0dd232a695488d5f9b54d3f96049a13ee8566c4af75a96ab20a9fe9f679fb160

Analysis

max time kernel
91s
max time network
156s
platform
windows10-2004_x64
resource
win10v2004-20220414-en
submitted
29-05-2022 16:10

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0dd232a695488d5f9b54d3f96049a13ee8566c4af75a96ab20a9fe9f679fb160.exe
Size

533KB
MD5

258b93d2011a413acdeeb13879890da7
SHA1

bcf7e2a0d1c64b6c1b5667531844bb10ae7779b7
SHA256

0dd232a695488d5f9b54d3f96049a13ee8566c4af75a96ab20a9fe9f679fb160
SHA512

cba899bc469d175b55f56186b9d1f570aecc714dc720cacde8fe3084e625170169b182b98a8f06be640c7c3a6c37a8f6521f582c397e1a1372c891d697cda3dc

Score

9^/10

adware discovery persistence stealer upx

Malware Config

Signatures

ACProtect 1.3x - 1.4x DLL software 14 IoCs

Detects file using ACProtect software.

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\nspACE1.tmp\version.dll	acprotect
C:\Users\Admin\AppData\Local\Temp\nspACE1.tmp\version.dll	acprotect
C:\Users\Admin\AppData\Local\Temp\nspACE1.tmp\version.dll	acprotect
C:\Users\Admin\AppData\Local\Temp\nspACE1.tmp\version.dll	acprotect
C:\Users\Admin\AppData\Local\Temp\nspACE1.tmp\version.dll	acprotect
C:\Users\Admin\AppData\Local\Temp\nspACE1.tmp\version.dll	acprotect
C:\Users\Admin\AppData\Local\Temp\nspACE1.tmp\version.dll	acprotect
C:\Users\Admin\AppData\Local\Temp\nspACE1.tmp\version.dll	acprotect
C:\Users\Admin\AppData\Local\Temp\nspACE1.tmp\nsRandom.dll	acprotect
C:\Users\Admin\AppData\Local\Temp\nspACE1.tmp\nsRandom.dll	acprotect
C:\Users\Admin\AppData\Local\Temp\nspACE1.tmp\version.dll	acprotect
C:\Users\Admin\AppData\Local\Temp\nspACE1.tmp\version.dll	acprotect
C:\Users\Admin\AppData\Local\Temp\nspACE1.tmp\version.dll	acprotect
C:\Users\Admin\AppData\Local\Temp\nspACE1.tmp\version.dll	acprotect

Executes dropped EXE 4 IoCs

Processes:

skywidget.exeskywidgeter.exeskywidgeted.exeskywidgets.exe

pid process

2028 skywidget.exe
2668 skywidgeter.exe
2744 skywidgeted.exe
4420 skywidgets.exe

UPX packed file 14 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\nspACE1.tmp\version.dll	upx
C:\Users\Admin\AppData\Local\Temp\nspACE1.tmp\version.dll	upx
C:\Users\Admin\AppData\Local\Temp\nspACE1.tmp\version.dll	upx
C:\Users\Admin\AppData\Local\Temp\nspACE1.tmp\version.dll	upx
C:\Users\Admin\AppData\Local\Temp\nspACE1.tmp\version.dll	upx
C:\Users\Admin\AppData\Local\Temp\nspACE1.tmp\version.dll	upx
C:\Users\Admin\AppData\Local\Temp\nspACE1.tmp\version.dll	upx
C:\Users\Admin\AppData\Local\Temp\nspACE1.tmp\version.dll	upx
C:\Users\Admin\AppData\Local\Temp\nspACE1.tmp\nsRandom.dll	upx
C:\Users\Admin\AppData\Local\Temp\nspACE1.tmp\nsRandom.dll	upx
C:\Users\Admin\AppData\Local\Temp\nspACE1.tmp\version.dll	upx
C:\Users\Admin\AppData\Local\Temp\nspACE1.tmp\version.dll	upx
C:\Users\Admin\AppData\Local\Temp\nspACE1.tmp\version.dll	upx
C:\Users\Admin\AppData\Local\Temp\nspACE1.tmp\version.dll	upx

Loads dropped DLL 33 IoCs

Processes:

0dd232a695488d5f9b54d3f96049a13ee8566c4af75a96ab20a9fe9f679fb160.exe

pid	process
3164	0dd232a695488d5f9b54d3f96049a13ee8566c4af75a96ab20a9fe9f679fb160.exe
3164	0dd232a695488d5f9b54d3f96049a13ee8566c4af75a96ab20a9fe9f679fb160.exe
3164	0dd232a695488d5f9b54d3f96049a13ee8566c4af75a96ab20a9fe9f679fb160.exe
3164	0dd232a695488d5f9b54d3f96049a13ee8566c4af75a96ab20a9fe9f679fb160.exe
3164	0dd232a695488d5f9b54d3f96049a13ee8566c4af75a96ab20a9fe9f679fb160.exe
3164	0dd232a695488d5f9b54d3f96049a13ee8566c4af75a96ab20a9fe9f679fb160.exe
3164	0dd232a695488d5f9b54d3f96049a13ee8566c4af75a96ab20a9fe9f679fb160.exe
3164	0dd232a695488d5f9b54d3f96049a13ee8566c4af75a96ab20a9fe9f679fb160.exe
3164	0dd232a695488d5f9b54d3f96049a13ee8566c4af75a96ab20a9fe9f679fb160.exe
3164	0dd232a695488d5f9b54d3f96049a13ee8566c4af75a96ab20a9fe9f679fb160.exe
3164	0dd232a695488d5f9b54d3f96049a13ee8566c4af75a96ab20a9fe9f679fb160.exe
3164	0dd232a695488d5f9b54d3f96049a13ee8566c4af75a96ab20a9fe9f679fb160.exe
3164	0dd232a695488d5f9b54d3f96049a13ee8566c4af75a96ab20a9fe9f679fb160.exe
3164	0dd232a695488d5f9b54d3f96049a13ee8566c4af75a96ab20a9fe9f679fb160.exe
3164	0dd232a695488d5f9b54d3f96049a13ee8566c4af75a96ab20a9fe9f679fb160.exe
3164	0dd232a695488d5f9b54d3f96049a13ee8566c4af75a96ab20a9fe9f679fb160.exe
3164	0dd232a695488d5f9b54d3f96049a13ee8566c4af75a96ab20a9fe9f679fb160.exe
3164	0dd232a695488d5f9b54d3f96049a13ee8566c4af75a96ab20a9fe9f679fb160.exe
3164	0dd232a695488d5f9b54d3f96049a13ee8566c4af75a96ab20a9fe9f679fb160.exe
3164	0dd232a695488d5f9b54d3f96049a13ee8566c4af75a96ab20a9fe9f679fb160.exe
3164	0dd232a695488d5f9b54d3f96049a13ee8566c4af75a96ab20a9fe9f679fb160.exe
3164	0dd232a695488d5f9b54d3f96049a13ee8566c4af75a96ab20a9fe9f679fb160.exe
3164	0dd232a695488d5f9b54d3f96049a13ee8566c4af75a96ab20a9fe9f679fb160.exe
3164	0dd232a695488d5f9b54d3f96049a13ee8566c4af75a96ab20a9fe9f679fb160.exe
3164	0dd232a695488d5f9b54d3f96049a13ee8566c4af75a96ab20a9fe9f679fb160.exe
3164	0dd232a695488d5f9b54d3f96049a13ee8566c4af75a96ab20a9fe9f679fb160.exe
3164	0dd232a695488d5f9b54d3f96049a13ee8566c4af75a96ab20a9fe9f679fb160.exe
3164	0dd232a695488d5f9b54d3f96049a13ee8566c4af75a96ab20a9fe9f679fb160.exe
3164	0dd232a695488d5f9b54d3f96049a13ee8566c4af75a96ab20a9fe9f679fb160.exe
3164	0dd232a695488d5f9b54d3f96049a13ee8566c4af75a96ab20a9fe9f679fb160.exe
3164	0dd232a695488d5f9b54d3f96049a13ee8566c4af75a96ab20a9fe9f679fb160.exe
3164	0dd232a695488d5f9b54d3f96049a13ee8566c4af75a96ab20a9fe9f679fb160.exe
3164	0dd232a695488d5f9b54d3f96049a13ee8566c4af75a96ab20a9fe9f679fb160.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

