bb5d251130efb47c960fa6b622a603ed4c53e91494f8ebaceefcd65899b02d6a

Analysis

max time kernel
152s
max time network
184s
platform
windows7_x64
resource
win7-20230220-en
resource tags

arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system
submitted
06/05/2023, 21:38

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

454de28853ea54861c14acf6b2520bab.exe
Size

387KB
MD5

454de28853ea54861c14acf6b2520bab
SHA1

2a6774af921e3e3a03fd22714059cbdc33ac6e53
SHA256

bb5d251130efb47c960fa6b622a603ed4c53e91494f8ebaceefcd65899b02d6a
SHA512

f147a4f9332d59a5472ac0a32d16cda5f8d00128b7b56bbdf25b67fc3cc4ac0189deb6fba56a255b50bcab9b0764ab3809867de2788bc1f0523da7f040087efc
SSDEEP

6144:L8dNXSEm8t107G59ZLNokDCW4KwNLl4fn6wRPFDdL6qnoz1+vv8UoGfaD2H:gmU107GVWWCNPLl3Muq++HFomaD2H

Score

10^/10

evasion persistence trojan

Malware Config

Signatures

UAC bypass 3 TTPs 3 IoCs

evasion trojan

Bypass User Account Control

T1088

Disabling Security Tools

T1089

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	454de28853ea54861c14acf6b2520bab.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	LuckyWheel.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0"	LuckyWheel.exe

Executes dropped EXE 2 IoCs

pid	Process
1724	LuckyWheel.exe
1720	WindowsServices.exe

Loads dropped DLL 6 IoCs

pid	Process
1988	454de28853ea54861c14acf6b2520bab.exe
1988	454de28853ea54861c14acf6b2520bab.exe
1988	454de28853ea54861c14acf6b2520bab.exe
1988	454de28853ea54861c14acf6b2520bab.exe
1988	454de28853ea54861c14acf6b2520bab.exe
1988	454de28853ea54861c14acf6b2520bab.exe

Adds Run key to start application 2 TTPs 5 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3948302646-268491222-1934009652-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run	454de28853ea54861c14acf6b2520bab.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3948302646-268491222-1934009652-1000\Software\Microsoft\Windows\CurrentVersion\Run\LuckyWheel = "C:\\Program Files (x86)\\LuckyWheel\\LuckyWheel.exe"	454de28853ea54861c14acf6b2520bab.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run	454de28853ea54861c14acf6b2520bab.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\LuckyWheel = "C:\\Program Files (x86)\\LuckyWheel\\LuckyWheel.exe"	454de28853ea54861c14acf6b2520bab.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3948302646-268491222-1934009652-1000\Software\Microsoft\Windows\CurrentVersion\Run\WindowsServices = "C:\\Program Files (x86)\\LuckyWheel\\WindowsServices.exe"	454de28853ea54861c14acf6b2520bab.exe

Checks whether UAC is enabled 1 TTPs 1 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	454de28853ea54861c14acf6b2520bab.exe

