bc5279c15d0c9b8cc1583bf81ae78a19adcbf0abb06b59c7b7a7c2687982b765

Analysis

max time kernel
150s
max time network
134s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
02-10-2024 21:16

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

bc5279c15d0c9b8cc1583bf81ae78a19adcbf0abb06b59c7b7a7c2687982b765N.exe
Size

3.0MB
MD5

7d4a6c4214a6d05d394ca3c03e47f560
SHA1

04992f0fb9673fee971efad7dc66fe525f2ff131
SHA256

bc5279c15d0c9b8cc1583bf81ae78a19adcbf0abb06b59c7b7a7c2687982b765
SHA512

ad84a05c4f7031bb45a3e47a056db418bb14adabb049ae23ea2630c9f010f13c2d7633bdf12a2b77fa5a2406f858e795f5d2fbe2a7fbd3a14ae5a602ef95be27
SSDEEP

98304:tX4s991Yn2bfnLTccGEE7kc7EFZFh8e01mh:lT991O2DtQIc7EZh8Ih

Score

10^/10

discovery evasion persistence

Malware Config

Signatures

Modifies visiblity of hidden/system files in Explorer 2 TTPs 2 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	explorer.exe

Downloads MZ/PE file

Checks BIOS information in registry 2 TTPs 2 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate	partitionwizard.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	partitionwizard.exe

Executes dropped EXE 26 IoCs

pid	Process
2000	bc5279c15d0c9b8cc1583bf81ae78a19adcbf0abb06b59c7b7a7c2687982b765n.exe
2344	bc5279c15d0c9b8cc1583bf81ae78a19adcbf0abb06b59c7b7a7c2687982b765n.tmp
2580	icsys.icn.exe
2356	explorer.exe
2816	spoolsv.exe
2736	svchost.exe
1916	spoolsv.exe
2952	SmDownloader.exe
2320	SmDownloader.exe
2020	pwfree-64bit-online.exe
316	pwfree-64bit-online.tmp
2208	updatechecker.exe
1916	pw_sm_setup_x64.exe
2664	pw_sm_setup_x64.tmp
2348	testOpenGL.exe
1052	initsrv.exe
1944	BootTrigger.exe
1584	experience.exe
1708	AgentService.exe
2800	AgentService.exe
2820	AgentService.exe
2292	SchedulerService.exe
2620	SchedulerService.exe
2224	SchedulerService.exe
1496	experience.exe
956	partitionwizard.exe

Loads dropped DLL 64 IoCs

pid	Process
292	bc5279c15d0c9b8cc1583bf81ae78a19adcbf0abb06b59c7b7a7c2687982b765N.exe
2000	bc5279c15d0c9b8cc1583bf81ae78a19adcbf0abb06b59c7b7a7c2687982b765n.exe
292	bc5279c15d0c9b8cc1583bf81ae78a19adcbf0abb06b59c7b7a7c2687982b765N.exe
2580	icsys.icn.exe
2356	explorer.exe
2816	spoolsv.exe
2736	svchost.exe
2344	bc5279c15d0c9b8cc1583bf81ae78a19adcbf0abb06b59c7b7a7c2687982b765n.tmp
2344	bc5279c15d0c9b8cc1583bf81ae78a19adcbf0abb06b59c7b7a7c2687982b765n.tmp
2344	bc5279c15d0c9b8cc1583bf81ae78a19adcbf0abb06b59c7b7a7c2687982b765n.tmp
2344	bc5279c15d0c9b8cc1583bf81ae78a19adcbf0abb06b59c7b7a7c2687982b765n.tmp
2344	bc5279c15d0c9b8cc1583bf81ae78a19adcbf0abb06b59c7b7a7c2687982b765n.tmp
2344	bc5279c15d0c9b8cc1583bf81ae78a19adcbf0abb06b59c7b7a7c2687982b765n.tmp
2952	SmDownloader.exe
2320	SmDownloader.exe
2320	SmDownloader.exe
2952	SmDownloader.exe
2320	SmDownloader.exe
2952	SmDownloader.exe
2952	SmDownloader.exe
2020	pwfree-64bit-online.exe
316	pwfree-64bit-online.tmp
316	pwfree-64bit-online.tmp
316	pwfree-64bit-online.tmp
1196	Process not Found
1196	Process not Found
1196	Process not Found
1196	Process not Found
316	pwfree-64bit-online.tmp
2208	updatechecker.exe
2208	updatechecker.exe
2208	updatechecker.exe
2208	updatechecker.exe
2208	updatechecker.exe
2208	updatechecker.exe
2320	SmDownloader.exe
1916	pw_sm_setup_x64.exe
2664	pw_sm_setup_x64.tmp
2664	pw_sm_setup_x64.tmp
2664	pw_sm_setup_x64.tmp
1196	Process not Found
1196	Process not Found
1196	Process not Found
1196	Process not Found
2664	pw_sm_setup_x64.tmp
288	Process not Found
2348	testOpenGL.exe
2348	testOpenGL.exe
2348	testOpenGL.exe
2348	testOpenGL.exe
2348	testOpenGL.exe
2348	testOpenGL.exe
2348	testOpenGL.exe
2348	testOpenGL.exe
2348	testOpenGL.exe
2348	testOpenGL.exe
2348	testOpenGL.exe
2348	testOpenGL.exe
2348	testOpenGL.exe
2348	testOpenGL.exe
2348	testOpenGL.exe
2348	testOpenGL.exe
2348	testOpenGL.exe
2348	testOpenGL.exe

Adds Run key to start application 2 TTPs 5 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MTPW = "\"C:\\Program Files\\MiniTool Partition Wizard 12\\updatechecker.exe\""	pwfree-64bit-online.tmp
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\resources\\themes\\explorer.exe RO"	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\resources\\svchost.exe RO"	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\resources\\themes\\explorer.exe RO"	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\resources\\svchost.exe RO"	svchost.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in System32 directory 5 IoCs

description	ioc	Process
File created	C:\Windows\system32\pwdrvio.sys	partitionwizard.exe
File opened for modification	C:\Windows\SysWOW64\explorer.exe	explorer.exe
File opened for modification	C:\Windows\SysWOW64\explorer.exe	svchost.exe
File created	C:\Windows\system32\pwdspio.sys	partitionwizard.exe
File opened for modification	C:\Windows\system32\pwdspio.sys	partitionwizard.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\MiniTool ShadowMaker\QtQuick\Controls\Styles\Base\images\is-3HK12.tmp	pw_sm_setup_x64.tmp
File created	C:\Program Files\MiniTool ShadowMaker\QtQuick\Controls.2\Fusion\is-I8S30.tmp	pw_sm_setup_x64.tmp
File opened for modification	C:\Program Files\MiniTool Partition Wizard 12\diskspd\diskspd64.exe	pwfree-64bit-online.tmp
File opened for modification	C:\Program Files\MiniTool Partition Wizard 12\7z.exe	pwfree-64bit-online.tmp
File opened for modification	C:\Program Files\MiniTool ShadowMaker\WinPE\SchedulerService.exe	pw_sm_setup_x64.tmp
File opened for modification	C:\Program Files\MiniTool ShadowMaker\DISM5_x86\compatprovider.dll	pw_sm_setup_x64.tmp
File created	C:\Program Files\MiniTool ShadowMaker\QtGraphicalEffects\is-HF7QS.tmp	pw_sm_setup_x64.tmp
File created	C:\Program Files\MiniTool ShadowMaker\QtQuick\Controls\Styles\Base\is-4HFIP.tmp	pw_sm_setup_x64.tmp
File created	C:\Program Files\MiniTool ShadowMaker\WinPE\is-NNRAR.tmp	pw_sm_setup_x64.tmp
File opened for modification	C:\Program Files\MiniTool ShadowMaker\WinPE\DISM5_x64\api-ms-win-downlevel-shlwapi-l1-1-1.dll	pw_sm_setup_x64.tmp
File opened for modification	C:\Program Files\MiniTool ShadowMaker\DISM5_x64\wimgapi.dll	pw_sm_setup_x64.tmp
File created	C:\Program Files\MiniTool ShadowMaker\DISM5_x86\is-HVT5R.tmp	pw_sm_setup_x64.tmp
File created	C:\Program Files\MiniTool ShadowMaker\QtQuick3D\Materials\maps\is-NADL5.tmp	pw_sm_setup_x64.tmp
File created	C:\Program Files\MiniTool ShadowMaker\QtWebEngine\Controls1Delegates\is-MABID.tmp	pw_sm_setup_x64.tmp
File created	C:\Program Files\MiniTool ShadowMaker\Resources\is-EB6M4.tmp	pw_sm_setup_x64.tmp
File created	C:\Program Files\MiniTool Partition Wizard 12\is-9E3B5.tmp	pwfree-64bit-online.tmp
File opened for modification	C:\Program Files\MiniTool ShadowMaker\DISM5_x86\api-ms-win-downlevel-advapi32-l1-1-1.dll	pw_sm_setup_x64.tmp
File created	C:\Program Files\MiniTool ShadowMaker\is-8S3HJ.tmp	pw_sm_setup_x64.tmp
File created	C:\Program Files\MiniTool ShadowMaker\is-EVQP3.tmp	pw_sm_setup_x64.tmp
File created	C:\Program Files\MiniTool ShadowMaker\QtQuick3D\Materials\maps\is-N5P6R.tmp	pw_sm_setup_x64.tmp
File opened for modification	C:\Program Files\MiniTool ShadowMaker\api-ms-win-core-sysinfo-l1-1-0.dll	pw_sm_setup_x64.tmp
File created	C:\Program Files\MiniTool ShadowMaker\QtQuick3D\Helpers\is-846JN.tmp	pw_sm_setup_x64.tmp
File opened for modification	C:\Program Files\MiniTool ShadowMaker\WinPE\DISM5_x64\api-ms-win-downlevel-kernel32-l2-1-0.dll	pw_sm_setup_x64.tmp
File created	C:\Program Files\MiniTool ShadowMaker\QtQuick\Controls\is-TR9KA.tmp	pw_sm_setup_x64.tmp
File created	C:\Program Files\MiniTool ShadowMaker\QtQuick\Controls\is-FSE9V.tmp	pw_sm_setup_x64.tmp
File created	C:\Program Files\MiniTool ShadowMaker\QtQuick\Controls\Styles\Desktop\is-2FQDM.tmp	pw_sm_setup_x64.tmp
File created	C:\Program Files\MiniTool ShadowMaker\Resources\is-D0L67.tmp	pw_sm_setup_x64.tmp
File created	C:\Program Files\MiniTool ShadowMaker\WinPE\translations\is-PIOPK.tmp	pw_sm_setup_x64.tmp
File created	C:\Program Files\MiniTool ShadowMaker\QtWebEngine\Controls1Delegates\is-BSQ49.tmp	pw_sm_setup_x64.tmp
File created	C:\Program Files\MiniTool ShadowMaker\translations\qtwebengine_locales\is-2PASO.tmp	pw_sm_setup_x64.tmp
File opened for modification	C:\Program Files\MiniTool ShadowMaker\WinPE\qtservice.dll	pw_sm_setup_x64.tmp
File opened for modification	C:\Program Files\MiniTool ShadowMaker\WinPE\x86\wimserv.exe	pw_sm_setup_x64.tmp
File opened for modification	C:\Program Files\MiniTool ShadowMaker\QtWinExtras\qml_winextras.dll	pw_sm_setup_x64.tmp
File created	C:\Program Files\MiniTool ShadowMaker\is-ILSDP.tmp	pw_sm_setup_x64.tmp
File created	C:\Program Files\MiniTool ShadowMaker\QtQuick\Controls.2\Universal\is-P6EPL.tmp	pw_sm_setup_x64.tmp
File created	C:\Program Files\MiniTool ShadowMaker\QtQuick\Extras\is-RUAEI.tmp	pw_sm_setup_x64.tmp
File opened for modification	C:\Program Files\MiniTool ShadowMaker\imageformats\qico.dll	pw_sm_setup_x64.tmp
File created	C:\Program Files\MiniTool ShadowMaker\QtQuick\Controls\Styles\Desktop\is-HDVVV.tmp	pw_sm_setup_x64.tmp
File created	C:\Program Files\MiniTool ShadowMaker\QtQuick\Controls.2\Material\is-L9BVE.tmp	pw_sm_setup_x64.tmp
File created	C:\Program Files\MiniTool ShadowMaker\QtQuick3D\Materials\is-88GIC.tmp	pw_sm_setup_x64.tmp
File created	C:\Program Files\MiniTool ShadowMaker\QtQuick3D\Materials\maps\is-RETIS.tmp	pw_sm_setup_x64.tmp
File created	C:\Program Files\MiniTool Partition Wizard 12\is-4HJIH.tmp	pwfree-64bit-online.tmp
File created	C:\Program Files\MiniTool ShadowMaker\QtQml\WorkerScript.2\is-4JV2N.tmp	pw_sm_setup_x64.tmp
File created	C:\Program Files\MiniTool ShadowMaker\QtQuick\Controls\Styles\Desktop\is-AS2D2.tmp	pw_sm_setup_x64.tmp
File created	C:\Program Files\MiniTool ShadowMaker\WinPE\is-KB7HD.tmp	pw_sm_setup_x64.tmp
File created	C:\Program Files\MiniTool ShadowMaker\WinPE\is-06OLD.tmp	pw_sm_setup_x64.tmp
File opened for modification	C:\Program Files\MiniTool ShadowMaker\WinPE\DISM5_x86\api-ms-win-downlevel-advapi32-l2-1-0.dll	pw_sm_setup_x64.tmp
File opened for modification	C:\Program Files\MiniTool ShadowMaker\WinPE\system_backup_cmd.exe	pw_sm_setup_x64.tmp
File created	C:\Program Files\MiniTool ShadowMaker\PETools\x86\boot\is-QPRRA.tmp	pw_sm_setup_x64.tmp
File created	C:\Program Files\MiniTool ShadowMaker\Qt\labs\folderlistmodel\is-Q4D05.tmp	pw_sm_setup_x64.tmp
File created	C:\Program Files\MiniTool ShadowMaker\WinPE\bearer\is-5Q8HV.tmp	pw_sm_setup_x64.tmp
File created	C:\Program Files\MiniTool ShadowMaker\WinPE\translations\qtwebengine_locales\is-HLKJU.tmp	pw_sm_setup_x64.tmp
File created	C:\Program Files\MiniTool ShadowMaker\is-DB9M0.tmp	pw_sm_setup_x64.tmp
File created	C:\Program Files\MiniTool ShadowMaker\is-UACQO.tmp	pw_sm_setup_x64.tmp
File created	C:\Program Files\MiniTool ShadowMaker\DISM5_x64\is-N9J57.tmp	pw_sm_setup_x64.tmp
File created	C:\Program Files\MiniTool ShadowMaker\QtQuick\Controls\Styles\Base\is-81TNO.tmp	pw_sm_setup_x64.tmp
File created	C:\Program Files\MiniTool ShadowMaker\WinPE\is-0702R.tmp	pw_sm_setup_x64.tmp
File created	C:\Program Files\MiniTool ShadowMaker\WinPE\translations\qtwebengine_locales\is-HU066.tmp	pw_sm_setup_x64.tmp
File created	C:\Program Files\MiniTool ShadowMaker\en-us\x64\is-FOH9L.tmp	pw_sm_setup_x64.tmp
File created	C:\Program Files\MiniTool ShadowMaker\is-2021M.tmp	pw_sm_setup_x64.tmp
File created	C:\Program Files\MiniTool ShadowMaker\qmltooling\is-QLRKB.tmp	pw_sm_setup_x64.tmp
File created	C:\Program Files\MiniTool ShadowMaker\WinPE\is-K325P.tmp	pw_sm_setup_x64.tmp
File created	C:\Program Files\MiniTool ShadowMaker\WinPE\translations\qtwebengine_locales\is-N1AV0.tmp	pw_sm_setup_x64.tmp
File opened for modification	C:\Program Files\MiniTool ShadowMaker\MTMediaBuilder.exe	pw_sm_setup_x64.tmp

