babadeda | 108cfca8867eb4f94082cddacf63fbdd8369b0991873a20afc3210f2d5e4ec61

Analysis

max time kernel
151s
max time network
46s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
27-01-2023 08:35

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

108cfca8867eb4f94082cddacf63fbdd8369b0991873a20afc3210f2d5e4ec61.exe
Size

14.1MB
MD5

aaa058858261d7c0e73fa1b8264a9a3d
SHA1

1233af8c8377567b2b8ebf7642f0036c9797596b
SHA256

108cfca8867eb4f94082cddacf63fbdd8369b0991873a20afc3210f2d5e4ec61
SHA512

4ed1d39dad64f0b79f080d15101ad54b6859b5f71911edb112bb10e860baaf4715d01f9241f5bf60a22da950b0deeddde2bb798710162b151781f4310a80059c
SSDEEP

196608:Unri5hStOZV3jIIZruRDm+09gJGzYvj/N2igdkC3qVa+Pa9k8qCgcr+7hQJ/RYyk:7lTLZD+YG8elEkna+iwCNrUhQHYM4Fdb

Score

10^/10

babadeda phobos crypter evasion loader persistence ransomware spyware stealer trojan

Malware Config

Signatures

Babadeda
Babadeda is a crypter delivered as a legitimate installer and used to drop other malware families.
loader crypter babadeda

Babadeda Crypter 1 IoCs

Processes:

resource	yara_rule
behavioral1/memory/1984-127-0x0000000007280000-0x00000000072C0000-memory.dmp	family_babadeda

Phobos
Phobos ransomware appeared at the beginning of 2019.
ransomware phobos
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490
Modifies boot configuration data using bcdedit 1 TTPs 4 IoCs
ransomware evasion

Inhibit System Recovery
T1490

Processes:

bcdedit.exebcdedit.exebcdedit.exebcdedit.exe

pid process

648 bcdedit.exe
1448 bcdedit.exe
2096 bcdedit.exe
2108 bcdedit.exe
Deletes backup catalog 3 TTPs 2 IoCs
Uses wbadmin.exe to inhibit system recovery.
ransomware

Command-Line Interface
T1059

File Deletion
T1107

Inhibit System Recovery
T1490

Processes:

wbadmin.exewbadmin.exe

pid process

1168 wbadmin.exe
2120 wbadmin.exe
Executes dropped EXE 2 IoCs

Processes:

WiseTurbo.exeWiseTurbo.exe

pid process

1984 WiseTurbo.exe
1228 WiseTurbo.exe
Modifies Windows Firewall 1 TTPs 2 IoCs
evasion

Modify Existing Service
T1031

Processes:

netsh.exenetsh.exe

pid process

1584 netsh.exe
1692 netsh.exe
Modifies extensions of user files 1 IoCs
Ransomware generally changes the extension on encrypted files.
ransomware

Processes:

WiseTurbo.exe

description ioc process

File opened for modification C:\Users\Admin\Pictures\UnpublishRegister.tiff WiseTurbo.exe

pid	process
648	bcdedit.exe
1448	bcdedit.exe
2096	bcdedit.exe
2108	bcdedit.exe

pid	process
1168	wbadmin.exe
2120	wbadmin.exe

pid	process
1984	WiseTurbo.exe
1228	WiseTurbo.exe

pid	process
1584	netsh.exe
1692	netsh.exe

description	ioc	process
File opened for modification	C:\Users\Admin\Pictures\UnpublishRegister.tiff	WiseTurbo.exe

Drops startup file 3 IoCs

Processes:

WiseTurbo.exe

description	ioc	process
File created	\??\c:\users\admin\appdata\roaming\microsoft\windows\start menu\programs\startup\WiseTurbo.exe	WiseTurbo.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini	WiseTurbo.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini.id[071D0DA3-2686].[[email protected]].Devos	WiseTurbo.exe

Loads dropped DLL 64 IoCs

Processes:

108cfca8867eb4f94082cddacf63fbdd8369b0991873a20afc3210f2d5e4ec61.exeWiseTurbo.exeWiseTurbo.exe

pid	process
780	108cfca8867eb4f94082cddacf63fbdd8369b0991873a20afc3210f2d5e4ec61.exe
780	108cfca8867eb4f94082cddacf63fbdd8369b0991873a20afc3210f2d5e4ec61.exe
780	108cfca8867eb4f94082cddacf63fbdd8369b0991873a20afc3210f2d5e4ec61.exe
780	108cfca8867eb4f94082cddacf63fbdd8369b0991873a20afc3210f2d5e4ec61.exe
780	108cfca8867eb4f94082cddacf63fbdd8369b0991873a20afc3210f2d5e4ec61.exe
780	108cfca8867eb4f94082cddacf63fbdd8369b0991873a20afc3210f2d5e4ec61.exe
780	108cfca8867eb4f94082cddacf63fbdd8369b0991873a20afc3210f2d5e4ec61.exe
780	108cfca8867eb4f94082cddacf63fbdd8369b0991873a20afc3210f2d5e4ec61.exe
780	108cfca8867eb4f94082cddacf63fbdd8369b0991873a20afc3210f2d5e4ec61.exe
780	108cfca8867eb4f94082cddacf63fbdd8369b0991873a20afc3210f2d5e4ec61.exe
780	108cfca8867eb4f94082cddacf63fbdd8369b0991873a20afc3210f2d5e4ec61.exe
780	108cfca8867eb4f94082cddacf63fbdd8369b0991873a20afc3210f2d5e4ec61.exe
1984	WiseTurbo.exe
1984	WiseTurbo.exe
1984	WiseTurbo.exe
1984	WiseTurbo.exe
1984	WiseTurbo.exe
1984	WiseTurbo.exe
1984	WiseTurbo.exe
1984	WiseTurbo.exe
1984	WiseTurbo.exe
1984	WiseTurbo.exe
1984	WiseTurbo.exe
1984	WiseTurbo.exe
1984	WiseTurbo.exe
1984	WiseTurbo.exe
1984	WiseTurbo.exe
1984	WiseTurbo.exe
1984	WiseTurbo.exe
1984	WiseTurbo.exe
1984	WiseTurbo.exe
1984	WiseTurbo.exe
1984	WiseTurbo.exe
1984	WiseTurbo.exe
1984	WiseTurbo.exe
1984	WiseTurbo.exe
1984	WiseTurbo.exe
1984	WiseTurbo.exe
1228	WiseTurbo.exe
1228	WiseTurbo.exe
1228	WiseTurbo.exe
1228	WiseTurbo.exe
1228	WiseTurbo.exe
1228	WiseTurbo.exe
1228	WiseTurbo.exe
1228	WiseTurbo.exe
1228	WiseTurbo.exe
1228	WiseTurbo.exe
1228	WiseTurbo.exe
1228	WiseTurbo.exe
1228	WiseTurbo.exe
1228	WiseTurbo.exe
1228	WiseTurbo.exe
1228	WiseTurbo.exe
1228	WiseTurbo.exe
1228	WiseTurbo.exe
1228	WiseTurbo.exe
1228	WiseTurbo.exe
1228	WiseTurbo.exe
1228	WiseTurbo.exe
1228	WiseTurbo.exe
1228	WiseTurbo.exe
1228	WiseTurbo.exe
1228	WiseTurbo.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

WiseTurbo.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\WiseTurbo = "C:\\Users\\Admin\\AppData\\Local\\WiseTurbo.exe"	WiseTurbo.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\WiseTurbo = "C:\\Users\\Admin\\AppData\\Local\\WiseTurbo.exe"	WiseTurbo.exe

Checks whether UAC is enabled 1 TTPs 1 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

108cfca8867eb4f94082cddacf63fbdd8369b0991873a20afc3210f2d5e4ec61.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	108cfca8867eb4f94082cddacf63fbdd8369b0991873a20afc3210f2d5e4ec61.exe

Drops desktop.ini file(s) 64 IoCs

Processes:

WiseTurbo.exe

description	ioc	process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\desktop.ini	WiseTurbo.exe
File opened for modification	C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Accessibility\Desktop.ini	WiseTurbo.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\Stationery\Desktop.ini	WiseTurbo.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini	WiseTurbo.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\OF1EYD7L\desktop.ini	WiseTurbo.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZTOVLSHV\desktop.ini	WiseTurbo.exe
File opened for modification	C:\Users\Admin\Pictures\desktop.ini	WiseTurbo.exe
File opened for modification	C:\Users\Public\Libraries\desktop.ini	WiseTurbo.exe
File opened for modification	C:\Program Files\Microsoft Games\Chess\desktop.ini	WiseTurbo.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\DataServices\DESKTOP.INI	WiseTurbo.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Desktop.ini	WiseTurbo.exe
File opened for modification	C:\Users\Admin\Desktop\desktop.ini	WiseTurbo.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\desktop.ini	WiseTurbo.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini	WiseTurbo.exe
File opened for modification	C:\Program Files\Microsoft Games\Solitaire\desktop.ini	WiseTurbo.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\System Tools\Desktop.ini	WiseTurbo.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Administrative Tools\desktop.ini	WiseTurbo.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\History\desktop.ini	WiseTurbo.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\desktop.ini	WiseTurbo.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini	WiseTurbo.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Desktop.ini	WiseTurbo.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\System Tools\Desktop.ini	WiseTurbo.exe
File opened for modification	C:\Users\Admin\Downloads\desktop.ini	WiseTurbo.exe
File opened for modification	C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\System Tools\Desktop.ini	WiseTurbo.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Accessibility\Desktop.ini	WiseTurbo.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini	WiseTurbo.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\RUC7JGOV\desktop.ini	WiseTurbo.exe
File opened for modification	C:\Users\Admin\Contacts\desktop.ini	WiseTurbo.exe
File opened for modification	C:\Users\Public\Downloads\desktop.ini	WiseTurbo.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Ringtones\desktop.ini	WiseTurbo.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\desktop.ini	WiseTurbo.exe
File opened for modification	C:\Users\Admin\Links\desktop.ini	WiseTurbo.exe
File opened for modification	C:\Users\Admin\Saved Games\desktop.ini	WiseTurbo.exe
File opened for modification	C:\Users\Public\Pictures\desktop.ini	WiseTurbo.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\NWV1K27G\desktop.ini	WiseTurbo.exe
File opened for modification	C:\Users\Default\AppData\Roaming\Microsoft\Windows\SendTo\Desktop.ini	WiseTurbo.exe
File opened for modification	C:\Users\Public\Documents\desktop.ini	WiseTurbo.exe
File opened for modification	C:\Users\Public\Videos\Sample Videos\desktop.ini	WiseTurbo.exe
File opened for modification	C:\Users\Admin\Favorites\Links for United States\desktop.ini	WiseTurbo.exe
File opened for modification	C:\Users\Public\Music\Sample Music\desktop.ini	WiseTurbo.exe
File opened for modification	C:\Program Files\Microsoft Games\Mahjong\desktop.ini	WiseTurbo.exe
File opened for modification	C:\Program Files\Microsoft Games\SpiderSolitaire\desktop.ini	WiseTurbo.exe
File opened for modification	C:\Program Files (x86)\desktop.ini	WiseTurbo.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Tablet PC\Desktop.ini	WiseTurbo.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Games\Desktop.ini	WiseTurbo.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\desktop.ini	WiseTurbo.exe
File opened for modification	C:\Users\Public\Videos\desktop.ini	WiseTurbo.exe
File opened for modification	C:\Program Files\Microsoft Games\Purble Place\desktop.ini	WiseTurbo.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\INLM2B61\desktop.ini	WiseTurbo.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\QAI10AFD\desktop.ini	WiseTurbo.exe
File opened for modification	C:\Users\Public\Recorded TV\desktop.ini	WiseTurbo.exe
File opened for modification	C:\Users\Public\Music\desktop.ini	WiseTurbo.exe
File opened for modification	C:\Program Files\Microsoft Games\FreeCell\desktop.ini	WiseTurbo.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\desktop.ini	WiseTurbo.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\desktop.ini	WiseTurbo.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\History\History.IE5\desktop.ini	WiseTurbo.exe
File opened for modification	C:\Users\Admin\Videos\desktop.ini	WiseTurbo.exe
File opened for modification	C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Desktop.ini	WiseTurbo.exe
File opened for modification	C:\Users\Admin\Searches\desktop.ini	WiseTurbo.exe
File opened for modification	C:\Program Files\Microsoft Games\Hearts\desktop.ini	WiseTurbo.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\8PENRVY0\desktop.ini	WiseTurbo.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\desktop.ini	WiseTurbo.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\6THCX874\desktop.ini	WiseTurbo.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini	WiseTurbo.exe

Maps connected drives based on registry 3 TTPs 2 IoCs

Disk information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

WiseTurbo.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum	WiseTurbo.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0	WiseTurbo.exe

Drops file in Program Files directory 64 IoCs

Processes:

WiseTurbo.exe

description	ioc	process
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\config\Modules\org-netbeans-modules-profiler.xml	WiseTurbo.exe
File opened for modification	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\System.Xml.Linq.dll	WiseTurbo.exe
File created	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\HH00601_.WMF.id[071D0DA3-2686].[[email protected]].Devos	WiseTurbo.exe
File created	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0152594.WMF.id[071D0DA3-2686].[[email protected]].Devos	WiseTurbo.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.emf.common_2.10.1.v20140901-1043\META-INF\ECLIPSE_.SF	WiseTurbo.exe
File created	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\reviews_joined.gif.id[071D0DA3-2686].[[email protected]].Devos	WiseTurbo.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0382970.JPG	WiseTurbo.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\PUBWIZ\DGWEBSBR.DPV	WiseTurbo.exe
File opened for modification	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\ja\System.Printing.resources.dll	WiseTurbo.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\reviews_super.gif	WiseTurbo.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe AIR\Versions\1.0\NPSWF32.dll.id[071D0DA3-2686].[[email protected]].Devos	WiseTurbo.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\BULLETS\BD14795_.GIF	WiseTurbo.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\1033\PUBSPAPR\ZPDIR17F.GIF.id[071D0DA3-2686].[[email protected]].Devos	WiseTurbo.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Europe\Bucharest.id[071D0DA3-2686].[[email protected]].Devos	WiseTurbo.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.p2.updatechecker.nl_ja_4.4.0.v20140623020002.jar.id[071D0DA3-2686].[[email protected]].Devos	WiseTurbo.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.simpleconfigurator.manipulator_2.0.0.v20131217-1203.jar.id[071D0DA3-2686].[[email protected]].Devos	WiseTurbo.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\org-netbeans-modules-autoupdate-cli.jar	WiseTurbo.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\mux\libmux_avi_plugin.dll	WiseTurbo.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\1033\PUBFTSCM\SCHEME10.CSS.id[071D0DA3-2686].[[email protected]].Devos	WiseTurbo.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\RSSFeeds.Gadget\ja-JP\js\settings.js	WiseTurbo.exe
File created	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\FD00296_.WMF.id[071D0DA3-2686].[[email protected]].Devos	WiseTurbo.exe
File created	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\FD02097_.WMF.id[071D0DA3-2686].[[email protected]].Devos	WiseTurbo.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\SO00222_.WMF	WiseTurbo.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\Solutions_Generic.css	WiseTurbo.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\images\undocked_blue_snow.png	WiseTurbo.exe
File created	C:\Program Files\Java\jre7\lib\zi\Asia\Tbilisi.id[071D0DA3-2686].[[email protected]].Devos	WiseTurbo.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\CPU.Gadget\fr-FR\gadget.xml	WiseTurbo.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.71\goopdateres_hi.dll	WiseTurbo.exe
File created	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0199465.WMF.id[071D0DA3-2686].[[email protected]].Devos	WiseTurbo.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0341534.JPG	WiseTurbo.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\Solutions.css	WiseTurbo.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-netbeans-modules-options-api.xml.id[071D0DA3-2686].[[email protected]].Devos	WiseTurbo.exe
File created	C:\Program Files\Java\jre7\bin\instrument.dll.id[071D0DA3-2686].[[email protected]].Devos	WiseTurbo.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\images\diner_m.png	WiseTurbo.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\Mac\CORPCHAR.TXT	WiseTurbo.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\PUBBA\MSPUB1B.BDR	WiseTurbo.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\Clock.Gadget\images\novelty_settings.png	WiseTurbo.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\lua\meta\art\00_musicbrainz.luac	WiseTurbo.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\MUAUTH.CAB	WiseTurbo.exe
File created	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\DD01761_.WMF.id[071D0DA3-2686].[[email protected]].Devos	WiseTurbo.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\CPU.Gadget\it-IT\cpu.html	WiseTurbo.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-netbeans-modules-applemenu_ja.jar.id[071D0DA3-2686].[[email protected]].Devos	WiseTurbo.exe
File created	C:\Program Files\Java\jre7\lib\zi\MST.id[071D0DA3-2686].[[email protected]].Devos	WiseTurbo.exe
File created	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0101860.BMP.id[071D0DA3-2686].[[email protected]].Devos	WiseTurbo.exe
File created	C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\BULLETS\BD14981_.GIF.id[071D0DA3-2686].[[email protected]].Devos	WiseTurbo.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\THOCR.PSP.id[071D0DA3-2686].[[email protected]].Devos	WiseTurbo.exe
File created	C:\Program Files (x86)\Microsoft Office\Templates\1033\ONENOTE\14\Stationery\BUSINESS.ONE.id[071D0DA3-2686].[[email protected]].Devos	WiseTurbo.exe
File created	C:\Program Files\Java\jdk1.7.0_80\bin\xjc.exe.id[071D0DA3-2686].[[email protected]].Devos	WiseTurbo.exe
File created	C:\Program Files\Java\jre7\lib\zi\America\Tijuana.id[071D0DA3-2686].[[email protected]].Devos	WiseTurbo.exe
File opened for modification	C:\Program Files\Microsoft Games\FreeCell\FreeCellMCE.lnk	WiseTurbo.exe
File opened for modification	C:\Program Files\Windows Media Player\Network Sharing\wmpnss_color48.jpg	WiseTurbo.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\LanguageNames2\DisplayLanguageNames.en_US_POSIX.txt	WiseTurbo.exe
File created	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PH03143I.JPG.id[071D0DA3-2686].[[email protected]].Devos	WiseTurbo.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\SKY\THMBNAIL.PNG	WiseTurbo.exe
File opened for modification	C:\Program Files (x86)\Common Files\System\Ole DB\msdaurl.dll	WiseTurbo.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\Americana\TAB_OFF.GIF.id[071D0DA3-2686].[[email protected]].Devos	WiseTurbo.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\PUBWIZ\RESUME.DPV	WiseTurbo.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Pacific\Pitcairn.id[071D0DA3-2686].[[email protected]].Devos	WiseTurbo.exe
File created	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Search5.api.id[071D0DA3-2686].[[email protected]].Devos	WiseTurbo.exe
File created	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0105710.WMF.id[071D0DA3-2686].[[email protected]].Devos	WiseTurbo.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\WB01770_.GIF	WiseTurbo.exe
File opened for modification	C:\Program Files\Common Files\SpeechEngines\Microsoft\TTS20\en-US\MSTTSFrontendENU.dll	WiseTurbo.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.browser_5.5.0.165303.jar	WiseTurbo.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Merida.id[071D0DA3-2686].[[email protected]].Devos	WiseTurbo.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