Drops file in Program Files directory 5 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\LuckyWheel\kill.bat	454de28853ea54861c14acf6b2520bab.exe
File created	C:\Program Files (x86)\LuckyWheel\ADSSTrayPopup.dll	454de28853ea54861c14acf6b2520bab.exe
File created	C:\Program Files (x86)\LuckyWheel\Newtonsoft.Json.dll	454de28853ea54861c14acf6b2520bab.exe
File created	C:\Program Files (x86)\LuckyWheel\LuckyWheel.exe	454de28853ea54861c14acf6b2520bab.exe
File created	C:\Program Files (x86)\LuckyWheel\WindowsServices.exe	454de28853ea54861c14acf6b2520bab.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies Internet Explorer settings 1 TTPs 37 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3948302646-268491222-1934009652-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3948302646-268491222-1934009652-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3948302646-268491222-1934009652-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3948302646-268491222-1934009652-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3948302646-268491222-1934009652-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3948302646-268491222-1934009652-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3948302646-268491222-1934009652-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 30ec836b7f80d901	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3948302646-268491222-1934009652-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3948302646-268491222-1934009652-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3948302646-268491222-1934009652-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3948302646-268491222-1934009652-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3948302646-268491222-1934009652-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{8BAF9BD1-EC72-11ED-83EE-CEF47884BE6D} = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3948302646-268491222-1934009652-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3948302646-268491222-1934009652-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3948302646-268491222-1934009652-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3948302646-268491222-1934009652-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3948302646-268491222-1934009652-1000\Software\Microsoft\Internet Explorer\SearchScopes	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3948302646-268491222-1934009652-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3948302646-268491222-1934009652-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "390186215"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3948302646-268491222-1934009652-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3948302646-268491222-1934009652-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3948302646-268491222-1934009652-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3948302646-268491222-1934009652-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000fba6cfbdd4578d48a4e75475bed73c6a000000000200000000001066000000010000200000002fa05050757af21a9d9ae022ae2758cf4467bf1f4cf62a394e1bebad3b63097c000000000e800000000200002000000065ef11ac0c759f853a7d9c6783ac5585da892243bf701a39b4c118f919722f619000000090020fb5c22214ef4ddaa6818cbf4b24cbc936bed078efbb0807ea9b79e9d9763b37f2369c7b3620dead9147c8b007b35ea6d668d01246d17986bf1f7f7e941bd36297e6c1503122119a6592d8f0be5d407e241a9eaa2e14e5e3abd1e20f4706c08ebbdc3ccdea150b6ba5e03be67968a0d69c8dc8f5f780cc24fcd1985aafaeb8a787370344395b15415293ff99f6c040000000d4f3171cd8da740b8a4189a2d05ed03e8ab07014a40877dcc4a43263f3e04cc522fbc132a13b46d22c12664afc3d4759dfcf645a781f5f1fc252c7ab7131f9c5	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3948302646-268491222-1934009652-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3948302646-268491222-1934009652-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3948302646-268491222-1934009652-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3948302646-268491222-1934009652-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "2"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3948302646-268491222-1934009652-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3948302646-268491222-1934009652-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000fba6cfbdd4578d48a4e75475bed73c6a00000000020000000000106600000001000020000000ac687c295e305c5bf506daad275cfa125ac165ccd9824741036e91fb81f28518000000000e8000000002000020000000fc28a15f24fdb934923b27b4ae20e1ce7fde762f87e26903dd749599340205f820000000347c0faa82d63656c9ff3320c71664af767d8ba3ef8e27dd14394794820b15f34000000056350551756e67344c3df0bdb963f8f78236ccabee6628f293c5b1d93d82fed01e812d37d617d749988c6a2b8b06e18e6ae10f6c761da7578b6aab3718cea27a	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3948302646-268491222-1934009652-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3948302646-268491222-1934009652-1000\Software\Microsoft\Internet Explorer\Main	LuckyWheel.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3948302646-268491222-1934009652-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3948302646-268491222-1934009652-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3948302646-268491222-1934009652-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3948302646-268491222-1934009652-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3948302646-268491222-1934009652-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3948302646-268491222-1934009652-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1988	454de28853ea54861c14acf6b2520bab.exe
1988	454de28853ea54861c14acf6b2520bab.exe
1724	LuckyWheel.exe
1724	LuckyWheel.exe
1724	LuckyWheel.exe
1724	LuckyWheel.exe
1724	LuckyWheel.exe
1724	LuckyWheel.exe
1724	LuckyWheel.exe
1724	LuckyWheel.exe
1724	LuckyWheel.exe
1724	LuckyWheel.exe
1724	LuckyWheel.exe
1724	LuckyWheel.exe
1724	LuckyWheel.exe
1724	LuckyWheel.exe
1724	LuckyWheel.exe
1724	LuckyWheel.exe
1724	LuckyWheel.exe
1724	LuckyWheel.exe
1724	LuckyWheel.exe
1724	LuckyWheel.exe
1724	LuckyWheel.exe
1724	LuckyWheel.exe
1724	LuckyWheel.exe
1724	LuckyWheel.exe
1724	LuckyWheel.exe
1724	LuckyWheel.exe
1724	LuckyWheel.exe
1724	LuckyWheel.exe
1724	LuckyWheel.exe
1724	LuckyWheel.exe
1724	LuckyWheel.exe
1724	LuckyWheel.exe
1724	LuckyWheel.exe
1724	LuckyWheel.exe
1724	LuckyWheel.exe
1724	LuckyWheel.exe
1724	LuckyWheel.exe
1724	LuckyWheel.exe
1724	LuckyWheel.exe
1724	LuckyWheel.exe
1724	LuckyWheel.exe
1724	LuckyWheel.exe
1724	LuckyWheel.exe
1724	LuckyWheel.exe
1724	LuckyWheel.exe
1724	LuckyWheel.exe
1724	LuckyWheel.exe
1724	LuckyWheel.exe
1724	LuckyWheel.exe
1724	LuckyWheel.exe
1724	LuckyWheel.exe
1724	LuckyWheel.exe
1724	LuckyWheel.exe
1724	LuckyWheel.exe
1724	LuckyWheel.exe
1724	LuckyWheel.exe
1724	LuckyWheel.exe
1724	LuckyWheel.exe
1724	LuckyWheel.exe
1724	LuckyWheel.exe
1724	LuckyWheel.exe
1724	LuckyWheel.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	1724	LuckyWheel.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
1640	iexplore.exe