0dd232a695488d5f9b54d3f96049a13ee8566c4af75a96ab20a9fe9f679fb160.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Software\Microsoft\Windows\CurrentVersion\Run	0dd232a695488d5f9b54d3f96049a13ee8566c4af75a96ab20a9fe9f679fb160.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\skywidgetRun = "\"C:\\Program Files (x86)\\Skywidget\\skywidget.exe\" subcmd"	0dd232a695488d5f9b54d3f96049a13ee8566c4af75a96ab20a9fe9f679fb160.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SkywidgetUpDates = "C:\\Program Files (x86)\\Skywidget\\skywidgeted.exe"	0dd232a695488d5f9b54d3f96049a13ee8566c4af75a96ab20a9fe9f679fb160.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Skywidget = "\"C:\\Program Files (x86)\\Skywidget\\skywidgets.exe\" Runcmd"	0dd232a695488d5f9b54d3f96049a13ee8566c4af75a96ab20a9fe9f679fb160.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Installs/modifies Browser Helper Object 2 TTPs
BHOs are DLL modules which act as plugins for Internet Explorer.
stealer adware

Modify Registry
T1112

Browser Extensions
T1176

Drops file in Program Files directory 6 IoCs

Processes:

0dd232a695488d5f9b54d3f96049a13ee8566c4af75a96ab20a9fe9f679fb160.exe

description	ioc	process
File created	C:\Program Files (x86)\Skywidget\skywidgeter.exe	0dd232a695488d5f9b54d3f96049a13ee8566c4af75a96ab20a9fe9f679fb160.exe
File created	C:\Program Files (x86)\Skywidget\skywidget.dll	0dd232a695488d5f9b54d3f96049a13ee8566c4af75a96ab20a9fe9f679fb160.exe
File created	C:\Program Files (x86)\Skywidget\skywidgeted.exe	0dd232a695488d5f9b54d3f96049a13ee8566c4af75a96ab20a9fe9f679fb160.exe
File created	C:\Program Files (x86)\Skywidget\skywidgets.exe	0dd232a695488d5f9b54d3f96049a13ee8566c4af75a96ab20a9fe9f679fb160.exe
File created	C:\Program Files (x86)\Skywidget\skywidget.exe	0dd232a695488d5f9b54d3f96049a13ee8566c4af75a96ab20a9fe9f679fb160.exe
File created	C:\Program Files (x86)\Skywidget\uninstall.exe	0dd232a695488d5f9b54d3f96049a13ee8566c4af75a96ab20a9fe9f679fb160.exe

Launches sc.exe
Sc.exe is a Windows utlilty to control services on the system.
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 3 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exeschtasks.exeschtasks.exe

pid process

572 schtasks.exe
3728 schtasks.exe
3708 schtasks.exe

pid	process
572	schtasks.exe
3728	schtasks.exe
3708	schtasks.exe

Modifies registry class 51 IoCs

Processes:

0dd232a695488d5f9b54d3f96049a13ee8566c4af75a96ab20a9fe9f679fb160.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{FC6D9FF6-5B26-4607-9D1E-02699F83265C}\ProxyStubClsid32	0dd232a695488d5f9b54d3f96049a13ee8566c4af75a96ab20a9fe9f679fb160.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\skywidget.skywidget_Obj\ = "skywidget_Obj Class"	0dd232a695488d5f9b54d3f96049a13ee8566c4af75a96ab20a9fe9f679fb160.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\skywidget.skywidget_Obj\CLSID	0dd232a695488d5f9b54d3f96049a13ee8566c4af75a96ab20a9fe9f679fb160.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5AC6C4E6-9E10-4D22-A4D8-8C371C1FD6E2}	0dd232a695488d5f9b54d3f96049a13ee8566c4af75a96ab20a9fe9f679fb160.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5AC6C4E6-9E10-4D22-A4D8-8C371C1FD6E2}\ProgID\ = "skywidget.skywidget_Obj.1"	0dd232a695488d5f9b54d3f96049a13ee8566c4af75a96ab20a9fe9f679fb160.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5AC6C4E6-9E10-4D22-A4D8-8C371C1FD6E2}\VersionIndependentProgID	0dd232a695488d5f9b54d3f96049a13ee8566c4af75a96ab20a9fe9f679fb160.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C92B1604-4D70-41DF-8DFF-E7BBC6C59CFD}\1.0\ = "skywidget 1.0 Çü½Ä ¶óÀÌºê·¯¸®"	0dd232a695488d5f9b54d3f96049a13ee8566c4af75a96ab20a9fe9f679fb160.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{FC6D9FF6-5B26-4607-9D1E-02699F83265C}	0dd232a695488d5f9b54d3f96049a13ee8566c4af75a96ab20a9fe9f679fb160.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{E4A7A183-E1E4-4B6C-8801-8D787E32A01A}\ = "skywidget"	0dd232a695488d5f9b54d3f96049a13ee8566c4af75a96ab20a9fe9f679fb160.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\AppID\skywidget.DLL	0dd232a695488d5f9b54d3f96049a13ee8566c4af75a96ab20a9fe9f679fb160.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\skywidget.skywidget_Obj.1\ = "skywidget_Obj Class"	0dd232a695488d5f9b54d3f96049a13ee8566c4af75a96ab20a9fe9f679fb160.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\skywidget.skywidget_Obj.1\CLSID\ = "{5AC6C4E6-9E10-4D22-A4D8-8C371C1FD6E2}"	0dd232a695488d5f9b54d3f96049a13ee8566c4af75a96ab20a9fe9f679fb160.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5AC6C4E6-9E10-4D22-A4D8-8C371C1FD6E2}\ProgID	0dd232a695488d5f9b54d3f96049a13ee8566c4af75a96ab20a9fe9f679fb160.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C92B1604-4D70-41DF-8DFF-E7BBC6C59CFD}\1.0\FLAGS\ = "0"	0dd232a695488d5f9b54d3f96049a13ee8566c4af75a96ab20a9fe9f679fb160.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\skywidget.skywidget_Obj.1	0dd232a695488d5f9b54d3f96049a13ee8566c4af75a96ab20a9fe9f679fb160.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\skywidget.skywidget_Obj.1\CLSID	0dd232a695488d5f9b54d3f96049a13ee8566c4af75a96ab20a9fe9f679fb160.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\skywidget.skywidget_Obj\CLSID\ = "{5AC6C4E6-9E10-4D22-A4D8-8C371C1FD6E2}"	0dd232a695488d5f9b54d3f96049a13ee8566c4af75a96ab20a9fe9f679fb160.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C92B1604-4D70-41DF-8DFF-E7BBC6C59CFD}\1.0\HELPDIR\	0dd232a695488d5f9b54d3f96049a13ee8566c4af75a96ab20a9fe9f679fb160.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{FC6D9FF6-5B26-4607-9D1E-02699F83265C}\TypeLib	0dd232a695488d5f9b54d3f96049a13ee8566c4af75a96ab20a9fe9f679fb160.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{FC6D9FF6-5B26-4607-9D1E-02699F83265C}\ = "Iskywidget_Obj"	0dd232a695488d5f9b54d3f96049a13ee8566c4af75a96ab20a9fe9f679fb160.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{E4A7A183-E1E4-4B6C-8801-8D787E32A01A}	0dd232a695488d5f9b54d3f96049a13ee8566c4af75a96ab20a9fe9f679fb160.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\AppID\skywidget.DLL\AppID = "{E4A7A183-E1E4-4B6C-8801-8D787E32A01A}"	0dd232a695488d5f9b54d3f96049a13ee8566c4af75a96ab20a9fe9f679fb160.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\skywidget.skywidget_Obj	0dd232a695488d5f9b54d3f96049a13ee8566c4af75a96ab20a9fe9f679fb160.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5AC6C4E6-9E10-4D22-A4D8-8C371C1FD6E2}\InprocServer32\ = "C:\\Program Files (x86)\\Skywidget\\skywidget.dll"	0dd232a695488d5f9b54d3f96049a13ee8566c4af75a96ab20a9fe9f679fb160.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5AC6C4E6-9E10-4D22-A4D8-8C371C1FD6E2}\TypeLib	0dd232a695488d5f9b54d3f96049a13ee8566c4af75a96ab20a9fe9f679fb160.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{FC6D9FF6-5B26-4607-9D1E-02699F83265C}\TypeLib\Version = "1.0"	0dd232a695488d5f9b54d3f96049a13ee8566c4af75a96ab20a9fe9f679fb160.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C92B1604-4D70-41DF-8DFF-E7BBC6C59CFD}\1.0	0dd232a695488d5f9b54d3f96049a13ee8566c4af75a96ab20a9fe9f679fb160.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C92B1604-4D70-41DF-8DFF-E7BBC6C59CFD}\1.0\0	0dd232a695488d5f9b54d3f96049a13ee8566c4af75a96ab20a9fe9f679fb160.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C92B1604-4D70-41DF-8DFF-E7BBC6C59CFD}\1.0\0\win32	0dd232a695488d5f9b54d3f96049a13ee8566c4af75a96ab20a9fe9f679fb160.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{FC6D9FF6-5B26-4607-9D1E-02699F83265C}	0dd232a695488d5f9b54d3f96049a13ee8566c4af75a96ab20a9fe9f679fb160.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{FC6D9FF6-5B26-4607-9D1E-02699F83265C}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	0dd232a695488d5f9b54d3f96049a13ee8566c4af75a96ab20a9fe9f679fb160.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{FC6D9FF6-5B26-4607-9D1E-02699F83265C}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	0dd232a695488d5f9b54d3f96049a13ee8566c4af75a96ab20a9fe9f679fb160.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5AC6C4E6-9E10-4D22-A4D8-8C371C1FD6E2}\VersionIndependentProgID\ = "skywidget.skywidget_Obj"	0dd232a695488d5f9b54d3f96049a13ee8566c4af75a96ab20a9fe9f679fb160.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C92B1604-4D70-41DF-8DFF-E7BBC6C59CFD}\1.0\0\win32\ = "C:\\Program Files (x86)\\Skywidget\\skywidget.dll"	0dd232a695488d5f9b54d3f96049a13ee8566c4af75a96ab20a9fe9f679fb160.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{FC6D9FF6-5B26-4607-9D1E-02699F83265C}\TypeLib	0dd232a695488d5f9b54d3f96049a13ee8566c4af75a96ab20a9fe9f679fb160.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{FC6D9FF6-5B26-4607-9D1E-02699F83265C}\ProxyStubClsid32	0dd232a695488d5f9b54d3f96049a13ee8566c4af75a96ab20a9fe9f679fb160.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{FC6D9FF6-5B26-4607-9D1E-02699F83265C}\TypeLib\ = "{C92B1604-4D70-41DF-8DFF-E7BBC6C59CFD}"	0dd232a695488d5f9b54d3f96049a13ee8566c4af75a96ab20a9fe9f679fb160.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\skywidget.skywidget_Obj\CurVer	0dd232a695488d5f9b54d3f96049a13ee8566c4af75a96ab20a9fe9f679fb160.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5AC6C4E6-9E10-4D22-A4D8-8C371C1FD6E2}\ = "skywidget"	0dd232a695488d5f9b54d3f96049a13ee8566c4af75a96ab20a9fe9f679fb160.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5AC6C4E6-9E10-4D22-A4D8-8C371C1FD6E2}\InprocServer32	0dd232a695488d5f9b54d3f96049a13ee8566c4af75a96ab20a9fe9f679fb160.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5AC6C4E6-9E10-4D22-A4D8-8C371C1FD6E2}\AppID = "{E4A7A183-E1E4-4B6C-8801-8D787E32A01A}"	0dd232a695488d5f9b54d3f96049a13ee8566c4af75a96ab20a9fe9f679fb160.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C92B1604-4D70-41DF-8DFF-E7BBC6C59CFD}\1.0\FLAGS	0dd232a695488d5f9b54d3f96049a13ee8566c4af75a96ab20a9fe9f679fb160.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C92B1604-4D70-41DF-8DFF-E7BBC6C59CFD}\1.0\HELPDIR	0dd232a695488d5f9b54d3f96049a13ee8566c4af75a96ab20a9fe9f679fb160.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{FC6D9FF6-5B26-4607-9D1E-02699F83265C}\TypeLib\ = "{C92B1604-4D70-41DF-8DFF-E7BBC6C59CFD}"	0dd232a695488d5f9b54d3f96049a13ee8566c4af75a96ab20a9fe9f679fb160.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{FC6D9FF6-5B26-4607-9D1E-02699F83265C}\TypeLib\Version = "1.0"	0dd232a695488d5f9b54d3f96049a13ee8566c4af75a96ab20a9fe9f679fb160.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\skywidget.skywidget_Obj\CurVer\ = "skywidget.skywidget_Obj.1"	0dd232a695488d5f9b54d3f96049a13ee8566c4af75a96ab20a9fe9f679fb160.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5AC6C4E6-9E10-4D22-A4D8-8C371C1FD6E2}\Programmable	0dd232a695488d5f9b54d3f96049a13ee8566c4af75a96ab20a9fe9f679fb160.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5AC6C4E6-9E10-4D22-A4D8-8C371C1FD6E2}\InprocServer32\ThreadingModel = "Apartment"	0dd232a695488d5f9b54d3f96049a13ee8566c4af75a96ab20a9fe9f679fb160.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5AC6C4E6-9E10-4D22-A4D8-8C371C1FD6E2}\TypeLib\ = "{C92B1604-4D70-41DF-8DFF-E7BBC6C59CFD}"	0dd232a695488d5f9b54d3f96049a13ee8566c4af75a96ab20a9fe9f679fb160.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C92B1604-4D70-41DF-8DFF-E7BBC6C59CFD}	0dd232a695488d5f9b54d3f96049a13ee8566c4af75a96ab20a9fe9f679fb160.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{FC6D9FF6-5B26-4607-9D1E-02699F83265C}\ = "Iskywidget_Obj"	0dd232a695488d5f9b54d3f96049a13ee8566c4af75a96ab20a9fe9f679fb160.exe

Suspicious behavior: EnumeratesProcesses 24 IoCs

Processes:

0dd232a695488d5f9b54d3f96049a13ee8566c4af75a96ab20a9fe9f679fb160.exeskywidget.exeskywidgeter.exe

pid	process
3164	0dd232a695488d5f9b54d3f96049a13ee8566c4af75a96ab20a9fe9f679fb160.exe
3164	0dd232a695488d5f9b54d3f96049a13ee8566c4af75a96ab20a9fe9f679fb160.exe
3164	0dd232a695488d5f9b54d3f96049a13ee8566c4af75a96ab20a9fe9f679fb160.exe
3164	0dd232a695488d5f9b54d3f96049a13ee8566c4af75a96ab20a9fe9f679fb160.exe
3164	0dd232a695488d5f9b54d3f96049a13ee8566c4af75a96ab20a9fe9f679fb160.exe
3164	0dd232a695488d5f9b54d3f96049a13ee8566c4af75a96ab20a9fe9f679fb160.exe
3164	0dd232a695488d5f9b54d3f96049a13ee8566c4af75a96ab20a9fe9f679fb160.exe
3164	0dd232a695488d5f9b54d3f96049a13ee8566c4af75a96ab20a9fe9f679fb160.exe
3164	0dd232a695488d5f9b54d3f96049a13ee8566c4af75a96ab20a9fe9f679fb160.exe
3164	0dd232a695488d5f9b54d3f96049a13ee8566c4af75a96ab20a9fe9f679fb160.exe
3164	0dd232a695488d5f9b54d3f96049a13ee8566c4af75a96ab20a9fe9f679fb160.exe
3164	0dd232a695488d5f9b54d3f96049a13ee8566c4af75a96ab20a9fe9f679fb160.exe
3164	0dd232a695488d5f9b54d3f96049a13ee8566c4af75a96ab20a9fe9f679fb160.exe
3164	0dd232a695488d5f9b54d3f96049a13ee8566c4af75a96ab20a9fe9f679fb160.exe
3164	0dd232a695488d5f9b54d3f96049a13ee8566c4af75a96ab20a9fe9f679fb160.exe
3164	0dd232a695488d5f9b54d3f96049a13ee8566c4af75a96ab20a9fe9f679fb160.exe
3164	0dd232a695488d5f9b54d3f96049a13ee8566c4af75a96ab20a9fe9f679fb160.exe
3164	0dd232a695488d5f9b54d3f96049a13ee8566c4af75a96ab20a9fe9f679fb160.exe
3164	0dd232a695488d5f9b54d3f96049a13ee8566c4af75a96ab20a9fe9f679fb160.exe
3164	0dd232a695488d5f9b54d3f96049a13ee8566c4af75a96ab20a9fe9f679fb160.exe
2028	skywidget.exe
2028	skywidget.exe
2668	skywidgeter.exe
2668	skywidgeter.exe

Suspicious use of FindShellTrayWindow 4 IoCs

Processes:

skywidget.exeskywidgeter.exeskywidgets.exe

pid process

2028 skywidget.exe
2668 skywidgeter.exe
4420 skywidgets.exe
4420 skywidgets.exe

Suspicious use of SetWindowsHookEx 8 IoCs

Processes:

skywidget.exeskywidgeter.exeskywidgeted.exeskywidgets.exe

pid	process
2028	skywidget.exe
2028	skywidget.exe
2668	skywidgeter.exe
2668	skywidgeter.exe
2744	skywidgeted.exe
2744	skywidgeted.exe
4420	skywidgets.exe
4420	skywidgets.exe

Suspicious use of WriteProcessMemory 39 IoCs

Processes:

0dd232a695488d5f9b54d3f96049a13ee8566c4af75a96ab20a9fe9f679fb160.execmd.execmd.exeskywidget.execmd.exeskywidgeter.exe

description	pid	process	target process
PID 3164 wrote to memory of 4112	3164	0dd232a695488d5f9b54d3f96049a13ee8566c4af75a96ab20a9fe9f679fb160.exe	cmd.exe
PID 3164 wrote to memory of 4112	3164	0dd232a695488d5f9b54d3f96049a13ee8566c4af75a96ab20a9fe9f679fb160.exe	cmd.exe
PID 3164 wrote to memory of 4112	3164	0dd232a695488d5f9b54d3f96049a13ee8566c4af75a96ab20a9fe9f679fb160.exe	cmd.exe
PID 4112 wrote to memory of 3728	4112	cmd.exe	schtasks.exe
PID 4112 wrote to memory of 3728	4112	cmd.exe	schtasks.exe
PID 4112 wrote to memory of 3728	4112	cmd.exe	schtasks.exe
PID 3164 wrote to memory of 2028	3164	0dd232a695488d5f9b54d3f96049a13ee8566c4af75a96ab20a9fe9f679fb160.exe	skywidget.exe
PID 3164 wrote to memory of 2028	3164	0dd232a695488d5f9b54d3f96049a13ee8566c4af75a96ab20a9fe9f679fb160.exe	skywidget.exe
PID 3164 wrote to memory of 2028	3164	0dd232a695488d5f9b54d3f96049a13ee8566c4af75a96ab20a9fe9f679fb160.exe	skywidget.exe
PID 3164 wrote to memory of 3036	3164	0dd232a695488d5f9b54d3f96049a13ee8566c4af75a96ab20a9fe9f679fb160.exe	cmd.exe
PID 3164 wrote to memory of 3036	3164	0dd232a695488d5f9b54d3f96049a13ee8566c4af75a96ab20a9fe9f679fb160.exe	cmd.exe
PID 3164 wrote to memory of 3036	3164	0dd232a695488d5f9b54d3f96049a13ee8566c4af75a96ab20a9fe9f679fb160.exe	cmd.exe
PID 3036 wrote to memory of 3708	3036	cmd.exe	schtasks.exe
PID 3036 wrote to memory of 3708	3036	cmd.exe	schtasks.exe
PID 3036 wrote to memory of 3708	3036	cmd.exe	schtasks.exe
PID 2028 wrote to memory of 1248	2028	skywidget.exe	sc.exe
PID 2028 wrote to memory of 1248	2028	skywidget.exe	sc.exe
PID 2028 wrote to memory of 1248	2028	skywidget.exe	sc.exe
PID 3164 wrote to memory of 1696	3164	0dd232a695488d5f9b54d3f96049a13ee8566c4af75a96ab20a9fe9f679fb160.exe	cmd.exe
PID 3164 wrote to memory of 1696	3164	0dd232a695488d5f9b54d3f96049a13ee8566c4af75a96ab20a9fe9f679fb160.exe	cmd.exe
PID 3164 wrote to memory of 1696	3164	0dd232a695488d5f9b54d3f96049a13ee8566c4af75a96ab20a9fe9f679fb160.exe	cmd.exe
PID 1696 wrote to memory of 572	1696	cmd.exe	schtasks.exe
PID 1696 wrote to memory of 572	1696	cmd.exe	schtasks.exe
PID 1696 wrote to memory of 572	1696	cmd.exe	schtasks.exe
PID 3164 wrote to memory of 2668	3164	0dd232a695488d5f9b54d3f96049a13ee8566c4af75a96ab20a9fe9f679fb160.exe	skywidgeter.exe
PID 3164 wrote to memory of 2668	3164	0dd232a695488d5f9b54d3f96049a13ee8566c4af75a96ab20a9fe9f679fb160.exe	skywidgeter.exe
PID 3164 wrote to memory of 2668	3164	0dd232a695488d5f9b54d3f96049a13ee8566c4af75a96ab20a9fe9f679fb160.exe	skywidgeter.exe
PID 3164 wrote to memory of 2744	3164	0dd232a695488d5f9b54d3f96049a13ee8566c4af75a96ab20a9fe9f679fb160.exe	skywidgeted.exe
PID 3164 wrote to memory of 2744	3164	0dd232a695488d5f9b54d3f96049a13ee8566c4af75a96ab20a9fe9f679fb160.exe	skywidgeted.exe
PID 3164 wrote to memory of 2744	3164	0dd232a695488d5f9b54d3f96049a13ee8566c4af75a96ab20a9fe9f679fb160.exe	skywidgeted.exe
PID 3164 wrote to memory of 4420	3164	0dd232a695488d5f9b54d3f96049a13ee8566c4af75a96ab20a9fe9f679fb160.exe	skywidgets.exe
PID 3164 wrote to memory of 4420	3164	0dd232a695488d5f9b54d3f96049a13ee8566c4af75a96ab20a9fe9f679fb160.exe	skywidgets.exe
PID 3164 wrote to memory of 4420	3164	0dd232a695488d5f9b54d3f96049a13ee8566c4af75a96ab20a9fe9f679fb160.exe	skywidgets.exe
PID 3164 wrote to memory of 4856	3164	0dd232a695488d5f9b54d3f96049a13ee8566c4af75a96ab20a9fe9f679fb160.exe	cmd.exe
PID 3164 wrote to memory of 4856	3164	0dd232a695488d5f9b54d3f96049a13ee8566c4af75a96ab20a9fe9f679fb160.exe	cmd.exe
PID 3164 wrote to memory of 4856	3164	0dd232a695488d5f9b54d3f96049a13ee8566c4af75a96ab20a9fe9f679fb160.exe	cmd.exe
PID 2668 wrote to memory of 4928	2668	skywidgeter.exe	sc.exe
PID 2668 wrote to memory of 4928	2668	skywidgeter.exe	sc.exe
PID 2668 wrote to memory of 4928	2668	skywidgeter.exe	sc.exe

