e648b9f735d50b1f253fe6a5ea2fc036810f2c66525609c92d1463219a2ef9c1

Analysis

max time kernel
150s
max time network
157s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
19/03/2024, 10:36

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

TabularEditor.3.Installer.x64.exe
Size

43.7MB
MD5

92449094c9135b8abec40da0e9780ea7
SHA1

c18cd12a3dca592296e818ddbf265bfb5549be82
SHA256

e648b9f735d50b1f253fe6a5ea2fc036810f2c66525609c92d1463219a2ef9c1
SHA512

e4e8107aa827eeb8db4ec2232c26ec2a98a4d1fcfad9c67050bb8460a716a7b3796c1a9d164f9b9792bdde238b17b7bc5a3f1db59b3c47a412c4154f7494c393
SSDEEP

786432:rsTuRN2znDcYiMBssnpbqrvk56bFQzhy2bv/MGV+50KHWiNXhOdKdM5h+kep9qvT:rsTuRN2zDcbMBssndiv6QFQzzMGYuHi+

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000\Control Panel\International\Geo\Nation	TabularEditor.3.Installer.x64.exe

Loads dropped DLL 31 IoCs

pid	Process
4084	MsiExec.exe
4084	MsiExec.exe
4084	MsiExec.exe
4084	MsiExec.exe
4084	MsiExec.exe
4084	MsiExec.exe
4084	MsiExec.exe
4084	MsiExec.exe
4084	MsiExec.exe
4084	MsiExec.exe
4084	MsiExec.exe
4084	MsiExec.exe
4084	MsiExec.exe
4084	MsiExec.exe
4084	MsiExec.exe
1068	MsiExec.exe
1068	MsiExec.exe
1068	MsiExec.exe
1068	MsiExec.exe
1068	MsiExec.exe
1068	MsiExec.exe
1068	MsiExec.exe
4932	MsiExec.exe
820	rundll32.exe
820	rundll32.exe
820	rundll32.exe
820	rundll32.exe
820	rundll32.exe
820	rundll32.exe
820	rundll32.exe
4932	MsiExec.exe

Enumerates connected drives 3 TTPs 64 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\I:	TabularEditor.3.Installer.x64.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\E:	TabularEditor.3.Installer.x64.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\B:	TabularEditor.3.Installer.x64.exe
File opened (read-only)	\??\J:	TabularEditor.3.Installer.x64.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\J:	TabularEditor.3.Installer.x64.exe
File opened (read-only)	\??\N:	TabularEditor.3.Installer.x64.exe
File opened (read-only)	\??\P:	TabularEditor.3.Installer.x64.exe
File opened (read-only)	\??\T:	TabularEditor.3.Installer.x64.exe
File opened (read-only)	\??\E:	TabularEditor.3.Installer.x64.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\O:	TabularEditor.3.Installer.x64.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\K:	TabularEditor.3.Installer.x64.exe
File opened (read-only)	\??\R:	TabularEditor.3.Installer.x64.exe
File opened (read-only)	\??\W:	TabularEditor.3.Installer.x64.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\A:	TabularEditor.3.Installer.x64.exe
File opened (read-only)	\??\R:	TabularEditor.3.Installer.x64.exe
File opened (read-only)	\??\H:	TabularEditor.3.Installer.x64.exe
File opened (read-only)	\??\K:	TabularEditor.3.Installer.x64.exe
File opened (read-only)	\??\V:	TabularEditor.3.Installer.x64.exe
File opened (read-only)	\??\U:	TabularEditor.3.Installer.x64.exe
File opened (read-only)	\??\Z:	TabularEditor.3.Installer.x64.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\A:	TabularEditor.3.Installer.x64.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\Y:	TabularEditor.3.Installer.x64.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\L:	TabularEditor.3.Installer.x64.exe
File opened (read-only)	\??\I:	TabularEditor.3.Installer.x64.exe
File opened (read-only)	\??\Q:	TabularEditor.3.Installer.x64.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\W:	TabularEditor.3.Installer.x64.exe
File opened (read-only)	\??\B:	TabularEditor.3.Installer.x64.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\X:	TabularEditor.3.Installer.x64.exe
File opened (read-only)	\??\L:	TabularEditor.3.Installer.x64.exe
File opened (read-only)	\??\O:	TabularEditor.3.Installer.x64.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\G:	TabularEditor.3.Installer.x64.exe
File opened (read-only)	\??\M:	TabularEditor.3.Installer.x64.exe
File opened (read-only)	\??\S:	TabularEditor.3.Installer.x64.exe
File opened (read-only)	\??\T:	TabularEditor.3.Installer.x64.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\N:	TabularEditor.3.Installer.x64.exe
File opened (read-only)	\??\S:	TabularEditor.3.Installer.x64.exe
File opened (read-only)	\??\V:	TabularEditor.3.Installer.x64.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\Y:	TabularEditor.3.Installer.x64.exe
File opened (read-only)	\??\M:	TabularEditor.3.Installer.x64.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\P:	TabularEditor.3.Installer.x64.exe
File opened (read-only)	\??\U:	TabularEditor.3.Installer.x64.exe
File opened (read-only)	\??\V:	msiexec.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\Tabular Editor 3\Microsoft.SqlServer.Server.dll	msiexec.exe
File created	C:\Program Files\Tabular Editor 3\runtimes\win-arm64\native\sni.dll	msiexec.exe
File created	C:\Program Files\Tabular Editor 3\System.ServiceModel.dll	msiexec.exe
File opened for modification	C:\Program Files (x86)\Common Files\Microsoft Shared\Power BI Desktop\External Tools\tabulareditor3.pbitool.json	rundll32.exe
File created	C:\Program Files\Tabular Editor 3\DevExpress.Data.Desktop.v23.1.dll	msiexec.exe
File created	C:\Program Files\Tabular Editor 3\Microsoft.ApplicationInsights.dll	msiexec.exe
File created	C:\Program Files\Tabular Editor 3\Microsoft.Extensions.DependencyInjection.Abstractions.dll	msiexec.exe
File created	C:\Program Files\Tabular Editor 3\Microsoft.IdentityModel.Tokens.dll	msiexec.exe
File created	C:\Program Files\Tabular Editor 3\runtimes\win\lib\net6.0\System.DirectoryServices.Protocols.dll	msiexec.exe
File created	C:\Program Files\Tabular Editor 3\System.ServiceModel.NetTcp.dll	msiexec.exe
File created	C:\Program Files\Tabular Editor 3\runtimes\win\lib\netcoreapp2.1\System.Data.SqlClient.dll	msiexec.exe
File created	C:\Program Files\Tabular Editor 3\runtimes\win-x64\native\WebView2Loader.dll	msiexec.exe
File created	C:\Program Files\Tabular Editor 3\System.ComponentModel.Composition.Registration.dll	msiexec.exe
File created	C:\Program Files\Tabular Editor 3\System.ServiceModel.Security.dll	msiexec.exe
File created	C:\Program Files\Tabular Editor 3\Azure.Core.dll	msiexec.exe
File created	C:\Program Files\Tabular Editor 3\Azure.Identity.dll	msiexec.exe
File created	C:\Program Files\Tabular Editor 3\Dax.Model.Extractor.dll	msiexec.exe
File created	C:\Program Files\Tabular Editor 3\eula.rtf	msiexec.exe
File created	C:\Program Files\Tabular Editor 3\System.IdentityModel.Tokens.Jwt.dll	msiexec.exe
File created	C:\Program Files\Tabular Editor 3\System.IO.Pipelines.dll	msiexec.exe
File created	C:\Program Files\Tabular Editor 3\Microsoft.AnalysisServices.dll	msiexec.exe
File created	C:\Program Files\Tabular Editor 3\Microsoft.Web.WebView2.Core.dll	msiexec.exe
File created	C:\Program Files\Tabular Editor 3\Microsoft.WindowsAPICodePack.Shell.dll	msiexec.exe
File created	C:\Program Files\Tabular Editor 3\runtimes\win-x64\native\sni.dll	msiexec.exe
File created	C:\Program Files\Tabular Editor 3\ActiveDirectoryObjectPicker.dll	msiexec.exe
File created	C:\Program Files\Tabular Editor 3\Daxscilla.dll	msiexec.exe
File created	C:\Program Files\Tabular Editor 3\runtimes\win\lib\net6.0\Microsoft.Data.SqlClient.dll	msiexec.exe
File created	C:\Program Files\Tabular Editor 3\runtimes\win\lib\net6.0\System.Data.Odbc.dll	msiexec.exe
File created	C:\Program Files\Tabular Editor 3\TOMWrapper.xml	msiexec.exe
File created	C:\Program Files\Tabular Editor 3\Microsoft.Win32.SystemEvents.dll	msiexec.exe
File created	C:\Program Files\Tabular Editor 3\Microsoft.WindowsAPICodePack.Core.dll	msiexec.exe
File created	C:\Program Files\Tabular Editor 3\runtimes\win\lib\net6.0\System.Security.Cryptography.Pkcs.dll	msiexec.exe
File created	C:\Program Files\Tabular Editor 3\System.Diagnostics.DiagnosticSource.dll	msiexec.exe
File created	C:\Program Files\Tabular Editor 3\TOMWrapper.dll	msiexec.exe
File created	C:\Program Files\Tabular Editor 3\DevExpress.Sparkline.v23.1.Core.dll	msiexec.exe
File created	C:\Program Files\Tabular Editor 3\Microsoft.Extensions.DependencyInjection.dll	msiexec.exe
File created	C:\Program Files\Tabular Editor 3\runtimes\win\lib\net6.0\System.Diagnostics.PerformanceCounter.dll	msiexec.exe
File created	C:\Program Files\Tabular Editor 3\runtimes\win\lib\net6.0\System.ServiceProcess.ServiceController.dll	msiexec.exe
File created	C:\Program Files\Tabular Editor 3\System.Composition.TypedParts.dll	msiexec.exe
File created	C:\Program Files\Tabular Editor 3\System.Memory.Data.dll	msiexec.exe
File created	C:\Program Files\Tabular Editor 3\ThirdPartyNotices.txt	msiexec.exe
File created	C:\Program Files\Tabular Editor 3\DevExpress.XtraDiagram.v23.1.dll	msiexec.exe
File created	C:\Program Files\Tabular Editor 3\Microsoft.IdentityModel.Abstractions.dll	msiexec.exe
File created	C:\Program Files\Tabular Editor 3\Microsoft.IdentityModel.Protocols.OpenIdConnect.dll	msiexec.exe
File created	C:\Program Files\Tabular Editor 3\runtimes\win\lib\net6.0\System.IO.Ports.dll	msiexec.exe
File created	C:\Program Files\Tabular Editor 3\DevExpress.XtraTreeList.v23.1.dll	msiexec.exe
File created	C:\Program Files\Tabular Editor 3\DevExpress.XtraVerticalGrid.v23.1.dll	msiexec.exe
File created	C:\Program Files\Tabular Editor 3\runtimes\win-x64\native\Microsoft.Data.SqlClient.SNI.dll	msiexec.exe
File created	C:\Program Files\Tabular Editor 3\System.DirectoryServices.AccountManagement.dll	msiexec.exe
File created	C:\Program Files\Tabular Editor 3\Antlr4.Runtime.Standard.dll	msiexec.exe
File created	C:\Program Files\Tabular Editor 3\CliWrap.dll	msiexec.exe
File created	C:\Program Files\Tabular Editor 3\Dax.Formatter.dll	msiexec.exe
File created	C:\Program Files\Tabular Editor 3\DevExpress.Drawing.v23.1.dll	msiexec.exe
File created	C:\Program Files\Tabular Editor 3\System.Security.Cryptography.Xml.dll	msiexec.exe
File created	C:\Program Files\Tabular Editor 3\TabularEditor3.Utils.dll	msiexec.exe
File created	C:\Program Files\Tabular Editor 3\runtimes\win\lib\net6.0\System.DirectoryServices.AccountManagement.dll	msiexec.exe
File created	C:\Program Files\Tabular Editor 3\runtimes\win-arm64\native\Microsoft.Data.SqlClient.SNI.dll	msiexec.exe
File created	C:\Program Files\Tabular Editor 3\TabularEditor3.dll	msiexec.exe
File created	C:\Program Files\Tabular Editor 3\installer_192dpi.ico	msiexec.exe
File created	C:\Program Files\Tabular Editor 3\M.Analyzer.dll	msiexec.exe
File created	C:\Program Files\Tabular Editor 3\Microsoft.CodeAnalysis.Features.dll	msiexec.exe
File created	C:\Program Files\Tabular Editor 3\Microsoft.Web.WebView2.WinForms.dll	msiexec.exe
File created	C:\Program Files\Tabular Editor 3\System.Diagnostics.PerformanceCounter.dll	msiexec.exe
File created	C:\Program Files\Tabular Editor 3\System.ServiceProcess.ServiceController.dll	msiexec.exe