Suspicious use of SetWindowsHookEx 6 IoCs

pid	Process
1724	LuckyWheel.exe
1724	LuckyWheel.exe
1640	iexplore.exe
1640	iexplore.exe
1736	IEXPLORE.EXE
1736	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 16 IoCs

description	pid	Process	procid_target
PID 1988 wrote to memory of 1724	1988	454de28853ea54861c14acf6b2520bab.exe	27
PID 1988 wrote to memory of 1724	1988	454de28853ea54861c14acf6b2520bab.exe	27
PID 1988 wrote to memory of 1724	1988	454de28853ea54861c14acf6b2520bab.exe	27
PID 1988 wrote to memory of 1724	1988	454de28853ea54861c14acf6b2520bab.exe	27
PID 1988 wrote to memory of 1720	1988	454de28853ea54861c14acf6b2520bab.exe	28
PID 1988 wrote to memory of 1720	1988	454de28853ea54861c14acf6b2520bab.exe	28
PID 1988 wrote to memory of 1720	1988	454de28853ea54861c14acf6b2520bab.exe	28
PID 1988 wrote to memory of 1720	1988	454de28853ea54861c14acf6b2520bab.exe	28
PID 1988 wrote to memory of 1640	1988	454de28853ea54861c14acf6b2520bab.exe	29
PID 1988 wrote to memory of 1640	1988	454de28853ea54861c14acf6b2520bab.exe	29
PID 1988 wrote to memory of 1640	1988	454de28853ea54861c14acf6b2520bab.exe	29
PID 1988 wrote to memory of 1640	1988	454de28853ea54861c14acf6b2520bab.exe	29
PID 1640 wrote to memory of 1736	1640	iexplore.exe	31
PID 1640 wrote to memory of 1736	1640	iexplore.exe	31
PID 1640 wrote to memory of 1736	1640	iexplore.exe	31
PID 1640 wrote to memory of 1736	1640	iexplore.exe	31

System policy modification 1 TTPs 4 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	454de28853ea54861c14acf6b2520bab.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	454de28853ea54861c14acf6b2520bab.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	LuckyWheel.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0"	LuckyWheel.exe

