Malware Analysis Report

2024-09-22 16:40

Sample ID 230213-lyc7macd83
Target 8fef3a062676cda862c7a3281f7c672f.exe
SHA256 9d2321341dc5804543514a81cab9aac8dbc52466c77bad98a3835819cb9d9c7d
Tags
aurora babadeda crypter discovery loader spyware stealer
score
10/10

Analysis Overview

score
10/10

SHA256

9d2321341dc5804543514a81cab9aac8dbc52466c77bad98a3835819cb9d9c7d

Threat Level: Known bad

The file 8fef3a062676cda862c7a3281f7c672f.exe was found to be: Known bad.

Malicious Activity Summary

aurora babadeda crypter discovery loader spyware stealer

Babadeda

Babadeda Crypter

Aurora

Executes dropped EXE

Loads dropped DLL

Reads user/profile data of web browsers

Checks installed software on the system

Maps connected drives based on registry

Accesses cryptocurrency files/wallets, possible credential harvesting

Enumerates connected drives

Drops file in Windows directory

Enumerates physical storage devices

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Suspicious use of FindShellTrayWindow

MITRE ATT&CK Matrix V6

Analysis: static1

Detonation Overview

Reported

2023-02-13 09:56

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2023-02-13 09:56

Reported

2023-02-13 09:58

Platform

win7-20220812-en

Max time kernel

117s

Max time network

151s

Command Line

"C:\Users\Admin\AppData\Local\Temp\8fef3a062676cda862c7a3281f7c672f.exe"

Signatures

Aurora

stealer aurora

Babadeda

loader crypter babadeda

Babadeda Crypter

Description Indicator Process Target
N/A N/A N/A N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Magic Desktop\SUMo.exe N/A

Reads user/profile data of web browsers

spyware stealer

Accesses cryptocurrency files/wallets, possible credential harvesting

spyware

Checks installed software on the system

discovery

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\A: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\K: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\L: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\S: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\F: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\N: C:\Users\Admin\AppData\Local\Temp\8fef3a062676cda862c7a3281f7c672f.exe N/A
File opened (read-only) \??\R: C:\Users\Admin\AppData\Local\Temp\8fef3a062676cda862c7a3281f7c672f.exe N/A
File opened (read-only) \??\S: C:\Users\Admin\AppData\Local\Temp\8fef3a062676cda862c7a3281f7c672f.exe N/A
File opened (read-only) \??\X: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\Y: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\L: C:\Users\Admin\AppData\Local\Temp\8fef3a062676cda862c7a3281f7c672f.exe N/A
File opened (read-only) \??\H: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\Q: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\E: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\P: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\V: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\V: C:\Users\Admin\AppData\Local\Temp\8fef3a062676cda862c7a3281f7c672f.exe N/A
File opened (read-only) \??\F: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\Z: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\G: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\S: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\X: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\E: C:\Users\Admin\AppData\Local\Temp\8fef3a062676cda862c7a3281f7c672f.exe N/A
File opened (read-only) \??\G: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\M: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\Y: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\B: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\R: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\U: C:\Users\Admin\AppData\Local\Temp\8fef3a062676cda862c7a3281f7c672f.exe N/A
File opened (read-only) \??\W: C:\Users\Admin\AppData\Local\Temp\8fef3a062676cda862c7a3281f7c672f.exe N/A
File opened (read-only) \??\R: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\H: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\T: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\B: C:\Users\Admin\AppData\Local\Temp\8fef3a062676cda862c7a3281f7c672f.exe N/A
File opened (read-only) \??\M: C:\Users\Admin\AppData\Local\Temp\8fef3a062676cda862c7a3281f7c672f.exe N/A
File opened (read-only) \??\T: C:\Users\Admin\AppData\Local\Temp\8fef3a062676cda862c7a3281f7c672f.exe N/A
File opened (read-only) \??\Q: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\Q: C:\Users\Admin\AppData\Local\Temp\8fef3a062676cda862c7a3281f7c672f.exe N/A
File opened (read-only) \??\E: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\J: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\O: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\K: C:\Users\Admin\AppData\Local\Temp\8fef3a062676cda862c7a3281f7c672f.exe N/A
File opened (read-only) \??\O: C:\Users\Admin\AppData\Local\Temp\8fef3a062676cda862c7a3281f7c672f.exe N/A
File opened (read-only) \??\Y: C:\Users\Admin\AppData\Local\Temp\8fef3a062676cda862c7a3281f7c672f.exe N/A
File opened (read-only) \??\N: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\O: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\J: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\P: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\U: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\B: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\N: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\Z: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\F: C:\Users\Admin\AppData\Local\Temp\8fef3a062676cda862c7a3281f7c672f.exe N/A
File opened (read-only) \??\X: C:\Users\Admin\AppData\Local\Temp\8fef3a062676cda862c7a3281f7c672f.exe N/A
File opened (read-only) \??\Z: C:\Users\Admin\AppData\Local\Temp\8fef3a062676cda862c7a3281f7c672f.exe N/A
File opened (read-only) \??\K: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\U: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\L: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\M: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\G: C:\Users\Admin\AppData\Local\Temp\8fef3a062676cda862c7a3281f7c672f.exe N/A
File opened (read-only) \??\I: C:\Users\Admin\AppData\Local\Temp\8fef3a062676cda862c7a3281f7c672f.exe N/A
File opened (read-only) \??\T: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\V: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\W: C:\Windows\SysWOW64\msiexec.exe N/A

