened for modification	C:\Program Files\Google\Chrome\ChromeRecovery\scoped_dir1488_222374399\_metadata\verified_contents.json	elevation_service.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

4172 schtasks.exe

pid	process
4172	schtasks.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

chrome.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe

Modifies registry class 1 IoCs

Processes:

chrome.exe

description ioc process

Key created \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000_Classes\Local Settings chrome.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000_Classes\Local Settings	chrome.exe

Suspicious behavior: EnumeratesProcesses 45 IoCs

Processes:

chrome.exechrome.exechrome.exechrome.exechrome.exechrome.exechrome.exechrome.exechrome.exeLuxury Shield 7.1.exechrome.exeRegAsm.exeAll-In-One.exe

pid	process
456	chrome.exe
456	chrome.exe
5064	chrome.exe
5064	chrome.exe
3388	chrome.exe
3388	chrome.exe
5056	chrome.exe
5056	chrome.exe
220	chrome.exe
220	chrome.exe
3208	chrome.exe
3208	chrome.exe
3888	chrome.exe
3888	chrome.exe
3576	chrome.exe
3576	chrome.exe
640	chrome.exe
640	chrome.exe
2832	Luxury Shield 7.1.exe
2832	Luxury Shield 7.1.exe
2832	Luxury Shield 7.1.exe
2832	Luxury Shield 7.1.exe
2832	Luxury Shield 7.1.exe
2832	Luxury Shield 7.1.exe
2012	chrome.exe
2012	chrome.exe
2012	chrome.exe
2012	chrome.exe
2832	Luxury Shield 7.1.exe
2832	Luxury Shield 7.1.exe
2832	Luxury Shield 7.1.exe
2832	Luxury Shield 7.1.exe
2832	Luxury Shield 7.1.exe
2832	Luxury Shield 7.1.exe
2832	Luxury Shield 7.1.exe
2832	Luxury Shield 7.1.exe
2832	Luxury Shield 7.1.exe
2832	Luxury Shield 7.1.exe
2832	Luxury Shield 7.1.exe
2832	Luxury Shield 7.1.exe
4908	RegAsm.exe
4908	RegAsm.exe
4908	RegAsm.exe
2648	All-In-One.exe
2648	All-In-One.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

7zFM.exe

pid process

4012 7zFM.exe
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 6 IoCs

Processes:

chrome.exe

pid process

5064 chrome.exe
5064 chrome.exe
5064 chrome.exe
5064 chrome.exe
5064 chrome.exe
5064 chrome.exe

pid	process
4012	7zFM.exe

Suspicious use of AdjustPrivilegeToken 27 IoCs

Processes:

7zG.exesvchost.exe7zG.exesvchost.exeLuxury Shield 7.1.exeRegAsm.exesvchost.exesvchost.exe7zG.exesvchost.exe7zFM.exesvchost.exeAll-In-One.exe

description	pid	process
Token: SeRestorePrivilege	3484	7zG.exe
Token: 35	3484	7zG.exe
Token: SeSecurityPrivilege	3484	7zG.exe
Token: SeSecurityPrivilege	3484	7zG.exe
Token: SeDebugPrivilege	3484	svchost.exe
Token: SeRestorePrivilege	4936	7zG.exe
Token: 35	4936	7zG.exe
Token: SeSecurityPrivilege	4936	7zG.exe
Token: SeSecurityPrivilege	4936	7zG.exe
Token: SeDebugPrivilege	2604	svchost.exe
Token: SeDebugPrivilege	2832	Luxury Shield 7.1.exe
Token: SeDebugPrivilege	4908	RegAsm.exe
Token: SeBackupPrivilege	3632	svchost.exe
Token: SeRestorePrivilege	3632	svchost.exe
Token: SeSecurityPrivilege	3632	svchost.exe
Token: SeTakeOwnershipPrivilege	3632	svchost.exe
Token: 35	3632	svchost.exe
Token: SeDebugPrivilege	2304	svchost.exe
Token: SeRestorePrivilege	4176	7zG.exe
Token: 35	4176	7zG.exe
Token: SeSecurityPrivilege	4176	7zG.exe
Token: SeSecurityPrivilege	4176	7zG.exe
Token: SeDebugPrivilege	2600	svchost.exe
Token: SeRestorePrivilege	4012	7zFM.exe
Token: 35	4012	7zFM.exe
Token: SeDebugPrivilege	3456	svchost.exe
Token: SeDebugPrivilege	2648	All-In-One.exe

Suspicious use of FindShellTrayWindow 50 IoCs

Processes:

chrome.exe7zG.exe7zG.exe7zG.exe7zFM.exe

pid	process
5064	chrome.exe
5064	chrome.exe
5064	chrome.exe
5064	chrome.exe
5064	chrome.exe
5064	chrome.exe
5064	chrome.exe
5064	chrome.exe
5064	chrome.exe
5064	chrome.exe
5064	chrome.exe
5064	chrome.exe
5064	chrome.exe
5064	chrome.exe
5064	chrome.exe
5064	chrome.exe
5064	chrome.exe
5064	chrome.exe
5064	chrome.exe
5064	chrome.exe
5064	chrome.exe
5064	chrome.exe
5064	chrome.exe
5064	chrome.exe
5064	chrome.exe
5064	chrome.exe
5064	chrome.exe
5064	chrome.exe
5064	chrome.exe
5064	chrome.exe
5064	chrome.exe
5064	chrome.exe
5064	chrome.exe
5064	chrome.exe
5064	chrome.exe
5064	chrome.exe
5064	chrome.exe
5064	chrome.exe
5064	chrome.exe
5064	chrome.exe
5064	chrome.exe
5064	chrome.exe
5064	chrome.exe
5064	chrome.exe
5064	chrome.exe
5064	chrome.exe
3484	7zG.exe
4936	7zG.exe
4176	7zG.exe
4012	7zFM.exe

