Malware Analysis Report

2025-08-05 16:44

Sample ID 240204-tvnsysgcar
Target 8f9cc18d3743f189e0702d941c4423da
SHA256 3efc4518a663cc15ee2022ec284fbcf7ce41a562ce45c2380e6c1cf9822edaab
Tags
adware discovery stealer
score
7/10


Analysis Overview

score
7/10

SHA256

3efc4518a663cc15ee2022ec284fbcf7ce41a562ce45c2380e6c1cf9822edaab

Threat Level: Shows suspicious behavior

The file 8f9cc18d3743f189e0702d941c4423da was classified as showing suspicious behavior (score 7/10): it is an unsigned self-extracting dropper that runs two embedded installers, one of which registers a Browser Helper Object.

Malicious Activity Summary

adware discovery stealer

Checks computer location settings

Executes dropped EXE

Loads dropped DLL

Installs/modifies Browser Helper Object

Checks installed software on the system

Drops file in Program Files directory

Enumerates physical storage devices

Unsigned PE

NSIS installer

Modifies registry class

Suspicious use of WriteProcessMemory

MITRE ATT&CK (Enterprise Matrix V15)

Analysis: static1

Detonation Overview

Reported

2024-02-04 16:22

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-02-04 16:22

Reported

2024-02-04 16:25

Platform

win7-20231215-en

Max time kernel

121s

Max time network

124s

Command Line

"C:\Users\Admin\AppData\Local\Temp\8f9cc18d3743f189e0702d941c4423da.exe"

Signatures

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\setup2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\setup1.exe N/A

Checks installed software on the system

discovery

Installs/modifies Browser Helper Object

stealer adware
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{5E2402A0-5F99-4188-B30D-D8743996B340} C:\Users\Admin\AppData\Local\Temp\RarSFX0\setup2.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{5E2402A0-5F99-4188-B30D-D8743996B340}\ = "LuckyTender" C:\Users\Admin\AppData\Local\Temp\RarSFX0\setup2.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files (x86)\LuckyTender\1.3.0\LuckyTender.dll C:\Users\Admin\AppData\Local\Temp\RarSFX0\setup2.exe N/A
File created C:\Program Files (x86)\LuckyTender\uninst.exe C:\Users\Admin\AppData\Local\Temp\RarSFX0\setup2.exe N/A

Enumerates physical storage devices

NSIS installer

installer
Description Indicator Process Target
N/A N/A N/A N/A

Modifies registry class

Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\SliderShow.SliderShowCtrl.1\ = "SliderShowCtrl Class" C:\Users\Admin\AppData\Local\Temp\RarSFX0\setup2.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5E2402A0-5F99-4188-B30D-D8743996B340}\ = "SliderShowCtrl Class" C:\Users\Admin\AppData\Local\Temp\RarSFX0\setup2.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{13E3FF74-B861-4E69-B223-43D711686832}\ProxyStubClsid32 C:\Users\Admin\AppData\Local\Temp\RarSFX0\setup2.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{3794345D-C731-4FBB-8471-73DDC8DFFDD2}\ = "ISliderWindow" C:\Users\Admin\AppData\Local\Temp\RarSFX0\setup2.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{DE85A67A-3F04-4ABA-A10B-A37B220AFB70}\ProxyStubClsid32\ = "{3794345D-C731-4FBB-8471-73DDC8DFFDD2}" C:\Users\Admin\AppData\Local\Temp\RarSFX0\setup2.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\SliderShow.SliderShowCtrl\CLSID\ = "{5E2402A0-5F99-4188-B30D-D8743996B340}" C:\Users\Admin\AppData\Local\Temp\RarSFX0\setup2.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5E2402A0-5F99-4188-B30D-D8743996B340}\VersionIndependentProgID\ = "SliderShow.SliderShowCtrl" C:\Users\Admin\AppData\Local\Temp\RarSFX0\setup2.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5E2402A0-5F99-4188-B30D-D8743996B340}\InprocServer32\ = "C:\\Program Files (x86)\\LuckyTender\\1.3.0\\LuckyTender.dll" C:\Users\Admin\AppData\Local\Temp\RarSFX0\setup2.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{13E3FF74-B861-4E69-B223-43D711686832}\TypeLib C:\Users\Admin\AppData\Local\Temp\RarSFX0\setup2.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{13E3FF74-B861-4E69-B223-43D711686832}\TypeLib\ = "{96EDCF67-4637-4288-9A0D-4282EBF26D62}" C:\Users\Admin\AppData\Local\Temp\RarSFX0\setup2.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{13E3FF74-B861-4E69-B223-43D711686832}\TypeLib\Version = "1.0" C:\Users\Admin\AppData\Local\Temp\RarSFX0\setup2.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\AppID\SliderShow.DLL\AppID = "{7656BFE4-2AAE-4E04-98B6-5912E99FBE38}" C:\Users\Admin\AppData\Local\Temp\RarSFX0\setup2.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5E2402A0-5F99-4188-B30D-D8743996B340}\AppID = "{7656BFE4-2AAE-4E04-98B6-5912E99FBE38}" C:\Users\Admin\AppData\Local\Temp\RarSFX0\setup2.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{96EDCF67-4637-4288-9A0D-4282EBF26D62}\1.0\ = "SliderShow 1.0 Type Library" C:\Users\Admin\AppData\Local\Temp\RarSFX0\setup2.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{96EDCF67-4637-4288-9A0D-4282EBF26D62}\1.0\FLAGS C:\Users\Admin\AppData\Local\Temp\RarSFX0\setup2.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{13E3FF74-B861-4E69-B223-43D711686832}\TypeLib C:\Users\Admin\AppData\Local\Temp\RarSFX0\setup2.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{DE85A67A-3F04-4ABA-A10B-A37B220AFB70} C:\Users\Admin\AppData\Local\Temp\RarSFX0\setup2.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5E2402A0-5F99-4188-B30D-D8743996B340}\InprocServer32\ThreadingModel = "Apartment" C:\Users\Admin\AppData\Local\Temp\RarSFX0\setup2.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5E2402A0-5F99-4188-B30D-D8743996B340}\TypeLib\ = "{96EDCF67-4637-4288-9A0D-4282EBF26D62}" C:\Users\Admin\AppData\Local\Temp\RarSFX0\setup2.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{13E3FF74-B861-4E69-B223-43D711686832}\ProxyStubClsid32 C:\Users\Admin\AppData\Local\Temp\RarSFX0\setup2.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{DE85A67A-3F04-4ABA-A10B-A37B220AFB70}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" C:\Users\Admin\AppData\Local\Temp\RarSFX0\setup2.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\SliderShow.SliderShowCtrl\CLSID C:\Users\Admin\AppData\Local\Temp\RarSFX0\setup2.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{96EDCF67-4637-4288-9A0D-4282EBF26D62}\1.0\0 C:\Users\Admin\AppData\Local\Temp\RarSFX0\setup2.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{13E3FF74-B861-4E69-B223-43D711686832}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" C:\Users\Admin\AppData\Local\Temp\RarSFX0\setup2.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{DE85A67A-3F04-4ABA-A10B-A37B220AFB70}\TypeLib C:\Users\Admin\AppData\Local\Temp\RarSFX0\setup2.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{3794345D-C731-4FBB-8471-73DDC8DFFDD2}\InProcServer32\ThreadingModel = "Both" C:\Users\Admin\AppData\Local\Temp\RarSFX0\setup2.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5E2402A0-5F99-4188-B30D-D8743996B340}\VersionIndependentProgID C:\Users\Admin\AppData\Local\Temp\RarSFX0\setup2.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{13E3FF74-B861-4E69-B223-43D711686832}\TypeLib\Version = "1.0" C:\Users\Admin\AppData\Local\Temp\RarSFX0\setup2.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{13E3FF74-B861-4E69-B223-43D711686832}\ProxyStubClsid32\ = "{3794345D-C731-4FBB-8471-73DDC8DFFDD2}" C:\Users\Admin\AppData\Local\Temp\RarSFX0\setup2.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{13E3FF74-B861-4E69-B223-43D711686832}\NumMethods C:\Users\Admin\AppData\Local\Temp\RarSFX0\setup2.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{DE85A67A-3F04-4ABA-A10B-A37B220AFB70}\NumMethods C:\Users\Admin\AppData\Local\Temp\RarSFX0\setup2.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5E2402A0-5F99-4188-B30D-D8743996B340}\ProgID\ = "SliderShow.SliderShowCtrl.1" C:\Users\Admin\AppData\Local\Temp\RarSFX0\setup2.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{13E3FF74-B861-4E69-B223-43D711686832}\ = "ISliderShowCtrl" C:\Users\Admin\AppData\Local\Temp\RarSFX0\setup2.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{13E3FF74-B861-4E69-B223-43D711686832}\TypeLib\ = "{96EDCF67-4637-4288-9A0D-4282EBF26D62}" C:\Users\Admin\AppData\Local\Temp\RarSFX0\setup2.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{DE85A67A-3F04-4ABA-A10B-A37B220AFB70}\TypeLib C:\Users\Admin\AppData\Local\Temp\RarSFX0\setup2.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{DE85A67A-3F04-4ABA-A10B-A37B220AFB70}\TypeLib\ = "{96EDCF67-4637-4288-9A0D-4282EBF26D62}" C:\Users\Admin\AppData\Local\Temp\RarSFX0\setup2.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{DE85A67A-3F04-4ABA-A10B-A37B220AFB70}\TypeLib\Version = "1.0" C:\Users\Admin\AppData\Local\Temp\RarSFX0\setup2.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\SliderShow.SliderShowCtrl\CurVer C:\Users\Admin\AppData\Local\Temp\RarSFX0\setup2.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5E2402A0-5F99-4188-B30D-D8743996B340}\InprocServer32 C:\Users\Admin\AppData\Local\Temp\RarSFX0\setup2.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{13E3FF74-B861-4E69-B223-43D711686832} C:\Users\Admin\AppData\Local\Temp\RarSFX0\setup2.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{7656BFE4-2AAE-4E04-98B6-5912E99FBE38} C:\Users\Admin\AppData\Local\Temp\RarSFX0\setup2.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\SliderShow.SliderShowCtrl\ = "SliderShowCtrl Class" C:\Users\Admin\AppData\Local\Temp\RarSFX0\setup2.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{13E3FF74-B861-4E69-B223-43D711686832} C:\Users\Admin\AppData\Local\Temp\RarSFX0\setup2.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{DE85A67A-3F04-4ABA-A10B-A37B220AFB70}\ = "ISliderWindowAx" C:\Users\Admin\AppData\Local\Temp\RarSFX0\setup2.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{3794345D-C731-4FBB-8471-73DDC8DFFDD2}\NumMethods C:\Users\Admin\AppData\Local\Temp\RarSFX0\setup2.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\AppID\SliderShow.DLL C:\Users\Admin\AppData\Local\Temp\RarSFX0\setup2.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\SliderShow.SliderShowCtrl.1 C:\Users\Admin\AppData\Local\Temp\RarSFX0\setup2.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{96EDCF67-4637-4288-9A0D-4282EBF26D62}\1.0\HELPDIR\ = "C:\\Program Files (x86)\\LuckyTender\\1.3.0\\" C:\Users\Admin\AppData\Local\Temp\RarSFX0\setup2.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{DE85A67A-3F04-4ABA-A10B-A37B220AFB70} C:\Users\Admin\AppData\Local\Temp\RarSFX0\setup2.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID C:\Users\Admin\AppData\Local\Temp\RarSFX0\setup2.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{3794345D-C731-4FBB-8471-73DDC8DFFDD2} C:\Users\Admin\AppData\Local\Temp\RarSFX0\setup2.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{DE85A67A-3F04-4ABA-A10B-A37B220AFB70}\ = "ISliderWindowAx" C:\Users\Admin\AppData\Local\Temp\RarSFX0\setup2.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{3794345D-C731-4FBB-8471-73DDC8DFFDD2}\InProcServer32\ = "C:\\Program Files (x86)\\LuckyTender\\1.3.0\\LuckyTender.dll" C:\Users\Admin\AppData\Local\Temp\RarSFX0\setup2.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\SliderShow.SliderShowCtrl C:\Users\Admin\AppData\Local\Temp\RarSFX0\setup2.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5E2402A0-5F99-4188-B30D-D8743996B340}\Programmable C:\Users\Admin\AppData\Local\Temp\RarSFX0\setup2.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{96EDCF67-4637-4288-9A0D-4282EBF26D62}\1.0\FLAGS\ = "0" C:\Users\Admin\AppData\Local\Temp\RarSFX0\setup2.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{96EDCF67-4637-4288-9A0D-4282EBF26D62}\1.0\HELPDIR C:\Users\Admin\AppData\Local\Temp\RarSFX0\setup2.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{DE85A67A-3F04-4ABA-A10B-A37B220AFB70}\ProxyStubClsid32 C:\Users\Admin\AppData\Local\Temp\RarSFX0\setup2.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{DE85A67A-3F04-4ABA-A10B-A37B220AFB70}\TypeLib\Version = "1.0" C:\Users\Admin\AppData\Local\Temp\RarSFX0\setup2.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{13E3FF74-B861-4E69-B223-43D711686832}\NumMethods\ = "7" C:\Users\Admin\AppData\Local\Temp\RarSFX0\setup2.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{DE85A67A-3F04-4ABA-A10B-A37B220AFB70}\TypeLib\ = "{96EDCF67-4637-4288-9A0D-4282EBF26D62}" C:\Users\Admin\AppData\Local\Temp\RarSFX0\setup2.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{7656BFE4-2AAE-4E04-98B6-5912E99FBE38}\ = "SliderShow" C:\Users\Admin\AppData\Local\Temp\RarSFX0\setup2.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\SliderShow.SliderShowCtrl.1\CLSID C:\Users\Admin\AppData\Local\Temp\RarSFX0\setup2.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\SliderShow.SliderShowCtrl.1\CLSID\ = "{5E2402A0-5F99-4188-B30D-D8743996B340}" C:\Users\Admin\AppData\Local\Temp\RarSFX0\setup2.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1856 wrote to memory of 2064 (7 events) N/A C:\Users\Admin\AppData\Local\Temp\8f9cc18d3743f189e0702d941c4423da.exe C:\Users\Admin\AppData\Local\Temp\RarSFX0\setup2.exe
PID 1856 wrote to memory of 2720 (7 events) N/A C:\Users\Admin\AppData\Local\Temp\8f9cc18d3743f189e0702d941c4423da.exe C:\Users\Admin\AppData\Local\Temp\RarSFX0\setup1.exe

Note: the writer (PID 1856) is the dropper and both targets are its own freshly spawned children, so these events are consistent with the parent populating the new processes at creation time rather than with injection into an unrelated process.

Processes

C:\Users\Admin\AppData\Local\Temp\8f9cc18d3743f189e0702d941c4423da.exe

"C:\Users\Admin\AppData\Local\Temp\8f9cc18d3743f189e0702d941c4423da.exe"

C:\Users\Admin\AppData\Local\Temp\RarSFX0\setup2.exe

"C:\Users\Admin\AppData\Local\Temp\RarSFX0\setup2.exe"

C:\Users\Admin\AppData\Local\Temp\RarSFX0\setup1.exe

"C:\Users\Admin\AppData\Local\Temp\RarSFX0\setup1.exe"

Network

N/A

Files

\Users\Admin\AppData\Local\Temp\RarSFX0\setup2.exe

MD5 5b4a528aff5726712c3c4714492fc71a
SHA1 e60a68d8ffb33a81957199e7fa2720a5b74c6ae0
SHA256 bd0bd14950691bbbd1a8c791b6cecc0136b7f361d3d3617f97ab8aec4bfaee8e
SHA512 11cae2ad6dc83762c48d30703f0e404d7c708c2c19eb58d32ab557474271c816b08141ffd7588fc0b220728ed00d8e4c1a287becf9451bdcce3d201c098179b9

\Program Files (x86)\LuckyTender\1.3.0\LuckyTender.dll

MD5 fbbd36fc9f5de933753a1b855944e04a
SHA1 6aff38e2228f86233e103da286381da37feff0ce
SHA256 ff68a2096413a90a3505610353307a88355e1f34d9417acdd4f2d4855db33b62
SHA512 7bc90a7084cfeb60d6abe4c4d4ac641c9b65fd477c8d57c5b4fa0d84b9a797b6c4b207b5ac9fb503b42b12212dbefc9507eddf73ef984eb2d4a9cf6b064dbace

\Users\Admin\AppData\Local\Temp\RarSFX0\setup1.exe

MD5 f74f15bab08ae5eb5d43b3d774f5cf30
SHA1 5e94d983fffed36d41e137254cff59fad6a890c4
SHA256 3a5c29bca1bbe551154ce16a8a0a6977a2b899b89c3c46b937d748c65f1897bc
SHA512 37b779caba37d20493a1835529bb0115377f1f5519af3039ec621b4e458e51f5c51d199145cc64b500c8999828df2456746ab7f5fb85f852bd3f35aeb3eecfae

C:\Users\Admin\AppData\Local\Temp\RarSFX0\setup1.exe

MD5 1ebe7a67a48c6dcdb4c587295439fd44
SHA1 59279c22f71c8324d0ccc2058f2cd7b3c8c41ae3
SHA256 23b85b0c7d5aacfcfaff4fa4e3af5e0e09cc24d1d498d104e04ffaabc5b1ebfd
SHA512 8311f87325e8987bd451888c99aee11955fcbbc2dcc9b834c72c7cef1ccd0244b2bc6d5b107b1faa722d643f2b4f6c7ee85cf4b71477002eef0849aa48a27633

C:\Users\Admin\AppData\Local\Temp\RarSFX0\setup1.exe

MD5 d0226a30350152be71631317e3b77ed9
SHA1 57babff43b382f1ccd171915f705978fee4b34c7
SHA256 e3bd63c7c59777a1064cc6d81a8c7889dff4a7caa19987941f3a9dacb9f246d1
SHA512 f617f654331046246fc96bcac9735916fae612a023451bc13fd2e93f06187c9f99bb1d1aeee4458163347d85e72f3eb60bc9f662806096ac5e07b598242b330e

C:\Users\Admin\AppData\Local\Temp\RarSFX0\setup1.exe

MD5 1dd0748cc53b910a4ecd08bddee9d4b7
SHA1 812eb569b8c4fd637c04bf95bd7b485e191cfd5b
SHA256 13b9514fe51cea84dd3681eb1e4d669026d322f2dfe163477d481b9f8fcb6897
SHA512 b6a412246d2e5853334314614c708a7cf7cd1c784a221ba4cfa81da276904dcd88137cf99f4b7b212396d37e1da7184ee222ed69a56c1525760f24682bff30a9

\Users\Admin\AppData\Local\Temp\RarSFX0\setup1.exe

MD5 8b95c6ab844b7b1fa40a19270c74089a
SHA1 08887fac24776b322a828ee307db8ecc3c07f692
SHA256 75782517fe8cd1e87a440c60848690be68e7e9ac71bdd3da2993857f664e791c
SHA512 a5d5d3f5e0a6f5cf58c0a52fcdd8efb245dea4763d34be7ee3acda202f2fde796c7879e118c957a2eeda8fb936dda30816535633825cc672edf726ceabee7022

\Users\Admin\AppData\Local\Temp\RarSFX0\setup1.exe

MD5 4c5c9bc08662b6e3bc2d8e2f3dc38ea7
SHA1 040daf2000cdf49f159f5232f5751a79208ede02
SHA256 c1b51655c8783902f73a75b809dd2e5e64437f1163dc497a8b26cdaff81ab80f
SHA512 3693577c7b0659b4df4f3aa6fb759ed741c286023e60eda637189a6182e4940544f8400fa6d87d7155e8c29371b8a2730ae9067e25b1ac01576eb59fac9e3f7f

\Users\Admin\AppData\Local\Temp\RarSFX0\setup1.exe

MD5 33010933d4b582cbc2b3b1f4ad864156
SHA1 14c167feeef914a639dcd68751842141feaef5fd
SHA256 8c971da2ccb79bbd52b213644421a2f7f720d1aa3c95e557ed595ef34b179bf3
SHA512 1b046a39ed2dd24fdb0f1a9ff668cba5ffed3b741782857265172d97457f9a553c4208129bdb3cca2fb2a4506e11bb5a7e8bdf883d542434231351856404c9bf

memory/1856-27-0x0000000000400000-0x0000000000421000-memory.dmp
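Added example, not part of the sandbox report: a PowerShell hunt that ties the indicators above together on a live host. The Browser Helper Objects key names CLSID {5E2402A0-5F99-4188-B30D-D8743996B340}; that CLSID's InprocServer32 value points at C:\Program Files (x86)\LuckyTender\1.3.0\LuckyTender.dll, so Internet Explorer loads the unsigned DLL in-process on every start. The script enumerates both the native and Wow6432Node BHO keys, resolves each registered CLSID to its DLL, checks the Authenticode status and compares the file's SHA256 with the hashes listed in the Files section. The CLSIDs, paths and hashes are copied from the report; the variable and function names are my own.

```powershell
# Run in an elevated PowerShell on the suspect host.
# Indicators below are taken from the sandbox report above.
$BadClsids = @(
    '{5E2402A0-5F99-4188-B30D-D8743996B340}',   # BHO / SliderShowCtrl class
    '{3794345D-C731-4FBB-8471-73DDC8DFFDD2}'    # proxy/stub factory, same DLL
)
$BadSha256 = @(
    'ff68a2096413a90a3505610353307a88355e1f34d9417acdd4f2d4855db33b62',  # LuckyTender.dll
    'bd0bd14950691bbbd1a8c791b6cecc0136b7f361d3d3617f97ab8aec4bfaee8e',  # RarSFX0\setup2.exe
    '3efc4518a663cc15ee2022ec284fbcf7ce41a562ce45c2380e6c1cf9822edaab'   # dropper
)

# The installer is 32-bit, so the report shows the BHO under Wow6432Node;
# check both registry views so a 64-bit variant is not missed.
$BhoKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects'
)
$ClsidRoots = @(
    'HKLM:\SOFTWARE\Classes\CLSID',
    'HKLM:\SOFTWARE\Classes\Wow6432Node\CLSID',
    'HKCU:\SOFTWARE\Classes\CLSID'
)

# Resolve a CLSID to the DLL its InprocServer32 default value names.
function Resolve-ComDll {
    param([string]$Clsid)
    foreach ($root in $ClsidRoots) {
        $key = Join-Path $root "$Clsid\InprocServer32"
        if (Test-Path $key) {
            $dll = (Get-ItemProperty -Path $key).'(default)'
            if ($dll) { return [Environment]::ExpandEnvironmentVariables($dll) }
        }
    }
    return $null
}

$findings = foreach ($bhoKey in $BhoKeys) {
    if (-not (Test-Path $bhoKey)) { continue }
    foreach ($sub in Get-ChildItem -Path $bhoKey) {
        $clsid  = $sub.PSChildName
        $dll    = Resolve-ComDll $clsid
        $exists = $dll -and (Test-Path $dll)
        $sig    = if ($exists) { (Get-AuthenticodeSignature -FilePath $dll).Status } else { 'MISSING' }
        $hash   = if ($exists) { (Get-FileHash -Path $dll -Algorithm SHA256).Hash.ToLower() } else { $null }
        [pscustomobject]@{
            Clsid      = $clsid
            Name       = (Get-ItemProperty -Path $sub.PSPath).'(default)'
            Dll        = $dll
            Signature  = $sig
            Sha256     = $hash
            KnownClsid = $BadClsids -contains $clsid
            KnownHash  = $BadSha256 -contains $hash
        }
    }
}

$findings | Format-Table Clsid, Name, Dll, Signature, KnownClsid, KnownHash -AutoSize

# Anything matching the report's CLSIDs or hashes, or any BHO whose DLL is not
# validly signed (the sample's DLL is flagged "Unsigned PE" above), needs review.
$suspect = $findings | Where-Object { $_.KnownClsid -or $_.KnownHash -or $_.Signature -ne 'Valid' }
$suspect
```

Removal is the reverse of the registration the report records: delete the BHO subkey, the CLSID, Interface, TypeLib and AppID keys listed under "Modifies registry class", and the C:\Program Files (x86)\LuckyTender directory, after Internet Explorer has been closed so the DLL is not mapped. A BHO whose DLL is missing on disk ("MISSING" above) is a dangling registration and should still be removed.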

Analysis: behavioral2

Detonation Overview

Submitted

2024-02-04 16:22

Reported

2024-02-04 16:25

Platform

win10v2004-20231215-en

Max time kernel

143s

Max time network

151s

Command Line

"C:\Users\Admin\AppData\Local\Temp\8f9cc18d3743f189e0702d941c4423da.exe"

Signatures

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-1815711207-1844170477-3539718864-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\8f9cc18d3743f189e0702d941c4423da.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\setup2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\setup1.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\setup2.exe N/A

Checks installed software on the system

discovery

Installs/modifies Browser Helper Object

stealer adware
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{5E2402A0-5F99-4188-B30D-D8743996B340}\ = "LuckyTender" C:\Users\Admin\AppData\Local\Temp\RarSFX0\setup2.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{5E2402A0-5F99-4188-B30D-D8743996B340} C:\Users\Admin\AppData\Local\Temp\RarSFX0\setup2.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files (x86)\LuckyTender\1.3.0\LuckyTender.dll C:\Users\Admin\AppData\Local\Temp\RarSFX0\setup2.exe N/A
File created C:\Program Files (x86)\LuckyTender\uninst.exe C:\Users\Admin\AppData\Local\Temp\RarSFX0\setup2.exe N/A

Enumerates physical storage devices

NSIS installer

installer
Description Indicator Process Target
N/A N/A N/A N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{13E3FF74-B861-4E69-B223-43D711686832} C:\Users\Admin\AppData\Local\Temp\RarSFX0\setup2.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{13E3FF74-B861-4E69-B223-43D711686832} C:\Users\Admin\AppData\Local\Temp\RarSFX0\setup2.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{DE85A67A-3F04-4ABA-A10B-A37B220AFB70}\ProxyStubClsid32 C:\Users\Admin\AppData\Local\Temp\RarSFX0\setup2.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{DE85A67A-3F04-4ABA-A10B-A37B220AFB70}\ProxyStubClsid32 C:\Users\Admin\AppData\Local\Temp\RarSFX0\setup2.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{13E3FF74-B861-4E69-B223-43D711686832}\NumMethods\ = "7" C:\Users\Admin\AppData\Local\Temp\RarSFX0\setup2.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{96EDCF67-4637-4288-9A0D-4282EBF26D62}\1.0\0 C:\Users\Admin\AppData\Local\Temp\RarSFX0\setup2.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{DE85A67A-3F04-4ABA-A10B-A37B220AFB70} C:\Users\Admin\AppData\Local\Temp\RarSFX0\setup2.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{3794345D-C731-4FBB-8471-73DDC8DFFDD2}\InProcServer32\ = "C:\\Program Files (x86)\\LuckyTender\\1.3.0\\LuckyTender.dll" C:\Users\Admin\AppData\Local\Temp\RarSFX0\setup2.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{13E3FF74-B861-4E69-B223-43D711686832}\ProxyStubClsid32 C:\Users\Admin\AppData\Local\Temp\RarSFX0\setup2.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{DE85A67A-3F04-4ABA-A10B-A37B220AFB70}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" C:\Users\Admin\AppData\Local\Temp\RarSFX0\setup2.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{3794345D-C731-4FBB-8471-73DDC8DFFDD2} C:\Users\Admin\AppData\Local\Temp\RarSFX0\setup2.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{3794345D-C731-4FBB-8471-73DDC8DFFDD2}\NumMethods C:\Users\Admin\AppData\Local\Temp\RarSFX0\setup2.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{DE85A67A-3F04-4ABA-A10B-A37B220AFB70}\NumMethods\ = "11" C:\Users\Admin\AppData\Local\Temp\RarSFX0\setup2.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{13E3FF74-B861-4E69-B223-43D711686832}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" C:\Users\Admin\AppData\Local\Temp\RarSFX0\setup2.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{96EDCF67-4637-4288-9A0D-4282EBF26D62}\1.0\HELPDIR C:\Users\Admin\AppData\Local\Temp\RarSFX0\setup2.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{13E3FF74-B861-4E69-B223-43D711686832}\ = "ISliderShowCtrl" C:\Users\Admin\AppData\Local\Temp\RarSFX0\setup2.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{DE85A67A-3F04-4ABA-A10B-A37B220AFB70}\ = "ISliderWindowAx" C:\Users\Admin\AppData\Local\Temp\RarSFX0\setup2.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{3794345D-C731-4FBB-8471-73DDC8DFFDD2}\InProcServer32 C:\Users\Admin\AppData\Local\Temp\RarSFX0\setup2.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\SliderShow.SliderShowCtrl\CurVer\ = "SliderShow.SliderShowCtrl.1" C:\Users\Admin\AppData\Local\Temp\RarSFX0\setup2.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{13E3FF74-B861-4E69-B223-43D711686832}\TypeLib\ = "{96EDCF67-4637-4288-9A0D-4282EBF26D62}" C:\Users\Admin\AppData\Local\Temp\RarSFX0\setup2.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{DE85A67A-3F04-4ABA-A10B-A37B220AFB70}\ProxyStubClsid32\ = "{3794345D-C731-4FBB-8471-73DDC8DFFDD2}" C:\Users\Admin\AppData\Local\Temp\RarSFX0\setup2.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{96EDCF67-4637-4288-9A0D-4282EBF26D62}\1.0 C:\Users\Admin\AppData\Local\Temp\RarSFX0\setup2.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5E2402A0-5F99-4188-B30D-D8743996B340}\VersionIndependentProgID C:\Users\Admin\AppData\Local\Temp\RarSFX0\setup2.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5E2402A0-5F99-4188-B30D-D8743996B340}\TypeLib\ = "{96EDCF67-4637-4288-9A0D-4282EBF26D62}" C:\Users\Admin\AppData\Local\Temp\RarSFX0\setup2.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{13E3FF74-B861-4E69-B223-43D711686832}\ = "ISliderShowCtrl" C:\Users\Admin\AppData\Local\Temp\RarSFX0\setup2.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{13E3FF74-B861-4E69-B223-43D711686832}\TypeLib\Version = "1.0" C:\Users\Admin\AppData\Local\Temp\RarSFX0\setup2.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{13E3FF74-B861-4E69-B223-43D711686832}\TypeLib\ = "{96EDCF67-4637-4288-9A0D-4282EBF26D62}" C:\Users\Admin\AppData\Local\Temp\RarSFX0\setup2.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{13E3FF74-B861-4E69-B223-43D711686832}\TypeLib\Version = "1.0" C:\Users\Admin\AppData\Local\Temp\RarSFX0\setup2.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{DE85A67A-3F04-4ABA-A10B-A37B220AFB70}\TypeLib\ = "{96EDCF67-4637-4288-9A0D-4282EBF26D62}" C:\Users\Admin\AppData\Local\Temp\RarSFX0\setup2.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5E2402A0-5F99-4188-B30D-D8743996B340}\ = "SliderShowCtrl Class" C:\Users\Admin\AppData\Local\Temp\RarSFX0\setup2.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{DE85A67A-3F04-4ABA-A10B-A37B220AFB70}\NumMethods C:\Users\Admin\AppData\Local\Temp\RarSFX0\setup2.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{96EDCF67-4637-4288-9A0D-4282EBF26D62}\1.0\HELPDIR\ = "C:\\Program Files (x86)\\LuckyTender\\1.3.0\\" C:\Users\Admin\AppData\Local\Temp\RarSFX0\setup2.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1815711207-1844170477-3539718864-1000_Classes\WOW6432Node\Interface C:\Users\Admin\AppData\Local\Temp\RarSFX0\setup2.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{96EDCF67-4637-4288-9A0D-4282EBF26D62}\1.0\ = "SliderShow 1.0 Type Library" C:\Users\Admin\AppData\Local\Temp\RarSFX0\setup2.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\SliderShow.SliderShowCtrl.1\CLSID C:\Users\Admin\AppData\Local\Temp\RarSFX0\setup2.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\SliderShow.SliderShowCtrl\ = "SliderShowCtrl Class" C:\Users\Admin\AppData\Local\Temp\RarSFX0\setup2.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\SliderShow.SliderShowCtrl\CLSID\ = "{5E2402A0-5F99-4188-B30D-D8743996B340}" C:\Users\Admin\AppData\Local\Temp\RarSFX0\setup2.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\SliderShow.SliderShowCtrl\CurVer C:\Users\Admin\AppData\Local\Temp\RarSFX0\setup2.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{3794345D-C731-4FBB-8471-73DDC8DFFDD2}\ProxyStubClsid32\ = "{3794345D-C731-4FBB-8471-73DDC8DFFDD2}" C:\Users\Admin\AppData\Local\Temp\RarSFX0\setup2.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{7656BFE4-2AAE-4E04-98B6-5912E99FBE38} C:\Users\Admin\AppData\Local\Temp\RarSFX0\setup2.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\SliderShow.SliderShowCtrl.1\CLSID\ = "{5E2402A0-5F99-4188-B30D-D8743996B340}" C:\Users\Admin\AppData\Local\Temp\RarSFX0\setup2.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5E2402A0-5F99-4188-B30D-D8743996B340}\TypeLib C:\Users\Admin\AppData\Local\Temp\RarSFX0\setup2.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{DE85A67A-3F04-4ABA-A10B-A37B220AFB70}\ = "ISliderWindowAx" C:\Users\Admin\AppData\Local\Temp\RarSFX0\setup2.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\SliderShow.SliderShowCtrl.1 C:\Users\Admin\AppData\Local\Temp\RarSFX0\setup2.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\SliderShow.SliderShowCtrl.1\ = "SliderShowCtrl Class" C:\Users\Admin\AppData\Local\Temp\RarSFX0\setup2.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{96EDCF67-4637-4288-9A0D-4282EBF26D62}\1.0\FLAGS C:\Users\Admin\AppData\Local\Temp\RarSFX0\setup2.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{96EDCF67-4637-4288-9A0D-4282EBF26D62}\1.0\FLAGS\ = "0" C:\Users\Admin\AppData\Local\Temp\RarSFX0\setup2.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{13E3FF74-B861-4E69-B223-43D711686832}\TypeLib C:\Users\Admin\AppData\Local\Temp\RarSFX0\setup2.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{13E3FF74-B861-4E69-B223-43D711686832}\ProxyStubClsid32 C:\Users\Admin\AppData\Local\Temp\RarSFX0\setup2.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{3794345D-C731-4FBB-8471-73DDC8DFFDD2}\ = "ISliderWindow" C:\Users\Admin\AppData\Local\Temp\RarSFX0\setup2.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{7656BFE4-2AAE-4E04-98B6-5912E99FBE38}\ = "SliderShow" C:\Users\Admin\AppData\Local\Temp\RarSFX0\setup2.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5E2402A0-5F99-4188-B30D-D8743996B340}\ProgID\ = "SliderShow.SliderShowCtrl.1" C:\Users\Admin\AppData\Local\Temp\RarSFX0\setup2.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{96EDCF67-4637-4288-9A0D-4282EBF26D62}\1.0\0\win32 C:\Users\Admin\AppData\Local\Temp\RarSFX0\setup2.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{DE85A67A-3F04-4ABA-A10B-A37B220AFB70} C:\Users\Admin\AppData\Local\Temp\RarSFX0\setup2.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{DE85A67A-3F04-4ABA-A10B-A37B220AFB70}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" C:\Users\Admin\AppData\Local\Temp\RarSFX0\setup2.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{3794345D-C731-4FBB-8471-73DDC8DFFDD2}\ = "PSFactoryBuffer" C:\Users\Admin\AppData\Local\Temp\RarSFX0\setup2.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{3794345D-C731-4FBB-8471-73DDC8DFFDD2}\ProxyStubClsid32 C:\Users\Admin\AppData\Local\Temp\RarSFX0\setup2.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\AppID\SliderShow.DLL C:\Users\Admin\AppData\Local\Temp\RarSFX0\setup2.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5E2402A0-5F99-4188-B30D-D8743996B340}\VersionIndependentProgID\ = "SliderShow.SliderShowCtrl" C:\Users\Admin\AppData\Local\Temp\RarSFX0\setup2.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{DE85A67A-3F04-4ABA-A10B-A37B220AFB70}\TypeLib\ = "{96EDCF67-4637-4288-9A0D-4282EBF26D62}" C:\Users\Admin\AppData\Local\Temp\RarSFX0\setup2.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5E2402A0-5F99-4188-B30D-D8743996B340} C:\Users\Admin\AppData\Local\Temp\RarSFX0\setup2.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5E2402A0-5F99-4188-B30D-D8743996B340}\Programmable C:\Users\Admin\AppData\Local\Temp\RarSFX0\setup2.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{96EDCF67-4637-4288-9A0D-4282EBF26D62}\1.0\0\win32\ = "C:\\Program Files (x86)\\LuckyTender\\1.3.0\\LuckyTender.dll" C:\Users\Admin\AppData\Local\Temp\RarSFX0\setup2.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{13E3FF74-B861-4E69-B223-43D711686832}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" C:\Users\Admin\AppData\Local\Temp\RarSFX0\setup2.exe N/A
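The rows above are a conventional COM registration written by setup2.exe: a CLSID with a ProgID and VersionIndependentProgID, a TypeLib whose win32 entry names the module on disk, and Interface keys whose ProxyStubClsid32 is {00020424-0000-0000-C000-000000000046} (CLSID_PSOAInterface, the type-library marshaler), which means the type library module must be loadable for those interfaces to work. The following is an added example, not part of the sandbox report or the sample: it parses rows in the flattened layout used above and links the CLSID registered under Browser Helper Objects to the ProgID and type-library module recorded for it. The sample input is copied from this report; the subset has no InprocServer32 row, so that field stays empty and the only on-disk path comes from the TypeLib entry.

```python
"""Trace the COM/BHO registration recorded in the sandbox's registry rows.

Added example for this report, not code from the sandbox or the sample.
"""
import re

# Rows copied from this report (the BHO key row and a subset of the
# 'Modifies registry class' rows). Constructed sample input for the parser.
REPORT_ROWS = r"""
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{5E2402A0-5F99-4188-B30D-D8743996B340} C:\Users\Admin\AppData\Local\Temp\RarSFX0\setup2.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5E2402A0-5F99-4188-B30D-D8743996B340}\Programmable C:\Users\Admin\AppData\Local\Temp\RarSFX0\setup2.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5E2402A0-5F99-4188-B30D-D8743996B340}\ProgID\ = "SliderShow.SliderShowCtrl.1" C:\Users\Admin\AppData\Local\Temp\RarSFX0\setup2.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5E2402A0-5F99-4188-B30D-D8743996B340}\VersionIndependentProgID\ = "SliderShow.SliderShowCtrl" C:\Users\Admin\AppData\Local\Temp\RarSFX0\setup2.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{DE85A67A-3F04-4ABA-A10B-A37B220AFB70}\ = "ISliderWindowAx" C:\Users\Admin\AppData\Local\Temp\RarSFX0\setup2.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{DE85A67A-3F04-4ABA-A10B-A37B220AFB70}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" C:\Users\Admin\AppData\Local\Temp\RarSFX0\setup2.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{DE85A67A-3F04-4ABA-A10B-A37B220AFB70}\TypeLib\ = "{96EDCF67-4637-4288-9A0D-4282EBF26D62}" C:\Users\Admin\AppData\Local\Temp\RarSFX0\setup2.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{96EDCF67-4637-4288-9A0D-4282EBF26D62}\1.0\0\win32\ = "C:\\Program Files (x86)\\LuckyTender\\1.3.0\\LuckyTender.dll" C:\Users\Admin\AppData\Local\Temp\RarSFX0\setup2.exe N/A
"""

GUID = r'\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}'
# CLSID_PSOAInterface: the interface is marshaled from its type library,
# so the TypeLib win32 path names a module that has to be loadable.
PSOAINTERFACE = '{00020424-0000-0000-C000-000000000046}'

EVENT_RE = re.compile(
    r'^(?P<kind>Key created|Set value \(\w+\)) (?P<key>\\REGISTRY\\.+?)'
    r'(?: = "(?P<value>.*)")? (?P<proc>\S+) N/A$')
BHO_RE = re.compile(r'\\Explorer\\Browser Helper Objects\\(' + GUID + r')$', re.I)


def parse_rows(text):
    """One dict per row. A trailing backslash on a Set value key means the key's default value."""
    events = []
    for line in text.strip().splitlines():
        m = EVENT_RE.match(line.strip())
        if not m:
            raise ValueError(f'unparsed row: {line!r}')
        value = m.group('value')
        if value is not None:
            value = value.replace('\\\\', '\\')  # the report doubles backslashes in string values
        events.append({'kind': m.group('kind'), 'key': m.group('key').rstrip('\\'),
                       'value': value, 'process': m.group('proc')})
    return events


def classes_relative(key):
    """Lower-cased path below HKLM\\SOFTWARE\\Classes with the WOW6432Node redirection folded away."""
    parts = key.split('\\')
    if [p.lower() for p in parts[:5]] != ['', 'registry', 'machine', 'software', 'classes']:
        return None
    return '\\'.join(p for p in parts[5:] if p.lower() != 'wow6432node').lower()


def default_values(events):
    """Classes-relative key -> string written to it (every Set value row here is a default value)."""
    out = {}
    for e in events:
        rel = classes_relative(e['key'])
        if rel is not None and e['value'] is not None:
            out[rel] = e['value']
    return out


def bho_clsids(events):
    """CLSIDs Internet Explorer will instantiate as Browser Helper Objects."""
    hits = (BHO_RE.search(e['key']) for e in events if e['kind'] == 'Key created')
    return sorted({m.group(1).upper() for m in hits if m})


def typelib_modules(values):
    """TypeLib\\{guid}\\<ver>\\<lcid>\\win32 default value -> module path on disk."""
    pat = re.compile(r'typelib\\(' + GUID + r')\\[^\\]+\\\d+\\win(?:32|64)$')
    return {m.group(1).upper(): v for rel, v in values.items() for m in [pat.match(rel)] if m}


def interfaces(values):
    """IID -> name, owning type library and proxy/stub CLSID."""
    pat = re.compile(r'interface\\(' + GUID + r')(?:\\(typelib|proxystubclsid32))?$')
    out = {}
    for rel, v in values.items():
        m = pat.match(rel)
        if not m:
            continue
        entry = out.setdefault(m.group(1).upper(), {'name': None, 'typelib': None, 'proxystub': None})
        field = {None: 'name', 'typelib': 'typelib', 'proxystubclsid32': 'proxystub'}[m.group(2)]
        entry[field] = v if field == 'name' else v.upper()
    return out


def trace_bho(text=REPORT_ROWS):
    events = parse_rows(text)
    values = default_values(events)
    bhos = []
    for clsid in bho_clsids(events):
        base = 'clsid\\' + clsid.lower()
        bhos.append({'clsid': clsid,
                     'progid': values.get(base + '\\progid'),
                     'version_independent_progid': values.get(base + '\\versionindependentprogid'),
                     # no InprocServer32 row in the excerpt above, so this stays None
                     'inproc_server': values.get(base + '\\inprocserver32')})
    return {'bhos': bhos, 'typelib_modules': typelib_modules(values),
            'interfaces': interfaces(values),
            'writers': sorted({e['process'] for e in events})}


if __name__ == '__main__':
    import json
    print(json.dumps(trace_bho(), indent=2))
```

On a live host the same chain is walked from HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects down to the CLSID's InprocServer32 and TypeLib entries; the module those entries name is the file to hash and compare against the LuckyTender.dll hashes in the Files section.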

Processes

C:\Users\Admin\AppData\Local\Temp\8f9cc18d3743f189e0702d941c4423da.exe

"C:\Users\Admin\AppData\Local\Temp\8f9cc18d3743f189e0702d941c4423da.exe"

C:\Users\Admin\AppData\Local\Temp\RarSFX0\setup2.exe

"C:\Users\Admin\AppData\Local\Temp\RarSFX0\setup2.exe"

C:\Users\Admin\AppData\Local\Temp\RarSFX0\setup1.exe

"C:\Users\Admin\AppData\Local\Temp\RarSFX0\setup1.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 28.118.140.52.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 133.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 241.150.49.20.in-addr.arpa udp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 217.135.221.88.in-addr.arpa udp
US 8.8.8.8:53 79.121.231.20.in-addr.arpa udp
US 8.8.8.8:53 193.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 21.236.111.52.in-addr.arpa udp
US 8.8.8.8:53 186.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 67.112.168.52.in-addr.arpa udp
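Every row in this table is a reverse (PTR) lookup sent to 8.8.8.8:53 over UDP; no forward lookup of a hostname and no non-DNS connection appears in this run's network table, so on its own it does not name a download or C2 host. The IPs being looked up are still worth pivoting on, and they are easier to read once the in-addr.arpa labels are put back in order. The following is an added example, not part of the sandbox's output: it parses the rows copied from this table, inverts each PTR name into the address it refers to, and separates PTR queries from forward queries. Handling of ip6.arpa names goes beyond this report, which only shows IPv4 PTR names.

```python
"""Invert the PTR names in a sandbox network table into the looked-up IPs.

Added example for this report, not part of the sandbox's output.
"""
import ipaddress

# Network rows copied from this report (Country Destination Domain Proto);
# constructed sample input for the functions below.
NETWORK_ROWS = """
US 8.8.8.8:53 28.118.140.52.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 133.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 241.150.49.20.in-addr.arpa udp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 217.135.221.88.in-addr.arpa udp
US 8.8.8.8:53 79.121.231.20.in-addr.arpa udp
US 8.8.8.8:53 193.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 21.236.111.52.in-addr.arpa udp
US 8.8.8.8:53 186.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 67.112.168.52.in-addr.arpa udp
"""


def classify_query(name):
    """('PTR', ip) for a reverse-lookup name, ('FORWARD', name) for anything else.

    ip6.arpa support goes beyond the report, which only shows IPv4 PTR names.
    """
    lowered = name.lower().rstrip('.')
    if lowered.endswith('.in-addr.arpa'):
        labels = lowered[:-len('.in-addr.arpa')].split('.')
        if len(labels) == 4:  # octets are stored least-significant first
            return 'PTR', str(ipaddress.IPv4Address('.'.join(reversed(labels))))
    if lowered.endswith('.ip6.arpa'):
        nibbles = lowered[:-len('.ip6.arpa')].split('.')
        if len(nibbles) == 32:  # one hex nibble per label, least-significant first
            return 'PTR', str(ipaddress.IPv6Address(int(''.join(reversed(nibbles)), 16)))
    return 'FORWARD', lowered


def summarize(text=NETWORK_ROWS):
    """Resolvers and protocols seen, PTR targets as IPs, and any forward-lookup names."""
    ptr_targets, forward_names, resolvers, protos = [], [], set(), set()
    for line in text.strip().splitlines():
        _country, dest, name, proto = line.split()
        resolvers.add(dest)
        protos.add(proto)
        kind, target = classify_query(name)
        (ptr_targets if kind == 'PTR' else forward_names).append(target)
    return {'resolvers': sorted(resolvers), 'protocols': sorted(protos),
            'ptr_targets': ptr_targets, 'forward_names': forward_names}


if __name__ == '__main__':
    s = summarize()
    print('resolvers:', s['resolvers'], 'forward lookups:', len(s['forward_names']))
    for ip in s['ptr_targets']:
        print('PTR', ip)
```

The inverted addresses are what to search for in proxy and firewall logs; a PTR query by itself only shows that something on the box asked who owned the address, not that traffic was sent to it.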

Files

C:\Users\Admin\AppData\Local\Temp\RarSFX0\setup2.exe

MD5 5b4a528aff5726712c3c4714492fc71a
SHA1 e60a68d8ffb33a81957199e7fa2720a5b74c6ae0
SHA256 bd0bd14950691bbbd1a8c791b6cecc0136b7f361d3d3617f97ab8aec4bfaee8e
SHA512 11cae2ad6dc83762c48d30703f0e404d7c708c2c19eb58d32ab557474271c816b08141ffd7588fc0b220728ed00d8e4c1a287becf9451bdcce3d201c098179b9

C:\Program Files (x86)\LuckyTender\1.3.0\LuckyTender.dll

MD5 fbbd36fc9f5de933753a1b855944e04a
SHA1 6aff38e2228f86233e103da286381da37feff0ce
SHA256 ff68a2096413a90a3505610353307a88355e1f34d9417acdd4f2d4855db33b62
SHA512 7bc90a7084cfeb60d6abe4c4d4ac641c9b65fd477c8d57c5b4fa0d84b9a797b6c4b207b5ac9fb503b42b12212dbefc9507eddf73ef984eb2d4a9cf6b064dbace

C:\Users\Admin\AppData\Local\Temp\RarSFX0\setup1.exe

MD5 6eb8b23d51279bb8585fc88731001d80
SHA1 b993ba10af96d7db79ec4fd4771511d880255604
SHA256 b58d68b9c4488c7a2137582ae26c7e743f8a8c1bbbef1f9f1cd9f8a03f03ccdd
SHA512 74683daefdc3095fe298dcfe0b7596fd91526f4281974f14bf39c04f0e19343e3792b34c114d4c8bcc418b7b5d9cdc201eebe06538347337abcb1231af60ef0a

memory/2740-27-0x0000000000400000-0x0000000000421000-memory.dmp