Drops file in Windows directory 5 IoCs

description	ioc	Process
File opened for modification	\??\c:\windows\resources\svchost.exe	spoolsv.exe
File opened for modification	C:\Windows\Resources\tjud.exe	explorer.exe
File opened for modification	C:\Windows\Resources\Themes\icsys.icn.exe	bc5279c15d0c9b8cc1583bf81ae78a19adcbf0abb06b59c7b7a7c2687982b765N.exe
File opened for modification	\??\c:\windows\resources\themes\explorer.exe	icsys.icn.exe
File opened for modification	\??\c:\windows\resources\spoolsv.exe	explorer.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 20 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	pw_sm_setup_x64.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	pw_sm_setup_x64.tmp
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	bc5279c15d0c9b8cc1583bf81ae78a19adcbf0abb06b59c7b7a7c2687982b765n.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	icsys.icn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	bc5279c15d0c9b8cc1583bf81ae78a19adcbf0abb06b59c7b7a7c2687982b765N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	bc5279c15d0c9b8cc1583bf81ae78a19adcbf0abb06b59c7b7a7c2687982b765n.tmp
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	SmDownloader.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	SmDownloader.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	pwfree-64bit-online.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	pwfree-64bit-online.tmp
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe

Checks processor information in registry 2 TTPs 64 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\44	partitionwizard.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\11	partitionwizard.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\19	partitionwizard.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\22	partitionwizard.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\24	partitionwizard.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\46	partitionwizard.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\9	partitionwizard.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\10	partitionwizard.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\39	partitionwizard.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\55	partitionwizard.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\52	partitionwizard.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\56	partitionwizard.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\61	partitionwizard.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\33	partitionwizard.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\40	partitionwizard.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\48	partitionwizard.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\23	partitionwizard.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\30	partitionwizard.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\53	partitionwizard.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\18	partitionwizard.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\42	partitionwizard.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\20	partitionwizard.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\26	partitionwizard.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\35	partitionwizard.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\43	partitionwizard.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\6	partitionwizard.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\17	partitionwizard.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\29	partitionwizard.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\37	partitionwizard.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\38	partitionwizard.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\4	partitionwizard.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\14	partitionwizard.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\28	partitionwizard.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\41	partitionwizard.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\25	partitionwizard.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\32	partitionwizard.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\50	partitionwizard.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\2	partitionwizard.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\15	partitionwizard.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\16	partitionwizard.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\27	partitionwizard.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	partitionwizard.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\ProcessorNameString	partitionwizard.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\36	partitionwizard.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\60	partitionwizard.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\62	partitionwizard.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\31	partitionwizard.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\34	partitionwizard.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\58	partitionwizard.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\5	partitionwizard.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\57	partitionwizard.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\12	partitionwizard.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\51	partitionwizard.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	partitionwizard.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1	partitionwizard.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\8	partitionwizard.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\13	partitionwizard.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\49	partitionwizard.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\54	partitionwizard.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\3	partitionwizard.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\7	partitionwizard.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\47	partitionwizard.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\59	partitionwizard.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\63	partitionwizard.exe

Kills process with taskkill 2 IoCs

evasion

pid	Process
2776	taskkill.exe
2672	taskkill.exe

Modifies Internet Explorer settings 1 TTPs 45 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "2"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb0100000045c0dde48c11474f81d9a2c02be4ea22000000000200000000001066000000010000200000009f700dc22f81b20c33491654f5022688a319d5d0399ed836e8a49410249992f5000000000e8000000002000020000000f989921b0e501b1e4ca85407acc6af1284fa1303d7119433808d498778a9d294200000002d2a022a8d97331377281331969bb3e456d0fbda396831102050925fdb8ac9a3400000004952dafe576f5402c743511efb6f098e148ab352e0a3e6fa13a9d23859c9f7e2699e93fd0627d3c95da2804d6116a25032d7e5e61205e208ac59dea1d25fa7a9	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	experience.exe
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = e035c0b31015db01	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb0100000045c0dde48c11474f81d9a2c02be4ea22000000000200000000001066000000010000200000000233168c59a122d34c5826977f5799bdb6ccb4ea63f82d03c7bb1cb00d314686000000000e8000000002000020000000dd1ff4962f8b5c732d29aa0091524bff8e480ffb2597ce8ea9985dc1df24d3ed90000000d10232e4708265ce19e9aba94623fc3a7ac0ba144c227080d3edb76a425d479c547b3e6bcfd1f39179319e15a04c6415aab9dc44b6bd55c003ae62634b0ab9b658ee10051dc82177f5f268ebcf13d11ed541e16f5ba586c0e752b7308d64f62bc75362a3a19e29f7afb00968452430b29d1ed37262d4af9caea4328628cdbd16f34e08aec48f171fdecad4f6026fff5f400000005e5fd51c2df4b208ac0a7741b1651a79d8410dead47dae781eb7737751d3eec9cb26afbe145515ec4fb776951bea29f7ed1ca83720e1dc4a10885fcd3c839399	iexplore.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\MAIN\FeatureControl\FEATURE_BROWSER_EMULATION\experience.exe = "11000"	pw_sm_setup_x64.tmp
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{DE4520A1-8103-11EF-8AE4-465533733A50} = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c00000000000000010000000083ffff0083ffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	experience.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\MAIN\FeatureControl\FEATURE_BROWSER_EMULATION\partitionwizard.exe = "11000"	bc5279c15d0c9b8cc1583bf81ae78a19adcbf0abb06b59c7b7a7c2687982b765n.tmp
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\MAIN\FeatureControl\FEATURE_BROWSER_EMULATION\updatechecker.exe = "11000"	bc5279c15d0c9b8cc1583bf81ae78a19adcbf0abb06b59c7b7a7c2687982b765n.tmp
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\SearchScopes	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Main	experience.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	experience.exe
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Main	experience.exe
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION	pw_sm_setup_x64.tmp
Key created	\REGISTRY\MACHINE\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION	bc5279c15d0c9b8cc1583bf81ae78a19adcbf0abb06b59c7b7a7c2687982b765n.tmp
Set value (str)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	experience.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\MAIN\FeatureControl\FEATURE_BROWSER_EMULATION\system_backup_gui.exe = "11000"	pw_sm_setup_x64.tmp
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\MAIN\FeatureControl\FEATURE_BROWSER_EMULATION\experience.exe = "11000"	bc5279c15d0c9b8cc1583bf81ae78a19adcbf0abb06b59c7b7a7c2687982b765n.tmp
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe

Modifies data under HKEY_USERS 5 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\MTSoft\SM	AgentService.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	AgentService.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\MTSoft	AgentService.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\MTSoft\SM	AgentService.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\MTSoft\SM\TASK_COUNT = "0"	AgentService.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 3 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2632	schtasks.exe
2216	schtasks.exe
3024	schtasks.exe

Suspicious behavior: AddClipboardFormatListener 4 IoCs

pid	Process
2208	updatechecker.exe
1584	experience.exe
1496	experience.exe
956	partitionwizard.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
292	bc5279c15d0c9b8cc1583bf81ae78a19adcbf0abb06b59c7b7a7c2687982b765N.exe
292	bc5279c15d0c9b8cc1583bf81ae78a19adcbf0abb06b59c7b7a7c2687982b765N.exe
292	bc5279c15d0c9b8cc1583bf81ae78a19adcbf0abb06b59c7b7a7c2687982b765N.exe
292	bc5279c15d0c9b8cc1583bf81ae78a19adcbf0abb06b59c7b7a7c2687982b765N.exe
292	bc5279c15d0c9b8cc1583bf81ae78a19adcbf0abb06b59c7b7a7c2687982b765N.exe
292	bc5279c15d0c9b8cc1583bf81ae78a19adcbf0abb06b59c7b7a7c2687982b765N.exe
292	bc5279c15d0c9b8cc1583bf81ae78a19adcbf0abb06b59c7b7a7c2687982b765N.exe
292	bc5279c15d0c9b8cc1583bf81ae78a19adcbf0abb06b59c7b7a7c2687982b765N.exe
292	bc5279c15d0c9b8cc1583bf81ae78a19adcbf0abb06b59c7b7a7c2687982b765N.exe
292	bc5279c15d0c9b8cc1583bf81ae78a19adcbf0abb06b59c7b7a7c2687982b765N.exe
292	bc5279c15d0c9b8cc1583bf81ae78a19adcbf0abb06b59c7b7a7c2687982b765N.exe
292	bc5279c15d0c9b8cc1583bf81ae78a19adcbf0abb06b59c7b7a7c2687982b765N.exe
292	bc5279c15d0c9b8cc1583bf81ae78a19adcbf0abb06b59c7b7a7c2687982b765N.exe
292	bc5279c15d0c9b8cc1583bf81ae78a19adcbf0abb06b59c7b7a7c2687982b765N.exe
292	bc5279c15d0c9b8cc1583bf81ae78a19adcbf0abb06b59c7b7a7c2687982b765N.exe
292	bc5279c15d0c9b8cc1583bf81ae78a19adcbf0abb06b59c7b7a7c2687982b765N.exe
2580	icsys.icn.exe
2580	icsys.icn.exe
2580	icsys.icn.exe
2580	icsys.icn.exe
2580	icsys.icn.exe
2580	icsys.icn.exe
2580	icsys.icn.exe
2580	icsys.icn.exe
2580	icsys.icn.exe
2580	icsys.icn.exe
2580	icsys.icn.exe
2580	icsys.icn.exe
2580	icsys.icn.exe
2580	icsys.icn.exe
2580	icsys.icn.exe
2580	icsys.icn.exe
2580	icsys.icn.exe
2356	explorer.exe
2356	explorer.exe
2356	explorer.exe
2356	explorer.exe
2356	explorer.exe
2356	explorer.exe
2356	explorer.exe
2356	explorer.exe
2356	explorer.exe
2356	explorer.exe
2356	explorer.exe
2356	explorer.exe
2356	explorer.exe
2356	explorer.exe
2356	explorer.exe
2356	explorer.exe
2736	svchost.exe
2736	svchost.exe
2736	svchost.exe
2736	svchost.exe
2736	svchost.exe
2736	svchost.exe
2736	svchost.exe
2736	svchost.exe
2736	svchost.exe
2736	svchost.exe
2736	svchost.exe
2736	svchost.exe
2736	svchost.exe
2736	svchost.exe
2736	svchost.exe