Maps connected drives based on registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum C:\Users\Admin\AppData\Local\Magic Desktop\SUMo.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0 C:\Users\Admin\AppData\Local\Magic Desktop\SUMo.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\Installer\MSI126B.tmp C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSI1327.tmp C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\Installer\6c0f8e.ipi C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\ C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\6c0f8c.msi C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSI1037.tmp C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSI11FD.tmp C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSI1F0A.tmp C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\6c0f8e.ipi C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\Installer\6c0f8c.msi C:\Windows\system32\msiexec.exe N/A

Enumerates physical storage devices

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\system32\msiexec.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeCreateTokenPrivilege N/A C:\Users\Admin\AppData\Local\Temp\8fef3a062676cda862c7a3281f7c672f.exe N/A
Token: SeAssignPrimaryTokenPrivilege N/A C:\Users\Admin\AppData\Local\Temp\8fef3a062676cda862c7a3281f7c672f.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\8fef3a062676cda862c7a3281f7c672f.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Users\Admin\AppData\Local\Temp\8fef3a062676cda862c7a3281f7c672f.exe N/A
Token: SeMachineAccountPrivilege N/A C:\Users\Admin\AppData\Local\Temp\8fef3a062676cda862c7a3281f7c672f.exe N/A
Token: SeTcbPrivilege N/A C:\Users\Admin\AppData\Local\Temp\8fef3a062676cda862c7a3281f7c672f.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\8fef3a062676cda862c7a3281f7c672f.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Users\Admin\AppData\Local\Temp\8fef3a062676cda862c7a3281f7c672f.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Users\Admin\AppData\Local\Temp\8fef3a062676cda862c7a3281f7c672f.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Users\Admin\AppData\Local\Temp\8fef3a062676cda862c7a3281f7c672f.exe N/A
Token: SeSystemtimePrivilege N/A C:\Users\Admin\AppData\Local\Temp\8fef3a062676cda862c7a3281f7c672f.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Users\Admin\AppData\Local\Temp\8fef3a062676cda862c7a3281f7c672f.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\8fef3a062676cda862c7a3281f7c672f.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Users\Admin\AppData\Local\Temp\8fef3a062676cda862c7a3281f7c672f.exe N/A
Token: SeCreatePermanentPrivilege N/A C:\Users\Admin\AppData\Local\Temp\8fef3a062676cda862c7a3281f7c672f.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\8fef3a062676cda862c7a3281f7c672f.exe N/A
Token: SeRestorePrivilege N/A C:\Users\Admin\AppData\Local\Temp\8fef3a062676cda862c7a3281f7c672f.exe N/A
Token: SeShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Temp\8fef3a062676cda862c7a3281f7c672f.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\8fef3a062676cda862c7a3281f7c672f.exe N/A
Token: SeAuditPrivilege N/A C:\Users\Admin\AppData\Local\Temp\8fef3a062676cda862c7a3281f7c672f.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Users\Admin\AppData\Local\Temp\8fef3a062676cda862c7a3281f7c672f.exe N/A
Token: SeChangeNotifyPrivilege N/A C:\Users\Admin\AppData\Local\Temp\8fef3a062676cda862c7a3281f7c672f.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Temp\8fef3a062676cda862c7a3281f7c672f.exe N/A
Token: SeUndockPrivilege N/A C:\Users\Admin\AppData\Local\Temp\8fef3a062676cda862c7a3281f7c672f.exe N/A
Token: SeSyncAgentPrivilege N/A C:\Users\Admin\AppData\Local\Temp\8fef3a062676cda862c7a3281f7c672f.exe N/A
Token: SeEnableDelegationPrivilege N/A C:\Users\Admin\AppData\Local\Temp\8fef3a062676cda862c7a3281f7c672f.exe N/A
Token: SeManageVolumePrivilege N/A C:\Users\Admin\AppData\Local\Temp\8fef3a062676cda862c7a3281f7c672f.exe N/A
Token: SeImpersonatePrivilege N/A C:\Users\Admin\AppData\Local\Temp\8fef3a062676cda862c7a3281f7c672f.exe N/A
Token: SeCreateGlobalPrivilege N/A C:\Users\Admin\AppData\Local\Temp\8fef3a062676cda862c7a3281f7c672f.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 932 wrote to memory of 2008 N/A C:\Windows\system32\msiexec.exe C:\Windows\syswow64\MsiExec.exe
PID 1612 wrote to memory of 1968 N/A C:\Users\Admin\AppData\Local\Temp\8fef3a062676cda862c7a3281f7c672f.exe C:\Windows\SysWOW64\msiexec.exe
PID 932 wrote to memory of 1756 N/A C:\Windows\system32\msiexec.exe C:\Windows\syswow64\MsiExec.exe
PID 932 wrote to memory of 556 N/A C:\Windows\system32\msiexec.exe C:\Users\Admin\AppData\Local\Magic Desktop\SUMo.exe
PID 556 wrote to memory of 1144 N/A C:\Users\Admin\AppData\Local\Magic Desktop\SUMo.exe C:\Windows\SysWOW64\Wbem\wmic.exe
PID 556 wrote to memory of 1912 N/A C:\Users\Admin\AppData\Local\Magic Desktop\SUMo.exe C:\Windows\SysWOW64\cmd.exe
PID 1912 wrote to memory of 1896 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\Wbem\WMIC.exe
PID 556 wrote to memory of 680 N/A C:\Users\Admin\AppData\Local\Magic Desktop\SUMo.exe C:\Windows\SysWOW64\cmd.exe
PID 680 wrote to memory of 1184 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\Wbem\WMIC.exe