Drops file in Windows directory 23 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Installer\MSI8549.tmp	msiexec.exe
File created	C:\Windows\Installer\inprogressinstallinfo.ipi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI99B3.tmp-\CustomAction.config	rundll32.exe
File created	C:\Windows\Installer\e588393.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\e588393.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI90D6.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\	msiexec.exe
File created	C:\Windows\Installer\{B12CDF87-F0DA-45F8-BC12-09D2BE83AFAE}\TabularEditor_192DPI.exe	msiexec.exe
File opened for modification	C:\Windows\Installer\{B12CDF87-F0DA-45F8-BC12-09D2BE83AFAE}\TabularEditor_192DPI.exe	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI99B3.tmp-\Microsoft.Deployment.WindowsInstaller.dll	rundll32.exe
File opened for modification	C:\Windows\Installer\MSI84AC.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI8579.tmp	msiexec.exe
File created	C:\Windows\Installer\e588395.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI99B3.tmp-\Newtonsoft.Json.dll	rundll32.exe
File opened for modification	C:\Windows\Installer\MSI9D0F.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI85E7.tmp	msiexec.exe
File created	C:\Windows\Installer\SourceHash{B12CDF87-F0DA-45F8-BC12-09D2BE83AFAE}	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI9116.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI9368.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI99B3.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI99B3.tmp-\TabularEditor3.Installer.CA.dll	rundll32.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI8685.tmp	msiexec.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies Control Panel 1 IoCs

evasion

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000\Control Panel\Colors	TabularEditor.3.Installer.x64.exe

Modifies data under HKEY_USERS 3 IoCs

description	ioc	Process
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\CLASSES\LOCAL SETTINGS\MUICACHE\22\52C64B7E	msiexec.exe
Key deleted	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22	msiexec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\23	msiexec.exe

Modifies registry class 24 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\78FDC21BAD0F8F54CB21902DEB38FAEA	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\78FDC21BAD0F8F54CB21902DEB38FAEA\MainFeature	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\78FDC21BAD0F8F54CB21902DEB38FAEA\PackageCode = "ED77E0709EDB54F4E9B3207977B70852"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\78FDC21BAD0F8F54CB21902DEB38FAEA\Assignment = "1"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\78FDC21BAD0F8F54CB21902DEB38FAEA\DeploymentFlags = "3"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\62098CEFD88C89546BFAE1C68BB843BE	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\78FDC21BAD0F8F54CB21902DEB38FAEA\SourceList\PackageName = "TabularEditor.3.Installer.x64.msi"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\78FDC21BAD0F8F54CB21902DEB38FAEA\SourceList\Net	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\78FDC21BAD0F8F54CB21902DEB38FAEA\SourceList\Media\1 = ";"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\78FDC21BAD0F8F54CB21902DEB38FAEA\Version = "51249152"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\78FDC21BAD0F8F54CB21902DEB38FAEA\InstanceType = "0"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\78FDC21BAD0F8F54CB21902DEB38FAEA	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\78FDC21BAD0F8F54CB21902DEB38FAEA\Language = "1033"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\78FDC21BAD0F8F54CB21902DEB38FAEA\AdvertiseFlags = "388"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\78FDC21BAD0F8F54CB21902DEB38FAEA\AuthorizedLUAApp = "0"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\62098CEFD88C89546BFAE1C68BB843BE\78FDC21BAD0F8F54CB21902DEB38FAEA	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\78FDC21BAD0F8F54CB21902DEB38FAEA\SourceList\Net\1 = "C:\\Users\\Admin\\AppData\\Roaming\\Tabular Editor ApS\\Tabular Editor 3 3.14.0\\install\\E83AFAE\\"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\78FDC21BAD0F8F54CB21902DEB38FAEA\SourceList\Media	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\78FDC21BAD0F8F54CB21902DEB38FAEA\SourceList\Media\DiskPrompt = "[1]"	msiexec.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\78FDC21BAD0F8F54CB21902DEB38FAEA\Clients = 3a0000000000	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\78FDC21BAD0F8F54CB21902DEB38FAEA\SourceList\LastUsedSource = "n;1;C:\\Users\\Admin\\AppData\\Roaming\\Tabular Editor ApS\\Tabular Editor 3 3.14.0\\install\\E83AFAE\\"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\78FDC21BAD0F8F54CB21902DEB38FAEA\ProductName = "Tabular Editor 3"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\78FDC21BAD0F8F54CB21902DEB38FAEA\ProductIcon = "C:\\Windows\\Installer\\{B12CDF87-F0DA-45F8-BC12-09D2BE83AFAE}\\TabularEditor_192DPI.exe"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\78FDC21BAD0F8F54CB21902DEB38FAEA\SourceList	msiexec.exe