Suspicious behavior: GetForegroundWindowSpam 3 IoCs

pid	Process
2356	explorer.exe
2736	svchost.exe
956	partitionwizard.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
480	Process not Found
480	Process not Found

Suspicious use of AdjustPrivilegeToken 6 IoCs

description	pid	Process
Token: SeDebugPrivilege	2776	taskkill.exe
Token: SeDebugPrivilege	2672	taskkill.exe
Token: 33	592	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	592	AUDIODG.EXE
Token: 33	592	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	592	AUDIODG.EXE

Suspicious use of FindShellTrayWindow 4 IoCs

pid	Process
316	pwfree-64bit-online.tmp
2664	pw_sm_setup_x64.tmp
2344	bc5279c15d0c9b8cc1583bf81ae78a19adcbf0abb06b59c7b7a7c2687982b765n.tmp
2232	iexplore.exe

Suspicious use of SetWindowsHookEx 36 IoCs

pid	Process
292	bc5279c15d0c9b8cc1583bf81ae78a19adcbf0abb06b59c7b7a7c2687982b765N.exe
292	bc5279c15d0c9b8cc1583bf81ae78a19adcbf0abb06b59c7b7a7c2687982b765N.exe
2580	icsys.icn.exe
2580	icsys.icn.exe
2356	explorer.exe
2356	explorer.exe
2816	spoolsv.exe
2816	spoolsv.exe
2736	svchost.exe
2736	svchost.exe
1916	spoolsv.exe
1916	spoolsv.exe
2208	updatechecker.exe
2348	testOpenGL.exe
1584	experience.exe
1584	experience.exe
1584	experience.exe
2820	AgentService.exe
2224	SchedulerService.exe
2224	SchedulerService.exe
2224	SchedulerService.exe
2224	SchedulerService.exe
2820	AgentService.exe
2820	AgentService.exe
2820	AgentService.exe
2820	AgentService.exe
2820	AgentService.exe
2820	AgentService.exe
1496	experience.exe
1496	experience.exe
1496	experience.exe
2232	iexplore.exe
2232	iexplore.exe
2932	IEXPLORE.EXE
2932	IEXPLORE.EXE
956	partitionwizard.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 292 wrote to memory of 2000	292	bc5279c15d0c9b8cc1583bf81ae78a19adcbf0abb06b59c7b7a7c2687982b765N.exe	30
PID 292 wrote to memory of 2000	292	bc5279c15d0c9b8cc1583bf81ae78a19adcbf0abb06b59c7b7a7c2687982b765N.exe	30
PID 292 wrote to memory of 2000	292	bc5279c15d0c9b8cc1583bf81ae78a19adcbf0abb06b59c7b7a7c2687982b765N.exe	30
PID 292 wrote to memory of 2000	292	bc5279c15d0c9b8cc1583bf81ae78a19adcbf0abb06b59c7b7a7c2687982b765N.exe	30
PID 292 wrote to memory of 2000	292	bc5279c15d0c9b8cc1583bf81ae78a19adcbf0abb06b59c7b7a7c2687982b765N.exe	30
PID 292 wrote to memory of 2000	292	bc5279c15d0c9b8cc1583bf81ae78a19adcbf0abb06b59c7b7a7c2687982b765N.exe	30
PID 292 wrote to memory of 2000	292	bc5279c15d0c9b8cc1583bf81ae78a19adcbf0abb06b59c7b7a7c2687982b765N.exe	30
PID 2000 wrote to memory of 2344	2000	bc5279c15d0c9b8cc1583bf81ae78a19adcbf0abb06b59c7b7a7c2687982b765n.exe	31
PID 2000 wrote to memory of 2344	2000	bc5279c15d0c9b8cc1583bf81ae78a19adcbf0abb06b59c7b7a7c2687982b765n.exe	31
PID 2000 wrote to memory of 2344	2000	bc5279c15d0c9b8cc1583bf81ae78a19adcbf0abb06b59c7b7a7c2687982b765n.exe	31
PID 2000 wrote to memory of 2344	2000	bc5279c15d0c9b8cc1583bf81ae78a19adcbf0abb06b59c7b7a7c2687982b765n.exe	31
PID 2000 wrote to memory of 2344	2000	bc5279c15d0c9b8cc1583bf81ae78a19adcbf0abb06b59c7b7a7c2687982b765n.exe	31
PID 2000 wrote to memory of 2344	2000	bc5279c15d0c9b8cc1583bf81ae78a19adcbf0abb06b59c7b7a7c2687982b765n.exe	31
PID 2000 wrote to memory of 2344	2000	bc5279c15d0c9b8cc1583bf81ae78a19adcbf0abb06b59c7b7a7c2687982b765n.exe	31
PID 292 wrote to memory of 2580	292	bc5279c15d0c9b8cc1583bf81ae78a19adcbf0abb06b59c7b7a7c2687982b765N.exe	32
PID 292 wrote to memory of 2580	292	bc5279c15d0c9b8cc1583bf81ae78a19adcbf0abb06b59c7b7a7c2687982b765N.exe	32
PID 292 wrote to memory of 2580	292	bc5279c15d0c9b8cc1583bf81ae78a19adcbf0abb06b59c7b7a7c2687982b765N.exe	32
PID 292 wrote to memory of 2580	292	bc5279c15d0c9b8cc1583bf81ae78a19adcbf0abb06b59c7b7a7c2687982b765N.exe	32
PID 2580 wrote to memory of 2356	2580	icsys.icn.exe	33
PID 2580 wrote to memory of 2356	2580	icsys.icn.exe	33
PID 2580 wrote to memory of 2356	2580	icsys.icn.exe	33
PID 2580 wrote to memory of 2356	2580	icsys.icn.exe	33
PID 2356 wrote to memory of 2816	2356	explorer.exe	34
PID 2356 wrote to memory of 2816	2356	explorer.exe	34
PID 2356 wrote to memory of 2816	2356	explorer.exe	34
PID 2356 wrote to memory of 2816	2356	explorer.exe	34
PID 2816 wrote to memory of 2736	2816	spoolsv.exe	35
PID 2816 wrote to memory of 2736	2816	spoolsv.exe	35
PID 2816 wrote to memory of 2736	2816	spoolsv.exe	35
PID 2816 wrote to memory of 2736	2816	spoolsv.exe	35
PID 2736 wrote to memory of 1916	2736	svchost.exe	36
PID 2736 wrote to memory of 1916	2736	svchost.exe	36
PID 2736 wrote to memory of 1916	2736	svchost.exe	36
PID 2736 wrote to memory of 1916	2736	svchost.exe	36
PID 2356 wrote to memory of 2972	2356	explorer.exe	37
PID 2356 wrote to memory of 2972	2356	explorer.exe	37
PID 2356 wrote to memory of 2972	2356	explorer.exe	37
PID 2356 wrote to memory of 2972	2356	explorer.exe	37
PID 2736 wrote to memory of 2632	2736	svchost.exe	38
PID 2736 wrote to memory of 2632	2736	svchost.exe	38
PID 2736 wrote to memory of 2632	2736	svchost.exe	38
PID 2736 wrote to memory of 2632	2736	svchost.exe	38
PID 2344 wrote to memory of 2952	2344	bc5279c15d0c9b8cc1583bf81ae78a19adcbf0abb06b59c7b7a7c2687982b765n.tmp	42
PID 2344 wrote to memory of 2952	2344	bc5279c15d0c9b8cc1583bf81ae78a19adcbf0abb06b59c7b7a7c2687982b765n.tmp	42
PID 2344 wrote to memory of 2952	2344	bc5279c15d0c9b8cc1583bf81ae78a19adcbf0abb06b59c7b7a7c2687982b765n.tmp	42
PID 2344 wrote to memory of 2952	2344	bc5279c15d0c9b8cc1583bf81ae78a19adcbf0abb06b59c7b7a7c2687982b765n.tmp	42
PID 2344 wrote to memory of 2320	2344	bc5279c15d0c9b8cc1583bf81ae78a19adcbf0abb06b59c7b7a7c2687982b765n.tmp	43
PID 2344 wrote to memory of 2320	2344	bc5279c15d0c9b8cc1583bf81ae78a19adcbf0abb06b59c7b7a7c2687982b765n.tmp	43
PID 2344 wrote to memory of 2320	2344	bc5279c15d0c9b8cc1583bf81ae78a19adcbf0abb06b59c7b7a7c2687982b765n.tmp	43
PID 2344 wrote to memory of 2320	2344	bc5279c15d0c9b8cc1583bf81ae78a19adcbf0abb06b59c7b7a7c2687982b765n.tmp	43
PID 2952 wrote to memory of 2020	2952	SmDownloader.exe	44
PID 2952 wrote to memory of 2020	2952	SmDownloader.exe	44
PID 2952 wrote to memory of 2020	2952	SmDownloader.exe	44
PID 2952 wrote to memory of 2020	2952	SmDownloader.exe	44
PID 2952 wrote to memory of 2020	2952	SmDownloader.exe	44
PID 2952 wrote to memory of 2020	2952	SmDownloader.exe	44
PID 2952 wrote to memory of 2020	2952	SmDownloader.exe	44
PID 2020 wrote to memory of 316	2020	pwfree-64bit-online.exe	45
PID 2020 wrote to memory of 316	2020	pwfree-64bit-online.exe	45
PID 2020 wrote to memory of 316	2020	pwfree-64bit-online.exe	45
PID 2020 wrote to memory of 316	2020	pwfree-64bit-online.exe	45
PID 2020 wrote to memory of 316	2020	pwfree-64bit-online.exe	45
PID 2020 wrote to memory of 316	2020	pwfree-64bit-online.exe	45
PID 2020 wrote to memory of 316	2020	pwfree-64bit-online.exe	45

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\bc5279c15d0c9b8cc1583bf81ae78a19adcbf0abb06b59c7b7a7c2687982b765N.exe
"C:\Users\Admin\AppData\Local\Temp\bc5279c15d0c9b8cc1583bf81ae78a19adcbf0abb06b59c7b7a7c2687982b765N.exe"
1⤵
- Loads dropped DLL
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:292
- \??\c:\users\admin\appdata\local\temp\bc5279c15d0c9b8cc1583bf81ae78a19adcbf0abb06b59c7b7a7c2687982b765n.exe
  c:\users\admin\appdata\local\temp\bc5279c15d0c9b8cc1583bf81ae78a19adcbf0abb06b59c7b7a7c2687982b765n.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2000
- - C:\Users\Admin\AppData\Local\Temp\is-2OH9B.tmp\bc5279c15d0c9b8cc1583bf81ae78a19adcbf0abb06b59c7b7a7c2687982b765n.tmp
    "C:\Users\Admin\AppData\Local\Temp\is-2OH9B.tmp\bc5279c15d0c9b8cc1583bf81ae78a19adcbf0abb06b59c7b7a7c2687982b765n.tmp" /SL5="$90216,2234831,1089536,c:\users\admin\appdata\local\temp\bc5279c15d0c9b8cc1583bf81ae78a19adcbf0abb06b59c7b7a7c2687982b765n.exe "
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Modifies Internet Explorer settings
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of WriteProcessMemory
    PID:2344
  - - C:\Users\Admin\AppData\Local\Temp\is-LVFNG.tmp\SmDownloader.exe
      "C:\Users\Admin\AppData\Local\Temp\is-LVFNG.tmp\SmDownloader.exe" /HWND:524798 /PATH:"C:\Program Files\MiniTool Partition Wizard 12" /URL:https://www.partitionwizard.com/download/online-setup-config/pwfree-v12.ini /VERYSILENT /USERMSG:1450 /LANG:english
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:2952
    - - C:\Users\Admin\AppData\Local\Temp\pwfree-64bit-online.exe
        
        C:\Users\Admin\AppData\Local\Temp\pwfree-64bit-online.exe /VERYSILENT /DIR="C:\Program Files\MiniTool Partition Wizard 12" /LANG=english
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2020
      - C:\Users\Admin\AppData\Local\Temp\is-41TN4.tmp\pwfree-64bit-online.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\is-41TN4.tmp\pwfree-64bit-online.tmp" /SL5="$1028A,20098929,488960,C:\Users\Admin\AppData\Local\Temp\pwfree-64bit-online.exe" /VERYSILENT /DIR="C:\Program Files\MiniTool Partition Wizard 12" /LANG=english
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        Drops file in Program Files directory
        System Location Discovery: System Language Discovery
        Suspicious use of FindShellTrayWindow
        
        PID:316
        
        C:\Program Files\MiniTool Partition Wizard 12\updatechecker.exe
        
        "C:\Program Files\MiniTool Partition Wizard 12\updatechecker.exe" /createtask
        7⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious behavior: AddClipboardFormatListener
        Suspicious use of SetWindowsHookEx
        
        PID:2208
  - - C:\Users\Admin\AppData\Local\Temp\is-LVFNG.tmp\SmDownloader.exe
      "C:\Users\Admin\AppData\Local\Temp\is-LVFNG.tmp\SmDownloader.exe" /HWND:524798 /PATH:"C:\Program Files\MiniTool Partition Wizard 12\..\MiniTool ShadowMaker" /URL:https://www.partitionwizard.com/download/online-setup-config/pwfree-v12-bundle-sm.ini /VERYSILENT /USERMSG:1439 /LANG:english
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      PID:2320
    - - C:\Users\Admin\AppData\Local\Temp\pw_sm_setup_x64.exe
        