Processes

C:\Users\Admin\AppData\Local\Temp\8fef3a062676cda862c7a3281f7c672f.exe

"C:\Users\Admin\AppData\Local\Temp\8fef3a062676cda862c7a3281f7c672f.exe"

C:\Windows\system32\msiexec.exe

C:\Windows\system32\msiexec.exe /V

C:\Windows\syswow64\MsiExec.exe

C:\Windows\syswow64\MsiExec.exe -Embedding CEDF51F47134245C91C012D0C181A403 C

C:\Windows\SysWOW64\msiexec.exe

"C:\Windows\system32\msiexec.exe" /i "C:\Users\Admin\AppData\Roaming\Easybits\Magic Desktop 11.3.0.9\install\05E29F0\md.msi" AI_SETUPEXEPATH=C:\Users\Admin\AppData\Local\Temp\8fef3a062676cda862c7a3281f7c672f.exe SETUPEXEDIR=C:\Users\Admin\AppData\Local\Temp\ EXE_CMD_LINE="/exenoupdates /forcecleanup /wintime 1676278695 " AI_EUIMSI=""

C:\Windows\syswow64\MsiExec.exe

C:\Windows\syswow64\MsiExec.exe -Embedding 05B281C227F5A3A4FCF129A84DC1814A

C:\Users\Admin\AppData\Local\Magic Desktop\SUMo.exe

"C:\Users\Admin\AppData\Local\Magic Desktop\SUMo.exe"

C:\Windows\SysWOW64\Wbem\wmic.exe

wmic os get Caption

C:\Windows\SysWOW64\cmd.exe

cmd /C "wmic path win32_VideoController get name"

C:\Windows\SysWOW64\Wbem\WMIC.exe

wmic path win32_VideoController get name

C:\Windows\SysWOW64\cmd.exe

cmd /C "wmic cpu get name"

C:\Windows\SysWOW64\Wbem\WMIC.exe

wmic cpu get name

Network

Country Destination Domain Proto
US 8.8.8.8:53 www.kcsoftwares.com udp
FR 46.105.204.2:443 www.kcsoftwares.com tcp
RU 185.106.93.247:8081 tcp