Modifies system certificate store 2 TTPs 6 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\4EFC31460C619ECAE59C1BCE2C008036D94C84B8	TabularEditor.3.Installer.x64.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\4EFC31460C619ECAE59C1BCE2C008036D94C84B8\Blob = 0f0000000100000030000000c130bba37b8b350e89fd5ed76b4f78777feee220d3b9e729042bef6af46e8e4c1b252e32b3080c681bc9a8a1afdd0a3c0b000000010000004200000047006c006f00620061006c005300690067006e00200043006f006400650020005300690067006e0069006e006700200052006f006f007400200052003400350000006200000001000000200000007b9d553e1c92cb6e8803e137f4f287d4363757f5d44b37d52f9fca22fb97df8653000000010000001f000000301d301b060567810c010330123010060a2b0601040182373c0101030200c01400000001000000140000001f00bf46800afc7839b7a5b443d95650bbce963b1d00000001000000100000005467b0adde8d858e30ee517b1a19ecd909000000010000000c000000300a06082b060105050703030300000001000000140000004efc31460c619ecae59c1bce2c008036d94c84b8200000000100000076050000308205723082035aa00302010202107653feac75464893f5e5d74a483a4ef8300d06092a864886f70d01010c05003053310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613129302706035504031320476c6f62616c5369676e20436f6465205369676e696e6720526f6f7420523435301e170d3230303331383030303030305a170d3435303331383030303030305a3053310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613129302706035504031320476c6f62616c5369676e20436f6465205369676e696e6720526f6f742052343530820222300d06092a864886f70d01010105000382020f003082020a0282020100b62dc530dd7ae8ab903d0372b03a4b991661b2e5ffa5671d371ce57eec9383aa84f5a3439b98458ab863575d9b00880425e9f868924b82d84bc94a03f3a87f6a8f8a6127bda144d0fdf53f22c2a34f918db305b22882915dfb5988050b9706c298f82ca73324ee503a41ccf0a0b07b1d4dd2a8583896e9dff91b91bb8b102cd2c7431da20974a180af7be6330a0c596b8ebcf4ab5a977b7fae55fb84f080fe844cd7e2babdc475a16fbd61107444b29807e274abff68dc6c263ee91fe5e00487ad30d30c8d037c55b816705c24782025eb676788abba4e34986b7011de38cad4bea1c09ce1df1e0201d83be1674384b6cffc74b72f84a3bfba09373d676cb1455c1961ab4183f5ac1deb770d464773cebfbd9595ed9d2b8810fefa58e8a757e1b3cfa85ae907259b12c49e80723d93dc8c94df3b44e62680fcd2c303f08c0cd245d62ee78f989ee604ee426e677e42167162e704f960c664a1b69c81214e2bc66d689486c699747367317a91f2d48c796e7ca6bb7e466f4dc585122bcf9a224408a88537ce07615706171224c0c43173a1983557477e103a45d92da4519098a9a00737c4651aaa1c6b1677f7a797ec3f1930996f31fbea40b2e7d2c4fac9d0f050767459fa8d6d1732bef8e97e03f4e787759ad44a912c850313022b4280f2896a36cfc84ca0ce9ef8cb8dad16a7d3ded59b18a7c6923af18263f12e0e2464df0203010001a3423040300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e041604141f00bf46800afc7839b7a5b443d95650bbce963b300d06092a864886f70d01010c050003820201005e2bba749734445f764828408493ee016ee9a1b3d68025e67be4bc09913d0ffc76add7d43020bb8f60d091d61cf29cef781a2b943202c12496525202d0f3d1fcf29b396e99e11f8e43417d9a1e5bc95d9a84fc26e687f3747226ada41bd93d3b6a52a03c091e2f1e7bb333b445c7f7acb1af9360ad76aeb8b21578eb836aebffdb46ab24e5ee02fa901f59c02f5dd6b75da45c10b77253f8414eccfa781a254acafe85624361c3b437aa81d2f4d63a0fbd8d597e3047de2b6be72150335fd4679bd4b8679f3c279903ff85438e7312ca20cde861d5b166dc17d6396d0fdbcf2337a182894e1c6b3fd6a0cdaa079d3e4226aad70ceefa47bf1a527ed17581d3c98a62176d4f88a021a0263eaf6dd962301fe99828ae6e8dd58e4c726693808d2ae355c760679042565c22510fb3dc4e39ee4dddd91d7810543b6ed0976f03b51eb22373c612b29a64d0fc958524a8ffdfa1b0dc9140aedf0933abb9dd92b7f1cc91743b69eb67971b90bfe7c7a06f71bb57bfb78f5aed7a406a16cd80842d2fe102d4249443b315fc0c2b1bfd716ffccbbc75173a5e83d2c9b32f1bd59c8d7f54fe7e7ee456a387a79de1595294418f6d5bbe86959aff1a76dd40d2514a70b41f336323773fec271e59e40887ed34824a0f3ffea01dc1f56773458678f4aa29e92787c619dbc61314c33949874da097e06513f59d7756e9dab358c73af2c0cd82	TabularEditor.3.Installer.x64.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\4EFC31460C619ECAE59C1BCE2C008036D94C84B8\Blob = 1900000001000000100000005d1b8ff2c30f63f5b536edd400f7f9b40300000001000000140000004efc31460c619ecae59c1bce2c008036d94c84b809000000010000000c000000300a06082b060105050703031d00000001000000100000005467b0adde8d858e30ee517b1a19ecd91400000001000000140000001f00bf46800afc7839b7a5b443d95650bbce963b53000000010000001f000000301d301b060567810c010330123010060a2b0601040182373c0101030200c06200000001000000200000007b9d553e1c92cb6e8803e137f4f287d4363757f5d44b37d52f9fca22fb97df860b000000010000004200000047006c006f00620061006c005300690067006e00200043006f006400650020005300690067006e0069006e006700200052006f006f007400200052003400350000000f0000000100000030000000c130bba37b8b350e89fd5ed76b4f78777feee220d3b9e729042bef6af46e8e4c1b252e32b3080c681bc9a8a1afdd0a3c200000000100000076050000308205723082035aa00302010202107653feac75464893f5e5d74a483a4ef8300d06092a864886f70d01010c05003053310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613129302706035504031320476c6f62616c5369676e20436f6465205369676e696e6720526f6f7420523435301e170d3230303331383030303030305a170d3435303331383030303030305a3053310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613129302706035504031320476c6f62616c5369676e20436f6465205369676e696e6720526f6f742052343530820222300d06092a864886f70d01010105000382020f003082020a0282020100b62dc530dd7ae8ab903d0372b03a4b991661b2e5ffa5671d371ce57eec9383aa84f5a3439b98458ab863575d9b00880425e9f868924b82d84bc94a03f3a87f6a8f8a6127bda144d0fdf53f22c2a34f918db305b22882915dfb5988050b9706c298f82ca73324ee503a41ccf0a0b07b1d4dd2a8583896e9dff91b91bb8b102cd2c7431da20974a180af7be6330a0c596b8ebcf4ab5a977b7fae55fb84f080fe844cd7e2babdc475a16fbd61107444b29807e274abff68dc6c263ee91fe5e00487ad30d30c8d037c55b816705c24782025eb676788abba4e34986b7011de38cad4bea1c09ce1df1e0201d83be1674384b6cffc74b72f84a3bfba09373d676cb1455c1961ab4183f5ac1deb770d464773cebfbd9595ed9d2b8810fefa58e8a757e1b3cfa85ae907259b12c49e80723d93dc8c94df3b44e62680fcd2c303f08c0cd245d62ee78f989ee604ee426e677e42167162e704f960c664a1b69c81214e2bc66d689486c699747367317a91f2d48c796e7ca6bb7e466f4dc585122bcf9a224408a88537ce07615706171224c0c43173a1983557477e103a45d92da4519098a9a00737c4651aaa1c6b1677f7a797ec3f1930996f31fbea40b2e7d2c4fac9d0f050767459fa8d6d1732bef8e97e03f4e787759ad44a912c850313022b4280f2896a36cfc84ca0ce9ef8cb8dad16a7d3ded59b18a7c6923af18263f12e0e2464df0203010001a3423040300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e041604141f00bf46800afc7839b7a5b443d95650bbce963b300d06092a864886f70d01010c050003820201005e2bba749734445f764828408493ee016ee9a1b3d68025e67be4bc09913d0ffc76add7d43020bb8f60d091d61cf29cef781a2b943202c12496525202d0f3d1fcf29b396e99e11f8e43417d9a1e5bc95d9a84fc26e687f3747226ada41bd93d3b6a52a03c091e2f1e7bb333b445c7f7acb1af9360ad76aeb8b21578eb836aebffdb46ab24e5ee02fa901f59c02f5dd6b75da45c10b77253f8414eccfa781a254acafe85624361c3b437aa81d2f4d63a0fbd8d597e3047de2b6be72150335fd4679bd4b8679f3c279903ff85438e7312ca20cde861d5b166dc17d6396d0fdbcf2337a182894e1c6b3fd6a0cdaa079d3e4226aad70ceefa47bf1a527ed17581d3c98a62176d4f88a021a0263eaf6dd962301fe99828ae6e8dd58e4c726693808d2ae355c760679042565c22510fb3dc4e39ee4dddd91d7810543b6ed0976f03b51eb22373c612b29a64d0fc958524a8ffdfa1b0dc9140aedf0933abb9dd92b7f1cc91743b69eb67971b90bfe7c7a06f71bb57bfb78f5aed7a406a16cd80842d2fe102d4249443b315fc0c2b1bfd716ffccbbc75173a5e83d2c9b32f1bd59c8d7f54fe7e7ee456a387a79de1595294418f6d5bbe86959aff1a76dd40d2514a70b41f336323773fec271e59e40887ed34824a0f3ffea01dc1f56773458678f4aa29e92787c619dbc61314c33949874da097e06513f59d7756e9dab358c73af2c0cd82	TabularEditor.3.Installer.x64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\4EFC31460C619ECAE59C1BCE2C008036D94C84B8	TabularEditor.3.Installer.x64.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\4EFC31460C619ECAE59C1BCE2C008036D94C84B8\Blob = 040000000100000010000000e94fb54871208c00df70f708ac47085b0f0000000100000030000000c130bba37b8b350e89fd5ed76b4f78777feee220d3b9e729042bef6af46e8e4c1b252e32b3080c681bc9a8a1afdd0a3c0b000000010000004200000047006c006f00620061006c005300690067006e00200043006f006400650020005300690067006e0069006e006700200052006f006f007400200052003400350000006200000001000000200000007b9d553e1c92cb6e8803e137f4f287d4363757f5d44b37d52f9fca22fb97df8653000000010000001f000000301d301b060567810c010330123010060a2b0601040182373c0101030200c01400000001000000140000001f00bf46800afc7839b7a5b443d95650bbce963b1d00000001000000100000005467b0adde8d858e30ee517b1a19ecd909000000010000000c000000300a06082b060105050703030300000001000000140000004efc31460c619ecae59c1bce2c008036d94c84b81900000001000000100000005d1b8ff2c30f63f5b536edd400f7f9b4200000000100000076050000308205723082035aa00302010202107653feac75464893f5e5d74a483a4ef8300d06092a864886f70d01010c05003053310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613129302706035504031320476c6f62616c5369676e20436f6465205369676e696e6720526f6f7420523435301e170d3230303331383030303030305a170d3435303331383030303030305a3053310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613129302706035504031320476c6f62616c5369676e20436f6465205369676e696e6720526f6f742052343530820222300d06092a864886f70d01010105000382020f003082020a0282020100b62dc530dd7ae8ab903d0372b03a4b991661b2e5ffa5671d371ce57eec9383aa84f5a3439b98458ab863575d9b00880425e9f868924b82d84bc94a03f3a87f6a8f8a6127bda144d0fdf53f22c2a34f918db305b22882915dfb5988050b9706c298f82ca73324ee503a41ccf0a0b07b1d4dd2a8583896e9dff91b91bb8b102cd2c7431da20974a180af7be6330a0c596b8ebcf4ab5a977b7fae55fb84f080fe844cd7e2babdc475a16fbd61107444b29807e274abff68dc6c263ee91fe5e00487ad30d30c8d037c55b816705c24782025eb676788abba4e34986b7011de38cad4bea1c09ce1df1e0201d83be1674384b6cffc74b72f84a3bfba09373d676cb1455c1961ab4183f5ac1deb770d464773cebfbd9595ed9d2b8810fefa58e8a757e1b3cfa85ae907259b12c49e80723d93dc8c94df3b44e62680fcd2c303f08c0cd245d62ee78f989ee604ee426e677e42167162e704f960c664a1b69c81214e2bc66d689486c699747367317a91f2d48c796e7ca6bb7e466f4dc585122bcf9a224408a88537ce07615706171224c0c43173a1983557477e103a45d92da4519098a9a00737c4651aaa1c6b1677f7a797ec3f1930996f31fbea40b2e7d2c4fac9d0f050767459fa8d6d1732bef8e97e03f4e787759ad44a912c850313022b4280f2896a36cfc84ca0ce9ef8cb8dad16a7d3ded59b18a7c6923af18263f12e0e2464df0203010001a3423040300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e041604141f00bf46800afc7839b7a5b443d95650bbce963b300d06092a864886f70d01010c050003820201005e2bba749734445f764828408493ee016ee9a1b3d68025e67be4bc09913d0ffc76add7d43020bb8f60d091d61cf29cef781a2b943202c12496525202d0f3d1fcf29b396e99e11f8e43417d9a1e5bc95d9a84fc26e687f3747226ada41bd93d3b6a52a03c091e2f1e7bb333b445c7f7acb1af9360ad76aeb8b21578eb836aebffdb46ab24e5ee02fa901f59c02f5dd6b75da45c10b77253f8414eccfa781a254acafe85624361c3b437aa81d2f4d63a0fbd8d597e3047de2b6be72150335fd4679bd4b8679f3c279903ff85438e7312ca20cde861d5b166dc17d6396d0fdbcf2337a182894e1c6b3fd6a0cdaa079d3e4226aad70ceefa47bf1a527ed17581d3c98a62176d4f88a021a0263eaf6dd962301fe99828ae6e8dd58e4c726693808d2ae355c760679042565c22510fb3dc4e39ee4dddd91d7810543b6ed0976f03b51eb22373c612b29a64d0fc958524a8ffdfa1b0dc9140aedf0933abb9dd92b7f1cc91743b69eb67971b90bfe7c7a06f71bb57bfb78f5aed7a406a16cd80842d2fe102d4249443b315fc0c2b1bfd716ffccbbc75173a5e83d2c9b32f1bd59c8d7f54fe7e7ee456a387a79de1595294418f6d5bbe86959aff1a76dd40d2514a70b41f336323773fec271e59e40887ed34824a0f3ffea01dc1f56773458678f4aa29e92787c619dbc61314c33949874da097e06513f59d7756e9dab358c73af2c0cd82	TabularEditor.3.Installer.x64.