C:\Users\Admin\AppData\Local\Temp\0dd232a695488d5f9b54d3f96049a13ee8566c4af75a96ab20a9fe9f679fb160.exe
"C:\Users\Admin\AppData\Local\Temp\0dd232a695488d5f9b54d3f96049a13ee8566c4af75a96ab20a9fe9f679fb160.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Drops file in Program Files directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3164

C:\Windows\SysWOW64\cmd.exe
cmd /C schtasks /Create /F /TN "swgWin" /SC ONLOGON /TR "'C:\Program Files (x86)\Skywidget\skywidget.exe' schcmd" /rL HIGHEST
2⤵
- Suspicious use of WriteProcessMemory
PID:4112

C:\Windows\SysWOW64\schtasks.exe
schtasks /Create /F /TN "swgWin" /SC ONLOGON /TR "'C:\Program Files (x86)\Skywidget\skywidget.exe' schcmd" /rL HIGHEST
3⤵
- Creates scheduled task(s)
PID:3728

C:\Program Files (x86)\Skywidget\skywidget.exe
"C:\Program Files (x86)\Skywidget\skywidget.exe" Updatecmd
2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2028

C:\Windows\SysWOW64\sc.exe
sc query npf
3⤵
PID:1248

C:\Windows\SysWOW64\cmd.exe
cmd /C schtasks /Create /F /TN "SkyWidgetSystem" /SC ONLOGON /TR "'C:\Program Files (x86)\Skywidget\skywidgets.exe' Runcmd" /rL HIGHEST
2⤵
- Suspicious use of WriteProcessMemory
PID:3036

C:\Windows\SysWOW64\schtasks.exe
schtasks /Create /F /TN "SkyWidgetSystem" /SC ONLOGON /TR "'C:\Program Files (x86)\Skywidget\skywidgets.exe' Runcmd" /rL HIGHEST
3⤵
- Creates scheduled task(s)
PID:3708

C:\Windows\SysWOW64\cmd.exe
cmd /C schtasks /Create /F /TN "skywidgeter" /SC ONLOGON /TR "'C:\Program Files (x86)\Skywidget\skywidgeter.exe' Runcmd" /rL HIGHEST
2⤵
- Suspicious use of WriteProcessMemory
PID:1696

C:\Windows\SysWOW64\schtasks.exe
schtasks /Create /F /TN "skywidgeter" /SC ONLOGON /TR "'C:\Program Files (x86)\Skywidget\skywidgeter.exe' Runcmd" /rL HIGHEST
3⤵
- Creates scheduled task(s)
PID:572

C:\Program Files (x86)\Skywidget\skywidgeter.exe
"C:\Program Files (x86)\Skywidget\skywidgeter.exe" Updatecmd
2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2668

C:\Windows\SysWOW64\sc.exe
sc query npf
3⤵
PID:4928

C:\Program Files (x86)\Skywidget\skywidgeted.exe
"C:\Program Files (x86)\Skywidget\skywidgeted.exe"
2⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:2744

C:\Program Files (x86)\Skywidget\skywidgets.exe
"C:\Program Files (x86)\Skywidget\skywidgets.exe" Updatecmd
2⤵
- Executes dropped EXE
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
PID:4420

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c \DelUS.bat
2⤵
PID:4856

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Browser Extensions

T1176

Registry Run Keys / Startup Folder

T1060

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\DelUS.bat
Filesize
264B

MD5
847608d04a7631e5d4b7fa42e5c6a107

SHA1
ff082cd634e5a6fd9f7aa4cb67a465a01786ba8b

SHA256
6e0dd4eabfd1db2005c28a98f4942f5ca51bbf405285b132836c890a01062ea1

SHA512
7ed7ae76f5d21d61378c7b68c1804a677768b90998c951f031099c47ca98a5256dfcfde9ed3a063b12fe014c52e37138f76099ebe6f7c46f4832350f75de46e3

Download Submit
C:\Program Files (x86)\Skywidget\skywidget.dll
Filesize
173KB

MD5
de1de0ece862dc67cb6da23e6f221ee1

SHA1
06565d855cac9f7509c01992171e88791baf619c

SHA256
7c5a1dbfc8770d41df44c8e84b76f88a0dfbc763f014455b18d90eea87b85bb5

SHA512
69963f248a4538f06b50a5e3edb1ba9ec22b4358b154d4453eceb144049daa82c29e870218880f99718732a145ca6f348b4f3dd5d5b729ebef895a1d1e770676

Download Submit
C:\Program Files (x86)\Skywidget\skywidget.exe
Filesize
409KB

MD5
ade4db664f0486c25d04db9991e60164

SHA1
fc9116e9044d54fb98df55edd08c4f2844146bf3

SHA256
12c09b58894a4677dde8c4852d75eba862103780837c83e664f74aa309494552

SHA512
f4c98f2f283601dfdc9b32065486d6447e5e720565ea0388895f9e2da012c3404cb71aaa8e88c0197fc10522bd8cab3cf5f53b914ca3fd2fa4ca86e63bc022c9

Download Submit
C:\Program Files (x86)\Skywidget\skywidget.exe
Filesize
409KB

MD5
ade4db664f0486c25d04db9991e60164

SHA1
fc9116e9044d54fb98df55edd08c4f2844146bf3

SHA256
12c09b58894a4677dde8c4852d75eba862103780837c83e664f74aa309494552

SHA512
f4c98f2f283601dfdc9b32065486d6447e5e720565ea0388895f9e2da012c3404cb71aaa8e88c0197fc10522bd8cab3cf5f53b914ca3fd2fa4ca86e63bc022c9

Download Submit
C:\Program Files (x86)\Skywidget\skywidgeted.exe
Filesize
577KB

MD5
aff96bba73c906c9f5a42306ab504f0e

SHA1
cb3033e18d1ae17197232a02d189f9affd39437f

SHA256
5df129c40cff34646e268f49b28650ecc553d382770aa9921d9fd9e1a896314b

SHA512
8dd2bf53e079e2c47d1e891dfc0a165dbc569326122ad47ef84d88bdf39d17ed4aa5f177e05e54df9fe2a0efaed80ace7fa2f196c1532a43160cb6ecb5620b8f

Download Submit
C:\Program Files (x86)\Skywidget\skywidgeted.exe
Filesize
577KB

MD5
aff96bba73c906c9f5a42306ab504f0e

SHA1
cb3033e18d1ae17197232a02d189f9affd39437f

SHA256
5df129c40cff34646e268f49b28650ecc553d382770aa9921d9fd9e1a896314b

SHA512
8dd2bf53e079e2c47d1e891dfc0a165dbc569326122ad47ef84d88bdf39d17ed4aa5f177e05e54df9fe2a0efaed80ace7fa2f196c1532a43160cb6ecb5620b8f

Download Submit
C:\Program Files (x86)\Skywidget\skywidgeter.exe
Filesize
405KB

MD5
e22a97711614f677c2be3ae51461180b

SHA1
839303b1c5436be79ceefe57e90e8ec40e3b354c

SHA256
312f8e94faaac46f79321e7e955a25f6409babe9d67322fd53b35e4d7403e51d

SHA512
c6a048d36adb4b9ce914b59a44477c8a444308df176ff63ed595e251123990c9926a58ba17e8b80ee06fc1dc34adf073cb4911c21087bca9986d59634d7a5bee