1100 1228 WerFault.exe WiseTurbo.exe

pid	pid_target	process	target process
1100	1228	WerFault.exe	WiseTurbo.exe

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

108cfca8867eb4f94082cddacf63fbdd8369b0991873a20afc3210f2d5e4ec61.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	108cfca8867eb4f94082cddacf63fbdd8369b0991873a20afc3210f2d5e4ec61.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	108cfca8867eb4f94082cddacf63fbdd8369b0991873a20afc3210f2d5e4ec61.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	108cfca8867eb4f94082cddacf63fbdd8369b0991873a20afc3210f2d5e4ec61.exe

Interacts with shadow copies 2 TTPs 2 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490

Processes:

vssadmin.exevssadmin.exe

pid process

1968 vssadmin.exe
1552 vssadmin.exe
Modifies Internet Explorer settings 1 TTPs 1 IoCs
adware spyware

Modify Registry
T1112

Processes:

mshta.exe

description ioc process

Key created \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Main mshta.exe

pid	process
1968	vssadmin.exe
1552	vssadmin.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Main	mshta.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

108cfca8867eb4f94082cddacf63fbdd8369b0991873a20afc3210f2d5e4ec61.exeWiseTurbo.exeWiseTurbo.exe

pid	process
780	108cfca8867eb4f94082cddacf63fbdd8369b0991873a20afc3210f2d5e4ec61.exe
780	108cfca8867eb4f94082cddacf63fbdd8369b0991873a20afc3210f2d5e4ec61.exe
1984	WiseTurbo.exe
1984	WiseTurbo.exe
1228	WiseTurbo.exe
1228	WiseTurbo.exe
1984	WiseTurbo.exe
1984	WiseTurbo.exe
1984	WiseTurbo.exe
1984	WiseTurbo.exe
1984	WiseTurbo.exe
1984	WiseTurbo.exe
1984	WiseTurbo.exe
1984	WiseTurbo.exe
1984	WiseTurbo.exe
1984	WiseTurbo.exe
1984	WiseTurbo.exe
1984	WiseTurbo.exe
1984	WiseTurbo.exe
1984	WiseTurbo.exe
1984	WiseTurbo.exe
1984	WiseTurbo.exe
1984	WiseTurbo.exe
1984	WiseTurbo.exe
1984	WiseTurbo.exe
1984	WiseTurbo.exe
1984	WiseTurbo.exe
1984	WiseTurbo.exe
1984	WiseTurbo.exe
1984	WiseTurbo.exe
1984	WiseTurbo.exe
1984	WiseTurbo.exe
1984	WiseTurbo.exe
1984	WiseTurbo.exe
1984	WiseTurbo.exe
1984	WiseTurbo.exe
1984	WiseTurbo.exe
1984	WiseTurbo.exe
1984	WiseTurbo.exe
1984	WiseTurbo.exe
1984	WiseTurbo.exe
1984	WiseTurbo.exe
1984	WiseTurbo.exe
1984	WiseTurbo.exe
1984	WiseTurbo.exe
1984	WiseTurbo.exe
1984	WiseTurbo.exe
1984	WiseTurbo.exe
1984	WiseTurbo.exe
1984	WiseTurbo.exe
1984	WiseTurbo.exe
1984	WiseTurbo.exe
1984	WiseTurbo.exe
1984	WiseTurbo.exe
1984	WiseTurbo.exe
1984	WiseTurbo.exe
1984	WiseTurbo.exe
1984	WiseTurbo.exe
1984	WiseTurbo.exe
1984	WiseTurbo.exe
1984	WiseTurbo.exe
1984	WiseTurbo.exe
1984	WiseTurbo.exe
1984	WiseTurbo.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

WiseTurbo.exevssvc.exeWMIC.exewbengine.exeWMIC.exe

description	pid	process
Token: SeDebugPrivilege	1984	WiseTurbo.exe
Token: SeBackupPrivilege	1084	vssvc.exe
Token: SeRestorePrivilege	1084	vssvc.exe
Token: SeAuditPrivilege	1084	vssvc.exe
Token: SeIncreaseQuotaPrivilege	556	WMIC.exe
Token: SeSecurityPrivilege	556	WMIC.exe
Token: SeTakeOwnershipPrivilege	556	WMIC.exe
Token: SeLoadDriverPrivilege	556	WMIC.exe
Token: SeSystemProfilePrivilege	556	WMIC.exe
Token: SeSystemtimePrivilege	556	WMIC.exe
Token: SeProfSingleProcessPrivilege	556	WMIC.exe
Token: SeIncBasePriorityPrivilege	556	WMIC.exe
Token: SeCreatePagefilePrivilege	556	WMIC.exe
Token: SeBackupPrivilege	556	WMIC.exe
Token: SeRestorePrivilege	556	WMIC.exe
Token: SeShutdownPrivilege	556	WMIC.exe
Token: SeDebugPrivilege	556	WMIC.exe
Token: SeSystemEnvironmentPrivilege	556	WMIC.exe
Token: SeRemoteShutdownPrivilege	556	WMIC.exe
Token: SeUndockPrivilege	556	WMIC.exe
Token: SeManageVolumePrivilege	556	WMIC.exe
Token: 33	556	WMIC.exe
Token: 34	556	WMIC.exe
Token: 35	556	WMIC.exe
Token: SeIncreaseQuotaPrivilege	556	WMIC.exe
Token: SeSecurityPrivilege	556	WMIC.exe
Token: SeTakeOwnershipPrivilege	556	WMIC.exe
Token: SeLoadDriverPrivilege	556	WMIC.exe
Token: SeSystemProfilePrivilege	556	WMIC.exe
Token: SeSystemtimePrivilege	556	WMIC.exe
Token: SeProfSingleProcessPrivilege	556	WMIC.exe
Token: SeIncBasePriorityPrivilege	556	WMIC.exe
Token: SeCreatePagefilePrivilege	556	WMIC.exe
Token: SeBackupPrivilege	556	WMIC.exe
Token: SeRestorePrivilege	556	WMIC.exe
Token: SeShutdownPrivilege	556	WMIC.exe
Token: SeDebugPrivilege	556	WMIC.exe
Token: SeSystemEnvironmentPrivilege	556	WMIC.exe
Token: SeRemoteShutdownPrivilege	556	WMIC.exe
Token: SeUndockPrivilege	556	WMIC.exe
Token: SeManageVolumePrivilege	556	WMIC.exe
Token: 33	556	WMIC.exe
Token: 34	556	WMIC.exe
Token: 35	556	WMIC.exe
Token: SeBackupPrivilege	1692	wbengine.exe
Token: SeRestorePrivilege	1692	wbengine.exe
Token: SeSecurityPrivilege	1692	wbengine.exe
Token: SeIncreaseQuotaPrivilege	1504	WMIC.exe
Token: SeSecurityPrivilege	1504	WMIC.exe
Token: SeTakeOwnershipPrivilege	1504	WMIC.exe
Token: SeLoadDriverPrivilege	1504	WMIC.exe
Token: SeSystemProfilePrivilege	1504	WMIC.exe
Token: SeSystemtimePrivilege	1504	WMIC.exe
Token: SeProfSingleProcessPrivilege	1504	WMIC.exe
Token: SeIncBasePriorityPrivilege	1504	WMIC.exe
Token: SeCreatePagefilePrivilege	1504	WMIC.exe
Token: SeBackupPrivilege	1504	WMIC.exe
Token: SeRestorePrivilege	1504	WMIC.exe
Token: SeShutdownPrivilege	1504	WMIC.exe
Token: SeDebugPrivilege	1504	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1504	WMIC.exe
Token: SeRemoteShutdownPrivilege	1504	WMIC.exe
Token: SeUndockPrivilege	1504	WMIC.exe
Token: SeManageVolumePrivilege	1504	WMIC.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

108cfca8867eb4f94082cddacf63fbdd8369b0991873a20afc3210f2d5e4ec61.exeWiseTurbo.exeWiseTurbo.execmd.execmd.execmd.exe