Files

memory/1612-54-0x0000000075091000-0x0000000075093000-memory.dmp

memory/1612-55-0x0000000073AC1000-0x0000000073AC3000-memory.dmp

memory/932-56-0x000007FEFB751000-0x000007FEFB753000-memory.dmp

memory/2008-57-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\MSIC51.tmp

MD5 7380aa7a4eafd17c21cf315ae35fe288
SHA1 886747c7526627898bd36ff8b85869c9bf6718fc
SHA256 dba4ba13c058f89a92ff5afb2e9c77688bce5909499238b5c396d4308071ed88
SHA512 c4976712429d715adb7b4379d6e339e76557897117df2f9a920283ece5ca5bdabbf5ce0c3cda162a0a54bfc29ec8b979195689309a47ab00d800595e290f69a1

\Users\Admin\AppData\Local\Temp\MSIC51.tmp

MD5 7380aa7a4eafd17c21cf315ae35fe288
SHA1 886747c7526627898bd36ff8b85869c9bf6718fc
SHA256 dba4ba13c058f89a92ff5afb2e9c77688bce5909499238b5c396d4308071ed88
SHA512 c4976712429d715adb7b4379d6e339e76557897117df2f9a920283ece5ca5bdabbf5ce0c3cda162a0a54bfc29ec8b979195689309a47ab00d800595e290f69a1

memory/1968-61-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Roaming\Easybits\Magic Desktop 11.3.0.9\install\05E29F0\md.msi

MD5 6518026d73f6ca85100ed4cb3b2dc8b9
SHA1 8e04e3e501f70a1bb892ac1b92a90de546f52932
SHA256 5c614872ba056279e939b90b29412ae179ab9058d0b7b00dfccc2cc64ffc50e3
SHA512 5819c02e579eda16b478436bffc0f799935b28a34de4591863ef08be7f0732144f439b6377fb65712c25a2f9fb013ca9e2701cb6c801a75fcf355157a5723bb5

memory/1756-64-0x0000000000000000-mapping.dmp

C:\Windows\Installer\MSI1037.tmp

MD5 7380aa7a4eafd17c21cf315ae35fe288
SHA1 886747c7526627898bd36ff8b85869c9bf6718fc
SHA256 dba4ba13c058f89a92ff5afb2e9c77688bce5909499238b5c396d4308071ed88
SHA512 c4976712429d715adb7b4379d6e339e76557897117df2f9a920283ece5ca5bdabbf5ce0c3cda162a0a54bfc29ec8b979195689309a47ab00d800595e290f69a1

\Windows\Installer\MSI1037.tmp

MD5 7380aa7a4eafd17c21cf315ae35fe288
SHA1 886747c7526627898bd36ff8b85869c9bf6718fc
SHA256 dba4ba13c058f89a92ff5afb2e9c77688bce5909499238b5c396d4308071ed88
SHA512 c4976712429d715adb7b4379d6e339e76557897117df2f9a920283ece5ca5bdabbf5ce0c3cda162a0a54bfc29ec8b979195689309a47ab00d800595e290f69a1

C:\Windows\Installer\MSI11FD.tmp

MD5 7380aa7a4eafd17c21cf315ae35fe288
SHA1 886747c7526627898bd36ff8b85869c9bf6718fc
SHA256 dba4ba13c058f89a92ff5afb2e9c77688bce5909499238b5c396d4308071ed88
SHA512 c4976712429d715adb7b4379d6e339e76557897117df2f9a920283ece5ca5bdabbf5ce0c3cda162a0a54bfc29ec8b979195689309a47ab00d800595e290f69a1

\Windows\Installer\MSI11FD.tmp

MD5 7380aa7a4eafd17c21cf315ae35fe288
SHA1 886747c7526627898bd36ff8b85869c9bf6718fc
SHA256 dba4ba13c058f89a92ff5afb2e9c77688bce5909499238b5c396d4308071ed88
SHA512 c4976712429d715adb7b4379d6e339e76557897117df2f9a920283ece5ca5bdabbf5ce0c3cda162a0a54bfc29ec8b979195689309a47ab00d800595e290f69a1