Suspicious use of SendNotifyMessage 24 IoCs

Processes:

chrome.exe

pid	process
5064	chrome.exe
5064	chrome.exe
5064	chrome.exe
5064	chrome.exe
5064	chrome.exe
5064	chrome.exe
5064	chrome.exe
5064	chrome.exe
5064	chrome.exe
5064	chrome.exe
5064	chrome.exe
5064	chrome.exe
5064	chrome.exe
5064	chrome.exe
5064	chrome.exe
5064	chrome.exe
5064	chrome.exe
5064	chrome.exe
5064	chrome.exe
5064	chrome.exe
5064	chrome.exe
5064	chrome.exe
5064	chrome.exe
5064	chrome.exe

Suspicious use of SetWindowsHookEx 5 IoCs

Processes:

Luxury Shield 7.1.exeAll-In-One.exe

pid process

2832 Luxury Shield 7.1.exe
2832 Luxury Shield 7.1.exe
2832 Luxury Shield 7.1.exe
2648 All-In-One.exe
2648 All-In-One.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

chrome.exe

description	pid	process	target process
PID 5064 wrote to memory of 4992	5064	chrome.exe	chrome.exe
PID 5064 wrote to memory of 4992	5064	chrome.exe	chrome.exe
PID 5064 wrote to memory of 1512	5064	chrome.exe	chrome.exe
PID 5064 wrote to memory of 1512	5064	chrome.exe	chrome.exe
PID 5064 wrote to memory of 1512	5064	chrome.exe	chrome.exe
PID 5064 wrote to memory of 1512	5064	chrome.exe	chrome.exe
PID 5064 wrote to memory of 1512	5064	chrome.exe	chrome.exe
PID 5064 wrote to memory of 1512	5064	chrome.exe	chrome.exe
PID 5064 wrote to memory of 1512	5064	chrome.exe	chrome.exe
PID 5064 wrote to memory of 1512	5064	chrome.exe	chrome.exe
PID 5064 wrote to memory of 1512	5064	chrome.exe	chrome.exe
PID 5064 wrote to memory of 1512	5064	chrome.exe	chrome.exe
PID 5064 wrote to memory of 1512	5064	chrome.exe	chrome.exe
PID 5064 wrote to memory of 1512	5064	chrome.exe	chrome.exe
PID 5064 wrote to memory of 1512	5064	chrome.exe	chrome.exe
PID 5064 wrote to memory of 1512	5064	chrome.exe	chrome.exe
PID 5064 wrote to memory of 1512	5064	chrome.exe	chrome.exe
PID 5064 wrote to memory of 1512	5064	chrome.exe	chrome.exe
PID 5064 wrote to memory of 1512	5064	chrome.exe	chrome.exe
PID 5064 wrote to memory of 1512	5064	chrome.exe	chrome.exe
PID 5064 wrote to memory of 1512	5064	chrome.exe	chrome.exe
PID 5064 wrote to memory of 1512	5064	chrome.exe	chrome.exe
PID 5064 wrote to memory of 1512	5064	chrome.exe	chrome.exe
PID 5064 wrote to memory of 1512	5064	chrome.exe	chrome.exe
PID 5064 wrote to memory of 1512	5064	chrome.exe	chrome.exe
PID 5064 wrote to memory of 1512	5064	chrome.exe	chrome.exe
PID 5064 wrote to memory of 1512	5064	chrome.exe	chrome.exe
PID 5064 wrote to memory of 1512	5064	chrome.exe	chrome.exe
PID 5064 wrote to memory of 1512	5064	chrome.exe	chrome.exe
PID 5064 wrote to memory of 1512	5064	chrome.exe	chrome.exe
PID 5064 wrote to memory of 1512	5064	chrome.exe	chrome.exe
PID 5064 wrote to memory of 1512	5064	chrome.exe	chrome.exe
PID 5064 wrote to memory of 1512	5064	chrome.exe	chrome.exe
PID 5064 wrote to memory of 1512	5064	chrome.exe	chrome.exe
PID 5064 wrote to memory of 1512	5064	chrome.exe	chrome.exe
PID 5064 wrote to memory of 1512	5064	chrome.exe	chrome.exe
PID 5064 wrote to memory of 1512	5064	chrome.exe	chrome.exe
PID 5064 wrote to memory of 1512	5064	chrome.exe	chrome.exe
PID 5064 wrote to memory of 1512	5064	chrome.exe	chrome.exe
PID 5064 wrote to memory of 1512	5064	chrome.exe	chrome.exe
PID 5064 wrote to memory of 1512	5064	chrome.exe	chrome.exe
PID 5064 wrote to memory of 1512	5064	chrome.exe	chrome.exe
PID 5064 wrote to memory of 456	5064	chrome.exe	chrome.exe
PID 5064 wrote to memory of 456	5064	chrome.exe	chrome.exe
PID 5064 wrote to memory of 1424	5064	chrome.exe	chrome.exe
PID 5064 wrote to memory of 1424	5064	chrome.exe	chrome.exe
PID 5064 wrote to memory of 1424	5064	chrome.exe	chrome.exe
PID 5064 wrote to memory of 1424	5064	chrome.exe	chrome.exe
PID 5064 wrote to memory of 1424	5064	chrome.exe	chrome.exe
PID 5064 wrote to memory of 1424	5064	chrome.exe	chrome.exe
PID 5064 wrote to memory of 1424	5064	chrome.exe	chrome.exe
PID 5064 wrote to memory of 1424	5064	chrome.exe	chrome.exe
PID 5064 wrote to memory of 1424	5064	chrome.exe	chrome.exe
PID 5064 wrote to memory of 1424	5064	chrome.exe	chrome.exe
PID 5064 wrote to memory of 1424	5064	chrome.exe	chrome.exe
PID 5064 wrote to memory of 1424	5064	chrome.exe	chrome.exe
PID 5064 wrote to memory of 1424	5064	chrome.exe	chrome.exe
PID 5064 wrote to memory of 1424	5064	chrome.exe	chrome.exe
PID 5064 wrote to memory of 1424	5064	chrome.exe	chrome.exe
PID 5064 wrote to memory of 1424	5064	chrome.exe	chrome.exe
PID 5064 wrote to memory of 1424	5064	chrome.exe	chrome.exe
PID 5064 wrote to memory of 1424	5064	chrome.exe	chrome.exe
PID 5064 wrote to memory of 1424	5064	chrome.exe	chrome.exe
PID 5064 wrote to memory of 1424	5064	chrome.exe	chrome.exe

