Analysis Overview
SHA256
3efc4518a663cc15ee2022ec284fbcf7ce41a562ce45c2380e6c1cf9822edaab
Threat Level: Shows suspicious behavior
The file 8f9cc18d3743f189e0702d941c4423da was found to show suspicious behavior.
Malicious Activity Summary
Checks computer location settings
Executes dropped EXE
Loads dropped DLL
Installs/modifies Browser Helper Object
Checks installed software on the system
Drops file in Program Files directory
Enumerates physical storage devices
Unsigned PE
NSIS installer
Modifies registry class
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-02-04 16:22
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-02-04 16:22
Reported
2024-02-04 16:25
Platform
win7-20231215-en
Max time kernel
121s
Max time network
124s
Command Line
Signatures
Executes dropped EXE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\RarSFX0\setup2.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\RarSFX0\setup1.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\8f9cc18d3743f189e0702d941c4423da.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\RarSFX0\setup2.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\RarSFX0\setup2.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\RarSFX0\setup2.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\RarSFX0\setup2.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\8f9cc18d3743f189e0702d941c4423da.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\RarSFX0\setup1.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\RarSFX0\setup1.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\RarSFX0\setup1.exe | N/A |
Checks installed software on the system
Installs/modifies Browser Helper Object
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{5E2402A0-5F99-4188-B30D-D8743996B340} | C:\Users\Admin\AppData\Local\Temp\RarSFX0\setup2.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{5E2402A0-5F99-4188-B30D-D8743996B340}\ = "LuckyTender" | C:\Users\Admin\AppData\Local\Temp\RarSFX0\setup2.exe | N/A |
Drops file in Program Files directory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File created | C:\Program Files (x86)\LuckyTender\1.3.0\LuckyTender.dll | C:\Users\Admin\AppData\Local\Temp\RarSFX0\setup2.exe | N/A |
| File created | C:\Program Files (x86)\LuckyTender\uninst.exe | C:\Users\Admin\AppData\Local\Temp\RarSFX0\setup2.exe | N/A |
Enumerates physical storage devices
NSIS installer
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\SliderShow.SliderShowCtrl.1\ = "SliderShowCtrl Class" | C:\Users\Admin\AppData\Local\Temp\RarSFX0\setup2.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5E2402A0-5F99-4188-B30D-D8743996B340}\ = "SliderShowCtrl Class" | C:\Users\Admin\AppData\Local\Temp\RarSFX0\setup2.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{13E3FF74-B861-4E69-B223-43D711686832}\ProxyStubClsid32 | C:\Users\Admin\AppData\Local\Temp\RarSFX0\setup2.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{3794345D-C731-4FBB-8471-73DDC8DFFDD2}\ = "ISliderWindow" | C:\Users\Admin\AppData\Local\Temp\RarSFX0\setup2.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{DE85A67A-3F04-4ABA-A10B-A37B220AFB70}\ProxyStubClsid32\ = "{3794345D-C731-4FBB-8471-73DDC8DFFDD2}" | C:\Users\Admin\AppData\Local\Temp\RarSFX0\setup2.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\SliderShow.SliderShowCtrl\CLSID\ = "{5E2402A0-5F99-4188-B30D-D8743996B340}" | C:\Users\Admin\AppData\Local\Temp\RarSFX0\setup2.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5E2402A0-5F99-4188-B30D-D8743996B340}\VersionIndependentProgID\ = "SliderShow.SliderShowCtrl" | C:\Users\Admin\AppData\Local\Temp\RarSFX0\setup2.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5E2402A0-5F99-4188-B30D-D8743996B340}\InprocServer32\ = "C:\\Program Files (x86)\\LuckyTender\\1.3.0\\LuckyTender.dll" | C:\Users\Admin\AppData\Local\Temp\RarSFX0\setup2.