Analysis
- max time kernel: 149s
- max time network: 150s
- platform: windows10-2004_x64
- resource: win10v2004-20240802-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 08/08/2024, 07:46
- Static task: static1
- URLScan task: urlscan1
General
Malware Config
Extracted
- Family: xworm
- Version: 3.1
- C2: society-painted.at.ply.gg:17251
- Install_directory: %Public%
- install_file: USB.exe
- telegram: https://api.telegram.org/bot5817418329:AAGYtFww9eAGl3ZTuqrCmSNxu_TJJiAWkzA/sendMessage?chat_id=1860651440

Two points worth noting when turning this into indicators. The configured install name (USB.exe under %Public%) differs from the name the XWorm process in this run actually used, C:\Users\Public\WinRAR.exe (see the Run key and schtasks entries under Signatures), so both filenames should be treated as indicators. The C2 host is a *.ply.gg tunnel hostname (playit.gg), so the address it resolves to belongs to the tunnel service rather than to the operator; the telegram entry is the Telegram Bot API sendMessage URL the sample is configured to post to, with the bot token embedded in the URL as extracted.
Signatures

Detect Xworm Payload (2 IoCs)
YARA rule family_xworm matched:
- behavioral1/files/0x0009000000023527-256.dat
- behavioral1/memory/4420-264-0x0000000000130000-0x000000000016E000-memory.dmp

Command and Scripting Interpreter: PowerShell (1 TTP, 6 IoCs)
Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.
- PID 4012 powershell.exe
- PID 3828 powershell.exe
- PID 4204 powershell.exe
- PID 3600 powershell.exe
- PID 2452 powershell.exe
- PID 2684 powershell.exe

Checks computer location settings (2 TTPs, 1 IoC)
Looks up the country code configured in the registry, likely for geofencing.
- Key value queried: \REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\Control Panel\International\Geo\Nation (WinRAR.exe)

Drops startup file (4 IoCs)
- File opened for modification: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Chrome Update.exe (crack.exe)
- File created: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\WinRAR.lnk (WinRAR.exe)
- File opened for modification: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\WinRAR.lnk (WinRAR.exe)
- File created: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Chrome Update.exe (crack.exe)

Executes dropped EXE (12 IoCs)
- PID 3912 Luxury Shield 7.1.exe
- PID 4420 WinRAR.exe
- PID 2808 WinRAR.exe
- PID 368 Luxury Shield 7.1.exe
- PID 3404 WinRAR.exe
- PID 3652 crack.exe
- PID 3812 crack.exe
- PID 748 crack.exe
- PID 4180 crack.exe
- PID 4000 WinRAR.exe
- PID 4088 Luxury Shield 7.1.exe
- PID 3136 WinRAR.exe

Adds Run key to start application (2 TTPs, 1 IoC)
- Set value (str): \REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\WinRAR = "C:\Users\Public\WinRAR.exe" (WinRAR.exe)

Suspicious use of NtSetInformationThreadHideFromDebugger (3 IoCs)
- PID 3912, 368, 4088 Luxury Shield 7.1.exe

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).

System Location Discovery: System Language Discovery (1 TTP, 4 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (Luxury Shield 7.1.exe, 4 hits)

Enumerates system info in registry (2 TTPs, 3 IoCs)
- Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName (msedge.exe)
- Key opened: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS (msedge.exe)
- Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer (msedge.exe)

Scheduled Task/Job: Scheduled Task (1 TTP, 1 IoC)
Schtasks is often used by malware for persistence or to perform post-infection execution.
- PID 2008 schtasks.exe

Suspicious behavior: EnumeratesProcesses (30 IoCs)
- msedge.exe: PID 2412 (2 hits), 4940 (2), 2400 (2), 524 (4)
- identity_helper.exe: PID 4080 (2)
- powershell.exe: PID 2684 (3), 4012 (3), 3828 (3), 4204 (3), 3600 (3), 2452 (3)

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary (7 IoCs)
- PID 4940 msedge.exe (7 hits)

Suspicious use of AdjustPrivilegeToken (11 IoCs)
All hits are SeDebugPrivilege being enabled:
- powershell.exe: PID 2684, 4012, 3828, 4204, 3600, 2452
- WinRAR.exe: PID 4420, 2808, 3404, 4000, 3136

Suspicious use of FindShellTrayWindow (33 IoCs)
- PID 4940 msedge.exe (33 hits)

Suspicious use of SendNotifyMessage (24 IoCs)
- PID 4940 msedge.exe (24 hits)

Suspicious use of SetWindowsHookEx (5 IoCs)
- Luxury Shield 7.1.exe: PID 3912, 368, 5072 (2 hits), 4088

Suspicious use of WriteProcessMemory (64 IoCs)
Every hit is msedge.exe PID 4940 writing into one of its own child processes: PID 3088 (report process 85), 4248 (86), 2412 (87) and 464 (88). Per the process tree these are Edge's crashpad-handler, gpu-process, network service and storage service children, so this, together with the FindShellTrayWindow, SendNotifyMessage and NtCreateUserProcessBlockNonMicrosoftBinary hits on PID 4940, is ordinary multi-process browser behaviour from the Edge session that opened the mega.nz link, not injection by the sample.

Uses Task Scheduler COM API (1 TTP)
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
Each entry is the recorded command line, indented by its depth in the process tree, followed by the PID and the signatures that fired on that process.

- "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://mega.nz/folder/o7onBAqb#lPnM6du1_ZsHQgf5SIaC4Q
  PID 4940. Signatures: Enumerates system info in registry; Suspicious behavior: EnumeratesProcesses; Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary; Suspicious use of FindShellTrayWindow; Suspicious use of SendNotifyMessage; Suspicious use of WriteProcessMemory
  - "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffebdfc46f8,0x7ffebdfc4708,0x7ffebdfc4718
    PID 3088
  - "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2156,17104030694542328437,16127891435114400434,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2168 /prefetch:2
    PID 4248
  - "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2156,17104030694542328437,16127891435114400434,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2228 /prefetch:3
    PID 2412. Signatures: Suspicious behavior: EnumeratesProcesses
  - "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2156,17104030694542328437,16127891435114400434,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2736 /prefetch:8
    PID 464
  - "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2156,17104030694542328437,16127891435114400434,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3404 /prefetch:1
    PID 2808
  - "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2156,17104030694542328437,16127891435114400434,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3436 /prefetch:1
    PID 2864
  - "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=2156,17104030694542328437,16127891435114400434,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=4204 /prefetch:8
    PID 4956
  - "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2156,17104030694542328437,16127891435114400434,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5732 /prefetch:8
    PID 2416
  - "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2156,17104030694542328437,16127891435114400434,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5732 /prefetch:8
    PID 4080. Signatures: Suspicious behavior: EnumeratesProcesses
  - "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2156,17104030694542328437,16127891435114400434,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4856 /prefetch:1
    PID 2064
  - "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2156,17104030694542328437,16127891435114400434,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5444 /prefetch:1
    PID 876
  - "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2156,17104030694542328437,16127891435114400434,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=3648 /prefetch:8
    PID 3148
  - "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2156,17104030694542328437,16127891435114400434,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3576 /prefetch:1
    PID 4728
  - "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2156,17104030694542328437,16127891435114400434,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6012 /prefetch:8
    PID 2400. Signatures: Suspicious behavior: EnumeratesProcesses
  - "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2156,17104030694542328437,16127891435114400434,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6412 /prefetch:1
    PID 4700
  - "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2156,17104030694542328437,16127891435114400434,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6324 /prefetch:1
    PID 2536
  - "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2156,17104030694542328437,16127891435114400434,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=3144 /prefetch:2
    PID 524. Signatures: Suspicious behavior: EnumeratesProcesses
- C:\Windows\System32\CompPkgSrv.exe -Embedding
  PID 3180
- C:\Windows\System32\CompPkgSrv.exe -Embedding
  PID 4080
- C:\Windows\system32\AUDIODG.EXE 0x51c 0x2d0
  PID 4436
- C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
  PID 2596
- "C:\Users\Admin\Downloads\Luxury Shield 7.1\Luxury Shield 7.1\Luxury Sheild v7.1.exe"
  PID 4592
  - "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Luxury Shield 7.1.exe'
    PID 2684. Signatures: Command and Scripting Interpreter: PowerShell; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken
  - "C:\Users\Admin\AppData\Local\Temp\Luxury Shield 7.1.exe"
    PID 3912. Signatures: Executes dropped EXE; Suspicious use of NtSetInformationThreadHideFromDebugger; System Location Discovery: System Language Discovery; Suspicious use of SetWindowsHookEx
  - "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\WinRAR.exe'
    PID 4012. Signatures: Command and Scripting Interpreter: PowerShell; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken
  - "C:\Users\Admin\AppData\Local\Temp\WinRAR.exe"
    PID 4420. Signatures: Checks computer location settings; Drops startup file; Executes dropped EXE; Adds Run key to start application; Suspicious use of AdjustPrivilegeToken
    - "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "WinRAR" /tr "C:\Users\Public\WinRAR.exe"
      PID 2008. Signatures: Scheduled Task/Job: Scheduled Task
- C:\Users\Public\WinRAR.exe
  PID 2808. Signatures: Executes dropped EXE; Suspicious use of AdjustPrivilegeToken
- "C:\Users\Admin\Downloads\Luxury Shield 7.1\Luxury Shield 7.1\Luxury Sheild v7.1.exe"
  PID 3996
  - "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Luxury Shield 7.1.exe'
    PID 3828. Signatures: Command and Scripting Interpreter: PowerShell; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken
  - "C:\Users\Admin\AppData\Local\Temp\Luxury Shield 7.1.exe"
    PID 368. Signatures: Executes dropped EXE; Suspicious use of NtSetInformationThreadHideFromDebugger; System Location Discovery: System Language Discovery; Suspicious use of SetWindowsHookEx
  - "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\WinRAR.exe'
    PID 4204. Signatures: Command and Scripting Interpreter: PowerShell; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken
  - "C:\Users\Admin\AppData\Local\Temp\WinRAR.exe"
    PID 3404. Signatures: Executes dropped EXE; Suspicious use of AdjustPrivilegeToken
- "C:\Users\Admin\Downloads\Luxury Shield 7.1\Luxury Shield 7.1\crack.exe"
  PID 3188. Signatures: Drops startup file
- "C:\Users\Admin\Downloads\Luxury Shield 7.1\Luxury Shield 7.1\crack.exe"
  PID 3652. Signatures: Executes dropped EXE
- "C:\Users\Admin\Downloads\Luxury Shield 7.1\Luxury Shield 7.1\crack.exe"
  PID 3812. Signatures: Executes dropped EXE
- "C:\Users\Admin\Downloads\Luxury Shield 7.1\Luxury Shield 7.1\crack.exe"
  PID 748. Signatures: Executes dropped EXE
- "C:\Users\Admin\Downloads\Luxury Shield 7.1\Luxury Shield 7.1\crack.exe"
  PID 4180. Signatures: Executes dropped EXE
- "C:\Users\Admin\Downloads\Luxury Shield 7.1\Luxury Shield 7.1\Luxury Shield 7.1.exe"
  PID 5072. Signatures: System Location Discovery: System Language Discovery; Suspicious use of SetWindowsHookEx
- C:\Users\Public\WinRAR.exe
  PID 4000. Signatures: Executes dropped EXE; Suspicious use of AdjustPrivilegeToken
- "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Downloads\Luxury Shield 7.1\Luxury Shield 7.1\Pass to use.txt
  PID 4784
- "C:\Users\Admin\Downloads\Luxury Shield 7.1\Luxury Shield 7.1\Luxury Sheild v7.1.exe"
  PID 4516
  - "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Luxury Shield 7.1.exe'
    PID 3600. Signatures: Command and Scripting Interpreter: PowerShell; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken
  - "C:\Users\Admin\AppData\Local\Temp\Luxury Shield 7.1.exe"
    PID 4088. Signatures: Executes dropped EXE; Suspicious use of NtSetInformationThreadHideFromDebugger; System Location Discovery: System Language Discovery; Suspicious use of SetWindowsHookEx
  - "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\WinRAR.exe'
    PID 2452. Signatures: Command and Scripting Interpreter: PowerShell; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken
  - "C:\Users\Admin\AppData\Local\Temp\WinRAR.exe"
    PID 3136. Signatures: Executes dropped EXE; Suspicious use of AdjustPrivilegeToken
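The whole persistence chain of this sample is visible in three command lines of the process tree: the loader excludes each file it is about to drop from Defender with Add-MpPreference -ExclusionPath, the dropped XWorm binary registers a schtasks task that relaunches it every minute with /RL HIGHEST, and the relaunch runs from C:\Users\Public. The following Python is an added example, not part of the Triage report or of any tooling it describes. It parses command lines of the shape shown above and correlates each exclusion with the process that then runs from the excluded path; the sample input is a copy of the relevant entries from this report's process tree, and the function and field names are the example's own.

```python
"""Triage helper: flag the Defender-exclusion, scheduled-task and
relaunch-from-%Public% chain seen in this report's process tree."""
import re
from dataclasses import dataclass


@dataclass
class Proc:
    pid: int
    image: str
    cmdline: str


# Add-MpPreference parameters that carve holes in Defender.
EXCLUSION_FLAGS = {"-exclusionpath", "-exclusionextension", "-exclusionprocess"}
PUBLIC_DIR = "c:\\users\\public\\"


def tokens(cmdline):
    """Split a Windows command line on whitespace, keeping quoted spans
    (either " or ') as one token and dropping the surrounding quotes."""
    raw = re.findall(r'"[^"]*"|\'[^\']*\'|\S+', cmdline)
    return [t[1:-1] if len(t) >= 2 and t[0] == t[-1] and t[0] in "\"'" else t
            for t in raw]


def defender_exclusions(proc):
    """(flag, value) pairs for every -Exclusion* argument of an Add-MpPreference call."""
    if not proc.image.lower().endswith("powershell.exe"):
        return []
    toks = tokens(proc.cmdline)
    low = [t.lower() for t in toks]
    if "add-mppreference" not in low:
        return []
    return [(low[i], toks[i + 1]) for i in range(len(toks) - 1) if low[i] in EXCLUSION_FLAGS]


def schtasks_persistence(proc):
    """Parse schtasks /create into name, action, schedule and run level; None otherwise."""
    if not proc.image.lower().endswith("schtasks.exe"):
        return None
    toks = tokens(proc.cmdline)
    low = [t.lower() for t in toks]
    if "/create" not in low:
        return None

    def opt(flag):
        i = low.index(flag) if flag in low else -1
        return toks[i + 1] if 0 <= i < len(toks) - 1 else None

    sched, mod, rl = opt("/sc"), opt("/mo"), opt("/rl")
    return {
        "pid": proc.pid, "name": opt("/tn"), "action": opt("/tr"),
        "schedule": sched, "modifier": mod, "runlevel": rl,
        # A task that re-launches every few minutes is a watchdog, not maintenance.
        "high_frequency": (sched or "").lower() == "minute" and (mod or "").isdigit() and int(mod) <= 5,
        "highest": (rl or "").upper() == "HIGHEST",
    }


def triage(procs):
    """Walk processes in execution order and correlate exclusions with what runs next."""
    findings, excluded = [], {}
    for p in procs:
        img = p.image.lower()
        if img in excluded:  # a path excluded earlier is now being executed
            findings.append({"type": "excluded_path_executed", "pid": p.pid,
                             "image": p.image, "excluded_by": excluded[img]})
        for flag, value in defender_exclusions(p):
            findings.append({"type": "defender_exclusion", "pid": p.pid, "flag": flag, "value": value})
            excluded[value.lower()] = p.pid
        task = schtasks_persistence(p)
        if task:
            findings.append({"type": "scheduled_task", **task})
        if img.startswith(PUBLIC_DIR):
            findings.append({"type": "exec_from_public", "pid": p.pid, "image": p.image})
    return findings


# Constructed sample input: one of the three identical Luxury Sheild v7.1.exe
# chains from this report's process tree, plus the %Public% relaunch.
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
LOADER = r"C:\Users\Admin\Downloads\Luxury Shield 7.1\Luxury Shield 7.1\Luxury Sheild v7.1.exe"
PAYLOAD = r"C:\Users\Admin\AppData\Local\Temp\Luxury Shield 7.1.exe"
XWORM = r"C:\Users\Admin\AppData\Local\Temp\WinRAR.exe"
SAMPLE = [
    Proc(4592, LOADER, f'"{LOADER}"'),
    Proc(2684, PS, f'"{PS}" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath ' + f"'{PAYLOAD}'"),
    Proc(3912, PAYLOAD, f'"{PAYLOAD}"'),
    Proc(4012, PS, f'"{PS}" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath ' + f"'{XWORM}'"),
    Proc(4420, XWORM, f'"{XWORM}"'),
    Proc(2008, r"C:\Windows\System32\schtasks.exe",
         r'"C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "WinRAR" /tr "C:\Users\Public\WinRAR.exe"'),
    Proc(2808, r"C:\Users\Public\WinRAR.exe", r"C:\Users\Public\WinRAR.exe"),
]

if __name__ == "__main__":
    for finding in triage(SAMPLE):
        print(finding)
```

Run against the sample it reports two exclusions, each followed by an `excluded_path_executed` hit for the dropped file, the every-minute HIGHEST task named WinRAR, and the execution from C:\Users\Public. The same three parsers apply unchanged to Sysmon event ID 1 or EDR process-creation records, which is where this correlation is actually useful: an exclusion added seconds before the excluded path first runs is a far stronger signal than either event alone.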
Network
MITRE ATT&CK Enterprise v15
Execution
- Command and Scripting Interpreter (1): PowerShell (1)
- Scheduled Task/Job (1): Scheduled Task (1)
Persistence
- Boot or Logon Autostart Execution (1): Registry Run Keys / Startup Folder (1)
- Scheduled Task/Job (1): Scheduled Task (1)
Privilege Escalation
- Boot or Logon Autostart Execution (1): Registry Run Keys / Startup Folder (1)
- Scheduled Task/Job (1): Scheduled Task (1)
Downloads
Only four entries carry a path (all files in the Edge profile); the remaining files are listed by size and hash only.

- Filesize: 654B
  MD5: 2ff39f6c7249774be85fd60a8f9a245e
  SHA1: 684ff36b31aedc1e587c8496c02722c6698c1c4e
  SHA256: e1b91642d85d98124a6a31f710e137ab7fd90dec30e74a05ab7fcf3b7887dced
  SHA512: 1d7e8b92ef4afd463d62cfa7e8b9d1799db5bf2a263d3cd7840df2e0a1323d24eb595b5f8eb615c6cb15f9e3a7b4fc99f8dd6a3d34479222e966ec708998aed1
- Filesize: 42B
  MD5: 84cfdb4b995b1dbf543b26b86c863adc
  SHA1: d2f47764908bf30036cf8248b9ff5541e2711fa2
  SHA256: d8988d672d6915b46946b28c06ad8066c50041f6152a91d37ffa5cf129cc146b
  SHA512: 485f0ed45e13f00a93762cbf15b4b8f996553baa021152fae5aba051e3736bcd3ca8f4328f0e6d9e3e1f910c96c4a9ae055331123ee08e3c2ce3a99ac2e177ce
- Filesize: 2KB
  MD5: a43e653ffb5ab07940f4bdd9cc8fade4
  SHA1: af43d04e3427f111b22dc891c5c7ee8a10ac4123
  SHA256: c4c53abb13e99475aebfbe9fec7a8fead81c14c80d9dcc2b81375304f3a683fe
  SHA512: 62a97e95e1f19a8d4302847110dae44f469877eed6aa8ea22345c6eb25ee220e7d310fa0b7ec5df42356815421c0af7c46a0f1fee8933cc446641800eda6cd1b
- Filesize: 152B
  MD5: 9e3fc58a8fb86c93d19e1500b873ef6f
  SHA1: c6aae5f4e26f5570db5e14bba8d5061867a33b56
  SHA256: 828f4eacac1c40b790fd70dbb6fa6ba03dcc681171d9b2a6579626d27837b1c4
  SHA512: e5e245b56fa82075e060f468a3224cf2ef43f1b6d87f0351a2102d85c7c897e559be4caeaecfdc4059af29fdc674681b61229319dda95cb2ee649b2eb98d313e
- Filesize: 152B
  MD5: 27304926d60324abe74d7a4b571c35ea
  SHA1: 78b8f92fcaf4a09eaa786bbe33fd1b0222ef29c1
  SHA256: 7039ad5c2b40f4d97c8c2269f4942be13436d739b2e1f8feb7a0c9f9fdb931de
  SHA512: f5b6181d3f432238c7365f64fc8a373299e23ba8178bcc419471916ef8b23e909787c7c0617ab22e4eb90909c02bd7b84f1386fbc61e2bdb5a0eb474175da4bd
- Filesize: 17KB
  MD5: 950eca48e414acbe2c3b5d046dcb8521
  SHA1: 1731f264e979f18cdf08c405c7b7d32789a6fb59
  SHA256: c0bbe530abfce19e06697bc4358eb426e076ccdb9113e22df4a6f32085da67a2
  SHA512: 27e55525ade4d099a6881011f6e2e0d5d3a9ca7181f4f014dc231d40b3b1907d0d437b0c44d336c25dd7b73209cd773b8563675ac260c43c7752e2d2d694d4d9
- C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index
  Filesize: 72B
  MD5: 85e8d507d1888f1006993f9802b4ad50
  SHA1: 2de1a156f5f97e4dcfb108efcfc81f8a57777ffe
  SHA256: a45d5cae10272c5c7f55b7d40cbba3cb2d5ee61d1ba6ad2a5069a49e622c92c0
  SHA512: 34c62c575dcdd5a38190601ef9de2303336bf513db4287815e693f46c0f2c03975fe3a1377bb4e4c2733376184e772cdb0c2f62defd02f67fa1037a2d2ad74ef
- Filesize: 16B
  MD5: 46295cac801e5d4857d09837238a6394
  SHA1: 44e0fa1b517dbf802b18faf0785eeea6ac51594b
  SHA256: 0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443
  SHA512: 8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23
- Filesize: 188B
  MD5: 008114e1a1a614b35e8a7515da0f3783
  SHA1: 3c390d38126c7328a8d7e4a72d5848ac9f96549b
  SHA256: 7301b76033c2970e61bab5eaddaff5aa652c39db5c0ea5632814f989716a1d18
  SHA512: a202fc891eace003c346bad7e5d2c73dadf9591d5ce950395ff4b63cc2866b17e02bd3f0ad92749df033a936685851455bcdbfad30f26e765c3c89d3309cb82b
- Filesize: 6KB
  MD5: 9c6f8d643780274b351af6c02d0a9b91
  SHA1: 32b8db5f0c08d1ecdc821a4d99ca45ce6a6b1ac6
  SHA256: 1640392373eb59bd395fa5352f8498b2a678cb3337155263ff6b5630d371f849
  SHA512: 14e53ae0532507056c1aa0f753f1cb588098b6dec69e59038ab61d785d1bbc352750a04ba9650dc69317b45d87ba14107a8ecd01235d93ae1fbced548ad5fb99
- Filesize: 6KB
  MD5: d8e63429ba7d30ea63d6c1c4b1380517
  SHA1: bdb00f44863d7b640f89e0843790652382e4ce1e
  SHA256: 0602f0778d81a47ae520602276723e0345ef9802b5ee7f482079041036b02940
  SHA512: 5b61f74fa867ad11fed9366e3f7e642519919cd406e7bed4c909d2d51e5965b3ba85457ea2b9e4feb4f7e0ce9936eb4d8e1f8f5b0bb2893e20a2b1a2681a3659
- Filesize: 6KB
  MD5: de70addc0f1dfe0cca77192550636188
  SHA1: a5f1e323e246ea88d02c9146dfc31348d7f1a0d4
  SHA256: f0b669ad5859597ebfd442da56d759d4293e4021bcce63e9f8c8585b9b858ea5
  SHA512: 7a1079b96503e5d42af60da18defb8fb0581d40da0d032e372d9cbb2b2b0c745dd4143befc7060d17bd4c6d679421e957503ed8e1e33681e2b6e6f7631c1ecee
- C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\Database\MANIFEST-000001
  Filesize: 41B
  MD5: 5af87dfd673ba2115e2fcf5cfdb727ab
  SHA1: d5b5bbf396dc291274584ef71f444f420b6056f1
  SHA256: f9d31b278e215eb0d0e9cd709edfa037e828f36214ab7906f612160fead4b2b4
  SHA512: de34583a7dbafe4dd0dc0601e8f6906b9bc6a00c56c9323561204f77abbc0dc9007c480ffe4092ff2f194d54616caf50aecbd4a1e9583cae0c76ad6dd7c2375b
- C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index
  Filesize: 72B
  MD5: 5309bd54a0bb601ffc878af79d4c2793
  SHA1: ed2a7e06399c09142cbb3dec2062dfad63c09fd2
  SHA256: 4fecec3b3c9bc623436aa38d91500982bd44e2c044d8af71caf39abf541c433e
  SHA512: ffbe51137974aada858f137211dde871a6afff7d12ee92ed33d0838c91cc437c8c2bc2a859c7d0889616f23a9b957b110b897860d4fedad7f9b540e2910e2e92
- C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index~RFe580105.TMP
  Filesize: 48B
  MD5: bf7f582b016a010bf7ef7f90f4a1a321
  SHA1: ed1fcaf3d85a0d01e19840f8b59a6ff45d665bbb
  SHA256: 0e62f31161b2c88672722e551b2269179a9997a715d88207c46b3f91f0d2ff41
  SHA512: 618043f0d97d09a6a2195f23865a258c276b66f5dd8a69c9462c7b6f8c736454d98ca0480744adde8355cbace59290db8a743a58c6e88e29d12e22bacc92af38
- Filesize: 16B
  MD5: 6752a1d65b201c13b62ea44016eb221f
  SHA1: 58ecf154d01a62233ed7fb494ace3c3d4ffce08b
  SHA256: 0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd
  SHA512: 9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389
- Filesize: 11KB
  MD5: 41c5e810cc20e5bcbf9217ff8b8cb9b4
  SHA1: 11624a668508a08df7bd3dcb2813b24233a543f3
  SHA256: ce6faad693527bedd7770af8da6a0a2a1739b6103fe2389e3df3e0e9431bcbd3
  SHA512: 09a306611be501a90ad2540eb000d9fe58cf55dc9982a89683f862272c100a525ba5a8dc635ca9683d978f1849bcea3942d036789fed3c849c57e32aff638324
- Filesize: 11KB
  MD5: 1a6d47189d415a50c79abd24fe6c4161
  SHA1: c02d8d560c2d6351763019bf294447182515466f
  SHA256: 506fa4433ea56160f03c76f598a1fdf69b2dd22505c654821c85611f15ef4a13
  SHA512: dfb43d009233ce32912ddc000bc171ef409883dbe72789531d1b2463bc6dd770b5d48e1334bce2bbeefddebecb77f8553b19379824c34d4340223ec15a8a5d78
- Filesize: 944B
  MD5: 7eb4e058795aaf02e9e161eb5d5e3689
  SHA1: aeaedbcadbc7b39f0016113bc252fe2faa5ed7b7
  SHA256: e63490ad7aadfe933139b4ed59694ee60928fc9c2ca56e89f05218d99d8e2ce8
  SHA512: d226dd70a46ff7e93cee23efcdbd4665b631af6bff1db253538a672248ea853fc3065e06b623f55eceba46fc4f6421fe076a2f1b003cd4007e2f1e23b5475fa9
- Filesize: 944B
  MD5: e60eb305a7b2d9907488068b7065abd3
  SHA1: 1643dd7f915ac50c75bc01c53d68c5dafb9ce28d
  SHA256: ad07460e061642c0dd4e7dfa7b821aacce873e290389e72f708e9f3504f9d135
  SHA512: 95c45afec6fa4e0b2a21edd10a6b2dc30568810c67bc9bc34d98ab111c48261f377a370583adb27e08616b0108026c119493b1b093b52ce931117e646b46cb7b
- Filesize: 944B
  MD5: 3b444d3f0ddea49d84cc7b3972abe0e6
  SHA1: 0a896b3808e68d5d72c2655621f43b0b2c65ae02
  SHA256: ab075b491d20c6f66c7bd40b57538c1cfdaab5aac4715bfe3bbc7f4745860a74
  SHA512: eb0ab5d68472ec42de4c9b6d84306d7bca3874be1d0ac572030a070f21a698432418068e1a6006ff88480be8c8f54c769dee74b2def403f734109dba7261f36b
- Filesize: 944B
  MD5: dbb22d95851b93abf2afe8fb96a8e544
  SHA1: 920ec5fdb323537bcf78f7e29a4fc274e657f7a4
  SHA256: e1ee9af6b9e3bfd41b7d2c980580bb7427883f1169ed3df4be11293ce7895465
  SHA512: 16031134458bf312509044a3028be46034c544163c4ca956aee74d2075fbeb5873754d2254dc1d0b573ce1a644336ac4c8bd7147aba100bfdac8c504900ef3fc
- Filesize: 944B
  MD5: cc19bcff372d20459d3651ba8aef50e7
  SHA1: 3c6f1d4cdd647864fb97a16b1aefba67fcee11f7
  SHA256: 366473e774d8976c7fd4dc582220666fb61a4feb3f7c95e69b2a68ad9e446ec9
  SHA512: a0e360ca4b6e874fd44612bf4b17f3722c0619da4f6bade12a62efadae88c2d33460114eaafa2bc3fb1cef5bea07e745b8bee24f15d0cacaff5f4a521b225080
- Filesize: 7.5MB
  MD5: 9502776952e6900ae1f98934004b4293
  SHA1: 3905f80a539d37c648a5da1cc6dace16d3516c2c
  SHA256: d8ca879cf734c21b84e3983a9245c4da2b38cfe23b1691e4ca265286c3782b1f
  SHA512: cbef89e577c883283ce3e9bb48e2ba9eda010e40e6cb1a383d99e32b728a9553cdb83e0831c0bff961fd271cee4eab921f53c97d9412e87bec4d0498400b5fbb
- Filesize: 226KB
  MD5: 60219035e32ad00d4c691a1bdc6455fb
  SHA1: 5f3740fcf89a95437ce184cfe22f23ed8b5b9254
  SHA256: e005f5c2e4fdd277ced1ae42272b864e47de334e0d2a1043f24c21253da18ae5
  SHA512: b98eb125f7812ac5d2243bd0d6ee07e918af5d0a46d86a6b242a7d8f91dbaaa48fabb562c316abbbf93db0c5ffc3a16184233000b379bafcdb3104c470055fc7
- Filesize: 60B
  MD5: d17fe0a3f47be24a6453e9ef58c94641
  SHA1: 6ab83620379fc69f80c0242105ddffd7d98d5d9d
  SHA256: 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
  SHA512: 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
- Filesize: 16.4MB
  MD5: 6a777757bb51c01bac95b3648b7cfc76
  SHA1: 0047ce451ce9f63c1e2537b0b69405c243a9685a
  SHA256: 29b29eaa1b33d92f8b7536ca0513887e26f232acb8ca438beb89555d4ce8136a
  SHA512: 12e366d5e2560862670774d021fb6a7fdd8f7583b21e52887141788a58bf1dd3f6bda47e4c9a9282aee2e59a412163c236a1c6d497912a1becc1d0f74d3dcaac
- Filesize: 9KB
  MD5: 34ef4aa10e7411cca216d92994bcce20
  SHA1: 13338054d516019e6100ecc76e7157f0ee5ed87d
  SHA256: 7ea2aab51d2e6abdaf6d182b0657a6503c1dee86fc42f40b4dd9895b31e4d8c0
  SHA512: 08c726b105bdd94c74b65ed8a1968f234bc4ffd4dca8b49c98f4da9a7ac0b0fb92c14476ae0ff323d3e6d7b7bdba6b8732459601f807037bf5757f5f4efb06f4