        C:\Users\Admin\AppData\Local\Temp\pw_sm_setup_x64.exe /VERYSILENT /DIR="C:\Program Files\MiniTool Partition Wizard 12\..\MiniTool ShadowMaker" /LANG=english
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:1916
      - C:\Users\Admin\AppData\Local\Temp\is-LMQCS.tmp\pw_sm_setup_x64.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\is-LMQCS.tmp\pw_sm_setup_x64.tmp" /SL5="$302C8,208678187,268800,C:\Users\Admin\AppData\Local\Temp\pw_sm_setup_x64.exe" /VERYSILENT /DIR="C:\Program Files\MiniTool Partition Wizard 12\..\MiniTool ShadowMaker" /LANG=english
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in Program Files directory
        System Location Discovery: System Language Discovery
        Modifies Internet Explorer settings
        Suspicious use of FindShellTrayWindow
        
        PID:2664
        
        C:\Windows\SysWOW64\taskkill.exe
        
        "taskkill.exe" /f /im "SchedulerService.exe"
        7⤵
        System Location Discovery: System Language Discovery
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:2776
        
        C:\Windows\SysWOW64\taskkill.exe
        
        "taskkill.exe" /f /im "AgentService.exe"
        7⤵
        System Location Discovery: System Language Discovery
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:2672
        
        C:\Program Files\MiniTool ShadowMaker\testOpenGL.exe
        
        "C:\Program Files\MiniTool ShadowMaker\testOpenGL.exe"
        7⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetWindowsHookEx
        
        PID:2348
        
        C:\Program Files\MiniTool ShadowMaker\initsrv.exe
        
        "C:\Program Files\MiniTool ShadowMaker\initsrv.exe"
        7⤵
        Executes dropped EXE
        
        PID:1052
        
        C:\Program Files\MiniTool ShadowMaker\BootTrigger.exe
        
        "C:\Program Files\MiniTool ShadowMaker\BootTrigger.exe" "C:\Program Files\MiniTool ShadowMaker\SMMonitor.exe"
        7⤵
        Executes dropped EXE
        
        PID:1944
        
        C:\Program Files\MiniTool ShadowMaker\experience.exe
        
        "C:\Program Files\MiniTool ShadowMaker\experience.exe" http://tracking.minitool.com/backup/installation.html?mt_lang=en&mt_edition=pw-trial&mt_ver=4.5.0
        7⤵
        Executes dropped EXE
        Modifies Internet Explorer settings
        Suspicious behavior: AddClipboardFormatListener
        Suspicious use of SetWindowsHookEx
        
        PID:1584
        
        C:\Program Files\MiniTool ShadowMaker\AgentService.exe
        
        "C:\Program Files\MiniTool ShadowMaker\AgentService.exe" -i
        7⤵
        Executes dropped EXE
        
        PID:1708
        
        C:\Program Files\MiniTool ShadowMaker\AgentService.exe
        
        "C:\Program Files\MiniTool ShadowMaker\AgentService.exe" -s
        7⤵
        Executes dropped EXE
        
        PID:2800
        
        C:\Program Files\MiniTool ShadowMaker\SchedulerService.exe
        
        "C:\Program Files\MiniTool ShadowMaker\SchedulerService.exe" -i
        7⤵
        Executes dropped EXE
        
        PID:2292
        
        C:\Program Files\MiniTool ShadowMaker\SchedulerService.exe
        
        "C:\Program Files\MiniTool ShadowMaker\SchedulerService.exe" -s
        7⤵
        Executes dropped EXE
        
        PID:2620
  - - C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe" https://www.partitionwizard.com/feedback/install-partition-wizard.html?from-free-v1206
      4⤵
      Modifies Internet Explorer settings
      Suspicious use of FindShellTrayWindow
      Suspicious use of SetWindowsHookEx
      PID:2232
    - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2232 CREDAT:275457 /prefetch:2
        5⤵
        System Location Discovery: System Language Discovery
        Modifies Internet Explorer settings
        Suspicious use of SetWindowsHookEx
        
        PID:2932
  - - C:\Program Files\MiniTool Partition Wizard 12\experience.exe
      "C:\Program Files\MiniTool Partition Wizard 12\experience.exe" http://tracking.minitool.com/pw/installation.php?from=pwfree12
      4⤵
      Executes dropped EXE
      Modifies Internet Explorer settings
      Suspicious behavior: AddClipboardFormatListener
      Suspicious use of SetWindowsHookEx
      PID:1496
  - - C:\Program Files\MiniTool Partition Wizard 12\partitionwizard.exe
      "C:\Program Files\MiniTool Partition Wizard 12\partitionwizard.exe"
      4⤵
      Checks BIOS information in registry
      Executes dropped EXE
      Drops file in System32 directory
      Checks processor information in registry
      Suspicious behavior: AddClipboardFormatListener
      Suspicious behavior: GetForegroundWindowSpam
      Suspicious use of SetWindowsHookEx
      PID:956
- C:\Windows\Resources\Themes\icsys.icn.exe
  C:\Windows\Resources\Themes\icsys.icn.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2580
- - \??\c:\windows\resources\themes\explorer.exe
    c:\windows\resources\themes\explorer.exe
    3⤵
    - Modifies visiblity of hidden/system files in Explorer
    - Executes dropped EXE
    - Loads dropped DLL
    - Adds Run key to start application
    - Drops file in System32 directory
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2356
  - - \??\c:\windows\resources\spoolsv.exe
      c:\windows\resources\spoolsv.exe SE
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Drops file in Windows directory
      System Location Discovery: System Language Discovery
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:2816
    - - \??\c:\windows\resources\svchost.exe
        
        c:\windows\resources\svchost.exe
        5⤵
        Modifies visiblity of hidden/system files in Explorer
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious behavior: GetForegroundWindowSpam
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:2736
      - \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe PR
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:1916
      - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /create /tn "svchost" /tr "c:\windows\resources\svchost.exe" /sc daily /st 21:18 /f
        6⤵
        System Location Discovery: System Language Discovery
        Scheduled Task/Job: Scheduled Task
        
        PID:2632
      - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /create /tn "svchost" /tr "c:\windows\resources\svchost.exe" /sc daily /st 21:19 /f
        6⤵
        System Location Discovery: System Language Discovery
        Scheduled Task/Job: Scheduled Task
        
        PID:2216
      - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /create /tn "svchost" /tr "c:\windows\resources\svchost.exe" /sc daily /st 21:20 /f
        6⤵
        System Location Discovery: System Language Discovery
        Scheduled Task/Job: Scheduled Task
        
        PID:3024
  - - C:\Windows\Explorer.exe
      C:\Windows\Explorer.exe
      4⤵
      PID:2972

C:\Program Files\MiniTool ShadowMaker\AgentService.exe
"C:\Program Files\MiniTool ShadowMaker\AgentService.exe"
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of SetWindowsHookEx
PID:2820

C:\Program Files\MiniTool ShadowMaker\SchedulerService.exe
"C:\Program Files\MiniTool ShadowMaker\SchedulerService.exe"
1⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:2224

C:\Windows\System32\vdsldr.exe
C:\Windows\System32\vdsldr.exe -Embedding
1⤵
PID:2284

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
PID:3056

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x5a0
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:592

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\MiniTool Partition Wizard 12\MSVCP120.dll

Filesize
644KB

MD5
edef53778eaafe476ee523be5c2ab67f

SHA1
58c416508913045f99cdf559f31e71f88626f6de

SHA256
92faedd18a29e1bd2dd27a1d805ea5aa3e73b954a625af45a74f49d49506d20f

SHA512
7fc931c69aca6a09924c84f57a4a2bcf506859ab02f622d858e9e13d5917c5d3bdd475ba88f7a7e537bdae84ca3df9c3a7c56b2b0ca3c2d463bd7e9b905e2ef8

Download Submit
C:\Program Files\MiniTool Partition Wizard 12\MSVCR120.dll

Filesize
940KB

MD5
aeb29ccc27e16c4fd223a00189b44524

SHA1
45a6671c64f353c79c0060bdafea0ceb5ad889be

SHA256
d28c7ab34842b6149609bd4e6b566ddab8b891f0d5062480a253ef20a6a2caaa

SHA512
2ec4d768a07cfa19d7a30cbd1a94d97ba4f296194b9c725cef8e50a2078e9e593a460e4296e033a05b191dc863acf6879d50c2242e82fe00054ca1952628e006

Download Submit
C:\Program Files\MiniTool Partition Wizard 12\Qt5Core.dll

Filesize
5.3MB

MD5
a7e479e3fb8c45b4b572a301588c0de0

SHA1
a254d7e90a27196a6e40b9daacc1f72748ccc155

SHA256
a71c5a226fbb4334353cc1d0f4abacba8a509f8544f286d352e1ec29c86c0742

SHA512
92c4303df4967d48a957d258dc2502eedd50a39c7d5d2120f69233f53d67dde13be7112309dd71c0ba9b005951e59a416c5139861522c73cfba3bd49e6b370ae

Download Submit
C:\Program Files\MiniTool Partition Wizard 12\Qt5Gui.dll

Filesize
5.7MB

MD5
89c68c9d29d7c527097eb4a1317f71ad

SHA1
58add7d0d991931ac92eb144e007894412ae570a

SHA256
be00d70e40813e1a8ae4715b8e3cdbfb6470dbffc7d591459bb4afc30e77f715

SHA512
bfe224dec896857ebe32e75e52823f821b3791312d9629d63b565e2cd12e1854aff5e66cc416555dfbe08887a6171dfb6393e9084a0adaa2ee3528aaf0e2617f

Download Submit
C:\Program Files\MiniTool Partition Wizard 12\Qt5Widgets.dll

Filesize
5.3MB

MD5
d654ed44099c61cf7ddc07dabeca28d3

SHA1
1acf0f22f3cb15585fe8ec97dad00eda8ac30d51

SHA256
3bc64a69dc06e7a12442c04225630ba57c779d6e9e4e1aff9f986c3e68883f27

SHA512
9012f71a8dd27c56b46b341c97a8ac964bdf399f1f9d8740763be34bc4d179db5bb4fbee153e715990a37c2b1391b2622bcacffe32756abfaceb45183bf7f0ea

Download Submit
C:\Program Files\MiniTool Partition Wizard 12\platforms\qwindows.dll

Filesize
1.2MB

MD5
9608d1a7416a2534dee37613fb8bcb35

SHA1
c6dac2916d5740a406e784d035f7dee3e6ddb971

SHA256
d3f3f1eea7662a928cea0d9029d83e8b6a23a24d641056c3575e4b2d33b05bd1

SHA512
11fbd7751abd89354383645666a70a6ceb37ec005eb064b5307101823d900073f82631f95201cbc81b4a965f1ca2f5c180b9779778ac09bd5fc6a851ae405e0c

Download Submit
C:\Program Files\MiniTool Partition Wizard 12\qt.conf

Filesize
46B

MD5
ed54ff3a93486892b6a41c877df944d8

SHA1
c9a359103ff7bd26b4a74daeef24476e3fb95232

SHA256
3e25ea931f3228cae2b0138b66aeddb90cf73e93c108621e431c89c87f3fd594

SHA512
5821dfaf8a09fb2783b9b670fd984d07af8bbbc5e219aa73b8187b052b947475cda2cc59cdfd2556ad1805ee5081323749a3f196a397ffbf641846a302be98d9

Download Submit
C:\Program Files\MiniTool Partition Wizard 12\updatechecker.exe

Filesize
214KB

MD5
5f150ea19c59d9604f7d4e77b0b24d7a

SHA1
d60dfb51a34272321559b74944e9a217215f56db

SHA256
bf3fab722c2bb8ff3f8bc7cbe00c107098ae371999e4269abf97a13e200a5bf3

SHA512
5fcd8c73c5cb6eee8091a7298e2041f1277dfb49ae8010e5981e04677097c85ea8d3d85299df152db37c34061e246ea36dc33885490eebaa9b9d13edebac36a4

Download Submit
C:\Program Files\MiniTool ShadowMaker\PETools\amd64\boot\is-7VS2Q.tmp

Filesize
1024B

MD5
eb145d5f87ddf43c8bd6f27e97db8bf2

SHA1
2021c98f81b177d17543ebd34004891183fa3dd4

SHA256
a7a0edaf85f70e833fac02d0a416ae56ae2a3593e787f39c25dbb12830ca737c

SHA512
b85ff5a038173898b7f96890cb3998034bbcc50301cb31db112eeb04c3a1ed3c6b6d7905e48fc8cfe1fbb058b32e61349653b345bfe25fbfaa2ccffffda031ab

Download Submit
C:\Program Files\MiniTool ShadowMaker\PETools\amd64\boot\is-J7EPC.tmp

Filesize
4KB

MD5
d4befebf3cef129ac087422b9e912788

SHA1
62313ec73f381c052f2513ca6279cfb5107e98c0

SHA256
f425e135aac26b55e2bac655e62e2ce0b16255226c583d9ab43b2e93e8a6d932

SHA512
3814e4682cad2ef40061d3d5e8142c964cc73a6c6dfc72ba59cbab0922dd0c7e279703450e3a1f4fcfde3498565bf6ef28a30e7de53a0eda75b3fea76d03929b