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{13E3FF74-B861-4E69-B223-43D711686832}\TypeLib | C:\Users\Admin\AppData\Local\Temp\RarSFX0\setup2.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{13E3FF74-B861-4E69-B223-43D711686832}\TypeLib\ = "{96EDCF67-4637-4288-9A0D-4282EBF26D62}" | C:\Users\Admin\AppData\Local\Temp\RarSFX0\setup2.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{13E3FF74-B861-4E69-B223-43D711686832}\TypeLib\Version = "1.0" | C:\Users\Admin\AppData\Local\Temp\RarSFX0\setup2.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\AppID\SliderShow.DLL\AppID = "{7656BFE4-2AAE-4E04-98B6-5912E99FBE38}" | C:\Users\Admin\AppData\Local\Temp\RarSFX0\setup2.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5E2402A0-5F99-4188-B30D-D8743996B340}\AppID = "{7656BFE4-2AAE-4E04-98B6-5912E99FBE38}" | C:\Users\Admin\AppData\Local\Temp\RarSFX0\setup2.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{96EDCF67-4637-4288-9A0D-4282EBF26D62}\1.0\ = "SliderShow 1.0 Type Library" | C:\Users\Admin\AppData\Local\Temp\RarSFX0\setup2.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{96EDCF67-4637-4288-9A0D-4282EBF26D62}\1.0\FLAGS | C:\Users\Admin\AppData\Local\Temp\RarSFX0\setup2.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{13E3FF74-B861-4E69-B223-43D711686832}\TypeLib | C:\Users\Admin\AppData\Local\Temp\RarSFX0\setup2.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{DE85A67A-3F04-4ABA-A10B-A37B220AFB70} | C:\Users\Admin\AppData\Local\Temp\RarSFX0\setup2.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5E2402A0-5F99-4188-B30D-D8743996B340}\InprocServer32\ThreadingModel = "Apartment" | C:\Users\Admin\AppData\Local\Temp\RarSFX0\setup2.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5E2402A0-5F99-4188-B30D-D8743996B340}\TypeLib\ = "{96EDCF67-4637-4288-9A0D-4282EBF26D62}" | C:\Users\Admin\AppData\Local\Temp\RarSFX0\setup2.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{13E3FF74-B861-4E69-B223-43D711686832}\ProxyStubClsid32 | C:\Users\Admin\AppData\Local\Temp\RarSFX0\setup2.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{DE85A67A-3F04-4ABA-A10B-A37B220AFB70}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" | C:\Users\Admin\AppData\Local\Temp\RarSFX0\setup2.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\SliderShow.SliderShowCtrl\CLSID | C:\Users\Admin\AppData\Local\Temp\RarSFX0\setup2.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{96EDCF67-4637-4288-9A0D-4282EBF26D62}\1.0\0 | C:\Users\Admin\AppData\Local\Temp\RarSFX0\setup2.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{13E3FF74-B861-4E69-B223-43D711686832}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" | C:\Users\Admin\AppData\Local\Temp\RarSFX0\setup2.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{DE85A67A-3F04-4ABA-A10B-A37B220AFB70}\TypeLib | C:\Users\Admin\AppData\Local\Temp\RarSFX0\setup2.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{3794345D-C731-4FBB-8471-73DDC8DFFDD2}\InProcServer32\ThreadingModel = "Both" | C:\Users\Admin\AppData\Local\Temp\RarSFX0\setup2.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5E2402A0-5F99-4188-B30D-D8743996B340}\VersionIndependentProgID | C:\Users\Admin\AppData\Local\Temp\RarSFX0\setup2.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{13E3FF74-B861-4E69-B223-43D711686832}\TypeLib\Version = "1.0" | C:\Users\Admin\AppData\Local\Temp\RarSFX0\setup2.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{13E3FF74-B861-4E69-B223-43D711686832}\ProxyStubClsid32\ = "{3794345D-C731-4FBB-8471-73DDC8DFFDD2}" | C:\Users\Admin\AppData\Local\Temp\RarSFX0\setup2.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{13E3FF74-B861-4E69-B223-43D711686832}\NumMethods | C:\Users\Admin\AppData\Local\Temp\RarSFX0\setup2.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{DE85A67A-3F04-4ABA-A10B-A37B220AFB70}\NumMethods | C:\Users\Admin\AppData\Local\Temp\RarSFX0\setup2.