description	pid	process	target process
PID 780 wrote to memory of 1984	780	108cfca8867eb4f94082cddacf63fbdd8369b0991873a20afc3210f2d5e4ec61.exe	WiseTurbo.exe
PID 780 wrote to memory of 1984	780	108cfca8867eb4f94082cddacf63fbdd8369b0991873a20afc3210f2d5e4ec61.exe	WiseTurbo.exe
PID 780 wrote to memory of 1984	780	108cfca8867eb4f94082cddacf63fbdd8369b0991873a20afc3210f2d5e4ec61.exe	WiseTurbo.exe
PID 780 wrote to memory of 1984	780	108cfca8867eb4f94082cddacf63fbdd8369b0991873a20afc3210f2d5e4ec61.exe	WiseTurbo.exe
PID 1228 wrote to memory of 1100	1228	WiseTurbo.exe	WerFault.exe
PID 1228 wrote to memory of 1100	1228	WiseTurbo.exe	WerFault.exe
PID 1228 wrote to memory of 1100	1228	WiseTurbo.exe	WerFault.exe
PID 1228 wrote to memory of 1100	1228	WiseTurbo.exe	WerFault.exe
PID 1984 wrote to memory of 2036	1984	WiseTurbo.exe	cmd.exe
PID 1984 wrote to memory of 2036	1984	WiseTurbo.exe	cmd.exe
PID 1984 wrote to memory of 2036	1984	WiseTurbo.exe	cmd.exe
PID 1984 wrote to memory of 2036	1984	WiseTurbo.exe	cmd.exe
PID 1984 wrote to memory of 1464	1984	WiseTurbo.exe	cmd.exe
PID 1984 wrote to memory of 1464	1984	WiseTurbo.exe	cmd.exe
PID 1984 wrote to memory of 1464	1984	WiseTurbo.exe	cmd.exe
PID 1984 wrote to memory of 1464	1984	WiseTurbo.exe	cmd.exe
PID 1464 wrote to memory of 1584	1464	cmd.exe	netsh.exe
PID 1464 wrote to memory of 1584	1464	cmd.exe	netsh.exe
PID 1464 wrote to memory of 1584	1464	cmd.exe	netsh.exe
PID 2036 wrote to memory of 1968	2036	cmd.exe	vssadmin.exe
PID 2036 wrote to memory of 1968	2036	cmd.exe	vssadmin.exe
PID 2036 wrote to memory of 1968	2036	cmd.exe	vssadmin.exe
PID 1464 wrote to memory of 1692	1464	cmd.exe	netsh.exe
PID 1464 wrote to memory of 1692	1464	cmd.exe	netsh.exe
PID 1464 wrote to memory of 1692	1464	cmd.exe	netsh.exe
PID 2036 wrote to memory of 556	2036	cmd.exe	WMIC.exe
PID 2036 wrote to memory of 556	2036	cmd.exe	WMIC.exe
PID 2036 wrote to memory of 556	2036	cmd.exe	WMIC.exe
PID 2036 wrote to memory of 648	2036	cmd.exe	bcdedit.exe
PID 2036 wrote to memory of 648	2036	cmd.exe	bcdedit.exe
PID 2036 wrote to memory of 648	2036	cmd.exe	bcdedit.exe
PID 2036 wrote to memory of 1448	2036	cmd.exe	bcdedit.exe
PID 2036 wrote to memory of 1448	2036	cmd.exe	bcdedit.exe
PID 2036 wrote to memory of 1448	2036	cmd.exe	bcdedit.exe
PID 2036 wrote to memory of 1168	2036	cmd.exe	wbadmin.exe
PID 2036 wrote to memory of 1168	2036	cmd.exe	wbadmin.exe
PID 2036 wrote to memory of 1168	2036	cmd.exe	wbadmin.exe
PID 1984 wrote to memory of 1964	1984	WiseTurbo.exe	mshta.exe
PID 1984 wrote to memory of 1964	1984	WiseTurbo.exe	mshta.exe
PID 1984 wrote to memory of 1964	1984	WiseTurbo.exe	mshta.exe
PID 1984 wrote to memory of 1964	1984	WiseTurbo.exe	mshta.exe
PID 1984 wrote to memory of 224	1984	WiseTurbo.exe	mshta.exe
PID 1984 wrote to memory of 224	1984	WiseTurbo.exe	mshta.exe
PID 1984 wrote to memory of 224	1984	WiseTurbo.exe	mshta.exe
PID 1984 wrote to memory of 224	1984	WiseTurbo.exe	mshta.exe
PID 1984 wrote to memory of 288	1984	WiseTurbo.exe	mshta.exe
PID 1984 wrote to memory of 288	1984	WiseTurbo.exe	mshta.exe
PID 1984 wrote to memory of 288	1984	WiseTurbo.exe	mshta.exe
PID 1984 wrote to memory of 288	1984	WiseTurbo.exe	mshta.exe
PID 1984 wrote to memory of 1664	1984	WiseTurbo.exe	cmd.exe
PID 1984 wrote to memory of 1664	1984	WiseTurbo.exe	cmd.exe
PID 1984 wrote to memory of 1664	1984	WiseTurbo.exe	cmd.exe
PID 1984 wrote to memory of 1664	1984	WiseTurbo.exe	cmd.exe
PID 1664 wrote to memory of 1552	1664	cmd.exe	vssadmin.exe
PID 1664 wrote to memory of 1552	1664	cmd.exe	vssadmin.exe
PID 1664 wrote to memory of 1552	1664	cmd.exe	vssadmin.exe
PID 1664 wrote to memory of 1504	1664	cmd.exe	WMIC.exe
PID 1664 wrote to memory of 1504	1664	cmd.exe	WMIC.exe
PID 1664 wrote to memory of 1504	1664	cmd.exe	WMIC.exe
PID 1664 wrote to memory of 2096	1664	cmd.exe	bcdedit.exe
PID 1664 wrote to memory of 2096	1664	cmd.exe	bcdedit.exe
PID 1664 wrote to memory of 2096	1664	cmd.exe	bcdedit.exe
PID 1664 wrote to memory of 2108	1664	cmd.exe	bcdedit.exe
PID 1664 wrote to memory of 2108	1664	cmd.exe	bcdedit.exe

C:\Users\Admin\AppData\Local\Temp\108cfca8867eb4f94082cddacf63fbdd8369b0991873a20afc3210f2d5e4ec61.exe
"C:\Users\Admin\AppData\Local\Temp\108cfca8867eb4f94082cddacf63fbdd8369b0991873a20afc3210f2d5e4ec61.exe"
1⤵
- Loads dropped DLL
- Checks whether UAC is enabled
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:780
- C:\Users\Admin\AppData\Local\Temp\Tech tool store\WiseTurbo.exe
  "C:\Users\Admin\AppData\Local\Temp\Tech tool store\WiseTurbo.exe"
  2⤵
  - Executes dropped EXE
  - Modifies extensions of user files
  - Drops startup file
  - Loads dropped DLL
  - Adds Run key to start application
  - Drops desktop.ini file(s)
  - Maps connected drives based on registry
  - Drops file in Program Files directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1984
- - C:\Users\Admin\AppData\Local\Temp\Tech tool store\WiseTurbo.exe
    "C:\Users\Admin\AppData\Local\Temp\Tech tool store\WiseTurbo.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:1228
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 1228 -s 364
      4⤵
      Program crash
      PID:1100
- - C:\Windows\system32\cmd.exe
    "C:\Windows\system32\cmd.exe"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1464
  - - C:\Windows\system32\netsh.exe
      netsh advfirewall set currentprofile state off
      4⤵
      Modifies Windows Firewall
      PID:1584
  - - C:\Windows\system32\netsh.exe
      netsh firewall set opmode mode=disable
      4⤵
      Modifies Windows Firewall
      PID:1692
- - C:\Windows\system32\cmd.exe
    "C:\Windows\system32\cmd.exe"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2036
  - - C:\Windows\system32\vssadmin.exe
      vssadmin delete shadows /all /quiet
      4⤵
      Interacts with shadow copies
      PID:1968
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic shadowcopy delete
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:556
  - - C:\Windows\system32\bcdedit.exe
      bcdedit /set {default} bootstatuspolicy ignoreallfailures
      4⤵
      Modifies boot configuration data using bcdedit
      PID:648
  - - C:\Windows\system32\bcdedit.exe
      bcdedit /set {default} recoveryenabled no
      4⤵
      Modifies boot configuration data using bcdedit
      PID:1448
  - - C:\Windows\system32\wbadmin.exe
      wbadmin delete catalog -quiet
      4⤵
      Deletes backup catalog
      PID:1168
- - C:\Windows\SysWOW64\mshta.exe
    "C:\Windows\SysWOW64\mshta.exe" "C:\Users\Admin\Desktop\info.hta"
    3⤵
    PID:1964
- - C:\Windows\SysWOW64\mshta.exe
    "C:\Windows\SysWOW64\mshta.exe" "C:\users\public\desktop\info.hta"
    3⤵
    PID:224
- - C:\Windows\SysWOW64\mshta.exe
    "C:\Windows\SysWOW64\mshta.exe" "C:\info.hta"
    3⤵
    - Modifies Internet Explorer settings
    PID:288
- - C:\Windows\system32\cmd.exe
    "C:\Windows\system32\cmd.exe"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1664
  - - C:\Windows\system32\vssadmin.exe
      vssadmin delete shadows /all /quiet
      4⤵
      Interacts with shadow copies
      PID:1552
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic shadowcopy delete
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:1504
  - - C:\Windows\system32\bcdedit.exe
      bcdedit /set {default} bootstatuspolicy ignoreallfailures
      4⤵
      Modifies boot configuration data using bcdedit
      PID:2096
  - - C:\Windows\system32\bcdedit.exe
      bcdedit /set {default} recoveryenabled no
      4⤵
      Modifies boot configuration data using bcdedit
      PID:2108
  - - C:\Windows\system32\wbadmin.exe
      wbadmin delete catalog -quiet
      4⤵
      Deletes backup catalog
      PID:2120

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1084

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1692

C:\Windows\System32\vdsldr.exe
C:\Windows\System32\vdsldr.exe -Embedding
1⤵
PID:1936

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
PID:1944

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Command-Line Interface

T1059

Persistence

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

File Deletion

T1107

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Tech tool store\MSVCP140.dll

Filesize
428KB

MD5
fdd04dbbcf321eee5f4dd67266f476b0

SHA1
65ffdfe2664a29a41fcf5039229ccecad5b825b9

SHA256
21570bcb7a77e856f3113235d2b05b2b328d4bb71b4fd9ca4d46d99adac80794

SHA512
04cfc3097fbce6ee1b7bac7bd63c3cffe7dca16f0ec9cd8fe657d8b7ebd06dcba272ff472f98c6385c3cfb9b1ac3f47be8ca6d3ea80ab4aeed44a0e2ce3185dd

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tech tool store\NlogExt.dll

Filesize
3.1MB

MD5
1a75878dea8f5580c25e0b9f1c734949

SHA1
20d4c35f95b4d608aa73897680b3f0ceb219d37f

SHA256
1b393ad82fbe93add01c73613156cecd98f9668f5ed8a0faa04704a510b7bf2e

SHA512
6e65f45ef099d21beaf429e0e0c6c6122e64d27f6932afd2a2459fc6cafb5af58efb45440cc1e3f51ac7678748af85cb9e878e68efa3505980f115dc6a272ac2

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tech tool store\StormLib.dll