C:\Users\Admin\AppData\Local\Temp\454de28853ea54861c14acf6b2520bab.exe
"C:\Users\Admin\AppData\Local\Temp\454de28853ea54861c14acf6b2520bab.exe"
1⤵
- UAC bypass
- Loads dropped DLL
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
- System policy modification
PID:1988
- C:\Program Files (x86)\LuckyWheel\LuckyWheel.exe
  "C:\Program Files (x86)\LuckyWheel\LuckyWheel.exe"
  2⤵
  - UAC bypass
  - Executes dropped EXE
  - Modifies Internet Explorer settings
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - System policy modification
  PID:1724
- C:\Program Files (x86)\LuckyWheel\WindowsServices.exe
  "C:\Program Files (x86)\LuckyWheel\WindowsServices.exe"
  2⤵
  - Executes dropped EXE
  PID:1720
- C:\Program Files\Internet Explorer\iexplore.exe
  "C:\Program Files\Internet Explorer\iexplore.exe" https://zwoops.com/TrMax/
  2⤵
  - Modifies Internet Explorer settings
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:1640
- - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
    "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1640 CREDAT:275457 /prefetch:2
    3⤵
    - Modifies Internet Explorer settings
    - Suspicious use of SetWindowsHookEx
    PID:1736

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Bypass User Account Control

T1088

Defense Evasion

Bypass User Account Control

T1088

Disabling Security Tools

T1089

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\LuckyWheel\ADSSTrayPopup.dll

Filesize
55KB

MD5
8c92e0740a0d72ee81f113ef625c984e

SHA1
ecf277620678359023e2a6f6842a117b666e4321

SHA256
091a8c575b8a3f6e88b682c9f9aa1388ff8ff0d03c15eb97bdb043901e1f639e

SHA512
35f978185ceb341beb79d36e50152fcc1e97f39eecacb7afdebf72f1838009cfb514dba3894493ab3ca01afa3408fb8d9b8779c9e279596faf2db7148ea37ac1

Download Submit
C:\Program Files (x86)\LuckyWheel\LuckyWheel.exe

Filesize
71KB

MD5
6133f69f01608a83451e9b418348f1b0

SHA1
b2dc516d30d97a3221b8c726d5b619955305d3b5

SHA256
00a6465e2347daee6b6e00cf5d14740519a9520dfa0dafde076fdc2696414a14

SHA512
ab5d3f1af5ef71bdf5966d6bac13f0cfeea5b8e15d752daa742636db3e959a76e212f09ddca6baeda1d8954432693b3129892c43e177eb231d5042ee57d9d7fa

Download Submit
C:\Program Files (x86)\LuckyWheel\LuckyWheel.exe

Filesize
71KB

MD5
6133f69f01608a83451e9b418348f1b0

SHA1
b2dc516d30d97a3221b8c726d5b619955305d3b5

SHA256
00a6465e2347daee6b6e00cf5d14740519a9520dfa0dafde076fdc2696414a14

SHA512
ab5d3f1af5ef71bdf5966d6bac13f0cfeea5b8e15d752daa742636db3e959a76e212f09ddca6baeda1d8954432693b3129892c43e177eb231d5042ee57d9d7fa

Download Submit
C:\Program Files (x86)\LuckyWheel\Newtonsoft.Json.dll

Filesize
690KB

MD5
da5033255da26654935f7840def3c6a0

SHA1
f420e2935ec83c15fdf642c1d02e42fabe53a774

SHA256
7cbb3f382970b9b830529cb943f83ff35d817ba45f4d260b9330fe8f5095b277

SHA512
0dd5ea326d4073c5d340f8414f6fcd0a385d2a087e33a201433e36bfcb86f2321f8f805efaee8b7a3565dc5f2b8d7bed72c86db70fe545d792f70d5daca89d48

Download Submit
C:\Program Files (x86)\LuckyWheel\WindowsServices.exe

Filesize
15KB

MD5
332fe4462b3c1fe60239772e81008311

SHA1
a3f4ef8eeb31e0e5b9877754d2e7d594b0d92d48

SHA256
d3ac8d5db7a6fd808795222d0cebce7e9115344a761dca09d92bc36ff2d38b07

SHA512
967313357aa43f75593afecf4cdc45499e6f50fbbe6a54c9257239e8ce1e2faa2d8e403c1cdc62186f1dbcba67811d62097f42fe044792f41dcbe092784346b2