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5E2402A0-5F99-4188-B30D-D8743996B340}\ProgID\ = "SliderShow.SliderShowCtrl.1" | C:\Users\Admin\AppData\Local\Temp\RarSFX0\setup2.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{13E3FF74-B861-4E69-B223-43D711686832}\ = "ISliderShowCtrl" | C:\Users\Admin\AppData\Local\Temp\RarSFX0\setup2.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{13E3FF74-B861-4E69-B223-43D711686832}\TypeLib\ = "{96EDCF67-4637-4288-9A0D-4282EBF26D62}" | C:\Users\Admin\AppData\Local\Temp\RarSFX0\setup2.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{DE85A67A-3F04-4ABA-A10B-A37B220AFB70}\TypeLib | C:\Users\Admin\AppData\Local\Temp\RarSFX0\setup2.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{DE85A67A-3F04-4ABA-A10B-A37B220AFB70}\TypeLib\ = "{96EDCF67-4637-4288-9A0D-4282EBF26D62}" | C:\Users\Admin\AppData\Local\Temp\RarSFX0\setup2.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{DE85A67A-3F04-4ABA-A10B-A37B220AFB70}\TypeLib\Version = "1.0" | C:\Users\Admin\AppData\Local\Temp\RarSFX0\setup2.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\SliderShow.SliderShowCtrl\CurVer | C:\Users\Admin\AppData\Local\Temp\RarSFX0\setup2.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5E2402A0-5F99-4188-B30D-D8743996B340}\InprocServer32 | C:\Users\Admin\AppData\Local\Temp\RarSFX0\setup2.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{13E3FF74-B861-4E69-B223-43D711686832} | C:\Users\Admin\AppData\Local\Temp\RarSFX0\setup2.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{7656BFE4-2AAE-4E04-98B6-5912E99FBE38} | C:\Users\Admin\AppData\Local\Temp\RarSFX0\setup2.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\SliderShow.SliderShowCtrl\ = "SliderShowCtrl Class" | C:\Users\Admin\AppData\Local\Temp\RarSFX0\setup2.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{13E3FF74-B861-4E69-B223-43D711686832} | C:\Users\Admin\AppData\Local\Temp\RarSFX0\setup2.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{DE85A67A-3F04-4ABA-A10B-A37B220AFB70}\ = "ISliderWindowAx" | C:\Users\Admin\AppData\Local\Temp\RarSFX0\setup2.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{3794345D-C731-4FBB-8471-73DDC8DFFDD2}\NumMethods | C:\Users\Admin\AppData\Local\Temp\RarSFX0\setup2.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\AppID\SliderShow.DLL | C:\Users\Admin\AppData\Local\Temp\RarSFX0\setup2.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\SliderShow.SliderShowCtrl.1 | C:\Users\Admin\AppData\Local\Temp\RarSFX0\setup2.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{96EDCF67-4637-4288-9A0D-4282EBF26D62}\1.0\HELPDIR\ = "C:\\Program Files (x86)\\LuckyTender\\1.3.0\\" | C:\Users\Admin\AppData\Local\Temp\RarSFX0\setup2.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{DE85A67A-3F04-4ABA-A10B-A37B220AFB70} | C:\Users\Admin\AppData\Local\Temp\RarSFX0\setup2.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID | C:\Users\Admin\AppData\Local\Temp\RarSFX0\setup2.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{3794345D-C731-4FBB-8471-73DDC8DFFDD2} | C:\Users\Admin\AppData\Local\Temp\RarSFX0\setup2.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{DE85A67A-3F04-4ABA-A10B-A37B220AFB70}\ = "ISliderWindowAx" | C:\Users\Admin\AppData\Local\Temp\RarSFX0\setup2.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{3794345D-C731-4FBB-8471-73DDC8DFFDD2}\InProcServer32\ = "C:\\Program Files (x86)\\LuckyTender\\1.3.0\\LuckyTender.dll" | C:\Users\Admin\AppData\Local\Temp\RarSFX0\setup2.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\SliderShow.SliderShowCtrl | C:\Users\Admin\AppData\Local\Temp\RarSFX0\setup2.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5E2402A0-5F99-4188-B30D-D8743996B340}\Programmable | C:\Users\Admin\AppData\Local\Temp\RarSFX0\setup2.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{96EDCF67-4637-4288-9A0D-4282EBF26D62}\1.0\FLAGS\ = "0" | C:\Users\Admin\AppData\Local\Temp\RarSFX0\setup2.