Filesize
217KB

MD5
09c4266b11233aedaff9bbb97ff7dc50

SHA1
212f6f2df299f8f1c4c481bb92e9e958d48421e3

SHA256
f52d1ed4c1350bf7726ad3ef926329267e35bf67bd938e5e1aae324dcef31469

SHA512
b17e865ec5a8caf5bca88857ea3bad0dfc5d9fd0448ee52671876202b1870783a5de8f2d76b9d5363aeeb89b383314c8d65769674bd9b911551cdaa5c8654dcb

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tech tool store\VCRUNTIME140.dll

Filesize
77KB

MD5
ba65db6bfef78a96aee7e29f1449bf8a

SHA1
06c7beb9fd1f33051b0e77087350903c652f4b77

SHA256
141690572594dbd3618a4984712e9e36fc09c9906bb845ce1a9531ac8f7ad493

SHA512
ca63eeac10ef55d7e2e55479b25cf394e58aef1422951f361f762ab667f72a3454f55afc04e967e8cdd20cf3eebe97083e0438ea941916a09e7d091818ea830e

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tech tool store\WiseTurbo.exe

Filesize
8.6MB

MD5
1459f9d0c62412b9df206c7e819fbf62

SHA1
daddb63d6b1a191e896a01ada7ea79dabf686655

SHA256
75569178b9ff9f2719e17d2d270322151ffc63f8eaac774a64f6c627014451d8

SHA512
924d14ba741b64a813e566864b098e0a426e48412942945d2034ab685548794ca93a4d759fc098f5e8e4df80146a82572bbfe09c7599a109a1dc4837259da5c2

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tech tool store\api-ms-win-core-file-l1-2-0.dll

Filesize
11KB

MD5
86279521328398e87699d248628eb13a

SHA1
e4d4c39bda90635f1f5c2fc58b1304e2daac9caf

SHA256
3c9b67616fd0ceb3dd92e605918b08556683ebab5537aa76dff300fbd54b0337

SHA512
2cc328955611ad8369ff9facf9c1aabe99a20c3ded2977ad86c69e0f54acd78fa6f572ed688625c8c63016826a10b3578e3c186ef2b39c4bf393ab5e399913a6

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tech tool store\api-ms-win-core-file-l2-1-0.dll

Filesize
11KB

MD5
422adad24e8da100f85bf3de86b5f302

SHA1
7004b3ed8663b5890cd25e1a7899a766be912728

SHA256
e04642684dc7376839c570bc11e9b46cae14420f1a85f7562fd2c4d656a22956

SHA512
e689ecb1a1cb1e7735cb6a961fd054d87bcad01acf76950b14a3bf4e08ddb7a8d31805c203374ee081a4ec13c40b25b3dc83b3895b9bfbd9c135673e98e6ee63

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tech tool store\api-ms-win-core-localization-l1-2-0.dll

Filesize
13KB

MD5
602a35b140d9d68d7b3e488896158365

SHA1
f1ba615abb54ff786ddbc74dffffd56394bfc892

SHA256
43b98f74476c86107c8317749f54a107e2955696e4f79d3d02683dd7034d1d52

SHA512
4388947f90838cae8b5f8137c9ed2a099028b4341da8c574d536c6ad096bad0e217e105f0367750c70e3d3ca4857255b674955c71ecff0fda9c47a4b1951b8b6

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tech tool store\api-ms-win-core-processthreads-l1-1-1.dll

Filesize
11KB

MD5
a07afa26ab56a8d3b8b16591a1962005

SHA1
2b6f3143487f747911ee20f039f1ffb1381858ac

SHA256
6be230837149dc2a8c7772142a674c3f90930a55da7f91d791942d8276d5440b

SHA512
b77b277d10cf6b8d209679684ead55b4347caef3213acdccdee35b5d4fe0e3fc136daf057830512c5473c4653a8d66357927c4b7d204c07d7508f792299d7fe9

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tech tool store\api-ms-win-core-synch-l1-2-0.dll

Filesize
11KB

MD5
ed215daa7493bf93c5eadef178a261e0

SHA1
b20c8dc7ba00f98a326f5f4fd55329b72f8e5699

SHA256
8b7c8fc657e0dab0f2506001ca4bb76e675ffd18a2b4d9c1e03b876e008a7a26

SHA512
3ed052eada11c3dc44f81f330bd2a2526170515bc6a90281872a93ee49f9add8c9ad36b9a9e9185e251d664c1694d06625e0148e113addc32e53d705d2655f03

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tech tool store\api-ms-win-core-timezone-l1-1-0.dll

Filesize
11KB

MD5
a9c7db516186c8e367fed757e238c61a

SHA1
1318d6496e7146e773aca85be6d0e9b87a09e284

SHA256
ded52bac23633a03341969c5b98b0d94d24fa3284c1ddd0c489e453b39cec659

SHA512
6aad003287afe86abccf34f6b15338c0c7380f4837805d919064a26380d2f3f7698515f927c148e618c12f0943d3621184bebc70a8b07eed64ad88689fbcc5cb

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tech tool store\api-ms-win-crt-convert-l1-1-0.dll

Filesize
15KB

MD5
c6385b316bb04ca36d76b077eeb9a61e

SHA1
fc376f68798fecd41fb1c936eed1bce3f2ee6bef

SHA256
060636cfc58587b4344a6d0ff4f44dd77266f2bbdb877cb50cb1b44a7e3969bc

SHA512
bddf0f34bedb17ecf1d270a0613f27d174ae04f920192d7d1af6c15245175318b29691e748c36e2ce0a3027495b2f5a0bb688ae16095fad9dcd8c283b6d1b1d4

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tech tool store\api-ms-win-crt-environment-l1-1-0.dll

Filesize
11KB

MD5
311e582d5d3d8421e883c4a8248eacc8

SHA1
c99e61d1446fce0f883a2aad261af22d77953a59

SHA256
369cc4d3bb05f4160a0bc9683feb1df2e94d02f061e4b23d53c3a6e2230cd5e4

SHA512
050ed1310e667e6bb22bb7952794745df1eee0c78f18240cc2217e748a11213d094b48153964c3da0ad8141da1709ece637315633396c77c035bb0565fa981b4

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tech tool store\api-ms-win-crt-filesystem-l1-1-0.dll

Filesize
13KB

MD5
10731d3320c12abb62d3866d7e728cce

SHA1
df4e131c825d1ca5cd14e00e5c04785d6ca508f7

SHA256
9f3eb90963916194f167e98e049707b14fa84a3f11cb8cc7b940d95956601700

SHA512
7eeef98682872fd95a38a03435546349c8488607e59870086b486b807e8b53893603175d9ad0f3b80c1924381daca8d14868a6079988a944b005783b4e2e358e

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tech tool store\api-ms-win-crt-heap-l1-1-0.dll

Filesize
12KB

MD5
cf5f256e8cd76ba85e6c3047f078814a

SHA1
b7cde77313ceaae76a46c1111b33b3d8f47c4214

SHA256
9382fc8d5cbcc23c5d05e6f48f4188af3f96efbbdc5a7ec05b37e252440ecfc1

SHA512
856eff4fff1d11a725af9c3e5ceac6d02a89297a16e97edec171839aa12c468fc37d60ec5df06d507cee695f71b7fbd4bc0ba51b7934d886e66a43b249e62da5

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tech tool store\api-ms-win-crt-locale-l1-1-0.dll

Filesize
11KB

MD5
60ffdc3ef20b127e3fd14a0719328c34

SHA1
b510833350328f79a79fa464ea9d5e9455643659

SHA256
43c9ea4ddecf2f34852559cf0b40b5261e6701d3743ab219f48d43a312707ad9

SHA512
caef6ee08c9f6fabecef1f0be37ab34e2d4dc22f15a775b2f0dcacda1f0fcdf2259399e6fbab85f0f00e8e4b03d77fe88b85b901a9ba2f775a50f2da724da26e

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tech tool store\api-ms-win-crt-math-l1-1-0.dll

Filesize
21KB

MD5
78dfcb76dc8b42411dbc682f78f5c6eb

SHA1
e50f6719fee44c70518cf8442737a688b5f45e62

SHA256
8673dd898f899de831fc3052c8b8254b7b85ee7f2b9b6c422736668689c9b14f

SHA512
968bb3bc952f4057f74c9c8825fcc2db34b9c56166ee39db3bab3d4ecf51fb65af250a8a65340274a1a0c0eed73b6c8962df5d2fce586c1ef4e19706edd5e6e1

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tech tool store\api-ms-win-crt-runtime-l1-1-0.dll

Filesize
15KB

MD5
8bd7a27e6ca969d3eb46086d411ce05d

SHA1
3bbf6f55853b1487debca58d7cb5c877d0abd517

SHA256
8edc95578b8c9ca93a65907e428fa2b57fef8370b902912689332bc61094904c

SHA512
fee8359398efe6a995a214d4e47de43aba12d33bb9cb1de18659d332d94ef83a4a77618b6caa9f455b0c6da4c10ab459209d483b9e778d9b522771ca692ca454

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tech tool store\api-ms-win-crt-stdio-l1-1-0.dll

Filesize
17KB

MD5
f681a45c47ebb2c56c1465677ec33ff3

SHA1
06bf7798c51325cf1806e14dea56ff98b05b7846

SHA256
3a03d727d291be57057587227273af410eda935438d8a0a165ec63ae772809af

SHA512
eeb05f1af7e1c714c658e9aa06e8c6dbeeb5f2e8dcf3fdb7b9b408018e41402d83893472114e0cf6d3a9a3bf54ec45c4f7a4840a09570d190277aa3514681ab8

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tech tool store\api-ms-win-crt-string-l1-1-0.dll