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\4EFC31460C619ECAE59C1BCE2C008036D94C84B8\Blob = 5c0000000100000004000000001000001900000001000000100000005d1b8ff2c30f63f5b536edd400f7f9b40300000001000000140000004efc31460c619ecae59c1bce2c008036d94c84b809000000010000000c000000300a06082b060105050703031d00000001000000100000005467b0adde8d858e30ee517b1a19ecd91400000001000000140000001f00bf46800afc7839b7a5b443d95650bbce963b53000000010000001f000000301d301b060567810c010330123010060a2b0601040182373c0101030200c06200000001000000200000007b9d553e1c92cb6e8803e137f4f287d4363757f5d44b37d52f9fca22fb97df860b000000010000004200000047006c006f00620061006c005300690067006e00200043006f006400650020005300690067006e0069006e006700200052006f006f007400200052003400350000000f0000000100000030000000c130bba37b8b350e89fd5ed76b4f78777feee220d3b9e729042bef6af46e8e4c1b252e32b3080c681bc9a8a1afdd0a3c040000000100000010000000e94fb54871208c00df70f708ac47085b200000000100000076050000308205723082035aa00302010202107653feac75464893f5e5d74a483a4ef8300d06092a864886f70d01010c05003053310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613129302706035504031320476c6f62616c5369676e20436f6465205369676e696e6720526f6f7420523435301e170d3230303331383030303030305a170d3435303331383030303030305a3053310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613129302706035504031320476c6f62616c5369676e20436f6465205369676e696e6720526f6f742052343530820222300d06092a864886f70d01010105000382020f003082020a0282020100b62dc530dd7ae8ab903d0372b03a4b991661b2e5ffa5671d371ce57eec9383aa84f5a3439b98458ab863575d9b00880425e9f868924b82d84bc94a03f3a87f6a8f8a6127bda144d0fdf53f22c2a34f918db305b22882915dfb5988050b9706c298f82ca73324ee503a41ccf0a0b07b1d4dd2a8583896e9dff91b91bb8b102cd2c7431da20974a180af7be6330a0c596b8ebcf4ab5a977b7fae55fb84f080fe844cd7e2babdc475a16fbd61107444b29807e274abff68dc6c263ee91fe5e00487ad30d30c8d037c55b816705c24782025eb676788abba4e34986b7011de38cad4bea1c09ce1df1e0201d83be1674384b6cffc74b72f84a3bfba09373d676cb1455c1961ab4183f5ac1deb770d464773cebfbd9595ed9d2b8810fefa58e8a757e1b3cfa85ae907259b12c49e80723d93dc8c94df3b44e62680fcd2c303f08c0cd245d62ee78f989ee604ee426e677e42167162e704f960c664a1b69c81214e2bc66d689486c699747367317a91f2d48c796e7ca6bb7e466f4dc585122bcf9a224408a88537ce07615706171224c0c43173a1983557477e103a45d92da4519098a9a00737c4651aaa1c6b1677f7a797ec3f1930996f31fbea40b2e7d2c4fac9d0f050767459fa8d6d1732bef8e97e03f4e787759ad44a912c850313022b4280f2896a36cfc84ca0ce9ef8cb8dad16a7d3ded59b18a7c6923af18263f12e0e2464df0203010001a3423040300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e041604141f00bf46800afc7839b7a5b443d95650bbce963b300d06092a864886f70d01010c050003820201005e2bba749734445f764828408493ee016ee9a1b3d68025e67be4bc09913d0ffc76add7d43020bb8f60d091d61cf29cef781a2b943202c12496525202d0f3d1fcf29b396e99e11f8e43417d9a1e5bc95d9a84fc26e687f3747226ada41bd93d3b6a52a03c091e2f1e7bb333b445c7f7acb1af9360ad76aeb8b21578eb836aebffdb46ab24e5ee02fa901f59c02f5dd6b75da45c10b77253f8414eccfa781a254acafe85624361c3b437aa81d2f4d63a0fbd8d597e3047de2b6be72150335fd4679bd4b8679f3c279903ff85438e7312ca20cde861d5b166dc17d6396d0fdbcf2337a182894e1c6b3fd6a0cdaa079d3e4226aad70ceefa47bf1a527ed17581d3c98a62176d4f88a021a0263eaf6dd962301fe99828ae6e8dd58e4c726693808d2ae355c760679042565c22510fb3dc4e39ee4dddd91d7810543b6ed0976f03b51eb22373c612b29a64d0fc958524a8ffdfa1b0dc9140aedf0933abb9dd92b7f1cc91743b69eb67971b90bfe7c7a06f71bb57bfb78f5aed7a406a16cd80842d2fe102d4249443b315fc0c2b1bfd716ffccbbc75173a5e83d2c9b32f1bd59c8d7f54fe7e7ee456a387a79de1595294418f6d5bbe86959aff1a76dd40d2514a70b41f336323773fec271e59e40887ed34824a0f3ffea01dc1f56773458678f4aa29e92787c619dbc61314c33949874da097e06513f59d7756e9dab358c73af2c0cd82	TabularEditor.3.Installer.x64.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
5020	msiexec.exe
5020	msiexec.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeSecurityPrivilege	5020	msiexec.exe
Token: SeCreateTokenPrivilege	952	TabularEditor.3.Installer.x64.exe
Token: SeAssignPrimaryTokenPrivilege	952	TabularEditor.3.Installer.x64.exe
Token: SeLockMemoryPrivilege	952	TabularEditor.3.Installer.x64.exe
Token: SeIncreaseQuotaPrivilege	952	TabularEditor.3.Installer.x64.exe
Token: SeMachineAccountPrivilege	952	TabularEditor.3.Installer.x64.exe
Token: SeTcbPrivilege	952	TabularEditor.3.Installer.x64.exe
Token: SeSecurityPrivilege	952	TabularEditor.3.Installer.x64.exe
Token: SeTakeOwnershipPrivilege	952	TabularEditor.3.Installer.x64.exe
Token: SeLoadDriverPrivilege	952	TabularEditor.3.Installer.x64.exe
Token: SeSystemProfilePrivilege	952	TabularEditor.3.Installer.x64.exe
Token: SeSystemtimePrivilege	952	TabularEditor.3.Installer.x64.exe
Token: SeProfSingleProcessPrivilege	952	TabularEditor.3.Installer.x64.exe
Token: SeIncBasePriorityPrivilege	952	TabularEditor.3.Installer.x64.exe
Token: SeCreatePagefilePrivilege	952	TabularEditor.3.Installer.x64.exe
Token: SeCreatePermanentPrivilege	952	TabularEditor.3.Installer.x64.exe
Token: SeBackupPrivilege	952	TabularEditor.3.Installer.x64.exe
Token: SeRestorePrivilege	952	TabularEditor.3.Installer.x64.exe
Token: SeShutdownPrivilege	952	TabularEditor.3.Installer.x64.exe
Token: SeDebugPrivilege	952	TabularEditor.3.Installer.x64.exe
Token: SeAuditPrivilege	952	TabularEditor.3.Installer.x64.exe
Token: SeSystemEnvironmentPrivilege	952	TabularEditor.3.Installer.x64.exe
Token: SeChangeNotifyPrivilege	952	TabularEditor.3.Installer.x64.exe
Token: SeRemoteShutdownPrivilege	952	TabularEditor.3.Installer.x64.exe
Token: SeUndockPrivilege	952	TabularEditor.3.Installer.x64.exe
Token: SeSyncAgentPrivilege	952	TabularEditor.3.Installer.x64.exe
Token: SeEnableDelegationPrivilege	952	TabularEditor.3.Installer.x64.exe
Token: SeManageVolumePrivilege	952	TabularEditor.3.Installer.x64.exe
Token: SeImpersonatePrivilege	952	TabularEditor.3.Installer.x64.exe
Token: SeCreateGlobalPrivilege	952	TabularEditor.3.Installer.x64.exe
Token: SeCreateTokenPrivilege	952	TabularEditor.3.Installer.x64.exe
Token: SeAssignPrimaryTokenPrivilege	952	TabularEditor.3.Installer.x64.exe
Token: SeLockMemoryPrivilege	952	TabularEditor.3.Installer.x64.exe
Token: SeIncreaseQuotaPrivilege	952	TabularEditor.3.Installer.x64.exe
Token: SeMachineAccountPrivilege	952	TabularEditor.3.Installer.x64.exe
Token: SeTcbPrivilege	952	TabularEditor.3.Installer.x64.exe
Token: SeSecurityPrivilege	952	TabularEditor.3.Installer.x64.exe
Token: SeTakeOwnershipPrivilege	952	TabularEditor.3.Installer.x64.exe
Token: SeLoadDriverPrivilege	952	TabularEditor.3.Installer.x64.exe
Token: SeSystemProfilePrivilege	952	TabularEditor.3.Installer.x64.exe
Token: SeSystemtimePrivilege	952	TabularEditor.3.Installer.x64.exe
Token: SeProfSingleProcessPrivilege	952	TabularEditor.3.Installer.x64.exe
Token: SeIncBasePriorityPrivilege	952	TabularEditor.3.Installer.x64.exe
Token: SeCreatePagefilePrivilege	952	TabularEditor.3.Installer.x64.exe
Token: SeCreatePermanentPrivilege	952	TabularEditor.3.Installer.x64.exe
Token: SeBackupPrivilege	952	TabularEditor.3.Installer.x64.exe
Token: SeRestorePrivilege	952	TabularEditor.3.Installer.x64.exe
Token: SeShutdownPrivilege	952	TabularEditor.3.Installer.x64.exe
Token: SeDebugPrivilege	952	TabularEditor.3.Installer.x64.exe
Token: SeAuditPrivilege	952	TabularEditor.3.Installer.x64.exe
Token: SeSystemEnvironmentPrivilege	952	TabularEditor.3.Installer.x64.exe
Token: SeChangeNotifyPrivilege	952	TabularEditor.3.Installer.x64.exe
Token: SeRemoteShutdownPrivilege	952	TabularEditor.3.Installer.x64.exe
Token: SeUndockPrivilege	952	TabularEditor.3.Installer.x64.exe
Token: SeSyncAgentPrivilege	952	TabularEditor.3.Installer.x64.exe
Token: SeEnableDelegationPrivilege	952	TabularEditor.3.Installer.x64.exe
Token: SeManageVolumePrivilege	952	TabularEditor.3.Installer.x64.exe
Token: SeImpersonatePrivilege	952	TabularEditor.3.Installer.x64.exe
Token: SeCreateGlobalPrivilege	952	TabularEditor.3.Installer.x64.exe
Token: SeCreateTokenPrivilege	952	TabularEditor.3.Installer.x64.exe
Token: SeAssignPrimaryTokenPrivilege	952	TabularEditor.3.Installer.x64.exe
Token: SeLockMemoryPrivilege	952	TabularEditor.3.Installer.x64.exe
Token: SeIncreaseQuotaPrivilege	952	TabularEditor.3.Installer.x64.exe
Token: SeMachineAccountPrivilege	952	TabularEditor.3.Installer.x64.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
952	TabularEditor.3.Installer.x64.exe
952	TabularEditor.3.Installer.x64.exe