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{96EDCF67-4637-4288-9A0D-4282EBF26D62}\1.0\HELPDIR | C:\Users\Admin\AppData\Local\Temp\RarSFX0\setup2.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{DE85A67A-3F04-4ABA-A10B-A37B220AFB70}\ProxyStubClsid32 | C:\Users\Admin\AppData\Local\Temp\RarSFX0\setup2.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{DE85A67A-3F04-4ABA-A10B-A37B220AFB70}\TypeLib\Version = "1.0" | C:\Users\Admin\AppData\Local\Temp\RarSFX0\setup2.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{13E3FF74-B861-4E69-B223-43D711686832}\NumMethods\ = "7" | C:\Users\Admin\AppData\Local\Temp\RarSFX0\setup2.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{DE85A67A-3F04-4ABA-A10B-A37B220AFB70}\TypeLib\ = "{96EDCF67-4637-4288-9A0D-4282EBF26D62}" | C:\Users\Admin\AppData\Local\Temp\RarSFX0\setup2.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{7656BFE4-2AAE-4E04-98B6-5912E99FBE38}\ = "SliderShow" | C:\Users\Admin\AppData\Local\Temp\RarSFX0\setup2.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\SliderShow.SliderShowCtrl.1\CLSID | C:\Users\Admin\AppData\Local\Temp\RarSFX0\setup2.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\SliderShow.SliderShowCtrl.1\CLSID\ = "{5E2402A0-5F99-4188-B30D-D8743996B340}" | C:\Users\Admin\AppData\Local\Temp\RarSFX0\setup2.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\8f9cc18d3743f189e0702d941c4423da.exe
"C:\Users\Admin\AppData\Local\Temp\8f9cc18d3743f189e0702d941c4423da.exe"
C:\Users\Admin\AppData\Local\Temp\RarSFX0\setup2.exe
"C:\Users\Admin\AppData\Local\Temp\RarSFX0\setup2.exe"
C:\Users\Admin\AppData\Local\Temp\RarSFX0\setup1.exe
"C:\Users\Admin\AppData\Local\Temp\RarSFX0\setup1.exe"
Network
Files
\Users\Admin\AppData\Local\Temp\RarSFX0\setup2.exe
| MD5 | 5b4a528aff5726712c3c4714492fc71a |
| SHA1 | e60a68d8ffb33a81957199e7fa2720a5b74c6ae0 |
| SHA256 | bd0bd14950691bbbd1a8c791b6cecc0136b7f361d3d3617f97ab8aec4bfaee8e |
| SHA512 | 11cae2ad6dc83762c48d30703f0e404d7c708c2c19eb58d32ab557474271c816b08141ffd7588fc0b220728ed00d8e4c1a287becf9451bdcce3d201c098179b9 |
\Program Files (x86)\LuckyTender\1.3.0\LuckyTender.dll
| MD5 | fbbd36fc9f5de933753a1b855944e04a |
| SHA1 | 6aff38e2228f86233e103da286381da37feff0ce |
| SHA256 | ff68a2096413a90a3505610353307a88355e1f34d9417acdd4f2d4855db33b62 |
| SHA512 | 7bc90a7084cfeb60d6abe4c4d4ac641c9b65fd477c8d57c5b4fa0d84b9a797b6c4b207b5ac9fb503b42b12212dbefc9507eddf73ef984eb2d4a9cf6b064dbace |
\Users\Admin\AppData\Local\Temp\RarSFX0\setup1.exe
| MD5 | f74f15bab08ae5eb5d43b3d774f5cf30 |
| SHA1 | 5e94d983fffed36d41e137254cff59fad6a890c4 |
| SHA256 | 3a5c29bca1bbe551154ce16a8a0a6977a2b899b89c3c46b937d748c65f1897bc |
| SHA512 | 37b779caba37d20493a1835529bb0115377f1f5519af3039ec621b4e458e51f5c51d199145cc64b500c8999828df2456746ab7f5fb85f852bd3f35aeb3eecfae |
C:\Users\Admin\AppData\Local\Temp\RarSFX0\setup1.exe
| MD5 | 1ebe7a67a48c6dcdb4c587295439fd44 |
| SHA1 | 59279c22f71c8324d0ccc2058f2cd7b3c8c41ae3 |
| SHA256 | 23b85b0c7d5aacfcfaff4fa4e3af5e0e09cc24d1d498d104e04ffaabc5b1ebfd |
| SHA512 | 8311f87325e8987bd451888c99aee11955fcbbc2dcc9b834c72c7cef1ccd0244b2bc6d5b107b1faa722d643f2b4f6c7ee85cf4b71477002eef0849aa48a27633 |
C:\Users\Admin\AppData\Local\Temp\RarSFX0\setup1.exe
| MD5 | d0226a30350152be71631317e3b77ed9 |
| SHA1 | 57babff43b382f1ccd171915f705978fee4b34c7 |
| SHA256 | e3bd63c7c59777a1064cc6d81a8c7889dff4a7caa19987941f3a9dacb9f246d1 |
| SHA512 | f617f654331046246fc96bcac9735916fae612a023451bc13fd2e93f06187c9f99bb1d1aeee4458163347d85e72f3eb60bc9f662806096ac5e07b598242b330e |
C:\Users\Admin\AppData\Local\Temp\RarSFX0\setup1.exe
| MD5 | 1dd0748cc53b910a4ecd08bddee9d4b7 |
| SHA1 | 812eb569b8c4fd637c04bf95bd7b485e191cfd5b |
| SHA256 | 13b9514fe51cea84dd3681eb1e4d669026d322f2dfe163477d481b9f8fcb6897 |
| SHA512 | b6a412246d2e5853334314614c708a7cf7cd1c784a221ba4cfa81da276904dcd88137cf99f4b7b212396d37e1da7184ee222ed69a56c1525760f24682bff30a9 |
