Analysis
max time kernel: 305s
max time network: 310s
platform: windows10-2004_x64
resource: win10v2004-20221111-en
resource tags: arch:x64, arch:x86, image:win10v2004-20221111-en, locale:en-us, os:windows10-2004-x64, system
submitted: 17-02-2023 23:22

Static task: static1
URLScan task: urlscan1
Behavioral task: behavioral1
Sample: https://anonfiles.com/U9u1T4Wbyd/Luxury_Shield_7.1_rar
Resource: win10v2004-20221111-en
General
Target: https://anonfiles.com/U9u1T4Wbyd/Luxury_Shield_7.1_rar

Malware Config
Extracted
Family: redline
Botnet: cheat
C2: ekinox.myftp.biz:3081
Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.

RedLine payload 1 IoCs
Processes:
resource | yara_rule
behavioral1/memory/4908-181-0x0000000000400000-0x000000000041E000-memory.dmp | family_redline

SectopRAT payload 1 IoCs
Processes:
resource | yara_rule
behavioral1/memory/4908-181-0x0000000000400000-0x000000000041E000-memory.dmp | family_sectoprat

Checks computer location settings 2 TTPs 2 IoCs
Looks up country code configured in the registry, likely geofence.
Processes:
description | ioc | process
Key value queried | \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Control Panel\International\Geo\Nation | Luxury Shield 7.1.exe
Key value queried | \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Control Panel\International\Geo\Nation | svchost.exe

Drops startup file 7 IoCs
Processes:
description | ioc | process
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\%startupname%.lnk | svchost.exe
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\%startupname%.lnk | svchost.exe
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\%startupname%.lnk | svchost.exe
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\%startupname%.lnk | svchost.exe
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.lnk | svchost.exe
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.lnk | svchost.exe
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\%startupname%.lnk | svchost.exe

Executes dropped EXE 15 IoCs
Processes:
pid | process
4212 | Luxury Shield 7.1.exe
3468 | svchost.exe
2832 | Luxury Shield 7.1.exe
3484 | svchost.exe
1824 | svchost.exe
2604 | svchost.exe
3900 | yygmjm.exe
4016 | ChromeRecovery.exe
1976 | svchost.exe
2304 | svchost.exe
1120 | svchost.exe
2600 | svchost.exe
180 | svchost.exe
3456 | svchost.exe
2648 | All-In-One.exe

Loads dropped DLL 2 IoCs
Processes:
pid | process
2832 | Luxury Shield 7.1.exe
2648 | All-In-One.exe
Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.

Reads local data of messenger clients 2 TTPs
Infostealers often target stored data of messaging applications, which can include saved credentials and account information.

Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk, where infostealers often target it.

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.

Accesses Microsoft Outlook accounts 1 TTPs 1 IoCs
Processes:
description | ioc | process
Key opened | \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts | All-In-One.exe

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs

Adds Run key to start application 2 TTPs 1 IoCs
Processes:
description | ioc | process
Set value (str) | \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\svchost = "C:\\Users\\Admin\\AppData\\Roaming\\svchost.exe" | svchost.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
Suspicious use of NtSetInformationThreadHideFromDebugger 10 IoCs
Processes:
pid | process | entries
2832 | Luxury Shield 7.1.exe | 10

Suspicious use of SetThreadContext 6 IoCs
Processes:
description | pid | process | target process
PID 3468 set thread context of 3484 | 3468 | svchost.exe | svchost.exe
PID 1824 set thread context of 2604 | 1824 | svchost.exe | svchost.exe
PID 3900 set thread context of 4908 | 3900 | yygmjm.exe | RegAsm.exe
PID 1976 set thread context of 2304 | 1976 | svchost.exe | svchost.exe
PID 1120 set thread context of 2600 | 1120 | svchost.exe | svchost.exe
PID 180 set thread context of 3456 | 180 | svchost.exe | svchost.exe

Drops file in Program Files directory 9 IoCs
Processes:
description | ioc | process
File opened for modification | C:\Program Files\Google\Chrome\Application\89.0.4389.114\Luxury Shield 7.1\Pass to use.txt | chrome.exe
File opened for modification | C:\Program Files\Google\Chrome\ChromeRecovery\scoped_dir1488_222374399\ChromeRecovery.exe | elevation_service.exe
File created | C:\Program Files\Google\Chrome\ChromeRecovery\scoped_dir1488_222374399\manifest.json | elevation_service.exe
File opened for modification | C:\Program Files\Google\Chrome\ChromeRecovery\scoped_dir1488_222374399\manifest.json | elevation_service.exe
File opened for modification | C:\Program Files\Google\Chrome\Application\89.0.4389.114\Luxury Shield 7.1\Luxury Shield 7.1.exe | chrome.exe
File created | C:\Program Files\Google\Chrome\ChromeRecovery\scoped_dir1488_222374399\ChromeRecoveryCRX.crx | elevation_service.exe
File created | C:\Program Files\Google\Chrome\ChromeRecovery\scoped_dir1488_222374399\ChromeRecovery.exe | elevation_service.exe
File created | C:\Program Files\Google\Chrome\ChromeRecovery\scoped_dir1488_222374399\_metadata\verified_contents.json | elevation_service.exe
File opened for modification | C:\Program Files\Google\Chrome\ChromeRecovery\scoped_dir1488_222374399\_metadata\verified_contents.json | elevation_service.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.

Enumerates system info in registry 2 TTPs 3 IoCs
Processes:
description | ioc | process
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | chrome.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | chrome.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | chrome.exe

Modifies registry class 1 IoCs
Processes:
description | ioc | process
Key created | \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000_Classes\Local Settings | chrome.exe
Suspicious behavior: EnumeratesProcesses 45 IoCs
Processes (consecutive identical rows collapsed; count in the last column):
pid | process | entries
456 | chrome.exe | 2
5064 | chrome.exe | 2
3388 | chrome.exe | 2
5056 | chrome.exe | 2
220 | chrome.exe | 2
3208 | chrome.exe | 2
3888 | chrome.exe | 2
3576 | chrome.exe | 2
640 | chrome.exe | 2
2832 | Luxury Shield 7.1.exe | 6
2012 | chrome.exe | 4
2832 | Luxury Shield 7.1.exe | 12
4908 | RegAsm.exe | 3
2648 | All-In-One.exe | 2

Suspicious behavior: GetForegroundWindowSpam 1 IoCs
Processes:
pid | process
4012 | 7zFM.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 6 IoCs
Processes:
pid | process | entries
5064 | chrome.exe | 6

Suspicious use of AdjustPrivilegeToken 27 IoCs
Processes:
description | pid | process
Token: SeRestorePrivilege | 3484 | 7zG.exe
Token: 35 | 3484 | 7zG.exe
Token: SeSecurityPrivilege | 3484 | 7zG.exe
Token: SeSecurityPrivilege | 3484 | 7zG.exe
Token: SeDebugPrivilege | 3484 | svchost.exe
Token: SeRestorePrivilege | 4936 | 7zG.exe
Token: 35 | 4936 | 7zG.exe
Token: SeSecurityPrivilege | 4936 | 7zG.exe
Token: SeSecurityPrivilege | 4936 | 7zG.exe
Token: SeDebugPrivilege | 2604 | svchost.exe
Token: SeDebugPrivilege | 2832 | Luxury Shield 7.1.exe
Token: SeDebugPrivilege | 4908 | RegAsm.exe
Token: SeBackupPrivilege | 3632 | svchost.exe
Token: SeRestorePrivilege | 3632 | svchost.exe
Token: SeSecurityPrivilege | 3632 | svchost.exe
Token: SeTakeOwnershipPrivilege | 3632 | svchost.exe
Token: 35 | 3632 | svchost.exe
Token: SeDebugPrivilege | 2304 | svchost.exe
Token: SeRestorePrivilege | 4176 | 7zG.exe
Token: 35 | 4176 | 7zG.exe
Token: SeSecurityPrivilege | 4176 | 7zG.exe
Token: SeSecurityPrivilege | 4176 | 7zG.exe
Token: SeDebugPrivilege | 2600 | svchost.exe
Token: SeRestorePrivilege | 4012 | 7zFM.exe
Token: 35 | 4012 | 7zFM.exe
Token: SeDebugPrivilege | 3456 | svchost.exe
Token: SeDebugPrivilege | 2648 | All-In-One.exe

Suspicious use of FindShellTrayWindow 50 IoCs
Processes (consecutive identical rows collapsed; count in the last column):
pid | process | entries
5064 | chrome.exe | 46
3484 | 7zG.exe | 1
4936 | 7zG.exe | 1
4176 | 7zG.exe | 1
4012 | 7zFM.exe | 1

Suspicious use of SendNotifyMessage 24 IoCs
Processes:
pid | process | entries
5064 | chrome.exe | 24

Suspicious use of SetWindowsHookEx 5 IoCs
Processes:
pid | process | entries
2832 | Luxury Shield 7.1.exe | 3
2648 | All-In-One.exe | 2

Suspicious use of WriteProcessMemory 64 IoCs
Processes (consecutive identical rows collapsed; count in the last column):
description | pid | process | target process | entries
PID 5064 wrote to memory of 4992 | 5064 | chrome.exe | chrome.exe | 2
PID 5064 wrote to memory of 1512 | 5064 | chrome.exe | chrome.exe | 40
PID 5064 wrote to memory of 456 | 5064 | chrome.exe | chrome.exe | 2
PID 5064 wrote to memory of 1424 | 5064 | chrome.exe | chrome.exe | 20
Processes (child processes are indented beneath their parent; each entry gives the image path, then the command line, then the signatures that fired)

C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" https://anonfiles.com/U9u1T4Wbyd/Luxury_Shield_7.1_rar
  - Enumerates system info in registry
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory

    C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=89.0.4389.114 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff9cf044f50,0x7ff9cf044f60,0x7ff9cf044f70

    C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --field-trial-handle=1632,13496584689709520936,6158520045705116652,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1700 /prefetch:2

    C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1632,13496584689709520936,6158520045705116652,131072 --lang=en-US --service-sandbox-type=network --mojo-platform-channel-handle=2028 /prefetch:8
      - Suspicious behavior: EnumeratesProcesses

    C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1632,13496584689709520936,6158520045705116652,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2324 /prefetch:8

    C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1632,13496584689709520936,6158520045705116652,131072 --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3044 /prefetch:1

    C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1632,13496584689709520936,6158520045705116652,131072 --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3052 /prefetch:1

    C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1632,13496584689709520936,6158520045705116652,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4656 /prefetch:8

    C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1632,13496584689709520936,6158520045705116652,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4664 /prefetch:1

    C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1632,13496584689709520936,6158520045705116652,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5184 /prefetch:8

    C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1632,13496584689709520936,6158520045705116652,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5100 /prefetch:8
      - Suspicious behavior: EnumeratesProcesses

    C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1632,13496584689709520936,6158520045705116652,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5112 /prefetch:8

    C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1632,13496584689709520936,6158520045705116652,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5404 /prefetch:8

    C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1632,13496584689709520936,6158520045705116652,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5196 /prefetch:8

    C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1632,13496584689709520936,6158520045705116652,131072 --disable-gpu-compositing --lang=en-US --extension-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3176 /prefetch:1

    C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1632,13496584689709520936,6158520045705116652,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5496 /prefetch:1

    C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1632,13496584689709520936,6158520045705116652,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4656 /prefetch:8
      - Suspicious behavior: EnumeratesProcesses

    C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.FileUtilService --field-trial-handle=1632,13496584689709520936,6158520045705116652,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5016 /prefetch:8
      - Drops file in Program Files directory

    C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1632,13496584689709520936,6158520045705116652,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5364 /prefetch:1

    C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1632,13496584689709520936,6158520045705116652,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5872 /prefetch:8
      - Suspicious behavior: EnumeratesProcesses

    C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1632,13496584689709520936,6158520045705116652,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5928 /prefetch:8
      - Suspicious behavior: EnumeratesProcesses

    C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1632,13496584689709520936,6158520045705116652,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2060 /prefetch:8
      - Suspicious behavior: EnumeratesProcesses

    C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1632,13496584689709520936,6158520045705116652,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4448 /prefetch:8
      - Suspicious behavior: EnumeratesProcesses

    C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1632,13496584689709520936,6158520045705116652,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=812 /prefetch:8

    C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1632,13496584689709520936,6158520045705116652,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5880 /prefetch:8
      - Suspicious behavior: EnumeratesProcesses

    C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1632,13496584689709520936,6158520045705116652,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4776 /prefetch:8

    C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1632,13496584689709520936,6158520045705116652,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4920 /prefetch:8

    C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1632,13496584689709520936,6158520045705116652,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2636 /prefetch:8

    C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1632,13496584689709520936,6158520045705116652,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4652 /prefetch:8

    C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --field-trial-handle=1632,13496584689709520936,6158520045705116652,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=5140 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=SAAAAAAAAADoAAAwAAAAAAAAAAAAAAAAAABgAAAQAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=4776 /prefetch:2
      - Suspicious behavior: EnumeratesProcesses

    C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1632,13496584689709520936,6158520045705116652,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=212 /prefetch:8

    C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1632,13496584689709520936,6158520045705116652,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5644 /prefetch:8

    C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1632,13496584689709520936,6158520045705116652,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4816 /prefetch:8

    C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1632,13496584689709520936,6158520045705116652,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4816 /prefetch:8

    C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1632,13496584689709520936,6158520045705116652,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4504 /prefetch:8

    C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1632,13496584689709520936,6158520045705116652,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=6048 /prefetch:8

    C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1632,13496584689709520936,6158520045705116652,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4448 /prefetch:8

    C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1632,13496584689709520936,6158520045705116652,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4552 /prefetch:8

C:\Windows\System32\CompPkgSrv.exe
  C:\Windows\System32\CompPkgSrv.exe -Embedding

C:\Windows\System32\rundll32.exe
  C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding

C:\Program Files\7-Zip\7zG.exe
  "C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Downloads\Luxury Shield 7.1\" -spe -an -ai#7zMap3998:96:7zEvent29097
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow

C:\Windows\system32\NOTEPAD.EXE
  "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Downloads\Luxury Shield 7.1\Pass to use.txt

C:\Users\Admin\Downloads\Luxury Shield 7.1\Luxury Shield 7.1.exe
  "C:\Users\Admin\Downloads\Luxury Shield 7.1\Luxury Shield 7.1.exe"
  - Checks computer location settings
  - Executes dropped EXE

    C:\Users\Admin\AppData\Roaming\svchost.exe
      "C:\Users\Admin\AppData\Roaming\svchost.exe"
      - Drops startup file
      - Executes dropped EXE
      - Suspicious use of SetThreadContext

        C:\Users\Admin\AppData\Roaming\svchost.exe
          "C:\Users\Admin\AppData\Roaming\svchost.exe"
          - Checks computer location settings
          - Drops startup file
          - Executes dropped EXE
          - Adds Run key to start application
          - Suspicious use of AdjustPrivilegeToken

            C:\Windows\SysWOW64\schtasks.exe
              "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "svchost" /tr "C:\Users\Admin\AppData\Roaming\svchost.exe"
              - Creates scheduled task(s)

            C:\Users\Admin\AppData\Local\Temp\yygmjm.exe
              "C:\Users\Admin\AppData\Local\Temp\yygmjm.exe"
              - Executes dropped EXE
              - Suspicious use of SetThreadContext

                C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
                  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
                  - Suspicious behavior: EnumeratesProcesses
                  - Suspicious use of AdjustPrivilegeToken

            C:\Windows\SysWOW64\cmd.exe
              "C:\Windows\System32\cmd.exe" /c Cd %temp% && All-In-One.exe OutPut.json

                C:\Users\Admin\AppData\Local\Temp\All-In-One.exe
                  All-In-One.exe OutPut.json
                  - Executes dropped EXE
                  - Loads dropped DLL
                  - Accesses Microsoft Outlook accounts
                  - Suspicious behavior: EnumeratesProcesses
                  - Suspicious use of AdjustPrivilegeToken
                  - Suspicious use of SetWindowsHookEx

    C:\Users\Admin\AppData\Roaming\Luxury Shield 7.1.exe
      "C:\Users\Admin\AppData\Roaming\Luxury Shield 7.1.exe"
      - Executes dropped EXE
      - Loads dropped DLL
      - Suspicious use of NtSetInformationThreadHideFromDebugger
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of SetWindowsHookEx

C:\Windows\system32\NOTEPAD.EXE
  "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Downloads\Luxury Shield 7.1\Pass to use.txt

C:\Program Files\7-Zip\7zG.exe
  "C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Downloads\Luxury Shield 7.1\Luxury Shield 7.1\" -spe -an -ai#7zMap17061:132:7zEvent4408
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow

C:\Users\Admin\AppData\Roaming\svchost.exe
  C:\Users\Admin\AppData\Roaming\svchost.exe
  - Drops startup file
  - Executes dropped EXE
  - Suspicious use of SetThreadContext

    C:\Users\Admin\AppData\Roaming\svchost.exe
      "C:\Users\Admin\AppData\Roaming\svchost.exe"
      - Executes dropped EXE
      - Suspicious use of AdjustPrivilegeToken

C:\Windows\system32\svchost.exe
  C:\Windows\system32\svchost.exe -k SDRSVC
  - Suspicious use of AdjustPrivilegeToken

C:\Program Files\Google\Chrome\Application\89.0.4389.114\elevation_service.exe
  "C:\Program Files\Google\Chrome\Application\89.0.4389.114\elevation_service.exe"
  - Drops file in Program Files directory

    C:\Program Files\Google\Chrome\ChromeRecovery\scoped_dir1488_222374399\ChromeRecovery.exe
      "C:\Program Files\Google\Chrome\ChromeRecovery\scoped_dir1488_222374399\ChromeRecovery.exe" --appguid={8A69D345-D564-463c-AFF1-A69D9E530F96} --browser-version=89.0.4389.114 --sessionid={45240538-beaa-4f32-be36-89ff48774f7f} --system
- Executes dropped EXE
-
C:\Users\Admin\AppData\Roaming\svchost.exeC:\Users\Admin\AppData\Roaming\svchost.exe1⤵
- Drops startup file
- Executes dropped EXE
- Suspicious use of SetThreadContext
-
C:\Users\Admin\AppData\Roaming\svchost.exe"C:\Users\Admin\AppData\Roaming\svchost.exe"2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
C:\Program Files\7-Zip\7zG.exe"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Downloads\Luxury Shield 7.1\" -an -ai#7zMap32278:132:7zEvent138461⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
-
C:\Windows\system32\NOTEPAD.EXE"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Downloads\Luxury Shield 7.1\Luxury Shield 7.1\.rsrc\version.txt1⤵
-
C:\Users\Admin\AppData\Roaming\svchost.exeC:\Users\Admin\AppData\Roaming\svchost.exe1⤵
- Drops startup file
- Executes dropped EXE
- Suspicious use of SetThreadContext
-
C:\Users\Admin\AppData\Roaming\svchost.exe"C:\Users\Admin\AppData\Roaming\svchost.exe"2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\NOTEPAD.EXE"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Downloads\Luxury Shield 7.1\Pass to use.txt1⤵
-
C:\Program Files\7-Zip\7zFM.exe"C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\Downloads\Luxury Shield 7.1\Luxury Shield 7.1.exe"1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
-
C:\Users\Admin\AppData\Roaming\svchost.exeC:\Users\Admin\AppData\Roaming\svchost.exe1⤵
- Drops startup file
- Executes dropped EXE
- Suspicious use of SetThreadContext
-
C:\Users\Admin\AppData\Roaming\svchost.exe"C:\Users\Admin\AppData\Roaming\svchost.exe"2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads

C:\Program Files\Google\Chrome\ChromeRecovery\scoped_dir1488_222374399\ChromeRecovery.exe  (253KB)
  MD5     49ac3c96d270702a27b4895e4ce1f42a
  SHA1    55b90405f1e1b72143c64113e8bc65608dd3fd76
  SHA256  82aa3fd6a25cda9e16689cfadea175091be010cecae537e517f392e0bef5ba0f
  SHA512  b62f6501cb4c992d42d9097e356805c88ac4ac5a46ead4a8eee9f8cbae197b2305da8aab5b4a61891fe73951588025f2d642c32524b360687993f98c913138a0

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cookies  (20KB)
  MD5     dcaa8d3d344a2d7743e0ce292fc1ee4b
  SHA1    bb988681e0a1842dc6b83b1dd91927af2aa679d4
  SHA256  a4a808cfd5a918fff9d224e44fcd279e6bbc58c0661bb07149a8c9049972bbff
  SHA512  57715b1f2ae90e97fee9659669d61367b08732357e03b18c99da1c33659d8d823994bc21a6767946007d2d2839add9fad184634d48b0a6098f77c6cb559e5d31

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State  (114KB)
  MD5     fc93f6160ffed8193dca473a247adfaa
  SHA1    6b54a42756474207aded89a117e0f8efb59c0bbc
  SHA256  53581298310af778ce66666148a2ce5c1f166c5d64a87c4b07e4350cc67462c7
  SHA512  74e6453ae6eb5915b6f732aab3adc77dddcac065ad1008644c2e3f804b2f7012196728f627030c0d92f2cdaebf71fe1266020ac2ed4b14ba463a6d13367af40f

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\RecoveryImproved\1.3.36.141\Recovery.crx3  (141KB)
  MD5     ea1c1ffd3ea54d1fb117bfdbb3569c60
  SHA1    10958b0f690ae8f5240e1528b1ccffff28a33272
  SHA256  7c3a6a7d16ac44c3200f572a764bce7d8fa84b9572dd028b15c59bdccbc0a77d
  SHA512  6c30728cac9eac53f0b27b7dbe2222da83225c3b63617d6b271a6cfedf18e8f0a8dffa1053e1cbc4c5e16625f4bbc0d03aa306a946c9d72faa4ceb779f8ffcaf

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\svchost.exe.log  (617B)
  MD5     99e770c0d4043aa84ef3d3cbc7723c25
  SHA1    19829c5c413fccba750a3357f938dfa94486acad
  SHA256  33c7dd4c852dae6462c701337f8e0a8647602847ccaee656fa6f1149cccfb5d5
  SHA512  ba521e2f57d7e1db19445201948caa7af6d953e1c1340228934888f8ec05b8984ad492122d0bf0550b5e679614d8a713ecf68f91916ffa6e5d8f75bf003aae39
  (A CLR usage log under CLR_v4.0_32 is written by the .NET Framework 4 runtime: the dropped svchost.exe executed as a 32-bit managed assembly.)

C:\Users\Admin\AppData\Local\Microsoft\Windows\Caches  (no size recorded)
  MD5     d41d8cd98f00b204e9800998ecf8427e
  SHA1    da39a3ee5e6b4b0d3255bfef95601890afd80709
  SHA256  e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
  SHA512  cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e
  (These are the digests of empty input: no content was captured for this path, so the values match every zero-byte file and are not usable as indicators.)

C:\Users\Admin\AppData\Local\Temp\53b4dde3-ceef-4149-b63d-4b67cc36c3e9\GunaDotNetRT.dll  (136KB)
  MD5     9af5eb006bb0bab7f226272d82c896c7
  SHA1    c2a5bb42a5f08f4dc821be374b700652262308f0
  SHA256  77dc05a6bda90757f66552ee3f469b09f1e00732b4edca0f542872fb591ed9db
  SHA512  7badd41be4c1039302fda9bba19d374ec9446ce24b7db33b66bee4ef38180d1abcd666d2aea468e7e452aa1e1565eedfefed582bf1c2fe477a4171d99d48772a

C:\Users\Admin\AppData\Local\Temp\yygmjm.exe  (2.8MB; recorded 2 times, identical hashes)
  MD5     2f882939851c958a2c80b867374d0ae2
  SHA1    aa23fb1c9a5dcd29527504c0b4981dcd55315e60
  SHA256  5f9ec6ecb549370a6f55a69590d47755e01e805f691e8273e9d5008822b482cf
  SHA512  1f22f2769c8eba0d6c32e84eb3aab9619972b83aa971b219031cf934d23a6e7527ea85e340e4d4d87c266b938af568fbd1a404b09d8056ffd10205b8dc5655cd

C:\Users\Admin\AppData\Roaming\Luxury Shield 7.1.exe  (7.5MB; recorded 2 times, identical hashes)
  MD5     9502776952e6900ae1f98934004b4293
  SHA1    3905f80a539d37c648a5da1cc6dace16d3516c2c
  SHA256  d8ca879cf734c21b84e3983a9245c4da2b38cfe23b1691e4ca265286c3782b1f
  SHA512  cbef89e577c883283ce3e9bb48e2ba9eda010e40e6cb1a383d99e32b728a9553cdb83e0831c0bff961fd271cee4eab921f53c97d9412e87bec4d0498400b5fbb

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\%startupname%.lnk  (1KB; recorded 4 times, identical hashes)
  MD5     e35afe0d233cd1c128fa0ac43b2ad4ae
  SHA1    be3d586fb86f268b00b97b0a53304aec38d230df
  SHA256  7f291f36933a5a1beb23bbe79d4b6e00d4b3a6c05d2515fc26e84fad88a24d6d
  SHA512  b9f0667ee4beb2f8618b463e4b31c32d983c00f9639b49060d3cb24191f588992a1c52df103a38518208b1e82022729a1459dfa068dbdbab9b15469904f5bbb0

C:\Users\Admin\AppData\Roaming\svchost.exe  (2.6MB; recorded 10 times, identical hashes)
  MD5     4c385cea78fa5903f1c71616a851de7e
  SHA1    aeb9d75b994d4e06293d8ea4d6e60ee10a0a0efd
  SHA256  b7fecc6beac5453e91f3fa8f3f5a2f99c62b31bfdb88d6b6615667b86dcb3765
  SHA512  e9fd3f9ad360b1253d64a782e5d725b0f95eefb806ac9e54d6d3946441ad8c2d6395241dc73d92b0be18fc316423ebf8d456fdb9d3685fb35cdf114c9b01ec26

C:\Users\Admin\Downloads\Luxury Shield 7.1.rar  (9.7MB)
  MD5     ea4577de360be1f44ea2eeffb836b7fa
  SHA1    9935f2b17275dbf6e4ceedc6919ebbd060471e30
  SHA256  74ace658fbbd8b8d9a602e1a191d230c8c9039684d16e9b1183868c173d0de52
  SHA512  6ec4ded5b24934e69de62de86048d3d02fccf04a912dd6503f10cf2c9f86bfd7be1ae98f04540b47c27f4dd30e1b973680fca9197828dbc376e4986bee89726e

C:\Users\Admin\Downloads\Luxury Shield 7.1\Luxury Shield 7.1.exe  (10.4MB; recorded 2 times, identical hashes)
  MD5     7da08bb44a74d40e588cd8a0200c4917
  SHA1    1362eec3dd846d5f99d39e1a8add8e8965447a64
  SHA256  7b70dfbab96df3d99b9b5922ad0baeaa3fd6b16774a3e11d783fa67c379368e8
  SHA512  d09525c8968390ddcbd81c77c41d58bed992510e14ba6ef1533795c3b4b94c14bca403dd1707b56798e10a89583c2afdc27b910a6b4ce62d0e38fd2b18cb18c7

C:\Users\Admin\Downloads\Luxury Shield 7.1\Luxury Shield 7.1\.rsrc\version.txt  (1KB)
  MD5     5b13e53649dba932f4a69924bc16c76f
  SHA1    a9b1b46707f81548c055b26e69ebc89c47896aeb
  SHA256  ee7918b182d6e86c4a60559525a317e91ed4cefeb58f4c3788a60db7f752879b
  SHA512  0f3c5008ea3bb371fca8e63cb95b4e1fe2a32002d82102e084ecc832403304cddec0f46aa5f15bb52cbdbcdff132faff50efcdc23c8185d68bdc72409c75988e

C:\Users\Admin\Downloads\Luxury Shield 7.1\Pass to use.txt  (107B)
  MD5     f2b0d578a79ac19b492e04bc5a7050f7
  SHA1    6210e3fec78230eb39649946a1cce41a980ed156
  SHA256  78f53709cce69e858fbb201be13803e63d7e0aa84d7cabe1353ce4989c68eec7
  SHA512  e1488c9d33160cd3f9ee112941978e746f37675b52f70956cd2c0cc8d5e6ac4657fb526dbf87ef9cbbf4d2679a2a001baa8289784ab17e10940750ca0664a624

\??\pipe\crashpad_5064_HPRICMNZEYEDLFFJ  (no size recorded)
  MD5     d41d8cd98f00b204e9800998ecf8427e
  SHA1    da39a3ee5e6b4b0d3255bfef95601890afd80709
  SHA256  e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
  SHA512  cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e
  (Digests of empty input, as for the Caches entry above: a named pipe has no file content to hash, so these values are not indicators.)
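Two of the entries above (the Caches path and the crashpad named pipe) carry the digests of empty input (MD5 d41d8cd98f00b204e9800998ecf8427e, SHA-256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855): the sandbox captured zero bytes for them, so they match every empty file and must be excluded before the list is used for hunting. The Python below is an added example for this page, not the sandbox's code: IOC_SHA256 is transcribed from the Downloads list above (SHA-256 only), and the hashing helpers and the empty-digest filter are the author's additions.

```python
"""Hash-based matching of files against the dropped-file indicators in this report.

Added example (not the sandbox's code). IOC_SHA256 is transcribed from the
Downloads list as label -> SHA-256; the helpers and the empty-digest filter
are the author's additions.
"""
import hashlib
import os

ALGOS = ("md5", "sha1", "sha256", "sha512")

IOC_SHA256 = {
    r"AppData\Roaming\svchost.exe":
        "b7fecc6beac5453e91f3fa8f3f5a2f99c62b31bfdb88d6b6615667b86dcb3765",
    r"AppData\Local\Temp\yygmjm.exe":
        "5f9ec6ecb549370a6f55a69590d47755e01e805f691e8273e9d5008822b482cf",
    r"AppData\Roaming\Luxury Shield 7.1.exe":
        "d8ca879cf734c21b84e3983a9245c4da2b38cfe23b1691e4ca265286c3782b1f",
    r"Downloads\Luxury Shield 7.1\Luxury Shield 7.1.exe":
        "7b70dfbab96df3d99b9b5922ad0baeaa3fd6b16774a3e11d783fa67c379368e8",
    r"Downloads\Luxury Shield 7.1.rar":
        "74ace658fbbd8b8d9a602e1a191d230c8c9039684d16e9b1183868c173d0de52",
    r"AppData\Local\Temp\53b4dde3-ceef-4149-b63d-4b67cc36c3e9\GunaDotNetRT.dll":
        "77dc05a6bda90757f66552ee3f469b09f1e00732b4edca0f542872fb591ed9db",
    r"Start Menu\Programs\Startup\%startupname%.lnk":
        "7f291f36933a5a1beb23bbe79d4b6e00d4b3a6c05d2515fc26e84fad88a24d6d",
    # Listed in the report with the digest of empty content (zero bytes captured).
    r"AppData\Local\Microsoft\Windows\Caches":
        "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855",
    r"\??\pipe\crashpad_5064_HPRICMNZEYEDLFFJ":
        "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855",
}

# SHA-256 of zero bytes; any indicator equal to it carries no information.
EMPTY_SHA256 = hashlib.sha256(b"").hexdigest()


def digest_bytes(data):
    """All four digests the report lists, for an in-memory blob."""
    return {a: hashlib.new(a, data).hexdigest() for a in ALGOS}


def digest_file(path, chunk_size=1 << 20):
    """Same digests for a file on disk, streamed so multi-megabyte drops are not read at once."""
    hashers = {a: hashlib.new(a) for a in ALGOS}
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk_size), b""):
            for h in hashers.values():
                h.update(block)
    return {a: h.hexdigest() for a, h in hashers.items()}


def usable_iocs(iocs=IOC_SHA256):
    """Drop indicators equal to the empty-content digest; they would match every zero-byte file."""
    return {label: h for label, h in iocs.items() if h.lower() != EMPTY_SHA256}


def match(digests, iocs=IOC_SHA256):
    """Labels of indicators whose SHA-256 equals the SHA-256 in `digests` (case-insensitive)."""
    sha = digests["sha256"].lower()
    return sorted(label for label, h in usable_iocs(iocs).items() if h.lower() == sha)


def scan_tree(root, iocs=IOC_SHA256):
    """Walk a directory and return (path, labels) for every file that matches an indicator."""
    hits = []
    for dirpath, _, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            try:
                labels = match(digest_file(path), iocs)
            except OSError:
                continue  # locked or unreadable file; skip rather than abort the sweep
            if labels:
                hits.append((path, labels))
    return hits


if __name__ == "__main__":
    import sys
    for path, labels in scan_tree(sys.argv[1] if len(sys.argv) > 1 else "."):
        print(path, "->", ", ".join(labels))
```

Run it against a user profile (`python iocscan.py C:\Users`) on a suspect host; matching on SHA-256 alone is sufficient because the report's MD5/SHA-1/SHA-512 values describe the same bytes. Note that the dropped svchost.exe was written ten times with one hash, so a single indicator covers all copies, whereas a hash hit on the .lnk only proves the shortcut file, not the target it points to.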
Memory dumps (PID-sequence-range; captured region size where recorded):

memory/1224-216-0x0000000000000000-mapping.dmp
memory/2304-193-0x0000000000000000-mapping.dmp
memory/2600-202-0x0000000000000000-mapping.dmp
memory/2604-172-0x0000000000000000-mapping.dmp
memory/2648-217-0x0000000000000000-mapping.dmp
memory/2832-169-0x0000000012160000-0x00000000122E6000-memory.dmp  1.5MB
memory/2832-158-0x000000007F790000-0x000000007FB61000-memory.dmp  3.8MB
memory/2832-150-0x0000000000FD0000-0x0000000002330000-memory.dmp  19.4MB
memory/2832-159-0x0000000000FD0000-0x0000000002330000-memory.dmp  19.4MB
memory/2832-168-0x000000006F3B0000-0x000000006F3E7000-memory.dmp  220KB
memory/2832-161-0x0000000000FD0000-0x0000000000FD2000-memory.dmp  8KB
memory/2832-175-0x000000006F3B0000-0x000000006F3E7000-memory.dmp  220KB
memory/2832-162-0x0000000000FD0000-0x0000000002330000-memory.dmp  19.4MB
memory/2832-163-0x0000000000FD0000-0x0000000002330000-memory.dmp  19.4MB
memory/2832-146-0x000000007F790000-0x000000007FB61000-memory.dmp  3.8MB
memory/2832-164-0x000000000B7B0000-0x000000000B7BA000-memory.dmp  40KB
memory/2832-165-0x000000000B9F0000-0x000000000BA46000-memory.dmp  344KB
memory/2832-197-0x0000000000FD0000-0x0000000002330000-memory.dmp  19.4MB
memory/2832-182-0x000000000B80A000-0x000000000B80F000-memory.dmp  20KB
memory/2832-198-0x000000000B80A000-0x000000000B80F000-memory.dmp  20KB
memory/2832-196-0x000000007F790000-0x000000007FB61000-memory.dmp  3.8MB
memory/2832-167-0x0000000072BB0000-0x0000000072C39000-memory.dmp  548KB
memory/2832-143-0x0000000000000000-mapping.dmp
memory/2832-187-0x000000000B80A000-0x000000000B80F000-memory.dmp  20KB
memory/3456-214-0x0000000000000000-mapping.dmp
memory/3468-140-0x0000000000000000-mapping.dmp
memory/3468-149-0x0000000005A00000-0x0000000005A9C000-memory.dmp  624KB
memory/3468-147-0x0000000000690000-0x000000000093C000-memory.dmp  2.7MB
memory/3468-151-0x0000000006050000-0x00000000065F4000-memory.dmp  5.6MB
memory/3484-157-0x0000000006A20000-0x0000000006A86000-memory.dmp  408KB
memory/3484-160-0x0000000007560000-0x00000000075F2000-memory.dmp  584KB
memory/3484-153-0x0000000000400000-0x0000000000416000-memory.dmp  88KB
memory/3484-152-0x0000000000000000-mapping.dmp
memory/3900-176-0x0000000000000000-mapping.dmp
memory/3900-179-0x0000000000E80000-0x0000000001146000-memory.dmp  2.8MB
memory/4016-189-0x0000000000000000-mapping.dmp
memory/4172-156-0x0000000000000000-mapping.dmp
memory/4212-148-0x00007FF9CA150000-0x00007FF9CAC11000-memory.dmp  10.8MB
memory/4212-138-0x0000000000C50000-0x00000000016B8000-memory.dmp  10.4MB
memory/4212-139-0x00007FF9CA150000-0x00007FF9CAC11000-memory.dmp  10.8MB
memory/4908-181-0x0000000000400000-0x000000000041E000-memory.dmp  120KB
memory/4908-207-0x00000000068C0000-0x0000000006936000-memory.dmp  472KB
memory/4908-208-0x0000000006A10000-0x0000000006A2E000-memory.dmp  120KB
memory/4908-206-0x0000000006AD0000-0x0000000006FFC000-memory.dmp  5.2MB
memory/4908-205-0x00000000063D0000-0x0000000006592000-memory.dmp  1.8MB
memory/4908-211-0x0000000007250000-0x00000000072A0000-memory.dmp  320KB
memory/4908-186-0x00000000052A0000-0x00000000053AA000-memory.dmp  1.0MB
memory/4908-185-0x0000000004FE0000-0x000000000501C000-memory.dmp  240KB
memory/4908-184-0x0000000004F80000-0x0000000004F92000-memory.dmp  72KB
memory/4908-183-0x00000000056E0000-0x0000000005CF8000-memory.dmp  6.1MB
memory/4908-180-0x0000000000000000-mapping.dmp