Download Submit
C:\Program Files\MiniTool ShadowMaker\PETools\amd64\is-8AQF6.tmp

Filesize
388KB

MD5
21bf183c15afe62a8d1137bb9007b2a3

SHA1
d656dd1e85d7e8acffdefa9ced5d74bf0b978e39

SHA256
2fc3d311969b63a258446488ec75c275d736ded13d74624e1c541f43a72ab483

SHA512
8a67833d502edaba077c783dab69a7d8c9155971c409f78cb87948bd4415b7a58410517aced73d6ed7d13a6b975af769aa0623b9dffd9537f5a1ce0248308291

Download Submit
C:\Program Files\MiniTool ShadowMaker\PETools\x86\boot\is-S0516.tmp

Filesize
3.0MB

MD5
22d9945b4aae36dd59620a918f2e65f4

SHA1
bb025cedca07887916c4b7e5fa7a641ed3e30c14

SHA256
cd2c00ce027687ce4a8bdc967f26a8ab82f651c9becd703658ba282ec49702bd

SHA512
dd2d0ea7d5cf98064838ce0b74711f77534e1a2a14c7f74d44ed4b83acdb6f413d74671d2c6a8574aee88afb456b53a6b8452419a3bdddf2f7e9095c9d1d272e

Download Submit
C:\Program Files\MiniTool ShadowMaker\QtQuick3D\Materials\maps\is-35EFI.tmp

Filesize
334B

MD5
882310febbcd112f6416015145fd8c6d

SHA1
e142d0ba597a2c773e6354673bbc4a760f8d963f

SHA256
03003aa01026e944b75447078f5758d0ffab854d03e9ce80780a174411073f7f

SHA512
b21d8a189123c3019b5c99c1927d9eb10293cbe9321cb54d1fe183bf57efd22f778a61e47be27afb8f54d731ce17f96a6c6452dc76c3a8596b1bf1fdd532d4c4

Download Submit
C:\Program Files\MiniTool ShadowMaker\WinPE\PEDrivers\x86\f6flpy-x86\is-197I6.tmp

Filesize
8KB

MD5
729c3403f7fa48350383c17fee0ab05e

SHA1
4835887831dcb4996297f4276acb376b431b8e85

SHA256
171f983572a751a861298aef3ab3b0d82ad0f3cc087a8987c308e008479af7bd

SHA512
397a93eb25ab7b66b74bab38773cf1fb030b611b53bc024e9e2778436868bad212f6c8a842a6c54e58d15066730384443e7c1ce059c70051ab47f5c99bdf83e4

Download Submit
C:\Program Files\MiniTool ShadowMaker\WinPE\PEDrivers\x86\f6flpy-x86\is-3BO4D.tmp

Filesize
27KB

MD5
d5d3a570934ebb25bf6076c4347b6e8e

SHA1
e7c4c16670fd26f98c70832936b6279e4c42b170

SHA256
12b663de499ac95f43283b93e93d814ff529ea14da3313ab0345685829d01eb2

SHA512
42f94cee044eb5a0f5e53c461f411edfc723957cf374ad82cdaefe4bd9e7993db51545e9d21d5169f9862280d2d5b93b420937f8b4b448f777e1120e785852fa

Download Submit
C:\Program Files\MiniTool ShadowMaker\WinPE\PEDrivers\x86\f6flpy-x86\is-EASFB.tmp

Filesize
608KB

MD5
b4a4eed72dda932bf19020d1af6ebe16

SHA1
f83ae8045654e9fc23909ceab60e6638d43a5d46

SHA256
fb0dc7d25e596ee14d0bfef1933e204f07db9bbd2ce284b9df824d4c3aa56818

SHA512
ff27c35a7e1626033d8f52ef5514868b548adbef7015df99ebe4b786057345b6e15cbd59aed5bac952415e3a58e58e289551a0110114a27889a137278f648a37

Download Submit
C:\Program Files\MiniTool ShadowMaker\WinPE\PEDrivers\x86\f6flpy-x86\is-F1F2R.tmp

Filesize
11KB

MD5
a7652c278fc0f1d99653bbf1b5ef0796

SHA1
8bbe33d7f5eb8619fd3dc464ec522a0c97be69b2

SHA256
d5a0e0f60d23369f2dbe7929c79db4d2b0c4f76da1f039229918577647e51309

SHA512
f18bc23113eb9d208c87f8770ac39bac5329cc251a2b0fa34ba34b3c93f94934e95f5033e4f0c46995eebc3140a1235e7832976de4ddd651a2f958bf65983b5e

Download Submit
C:\Program Files\MiniTool ShadowMaker\WinPE\PEDrivers\x86\f6flpy-x86\is-G3QU6.tmp

Filesize
12KB

MD5
524aed2e8bf6db6dafcba00123c5f62b

SHA1
749852a2a94d9fbea4f6cfaa269b932d790e4b7c

SHA256
91ba645003fe189ca0c2fbd98dfa8ad0ee8fc69140c5a69a52b1a5adf4223200

SHA512
2a9196aaa125e7178289647ea7abcbce407965d1e7b109cc25fb2fea9f5076d4fe2c3fb590b7ec7fd4e79a67e872eba4c5f890931880f479fbbe8f1b836364bb

Download Submit
C:\Program Files\MiniTool ShadowMaker\WinPE\PEDrivers\x86\f6flpy-x86\is-JLFFC.tmp

Filesize
8KB

MD5
e9065bfa9f88f01266914355016d91c3

SHA1
11e8e296c46037b5dc47e05be04fef703a9664df

SHA256
3b2f5365e919d3512106c334e32def5b7984c67f353a51fd8b5f1aa659302129

SHA512
8fc6e5de9a90a819336667598106ceb944219d55170db92982aa409193d525787eb2f41234ffab25663beac58254fb13b8fce12d1daf052963ecdd4f4c3b4d4f

Download Submit
C:\Program Files\MiniTool ShadowMaker\WinPE\PETools\amd64\boot\is-3GGUV.tmp

Filesize
1.4MB

MD5
8d6bdcc0269dfe01c4c0296dd62b585d

SHA1
90e9d250461385af451c14bf3fdd2c6bdc288b13

SHA256
f083e7d85d1389d0700478a7a109a404bbb1c6a8cea4c7fa49dd6d03f11c35c4

SHA512
f9c31f90987010aaabeffc386550bb43eb214f2d8269af3111da61d707a667f6948a98d02f7663c294a2036c0c5c95a3211374b93dd1fce64117710ea2157fae

Download Submit
C:\Program Files\MiniTool ShadowMaker\WinPE\PETools\amd64\boot\is-ON012.tmp

Filesize
256KB

MD5
4e6397849461b037c91e6914fdc4976f

SHA1
4bc15aed32c60ab7722abd7ccb7404b15bc8a98f

SHA256
3be6f02df7395ee9df212e7b421feb38cf98ff301335df82a0ccab322c51cc05

SHA512
d6e3b3c86ff18e35197a812df1005f82c36068c52a2a1a3d8d8e808ea7bd80e21e9f0de19b3b33226d8aff97fcf52a54017be98fd9ab28b1e22f7c49a18e48d1

Download Submit
C:\Program Files\MiniTool ShadowMaker\WinPE\PETools\amd64\efi\boot\is-UOL5K.tmp

Filesize
1.3MB

MD5
ff6d345785671fbcea9561a3cbc47702

SHA1
0963edbc8d3486017c7a65168ffd515ab5bed968

SHA256
bea5931767dca4c46ef7d6ad73e6913a592860138d3fc82056289b8dff337940

SHA512
80925852082dc97e8986291374138eef10b1f56dcde7b3a456165226c6e38966d5e0d73b6c7ef6d67419f66637a7e8a1cb2352008be883b0ff862d18c0469b5b

Download Submit
C:\Program Files\MiniTool ShadowMaker\WinPE\PETools\amd64\efi\microsoft\boot\is-V6588.tmp

Filesize
256KB

MD5
a29ba030a801aa62c25fd028166c8ee7

SHA1
ab8c61f76874a29095297767d6e49697ef079bc6

SHA256
a0ab68982229efade615050c93903e125446d3efe1dc08d26a864dc7431991d1

SHA512
606ab1c88ae77db387368340679886659ed22484a47317982ca6e3dce631df8c09ff561db61e77341df0cdb916c5d2580384cfe37890274c8415869011ba92a9

Download Submit
C:\Program Files\MiniTool ShadowMaker\WinPE\PETools\amd64\is-MP50Q.tmp

Filesize
1.3MB

MD5
75d0032ae18e04a1254448f3fef14a6a

SHA1
67bf3587febf3c60fc2db86cfd5cc3abf510b8bd

SHA256
708a5e2b9f37c099d223ff297450a697c5e0002c969a6e5ffd92349f28fdf1cc

SHA512
5464cd62a08cb9e8f8fe0243416de1926adabbfa695fdfbbbe9c666dfa509d334ab941c5e1ace6feccc266d139fea40b02e8983e34fe49e40403673c4297ff7b

Download Submit
C:\Program Files\MiniTool ShadowMaker\WinPE\PETools\x86\boot\is-4MBT8.tmp

Filesize
256KB

MD5
d4774c3254be80d729cec1c70d737ff0

SHA1
6d8ebc1ddd27703689770b68131d5b3ea3f2b717

SHA256
18bbceb1150adea8ca3958e409821b3ae155c82fab2098ef79eb3f6bc9ecf3fa

SHA512
44000cd6ab7b0fd15e4edf22fa23ce350dfcde382752e8f70052ee78978d8dc9068d5eee784a7e4843fe4b4a03327e0d90f61b7486f83a810c6f83e6f827057d

Download Submit
C:\Program Files\MiniTool ShadowMaker\WinPE\PETools\x86\boot\is-G8PNO.tmp

Filesize
1.4MB

MD5
247f53d01ca3024505e86e8e266d4e46

SHA1
416331400a46addfd7952be6ffc5af391f2921e0

SHA256
68050e999473b9587535e3c03cd8ed25e62547b85b088645ec8c59e962a697e9

SHA512
03b13889f6f631250e1b8ba1a20d1d8a6b9c3bc115c14855c5a7b5f3b66c29b58dbbc58a616b3b3ee6b70a675345f4aad40c3024cb03936ef29a451b45456891

Download Submit
C:\Program Files\MiniTool ShadowMaker\WinPE\PETools\x86\efi\Microsoft\Boot\is-5QLNQ.tmp

Filesize
256KB

MD5
10647fde0b2a53d88230682d6b66fc4e

SHA1
08b5704d282305d50618e0e748ce7ae1d66353a3

SHA256
050aff6c0ed8015ec81fbf54ec47625e2d436db7d1495c53ea943f3f11b8e950

SHA512
bf59b1f005d075661b33e18a1ec869d8b04975be69aaa7f7a0393615ea5259eac5eec0a20e27605e2d32433d6cd29c9c90df6a354821a8b98a1a36538439c064

Download Submit
C:\Program Files\MiniTool ShadowMaker\WinPE\PETools\x86\efi\boot\is-817DM.tmp

Filesize
1.1MB

MD5
32643b08ef8162247c4f02d28b91aea7

SHA1
b55f48a499b53a8e5b535505b49be437d4de677f

SHA256
91c628e8059b35f450e5ba27a9fe1cee44b52df2a2d10a037fb0a8c04d176028

SHA512
925616abbb7526c2dff8ecabd638d298489142b007c9854a4ee31a04c2e1e37e92915dc91e3413f705fcc302ce01adf0cab8202a337ea78fa70719878f90d9b2

Download Submit
C:\Program Files\MiniTool ShadowMaker\WinPE\PETools\x86\is-8QBD8.tmp

Filesize
1.1MB

MD5
639234efee7d49adb5e9429c3f23dbd8

SHA1
f98687c887bb70233e28df4b93cb174514663f90

SHA256
30f0570e65a79f60128d99bf7d65ac4be571c77b744358dfd71341eb1b82f98f

SHA512
9f2ad6a44eac5bdc786d63291100246f74305a4776c9db25275afd01b66c203c01fd02af0ff31ff0d69274e07fce4196a571e31b1ae559565fb07082b5e1889d

Download Submit
C:\Program Files\MiniTool ShadowMaker\WinPE\en-us\win8_x64\is-9AOIJ.tmp

Filesize
45KB

MD5
9291d6a107b7f2cf676ec2394ea5829a

SHA1
59329d5b141af32f7a7dec2d33547291a728b2e1

SHA256
7415e90f75702e79ab64620a5143ca09c47166e9cf9de497bbbb9ca911aea930

SHA512
1f51cfdd4c929d1903e5889a82378bb7443a679cbaec94667ba2aa38450a05c3616482a7d4f422e0301287dc1cdc4eb1ef5468ee57cef969d40968758f653b5b

Download Submit
C:\Program Files\MiniTool ShadowMaker\WinPE\en-us\win8_x64\is-D76UG.tmp