\Users\Admin\AppData\Local\Temp\RarSFX0\setup1.exe
| MD5 | 8b95c6ab844b7b1fa40a19270c74089a |
| SHA1 | 08887fac24776b322a828ee307db8ecc3c07f692 |
| SHA256 | 75782517fe8cd1e87a440c60848690be68e7e9ac71bdd3da2993857f664e791c |
| SHA512 | a5d5d3f5e0a6f5cf58c0a52fcdd8efb245dea4763d34be7ee3acda202f2fde796c7879e118c957a2eeda8fb936dda30816535633825cc672edf726ceabee7022 |
\Users\Admin\AppData\Local\Temp\RarSFX0\setup1.exe
| MD5 | 4c5c9bc08662b6e3bc2d8e2f3dc38ea7 |
| SHA1 | 040daf2000cdf49f159f5232f5751a79208ede02 |
| SHA256 | c1b51655c8783902f73a75b809dd2e5e64437f1163dc497a8b26cdaff81ab80f |
| SHA512 | 3693577c7b0659b4df4f3aa6fb759ed741c286023e60eda637189a6182e4940544f8400fa6d87d7155e8c29371b8a2730ae9067e25b1ac01576eb59fac9e3f7f |
\Users\Admin\AppData\Local\Temp\RarSFX0\setup1.exe
| MD5 | 33010933d4b582cbc2b3b1f4ad864156 |
| SHA1 | 14c167feeef914a639dcd68751842141feaef5fd |
| SHA256 | 8c971da2ccb79bbd52b213644421a2f7f720d1aa3c95e557ed595ef34b179bf3 |
| SHA512 | 1b046a39ed2dd24fdb0f1a9ff668cba5ffed3b741782857265172d97457f9a553c4208129bdb3cca2fb2a4506e11bb5a7e8bdf883d542434231351856404c9bf |
memory/1856-27-0x0000000000400000-0x0000000000421000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-02-04 16:22
Reported
2024-02-04 16:25
Platform
win10v2004-20231215-en
Max time kernel
143s
Max time network
151s
Command Line
Signatures
Checks computer location settings
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key value queried | \REGISTRY\USER\S-1-5-21-1815711207-1844170477-3539718864-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\8f9cc18d3743f189e0702d941c4423da.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\RarSFX0\setup2.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\RarSFX0\setup1.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\RarSFX0\setup2.exe | N/A |
Checks installed software on the system
Installs/modifies Browser Helper Object
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{5E2402A0-5F99-4188-B30D-D8743996B340}\ = "LuckyTender" | C:\Users\Admin\AppData\Local\Temp\RarSFX0\setup2.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{5E2402A0-5F99-4188-B30D-D8743996B340} | C:\Users\Admin\AppData\Local\Temp\RarSFX0\setup2.exe | N/A |
Drops file in Program Files directory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File created | C:\Program Files (x86)\LuckyTender\1.3.0\LuckyTender.dll | C:\Users\Admin\AppData\Local\Temp\RarSFX0\setup2.exe | N/A |
| File created | C:\Program Files (x86)\LuckyTender\uninst.exe | C:\Users\Admin\AppData\Local\Temp\RarSFX0\setup2.exe | N/A |
Enumerates physical storage devices
NSIS installer
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{13E3FF74-B861-4E69-B223-43D711686832} | C:\Users\Admin\AppData\Local\Temp\RarSFX0\setup2.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{13E3FF74-B861-4E69-B223-43D711686832} | C:\Users\Admin\AppData\Local\Temp\RarSFX0\setup2.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{DE85A67A-3F04-4ABA-A10B-A37B220AFB70}\ProxyStubClsid32 | C:\Users\Admin\AppData\Local\Temp\RarSFX0\setup2.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{DE85A67A-3F04-4ABA-A10B-A37B220AFB70}\ProxyStubClsid32 | C:\Users\Admin\AppData\Local\Temp\RarSFX0\setup2.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{13E3FF74-B861-4E69-B223-43D711686832}\NumMethods\ = "7" | C:\Users\Admin\AppData\Local\Temp\RarSFX0\setup2.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{96EDCF67-4637-4288-9A0D-4282EBF26D62}\1.0\0 | C:\Users\Admin\AppData\Local\Temp\RarSFX0\setup2.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{DE85A67A-3F04-4ABA-A10B-A37B220AFB70} | C:\Users\Admin\AppData\Local\Temp\RarSFX0\setup2.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{3794345D-C731-4FBB-8471-73DDC8DFFDD2}\InProcServer32\ = "C:\\Program Files (x86)\\LuckyTender\\1.3.0\\LuckyTender.dll" | C:\Users\Admin\AppData\Local\Temp\RarSFX0\setup2.