Filesize
17KB

MD5
00446e48d60abf044acc72b46d5c3afb

SHA1
0ccc0c5034ac063e1d4af851b0de1f4ea99aff97

SHA256
82d26998b4b3c26dbc1c1fff9d6106109a081205081d3c0669e59d20d918bc5a

SHA512
69114f0efb3c853bffb55c15e5ad1b7919057a676056d57634a6a39916e232cde2dcdc49ea0f9751ddea6550ffa58f84b1f8918b3c9fd7e88c8b8f7eb4afeaf2

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tech tool store\api-ms-win-crt-time-l1-1-0.dll

Filesize
13KB

MD5
376b4a7a02f20ed3aede05039ec3daf0

SHA1
c9149b37f85cfc724bedc0ecd543d95280055de1

SHA256
b0b8fc7de3641c3f23d30a4792c8584db33db6133ee29135c70bb504e80e4a2c

SHA512
ff7fba7cd8c9b55c1c87104d7d9074ef0eed524b02480ecf2c80e5cd489c568e1ed63bc62699a03272cab3dcbf20e6437e1f47ce112bcb3336d27ed2790430c5

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tech tool store\api-ms-win-crt-utility-l1-1-0.dll

Filesize
11KB

MD5
6376bf5bac3f0208f0a5d11415ccd444

SHA1
c3fe96e51c3f3e622dcedd2ddf8d23f9442361b8

SHA256
e36763df57cd26ec2b4d52e27de51a4ca6f18caf86cbac8307bf4817705f9a0e

SHA512
9614e423c850bdb584f18555825214d42106966b1ee71e75ba7407591aa5de407b43909ce972e1923df82e9a0e953597fe19646296962194ebeb1579493d91c2

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tech tool store\bz2.dll

Filesize
63KB

MD5
bb1ea7cade180a0c012c2289c7d820cc

SHA1
67a17ae0aed053d8fb071450dff8f843a1255112

SHA256
30998439b2fbc620f3f87799f8a98e8519f26b227bf498877b11dfb52147b698

SHA512
3b10462ae03ea57bfad298c4d59da247b8ad971aeec0c9ad439a72b1756ee627fba23fe9044df9a8301b0fe1099bbb9988869ccce1102314052a49bf0cbdf317

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tech tool store\libmap.dll

Filesize
32KB

MD5
53634bc76f19ea065981ac1b02225df9

SHA1
7d1cb4ae535c30d2443c4b8f14927300c8449839

SHA256
e9053b628bf89440e0ad4874a5c234fe058539f20f9bf02d36c7492fed70857a

SHA512
3b46f34b4d370f44f219f0a404ae1f9a53897ddaabfb7665197dc16b538a13d9ee89af7053fd74998dc38321af8f076759f535d5a855f6ff5212d88704c79d3a

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tech tool store\sqlite3.dll

Filesize
883KB

MD5
c86d13c52aa1c7d0e39cc9f6d20ccd22

SHA1
8622a443874feebb2e5cdb9792a447acb97f78af

SHA256
7fdc0ad5ee9678eb66448b121beba9597ca6742d4474ff75d080a5c5014ec9c9

SHA512
ea629707a590a3494f63d17e6d4b74f9fc3341216f3fada2f1a1e5c318f83149130ea87afb8eb87168428ed21dc0c4cd4612bf66517ec67874e9a75c694e6af6

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tech tool store\ucrtbase.DLL

Filesize
880KB

MD5
5dafe0bfb955e780b3d50da4524b752f

SHA1
91c0d9fabe748d373215ba21b90278671b5f8957

SHA256
6255112c9978c07a05c6feaee01cf4be74b2920dc7017fbc1a42f8f5d23c20f9

SHA512
37fd37f3ad87838f596d1e8e497fe66d1a1c4128625ab456ec850179dd1e1f33cf4945d0faaf6cdbd1ed586ecfb7ff3e7cf10a88a823cc5eb06c2fc4fa16bff3

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tech tool store\zlib1.dll

Filesize
76KB

MD5
7cfdbfec8b16876767f5895fae94f6cd

SHA1
49644b75dc5ef3e1f6e122f8b6e5569b74b1e2a5

SHA256
322062f0287317d3f41180bf79e54c4ddf4646a08fcd55263fd05ad56b8e1cba

SHA512
02a10c91098b79cf4b53dfeb595283cd0bcd5b70ddc803f401600d321a54d3ce51ec24962473a47b9679b573a2223ff7f02be57866bfd961cea3f1a81bcea683

Download Submit
\Users\Admin\AppData\Local\Temp\BRL0000030c\BR1536.tmp

Filesize
43KB

MD5
c5dc46c377c927c8e91b18cde57cf0fc

SHA1
22ce8600d4dbaf9af6eded556d390212274911d1

SHA256
a53f9dbbe62911ddc088a10bc8d10b5d8b30ed999438e788b6bfe24f0ba6e2b8

SHA512
f208b88f84b9fea0fc184926551eb60f843e997390ceed7cfde5ff7bb7c6b6bcd47a0d5021a92064e57e6b400bbbe21cec93fa2358728a29c35d2bc147cc1432

Download Submit
\Users\Admin\AppData\Local\Temp\BRL0000030c\BR15D3.tmp

Filesize
288KB

MD5
122a3741699fb5c0950273245c9dea15

SHA1
811f9149e3310a8e6521da156f92f3aaab012145

SHA256
f675eba3b22e0a2238ec4961d99de3bacca0ab553ab26eecb49800a12a9371ab

SHA512
567c480f70fdc78769ae45bf83b6632f7ab380ebeb00689028d39ff03840c8b778149a3fafe1dab2ac77a1fd17a23b09f58774b1c5e791bfd33b99528225eccc

Download Submit
\Users\Admin\AppData\Local\Temp\BRL0000030c\BR16BE.tmp

Filesize
35KB

MD5
08ad4cd2a940379f1dcdbdb9884a1375

SHA1
c302b7589ba4f05c6429e7f89ad0cb84dd9dfbac

SHA256
78827e2b1ef0aad4f8b1b42d0964064819aa22bfcd537ebaacb30d817edc06d8

SHA512
f37bd071994c31b361090a149999e8b2d4a7839f19ea63e1d4563aada1371be37f2bfcc474e24de95ff77ca4124a39580c9f711e2fbe54265713ab76f631835a

Download Submit
\Users\Admin\AppData\Local\Temp\BRL0000030c\BR170D.tmp

Filesize
121KB

MD5
f5cec0e851d679bc6cfe5923c8cdd5c8

SHA1
5eee0f3192e2656d0891e363a5d69f61f457b186

SHA256
ac0976f2a6f221045d0fd22bb32bab0c8439d186acd118ad0faa2d69cbd2840e

SHA512
226f47164392ee339412f8ee5dad3faf40e26c52e2ae039826323ea0ef66d23776b1e972cd6f817e7dea1da0f87f20d3b6c7380fd8e891ec21a2f13dfc4915f8

Download Submit
\Users\Admin\AppData\Local\Temp\BRL0000030c\BR173D.tmp

Filesize
532KB

MD5
a6f7a08b0676f0564a51b5c47973e635

SHA1
d56f5f9e2580b81717317da6582da9d379426d5b

SHA256
5dd27e845af9333ad7b907a37ab3d239b75be6ccc1f51ef4b21e59b037ce778c

SHA512
1101813034db327af1c16d069a4dfa91ab97ee8188f9ed1a6da9d25558866e7e9af59102e58127e64441d3e4a768b2ad788fd0e5a16db994a14637bfbade2954

Download Submit
\Users\Admin\AppData\Local\Temp\BRL0000030c\BR17EA.tmp

Filesize
72KB

MD5
c04970b55bcf614f24ca75b1de641ae2

SHA1
52b182caef513ed1c36f28eb45cedb257fa8ce40

SHA256
5ddee4aab3cf33e505f52199d64809125b26de04fb9970ca589cd8619c859d80

SHA512
a5f2660e336bf74a1936fb2e1c724220d862632907f5fd690b365009ac3e1bf35fa6689071f3da4049e495f340ff83f8438b79079ef1f248b9dcaedbdd5d3e40

Download Submit
\Users\Admin\AppData\Local\Temp\BRL0000030c\BR1829.tmp

Filesize
14KB

MD5
77fe66d74901495f4b41a5918acd02ff

SHA1
ce5bbd53152cd5b03df8bcc232a1aea36a012764

SHA256
b017168c69ef40115141813e47122391602e1af28af342c56495b09f1c3c7522

SHA512
cc6e323d0076577a0a04dbe2c33d90dc616cb5ec3637d3df67cbf169766ca2e6de567fcff4f32938fd6118d98e4796642a3010b7264f0ae247fa8f0fe079bd70

Download Submit
\Users\Admin\AppData\Local\Temp\BRL0000030c\BR1914.tmp

Filesize
14KB

MD5
d74aadd701bfacc474c431acab7b9265

SHA1
8a2b424d1f949430ddc1faddee3e9ccb79c95de2

SHA256
f1029f5cca3dabfeffe2c9db6ad84a9ff0f64f5b2fb85cb6ab348740f756e07d

SHA512
0ef85e311fb4843997fd5f87f0a2eec9715e26eae76bfb7bb701d8c043720aeaf7f4825d25187bf35e0a9f00def15ed071120128805445f1330c07c3e0ea5ced

Download Submit
\Users\Admin\AppData\Local\Temp\BRL0000030c\BR1AAB.tmp

Filesize
366KB

MD5
0700f3dbe367287ce10472cffbd3d7d1

SHA1
079790389532599ce04fd82c2b89db5e4dedf26c

SHA256
77e46a6a8fbc079cdb1d3ee299af36c3d1881d38d93c4e0551f114965cdaf10f

SHA512
28eb67d348c8e9e36032d041315b6ee790d2e9021a3a657a7fe33c66ad1f8daa5b3e0833a2a432cb4a4c5795fea5a80a1810440fb441b6f0d56cf0d00d3e0a17