Download Submit
C:\Program Files (x86)\Skywidget\skywidgeter.exe
Filesize
405KB

MD5
e22a97711614f677c2be3ae51461180b

SHA1
839303b1c5436be79ceefe57e90e8ec40e3b354c

SHA256
312f8e94faaac46f79321e7e955a25f6409babe9d67322fd53b35e4d7403e51d

SHA512
c6a048d36adb4b9ce914b59a44477c8a444308df176ff63ed595e251123990c9926a58ba17e8b80ee06fc1dc34adf073cb4911c21087bca9986d59634d7a5bee

Download Submit
C:\Program Files (x86)\Skywidget\skywidgets.exe
Filesize
369KB

MD5
1a646f66f4d47d2173a43d37642955f6

SHA1
31a8cf87b45498d67c56c46867af65dc96c921d7

SHA256
9a4e9b69feb53c5edd1f763aec7f5b356cffb5255dc3b439945526c268b1c6bc

SHA512
ac7e95e6b754a8278e8b61941c33540ef3a16ed40ea94df375c46561648b8f876dcda250a8bdfd717a6014d90e6736db0415d07492a996994858222c30db6a70

Download Submit
C:\Program Files (x86)\Skywidget\skywidgets.exe
Filesize
369KB

MD5
1a646f66f4d47d2173a43d37642955f6

SHA1
31a8cf87b45498d67c56c46867af65dc96c921d7

SHA256
9a4e9b69feb53c5edd1f763aec7f5b356cffb5255dc3b439945526c268b1c6bc

SHA512
ac7e95e6b754a8278e8b61941c33540ef3a16ed40ea94df375c46561648b8f876dcda250a8bdfd717a6014d90e6736db0415d07492a996994858222c30db6a70

Download Submit
C:\Users\Admin\AppData\Local\Temp\nspACE1.tmp\DLLWebCount.dll
Filesize
32KB

MD5
248536afcb6f59c1797f079a0da15b63

SHA1
7fa238f871b357c66168728ab1bb38addcfba3f8

SHA256
9c5f4eeadc9c2881bc02b45d757b35d3bfd2dc7d917d2e8fde2917fabf48908f

SHA512
b82accc8530650ebae8d4f8752002c2d23ab7b29e958e6c14731ad186a0fcdbbab937723a540de62d58f4659580843191fd53cb415e07167d7b55cd174a79652

Download Submit
C:\Users\Admin\AppData\Local\Temp\nspACE1.tmp\DLLWebCount.dll
Filesize
32KB

MD5
248536afcb6f59c1797f079a0da15b63

SHA1
7fa238f871b357c66168728ab1bb38addcfba3f8

SHA256
9c5f4eeadc9c2881bc02b45d757b35d3bfd2dc7d917d2e8fde2917fabf48908f

SHA512
b82accc8530650ebae8d4f8752002c2d23ab7b29e958e6c14731ad186a0fcdbbab937723a540de62d58f4659580843191fd53cb415e07167d7b55cd174a79652

Download Submit
C:\Users\Admin\AppData\Local\Temp\nspACE1.tmp\DLLWebCount.dll
Filesize
32KB

MD5
248536afcb6f59c1797f079a0da15b63

SHA1
7fa238f871b357c66168728ab1bb38addcfba3f8

SHA256
9c5f4eeadc9c2881bc02b45d757b35d3bfd2dc7d917d2e8fde2917fabf48908f

SHA512
b82accc8530650ebae8d4f8752002c2d23ab7b29e958e6c14731ad186a0fcdbbab937723a540de62d58f4659580843191fd53cb415e07167d7b55cd174a79652

Download Submit
C:\Users\Admin\AppData\Local\Temp\nspACE1.tmp\DLLWebCount.dll
Filesize
32KB

MD5
248536afcb6f59c1797f079a0da15b63

SHA1
7fa238f871b357c66168728ab1bb38addcfba3f8

SHA256
9c5f4eeadc9c2881bc02b45d757b35d3bfd2dc7d917d2e8fde2917fabf48908f

SHA512
b82accc8530650ebae8d4f8752002c2d23ab7b29e958e6c14731ad186a0fcdbbab937723a540de62d58f4659580843191fd53cb415e07167d7b55cd174a79652

Download Submit
C:\Users\Admin\AppData\Local\Temp\nspACE1.tmp\FindProcDLL.dll
Filesize
32KB

MD5
849abe37c3b8a6dd48089b769ee789c5

SHA1
81d5d6c4d6328059a07ae59878c717211a726512

SHA256
0ac175b28d2a156e71bda214d4a35321c85d434e325624564f0a5eee23c718be

SHA512
fa1f60aa1e26dffe6a0b2ee8cba6490cc2d1f94613777466ce434a71431bd88f8c3964718f3ea1dd2c8ca41847cc259999bb293ea2591f4f0a0add286229f76f

Download Submit
C:\Users\Admin\AppData\Local\Temp\nspACE1.tmp\KillProcDLL.dll
Filesize
32KB

MD5
83142eac84475f4ca889c73f10d9c179

SHA1
dbe43c0de8ef881466bd74861b2e5b17598b5ce8

SHA256
ae2f1658656e554f37e6eac896475a3862841a18ffc6fad2754e2d3525770729

SHA512
1c66eab21f0c9e0b99ecc3844516a6978f52e0c7f489405a427532ecbe78947c37dac5b4c8b722cc8bc1edfb74ba4824519d56099e587e754e5c668701e83bd1

Download Submit
C:\Users\Admin\AppData\Local\Temp\nspACE1.tmp\KillProcDLL.dll
Filesize
32KB

MD5
83142eac84475f4ca889c73f10d9c179

SHA1
dbe43c0de8ef881466bd74861b2e5b17598b5ce8

SHA256
ae2f1658656e554f37e6eac896475a3862841a18ffc6fad2754e2d3525770729

SHA512
1c66eab21f0c9e0b99ecc3844516a6978f52e0c7f489405a427532ecbe78947c37dac5b4c8b722cc8bc1edfb74ba4824519d56099e587e754e5c668701e83bd1

Download Submit
C:\Users\Admin\AppData\Local\Temp\nspACE1.tmp\KillProcDLL.dll
Filesize
32KB

MD5
83142eac84475f4ca889c73f10d9c179

SHA1
dbe43c0de8ef881466bd74861b2e5b17598b5ce8

SHA256
ae2f1658656e554f37e6eac896475a3862841a18ffc6fad2754e2d3525770729

SHA512
1c66eab21f0c9e0b99ecc3844516a6978f52e0c7f489405a427532ecbe78947c37dac5b4c8b722cc8bc1edfb74ba4824519d56099e587e754e5c668701e83bd1

Download Submit
C:\Users\Admin\AppData\Local\Temp\nspACE1.tmp\KillProcDLL.dll
Filesize
32KB

MD5
83142eac84475f4ca889c73f10d9c179

SHA1
dbe43c0de8ef881466bd74861b2e5b17598b5ce8

SHA256
ae2f1658656e554f37e6eac896475a3862841a18ffc6fad2754e2d3525770729

SHA512
1c66eab21f0c9e0b99ecc3844516a6978f52e0c7f489405a427532ecbe78947c37dac5b4c8b722cc8bc1edfb74ba4824519d56099e587e754e5c668701e83bd1

Download Submit
C:\Users\Admin\AppData\Local\Temp\nspACE1.tmp\KillProcDLL.dll
Filesize
32KB

MD5
83142eac84475f4ca889c73f10d9c179

SHA1
dbe43c0de8ef881466bd74861b2e5b17598b5ce8

SHA256
ae2f1658656e554f37e6eac896475a3862841a18ffc6fad2754e2d3525770729

SHA512
1c66eab21f0c9e0b99ecc3844516a6978f52e0c7f489405a427532ecbe78947c37dac5b4c8b722cc8bc1edfb74ba4824519d56099e587e754e5c668701e83bd1