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{13E3FF74-B861-4E69-B223-43D711686832}\ProxyStubClsid32 | C:\Users\Admin\AppData\Local\Temp\RarSFX0\setup2.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{DE85A67A-3F04-4ABA-A10B-A37B220AFB70}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" | C:\Users\Admin\AppData\Local\Temp\RarSFX0\setup2.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{3794345D-C731-4FBB-8471-73DDC8DFFDD2} | C:\Users\Admin\AppData\Local\Temp\RarSFX0\setup2.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{3794345D-C731-4FBB-8471-73DDC8DFFDD2}\NumMethods | C:\Users\Admin\AppData\Local\Temp\RarSFX0\setup2.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{DE85A67A-3F04-4ABA-A10B-A37B220AFB70}\NumMethods\ = "11" | C:\Users\Admin\AppData\Local\Temp\RarSFX0\setup2.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{13E3FF74-B861-4E69-B223-43D711686832}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" | C:\Users\Admin\AppData\Local\Temp\RarSFX0\setup2.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{96EDCF67-4637-4288-9A0D-4282EBF26D62}\1.0\HELPDIR | C:\Users\Admin\AppData\Local\Temp\RarSFX0\setup2.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{13E3FF74-B861-4E69-B223-43D711686832}\ = "ISliderShowCtrl" | C:\Users\Admin\AppData\Local\Temp\RarSFX0\setup2.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{DE85A67A-3F04-4ABA-A10B-A37B220AFB70}\ = "ISliderWindowAx" | C:\Users\Admin\AppData\Local\Temp\RarSFX0\setup2.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{3794345D-C731-4FBB-8471-73DDC8DFFDD2}\InProcServer32 | C:\Users\Admin\AppData\Local\Temp\RarSFX0\setup2.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\SliderShow.SliderShowCtrl\CurVer\ = "SliderShow.SliderShowCtrl.1" | C:\Users\Admin\AppData\Local\Temp\RarSFX0\setup2.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{13E3FF74-B861-4E69-B223-43D711686832}\TypeLib\ = "{96EDCF67-4637-4288-9A0D-4282EBF26D62}" | C:\Users\Admin\AppData\Local\Temp\RarSFX0\setup2.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{DE85A67A-3F04-4ABA-A10B-A37B220AFB70}\ProxyStubClsid32\ = "{3794345D-C731-4FBB-8471-73DDC8DFFDD2}" | C:\Users\Admin\AppData\Local\Temp\RarSFX0\setup2.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{96EDCF67-4637-4288-9A0D-4282EBF26D62}\1.0 | C:\Users\Admin\AppData\Local\Temp\RarSFX0\setup2.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5E2402A0-5F99-4188-B30D-D8743996B340}\VersionIndependentProgID | C:\Users\Admin\AppData\Local\Temp\RarSFX0\setup2.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5E2402A0-5F99-4188-B30D-D8743996B340}\TypeLib\ = "{96EDCF67-4637-4288-9A0D-4282EBF26D62}" | C:\Users\Admin\AppData\Local\Temp\RarSFX0\setup2.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{13E3FF74-B861-4E69-B223-43D711686832}\ = "ISliderShowCtrl" | C:\Users\Admin\AppData\Local\Temp\RarSFX0\setup2.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{13E3FF74-B861-4E69-B223-43D711686832}\TypeLib\Version = "1.0" | C:\Users\Admin\AppData\Local\Temp\RarSFX0\setup2.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{13E3FF74-B861-4E69-B223-43D711686832}\TypeLib\ = "{96EDCF67-4637-4288-9A0D-4282EBF26D62}" | C:\Users\Admin\AppData\Local\Temp\RarSFX0\setup2.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{13E3FF74-B861-4E69-B223-43D711686832}\TypeLib\Version = "1.0" | C:\Users\Admin\AppData\Local\Temp\RarSFX0\setup2.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{DE85A67A-3F04-4ABA-A10B-A37B220AFB70}\TypeLib\ = "{96EDCF67-4637-4288-9A0D-4282EBF26D62}" | C:\Users\Admin\AppData\Local\Temp\RarSFX0\setup2.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5E2402A0-5F99-4188-B30D-D8743996B340}\ = "SliderShowCtrl Class" | C:\Users\Admin\AppData\Local\Temp\RarSFX0\setup2.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{DE85A67A-3F04-4ABA-A10B-A37B220AFB70}\NumMethods | C:\Users\Admin\AppData\Local\Temp\RarSFX0\setup2.