Suspicious use of WriteProcessMemory 15 IoCs

description	pid	Process	procid_target
PID 5020 wrote to memory of 4084	5020	msiexec.exe	94
PID 5020 wrote to memory of 4084	5020	msiexec.exe	94
PID 5020 wrote to memory of 4084	5020	msiexec.exe	94
PID 952 wrote to memory of 1080	952	TabularEditor.3.Installer.x64.exe	108
PID 952 wrote to memory of 1080	952	TabularEditor.3.Installer.x64.exe	108
PID 952 wrote to memory of 1080	952	TabularEditor.3.Installer.x64.exe	108
PID 5020 wrote to memory of 1068	5020	msiexec.exe	109
PID 5020 wrote to memory of 1068	5020	msiexec.exe	109
PID 5020 wrote to memory of 1068	5020	msiexec.exe	109
PID 5020 wrote to memory of 4932	5020	msiexec.exe	110
PID 5020 wrote to memory of 4932	5020	msiexec.exe	110
PID 5020 wrote to memory of 4932	5020	msiexec.exe	110
PID 4932 wrote to memory of 820	4932	MsiExec.exe	111
PID 4932 wrote to memory of 820	4932	MsiExec.exe	111
PID 4932 wrote to memory of 820	4932	MsiExec.exe	111

C:\Users\Admin\AppData\Local\Temp\TabularEditor.3.Installer.x64.exe
"C:\Users\Admin\AppData\Local\Temp\TabularEditor.3.Installer.x64.exe"
1⤵
- Checks computer location settings
- Enumerates connected drives
- Modifies Control Panel
- Modifies system certificate store
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:952
- C:\Users\Admin\AppData\Local\Temp\TabularEditor.3.Installer.x64.exe
  "C:\Users\Admin\AppData\Local\Temp\TabularEditor.3.Installer.x64.exe" /i "C:\Users\Admin\AppData\Roaming\Tabular Editor ApS\Tabular Editor 3 3.14.0\install\E83AFAE\TabularEditor.3.Installer.x64.msi" AI_EUIMSI=1 APPDIR="C:\Program Files\Tabular Editor 3" SHORTCUTDIR="C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Tabular Editor 3" SECONDSEQUENCE="1" CLIENTPROCESSID="952" CHAINERUIPROCESSID="952Chainer" ACTION="INSTALL" EXECUTEACTION="INSTALL" CLIENTUILEVEL="0" ADDLOCAL="MainFeature" AGREE_CHECKBOX="Yes" PRIMARYFOLDER="APPDIR" ROOTDRIVE="F:\" AI_SETUPEXEPATH="C:\Users\Admin\AppData\Local\Temp\TabularEditor.3.Installer.x64.exe" SETUPEXEDIR="C:\Users\Admin\AppData\Local\Temp\" EXE_CMD_LINE="/exenoupdates /forcecleanup /wintime 1710604144 " TARGETDIR="F:\" AI_SETUPEXEPATH_ORIGINAL="C:\Users\Admin\AppData\Local\Temp\TabularEditor.3.Installer.x64.exe" AI_INSTALL="1"
  2⤵
  - Enumerates connected drives
  - Modifies system certificate store
  PID:1080

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Enumerates connected drives
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:5020
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding A49133C79C7BA0ED15E3EE28C8BBDFE9 C
  2⤵
  - Loads dropped DLL
  PID:4084
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding E7206AC1D51C834EB7C01B8E9FAF5AFC
  2⤵
  - Loads dropped DLL
  PID:1068
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding 4AE75290CACFD75968B617BC73EB10D8 E Global\MSI0000
  2⤵
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:4932
- - C:\Windows\SysWOW64\rundll32.exe
    rundll32.exe "C:\Windows\Installer\MSI99B3.tmp",zzzzInvokeManagedCustomActionOutOfProc SfxCA_240687609 306 TabularEditor3.Installer.CA!TabularEditor.Installer.CustomActions.RegisterWithPowerBI
    3⤵
    - Loads dropped DLL
    - Drops file in Program Files directory
    - Drops file in Windows directory
    PID:820

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Config.Msi\e588394.rbs

Filesize
41KB

MD5
f19396d05d6a299e8e8107ae6abfafb6

SHA1
02298b4284cd99381b39e856081d46a78da9da80

SHA256
68848ec22df8091c8fd5e8c464f828cf6bdc6ebd4f42b73df646ee610da27c7e

SHA512
59a621ab59bd84ecfa523ba85f63676b72643fee5ae9a592d90203e54d1b777ce0b811f8dc15a923b7f3c1f4931f54a12c99f60cf90fed1b0ab67ba8a6a3edaf

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\357F04AD41BCF5FE18FCB69F60C6680F_77CE493961898248548404A9747CAE7A

Filesize
1KB

MD5
87dcddee327f9a3694672aa3d4ea312d

SHA1
2e3bb0de63c7d63de0fe612e4b8b5a8c764d4241

SHA256
e757b5cb8ffeae4b5c6d86b09ca94e450cab1233f3b9c7ea5d95acaa5e736aa7

SHA512
df92040a60783a2809a1100d9f8cff4822ea783447040cd3447389cca6a8555ab6736f491d495fc700ccbc06065323e5f1a43734352a8a32550a9a9a72539080

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\9CB4373A4252DE8D2212929836304EC5_1AB74AA2E3A56E1B8AD8D3FEC287554E