Filesize
16KB

MD5
5efdc1c1b1187efe3021121275d46852

SHA1
8b83a5d6f8511e759d20a152f720ab5f584945ca

SHA256
de26e6f1093ae186615d9dbbe73e872e7bf97981ca216281afff86c77a73cdb7

SHA512
d2c356f61fcfb425d3623a94f586419a8d18ffc1196a84a1b612b01804d46d1eac24231a8800ee563dd6c5d629ed582ba26ff85c9a5eb0d3257385b7b1fa89b3

Download Submit
C:\Program Files\MiniTool ShadowMaker\WinPE\en-us\win8_x64\is-UU43S.tmp

Filesize
2KB

MD5
0a0aa027d5f35d900444d66c5fb5043b

SHA1
2182e346edc3d894edc912deddd8bbe129c10418

SHA256
c3090f85c627aa7849afe5622e8dc211cb873e86cde41d2d2ba7b73a475108e1

SHA512
273137ad3be5ecd2a738b6d66576adff4c732bab05461fea6cd954b4b624f85314e508e8f33e7fdd24a82718169c6a49073b5d57fd074ef59bef39b467f312a9

Download Submit
C:\Program Files\MiniTool ShadowMaker\WinPE\en-us\win8_x86\is-C452S.tmp

Filesize
16KB

MD5
443d4a687a8fcea51aea02c2bf3e7583

SHA1
08b6ef2e35608ed571b9c6f44c789e7d21572789

SHA256
0882fa66c7a4fd317c2474352adae7f09badacefed38fa1900ecc7fc5e2e4afe

SHA512
866175fc28c64f21f90a2672e0b8941f502c8b1473c32dd5ff95445dfb651cad41e75754b406257532af7ad076d362032e65532dcc0d9b021e0feb590b523594

Download Submit
C:\Program Files\MiniTool ShadowMaker\WinPE\en-us\win8_x86\is-HAAOU.tmp

Filesize
46KB

MD5
7b771326d0973ff2c92d1375c1e7ba23

SHA1
23f1072409f29f81b68f44a7a7b00ab6eb78c8c2

SHA256
29b09d71d1512aee316e47255ab07c09097e7ea9b9b7418833114555047f20d9

SHA512
7078d4d1acb1c6e722c0ead3bee1b3cb5dd0a11afb012e1c31d21b3faf3671952dabbeb92ede587d23e203b446d3017e449f6ce5ea80c4d6ade405699c593e25

Download Submit
C:\Program Files\MiniTool ShadowMaker\WinPE\en-us\win8_x86\is-K3I7C.tmp

Filesize
2KB

MD5
3a27fe065699a6acf2e42a64411c3a5c

SHA1
42666174100eb307c5d36a2e612654a798f0eaa9

SHA256
943d73cd5983797f8b71a9b05b1a4c71fc6f89a319f619b0e4f5063ea60cb04d

SHA512
038a1aa8c8f98fa6853e6d9594bce07fb64cd536421ab1ddfa4fc72603d8df26f3293d61ba33a57d89dd2bc25edd92b24417d73e32b438874560a65d2cb43a1a

Download Submit
C:\Program Files\MiniTool ShadowMaker\WinPE\en-us\x64\is-BEFCJ.tmp

Filesize
46KB

MD5
22d39a881eac214bb7a523bcc627c084

SHA1
a8c39858c9e71e89fa40d9b791e7f11a32b610cd

SHA256
491b11dbea8d2c2433db01eab51ed4b87c87ff4692f8d1c074c322ccb64274fa

SHA512
bf6a91357ec7a27c41575fe6711f6cdb0bbda33ec2b48f9955d93920f1015fda11af28be04c2f2c4673d1d0bd9481f2e8424008b6a29a6195296a3c74cf20d26

Download Submit
C:\Program Files\MiniTool ShadowMaker\WinPE\en-us\x64\is-GTOTN.tmp

Filesize
16KB

MD5
f49c0e3cbe4b20fba47bfcf09398a033

SHA1
f2a4da1854913f2eac1d1679cc64b13533a361a9

SHA256
dc601b9937956c7e47993293bcbf1bac5b2f60654e0b06eb203f389eac168f7a

SHA512
6906983db78d14bcd769e5ead47bc60ce6bf913c3ebb207e4a8161cb3fe98ea652cf6f8ebee5f0e125b82b38228d94db25ca00d63f297d5b3210355ecd15e89e

Download Submit
C:\Program Files\MiniTool ShadowMaker\WinPE\en-us\x64\is-SF6UD.tmp

Filesize
2KB

MD5
2984c2c7102f412d159f0b9221fd574f

SHA1
9dc24e331812088cbca5c52f1d31988137115887

SHA256
9edbfb670e0fc5e4d23967678a02aa729f78bf0ecf03317f4d497b621eab914c

SHA512
c2147f1366379f35f58da3b6f52f7afe09502e5ede78d3c0ba2ed2afbbcb6aa40400f0bf5ea8de53d9fbd17d536d49896924850ca1684ec297a738bfc5bf0dc7

Download Submit
C:\Program Files\MiniTool ShadowMaker\WinPE\en-us\x86\is-1D30I.tmp

Filesize
2KB

MD5
91ac2fc716e62b20df481ae4703b4c9e

SHA1
1a2f0b8b42e9d58d7a73043b08b6719dc30a71d7

SHA256
7ee191a9594f014847325a1b8614457c6ff071019d1ed5a72d3cc1fb496696e7

SHA512
6864b3662bbfe7267f790dc02279969a15d5792850de7ee59fe8902e1959c48618102abe3b14dcce1b66b87150b4be7046518cbe46ca792344e97e25c5e4d6ec

Download Submit
C:\Program Files\MiniTool ShadowMaker\WinPE\en-us\x86\is-DJ7HA.tmp

Filesize
16KB

MD5
2d58f98ad022e2afe56c0f3a452610ec

SHA1
476533d30698ae918a19933e590a856761f4738c

SHA256
d13064abca4361f9ca54a675f361f6c4d1c723beb9eff1301b5061d5abc3ede5

SHA512
1e0f785659bf3fbe46c29ebd8679d7fdc4661c81fe966b917db470370cfe2ad207a27ca1a07c5d02d887f2791a1d1d91dc6f83a0f0c9818c39af960530f1d9d1

Download Submit
C:\Program Files\MiniTool ShadowMaker\WinPE\en-us\x86\is-QB7PF.tmp

Filesize
46KB

MD5
fd88596392f3e4fd8a8965273597accd

SHA1
b3e448a40fc0f2b2267f3bdf4046be6dc91a9b96

SHA256
3aa7ebdb1134afeb28aedf41b3584808ab81c7ba82ac2f54e198f75b6213384b

SHA512
d21761283ea026367c2f8ee65bfdd10882c46f84e0831ca867c59beee047fee016bbcf0ad68fda3cee8a580f8570b3a548dce0ee25fdf38cdcd2253d24406078

Download Submit
C:\Program Files\MiniTool ShadowMaker\WinPE\is-021TH.tmp

Filesize
126KB

MD5
1c0ab06b3388e79a2206cbfd28e374a2

SHA1
fb94c71ee606c6cf5181840b4a6122eefd93770b

SHA256
f0ee03c9936b459cc9bdf184df9b7efad98d40ab7b99e89166a42e019a0ec0ea

SHA512
1e90991d22b0c34e7947edbc5864f662ad01b2da7888fbe3a6e814607ea5abb6fc0b34a7ee0accede471d7442755f00fe99c4a8b029244bf034189cd00d74d07

Download Submit
C:\Program Files\MiniTool ShadowMaker\WinPE\is-2KPKA.tmp

Filesize
168KB

MD5
91899280efb4496c8ac0a004cd1469e2

SHA1
aa9a223cedc82f3ce8e9080bd6273062a9b56958

SHA256
cd711e09012f37003af75e982e2e40df14445aca2800a3702a18612074ad660b

SHA512
5fd1c76157a0abc7e477c26a52d3e6a037a36b31a91e0958163a3b2337214a4d018b8880ea6f763c3812a37bc08917f0d9ea947f988dfec88720146e5783f251

Download Submit
C:\Program Files\MiniTool ShadowMaker\WinPE\is-3AQ54.tmp

Filesize
203KB

MD5
c1a2bd41b8d539c92b2bc34f1b6bd2a9

SHA1
9d03499e707a351f5fa8163c7cb00a593d2fa70b

SHA256
712fe9cd3cd3abecf2f3ee2dcf848ec06b62bc27c83a993667d095989c9ce873

SHA512
dbf772879aee19959f1c72134f7299239e20453368f507dd57a9e97df2c4b959ebdbb24a133d35d486ae2814a69a77c843ce102bebc2693a898b32ec0a919cc5

Download Submit
C:\Program Files\MiniTool ShadowMaker\WinPE\is-865PK.tmp

Filesize
497KB

MD5
6bb403f6c388f87ace8a7450393a2c51

SHA1
790f67879ff62932801da287b81078be3ac59076

SHA256
e2faaaab8c7254bc281757a19c6c0fed1da171a9f6c8f408cf1687e662a723c6

SHA512
ad364c1bc08002c587a20e9373f036665782b01d7fe6126024edfb0f67101526456370a4c76e346e974afb5047338b7f6ed87d508f687873daaecc891ded1ac5

Download Submit
C:\Program Files\MiniTool ShadowMaker\WinPE\is-DM6AM.tmp

Filesize
100KB

MD5
7bdff6235a8c7a9e3f9c3915f4d95197

SHA1
af38ce3946b37c84eda3d8f9f278f84336004384

SHA256
330995487dcac57ea57a53cb0f447e32099e6f63d190effaf6c28dba23c38b7d

SHA512
c555a1950a0ef6ef4df852ded8f983dd72d04c927bda770212335d0d7fd9ac668bff05f8e9ed81347e43520a92d764cf55b4c9a5d31ac3851950f1da08ff5318

Download Submit
C:\Program Files\MiniTool ShadowMaker\WinPE\is-FATPP.tmp

Filesize
121KB

MD5
37f0bc9593d1f3aa4a0f45a841784f8c

SHA1
c8bf7ddc8be8b868ac47d91be0ebd10a8f162099

SHA256
1ad6f2ad63f3846fb07fb991df21c5e7587b438bfb1e15bc43acfdaa7e6bfc1e

SHA512
5c170bb6fe263a819256f0760ec702a5ac50c4ac0790ec1edbebe21b14d9c43a07374384b4c1b2cef482446807bdfbfe51f6abfec6d4951c9966e6d3fca4d254

Download Submit
C:\Program Files\MiniTool ShadowMaker\WinPE\is-GG2O2.tmp

Filesize
549B

MD5
a864f7143f9dd47906454977b9f4edbc

SHA1
72d4d5359678d9062ca14a0cb85d381cc7cc589c

SHA256
64cccb16f7eb203d7d3858e51f62e3beb8c3d7811935cb06a5db53614515d582

SHA512
289a8f9ce0eaf3c1626fca16263470e16ede13224d90cf40dd50dc1cc326e5ce2bc7595f37ed772c8b07605652a652ed1e3457b66bacd67c66ffac79d98f78c0

Download Submit
C:\Program Files\MiniTool ShadowMaker\WinPE\is-HV5Q5.tmp

Filesize
103B

MD5
d0e5f187217e796e9d33107e12db9bf8

SHA1
b6ff6f997c8221121f8980f894e27167570694ea

SHA256
f93c41584626e0c4f4abf54572d25d3e01e96cf99802049b8d9706743e283d61

SHA512
d379f6ca31dde8bcfe5894ce689ce16ab5f043cdf00111547c64b276cc4b231c6c6ab9ade3b9359020493008fb847a05a7c509205a4f16d0489cc694199965d0

Download Submit
C:\Program Files\MiniTool ShadowMaker\WinPE\is-O034U.tmp

Filesize
406B

MD5
7cb71b006fcdcf8ade80e31fd5ab8060

SHA1
655380fb2cca01b0ca707f748fc7dcf006732518

SHA256
be8918559280a2e74748bf8f6238b568ed7cbf75183b2180a6a8a979a1ebf243

SHA512
ce095bb84dbf2e72304471f97e80799185fab42b843f95bd84df4b97764786687807f057dc4434287c8982937329e664f7de476445ff6e2cbf298d7a44b48d55

Download Submit
C:\Program Files\MiniTool ShadowMaker\WinPE\is-R27R6.tmp

Filesize
172B

MD5
9db4e733cb93ba9ff2e8f72f042fcda8

SHA1
2810dcdd7e56bf498ae3c1ec5ce8b23838c33413

SHA256
55bbd5c1b2a56a2e6ce92d3b59b460c30c56798ccd7804ec2790a5869f2b850b

SHA512
7b08f399d342b65ea13d5ebb19de1f4fe1dcdaaec4fdfe29e17cb365c7a9b47718fb5ad189df854397f691a492e451dad4ad7460f69150161b4cb7bd73c6e0e4

Download Submit
C:\Program Files\MiniTool ShadowMaker\WinPE\is-U97QB.tmp

Filesize
165B

MD5
ff2308e976215e0bb4d82a6a28ccdaad

SHA1
d438b2711f4e90d92f9ef183438a20ea87d78c69

SHA256
c8ac2d7e987ee422dc2743826882ee52285296681e58a5ae8232acef0866c64a

SHA512
7f912293df38067fd06b1ba73698b274a7110a0e20dfb7131d08fd5638f1c7bfce1d7984c4b70a28599b0208a055c53ad63eb4d6628dd7640acaca585bd5a95e

