File name: | Luxury Shield 7.1.rar |
Full analysis: | https://app.any.run/tasks/62b42f10-472e-4fe1-a46d-668d1c361fbd |
Verdict: | Malicious activity |
Analysis date: | March 31, 2023, 20:59:23 |
OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
Indicators: | |
MIME: | application/x-rar |
File info: | RAR archive data, v4, os: Win32, flags: RecoveryRecordPresent |
MD5: | 96F765B91EBA925C6B262D89D1A6A8C9 |
SHA1: | 65AAB7E376393E03D78D11C95E7543E1D95EFE72 |
SHA256: | 65FAE68ECD6E5EFDD44A5A68B33349ADE1C172AE08EA7A1654343CEDF065A298 |
SSDEEP: | 196608:c1roE5rz7tHv2TFc3xo3GJDKbEFYXi2vQeuQLr8HPHpXSU:c18y9v2TE2GoUD2vpr8HRJ |
.rar | | | RAR compressed archive (v-4.x) (58.3) |
---|---|---|
.rar | | | RAR compressed archive (gen) (41.6) |
ArchivedFileName: | Luxury Shield 7.1\Luxury Shield 7.1.exe |
---|---|
PackingMethod: | Normal |
ModifyDate: | 2023:03:23 10:27:22 |
OperatingSystem: | Win32 |
UncompressedSize: | 8479180 |
CompressedSize: | 8370456 |
PID | CMD | Path | Indicators | Parent process | |||||||||||
---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
2512 | "C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\Desktop\Luxury Shield 7.1.rar" | C:\Program Files\WinRAR\WinRAR.exe | explorer.exe | ||||||||||||
User: admin Company: Alexander Roshal Integrity Level: MEDIUM Description: WinRAR archiver Exit code: 0 Version: 5.91.0 Modules
| |||||||||||||||
1628 | "C:\Program Files\WinRAR\WinRAR.exe" x -iext -ow -ver -- "C:\Users\admin\Desktop\Luxury Shield 7.1\Luxury Shield 7.1.exe" "C:\Users\admin\Desktop\Luxury Shield 7.1\" | C:\Program Files\WinRAR\WinRAR.exe | explorer.exe | ||||||||||||
User: admin Company: Alexander Roshal Integrity Level: MEDIUM Description: WinRAR archiver Exit code: 0 Version: 5.91.0 Modules
| |||||||||||||||
3180 | "C:\Users\admin\Desktop\Luxury Shield 7.1\Luxury Sheild v7.1.exe" | C:\Users\admin\Desktop\Luxury Shield 7.1\Luxury Sheild v7.1.exe | — | explorer.exe | |||||||||||
User: admin Integrity Level: MEDIUM Description: Luxury Shield Exit code: 0 Version: 7.1.0.0 Modules
| |||||||||||||||
3404 | "cmd.exe" /c start computerdefaults.exe && powershell.exe Remove-Item -Path HKCU:\Software\Classes\ms-settings\shell -Recurse | C:\Windows\System32\cmd.exe | — | Luxury Sheild v7.1.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Command Processor Exit code: 0 Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850) Modules
| |||||||||||||||
3416 | computerdefaults.exe | C:\Windows\System32\ComputerDefaults.exe | — | cmd.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Set Program Access and Computer Defaults Control Panel Exit code: 3221226540 Version: 6.1.7600.16385 (win7_rtm.090713-1255) Modules
| |||||||||||||||
3676 | "C:\Windows\system32\ComputerDefaults.exe" | C:\Windows\System32\ComputerDefaults.exe | — | cmd.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Set Program Access and Computer Defaults Control Panel Exit code: 3221226540 Version: 6.1.7600.16385 (win7_rtm.090713-1255) Modules