Download Submit
\Users\Admin\AppData\Local\Temp\BRL0000030c\BR1B0A.tmp

Filesize
74KB

MD5
924b90c3d9e645dfad53f61ea4e91942

SHA1
65d397199ff191e5078095036e49f08376f9ae4e

SHA256
41788435f245133ec5511111e2c5d52f7515e359876180067e0b5ba85c729322

SHA512
76833708828c8f3fad941abeea158317aff98cf0691b5d5dfa4bca15279cdad1cc23a771258e4de41cf12a58f7033a3ee08b0b5eb834d22be568ea98b183ccd9

Download Submit
\Users\Admin\AppData\Local\Temp\BRL0000030c\BR1B2A.tmp

Filesize
102KB

MD5
77c853090012e97f6ce9212e66ef8a5e

SHA1
69425ae525ceff28c14e4855c002db432421ca92

SHA256
122debc552cb9a54704c3bb4a363b2494df16f0797642e0dee84712282d4df21

SHA512
17b62a1defc291a8af7b7e701ca7ab1a0d72605c6595a52c89b8e94c4a49e2d037931371e9966ac66dc764e968dca3728633e81545d8ba6aba09d8f39a6f914c

Download Submit
\Users\Admin\AppData\Local\Temp\Tech tool store\NlogExt.dll

Filesize
3.1MB

MD5
1a75878dea8f5580c25e0b9f1c734949

SHA1
20d4c35f95b4d608aa73897680b3f0ceb219d37f

SHA256
1b393ad82fbe93add01c73613156cecd98f9668f5ed8a0faa04704a510b7bf2e

SHA512
6e65f45ef099d21beaf429e0e0c6c6122e64d27f6932afd2a2459fc6cafb5af58efb45440cc1e3f51ac7678748af85cb9e878e68efa3505980f115dc6a272ac2

Download Submit
\Users\Admin\AppData\Local\Temp\Tech tool store\StormLib.dll

Filesize
217KB

MD5
09c4266b11233aedaff9bbb97ff7dc50

SHA1
212f6f2df299f8f1c4c481bb92e9e958d48421e3

SHA256
f52d1ed4c1350bf7726ad3ef926329267e35bf67bd938e5e1aae324dcef31469

SHA512
b17e865ec5a8caf5bca88857ea3bad0dfc5d9fd0448ee52671876202b1870783a5de8f2d76b9d5363aeeb89b383314c8d65769674bd9b911551cdaa5c8654dcb

Download Submit
\Users\Admin\AppData\Local\Temp\Tech tool store\WiseTurbo.exe

Filesize
8.6MB

MD5
1459f9d0c62412b9df206c7e819fbf62

SHA1
daddb63d6b1a191e896a01ada7ea79dabf686655

SHA256
75569178b9ff9f2719e17d2d270322151ffc63f8eaac774a64f6c627014451d8

SHA512
924d14ba741b64a813e566864b098e0a426e48412942945d2034ab685548794ca93a4d759fc098f5e8e4df80146a82572bbfe09c7599a109a1dc4837259da5c2

Download Submit
\Users\Admin\AppData\Local\Temp\Tech tool store\api-ms-win-core-file-l1-2-0.dll

Filesize
11KB

MD5
86279521328398e87699d248628eb13a

SHA1
e4d4c39bda90635f1f5c2fc58b1304e2daac9caf

SHA256
3c9b67616fd0ceb3dd92e605918b08556683ebab5537aa76dff300fbd54b0337

SHA512
2cc328955611ad8369ff9facf9c1aabe99a20c3ded2977ad86c69e0f54acd78fa6f572ed688625c8c63016826a10b3578e3c186ef2b39c4bf393ab5e399913a6

Download Submit
\Users\Admin\AppData\Local\Temp\Tech tool store\api-ms-win-core-file-l2-1-0.dll

Filesize
11KB

MD5
422adad24e8da100f85bf3de86b5f302

SHA1
7004b3ed8663b5890cd25e1a7899a766be912728

SHA256
e04642684dc7376839c570bc11e9b46cae14420f1a85f7562fd2c4d656a22956

SHA512
e689ecb1a1cb1e7735cb6a961fd054d87bcad01acf76950b14a3bf4e08ddb7a8d31805c203374ee081a4ec13c40b25b3dc83b3895b9bfbd9c135673e98e6ee63

Download Submit
\Users\Admin\AppData\Local\Temp\Tech tool store\api-ms-win-core-localization-l1-2-0.dll

Filesize
13KB

MD5
602a35b140d9d68d7b3e488896158365

SHA1
f1ba615abb54ff786ddbc74dffffd56394bfc892

SHA256
43b98f74476c86107c8317749f54a107e2955696e4f79d3d02683dd7034d1d52

SHA512
4388947f90838cae8b5f8137c9ed2a099028b4341da8c574d536c6ad096bad0e217e105f0367750c70e3d3ca4857255b674955c71ecff0fda9c47a4b1951b8b6

Download Submit
\Users\Admin\AppData\Local\Temp\Tech tool store\api-ms-win-core-processthreads-l1-1-1.dll

Filesize
11KB

MD5
a07afa26ab56a8d3b8b16591a1962005

SHA1
2b6f3143487f747911ee20f039f1ffb1381858ac

SHA256
6be230837149dc2a8c7772142a674c3f90930a55da7f91d791942d8276d5440b

SHA512
b77b277d10cf6b8d209679684ead55b4347caef3213acdccdee35b5d4fe0e3fc136daf057830512c5473c4653a8d66357927c4b7d204c07d7508f792299d7fe9

Download Submit
\Users\Admin\AppData\Local\Temp\Tech tool store\api-ms-win-core-synch-l1-2-0.dll

Filesize
11KB

MD5
ed215daa7493bf93c5eadef178a261e0

SHA1
b20c8dc7ba00f98a326f5f4fd55329b72f8e5699

SHA256
8b7c8fc657e0dab0f2506001ca4bb76e675ffd18a2b4d9c1e03b876e008a7a26

SHA512
3ed052eada11c3dc44f81f330bd2a2526170515bc6a90281872a93ee49f9add8c9ad36b9a9e9185e251d664c1694d06625e0148e113addc32e53d705d2655f03

Download Submit
\Users\Admin\AppData\Local\Temp\Tech tool store\api-ms-win-core-timezone-l1-1-0.dll

Filesize
11KB

MD5
a9c7db516186c8e367fed757e238c61a

SHA1
1318d6496e7146e773aca85be6d0e9b87a09e284

SHA256
ded52bac23633a03341969c5b98b0d94d24fa3284c1ddd0c489e453b39cec659

SHA512
6aad003287afe86abccf34f6b15338c0c7380f4837805d919064a26380d2f3f7698515f927c148e618c12f0943d3621184bebc70a8b07eed64ad88689fbcc5cb

Download Submit
\Users\Admin\AppData\Local\Temp\Tech tool store\api-ms-win-crt-convert-l1-1-0.dll

Filesize
15KB

MD5
c6385b316bb04ca36d76b077eeb9a61e

SHA1
fc376f68798fecd41fb1c936eed1bce3f2ee6bef

SHA256
060636cfc58587b4344a6d0ff4f44dd77266f2bbdb877cb50cb1b44a7e3969bc

SHA512
bddf0f34bedb17ecf1d270a0613f27d174ae04f920192d7d1af6c15245175318b29691e748c36e2ce0a3027495b2f5a0bb688ae16095fad9dcd8c283b6d1b1d4

Download Submit
\Users\Admin\AppData\Local\Temp\Tech tool store\api-ms-win-crt-environment-l1-1-0.dll

Filesize
11KB

MD5
311e582d5d3d8421e883c4a8248eacc8

SHA1
c99e61d1446fce0f883a2aad261af22d77953a59

SHA256
369cc4d3bb05f4160a0bc9683feb1df2e94d02f061e4b23d53c3a6e2230cd5e4

SHA512
050ed1310e667e6bb22bb7952794745df1eee0c78f18240cc2217e748a11213d094b48153964c3da0ad8141da1709ece637315633396c77c035bb0565fa981b4

Download Submit
\Users\Admin\AppData\Local\Temp\Tech tool store\api-ms-win-crt-filesystem-l1-1-0.dll

Filesize
13KB

MD5
10731d3320c12abb62d3866d7e728cce

SHA1
df4e131c825d1ca5cd14e00e5c04785d6ca508f7

SHA256
9f3eb90963916194f167e98e049707b14fa84a3f11cb8cc7b940d95956601700

SHA512
7eeef98682872fd95a38a03435546349c8488607e59870086b486b807e8b53893603175d9ad0f3b80c1924381daca8d14868a6079988a944b005783b4e2e358e

Download Submit
\Users\Admin\AppData\Local\Temp\Tech tool store\api-ms-win-crt-heap-l1-1-0.dll

Filesize
12KB

MD5
cf5f256e8cd76ba85e6c3047f078814a

SHA1
b7cde77313ceaae76a46c1111b33b3d8f47c4214

SHA256
9382fc8d5cbcc23c5d05e6f48f4188af3f96efbbdc5a7ec05b37e252440ecfc1

SHA512
856eff4fff1d11a725af9c3e5ceac6d02a89297a16e97edec171839aa12c468fc37d60ec5df06d507cee695f71b7fbd4bc0ba51b7934d886e66a43b249e62da5

Download Submit
\Users\Admin\AppData\Local\Temp\Tech tool store\api-ms-win-crt-locale-l1-1-0.dll

Filesize
11KB

MD5
60ffdc3ef20b127e3fd14a0719328c34

SHA1
b510833350328f79a79fa464ea9d5e9455643659

SHA256
43c9ea4ddecf2f34852559cf0b40b5261e6701d3743ab219f48d43a312707ad9

SHA512
caef6ee08c9f6fabecef1f0be37ab34e2d4dc22f15a775b2f0dcacda1f0fcdf2259399e6fbab85f0f00e8e4b03d77fe88b85b901a9ba2f775a50f2da724da26e