Download Submit
C:\Program Files (x86)\LuckyWheel\WindowsServices.exe

Filesize
15KB

MD5
332fe4462b3c1fe60239772e81008311

SHA1
a3f4ef8eeb31e0e5b9877754d2e7d594b0d92d48

SHA256
d3ac8d5db7a6fd808795222d0cebce7e9115344a761dca09d92bc36ff2d38b07

SHA512
967313357aa43f75593afecf4cdc45499e6f50fbbe6a54c9257239e8ce1e2faa2d8e403c1cdc62186f1dbcba67811d62097f42fe044792f41dcbe092784346b2

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
464009f8d4b9054fe5294ac7d1441a96

SHA1
1ec5bc70a61511d9f9a61f769c0b3da834ebb6d2

SHA256
0dd6a1b71493ee3a4a3451d0eb6c0fdb4ed136e476c200f39c9ed8b22333643c

SHA512
3085f627f063229e4d93886eee46069c74bc37935fccda58881c49b53b6f55ce505a676329394dcb8d8829cf0ae4bad9c34ad40e26d5cf8fa1edb5483dd76eca

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
bb90c1e80076af76170db13e7dfb4b4b

SHA1
82e990fcb90f5dc15e350308b11d556370433878

SHA256
dee11066389ecbcecaf0c98a10ec5a69f4fe652ceeacb440832cc0c082348863

SHA512
68823079b33d486c5c3c9bf05c519e70cfc5e7083b40361618d507d4e99a73caea733f948b338fa1c5dc2d12064fc5272601b58197182ac3044451431f72324d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
4dee29beb2ec0a0861752dffca936026

SHA1
a96624b9e9b3aa3e30eb2899f145d8d3111e1833

SHA256
a1b3b9b8761c4a233570531c8d24f863dad5dbbd0d722e2dc9019a92ea72e01c

SHA512
a9f4fda6cf372ebc4bf49d860a9fc19892d2caf1c2acc3e19b2dc1d20aa0f28c0b4f135abd6329824552de1f78c58ab15afadac0699e430f91742bd043eb6e73

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
52475b405e4888abcc30df543feb3b7f

SHA1
2d4c37f98faad3151586a33b63e14bf28c0d328c

SHA256
87ec615e24403c0750ccf526f74e9c9ba9f4337850cbb6a2271a5a31cacff075

SHA512
ee2c9b12df0fbc5728191b56476df07b8d50422efcb5e06416d009af1f6900ce821b6a25c5fb0ea2a168f629c2db48bca36df954e1727cab26f9f483e645276c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
1dcc9afc7bdaf64607459738a04b502c

SHA1
3deee65ab56ac166d0112595c9d50d1cf890e7ac

SHA256
26ca9beaf1b8ca3d655636fd1a25c640b20006f7963a4f474a7ef828c5a0f681

SHA512
6318e1ca2599ee43ab57f853e279b98be2cbf1371fa096ca0d54f49557d04193d440e59a4fad89082b321fea721ffd4cdb2209cf0ea9174a4d3439d8e4a2258c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
54546d8a62a2177980eeeafe8d3c262e

SHA1
9e7f8ccb4694344a085b0412ecf3bf16bda408aa

SHA256
8821838023bfcf72c9643df4b931c390adc8c5bd5647691df4b1ff1e0a07678c

SHA512
b7d7f257230b5a53be25e1cc27c562b635b7e2ee8a8f9c2d81b78af5d6be9c35fa0f5ecfd023076bea5e4d4f6715e94dc82c7a831c3d9a5ffb8bb3543f1eb28f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
099c430a62370b9efbdd93d7fd68daef

SHA1
0ad066f1496f7c34185b98299920627c99b68b08

SHA256
b6ea6c8f18a81bae80559a5fadfb7dd571ce970c66c2a86488314d92eae7cde8

SHA512
2590aacfebf8ebad091bcb34956d47bceff7df74a6c4a21a5c2ec3f37ec67f7854248a70d6b2fd9fa571e3c73342f17a8aa4afca935e23db69b5d7d2d9c83ceb