Download Submit
C:\Program Files\MiniTool ShadowMaker\WinPE\pxeBoot\is-0D523.tmp

Filesize
256KB

MD5
3ff0e1c7e264d70358f21db2198cb524

SHA1
f9a11da016f506881e2b46151d1842b75433f16c

SHA256
caef57205444357498da40ea4cc9efaffc9e4ae8eeb6c070ebf803bf304ba8d6

SHA512
fcfe38cffbba8ebffc91af54bf4b04ebf9598fa7e545c5ecd2c082ee26e65dda80803ee6e76a7199faabc1380e62512cf46f8efcf4f48712ab16255894535932

Download Submit
C:\Program Files\MiniTool ShadowMaker\WinPE\translations\is-G5PDC.tmp

Filesize
68KB

MD5
712c274cdc4e39651e8b518f66dc7dec

SHA1
7ff61f4b8da29b686e3d3b3274da0a03b8cc95c8

SHA256
c847943855a39bb6539c34e4a23ec6a4888c79f687d08020df5b73eec877993a

SHA512
dcde669cc4681dfdcd48cf1610e842a0abb879fc40d039478a151985f7413b419ee0c6aa3e31e632971b999f552a2fcf887c6eb34ea34a641d0ab6398f2b5f63

Download Submit
C:\Program Files\MiniTool ShadowMaker\WinPE\translations\is-PIOPK.tmp

Filesize
16B

MD5
bcebcf42735c6849bdecbb77451021dd

SHA1
4884fd9af6890647b7af1aefa57f38cca49ad899

SHA256
9959b510b15d18937848ad13007e30459d2e993c67e564badbfc18f935695c85

SHA512
f951b511ffb1a6b94b1bcae9df26b41b2ff829560583d7c83e70279d1b5304bde299b3679d863cad6bb79d0beda524fc195b7f054ecf11d2090037526b451b78

Download Submit
C:\Program Files\MiniTool ShadowMaker\WinPE\x64\is-HJP03.tmp

Filesize
2KB

MD5
39b7adfd0f84457da41fe73b807cc780

SHA1
4984249e447f6cf697be2b980ca9d8f155c4a407

SHA256
04f7aaa54815fb794e2cde30e0b63b8da9a984f2ff635fa63c5f693a89f08eb8

SHA512
cab93d6c21cc1f8d2f0b2feb395cfa0a2276f3c9f5bb6a913b63bab3fdc33680974a7c1520b38993b4ad992cb8e66c417c56c485f9fba4938b12a9c65a2e4531

Download Submit
C:\Program Files\MiniTool ShadowMaker\help.chm

Filesize
6.1MB

MD5
cbaf08243eb6c7ce4183a1e35afb049d

SHA1
9e3dacf61ffb9dd7ebf9fca694698baed14f5e9a

SHA256
ad1d641b22b8629c4515cbe1eac136040f290631b23fc72627f03002caaa0301

SHA512
c7a97e356da16b4a26c33ffea9ff0b0e0f07bea7a4d09a001b5396c4ab8a1b8d144b01ffbcd7d7526adac2ab5086e7c5729aa61fca14593073ffebae86e6cec3

Download Submit
C:\Program Files\MiniTool ShadowMaker\is-39A8R.tmp

Filesize
2.3MB

MD5
a932841a7be9c114828b26b322979bb8

SHA1
e29afb43c3a5e629cf9202a9750b1bb16d1f2d9f

SHA256
2a7efe3b2cd9fe6b99d03a98881e702915c0ca5a7be40d0d6239359d50208d08

SHA512
eef46e2e2f4caa73fe341f2c6e736f921e7866692368f50d8ce24c9d325f81a781e14156f74903a2b71f3cc790b1dd0071912e8f6254d5f29621d5a459e2a04f

Download Submit
C:\Program Files\MiniTool ShadowMaker\is-NIB5R.tmp

Filesize
169KB

MD5
dbdbaa2ba083a61d79840461cd267c89

SHA1
62de8be6046c8ceea52a8be62fbee2d540782dc5

SHA256
cea2e299584f3cabd374492b3430d622662e658289fcc25cc0392ef1854cdadd

SHA512
8cdaab99640e52506f089d6130d2cf9bd8dabe63d39792e27fad7a51c1e045a4a3e611b447404db7b3a4a73827db7ef303d5aa5271c51b167bf11077fb19a172

Download Submit
C:\Program Files\MiniTool ShadowMaker\lang.ini

Filesize
24B

MD5
5a84ea18562126a5738abfd2ee4f618f

SHA1
e21662bd256fa3b9edd6eef876d3e68bd12a6903

SHA256
209c59557c8be210b3c32d283c9df8654dcaa09fb9c5677ba071da1634735643

SHA512
eefecf1a91123e231a4e0d82e0a5318c497e809d9767961ed439f86a867a81f3e7d7bca2894eed8f4d05cb112c1835c4f2da4170fc3aea96662dc556a0067824

Download Submit
C:\Program Files\MiniTool ShadowMaker\system_backup_gui.exe

Filesize
3.1MB

MD5
eeb2d92adaa531ba0743adec2550f46d

SHA1
171c22299666d6acc0d68f5deaf9f7279e682e6b

SHA256
4751841cc34ba51c231e550f002fac3cca358aef8c770bdc0c869606518ab0cc

SHA512
01c16ef8c26c0cc23592eddabf692367f3e3ff28ab50feb4f104c80b8ab0689e0bc6de6e4652ef56f8a2a6e330e972aeeca33ec5e3abb3cb11e4279104ae91c9

Download Submit
C:\Program Files\MiniTool ShadowMaker\unins000.exe

Filesize
1.3MB

MD5
43eec1e4214f8159a4af8615e4db51d3

SHA1
e4d9663a8b5da6b7856a6abf376ce57286a49345

SHA256
233307a9b8d3e54c445b6ad7dfe1dee14fbef69d21884216931e4485a14dd087

SHA512
3b171a4b5a9b293e49dd7cb9ee12bc22d72a527e67f7354f625e280cb5cbee2a0a443a14954583349f39c5bd8f2360a9e724d754d8a073ada8dc9bb2d1e7affc

Download Submit
C:\Program Files\MiniTool ShadowMaker\x64\is-5DRI4.tmp

Filesize
21KB

MD5
17291a612431d3e8b731a932dd88e8db

SHA1
98994cc4da47e298d6d1e2baf2bd702c09242ae2

SHA256
4ab325db9871344c23f523c5fe10d351df4cef61e450180c34b95141f038a4a0

SHA512
a4b5ed6c53008c3f8a8ec8589588b54214fcc33c6bc825d7dada99899f0d1208510e94bc58dc6a8519d918628559b5a80361d9859868e93998bbfbc5a2e8cfb6

Download Submit
C:\Program Files\MiniTool ShadowMaker\x64\is-KOG54.tmp

Filesize
400KB

MD5
1ed06edc10b4333f66ba61ea97075831

SHA1
c0eb3e5204b4ca27fee60ae707151fc1b85baf8f

SHA256
89ea54b4f5b6ccb9b0d5083ef8acc6855d1915d41c0d6902834f6970ee2c2736

SHA512
7270be77363755e1846c155f6c5c555ad84741e13d917d7090b4dad0cae51ce669bc1a4e5f0b061da7b2b2296f4ca4f2cf0f63159731ec6fc1935dbfae9bb90b

Download Submit
C:\Program Files\MiniTool ShadowMaker\x86\is-73N77.tmp

Filesize
18KB

MD5
05fb36a51e04a6c6b3a5f125fa692e6b

SHA1
1d5c8a6766e54a81b75f1df4a397100c9b42b149

SHA256
2ec85cea38c19cb8ff369565074a6a261804aae016337ab193943162ae270d2d

SHA512
4ba03b2addb6c870baf4671239461d329e126d829006aa27483dbf91291687c69afb86cad148965b8fa199081fdf65afad14108b4192840c1825d1c604c722a5

Download Submit
C:\Program Files\MiniTool ShadowMaker\x86\is-MCN4A.tmp

Filesize
325KB

MD5
7bc0c0c439b4ffc39e27180dbad146bc

SHA1
b6f63718453a325b5563fe83937d0d42b4adefd6

SHA256
9b64c14ecc89594cb89c6a76da6fbcc94ee9a52506969b238403bfbf17f49712

SHA512
92adb6e8477716c1e792f87a0a3c67db43d62f8a725ac10cd55b0aa989acc07ae0ee5b6ca04a60e4c356c6537055d345b6eb79edc5ea50afe1f4e957a9de68ca

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
90e7d4ae931129f54363a01ded963f6e

SHA1
10b6d0d9173bc1362f1e267a63c77df26174fb31

SHA256
764c882179727c5b5be1902750af377b67600773694865d47a97b26625a60f37

SHA512
d1c8ba46cf82c003cdd3e6066f61d7d81e83a4e2f4260bc72770bd7d7e3a9057aaa5e575fc27cc4b15a29d95f0c40cb1a8f8c54ee2be2cb98bc33662beeddff8

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
1145d6d1b1bc66a1c70184b4de6f8c29

SHA1
e3175f947e2bcbaf779a68f07a956514be1d5062

SHA256
b2053a38925fb921f42de21604b2259f8c2773a46bfbccf0ccbbccf14b99a517

SHA512
a6e85e92ac5439b816d2caa41648bdcad5e0de50a9739a1146f3e4a7c371122ea560b1ea70dc6251f7ce13fd4b44dcac6beafba5c97d1ad4581c241925f6a796

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
f17a02a88a93cddcec6036aad63cd1f6

SHA1
d882d2c3dcfb8182264b730c3fa3b6c228128bf8

SHA256
56a1af1c3624c4e79c96cf8a4e8f3af1b4e663d3eb9b7f9b44f538c404b081c5

SHA512
60f0dac837c7086a59ba4ddaf528cd82837a1d4ddbf0938eb48fba6302321e5895d13da4ea0dbcafbc45aa041b43f774389e4ffb1cfb5e8b110ed397796248c7

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
7e7c2d62246a9f55d88853a3c73e920d

SHA1
df9492f7383f0d041c3d68c96f9448def087a5f0

SHA256
7dd5e834b18709f8a5431bd4c63a129c26ac26f676132e71689dd5babcdf5b3e

SHA512
37fa7a0f56076a7a0fbdad5b796f5ecc66e9400cbb8ac860d4f0cd08da0473d3a8ad2360202c5bace1805d163294ef0aaa0f01f6af1ee89be71c226e1f760bfc

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
2b45ba234f4c908843cc6a86c37ed57a

SHA1
9571b84e14e3eec93f328bbbbf807ec143522b0b

SHA256
981759e577715f0a2f6fa47ba91b55f5b58386a7d040d5e4a14783b9ecb4ed80

SHA512
6f75930cfc8f719125c86df500c0ce6a69749237c5e472ad8a1fc34fe6f9032fdb71d0c887af148b57970855a7befd141f068562c1e70c5b135520f676895e38

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
a1f10a674121d51da19f7862db6c62de

SHA1
703c9815f5c53c2454809a727ad869cc1eed3bb9

SHA256
d994c5572974b4f47d960685e7b9d3b06aba7fa8ab16ebc9ab296cf7d3fd7f77

SHA512
c5fd3ed86126e645bb877bb8b0d9d4dd902e28f9fa59e5cd6e5df9cfc3bff8bab3031a7be1b894249a97888557d5571ba2b6b5b7968d1631fd6ac8915dd2acd5

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
c3b458cbbad5e8fff7a660dca1e371ea

SHA1
f4d652de57bc0089649f73ef2afd34430bec3905

SHA256
b339e1dff14dfef06b842a9527af1e871de8b7c67d50ca8245eb7b55571a0cef

SHA512
30ff4414fd9b4e80501b2ea6c1a3541058da4b7d2a3f8e21bb7b2ddd7fd30e9397e926ac1594e5caf395bb1c5290dcff7230eaa938ed0ccf953e04e84945a2c7

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
f90d2006c4e16be1069152b612b57093

SHA1
4e81924f103d8e30ed3d5be18a22e08e84ac53d0

SHA256
d152ec902e19908de7fb93f61fbabc0fa54fe57ef0fa11c03e82e4d767c42fe4

SHA512
b9b78d2d5ea43b8c640ec7637cf9c161ebff6f4e8b93fb7a6ce6144ac6c70168203bf1503151eb4ee1d7f04405f1fd7685e37ed04f87f87194d3a47ec0dce8de

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
de5f85b4c468103f04366cda8fe2d51d

SHA1
a10eb4ee32c8b18eaf4495c5551b889126a4d883

SHA256
fda14a2842024166054aa786025a7081666b8b899fb6dfaea4abb7b569e05f1e

SHA512
6cab591948b3f8d5246fcd8d9f86e55f26f47c563dc94d1f444ccad8cf98cc5cd73b612259bfd0c4171d410baae6814a8449641cc667c675eb0ac257bc4e13ff