Filesize
1KB

MD5
544ae7bb3d13a8a424d53b802af32a01

SHA1
52d011854e43388f5110bfc6969b1f8b65ab823f

SHA256
f51b9065fbe6f4812a02e5375d1ee7b0fcae4df0e8f1c86e16c5c5d95fffa30d

SHA512
085c9543b5231d868bebfe8ceb0fa75defde3299210a45062cdb7fa54186651a45c892a7bc171fc7d8ab5282db7d239018f386f30b8b76f85b5352931125ac5a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\357F04AD41BCF5FE18FCB69F60C6680F_77CE493961898248548404A9747CAE7A

Filesize
536B

MD5
e0ddd270b781837a135eb23c3d3d449f

SHA1
bd92e185eaf6f4ea1c1379e31d614d3a4110f26a

SHA256
757c3f127db06b838403d8b36722f33832c811294b3f71c91478b26ca3f6fbd2

SHA512
3dcce8e984534b0012985dbe8e6fc04b155c6a603f14c8222e1e588a52334cbdf03e9fda2471b58c7128338089d63e9a347620f7f29e9aa51328e3ae1756bf52

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\9CB4373A4252DE8D2212929836304EC5_1AB74AA2E3A56E1B8AD8D3FEC287554E

Filesize
536B

MD5
40503c4df9d11caa99bba4617427b02e

SHA1
63a7625806b3b70ec0f9395f59504c58734a4ad7

SHA256
38c60db5b96ee606d3ebe6b5c875585749015550243dc4d9901ecf8248ad8ba0

SHA512
59505b3434ef2bbc519f7f865d7a5060f5faaa16353c274c3c2a30c05d25549e5f2e234d966f91216fa27c3e4607d5c85741c3f51ce7e213f590779386054f3b

Download Submit
C:\Users\Admin\AppData\Local\Temp\AI_EXTUI_BIN_952\backgroundprepare

Filesize
134B

MD5
a0efb0e7b9cee25b09e09a1a64e96ba6

SHA1
0c1e18f6f5e6e5e6953e9fb99ca60fdec35d6e39

SHA256
f044f542bc46464054084c63596877f06c6e2c215c0e954c4ace9787ced82787

SHA512
7e53f9f564aaa529b3b15035671957c2923ec98ddee93758ea7a4c8645ee9058962078771b853e3490290fde1f57030dff5092d40d69418776ffee89f79c8a7c

Download Submit
C:\Users\Admin\AppData\Local\Temp\AI_EXTUI_BIN_952\checkbox

Filesize
1KB

MD5
0b044ccde7aa9d86e02a94030d744ac2

SHA1
0594ebb3737536703907ba5672ccd351c6afb98a

SHA256
bce5b6de3a1c7af7ec14b6643da25f7c9e15bd5f1c4a38abfcddc70a5e93bdd3

SHA512
dbfba793722589f1a76dbc75c9a2f3646733e4a079a6b70003716a7f7b8fa1a6a2b234ec9132f5737e91d20d460db1e29826b2d7ac740f73136975f19e336cd8

Download Submit
C:\Users\Admin\AppData\Local\Temp\AI_EXTUI_BIN_952\frame_bottom_left.bmp

Filesize
66B

MD5
1fb3755fe9676fca35b8d3c6a8e80b45

SHA1
7c60375472c2757650afbe045c1c97059ca66884

SHA256
384ebd5800becadf3bd9014686e6cc09344f75ce426e966d788eb5473b28aa21

SHA512
dee9db50320a27de65581c20d9e6cf429921ebee9d4e1190c044cc6063d217ca89f5667dc0d93faf7dcc2d931fe4e85c025c6f71c1651cbd2d12a43f915932c3

Download Submit
C:\Users\Admin\AppData\Local\Temp\AI_EXTUI_BIN_952\frame_bottom_mid.bmp

Filesize
66B

MD5
71fa2730c42ae45c8b373053cc504731

SHA1
ef523fc56f6566fbc41c7d51d29943e6be976d5e

SHA256
205209facdebf400319dbcb1020f0545d7564b9415c47497528593e344795afd

SHA512
ea4415619720cc1d9fb1bb89a14903bfd1471b89f9c4847df4839084aae573d49b4969d3799ad30ff25b71f6e31f8d9f30701e1240d3cd6a063819c04873f21f

Download Submit
C:\Users\Admin\AppData\Local\Temp\AI_EXTUI_BIN_952\frame_caption.bmp

Filesize
206B

MD5
8641f45594b8d413bf1da25ce59f1207

SHA1
afebb23f5a55d304d028ca9942526b3649cddb52

SHA256
0403ed31d75dcc182dd98f2b603da4c36b6325e9d159cac4371e1448244bb707

SHA512
86a5f959f8462f866466dc706d3ae627b1fb019b8a33ee7fe48e3b69f92bf33dc0f1417c0d5116552b25b488bcb5d9050a33773e6883ebe08410267d95b2353a

Download Submit
C:\Users\Admin\AppData\Local\Temp\AI_EXTUI_BIN_952\frame_left.bmp

Filesize
66B

MD5
30384472ae83ff8a7336b987292d8349

SHA1
85d3e6cffe47f5a0a4e1a87ac9da729537783cd0

SHA256
f545ec56bc9b690a6b952471669a8316e18274d64e2ebc9e365fcf44363a125a

SHA512
7611f930a0a1089cc5004203ec128c916f0c2aedae3a6fcc2eaffa8cd004dcbf154714e401947921a06896ca77c77daec7f9bda82369aacd3bb666f8a0331963

Download Submit
C:\Users\Admin\AppData\Local\Temp\AI_EXTUI_BIN_952\frame_left_inactive.bmp

Filesize
66B

MD5
4b84f29fbce81aab5af97a311d0e51e2

SHA1
60723cf4b91c139661db5ecb0964deca1fc196ea

SHA256
c93be5a7c979c534274fc1a965d26c126efa5d58c14066b14937e5aba3b9eb55

SHA512
775eadccc44fddbd1e0d4231bc90d222f0a9749199e1963449ad20285ea92941a5685cdc12c0cd8c0ef0a21e10bdacaf139e5c69cd5e402cc110679323c23df1

Download Submit
C:\Users\Admin\AppData\Local\Temp\AI_EXTUI_BIN_952\frame_top_left.bmp

Filesize
154B

MD5
1966f4308086a013b8837dddf88f67ad

SHA1
1b66c1b1ad519cad2a273e2e5b2cfd77b8e3a190

SHA256
17b5cd496d98db14e7c9757e38892883c7b378407e1f136889a9921abe040741

SHA512
ec50f92b77bca5117a9a262ba1951e37d6139b838099e1546ab2716c7bafb0fc542ce7f1993a19591c832384df01b722d87bb5a6a010091fc880de6e5cfa6c17

Download Submit
C:\Users\Admin\AppData\Local\Temp\AI_EXTUI_BIN_952\frame_top_mid.bmp

Filesize
66B

MD5
4e0ac65606b6aacd85e11c470ceb4e54

SHA1
3f321e3bbde641b7733b806b9ef262243fb8af3b

SHA256
1d59fe11b3f1951c104f279c1338fc307940268971d016ebe929a9998a5038ee

SHA512
7b28bcb4e76af3b863a7c3390b6cd3316c4631434e1d1e2df8d6e0eb9987a61a4f1a24de59567394e346d45e332403a0817ed0b0b64d7a624dbe48e30db9bb64

Download Submit
C:\Users\Admin\AppData\Local\Temp\AI_EXTUI_BIN_952\logotransp.png

Filesize
2KB

MD5
591181aa7b9e1df21a5b5e1ea49092bc

SHA1
0b62267faa9b131d82ef355724e5579cb3e1bb4c

SHA256
26b881052c0b2287b4e5de4fb23d4e7bf99a5104eb8d6080445ffc5877e922e3

SHA512
3d3a7dc5b877fb20cec9810731be412c187a43710e29eb9775ae97ad7afd066f33fa84dab73854fdb4103dd4f81af96831c736105e7b8e437d5ee959da81811e

Download Submit
C:\Users\Admin\AppData\Local\Temp\AI_EXTUI_BIN_952\nextcancelbuttons.xaml

Filesize
1KB

MD5
3dec9f3886a7d180b1da7a72541dbf81

SHA1
07f3ba034be78970a86d055daed59bf7d87f8d21

SHA256
fb1c5df8785650b20612b61a66ecbda5e1ed323d6c8ac45b2ebccbe9193779f8

SHA512
0250b81a2795fcac69e3f2c95bdff406f01ff207e81bead96b2739f28e26dd2d97d82cccbfbd92b7141b1eabd2310db048618fef1cc5261fdff212d19bb910bf

Download Submit
C:\Users\Admin\AppData\Local\Temp\AI_EXTUI_BIN_952\sys_close_hot.png

Filesize
276B

MD5
17242d201d004bb34449aab0428d2df1

SHA1
77a332c6a6c4bfc47a2120203cfeabb8a2268a6b

SHA256
15405855866fa2b7c60afbc8ba720aae8f2ba7fb60bfa641dc9d10361e56f033

SHA512
605a97e2614c664417d53263be21c67b1504a46ee61b92b0a84ac18a7baab05eb56b72d4cf27372ae6c157928080ba16e24081e95458eb122ba18f3722c2d21f

Download Submit
C:\Users\Admin\AppData\Local\Temp\AI_EXTUI_BIN_952\sys_close_normal.png

Filesize
225B

MD5
8ba33e929eb0c016036968b6f137c5fa

SHA1
b563d786bddd6f1c30924da25b71891696346e15

SHA256
bbcac1632131b21d40c80ff9e14156d36366d2e7bb05eed584e9d448497152d5

SHA512
ba3a70757bd0db308e689a56e2f359c4356c5a7dd9e2831f4162ea04381d4bbdbef6335d97a2c55f588c7172e1c2ebf7a3bd481d30871f05e61eea17246a958e

Download Submit
C:\Users\Admin\AppData\Local\Temp\AI_EXTUI_BIN_952\sys_min_hot.png