| |||||||||||||||
2708 | "C:\Windows\system32\ComputerDefaults.exe" | C:\Windows\System32\ComputerDefaults.exe | cmd.exe | ||||||||||||
User: admin Company: Microsoft Corporation Integrity Level: HIGH Description: Set Program Access and Computer Defaults Control Panel Exit code: 0 Version: 6.1.7600.16385 (win7_rtm.090713-1255) Modules
| |||||||||||||||
1868 | powershell.exe Remove-Item -Path HKCU:\Software\Classes\ms-settings\shell -Recurse | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | — | cmd.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows PowerShell Exit code: 0 Version: 10.0.14409.1005 (rs1_srvoob.161208-1155) Modules
| |||||||||||||||
1416 | "C:\Windows\System32\ie4uinit.exe" -reinstall | C:\Windows\System32\ie4uinit.exe | ComputerDefaults.exe | ||||||||||||
User: admin Company: Microsoft Corporation Integrity Level: HIGH Description: IE Per-User Initialization Utility Exit code: 0 Version: 11.00.9600.16428 (winblue_gdr.131013-1700) Modules
| |||||||||||||||
3252 | C:\Windows\system32\unregmp2.exe /SetWMPAsDefault | C:\Windows\System32\unregmp2.exe | — | ComputerDefaults.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: HIGH Description: Microsoft Windows Media Player Setup Utility Exit code: 0 Version: 12.0.7600.16385 (win7_rtm.090713-1255) Modules
|
(PID) Process: | (2512) WinRAR.exe | Key: | HKEY_CLASSES_ROOT\Local Settings\MuiCache\16D\52C64B7E |
Operation: | write | Name: | LanguageList |
Value: en-US | |||
(PID) Process: | (2512) WinRAR.exe | Key: | HKEY_CURRENT_USER\Software\WinRAR\ArcHistory |
Operation: | write | Name: | 2 |
Value: C:\Users\admin\Desktop\virtio_ivshmem_master_build.zip | |||
(PID) Process: | (2512) WinRAR.exe | Key: | HKEY_CURRENT_USER\Software\WinRAR\ArcHistory |
Operation: | write | Name: | 1 |
Value: C:\Users\admin\Desktop\Win7-KB3191566-x86.zip | |||
(PID) Process: | (2512) WinRAR.exe | Key: | HKEY_CURRENT_USER\Software\WinRAR\ArcHistory |
Operation: | write | Name: | 0 |
Value: C:\Users\admin\Desktop\phacker.zip | |||
(PID) Process: | (2512) WinRAR.exe | Key: | HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths |
Operation: | write | Name: | name |
Value: 120 | |||
(PID) Process: | (2512) WinRAR.exe | Key: | HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths |
Operation: | write | Name: | size |
Value: 80 | |||
(PID) Process: | (2512) WinRAR.exe | Key: | HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths |
Operation: | write | Name: | type |
Value: 120 | |||
(PID) Process: | (2512) WinRAR.exe | Key: | HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths |
Operation: | write | Name: | mtime |
Value: 100 | |||
(PID) Process: | (2512) WinRAR.exe | Key: | HKEY_CURRENT_USER\Software\WinRAR\Interface\MainWin |
Operation: | write | Name: | Placement |
Value: 2C0000000000000001000000FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF42000000420000000204000037020000 | |||
(PID) Process: | (2512) WinRAR.exe | Key: | HKEY_CURRENT_USER\Software\WinRAR\General |