C:\Windows\Installer\MSI126B.tmp

MD5 7380aa7a4eafd17c21cf315ae35fe288
SHA1 886747c7526627898bd36ff8b85869c9bf6718fc
SHA256 dba4ba13c058f89a92ff5afb2e9c77688bce5909499238b5c396d4308071ed88
SHA512 c4976712429d715adb7b4379d6e339e76557897117df2f9a920283ece5ca5bdabbf5ce0c3cda162a0a54bfc29ec8b979195689309a47ab00d800595e290f69a1

\Windows\Installer\MSI126B.tmp

MD5 7380aa7a4eafd17c21cf315ae35fe288
SHA1 886747c7526627898bd36ff8b85869c9bf6718fc
SHA256 dba4ba13c058f89a92ff5afb2e9c77688bce5909499238b5c396d4308071ed88
SHA512 c4976712429d715adb7b4379d6e339e76557897117df2f9a920283ece5ca5bdabbf5ce0c3cda162a0a54bfc29ec8b979195689309a47ab00d800595e290f69a1

C:\Windows\Installer\MSI1327.tmp

MD5 ae585caebd7faece019342026b304129
SHA1 8c512e6db9b0c9547fc0a6d3f3d1216e373d924e
SHA256 92dd2c1f1d19e1d96411d8afc81c29696d76abe6469a2d75200dd82a8fc164b4
SHA512 dbafd2b28356139f886ed7af3813bf7ee1e95709549b8bdbb3c52e17a213694af45096f369668e674a3295a1ba6ce3232dc8c213b29f24442a3c9e68e0d87313

\Windows\Installer\MSI1327.tmp

MD5 ae585caebd7faece019342026b304129
SHA1 8c512e6db9b0c9547fc0a6d3f3d1216e373d924e
SHA256 92dd2c1f1d19e1d96411d8afc81c29696d76abe6469a2d75200dd82a8fc164b4
SHA512 dbafd2b28356139f886ed7af3813bf7ee1e95709549b8bdbb3c52e17a213694af45096f369668e674a3295a1ba6ce3232dc8c213b29f24442a3c9e68e0d87313

C:\Users\Admin\AppData\Roaming\Easybits\Magic Desktop 11.3.0.9\install\05E29F0\SUMo_00000411.SPK

MD5 a0cd0621342dcd89f0a07bf0f0b43497
SHA1 43d120e9ed7d77879823d31fb30c492b9aad7cdf
SHA256 1cca56735fc3b085641bd4a4ca39d8538eef28889827936fd1be3f1664859202
SHA512 c253ac805bef8eb6c81b056df93ea5250dacf703e5c96c861649351dafb8dc7d61a07290f20eac64191f6e9369adc06208ab14aa4b23b8689c55c822462cf917

C:\Users\Admin\AppData\Roaming\Easybits\Magic Desktop 11.3.0.9\install\05E29F0\SUMo_00000412.SPK

MD5 b2c2252e465425ed73985675e92d4736
SHA1 4ef054acc17cfd748da8256d09bcba937c98ac72
SHA256 8757f0801c5f6cc0fc81e69254922623f891729c74422d0e34d334f48545cb38
SHA512 5692b280ac6b650a87fda1c3bcc9a398c3225e76cefb261292a35760e26851eb654441f51140848a136fd1775f3f03fe6b7ed9779db3e7b05d8df67e145263a1

C:\Users\Admin\AppData\Roaming\Easybits\Magic Desktop 11.3.0.9\install\05E29F0\SUMo_00000413.SPK

MD5 7a60015341a6e25a4da8f2513399a735
SHA1 957cc8d715c3892200b7eb7a5fc8df0adbb58efb
SHA256 434ed013e46ea5a7c05c7481ad8cf45e0eb5908cdd94ed863ea6fe405cce129d
SHA512 e2cfccc8eb77d819ee7ca3677198ca79a0129f3ac0e63c94314a11266f1514917969047020500eba14b281bc3825aa022727e99063b550e14a5d772e256d72aa

C:\Users\Admin\AppData\Roaming\Easybits\Magic Desktop 11.3.0.9\install\05E29F0\SUMo_00000415.SPK

MD5 042a26f0347aa7206779d81b2912bc6f
SHA1 1dbf0c0c4b1bb9e5985b0b137251dd6aabcfa43b
SHA256 cbcf617f7c0b3af2b8ebdf76ba51ff55d956bc97eeee05c9aed25ed027d61cfa
SHA512 e70737832ec3bc347f84023f69b3842b790bfa9fa3f5e7f783236d873bfc53db6608299b995fc0a92ee0cb9116412adad18c159a4c046f0d1a93bbcaec401c3c