Filesize
180B

MD5
1a883668b735248518bfc4eefd248113

SHA1
1112803a0558a1ad049d1cac6b8a9d626b582606

SHA256
bcbb601daa5a139419f3cd0f6084615574c41b837426ebff561b7846dfec038e

SHA512
d321878ed517544c815fd0236bdff6fcb6da5c5c3658338afba646f1d8f2e246c6c880d4f592ff574a18f9efdf160e5772bbf876fb207c8fd25c1f9dd9ddfd04

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSI45A5.tmp

Filesize
738KB

MD5
36cd2870d577ff917ba93c9f50f86374

SHA1
e51baf257f5a3c3cd7b68690e36945fa3284e710

SHA256
8d3e94c47af3da706a9fe9e4428b2fefd5e9e6c7145e96927fffdf3dd5e472b8

SHA512
426fe493a25e99ca9630ad4706ca5ac062445391ab2087793637339f3742a5e1af2cedb4682babc0c4e7f9e06fed0b4ed543ddeb6f4e6f75c50349c0354aceda

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSI480A.tmp

Filesize
870KB

MD5
65b853552e16654c53ab4d16920a9182

SHA1
9f8182ef1b58d0d52f4faf1688d4f4e9dd8af5c5

SHA256
80c5e769470bb98c5b1ec3be0a9a51f0821c67e9adc7e3e254bbc41183ceb76f

SHA512
b56c00e78ca901738a4a067709c772cfbdf10d3a049af4e7eb6bd7a0cb0629472d7798dabb0eb82958ae90cd71acc79e5cbc3d26b0f42d3cc7cc8ec2236aa54a

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSI480A.tmp

Filesize
857KB

MD5
7640ccc9fc74039031cd166ad017a693

SHA1
60dd7054e3623fa2c110af6a06acdf9f2ead7581

SHA256
b9ef3913cba5d99e85859ef6a58c92ae4ea4d63de9388844f4051898c03de636

SHA512
7df71f3e078e18af13dcc47d86917d05dd46278eecea4bf70ef5e570a1ba1a1350c70ff5cf9f71fc1d7cf235be39464dfc7cb1d623e900ddcb8b251cf5841459

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSI4898.tmp

Filesize
704KB

MD5
6820f0c6e8c5f583e27dd3949162e28e

SHA1
0df92a41fdeabdf852b2d44791f3fb3a8b6861e5

SHA256
10395f8db878c438e6cdbf2b9ceea96b591f707c14bcb317668266a35dde4e39

SHA512
e7de4d86652a61628a4291c3c8b723b6586a560a3b6acbba95df70df2b05f175fc523f3d96388d4e46f1b058c6469b7a0b8b442a264975a5d701f8fb35be207f

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSI48B8.tmp

Filesize
575KB

MD5
130fceb436a50494f250ab51d52e8127

SHA1
4f6b454d8a80b50cca638455c30556a8939ecccb

SHA256
b7fc4698ad82f682a41f96a7ebb5b9340977796b5d11cdd603b84a4e6bf55060

SHA512
3a17792e58a6de13129ce99824d8dbf9c30854c60df4a64114e28154f4b192ecb02e126d4569450a63d6dffd77e61b9c23cb3bc7f529d2fc75a5a011bf9fdf24

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSI48B8.tmp

Filesize
274KB

MD5
f97b694439439dee79749589b3d03db9

SHA1
505d5b374ab7705a46a3b5abe500ae45f0a339c4

SHA256
1a9b255c311d6588478ea0a15295c31909559e4e6affea06ff4268f456fbfda5

SHA512
d06c4f1e5c38e633648a6094f2bfb40ef84d735b05cda75a116b271c4d6aef9b7feedfc9b6e941ec93fd2bd251cf9cb1e8ff195e0790bfbc11c300021f4ead66

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSI48C9.tmp

Filesize
292KB

MD5
aeafe5358616f28a3840e9cde5b3db43

SHA1
105359641094b4a0c47c39b9ccedbe468bc787c1

SHA256
e21e8cb96949c5bdd61ca68be091428c3d903c56f3e14833b77971d66dec5d7b

SHA512
41a6b783ce6ca13a0029fad7474e9f23d090202f7306d9c7380524f423aba574360291c35c1e61067ea58661c9d3d8d571496bc438ba8af6e0a22fca864297cc

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSI48C9.tmp

Filesize
396KB

MD5
c3f90aa25de6ad101929571b3b21696e

SHA1
75445fbb0f5289a4424344354a696e8dcc6f21ef

SHA256
23780cd0e51170ebd6a2f985d0e0ba0d74abf9f3ee3320f8974231d01a722c46

SHA512
a3420387ee47b583a47e37b8ffc81b194c41a70e2c3f6f1919c69f8f48a352192c29ad8b9fddb348e318cb9e7925d06b5c32fa72dcc2184aa9d18deb5bb0ff90

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSI48D9.tmp

Filesize
227KB

MD5
874005cdd6a2c5edccab1c8e4fb2420b

SHA1
d32f52fdd422dac099917dd79ca1b2e6985bbcdd

SHA256
d2d639154c1996acce403d99f4180086d6f38b69029fd97cf8d357108334cec4

SHA512
e0ff014c2512b92228c7e2d9dec9195b947f54bc46ff480f6a04a9d9686282108580926e758624fb5e466f0298ed3db17ba2100f63c12f965dd16fb7779ae94b

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSI48D9.tmp

Filesize
293KB

MD5
074d37b966bc60d2eeb60170c92f225c

SHA1
1255c89819c8ba5b8b935d5438b8ee30547b099f

SHA256
78ca50cc97b44e60ae54ddd31778be4afd1668aec4f2f5ff00ff2c004e06a82f

SHA512
bfc306be74d39ea6565165d4210de44b6a28519884e621125a46c3c3494e01151a44ae0ba60ba8058aac2e96129012a3f1c473da23d7f99ce52ddca424ba0382

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSI48DA.tmp

Filesize
322KB

MD5
d05efc4f7bc547a075f4bb4b5156c12a

SHA1
c4ce43e601c728137221632e196548f4dd8a59cd

SHA256
3353e4cd2bcbd268d9431eec9f82ed549c3d314020f72d58a90fd8ee20938977

SHA512
4f039ce50e954497dec8bf8a7586b84ce7f968bd4d29f23704197a3d87e7c887866e9651ef67ba6323a4d6212dba3e7bc5930c539c258864fc1f77425004eef6

Download Submit
C:\Users\Admin\AppData\Local\Temp\shi82D7.tmp

Filesize
4.8MB

MD5
77d6c08c6448071b47f02b41fa18ed37

SHA1
e7fdb62abdb6d4131c00398f92bc72a3b9b34668

SHA256
047e2df9ccf0ce298508ee7f0db0abcb2ff9cff9916b6e8a1fbd806b7a9d064b

SHA512
e1aeb8e8b441d755a119f45a465ca5660678f4131984322252bfb6d2cec52e7ee54d65a64b98429b23915eb5707b04b5cd62a85446c60de8842314130a926dbd

Download Submit
C:\Users\Admin\AppData\Roaming\Tabular Editor ApS\Tabular Editor 3 3.14.0\install\E83AFAE\ActiveDirectoryObjectPicker.dll

Filesize
45KB

MD5
39fa5cd144737aee098f48258de8dad8

SHA1
7ea40f9b33031d2aff0c2b58e69adbe8e6e8aca1

SHA256
c1e545f25e48e5f5ea3e61d55cbb7d062f8ab423ac479a9248b5b7de20c6e89f

SHA512
8ff55d9ab6f49ae1443fe733a31d86f5bfc4fcd87bf9e88adc9db0d910576b03d5700a03fb122f715b6d0a6d1a959b2d00cfa813fa9c3a67878e74cffd9f7f86

Download Submit
C:\Users\Admin\AppData\Roaming\Tabular Editor ApS\Tabular Editor 3 3.14.0\install\E83AFAE\Antlr4.Runtime.Standard.dll

Filesize
187KB

MD5
49d915161226b746c6d87dd2972fec5c

SHA1
81e790793e4a766357b8a70065e2cc004bbe6b97

SHA256
0440e3d2c5906326e04df87d6a5272192b7d29099901ba4215ca9e0f5dca7591

SHA512
b7c7b29fa8919208896ea53940b56588a8f9e22c8e480571fd6d33e376c56bbbd5f0b605a8927361f4f8934bc83bfb41828a90f23740d721b82d86656b3967ef

Download Submit
C:\Users\Admin\AppData\Roaming\Tabular Editor ApS\Tabular Editor 3 3.14.0\install\E83AFAE\Azure.Core.dll

Filesize
368KB

MD5
65af139bcad87a3463fb776f51f60530

SHA1
01fc61e3f0d31fdc4d444efaed23a22451890c24

SHA256
9fdf65a3649bd909a2ec6182ed57a871ff8cef4e17469f1ff8f057969b7d5bcc

SHA512
612ed8454cf897a55b2d1ab4a8a6f3bbe586d7f96136910c41aa62d773e926f4f2188773ca7770753b61eef9cd59c27f5ec407596aaebee7898b53c1ebc01668

Download Submit
C:\Users\Admin\AppData\Roaming\Tabular Editor ApS\Tabular Editor 3 3.14.0\install\E83AFAE\Azure.Identity.dll

Filesize
327KB

MD5
462482b966b07f3b3917f6fe6bc22f2e

SHA1
7dbbe0840e8e6d7ebd541c167b2967770773245f

SHA256
fc2a610675b1803176706e7efff8c6242da082e4df4efe3b3bf37d65e476535d

SHA512
c6fbefef1a349b4dfdb7c02eb45decf59f89aef50149bc2ee92e8dc3790e8e8b3b98e0a8c73f7b62eb715181d8946aa18b86dd79210d046f0b4278f120c9e018

Download Submit
C:\Users\Admin\AppData\Roaming\Tabular Editor ApS\Tabular Editor 3 3.14.0\install\E83AFAE\CliWrap.dll