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" https://anonfiles.com/U9u1T4Wbyd/Luxury_Shield_7.1_rar
1⤵
- Enumerates system info in registry
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:5064

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=89.0.4389.114 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff9cf044f50,0x7ff9cf044f60,0x7ff9cf044f70
2⤵
PID:4992

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --field-trial-handle=1632,13496584689709520936,6158520045705116652,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1700 /prefetch:2
2⤵
PID:1512

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1632,13496584689709520936,6158520045705116652,131072 --lang=en-US --service-sandbox-type=network --mojo-platform-channel-handle=2028 /prefetch:8
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:456

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1632,13496584689709520936,6158520045705116652,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2324 /prefetch:8
2⤵
PID:1424

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1632,13496584689709520936,6158520045705116652,131072 --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3044 /prefetch:1
2⤵
PID:204

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1632,13496584689709520936,6158520045705116652,131072 --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3052 /prefetch:1
2⤵
PID:116

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1632,13496584689709520936,6158520045705116652,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4656 /prefetch:8
2⤵
PID:4948

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1632,13496584689709520936,6158520045705116652,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4664 /prefetch:1
2⤵
PID:1488

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1632,13496584689709520936,6158520045705116652,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5184 /prefetch:8
2⤵
PID:1840

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1632,13496584689709520936,6158520045705116652,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5100 /prefetch:8
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:3388

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1632,13496584689709520936,6158520045705116652,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5112 /prefetch:8
2⤵
PID:1236

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1632,13496584689709520936,6158520045705116652,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5404 /prefetch:8
2⤵
PID:3548

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1632,13496584689709520936,6158520045705116652,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5196 /prefetch:8
2⤵
PID:1820

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1632,13496584689709520936,6158520045705116652,131072 --disable-gpu-compositing --lang=en-US --extension-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3176 /prefetch:1
2⤵
PID:2920

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1632,13496584689709520936,6158520045705116652,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5496 /prefetch:1
2⤵
PID:3896

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1632,13496584689709520936,6158520045705116652,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4656 /prefetch:8
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:5056

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.FileUtilService --field-trial-handle=1632,13496584689709520936,6158520045705116652,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5016 /prefetch:8
2⤵
- Drops file in Program Files directory
PID:4768

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1632,13496584689709520936,6158520045705116652,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5364 /prefetch:1
2⤵
PID:2444

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1632,13496584689709520936,6158520045705116652,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5872 /prefetch:8
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:220

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1632,13496584689709520936,6158520045705116652,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5928 /prefetch:8
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:3208

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1632,13496584689709520936,6158520045705116652,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2060 /prefetch:8
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:3888

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1632,13496584689709520936,6158520045705116652,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4448 /prefetch:8
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:3576

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1632,13496584689709520936,6158520045705116652,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=812 /prefetch:8
2⤵
PID:2820

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1632,13496584689709520936,6158520045705116652,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5880 /prefetch:8
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:640

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1632,13496584689709520936,6158520045705116652,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4776 /prefetch:8
2⤵
PID:3944

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1632,13496584689709520936,6158520045705116652,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4920 /prefetch:8
2⤵
PID:5032

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1632,13496584689709520936,6158520045705116652,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2636 /prefetch:8
2⤵
PID:2376

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1632,13496584689709520936,6158520045705116652,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4652 /prefetch:8
2⤵
PID:3980

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --field-trial-handle=1632,13496584689709520936,6158520045705116652,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=5140 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=SAAAAAAAAADoAAAwAAAAAAAAAAAAAAAAAABgAAAQAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=4776 /prefetch:2
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:2012

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1632,13496584689709520936,6158520045705116652,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=212 /prefetch:8
2⤵
PID:4520

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1632,13496584689709520936,6158520045705116652,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5644 /prefetch:8
2⤵
PID:2628

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1632,13496584689709520936,6158520045705116652,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4816 /prefetch:8
2⤵
PID:1164

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1632,13496584689709520936,6158520045705116652,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4816 /prefetch:8
2⤵
PID:3156

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1632,13496584689709520936,6158520045705116652,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4504 /prefetch:8
2⤵
PID:3548

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1632,13496584689709520936,6158520045705116652,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=6048 /prefetch:8
2⤵
PID:2380

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1632,13496584689709520936,6158520045705116652,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4448 /prefetch:8
2⤵
PID:4968