C:\Users\Admin\AppData\Roaming\Easybits\Magic Desktop 11.3.0.9\install\05E29F0\SUMo_00000416.SPK

MD5 02639c0b531caede2b2072fc6826edad
SHA1 0530750bf3a4a951725eea2d644c30dca6132dfb
SHA256 2201e0453240ba3cebeb5be37d9aa15517b51ad04acde6b5ebb148383cd7c443
SHA512 440095237eeb07ffbf5cb9787be0285ed1baba1b48ad845b3be29435b9b46c28a4febddf3c1539c4df8004d471e216839421b2496ae33193622eee8a18c748ef

C:\Users\Admin\AppData\Roaming\Easybits\Magic Desktop 11.3.0.9\install\05E29F0\SUMo_00000418.SPK

MD5 b388d2cfd162ba73d75d5f44042ccb1d
SHA1 0258c34a2017d163f388cec88b349c35c7a0cff8
SHA256 64255df648940ab13a3bd55d7fbc1448f5a1abb1d1cd1ecd890d73f17f3635e1
SHA512 e85ffda3074471f0775708f96cb478a93cf630611593b0c0c5f4df2745214ee897ab83ce830db2da192e88f8822562e4a02d4a03f9662886a91607fc2d6a0ea1

C:\Users\Admin\AppData\Roaming\Easybits\Magic Desktop 11.3.0.9\install\05E29F0\SUMo_00000419.SPK

MD5 1160933a76e0ec4fd23447423540380b
SHA1 bf94e5777b0d85b864cc0e2349823c96132e202d
SHA256 e89895bad4ebc80c1a063fb34632720f0cb5aed88833e146ab9c2e547a8cd33c
SHA512 55ca2d98686591c9de5ddcb435c2f9eaf8a76dec288857c3f06c42def02f0c3aeab65f0657f400a8d08f5b2a2a7880ddd7ee345e3cd3250b2b07e9d76db2e210

C:\Users\Admin\AppData\Roaming\Easybits\Magic Desktop 11.3.0.9\install\05E29F0\SUMo_00000422.SPK

MD5 913b77afdf0717a7092a5203842fb477
SHA1 5e0fe351338f066508b3c2387fe9202bcf3859bf
SHA256 649a5425c79e1e6aadea0971222638cedf99c522595fa30528a8860d32a88fbf
SHA512 0340efb89431cd803a642f3ea8b81e4e882d9d33aedd30329db08214118de6f489fd87a35ef8a70cdfabcae6b0cec234b86687e16a6b56a15e38024b72b8788b

C:\Users\Admin\AppData\Roaming\Easybits\Magic Desktop 11.3.0.9\install\05E29F0\SUMo_00000424.SPK

MD5 dbed70e56af564a37603f16d32951dff
SHA1 7ad82597da16b01f1f76fd134b7d0f5082b2c805
SHA256 47ec8a1365bc0d8eec441923734b8123d6cd9df37b168a9eb706714480a56f51
SHA512 1b393f570a6ecacc2fb42b50d8b267b7eda0d307e9ccfaa572ca0080b44d55d1b8b3350263ac73cb21d3f8f27c019809d15b474b2901a60fbc6ef465b8b22120

C:\Users\Admin\AppData\Roaming\Easybits\Magic Desktop 11.3.0.9\install\05E29F0\SUMo_00000425.SPK

MD5 fabd351c936c7a6b757779f13f5707b5
SHA1 1c6defb61d9efeea665d12bebeebdf36017871ea
SHA256 7d984899c467bb13b4057d1f96db88a182d9f24b3693c534304caff0446b8be2
SHA512 5acfa822acce5b8bf70de1380eb2b1e39a18c4139eca06c6521007e33c31653532fc4a7bba7eedf70bf00ec5795e18f2628739c713a97df4b146459641fb6297

C:\Users\Admin\AppData\Roaming\Easybits\Magic Desktop 11.3.0.9\install\05E29F0\SUMo_00000427.SPK

MD5 953853724b9db696dc2eadd9e4cb2126
SHA1 ca5c486c5e8aaa982281e3b203f0ffc8e5749de3
SHA256 6cadeaab7b52fa31d19d5b4a1959da631da92ee5f88bc3e8284bee7a3967cd33
SHA512 3b8d91d7d0980a0b2af0540a73c0c342547dde38f8466d87c57fa14f8a23117cd4cfd87a49b99bea33bff76fd3d96a74737b4a787a074a93c7a1d14f3a4e34c8