Operation: | write | Name: | LastFolder |
Value: C:\Users\admin\Desktop |
PID | Process | Filename | Type | |
---|---|---|---|---|
2424 | chrome.exe | C:\Users\admin\AppData\Local\Google\Chrome\User Data\BrowserMetrics\BrowserMetrics-642749F0-978.pma | — | |
MD5:— | SHA256:— | |||
1628 | WinRAR.exe | C:\Users\admin\Desktop\Luxury Shield 7.1\Luxury Sheild v7.1.exe | executable | |
MD5:F145671C3C65072A5A49F1D1D68A4A3A | SHA256:D5DCDE7CED43245641793538F847C55E3271F5FF8EB45FA5616A00634B7E64A1 | |||
1628 | WinRAR.exe | C:\Users\admin\Desktop\Luxury Shield 7.1\ILMerge.exe | executable | |
MD5:2BB6322885E6CA0986206DE174E842C9 | SHA256:8110D740B485BCB06FF406B17001714C3A146FE6517098C9DC90D812B83389FD | |||
1628 | WinRAR.exe | C:\Users\admin\Desktop\Luxury Shield 7.1\learn all kind of hacking.url | url | |
MD5:7ADE4A739CBD8F44D0EF52A2F1BC6E7B | SHA256:CC7649ED53C65E4851ACE414529564FE16801BB2BED4CB15588BFD6B4AC13616 | |||
2512 | WinRAR.exe | C:\Users\admin\Desktop\Luxury Shield 7.1\Luxury Shield 7.1.exe | executable | |
MD5:E484D9F831BAE0A774F3AC0FCFF44512 | SHA256:CDB6B34EB4090B0BE2B503767A8463741BC17B5CAC2D2E22CAF52AA1676616A7 | |||
2900 | OUTLOOK.EXE | C:\Users\admin\AppData\Local\Temp\CVREC5F.tmp.cvr | — | |
MD5:— | SHA256:— | |||
2424 | chrome.exe | C:\Users\admin\AppData\Local\Google\Chrome\User Data\4cf7a2d5-a909-4bd6-888c-6efd57185e08.tmp | text | |
MD5:BADDBD6372ECB314D38A1ED22B2DC8A5 | SHA256:47B77C64B87FE5A8D32F22ACF32FE599917981E9383AC70B7BB005D4AD388B7E | |||
2424 | chrome.exe | C:\Users\admin\AppData\Local\Google\Chrome\User Data\Local State | text | |
MD5:BADDBD6372ECB314D38A1ED22B2DC8A5 | SHA256:47B77C64B87FE5A8D32F22ACF32FE599917981E9383AC70B7BB005D4AD388B7E | |||
1628 | WinRAR.exe | C:\Users\admin\Desktop\Luxury Shield 7.1\Pass to use.txt | text | |
MD5:F2B0D578A79AC19B492E04BC5A7050F7 | SHA256:78F53709CCE69E858FBB201BE13803E63D7E0AA84D7CABE1353CE4989C68EEC7 | |||
2424 | chrome.exe | C:\Users\admin\AppData\Local\Google\Chrome\User Data\2fe18425-dad5-43b5-b981-f6efd1e46dd8.tmp | text | |
MD5:BADDBD6372ECB314D38A1ED22B2DC8A5 | SHA256:47B77C64B87FE5A8D32F22ACF32FE599917981E9383AC70B7BB005D4AD388B7E |
PID | Process | IP | Domain | ASN | CN | Reputation |
---|---|---|---|---|---|---|
3320 | WinRAR.exe | 149.154.167.220:443 | api.telegram.org | Telegram Messenger Inc | GB | malicious |
3320 | WinRAR.exe | 209.25.141.229:17251 | society-painted.at.ply.gg | PLAYIT-GG | US | malicious |
Domain | IP | Reputation |
---|---|---|
api.telegram.org |
| shared |
society-painted.at.ply.gg |
| malicious |
dns.msftncsi.com |
| shared |
PID | Process | Class | Message |
---|---|---|---|
— | — | Misc activity | ET HUNTING Telegram API Domain in DNS Lookup |
3320 | WinRAR.exe | Misc activity | ET HUNTING Observed Telegram API Domain (api .telegram .org in TLS SNI) |
3320 | WinRAR.exe | Misc activity | ET HUNTING Telegram API Certificate Observed |
— | — | Potentially Bad Traffic | ET INFO playit .gg Tunneling Domain in DNS Lookup |