Download Submit
C:\Users\Admin\AppData\Local\Temp\nspACE1.tmp\KillProcDLL.dll
Filesize
32KB

MD5
83142eac84475f4ca889c73f10d9c179

SHA1
dbe43c0de8ef881466bd74861b2e5b17598b5ce8

SHA256
ae2f1658656e554f37e6eac896475a3862841a18ffc6fad2754e2d3525770729

SHA512
1c66eab21f0c9e0b99ecc3844516a6978f52e0c7f489405a427532ecbe78947c37dac5b4c8b722cc8bc1edfb74ba4824519d56099e587e754e5c668701e83bd1

Download Submit
C:\Users\Admin\AppData\Local\Temp\nspACE1.tmp\KillProcDLL.dll
Filesize
32KB

MD5
83142eac84475f4ca889c73f10d9c179

SHA1
dbe43c0de8ef881466bd74861b2e5b17598b5ce8

SHA256
ae2f1658656e554f37e6eac896475a3862841a18ffc6fad2754e2d3525770729

SHA512
1c66eab21f0c9e0b99ecc3844516a6978f52e0c7f489405a427532ecbe78947c37dac5b4c8b722cc8bc1edfb74ba4824519d56099e587e754e5c668701e83bd1

Download Submit
C:\Users\Admin\AppData\Local\Temp\nspACE1.tmp\KillProcDLL.dll
Filesize
32KB

MD5
83142eac84475f4ca889c73f10d9c179

SHA1
dbe43c0de8ef881466bd74861b2e5b17598b5ce8

SHA256
ae2f1658656e554f37e6eac896475a3862841a18ffc6fad2754e2d3525770729

SHA512
1c66eab21f0c9e0b99ecc3844516a6978f52e0c7f489405a427532ecbe78947c37dac5b4c8b722cc8bc1edfb74ba4824519d56099e587e754e5c668701e83bd1

Download Submit
C:\Users\Admin\AppData\Local\Temp\nspACE1.tmp\KillProcDLL.dll
Filesize
32KB

MD5
83142eac84475f4ca889c73f10d9c179

SHA1
dbe43c0de8ef881466bd74861b2e5b17598b5ce8

SHA256
ae2f1658656e554f37e6eac896475a3862841a18ffc6fad2754e2d3525770729

SHA512
1c66eab21f0c9e0b99ecc3844516a6978f52e0c7f489405a427532ecbe78947c37dac5b4c8b722cc8bc1edfb74ba4824519d56099e587e754e5c668701e83bd1

Download Submit
C:\Users\Admin\AppData\Local\Temp\nspACE1.tmp\SelfDelete.dll
Filesize
24KB

MD5
ddc0d6806073a5b034104c88288ca762

SHA1
9663cc10c496f05d6167e19c3920245040e5e431

SHA256
2f4767da9dc7e720d910d32d451674cd08b7892ca753ec5c10b11fe85e12f06b

SHA512
545ca797a397cfcbd9b5d3bd2da2e3219ba7a294e541831655c5763a7f17480fd0b990d0c2e58ba8c71f81d85472b2da6d079b8211b44c40c8c36d21168ec054

Download Submit
C:\Users\Admin\AppData\Local\Temp\nspACE1.tmp\nsExec.dll
Filesize
6KB

MD5
acc2b699edfea5bf5aae45aba3a41e96

SHA1
d2accf4d494e43ceb2cff69abe4dd17147d29cc2

SHA256
168a974eaa3f588d759db3f47c1a9fdc3494ba1fa1a73a84e5e3b2a4d58abd7e

SHA512
e29ea10ada98c71a18273b04f44f385b120d4e8473e441ce5748cfa44a23648814f2656f429b85440157988c88de776c6ac008dc38bf09cbb746c230a46c69fe

Download Submit
C:\Users\Admin\AppData\Local\Temp\nspACE1.tmp\nsExec.dll
Filesize
6KB

MD5
acc2b699edfea5bf5aae45aba3a41e96

SHA1
d2accf4d494e43ceb2cff69abe4dd17147d29cc2

SHA256
168a974eaa3f588d759db3f47c1a9fdc3494ba1fa1a73a84e5e3b2a4d58abd7e

SHA512
e29ea10ada98c71a18273b04f44f385b120d4e8473e441ce5748cfa44a23648814f2656f429b85440157988c88de776c6ac008dc38bf09cbb746c230a46c69fe

Download Submit
C:\Users\Admin\AppData\Local\Temp\nspACE1.tmp\nsExec.dll
Filesize
6KB

MD5
acc2b699edfea5bf5aae45aba3a41e96

SHA1
d2accf4d494e43ceb2cff69abe4dd17147d29cc2

SHA256
168a974eaa3f588d759db3f47c1a9fdc3494ba1fa1a73a84e5e3b2a4d58abd7e

SHA512
e29ea10ada98c71a18273b04f44f385b120d4e8473e441ce5748cfa44a23648814f2656f429b85440157988c88de776c6ac008dc38bf09cbb746c230a46c69fe

Download Submit
C:\Users\Admin\AppData\Local\Temp\nspACE1.tmp\nsRandom.dll
Filesize
21KB

MD5
ab467b8dfaa660a0f0e5b26e28af5735

SHA1
596abd2c31eaff3479edf2069db1c155b59ce74d

SHA256
db267d9920395b4badc48de04df99dfd21d579480d103cae0f48e6578197ff73

SHA512
7d002dc203997b8a4d8ec20c92cd82848e29d746414f4a61265c76d4afb12c05bce826fc63f4d2bd3d527f38506c391855767d864c37584df11b5db9ca008301

Download Submit
C:\Users\Admin\AppData\Local\Temp\nspACE1.tmp\nsRandom.dll
Filesize
21KB

MD5
ab467b8dfaa660a0f0e5b26e28af5735

SHA1
596abd2c31eaff3479edf2069db1c155b59ce74d

SHA256
db267d9920395b4badc48de04df99dfd21d579480d103cae0f48e6578197ff73

SHA512
7d002dc203997b8a4d8ec20c92cd82848e29d746414f4a61265c76d4afb12c05bce826fc63f4d2bd3d527f38506c391855767d864c37584df11b5db9ca008301

Download Submit
C:\Users\Admin\AppData\Local\Temp\nspACE1.tmp\version.dll
Filesize
22KB

MD5
fbe588b15eb1bd86defade69f796b56f

SHA1
2f63cf44039addddb22c2c0497673b49e6b3ad7a

SHA256
31144e8b156fe87317073c48a09abcb033fda8dbdd96986c4abea8c00c00355f

SHA512
e1a9e29e4c62e77a2ec2c539344f0b5a8cd67ca3fd8dfefb0b0666a992eb2fabadb0034d439c4adbbdffd9c9439f23ee5757fac0ed669d3c9db48f50c677143d

Download Submit
C:\Users\Admin\AppData\Local\Temp\nspACE1.tmp\version.dll
Filesize
22KB

MD5
fbe588b15eb1bd86defade69f796b56f

SHA1
2f63cf44039addddb22c2c0497673b49e6b3ad7a

SHA256
31144e8b156fe87317073c48a09abcb033fda8dbdd96986c4abea8c00c00355f

SHA512
e1a9e29e4c62e77a2ec2c539344f0b5a8cd67ca3fd8dfefb0b0666a992eb2fabadb0034d439c4adbbdffd9c9439f23ee5757fac0ed669d3c9db48f50c677143d

Download Submit
C:\Users\Admin\AppData\Local\Temp\nspACE1.tmp\version.dll
Filesize
22KB

MD5
fbe588b15eb1bd86defade69f796b56f

SHA1
2f63cf44039addddb22c2c0497673b49e6b3ad7a

SHA256
31144e8b156fe87317073c48a09abcb033fda8dbdd96986c4abea8c00c00355f

SHA512
e1a9e29e4c62e77a2ec2c539344f0b5a8cd67ca3fd8dfefb0b0666a992eb2fabadb0034d439c4adbbdffd9c9439f23ee5757fac0ed669d3c9db48f50c677143d