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1632,13496584689709520936,6158520045705116652,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4552 /prefetch:8
2⤵
PID:768

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2044

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:480

C:\Program Files\7-Zip\7zG.exe
"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Downloads\Luxury Shield 7.1\" -spe -an -ai#7zMap3998:96:7zEvent29097
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:3484

C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Downloads\Luxury Shield 7.1\Pass to use.txt
1⤵
PID:5008

C:\Users\Admin\Downloads\Luxury Shield 7.1\Luxury Shield 7.1.exe
"C:\Users\Admin\Downloads\Luxury Shield 7.1\Luxury Shield 7.1.exe"
1⤵
- Checks computer location settings
- Executes dropped EXE
PID:4212

C:\Users\Admin\AppData\Roaming\svchost.exe
"C:\Users\Admin\AppData\Roaming\svchost.exe"
2⤵
- Drops startup file
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:3468

C:\Users\Admin\AppData\Roaming\svchost.exe
"C:\Users\Admin\AppData\Roaming\svchost.exe"
3⤵
- Checks computer location settings
- Drops startup file
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
PID:3484

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "svchost" /tr "C:\Users\Admin\AppData\Roaming\svchost.exe"
4⤵
- Creates scheduled task(s)
PID:4172

C:\Users\Admin\AppData\Local\Temp\yygmjm.exe
"C:\Users\Admin\AppData\Local\Temp\yygmjm.exe"
4⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:3900

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
5⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4908

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c Cd %temp% && All-In-One.exe OutPut.json
4⤵
PID:1224

C:\Users\Admin\AppData\Local\Temp\All-In-One.exe
All-In-One.exe OutPut.json
5⤵
- Executes dropped EXE
- Loads dropped DLL
- Accesses Microsoft Outlook accounts
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:2648

C:\Users\Admin\AppData\Roaming\Luxury Shield 7.1.exe
"C:\Users\Admin\AppData\Roaming\Luxury Shield 7.1.exe"
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:2832

C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Downloads\Luxury Shield 7.1\Pass to use.txt
1⤵
PID:4664

C:\Program Files\7-Zip\7zG.exe
"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Downloads\Luxury Shield 7.1\Luxury Shield 7.1\" -spe -an -ai#7zMap17061:132:7zEvent4408
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:4936

C:\Users\Admin\AppData\Roaming\svchost.exe
C:\Users\Admin\AppData\Roaming\svchost.exe
1⤵
- Drops startup file
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:1824

C:\Users\Admin\AppData\Roaming\svchost.exe
"C:\Users\Admin\AppData\Roaming\svchost.exe"
2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2604

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k SDRSVC
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:3632

C:\Program Files\Google\Chrome\Application\89.0.4389.114\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\89.0.4389.114\elevation_service.exe"
1⤵
- Drops file in Program Files directory
PID:1488

C:\Program Files\Google\Chrome\ChromeRecovery\scoped_dir1488_222374399\ChromeRecovery.exe
"C:\Program Files\Google\Chrome\ChromeRecovery\scoped_dir1488_222374399\ChromeRecovery.exe" --appguid={8A69D345-D564-463c-AFF1-A69D9E530F96} --browser-version=89.0.4389.114 --sessionid={45240538-beaa-4f32-be36-89ff48774f7f} --system
2⤵
- Executes dropped EXE
PID:4016

C:\Users\Admin\AppData\Roaming\svchost.exe
C:\Users\Admin\AppData\Roaming\svchost.exe
1⤵
- Drops startup file
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:1976

C:\Users\Admin\AppData\Roaming\svchost.exe
"C:\Users\Admin\AppData\Roaming\svchost.exe"
2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2304

C:\Program Files\7-Zip\7zG.exe
"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Downloads\Luxury Shield 7.1\" -an -ai#7zMap32278:132:7zEvent13846
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:4176

C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Downloads\Luxury Shield 7.1\Luxury Shield 7.1\.rsrc\version.txt
1⤵
PID:3444

C:\Users\Admin\AppData\Roaming\svchost.exe
C:\Users\Admin\AppData\Roaming\svchost.exe
1⤵
- Drops startup file
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:1120

C:\Users\Admin\AppData\Roaming\svchost.exe
"C:\Users\Admin\AppData\Roaming\svchost.exe"
2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2600

C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Downloads\Luxury Shield 7.1\Pass to use.txt
1⤵
PID:1232

C:\Program Files\7-Zip\7zFM.exe
"C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\Downloads\Luxury Shield 7.1\Luxury Shield 7.1.exe"
1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:4012

C:\Users\Admin\AppData\Roaming\svchost.exe
C:\Users\Admin\AppData\Roaming\svchost.exe
1⤵
- Drops startup file
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:180

C:\Users\Admin\AppData\Roaming\svchost.exe
"C:\Users\Admin\AppData\Roaming\svchost.exe"
2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3456

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Registry Run Keys / Startup Folder

T1060

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Email Collection

T1114

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Google\Chrome\ChromeRecovery\scoped_dir1488_222374399\ChromeRecovery.exe
Filesize
253KB

MD5
49ac3c96d270702a27b4895e4ce1f42a

SHA1
55b90405f1e1b72143c64113e8bc65608dd3fd76

SHA256
82aa3fd6a25cda9e16689cfadea175091be010cecae537e517f392e0bef5ba0f

SHA512
b62f6501cb4c992d42d9097e356805c88ac4ac5a46ead4a8eee9f8cbae197b2305da8aab5b4a61891fe73951588025f2d642c32524b360687993f98c913138a0