C:\Users\Admin\AppData\Roaming\Easybits\Magic Desktop 11.3.0.9\install\05E29F0\SUMo_00000804.SPK

MD5 a0a6d9285e19f4643796dcb91fd900dc
SHA1 0e4e689226b37ead2b24af1512ba6546b39b40fe
SHA256 a4e53483b8dc4cf2b247e73a33fb01d9f312ec61f69d32c4b4c01a0512760bfb
SHA512 d031c7ce25bdd856ef83f7d52ab83cf2aea171b0a18a8584274f517a795c098aba00de548d23015c5584d31c4e22669073dd78afa45e775862ff34a79c4aa25f

C:\Users\Admin\AppData\Roaming\Easybits\Magic Desktop 11.3.0.9\install\05E29F0\SUMo_00000814.SPK

MD5 da9df95dda95e1fe352bd7b854a33890
SHA1 06634a8f3a0176e6d7b934cdf4752cc4012c775e
SHA256 ebba5750cef9a457023f4e8713c85174497751ea7c65bf5d8d80fb55375dfbd7
SHA512 7ae49f97153d898399d4a51eab4c700d7522ec1d72c0ff680f2c2bb5213d77ae1a810db8db7105c24b5b57b0084a2dd723d24c70b40568bebdaaa856f986fd26

C:\Users\Admin\AppData\Roaming\Easybits\Magic Desktop 11.3.0.9\install\05E29F0\SUMo_00000816.SPK

MD5 6340816924e9894eab687c2f5ae35b5f
SHA1 482e6672f417d418938d8d8385ceea04b373a6fe
SHA256 a881dc695a24fef491364a0126531e3480e0ea7bd73429e8092c9eea6dd5d107
SHA512 933e210e84dfdf776730b1914e52fe1fb696963bb0f34cd576f90341577e3c29f90a733d98fa2c1e469c029bc1c8eea30a300724ffb4188387fc23617bdc1405

C:\Users\Admin\AppData\Roaming\Easybits\Magic Desktop 11.3.0.9\install\05E29F0\SUMo_ORIGINAL.SPK

C:\Users\Admin\AppData\Roaming\Easybits\Magic Desktop 11.3.0.9\install\05E29F0\Screen Savers\ezScrSvr.dat

C:\Users\Admin\AppData\Roaming\Easybits\Magic Desktop 11.3.0.9\install\05E29F0\Screen Savers\Magic Castle\default.htm

C:\Users\Admin\AppData\Roaming\Easybits\Magic Desktop 11.3.0.9\install\05E29F0\Screen Savers\Magic Castle\ezScreenSaver.swf

C:\Users\Admin\AppData\Roaming\Easybits\Magic Desktop 11.3.0.9\install\05E29F0\Screen Savers\Magic Castle\WizardScr_1.swf

C:\Users\Admin\AppData\Roaming\Easybits\Magic Desktop 11.3.0.9\install\05E29F0\Screen Savers\Magic Castle\WizardScr_2.swf

C:\Users\Admin\AppData\Roaming\Easybits\Magic Desktop 11.3.0.9\install\05E29F0\Screen Savers\Magic Castle\WizardScr_3.swf

C:\Users\Admin\AppData\Roaming\Easybits\Magic Desktop 11.3.0.9\install\05E29F0\Screen Savers\Magic Castle\WizardScr_4.swf

C:\Users\Admin\AppData\Roaming\Easybits\Magic Desktop 11.3.0.9\install\05E29F0\Sounds\Default\Alert2.wav

C:\Users\Admin\AppData\Roaming\Easybits\Magic Desktop 11.3.0.9\install\05E29F0\Sounds\Default\BookItemHover.wav

C:\Users\Admin\AppData\Roaming\Easybits\Magic Desktop 11.3.0.9\install\05E29F0\Sounds\Default\CallOutInfo.wav

C:\Users\Admin\AppData\Roaming\Easybits\Magic Desktop 11.3.0.9\install\05E29F0\Sounds\Default\ChangeTheme.wav

C:\Users\Admin\AppData\Roaming\Easybits\Magic Desktop 11.3.0.9\install\05E29F0\Sounds\Default\CloseBook.wav