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
e67a867ef4c68cffe8a363346048ce5c

SHA1
e5a7b801fd258b4daad800ff48cecb4caaeaff6d

SHA256
3fd4955a39bfc4a9ddcf50a1235b7248f3d1a2e2bfd50724e1dbb4dbb90b8600

SHA512
ee7a2b8a7a5998c5130d086b3757839da3a835c68932daa226aedf68d36053191f443ffb85841a8e2d422cb613c6826ffe67628b2a2268f412b01d4231872d77

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
fb2aff92c1f8cc5f2a84fe852306fd7e

SHA1
1b5ecaf11c5ca56d90be125c9f27369ee030d9bd

SHA256
3bcef9fc2877a3976a018b760a279e4c1e3a568d8a9012e9098009301c61fb11

SHA512
edaf9b8930f0abbc36acd8ced5fe0b2643acfa49409d2b635fdbe6e641cc3b194cec93364ea279f03b5e030895f68a6ca2f4602d360326ae350e05f74319492d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ACT9UUKV\headerBanner[5].htm

Filesize
15B

MD5
cf9752d163e399497aeab80ae3446246

SHA1
ea3b026dba8552e366b26fd78ee0b76465552d84

SHA256
3c2962d235bbc4f4e302c81eb7a2177d8dff2cdbe91b9494270d3ba83161d8f4

SHA512
513433cd330665d652649449ad8a75435721bde3919dcc2b6f8ce96b98cb692cea5bac5b6f1478b251dc59f883aa737a5152dc3458fe8722ae285fec9298bb59

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\AFOBZ3YS\suggestions[1].en-US

Filesize
17KB

MD5
5a34cb996293fde2cb7a4ac89587393a

SHA1
3c96c993500690d1a77873cd62bc639b3a10653f

SHA256
c6a5377cbc07eece33790cfc70572e12c7a48ad8296be25c0cc805a1f384dbad

SHA512
e1b7d0107733f81937415104e70f68b1be6fd0ca65dccf4ff72637943d44278d3a77f704aedff59d2dbc0d56a609b2590c8ec0dd6bc48ab30f1dad0c07a0a3ee

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab6E02.tmp

Filesize
61KB

MD5
fc4666cbca561e864e7fdf883a9e6661

SHA1
2f8d6094c7a34bf12ea0bbf0d51ee9c5bb7939a5

SHA256
10f3deb6c452d749a7451b5d065f4c0449737e5ee8a44f4d15844b503141e65b

SHA512
c71f54b571e01f247f072be4bbebdf5d8410b67eb79a61e7e0d9853fe857ab9bd12f53e6af3394b935560178107291fc4be351b27deb388eba90ba949633d57d

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab7036.tmp

Filesize
62KB

MD5
3ac860860707baaf32469fa7cc7c0192

SHA1
c33c2acdaba0e6fa41fd2f00f186804722477639

SHA256
d015145d551ecd14916270efad773bbc9fd57fad2228d2c24559f696c961d904

SHA512
d62ad2408c969a95550fb87efda50f988770ba5e39972041bf85924275baf156b8bec309ecc6409e5acdd37ec175dea40eff921ab58933b5b5b5d35a6147567c

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar6F6B.tmp

Filesize
161KB

MD5
73b4b714b42fc9a6aaefd0ae59adb009

SHA1
efdaffd5b0ad21913d22001d91bf6c19ecb4ac41

SHA256
c0cf8cc04c34b5b80a2d86ad0eafb2dd71436f070c86b0321fba0201879625fd

SHA512
73af3c51b15f89237552b1718bef21fd80788fa416bab2cb2e7fb3a60d56249a716eda0d2dd68ab643752272640e7eaaaf57ce64bcb38373ddc3d035fb8d57cd