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cookies
Filesize
20KB

MD5
dcaa8d3d344a2d7743e0ce292fc1ee4b

SHA1
bb988681e0a1842dc6b83b1dd91927af2aa679d4

SHA256
a4a808cfd5a918fff9d224e44fcd279e6bbc58c0661bb07149a8c9049972bbff

SHA512
57715b1f2ae90e97fee9659669d61367b08732357e03b18c99da1c33659d8d823994bc21a6767946007d2d2839add9fad184634d48b0a6098f77c6cb559e5d31

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State
Filesize
114KB

MD5
fc93f6160ffed8193dca473a247adfaa

SHA1
6b54a42756474207aded89a117e0f8efb59c0bbc

SHA256
53581298310af778ce66666148a2ce5c1f166c5d64a87c4b07e4350cc67462c7

SHA512
74e6453ae6eb5915b6f732aab3adc77dddcac065ad1008644c2e3f804b2f7012196728f627030c0d92f2cdaebf71fe1266020ac2ed4b14ba463a6d13367af40f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\RecoveryImproved\1.3.36.141\Recovery.crx3
Filesize
141KB

MD5
ea1c1ffd3ea54d1fb117bfdbb3569c60

SHA1
10958b0f690ae8f5240e1528b1ccffff28a33272

SHA256
7c3a6a7d16ac44c3200f572a764bce7d8fa84b9572dd028b15c59bdccbc0a77d

SHA512
6c30728cac9eac53f0b27b7dbe2222da83225c3b63617d6b271a6cfedf18e8f0a8dffa1053e1cbc4c5e16625f4bbc0d03aa306a946c9d72faa4ceb779f8ffcaf

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\svchost.exe.log
Filesize
617B

MD5
99e770c0d4043aa84ef3d3cbc7723c25

SHA1
19829c5c413fccba750a3357f938dfa94486acad

SHA256
33c7dd4c852dae6462c701337f8e0a8647602847ccaee656fa6f1149cccfb5d5

SHA512
ba521e2f57d7e1db19445201948caa7af6d953e1c1340228934888f8ec05b8984ad492122d0bf0550b5e679614d8a713ecf68f91916ffa6e5d8f75bf003aae39

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Caches
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
C:\Users\Admin\AppData\Local\Temp\53b4dde3-ceef-4149-b63d-4b67cc36c3e9\GunaDotNetRT.dll
Filesize
136KB

MD5
9af5eb006bb0bab7f226272d82c896c7

SHA1
c2a5bb42a5f08f4dc821be374b700652262308f0

SHA256
77dc05a6bda90757f66552ee3f469b09f1e00732b4edca0f542872fb591ed9db

SHA512
7badd41be4c1039302fda9bba19d374ec9446ce24b7db33b66bee4ef38180d1abcd666d2aea468e7e452aa1e1565eedfefed582bf1c2fe477a4171d99d48772a

Download Submit
C:\Users\Admin\AppData\Local\Temp\yygmjm.exe
Filesize
2.8MB

MD5
2f882939851c958a2c80b867374d0ae2

SHA1
aa23fb1c9a5dcd29527504c0b4981dcd55315e60

SHA256
5f9ec6ecb549370a6f55a69590d47755e01e805f691e8273e9d5008822b482cf

SHA512
1f22f2769c8eba0d6c32e84eb3aab9619972b83aa971b219031cf934d23a6e7527ea85e340e4d4d87c266b938af568fbd1a404b09d8056ffd10205b8dc5655cd

Download Submit
C:\Users\Admin\AppData\Local\Temp\yygmjm.exe
Filesize
2.8MB

MD5
2f882939851c958a2c80b867374d0ae2

SHA1
aa23fb1c9a5dcd29527504c0b4981dcd55315e60

SHA256
5f9ec6ecb549370a6f55a69590d47755e01e805f691e8273e9d5008822b482cf

SHA512
1f22f2769c8eba0d6c32e84eb3aab9619972b83aa971b219031cf934d23a6e7527ea85e340e4d4d87c266b938af568fbd1a404b09d8056ffd10205b8dc5655cd

Download Submit
C:\Users\Admin\AppData\Roaming\Luxury Shield 7.1.exe
Filesize
7.5MB

MD5
9502776952e6900ae1f98934004b4293

SHA1
3905f80a539d37c648a5da1cc6dace16d3516c2c

SHA256
d8ca879cf734c21b84e3983a9245c4da2b38cfe23b1691e4ca265286c3782b1f

SHA512
cbef89e577c883283ce3e9bb48e2ba9eda010e40e6cb1a383d99e32b728a9553cdb83e0831c0bff961fd271cee4eab921f53c97d9412e87bec4d0498400b5fbb

Download Submit
C:\Users\Admin\AppData\Roaming\Luxury Shield 7.1.exe
Filesize
7.5MB

MD5
9502776952e6900ae1f98934004b4293

SHA1
3905f80a539d37c648a5da1cc6dace16d3516c2c

SHA256
d8ca879cf734c21b84e3983a9245c4da2b38cfe23b1691e4ca265286c3782b1f

SHA512
cbef89e577c883283ce3e9bb48e2ba9eda010e40e6cb1a383d99e32b728a9553cdb83e0831c0bff961fd271cee4eab921f53c97d9412e87bec4d0498400b5fbb

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\%startupname%.lnk
Filesize
1KB

MD5
e35afe0d233cd1c128fa0ac43b2ad4ae

SHA1
be3d586fb86f268b00b97b0a53304aec38d230df

SHA256
7f291f36933a5a1beb23bbe79d4b6e00d4b3a6c05d2515fc26e84fad88a24d6d

SHA512
b9f0667ee4beb2f8618b463e4b31c32d983c00f9639b49060d3cb24191f588992a1c52df103a38518208b1e82022729a1459dfa068dbdbab9b15469904f5bbb0