Download Submit
\Users\Admin\AppData\Local\Temp\Tech tool store\api-ms-win-crt-math-l1-1-0.dll

Filesize
21KB

MD5
78dfcb76dc8b42411dbc682f78f5c6eb

SHA1
e50f6719fee44c70518cf8442737a688b5f45e62

SHA256
8673dd898f899de831fc3052c8b8254b7b85ee7f2b9b6c422736668689c9b14f

SHA512
968bb3bc952f4057f74c9c8825fcc2db34b9c56166ee39db3bab3d4ecf51fb65af250a8a65340274a1a0c0eed73b6c8962df5d2fce586c1ef4e19706edd5e6e1

Download Submit
\Users\Admin\AppData\Local\Temp\Tech tool store\api-ms-win-crt-runtime-l1-1-0.dll

Filesize
15KB

MD5
8bd7a27e6ca969d3eb46086d411ce05d

SHA1
3bbf6f55853b1487debca58d7cb5c877d0abd517

SHA256
8edc95578b8c9ca93a65907e428fa2b57fef8370b902912689332bc61094904c

SHA512
fee8359398efe6a995a214d4e47de43aba12d33bb9cb1de18659d332d94ef83a4a77618b6caa9f455b0c6da4c10ab459209d483b9e778d9b522771ca692ca454

Download Submit
\Users\Admin\AppData\Local\Temp\Tech tool store\api-ms-win-crt-stdio-l1-1-0.dll

Filesize
17KB

MD5
f681a45c47ebb2c56c1465677ec33ff3

SHA1
06bf7798c51325cf1806e14dea56ff98b05b7846

SHA256
3a03d727d291be57057587227273af410eda935438d8a0a165ec63ae772809af

SHA512
eeb05f1af7e1c714c658e9aa06e8c6dbeeb5f2e8dcf3fdb7b9b408018e41402d83893472114e0cf6d3a9a3bf54ec45c4f7a4840a09570d190277aa3514681ab8

Download Submit
\Users\Admin\AppData\Local\Temp\Tech tool store\api-ms-win-crt-string-l1-1-0.dll

Filesize
17KB

MD5
00446e48d60abf044acc72b46d5c3afb

SHA1
0ccc0c5034ac063e1d4af851b0de1f4ea99aff97

SHA256
82d26998b4b3c26dbc1c1fff9d6106109a081205081d3c0669e59d20d918bc5a

SHA512
69114f0efb3c853bffb55c15e5ad1b7919057a676056d57634a6a39916e232cde2dcdc49ea0f9751ddea6550ffa58f84b1f8918b3c9fd7e88c8b8f7eb4afeaf2

Download Submit
\Users\Admin\AppData\Local\Temp\Tech tool store\api-ms-win-crt-time-l1-1-0.dll

Filesize
13KB

MD5
376b4a7a02f20ed3aede05039ec3daf0

SHA1
c9149b37f85cfc724bedc0ecd543d95280055de1

SHA256
b0b8fc7de3641c3f23d30a4792c8584db33db6133ee29135c70bb504e80e4a2c

SHA512
ff7fba7cd8c9b55c1c87104d7d9074ef0eed524b02480ecf2c80e5cd489c568e1ed63bc62699a03272cab3dcbf20e6437e1f47ce112bcb3336d27ed2790430c5

Download Submit
\Users\Admin\AppData\Local\Temp\Tech tool store\api-ms-win-crt-utility-l1-1-0.dll

Filesize
11KB

MD5
6376bf5bac3f0208f0a5d11415ccd444

SHA1
c3fe96e51c3f3e622dcedd2ddf8d23f9442361b8

SHA256
e36763df57cd26ec2b4d52e27de51a4ca6f18caf86cbac8307bf4817705f9a0e

SHA512
9614e423c850bdb584f18555825214d42106966b1ee71e75ba7407591aa5de407b43909ce972e1923df82e9a0e953597fe19646296962194ebeb1579493d91c2

Download Submit
\Users\Admin\AppData\Local\Temp\Tech tool store\bz2.dll

Filesize
63KB

MD5
bb1ea7cade180a0c012c2289c7d820cc

SHA1
67a17ae0aed053d8fb071450dff8f843a1255112

SHA256
30998439b2fbc620f3f87799f8a98e8519f26b227bf498877b11dfb52147b698

SHA512
3b10462ae03ea57bfad298c4d59da247b8ad971aeec0c9ad439a72b1756ee627fba23fe9044df9a8301b0fe1099bbb9988869ccce1102314052a49bf0cbdf317

Download Submit
\Users\Admin\AppData\Local\Temp\Tech tool store\msvcp140.dll

Filesize
428KB

MD5
fdd04dbbcf321eee5f4dd67266f476b0

SHA1
65ffdfe2664a29a41fcf5039229ccecad5b825b9

SHA256
21570bcb7a77e856f3113235d2b05b2b328d4bb71b4fd9ca4d46d99adac80794

SHA512
04cfc3097fbce6ee1b7bac7bd63c3cffe7dca16f0ec9cd8fe657d8b7ebd06dcba272ff472f98c6385c3cfb9b1ac3f47be8ca6d3ea80ab4aeed44a0e2ce3185dd

Download Submit
\Users\Admin\AppData\Local\Temp\Tech tool store\sqlite3.dll

Filesize
883KB

MD5
c86d13c52aa1c7d0e39cc9f6d20ccd22

SHA1
8622a443874feebb2e5cdb9792a447acb97f78af

SHA256
7fdc0ad5ee9678eb66448b121beba9597ca6742d4474ff75d080a5c5014ec9c9

SHA512
ea629707a590a3494f63d17e6d4b74f9fc3341216f3fada2f1a1e5c318f83149130ea87afb8eb87168428ed21dc0c4cd4612bf66517ec67874e9a75c694e6af6

Download Submit
\Users\Admin\AppData\Local\Temp\Tech tool store\ucrtbase.dll

Filesize
880KB

MD5
5dafe0bfb955e780b3d50da4524b752f

SHA1
91c0d9fabe748d373215ba21b90278671b5f8957

SHA256
6255112c9978c07a05c6feaee01cf4be74b2920dc7017fbc1a42f8f5d23c20f9

SHA512
37fd37f3ad87838f596d1e8e497fe66d1a1c4128625ab456ec850179dd1e1f33cf4945d0faaf6cdbd1ed586ecfb7ff3e7cf10a88a823cc5eb06c2fc4fa16bff3

Download Submit
\Users\Admin\AppData\Local\Temp\Tech tool store\vcruntime140.dll

Filesize
77KB

MD5
ba65db6bfef78a96aee7e29f1449bf8a

SHA1
06c7beb9fd1f33051b0e77087350903c652f4b77

SHA256
141690572594dbd3618a4984712e9e36fc09c9906bb845ce1a9531ac8f7ad493

SHA512
ca63eeac10ef55d7e2e55479b25cf394e58aef1422951f361f762ab667f72a3454f55afc04e967e8cdd20cf3eebe97083e0438ea941916a09e7d091818ea830e

Download Submit
\Users\Admin\AppData\Local\Temp\Tech tool store\zlib1.dll

Filesize
76KB

MD5
7cfdbfec8b16876767f5895fae94f6cd

SHA1
49644b75dc5ef3e1f6e122f8b6e5569b74b1e2a5

SHA256
322062f0287317d3f41180bf79e54c4ddf4646a08fcd55263fd05ad56b8e1cba

SHA512
02a10c91098b79cf4b53dfeb595283cd0bcd5b70ddc803f401600d321a54d3ce51ec24962473a47b9679b573a2223ff7f02be57866bfd961cea3f1a81bcea683

Download Submit
memory/224-145-0x0000000000000000-mapping.dmp

Download
memory/288-146-0x0000000000000000-mapping.dmp

Download
memory/556-139-0x0000000000000000-mapping.dmp

Download
memory/648-140-0x0000000000000000-mapping.dmp

Download
memory/780-54-0x0000000076121000-0x0000000076123000-memory.dmp

Filesize
8KB

Download
memory/1100-130-0x0000000000000000-mapping.dmp

Download
memory/1168-142-0x0000000000000000-mapping.dmp

Download
memory/1448-141-0x0000000000000000-mapping.dmp

Download
memory/1464-132-0x0000000000000000-mapping.dmp

Download
memory/1504-150-0x0000000000000000-mapping.dmp

Download
memory/1552-149-0x0000000000000000-mapping.dmp

Download
memory/1584-135-0x000007FEFBD81000-0x000007FEFBD83000-memory.dmp

Filesize
8KB

Download
memory/1584-133-0x0000000000000000-mapping.dmp

Download
memory/1664-147-0x0000000000000000-mapping.dmp

Download
memory/1692-136-0x0000000000000000-mapping.dmp

Download
memory/1964-144-0x0000000000000000-mapping.dmp

Download
memory/1968-134-0x0000000000000000-mapping.dmp

Download
memory/1984-127-0x0000000007280000-0x00000000072C0000-memory.dmp

Filesize
256KB

Download
memory/1984-121-0x00000000070C0000-0x000000000717C000-memory.dmp

Filesize
752KB

Download
memory/1984-67-0x0000000000000000-mapping.dmp

Download
memory/1984-128-0x0000000007200000-0x0000000007213000-memory.dmp

Filesize
76KB

Download
memory/1984-138-0x0000000007200000-0x0000000007213000-memory.dmp

Filesize
76KB

Download
memory/2036-131-0x0000000000000000-mapping.dmp

Download
memory/2096-151-0x0000000000000000-mapping.dmp

Download
memory/2108-152-0x0000000000000000-mapping.dmp

Download
memory/2120-153-0x0000000000000000-mapping.dmp

Download