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar7397.tmp

Filesize
164KB

MD5
4ff65ad929cd9a367680e0e5b1c08166

SHA1
c0af0d4396bd1f15c45f39d3b849ba444233b3a2

SHA256
c8733c93cc5aaf5ca206d06af22ee8dbdec764fb5085019a6a9181feb9dfdee6

SHA512
f530dc0d024a5a3b8903ffaaa41b608a5ccdd6da4ba1949f2c2e55a9fca475fec5c8d2119b5763cabe7ef1c3788fb9dcac621869db51d65b1d83cfe404fb4c27

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsjBE04.tmp\KillProcDLL.dll

Filesize
4KB

MD5
99f345cf51b6c3c317d20a81acb11012

SHA1
b3d0355f527c536ea14a8ff51741c8739d66f727

SHA256
c2689ba1f66066afce85ca6457ecd36370be0fe351c58422e45efd0948655c93

SHA512
937aa75be84a74f2be3b54dc80fac02c17dad1915d924ef82ab354d2a49bc773ee6d801203c52686113783a7c7ea0e8ed8e673ba696d6d3212f7006e291ed2ef

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsjBE04.tmp\System.dll

Filesize
11KB

MD5
cf85183b87314359488b850f9e97a698

SHA1
6b6c790037eec7ebea4d05590359cb4473f19aea

SHA256
3b6a5cb2a3c091814fce297c04fb677f72732fb21615102c62a195fdc2e7dfac

SHA512
fe484b3fc89aeed3a6b71b90b90ea11a787697e56be3077154b6ddc2646850f6c38589ed422ff792e391638a80a778d33f22e891e76b5d65896c6fb4696a2c3b

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsjBE04.tmp\UserInfo.dll

Filesize
4KB

MD5
d41cf0e4d88c60408f3d5b97f49d40c0

SHA1
1aa117b1ef998993f495833a08dd8cb12356be0f

SHA256
2dbdb3abd5652302254466aefa0f40048832f2a39fbb8a63c97fda8116021ff9

SHA512
35bf8f92d502a007838576c25aa25d1d7cc01a639df624cfb166085b51f1ba9cd4791c854f879e7b138492a3492365d88c0c5d7accfe5ac1e0e73685117f9209

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\I8WEBOB7.txt

Filesize
600B

MD5
a2afc9970e1a8da665d5ff6aa8198656

SHA1
decb2af68ee22d42f5b87238f94c2b3506c2053c

SHA256
e5ab02aa6a3b0bae91b46beb99480bf6ca00e2873fca8b43d1758f2d222adf9a

SHA512
8305582932da131e40fa718d975e9ce48f676f4f279e4b118a0b1cd872e884d251fdd0ad5985cac24661449bafbe787af4f019c3563fa0674ed39e5ee9b467ae

Download Submit
\Program Files (x86)\LuckyWheel\LuckyWheel.exe

Filesize
71KB

MD5
6133f69f01608a83451e9b418348f1b0

SHA1
b2dc516d30d97a3221b8c726d5b619955305d3b5

SHA256
00a6465e2347daee6b6e00cf5d14740519a9520dfa0dafde076fdc2696414a14

SHA512
ab5d3f1af5ef71bdf5966d6bac13f0cfeea5b8e15d752daa742636db3e959a76e212f09ddca6baeda1d8954432693b3129892c43e177eb231d5042ee57d9d7fa

Download Submit
\Program Files (x86)\LuckyWheel\WindowsServices.exe

Filesize
15KB

MD5
332fe4462b3c1fe60239772e81008311

SHA1
a3f4ef8eeb31e0e5b9877754d2e7d594b0d92d48

SHA256
d3ac8d5db7a6fd808795222d0cebce7e9115344a761dca09d92bc36ff2d38b07

SHA512
967313357aa43f75593afecf4cdc45499e6f50fbbe6a54c9257239e8ce1e2faa2d8e403c1cdc62186f1dbcba67811d62097f42fe044792f41dcbe092784346b2