Download Submit
C:\Users\Admin\AppData\Local\Temp\nspACE1.tmp\version.dll
Filesize
22KB

MD5
fbe588b15eb1bd86defade69f796b56f

SHA1
2f63cf44039addddb22c2c0497673b49e6b3ad7a

SHA256
31144e8b156fe87317073c48a09abcb033fda8dbdd96986c4abea8c00c00355f

SHA512
e1a9e29e4c62e77a2ec2c539344f0b5a8cd67ca3fd8dfefb0b0666a992eb2fabadb0034d439c4adbbdffd9c9439f23ee5757fac0ed669d3c9db48f50c677143d

Download Submit
C:\Users\Admin\AppData\Local\Temp\nspACE1.tmp\version.dll
Filesize
22KB

MD5
fbe588b15eb1bd86defade69f796b56f

SHA1
2f63cf44039addddb22c2c0497673b49e6b3ad7a

SHA256
31144e8b156fe87317073c48a09abcb033fda8dbdd96986c4abea8c00c00355f

SHA512
e1a9e29e4c62e77a2ec2c539344f0b5a8cd67ca3fd8dfefb0b0666a992eb2fabadb0034d439c4adbbdffd9c9439f23ee5757fac0ed669d3c9db48f50c677143d

Download Submit
C:\Users\Admin\AppData\Local\Temp\nspACE1.tmp\version.dll
Filesize
22KB

MD5
fbe588b15eb1bd86defade69f796b56f

SHA1
2f63cf44039addddb22c2c0497673b49e6b3ad7a

SHA256
31144e8b156fe87317073c48a09abcb033fda8dbdd96986c4abea8c00c00355f

SHA512
e1a9e29e4c62e77a2ec2c539344f0b5a8cd67ca3fd8dfefb0b0666a992eb2fabadb0034d439c4adbbdffd9c9439f23ee5757fac0ed669d3c9db48f50c677143d

Download Submit
C:\Users\Admin\AppData\Local\Temp\nspACE1.tmp\version.dll
Filesize
22KB

MD5
fbe588b15eb1bd86defade69f796b56f

SHA1
2f63cf44039addddb22c2c0497673b49e6b3ad7a

SHA256
31144e8b156fe87317073c48a09abcb033fda8dbdd96986c4abea8c00c00355f

SHA512
e1a9e29e4c62e77a2ec2c539344f0b5a8cd67ca3fd8dfefb0b0666a992eb2fabadb0034d439c4adbbdffd9c9439f23ee5757fac0ed669d3c9db48f50c677143d

Download Submit
C:\Users\Admin\AppData\Local\Temp\nspACE1.tmp\version.dll
Filesize
22KB

MD5
fbe588b15eb1bd86defade69f796b56f

SHA1
2f63cf44039addddb22c2c0497673b49e6b3ad7a

SHA256
31144e8b156fe87317073c48a09abcb033fda8dbdd96986c4abea8c00c00355f

SHA512
e1a9e29e4c62e77a2ec2c539344f0b5a8cd67ca3fd8dfefb0b0666a992eb2fabadb0034d439c4adbbdffd9c9439f23ee5757fac0ed669d3c9db48f50c677143d

Download Submit
C:\Users\Admin\AppData\Local\Temp\nspACE1.tmp\version.dll
Filesize
22KB

MD5
fbe588b15eb1bd86defade69f796b56f

SHA1
2f63cf44039addddb22c2c0497673b49e6b3ad7a

SHA256
31144e8b156fe87317073c48a09abcb033fda8dbdd96986c4abea8c00c00355f

SHA512
e1a9e29e4c62e77a2ec2c539344f0b5a8cd67ca3fd8dfefb0b0666a992eb2fabadb0034d439c4adbbdffd9c9439f23ee5757fac0ed669d3c9db48f50c677143d

Download Submit
C:\Users\Admin\AppData\Local\Temp\nspACE1.tmp\version.dll
Filesize
22KB

MD5
fbe588b15eb1bd86defade69f796b56f

SHA1
2f63cf44039addddb22c2c0497673b49e6b3ad7a

SHA256
31144e8b156fe87317073c48a09abcb033fda8dbdd96986c4abea8c00c00355f

SHA512
e1a9e29e4c62e77a2ec2c539344f0b5a8cd67ca3fd8dfefb0b0666a992eb2fabadb0034d439c4adbbdffd9c9439f23ee5757fac0ed669d3c9db48f50c677143d

Download Submit
C:\Users\Admin\AppData\Local\Temp\nspACE1.tmp\version.dll
Filesize
22KB

MD5
fbe588b15eb1bd86defade69f796b56f

SHA1
2f63cf44039addddb22c2c0497673b49e6b3ad7a

SHA256
31144e8b156fe87317073c48a09abcb033fda8dbdd96986c4abea8c00c00355f

SHA512
e1a9e29e4c62e77a2ec2c539344f0b5a8cd67ca3fd8dfefb0b0666a992eb2fabadb0034d439c4adbbdffd9c9439f23ee5757fac0ed669d3c9db48f50c677143d

Download Submit
C:\Users\Admin\AppData\Local\Temp\nspACE1.tmp\version.dll
Filesize
22KB

MD5
fbe588b15eb1bd86defade69f796b56f

SHA1
2f63cf44039addddb22c2c0497673b49e6b3ad7a

SHA256
31144e8b156fe87317073c48a09abcb033fda8dbdd96986c4abea8c00c00355f

SHA512
e1a9e29e4c62e77a2ec2c539344f0b5a8cd67ca3fd8dfefb0b0666a992eb2fabadb0034d439c4adbbdffd9c9439f23ee5757fac0ed669d3c9db48f50c677143d

Download Submit
memory/572-176-0x0000000000000000-mapping.dmp

Download
memory/1248-169-0x0000000000000000-mapping.dmp

Download
memory/1696-175-0x0000000000000000-mapping.dmp

Download
memory/2028-152-0x0000000000000000-mapping.dmp

Download
memory/2668-182-0x0000000000000000-mapping.dmp

Download
memory/2744-184-0x0000000000000000-mapping.dmp

Download
memory/3036-161-0x0000000000000000-mapping.dmp

Download
memory/3164-178-0x0000000003710000-0x0000000003722000-memory.dmp

Filesize
72KB

Download
memory/3164-148-0x0000000003710000-0x0000000003722000-memory.dmp

Filesize
72KB

Download
memory/3164-179-0x0000000003710000-0x0000000003722000-memory.dmp

Filesize
72KB

Download
memory/3164-177-0x0000000003710000-0x0000000003722000-memory.dmp

Filesize
72KB

Download
memory/3164-165-0x0000000003710000-0x0000000003722000-memory.dmp

Filesize
72KB

Download
memory/3164-164-0x0000000003710000-0x0000000003722000-memory.dmp

Filesize
72KB

Download
memory/3164-163-0x0000000003710000-0x0000000003722000-memory.dmp

Filesize
72KB

Download
memory/3164-180-0x0000000003710000-0x0000000003722000-memory.dmp

Filesize
72KB

Download
memory/3164-150-0x0000000003710000-0x0000000003722000-memory.dmp

Filesize
72KB

Download
memory/3164-149-0x0000000003710000-0x0000000003722000-memory.dmp

Filesize
72KB

Download
memory/3708-162-0x0000000000000000-mapping.dmp

Download
memory/3728-147-0x0000000000000000-mapping.dmp

Download
memory/4112-146-0x0000000000000000-mapping.dmp

Download
memory/4420-187-0x0000000000000000-mapping.dmp

Download
memory/4856-191-0x0000000000000000-mapping.dmp

Download
memory/4928-193-0x0000000000000000-mapping.dmp

Download