Filesize
190KB

MD5
3fbb8c6b84d76feb14686644806c3553

SHA1
b925496a37ab83818b365f4b8c711748ad99106e

SHA256
de800fd420c11e35b2b9abadbd643eb8ce8c0ba3c6949f50d49dc364c590f211

SHA512
abed4e8da222a962b60a564bfdfc853139f34fb21743dcece10f0eff987e52d4a7a89097c0d08df1f685549e8bc0eb5470bc19fe40fd89ea11be7810d37eba99

Download Submit
C:\Users\Admin\AppData\Roaming\Tabular Editor ApS\Tabular Editor 3 3.14.0\install\E83AFAE\CommonFilesFolder\Microsoft Shared\Power BI Desktop\External Tools\tabulareditor3.pbitool.json

Filesize
1KB

MD5
1364cf6a363b4eda89aa34d96cea9613

SHA1
53ab33a7c0fadc9843752da5b85befb2f463e257

SHA256
7aa74334f6518f38760d30512877989f8f0b9992c194f20380a69fef012018f3

SHA512
c3d657ab00226c3a34f3c9cdb837dc20390fe16a6b0d6aba62b3a4b261e35193cc984c697058d52f4d23144bcc9bcc65a1ee9e622de79c503e473827c03816c7

Download Submit
C:\Users\Admin\AppData\Roaming\Tabular Editor ApS\Tabular Editor 3 3.14.0\install\E83AFAE\Dax.Analyzer.dll

Filesize
767KB

MD5
bea73ff5cd7f07e572429c6f34b6cefc

SHA1
0ad4704d26271929a5bd12223fdaf23bd46eee60

SHA256
34625653a3e9b0f06f35400b0fd8dd9a3f4cabe8b2bf3bdb4547fff1f0ac79af

SHA512
279f2d8c52065d08d428e705fea2bac21379f5fda7d3be5f09f1444313f4e44bb66364ab13c9389acbe6782acccf234468578e64623f016f985f02ab97393050

Download Submit
C:\Users\Admin\AppData\Roaming\Tabular Editor ApS\Tabular Editor 3 3.14.0\install\E83AFAE\Dax.Debugger.dll

Filesize
154KB

MD5
a4fad9e875353dbb5a14e238f6140071

SHA1
ee446fb4f764409a272976b0c7306057d5966a27

SHA256
12a11e2afc7bf393291e36fddfe236790133b66c27bb1173d4be00e03cfd9af2

SHA512
e2dcc7e48d52d6f60033fe9743f2dfde9ca986b71c7beab5746ebf3e2418bfc729df890f498235a484b86a786fc3d3ac86c5989d64bb86942b768fbebee7870d

Download Submit
C:\Users\Admin\AppData\Roaming\Tabular Editor ApS\Tabular Editor 3 3.14.0\install\E83AFAE\Dax.Formatter.dll

Filesize
43KB

MD5
604b66ca5a16d21aff367c4d66b6698f

SHA1
977ea0e78dcf8a16fd288511bba05fa7e8b0c816

SHA256
c38817182547ec34a6d3ad943254c269f0b2a1674ae0e94776296fed552602b3

SHA512
397f25dfaeda059208474d1a507c281c269ee1c63076b372e3559d340670490e7e5827be3d459520581504bda5bd9fc9db4c1526cacc793784ac6944e9ccad55

Download Submit
C:\Users\Admin\AppData\Roaming\Tabular Editor ApS\Tabular Editor 3 3.14.0\install\E83AFAE\Dax.Metadata.dll

Filesize
40KB

MD5
f443e639f18a1f2aa8729f9dfe1e48aa

SHA1
c82f91f8c04a8fcbc6074f6f9eb9cc4cdf78e9b6

SHA256
0b62d717e5267d23185fe9f0926e8ed053fb7d98f32ffe5dbd94cf1c0a68341a

SHA512
4176438c3c8fd54683bfb1625b4a8012d76eec0aa60c4b046672fd17c964ab39537820e7cbbd0ddca832f4e64d50096d3d1e8f88a2655311a960322c2a03a8f5

Download Submit
C:\Users\Admin\AppData\Roaming\Tabular Editor ApS\Tabular Editor 3 3.14.0\install\E83AFAE\Dax.Model.Extractor.dll

Filesize
62KB

MD5
2a0cf556cecf1d4d2367f3f2c5e0c401

SHA1
63466905f01fb913b1bdc244ab23409bebb3f3ae

SHA256
9d7226ffd30349502ca70c0a31f9c3db620656532f9cb4bd6172e052fad81049

SHA512
355a90db3eb0c5ddc36d008cdf745aad5c78bcd88d06d173c98481ee77725d66cc082d52f2ca1c4c6632a49fdb2e34d7bc07f827fedc9279a1b3d40cad26dedd

Download Submit
C:\Users\Admin\AppData\Roaming\Tabular Editor ApS\Tabular Editor 3 3.14.0\install\E83AFAE\Dax.ViewVpaExport.dll

Filesize
22KB

MD5
1c4f95fee7930c0916c53db8bf41d843

SHA1
768f14a40185c745e45df20867c21fdb10eee9d1

SHA256
960613bbed6bcada35b68183350f041e2743fc82854cd6a44f884c5a0c157137

SHA512
16b9cbc54208fdf988ca5ad1afcb852c922ae60081ea27c4e21d00f4802c7616747b2cb70695af8bff809496d4dd015fdcb1605dd991600f3480e93d0bd3621b

Download Submit
C:\Users\Admin\AppData\Roaming\Tabular Editor ApS\Tabular Editor 3 3.14.0\install\E83AFAE\Dax.Vpax.dll

Filesize
11KB

MD5
fa53a0f93fabf75d4e375331c279f375

SHA1
10f00db5171db94ec9707838f81062f2ac32cfc2

SHA256
81669b1d9d949f8c30367f5b7e99052f9f0869987ead0b3afb314407982ff892

SHA512
7e8d574b92b43d0e61a8bf42f15a21421010cb29403a185fa75a3d251e3533a2aa9b6e849e19cf8c061c01a771578b2cff3fffa7bf7647a5a8d5bec5db705f6e

Download Submit
C:\Users\Admin\AppData\Roaming\Tabular Editor ApS\Tabular Editor 3 3.14.0\install\E83AFAE\Daxscilla.dll

Filesize
157KB

MD5
a9fbd6d69b925016b649ef9289718dd8

SHA1
598b38919ab2f8c07adcc325b33c7665af1213d1

SHA256
d0052ce1312dbccdef512ea2d49ddb0b148d3d115e5b86f5cf831e011b76d0b5

SHA512
b6b8c6a9f2f96fec629bccc0e946cf86943f6c13b5b0c65268dff9aae476426b64a09e4bb944719ce48110e179305a6965f406e951d4bb09d7e1708f1a97eb57

Download Submit
C:\Users\Admin\AppData\Roaming\Tabular Editor ApS\Tabular Editor 3 3.14.0\install\E83AFAE\TabularEditor.3.Installer.x64.msi

Filesize
2.9MB

MD5
e01ce5b01a88973f8a75439f0bfb100b

SHA1
ee2d005de59f2ecfafd3c7b90d88c9d2af9eb2f6

SHA256
4cddf97da4c1df1963a93c8261e6756a9151668ce4508d5eb54df6bcd085449c

SHA512
86f24fcd95d5433df4d26b84f398981abf97e0ad765db843ce2c5c957701cad5c9a7377460530f1721f5a311fbc74e3b90b4b4ee76e83effcdc00773b5ed16cc

Download Submit
C:\Users\Admin\AppData\Roaming\Tabular Editor ApS\Tabular Editor 3 3.14.0\install\E83AFAE\TabularEditor3.exe

Filesize
173KB

MD5
5cf05606ad7f1f7796c7dfb2e96ddde3

SHA1
1a7b24f82f03630ff8b9fd8588f31915bcb1c542

SHA256
a8a5d18404ed54f03bc6ccacabedf2408a4887c27277d5a2ab8f8ef9d7a61414

SHA512
b4beb0c778c88247cf4048bfa532da9e88da569f57288a64dd690adb2a8cf9db95de4697be74f2bd1e1940a5173c0fdb9b188611e87b12751a2aea650bd73e3a

Download Submit
C:\Windows\Installer\MSI99B3.tmp-\Newtonsoft.Json.dll

Filesize
685KB

MD5
081d9558bbb7adce142da153b2d5577a

SHA1
7d0ad03fbda1c24f883116b940717e596073ae96

SHA256
b624949df8b0e3a6153fdfb730a7c6f4990b6592ee0d922e1788433d276610f3

SHA512
2fdf035661f349206f58ea1feed8805b7f9517a21f9c113e7301c69de160f184c774350a12a710046e3ff6baa37345d319b6f47fd24fbba4e042d54014bee511

Download Submit
memory/820-700-0x0000000002D10000-0x0000000002D3E000-memory.dmp

Filesize
184KB

Download
memory/820-702-0x00000000052F0000-0x0000000005300000-memory.dmp

Filesize
64KB

Download
memory/820-703-0x00000000052F0000-0x0000000005300000-memory.dmp

Filesize
64KB

Download
memory/820-705-0x00000000052F0000-0x0000000005300000-memory.dmp

Filesize
64KB

Download
memory/820-704-0x00000000052F0000-0x0000000005300000-memory.dmp

Filesize
64KB

Download
memory/820-707-0x0000000002D50000-0x0000000002D58000-memory.dmp

Filesize
32KB

Download
memory/820-709-0x00000000051F0000-0x00000000052A0000-memory.dmp

Filesize
704KB

Download
memory/820-713-0x0000000005170000-0x0000000005192000-memory.dmp

Filesize
136KB

Download
memory/820-724-0x000000006E870000-0x000000006F020000-memory.dmp

Filesize
7.7MB

Download
memory/820-701-0x000000006E870000-0x000000006F020000-memory.dmp

Filesize
7.7MB

Download