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\%startupname%.lnk
Filesize
1KB

MD5
e35afe0d233cd1c128fa0ac43b2ad4ae

SHA1
be3d586fb86f268b00b97b0a53304aec38d230df

SHA256
7f291f36933a5a1beb23bbe79d4b6e00d4b3a6c05d2515fc26e84fad88a24d6d

SHA512
b9f0667ee4beb2f8618b463e4b31c32d983c00f9639b49060d3cb24191f588992a1c52df103a38518208b1e82022729a1459dfa068dbdbab9b15469904f5bbb0

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\%startupname%.lnk
Filesize
1KB

MD5
e35afe0d233cd1c128fa0ac43b2ad4ae

SHA1
be3d586fb86f268b00b97b0a53304aec38d230df

SHA256
7f291f36933a5a1beb23bbe79d4b6e00d4b3a6c05d2515fc26e84fad88a24d6d

SHA512
b9f0667ee4beb2f8618b463e4b31c32d983c00f9639b49060d3cb24191f588992a1c52df103a38518208b1e82022729a1459dfa068dbdbab9b15469904f5bbb0

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\%startupname%.lnk
Filesize
1KB

MD5
e35afe0d233cd1c128fa0ac43b2ad4ae

SHA1
be3d586fb86f268b00b97b0a53304aec38d230df

SHA256
7f291f36933a5a1beb23bbe79d4b6e00d4b3a6c05d2515fc26e84fad88a24d6d

SHA512
b9f0667ee4beb2f8618b463e4b31c32d983c00f9639b49060d3cb24191f588992a1c52df103a38518208b1e82022729a1459dfa068dbdbab9b15469904f5bbb0

Download Submit
C:\Users\Admin\AppData\Roaming\svchost.exe
Filesize
2.6MB

MD5
4c385cea78fa5903f1c71616a851de7e

SHA1
aeb9d75b994d4e06293d8ea4d6e60ee10a0a0efd

SHA256
b7fecc6beac5453e91f3fa8f3f5a2f99c62b31bfdb88d6b6615667b86dcb3765

SHA512
e9fd3f9ad360b1253d64a782e5d725b0f95eefb806ac9e54d6d3946441ad8c2d6395241dc73d92b0be18fc316423ebf8d456fdb9d3685fb35cdf114c9b01ec26

Download Submit
C:\Users\Admin\AppData\Roaming\svchost.exe
Filesize
2.6MB

MD5
4c385cea78fa5903f1c71616a851de7e

SHA1
aeb9d75b994d4e06293d8ea4d6e60ee10a0a0efd

SHA256
b7fecc6beac5453e91f3fa8f3f5a2f99c62b31bfdb88d6b6615667b86dcb3765

SHA512
e9fd3f9ad360b1253d64a782e5d725b0f95eefb806ac9e54d6d3946441ad8c2d6395241dc73d92b0be18fc316423ebf8d456fdb9d3685fb35cdf114c9b01ec26

Download Submit
C:\Users\Admin\AppData\Roaming\svchost.exe
Filesize
2.6MB

MD5
4c385cea78fa5903f1c71616a851de7e

SHA1
aeb9d75b994d4e06293d8ea4d6e60ee10a0a0efd

SHA256
b7fecc6beac5453e91f3fa8f3f5a2f99c62b31bfdb88d6b6615667b86dcb3765

SHA512
e9fd3f9ad360b1253d64a782e5d725b0f95eefb806ac9e54d6d3946441ad8c2d6395241dc73d92b0be18fc316423ebf8d456fdb9d3685fb35cdf114c9b01ec26

Download Submit
C:\Users\Admin\AppData\Roaming\svchost.exe
Filesize
2.6MB

MD5
4c385cea78fa5903f1c71616a851de7e

SHA1
aeb9d75b994d4e06293d8ea4d6e60ee10a0a0efd

SHA256
b7fecc6beac5453e91f3fa8f3f5a2f99c62b31bfdb88d6b6615667b86dcb3765

SHA512
e9fd3f9ad360b1253d64a782e5d725b0f95eefb806ac9e54d6d3946441ad8c2d6395241dc73d92b0be18fc316423ebf8d456fdb9d3685fb35cdf114c9b01ec26

Download Submit
C:\Users\Admin\AppData\Roaming\svchost.exe
Filesize
2.6MB

MD5
4c385cea78fa5903f1c71616a851de7e

SHA1
aeb9d75b994d4e06293d8ea4d6e60ee10a0a0efd

SHA256
b7fecc6beac5453e91f3fa8f3f5a2f99c62b31bfdb88d6b6615667b86dcb3765

SHA512
e9fd3f9ad360b1253d64a782e5d725b0f95eefb806ac9e54d6d3946441ad8c2d6395241dc73d92b0be18fc316423ebf8d456fdb9d3685fb35cdf114c9b01ec26

Download Submit
C:\Users\Admin\AppData\Roaming\svchost.exe
Filesize
2.6MB

MD5
4c385cea78fa5903f1c71616a851de7e

SHA1
aeb9d75b994d4e06293d8ea4d6e60ee10a0a0efd

SHA256
b7fecc6beac5453e91f3fa8f3f5a2f99c62b31bfdb88d6b6615667b86dcb3765

SHA512
e9fd3f9ad360b1253d64a782e5d725b0f95eefb806ac9e54d6d3946441ad8c2d6395241dc73d92b0be18fc316423ebf8d456fdb9d3685fb35cdf114c9b01ec26