Download Submit
\Users\Admin\AppData\Local\Temp\nsjBE04.tmp\KillProcDLL.dll

Filesize
4KB

MD5
99f345cf51b6c3c317d20a81acb11012

SHA1
b3d0355f527c536ea14a8ff51741c8739d66f727

SHA256
c2689ba1f66066afce85ca6457ecd36370be0fe351c58422e45efd0948655c93

SHA512
937aa75be84a74f2be3b54dc80fac02c17dad1915d924ef82ab354d2a49bc773ee6d801203c52686113783a7c7ea0e8ed8e673ba696d6d3212f7006e291ed2ef

Download Submit
\Users\Admin\AppData\Local\Temp\nsjBE04.tmp\KillProcDLL.dll

Filesize
4KB

MD5
99f345cf51b6c3c317d20a81acb11012

SHA1
b3d0355f527c536ea14a8ff51741c8739d66f727

SHA256
c2689ba1f66066afce85ca6457ecd36370be0fe351c58422e45efd0948655c93

SHA512
937aa75be84a74f2be3b54dc80fac02c17dad1915d924ef82ab354d2a49bc773ee6d801203c52686113783a7c7ea0e8ed8e673ba696d6d3212f7006e291ed2ef

Download Submit
\Users\Admin\AppData\Local\Temp\nsjBE04.tmp\System.dll

Filesize
11KB

MD5
cf85183b87314359488b850f9e97a698

SHA1
6b6c790037eec7ebea4d05590359cb4473f19aea

SHA256
3b6a5cb2a3c091814fce297c04fb677f72732fb21615102c62a195fdc2e7dfac

SHA512
fe484b3fc89aeed3a6b71b90b90ea11a787697e56be3077154b6ddc2646850f6c38589ed422ff792e391638a80a778d33f22e891e76b5d65896c6fb4696a2c3b

Download Submit
\Users\Admin\AppData\Local\Temp\nsjBE04.tmp\UserInfo.dll

Filesize
4KB

MD5
d41cf0e4d88c60408f3d5b97f49d40c0

SHA1
1aa117b1ef998993f495833a08dd8cb12356be0f

SHA256
2dbdb3abd5652302254466aefa0f40048832f2a39fbb8a63c97fda8116021ff9

SHA512
35bf8f92d502a007838576c25aa25d1d7cc01a639df624cfb166085b51f1ba9cd4791c854f879e7b138492a3492365d88c0c5d7accfe5ac1e0e73685117f9209

Download Submit
memory/1720-94-0x000000001B2A0000-0x000000001B320000-memory.dmp

Filesize
512KB

Download
memory/1720-90-0x0000000001320000-0x0000000001328000-memory.dmp

Filesize
32KB

Download
memory/1724-85-0x0000000002C70000-0x0000000002D22000-memory.dmp

Filesize
712KB

Download
memory/1724-139-0x00000000036D0000-0x0000000003750000-memory.dmp

Filesize
512KB

Download
memory/1724-138-0x00000000036D0000-0x0000000003750000-memory.dmp

Filesize
512KB

Download
memory/1724-131-0x00000000036D0000-0x0000000003750000-memory.dmp

Filesize
512KB

Download
memory/1724-103-0x00000000036D0000-0x0000000003750000-memory.dmp

Filesize
512KB

Download
memory/1724-102-0x00000000036D0000-0x0000000003750000-memory.dmp

Filesize
512KB

Download
memory/1724-101-0x00000000036D0000-0x0000000003750000-memory.dmp

Filesize
512KB

Download
memory/1724-93-0x00000000036D0000-0x0000000003750000-memory.dmp

Filesize
512KB

Download
memory/1724-92-0x00000000002C0000-0x00000000002CE000-memory.dmp

Filesize
56KB

Download
memory/1724-83-0x0000000010720000-0x0000000010732000-memory.dmp

Filesize
72KB

Download
memory/1988-69-0x00000000002E0000-0x00000000002E3000-memory.dmp

Filesize
12KB

Download