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{96EDCF67-4637-4288-9A0D-4282EBF26D62}\1.0\HELPDIR\ = "C:\\Program Files (x86)\\LuckyTender\\1.3.0\\" | C:\Users\Admin\AppData\Local\Temp\RarSFX0\setup2.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1815711207-1844170477-3539718864-1000_Classes\WOW6432Node\Interface | C:\Users\Admin\AppData\Local\Temp\RarSFX0\setup2.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{96EDCF67-4637-4288-9A0D-4282EBF26D62}\1.0\ = "SliderShow 1.0 Type Library" | C:\Users\Admin\AppData\Local\Temp\RarSFX0\setup2.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\SliderShow.SliderShowCtrl.1\CLSID | C:\Users\Admin\AppData\Local\Temp\RarSFX0\setup2.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\SliderShow.SliderShowCtrl\ = "SliderShowCtrl Class" | C:\Users\Admin\AppData\Local\Temp\RarSFX0\setup2.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\SliderShow.SliderShowCtrl\CLSID\ = "{5E2402A0-5F99-4188-B30D-D8743996B340}" | C:\Users\Admin\AppData\Local\Temp\RarSFX0\setup2.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\SliderShow.SliderShowCtrl\CurVer | C:\Users\Admin\AppData\Local\Temp\RarSFX0\setup2.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{3794345D-C731-4FBB-8471-73DDC8DFFDD2}\ProxyStubClsid32\ = "{3794345D-C731-4FBB-8471-73DDC8DFFDD2}" | C:\Users\Admin\AppData\Local\Temp\RarSFX0\setup2.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{7656BFE4-2AAE-4E04-98B6-5912E99FBE38} | C:\Users\Admin\AppData\Local\Temp\RarSFX0\setup2.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\SliderShow.SliderShowCtrl.1\CLSID\ = "{5E2402A0-5F99-4188-B30D-D8743996B340}" | C:\Users\Admin\AppData\Local\Temp\RarSFX0\setup2.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5E2402A0-5F99-4188-B30D-D8743996B340}\TypeLib | C:\Users\Admin\AppData\Local\Temp\RarSFX0\setup2.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{DE85A67A-3F04-4ABA-A10B-A37B220AFB70}\ = "ISliderWindowAx" | C:\Users\Admin\AppData\Local\Temp\RarSFX0\setup2.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\SliderShow.SliderShowCtrl.1 | C:\Users\Admin\AppData\Local\Temp\RarSFX0\setup2.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\SliderShow.SliderShowCtrl.1\ = "SliderShowCtrl Class" | C:\Users\Admin\AppData\Local\Temp\RarSFX0\setup2.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{96EDCF67-4637-4288-9A0D-4282EBF26D62}\1.0\FLAGS | C:\Users\Admin\AppData\Local\Temp\RarSFX0\setup2.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{96EDCF67-4637-4288-9A0D-4282EBF26D62}\1.0\FLAGS\ = "0" | C:\Users\Admin\AppData\Local\Temp\RarSFX0\setup2.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{13E3FF74-B861-4E69-B223-43D711686832}\TypeLib | C:\Users\Admin\AppData\Local\Temp\RarSFX0\setup2.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{13E3FF74-B861-4E69-B223-43D711686832}\ProxyStubClsid32 | C:\Users\Admin\AppData\Local\Temp\RarSFX0\setup2.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{3794345D-C731-4FBB-8471-73DDC8DFFDD2}\ = "ISliderWindow" | C:\Users\Admin\AppData\Local\Temp\RarSFX0\setup2.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{7656BFE4-2AAE-4E04-98B6-5912E99FBE38}\ = "SliderShow" | C:\Users\Admin\AppData\Local\Temp\RarSFX0\setup2.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5E2402A0-5F99-4188-B30D-D8743996B340}\ProgID\ = "SliderShow.SliderShowCtrl.1" | C:\Users\Admin\AppData\Local\Temp\RarSFX0\setup2.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{96EDCF67-4637-4288-9A0D-4282EBF26D62}\1.0\0\win32 | C:\Users\Admin\AppData\Local\Temp\RarSFX0\setup2.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{DE85A67A-3F04-4ABA-A10B-A37B220AFB70} | C:\Users\Admin\AppData\Local\Temp\RarSFX0\setup2.