Download Submit
C:\Users\Admin\AppData\Roaming\svchost.exe
Filesize
2.6MB

MD5
4c385cea78fa5903f1c71616a851de7e

SHA1
aeb9d75b994d4e06293d8ea4d6e60ee10a0a0efd

SHA256
b7fecc6beac5453e91f3fa8f3f5a2f99c62b31bfdb88d6b6615667b86dcb3765

SHA512
e9fd3f9ad360b1253d64a782e5d725b0f95eefb806ac9e54d6d3946441ad8c2d6395241dc73d92b0be18fc316423ebf8d456fdb9d3685fb35cdf114c9b01ec26

Download Submit
C:\Users\Admin\AppData\Roaming\svchost.exe
Filesize
2.6MB

MD5
4c385cea78fa5903f1c71616a851de7e

SHA1
aeb9d75b994d4e06293d8ea4d6e60ee10a0a0efd

SHA256
b7fecc6beac5453e91f3fa8f3f5a2f99c62b31bfdb88d6b6615667b86dcb3765

SHA512
e9fd3f9ad360b1253d64a782e5d725b0f95eefb806ac9e54d6d3946441ad8c2d6395241dc73d92b0be18fc316423ebf8d456fdb9d3685fb35cdf114c9b01ec26

Download Submit
C:\Users\Admin\AppData\Roaming\svchost.exe
Filesize
2.6MB

MD5
4c385cea78fa5903f1c71616a851de7e

SHA1
aeb9d75b994d4e06293d8ea4d6e60ee10a0a0efd

SHA256
b7fecc6beac5453e91f3fa8f3f5a2f99c62b31bfdb88d6b6615667b86dcb3765

SHA512
e9fd3f9ad360b1253d64a782e5d725b0f95eefb806ac9e54d6d3946441ad8c2d6395241dc73d92b0be18fc316423ebf8d456fdb9d3685fb35cdf114c9b01ec26

Download Submit
C:\Users\Admin\AppData\Roaming\svchost.exe
Filesize
2.6MB

MD5
4c385cea78fa5903f1c71616a851de7e

SHA1
aeb9d75b994d4e06293d8ea4d6e60ee10a0a0efd

SHA256
b7fecc6beac5453e91f3fa8f3f5a2f99c62b31bfdb88d6b6615667b86dcb3765

SHA512
e9fd3f9ad360b1253d64a782e5d725b0f95eefb806ac9e54d6d3946441ad8c2d6395241dc73d92b0be18fc316423ebf8d456fdb9d3685fb35cdf114c9b01ec26

Download Submit
C:\Users\Admin\Downloads\Luxury Shield 7.1.rar
Filesize
9.7MB

MD5
ea4577de360be1f44ea2eeffb836b7fa

SHA1
9935f2b17275dbf6e4ceedc6919ebbd060471e30

SHA256
74ace658fbbd8b8d9a602e1a191d230c8c9039684d16e9b1183868c173d0de52

SHA512
6ec4ded5b24934e69de62de86048d3d02fccf04a912dd6503f10cf2c9f86bfd7be1ae98f04540b47c27f4dd30e1b973680fca9197828dbc376e4986bee89726e

Download Submit
C:\Users\Admin\Downloads\Luxury Shield 7.1\Luxury Shield 7.1.exe
Filesize
10.4MB

MD5
7da08bb44a74d40e588cd8a0200c4917

SHA1
1362eec3dd846d5f99d39e1a8add8e8965447a64

SHA256
7b70dfbab96df3d99b9b5922ad0baeaa3fd6b16774a3e11d783fa67c379368e8

SHA512
d09525c8968390ddcbd81c77c41d58bed992510e14ba6ef1533795c3b4b94c14bca403dd1707b56798e10a89583c2afdc27b910a6b4ce62d0e38fd2b18cb18c7

Download Submit
C:\Users\Admin\Downloads\Luxury Shield 7.1\Luxury Shield 7.1.exe
Filesize
10.4MB

MD5
7da08bb44a74d40e588cd8a0200c4917

SHA1
1362eec3dd846d5f99d39e1a8add8e8965447a64

SHA256
7b70dfbab96df3d99b9b5922ad0baeaa3fd6b16774a3e11d783fa67c379368e8

SHA512
d09525c8968390ddcbd81c77c41d58bed992510e14ba6ef1533795c3b4b94c14bca403dd1707b56798e10a89583c2afdc27b910a6b4ce62d0e38fd2b18cb18c7

Download Submit
C:\Users\Admin\Downloads\Luxury Shield 7.1\Luxury Shield 7.1\.rsrc\version.txt
Filesize
1KB

MD5
5b13e53649dba932f4a69924bc16c76f

SHA1
a9b1b46707f81548c055b26e69ebc89c47896aeb

SHA256
ee7918b182d6e86c4a60559525a317e91ed4cefeb58f4c3788a60db7f752879b

SHA512
0f3c5008ea3bb371fca8e63cb95b4e1fe2a32002d82102e084ecc832403304cddec0f46aa5f15bb52cbdbcdff132faff50efcdc23c8185d68bdc72409c75988e

Download Submit
C:\Users\Admin\Downloads\Luxury Shield 7.1\Pass to use.txt
Filesize
107B

MD5
f2b0d578a79ac19b492e04bc5a7050f7

SHA1
6210e3fec78230eb39649946a1cce41a980ed156

SHA256
78f53709cce69e858fbb201be13803e63d7e0aa84d7cabe1353ce4989c68eec7

SHA512
e1488c9d33160cd3f9ee112941978e746f37675b52f70956cd2c0cc8d5e6ac4657fb526dbf87ef9cbbf4d2679a2a001baa8289784ab17e10940750ca0664a624