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab3FA1.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar3FB4.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-LVFNG.tmp\MSVCR120.dll

Filesize
948KB

MD5
2fb20c782c237f8b23df112326048479

SHA1
b2d5a8b5c0fd735038267914b5080aab57b78243

SHA256
e0305aa54823e6f39d847f8b651b7bd08c085f1dbbcb5c3c1ce1942c0fa1e9fa

SHA512
4c1a67da2a56bc910436f9e339203d939f0bf854b589e26d3f4086277f2bec3dfce8b1f60193418c2544ef0c55713c90f6997df2bfb43f1429f3d00ba46b39b0

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-LVFNG.tmp\libcurl.dll

Filesize
317KB

MD5
56f4c7d613927081e8311bc46ee0ec92

SHA1
b6aed1f136b7ebc94f5246d7d1518a5747998ed4

SHA256
f959786d18020a9ded99dc668e1f576cac8dd364e22d773d40e4fc693264555c

SHA512
5b4f1aa6db8bde8eb4b76ac036520fba09fe31958b0b74d3c17e0064cecc0f3995dc8b1a479b690c28831173328a0821f62cdc72ab26d3be575c6afc98544243

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-LVFNG.tmp\line.bmp

Filesize
6KB

MD5
9dc5bf6e4b2cad053d12ad24260d9327

SHA1
84b7d911b8d8002ff95edb523d108038b6ea3bf0

SHA256
efb22f0b990c4ed4a8d36868c7d9d3793b61f0728343306caeae0ae5f0751447

SHA512
25c3b183d96ee5ef9f5fe35ce898e718baf894dcb0a82049dde59b0779a7ede88907f1d1f44ff155cb1ea178c296aaf36975341679f7289920e615d4c01844f9

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-LVFNG.tmp\support.bmp

Filesize
822B

MD5
12ca16a9c8707b7f0a257e6cabbbea3a

SHA1
a0b81eb518de7eb4ee4f3ded01fdf781151ff874

SHA256
624677996b347cd36593d4a1107b265c903268086f2f548b50c0f329fd649a33

SHA512
70c595f65be3bd9d9d2f44b5240b3bf8f9e7b923c59fdf8f07dd3f89bd8731a9cb9abab2fe899b5aac1e402ec33c782974c9554584c088de9e051f99b21c9c78

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-LVFNG.tmp\unsupport.bmp

Filesize
822B

MD5
4ac29de505cfb25bbb88d190ad379d82

SHA1
582b2a54ce52a950614ee7dc444e5d1b4c532e54

SHA256
93a93ec1f9af7118b2fb05a1abc420781130e5663b92536a23ec6a4b172a0843

SHA512
fbfd193b678c5c2fc8a1a1d17dddf832d6aee35ab3f01ddb9f44eb48ce8125cd4efde9f7816161133ec13d477a3aaae842d8ea8ffbd97653eb5bfc96fbe204b6

Download Submit
C:\Windows\Resources\Themes\icsys.icn.exe

Filesize
135KB

MD5
c4aaf3ed244d5e7ef4323f60c7b58dc8

SHA1
70b65193f47754b1c6ee59fbf89dc51410d63d00

SHA256
03c82b37a59907471394a1ebcc82dd9a4bacec7fc2101f3533896609cd1c220f

SHA512
962c86b694e58b5ae3a1eae6cb4388c3379e8fcdddbe758fcb16ad866f11c58d10f4a36eb246a323e04134e76a98f085eb0f5b9f050fbae27828c7a7ff80b649

Download Submit
\Program Files\MiniTool Partition Wizard 12\partitionwizard.exe

Filesize
437KB

MD5
91090465ee5404063b278d495b2f946c

SHA1
94bc1b122af8b6578093fb927279c4c9f81c7abd

SHA256
c84ed7b59adc67d09b623a2243915bc89a18e929646ce6eae892992cb7cf5baf

SHA512
181ef507964bd5a8f07bdfb43a15c0d708f22947337881e3245e0233c63899acf1ec631e878440624f71887f0be1c7d49b06008d6daa4c81978d8d37106ac7ec

Download Submit
\Users\Admin\AppData\Local\Temp\bc5279c15d0c9b8cc1583bf81ae78a19adcbf0abb06b59c7b7a7c2687982b765n.exe

Filesize
2.9MB

MD5
1f50970690296f81bb9fd32e6b1f4395

SHA1
00c58d00edbe97b3a045680e1d65b975c483261f

SHA256
76b0cb7ee0862f5dd10cc59740d9dc19de80bc0581e0e72bd24c5021e7f504a8

SHA512
14684a6cbddfa35b3b3e9625f804c061dfecd49a2328a66015242efba304d2e557b27c322451f182bb445df73861fed796d078aa520a8ee592f32c68c594e4f4

Download Submit
\Users\Admin\AppData\Local\Temp\is-2OH9B.tmp\bc5279c15d0c9b8cc1583bf81ae78a19adcbf0abb06b59c7b7a7c2687982b765n.tmp

Filesize
2.8MB

MD5
e056652f7a4cef26553f05e3f52f8797

SHA1
bc1bf291d7383ad80182f10a59ceae0aef3c6487

SHA256
9234c1509f22265a5fa10a87fd141c7eabd95d1e7c3dd1c1037dc1c9a2b1a404

SHA512
dee2140d1a2e0aeb197a4f98b97dd54be9091e5a76ad8ef601b8eedd5b8495b563cd34114578f2fc6b4f58875e9aea06bdaedac926f30c9f18852013661adaa8

Download Submit
\Users\Admin\AppData\Local\Temp\is-41TN4.tmp\pwfree-64bit-online.tmp

Filesize
1.5MB

MD5
0ffb244cd63f44b50ba573ae841a2d01

SHA1
e1b88b0a95ea7e0eb3da8d94b1297d4b88a96196

SHA256
6948125034370d9ef171880bb6ab29fba176b200902c453530505f7b5013db5c

SHA512
98978a59b27c535fb731718bd21dc6f14143dca7d5dc633530f5c64d708fa47f4839268304061bd9aa84121b62138d2c13b80a0a594beee6c7ed64a8bc09b1bd

Download Submit
\Users\Admin\AppData\Local\Temp\is-LVFNG.tmp\SmDownloader.exe

Filesize
66KB

MD5
0bb1be1cee6bc878acbb41b1af7cfc88

SHA1
e8769d43088d5800bc169455077329bb8cf973b7

SHA256
166960f92a85a33207dad124fea1938740a82809c05dd449fd19f39c2c029038

SHA512
91a7c4f634ff2becf934fa04fcaf8e0f27173394428dd08b90050cc0685f1fc403234c09cf3b20308a91e952f2023875ff2fd9d6386c783eb966ec5a71931056

Download Submit
\Users\Admin\AppData\Local\Temp\is-LVFNG.tmp\msvcp120.dll

Filesize
444KB

MD5
a883c95684eff25e71c3b644912c73a5

SHA1
3f541023690680d002a22f64153ea4e000e5561b

SHA256
d672fb07a05fb53cc821da0fde823fdfd46071854fe8c6c5ea83d7450b978ecb

SHA512
5a47c138d50690828303b1a01b28e6ef67cfe48215d16ed8a70f2bc8dbb4a73a42c37d02ccae416dc5bd12b7ed14ff692369bc294259b46dbf02dc1073f0cb52

Download Submit
\Users\Admin\AppData\Local\Temp\pwfree-64bit-online.exe

Filesize
19.7MB

MD5
7e96c8c3e1b65128192b4f51b196304e

SHA1
837d473933c8001ed80355828e57c006e5cc3064

SHA256
42df723a33b6475544a5c522d88d48a992163d9e83bff27791fcc4da09ef8be5

SHA512
af4a06046d722b4a243fa19f089590b571d2e9af2946659c72be8ca4063df71030b28b8d139feefa38d1b03c95e83395c8806f4a19c36e1fcf1480208f8e27e7

Download Submit
\Windows\Resources\Themes\explorer.exe

Filesize
135KB

MD5
cc5715dd881c68a160aec4b48bf72630

SHA1
4cf337accb652bc4f070ee63527263acac37b476

SHA256
04db49757a3f6d1f646bae5044fdf856ee9089c2697910d890b2547e01b6851f

SHA512
88835a741f2731eda5d14a1f98b146dc9e22cd41c56eadd9758bf1be497b39c18285b5d683ee4fa23122541c28ed8798a1a75a730222fe6cbd962339bd778b88

Download Submit
\Windows\Resources\spoolsv.exe

Filesize
135KB

MD5
31fa626ddb766018f2afaea815809f65

SHA1
b5e7ab7433e370f339bb22e4645a75bcfc64637e

SHA256
85980b0be9401adace42ae9f69b612cccd0bfda27afc369172b9fd94f6f2b62d

SHA512
422aa448d0853c154607e2319443338efb7fea97678e24debec75608aec27533f15223652acf35f313c1fcee27544c450b698fb93c7cadf245ff4411c2c40261

Download Submit
\Windows\Resources\svchost.exe

Filesize
135KB

MD5
0882cd9f17954c29673362ffb5a7a2bc

SHA1
e27ab76290755d31aa993659e36871a2acddc5f3

SHA256
90f230d6ebc1d5f68f3a4095ef9bdfc6eb58bee9a09e9ff1c842a6b9f13e36b3

SHA512
68dedaf886ee2f8161efce8efff4c81a9c64afa173235a854fc533db5944614b3b6d322cc5dc5b13706fca2f3a6b52a017554b894c8a87a236e2accd7a9dbabf

Download Submit
memory/292-67-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/292-0-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/292-23-0x0000000000290000-0x00000000002AF000-memory.dmp

Filesize
124KB

Download
memory/316-497-0x0000000000400000-0x0000000000587000-memory.dmp

Filesize
1.5MB

Download
memory/956-4001-0x000007FEEF380000-0x000007FEEF89B000-memory.dmp

Filesize
5.1MB

Download
memory/956-4000-0x000007FEECF80000-0x000007FEED5D4000-memory.dmp

Filesize
6.3MB

Download
memory/1496-3989-0x0000000073E70000-0x00000000743BA000-memory.dmp

Filesize
5.3MB

Download
memory/1584-4454-0x00000000004C0000-0x00000000004CA000-memory.dmp

Filesize
40KB

Download
memory/1584-3848-0x000007FEF42C0000-0x000007FEF4806000-memory.dmp

Filesize
5.3MB

Download
memory/1584-3851-0x00000000004C0000-0x00000000004CA000-memory.dmp

Filesize
40KB

Download
memory/1584-3850-0x00000000004C0000-0x00000000004CA000-memory.dmp

Filesize
40KB

Download
memory/1916-65-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1916-3868-0x0000000000400000-0x000000000044C000-memory.dmp

Filesize
304KB

Download
memory/1916-528-0x0000000000400000-0x000000000044C000-memory.dmp

Filesize
304KB

Download
memory/1916-3292-0x0000000000400000-0x000000000044C000-memory.dmp

Filesize
304KB

Download
memory/2000-4057-0x0000000000400000-0x0000000000518000-memory.dmp

Filesize
1.1MB

Download
memory/2000-13-0x0000000000401000-0x00000000004A9000-memory.dmp

Filesize
672KB

Download
memory/2000-10-0x0000000000400000-0x0000000000518000-memory.dmp

Filesize
1.1MB

Download
memory/2000-104-0x0000000000400000-0x0000000000518000-memory.dmp

Filesize
1.1MB

Download
memory/2020-153-0x0000000000400000-0x0000000000481000-memory.dmp

Filesize
516KB

Download
memory/2020-498-0x0000000000400000-0x0000000000481000-memory.dmp

Filesize
516KB

Download
memory/2208-508-0x0000000073210000-0x000000007375A000-memory.dmp

Filesize
5.3MB

Download
memory/2344-4055-0x0000000000400000-0x00000000006D2000-memory.dmp

Filesize
2.8MB

Download
memory/2344-152-0x0000000000400000-0x00000000006D2000-memory.dmp

Filesize
2.8MB

Download
memory/2344-108-0x0000000000400000-0x00000000006D2000-memory.dmp

Filesize
2.8MB

Download
memory/2344-24-0x0000000000400000-0x00000000006D2000-memory.dmp

Filesize
2.8MB

Download
memory/2344-69-0x0000000000400000-0x00000000006D2000-memory.dmp

Filesize
2.8MB

Download
memory/2344-513-0x0000000000400000-0x00000000006D2000-memory.dmp

Filesize
2.8MB

Download
memory/2344-105-0x0000000000400000-0x00000000006D2000-memory.dmp

Filesize
2.8MB

Download
memory/2356-520-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2580-68-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2664-3293-0x0000000000400000-0x0000000000552000-memory.dmp

Filesize
1.3MB

Download
memory/2664-3867-0x0000000000400000-0x0000000000552000-memory.dmp

Filesize
1.3MB

Download
memory/2736-523-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2736-524-0x00000000003D0000-0x00000000003EF000-memory.dmp

Filesize
124KB

Download
memory/2736-60-0x00000000003D0000-0x00000000003EF000-memory.dmp

Filesize
124KB

Download
memory/2736-4076-0x00000000002C0000-0x00000000002C2000-memory.dmp

Filesize
8KB

Download
memory/2816-66-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download