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{DE85A67A-3F04-4ABA-A10B-A37B220AFB70}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" | C:\Users\Admin\AppData\Local\Temp\RarSFX0\setup2.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{3794345D-C731-4FBB-8471-73DDC8DFFDD2}\ = "PSFactoryBuffer" | C:\Users\Admin\AppData\Local\Temp\RarSFX0\setup2.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{3794345D-C731-4FBB-8471-73DDC8DFFDD2}\ProxyStubClsid32 | C:\Users\Admin\AppData\Local\Temp\RarSFX0\setup2.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\AppID\SliderShow.DLL | C:\Users\Admin\AppData\Local\Temp\RarSFX0\setup2.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5E2402A0-5F99-4188-B30D-D8743996B340}\VersionIndependentProgID\ = "SliderShow.SliderShowCtrl" | C:\Users\Admin\AppData\Local\Temp\RarSFX0\setup2.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{DE85A67A-3F04-4ABA-A10B-A37B220AFB70}\TypeLib\ = "{96EDCF67-4637-4288-9A0D-4282EBF26D62}" | C:\Users\Admin\AppData\Local\Temp\RarSFX0\setup2.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5E2402A0-5F99-4188-B30D-D8743996B340} | C:\Users\Admin\AppData\Local\Temp\RarSFX0\setup2.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5E2402A0-5F99-4188-B30D-D8743996B340}\Programmable | C:\Users\Admin\AppData\Local\Temp\RarSFX0\setup2.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{96EDCF67-4637-4288-9A0D-4282EBF26D62}\1.0\0\win32\ = "C:\\Program Files (x86)\\LuckyTender\\1.3.0\\LuckyTender.dll" | C:\Users\Admin\AppData\Local\Temp\RarSFX0\setup2.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{13E3FF74-B861-4E69-B223-43D711686832}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" | C:\Users\Admin\AppData\Local\Temp\RarSFX0\setup2.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\8f9cc18d3743f189e0702d941c4423da.exe
"C:\Users\Admin\AppData\Local\Temp\8f9cc18d3743f189e0702d941c4423da.exe"
C:\Users\Admin\AppData\Local\Temp\RarSFX0\setup2.exe
"C:\Users\Admin\AppData\Local\Temp\RarSFX0\setup2.exe"
C:\Users\Admin\AppData\Local\Temp\RarSFX0\setup1.exe
"C:\Users\Admin\AppData\Local\Temp\RarSFX0\setup1.exe"
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 8.8.8.8:53 | 28.118.140.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 133.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 241.150.49.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 50.23.12.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 217.135.221.88.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 79.121.231.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 193.178.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 21.236.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 186.178.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 67.112.168.52.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Local\Temp\RarSFX0\setup2.exe
| MD5 | 5b4a528aff5726712c3c4714492fc71a |
| SHA1 | e60a68d8ffb33a81957199e7fa2720a5b74c6ae0 |
| SHA256 | bd0bd14950691bbbd1a8c791b6cecc0136b7f361d3d3617f97ab8aec4bfaee8e |
| SHA512 | 11cae2ad6dc83762c48d30703f0e404d7c708c2c19eb58d32ab557474271c816b08141ffd7588fc0b220728ed00d8e4c1a287becf9451bdcce3d201c098179b9 |
C:\Program Files (x86)\LuckyTender\1.3.0\LuckyTender.dll
| MD5 | fbbd36fc9f5de933753a1b855944e04a |
| SHA1 | 6aff38e2228f86233e103da286381da37feff0ce |
| SHA256 | ff68a2096413a90a3505610353307a88355e1f34d9417acdd4f2d4855db33b62 |
| SHA512 | 7bc90a7084cfeb60d6abe4c4d4ac641c9b65fd477c8d57c5b4fa0d84b9a797b6c4b207b5ac9fb503b42b12212dbefc9507eddf73ef984eb2d4a9cf6b064dbace |
C:\Users\Admin\AppData\Local\Temp\RarSFX0\setup1.exe
| MD5 | 6eb8b23d51279bb8585fc88731001d80 |
| SHA1 | b993ba10af96d7db79ec4fd4771511d880255604 |
| SHA256 | b58d68b9c4488c7a2137582ae26c7e743f8a8c1bbbef1f9f1cd9f8a03f03ccdd |
| SHA512 | 74683daefdc3095fe298dcfe0b7596fd91526f4281974f14bf39c04f0e19343e3792b34c114d4c8bcc418b7b5d9cdc201eebe06538347337abcb1231af60ef0a |
memory/2740-27-0x0000000000400000-0x0000000000421000-memory.dmp