Download Submit
\??\pipe\crashpad_5064_HPRICMNZEYEDLFFJ
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/1224-216-0x0000000000000000-mapping.dmp

Download
memory/2304-193-0x0000000000000000-mapping.dmp

Download
memory/2600-202-0x0000000000000000-mapping.dmp

Download
memory/2604-172-0x0000000000000000-mapping.dmp

Download
memory/2648-217-0x0000000000000000-mapping.dmp

Download
memory/2832-169-0x0000000012160000-0x00000000122E6000-memory.dmp

Filesize
1.5MB

Download
memory/2832-158-0x000000007F790000-0x000000007FB61000-memory.dmp

Filesize
3.8MB

Download
memory/2832-150-0x0000000000FD0000-0x0000000002330000-memory.dmp

Filesize
19.4MB

Download
memory/2832-159-0x0000000000FD0000-0x0000000002330000-memory.dmp

Filesize
19.4MB

Download
memory/2832-168-0x000000006F3B0000-0x000000006F3E7000-memory.dmp

Filesize
220KB

Download
memory/2832-161-0x0000000000FD0000-0x0000000000FD2000-memory.dmp

Filesize
8KB

Download
memory/2832-175-0x000000006F3B0000-0x000000006F3E7000-memory.dmp

Filesize
220KB

Download
memory/2832-162-0x0000000000FD0000-0x0000000002330000-memory.dmp

Filesize
19.4MB

Download
memory/2832-163-0x0000000000FD0000-0x0000000002330000-memory.dmp

Filesize
19.4MB

Download
memory/2832-146-0x000000007F790000-0x000000007FB61000-memory.dmp

Filesize
3.8MB

Download
memory/2832-164-0x000000000B7B0000-0x000000000B7BA000-memory.dmp

Filesize
40KB

Download
memory/2832-165-0x000000000B9F0000-0x000000000BA46000-memory.dmp

Filesize
344KB

Download
memory/2832-197-0x0000000000FD0000-0x0000000002330000-memory.dmp

Filesize
19.4MB

Download
memory/2832-182-0x000000000B80A000-0x000000000B80F000-memory.dmp

Filesize
20KB

Download
memory/2832-198-0x000000000B80A000-0x000000000B80F000-memory.dmp

Filesize
20KB

Download
memory/2832-196-0x000000007F790000-0x000000007FB61000-memory.dmp

Filesize
3.8MB

Download
memory/2832-167-0x0000000072BB0000-0x0000000072C39000-memory.dmp

Filesize
548KB

Download
memory/2832-143-0x0000000000000000-mapping.dmp

Download
memory/2832-187-0x000000000B80A000-0x000000000B80F000-memory.dmp

Filesize
20KB

Download
memory/3456-214-0x0000000000000000-mapping.dmp

Download
memory/3468-140-0x0000000000000000-mapping.dmp

Download
memory/3468-149-0x0000000005A00000-0x0000000005A9C000-memory.dmp

Filesize
624KB

Download
memory/3468-147-0x0000000000690000-0x000000000093C000-memory.dmp

Filesize
2.7MB

Download
memory/3468-151-0x0000000006050000-0x00000000065F4000-memory.dmp

Filesize
5.6MB

Download
memory/3484-157-0x0000000006A20000-0x0000000006A86000-memory.dmp

Filesize
408KB

Download
memory/3484-160-0x0000000007560000-0x00000000075F2000-memory.dmp

Filesize
584KB

Download
memory/3484-153-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/3484-152-0x0000000000000000-mapping.dmp

Download
memory/3900-176-0x0000000000000000-mapping.dmp

Download
memory/3900-179-0x0000000000E80000-0x0000000001146000-memory.dmp

Filesize
2.8MB

Download
memory/4016-189-0x0000000000000000-mapping.dmp

Download
memory/4172-156-0x0000000000000000-mapping.dmp

Download
memory/4212-148-0x00007FF9CA150000-0x00007FF9CAC11000-memory.dmp

Filesize
10.8MB

Download
memory/4212-138-0x0000000000C50000-0x00000000016B8000-memory.dmp

Filesize
10.4MB

Download
memory/4212-139-0x00007FF9CA150000-0x00007FF9CAC11000-memory.dmp

Filesize
10.8MB

Download
memory/4908-181-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/4908-207-0x00000000068C0000-0x0000000006936000-memory.dmp

Filesize
472KB

Download
memory/4908-208-0x0000000006A10000-0x0000000006A2E000-memory.dmp

Filesize
120KB

Download
memory/4908-206-0x0000000006AD0000-0x0000000006FFC000-memory.dmp

Filesize
5.2MB

Download
memory/4908-205-0x00000000063D0000-0x0000000006592000-memory.dmp

Filesize
1.8MB

Download
memory/4908-211-0x0000000007250000-0x00000000072A0000-memory.dmp

Filesize
320KB

Download
memory/4908-186-0x00000000052A0000-0x00000000053AA000-memory.dmp

Filesize
1.0MB

Download
memory/4908-185-0x0000000004FE0000-0x000000000501C000-memory.dmp

Filesize
240KB

Download
memory/4908-184-0x0000000004F80000-0x0000000004F92000-memory.dmp

Filesize
72KB

Download
memory/4908-183-0x00000000056E0000-0x0000000005CF8000-memory.dmp

Filesize
6.1MB

Download
memory/4908-180-0x0000000000000000-mapping.dmp

Download