C:\Users\Admin\AppData\Roaming\Easybits\Magic Desktop 11.3.0.9\install\05E29F0\Sounds\Default\collapseWindow.wav

C:\Users\Admin\AppData\Roaming\Easybits\Magic Desktop 11.3.0.9\install\05E29F0\Sounds\Default\ControlHover.wav

C:\Users\Admin\AppData\Roaming\Easybits\Magic Desktop 11.3.0.9\install\05E29F0\Sounds\Default\EnterPassword.wav

C:\Users\Admin\AppData\Roaming\Easybits\Magic Desktop 11.3.0.9\install\05E29F0\Sounds\Default\expandWindow.wav

C:\Users\Admin\AppData\Roaming\Easybits\Magic Desktop 11.3.0.9\install\05E29F0\Sounds\Default\FlipBookPage.wav

C:\Users\Admin\AppData\Roaming\Easybits\Magic Desktop 11.3.0.9\install\05E29F0\Sounds\Default\iconClick.wav

C:\Users\Admin\AppData\Roaming\Easybits\Magic Desktop 11.3.0.9\install\05E29F0\Sounds\Default\Logoff.wav

C:\Users\Admin\AppData\Roaming\Easybits\Magic Desktop 11.3.0.9\install\05E29F0\Sounds\Default\Logon.wav

C:\Users\Admin\AppData\Roaming\Easybits\Magic Desktop 11.3.0.9\install\05E29F0\Sounds\Default\OpenBook.wav

C:\Users\Admin\AppData\Roaming\Easybits\Magic Desktop 11.3.0.9\install\05E29F0\Sounds\Default\ShowGuide.wav

C:\Users\Admin\AppData\Roaming\Easybits\Magic Desktop 11.3.0.9\install\05E29F0\Sounds\Default\Sounds.dat

C:\Users\Admin\AppData\Roaming\Easybits\Magic Desktop 11.3.0.9\install\05E29F0\Sounds\Default.dat

C:\Users\Admin\AppData\Roaming\Easybits\Magic Desktop 11.3.0.9\install\05E29F0\Sounds\Sound Names.dan

C:\Users\Admin\AppData\Roaming\Easybits\Magic Desktop 11.3.0.9\install\05E29F0\Sounds\Sound Names.dea

C:\Users\Admin\AppData\Roaming\Easybits\Magic Desktop 11.3.0.9\install\05E29F0\Sounds\Sound Names.des

C:\Users\Admin\AppData\Roaming\Easybits\Magic Desktop 11.3.0.9\install\05E29F0\Sounds\Sound Names.deu

C:\Users\Admin\AppData\Roaming\Easybits\Magic Desktop 11.3.0.9\install\05E29F0\Sounds\Sound Names.ell

C:\Users\Admin\AppData\Roaming\Easybits\Magic Desktop 11.3.0.9\install\05E29F0\Sounds\Sound Names.eng

C:\Users\Admin\AppData\Roaming\Easybits\Magic Desktop 11.3.0.9\install\05E29F0\Sounds\Sound Names.enu

C:\Users\Admin\AppData\Roaming\Easybits\Magic Desktop 11.3.0.9\install\05E29F0\Sounds\Sound Names.esm

C:\Users\Admin\AppData\Roaming\Easybits\Magic Desktop 11.3.0.9\install\05E29F0\Sounds\Sound Names.fin

C:\Users\Admin\AppData\Roaming\Easybits\Magic Desktop 11.3.0.9\install\05E29F0\Sounds\Sound Names.fra

C:\Users\Admin\AppData\Roaming\Easybits\Magic Desktop 11.3.0.9\install\05E29F0\Sounds\Sound Names.hun

C:\Users\Admin\AppData\Roaming\Easybits\Magic Desktop 11.3.0.9\install\05E29F0\Sounds\Sound Names.ita

C:\Users\Admin\AppData\Roaming\Easybits\Magic Desktop 11.3.0.9\install\05E29F0\Sounds\Sound Names.jpn

C:\Users\Admin\AppData\Roaming\Easybits\Magic Desktop 11.3.0.9\install\05E29F0\Sounds\Sound Names.nld

Analysis: behavioral2

Detonation Overview

Submitted

2023-02-13 09:56

Reported

2023-02-13 09:58

Platform

win10v2004-20221111-en

Max time kernel

117s

Max time network

148s

Command Line

"C:\Users\Admin\AppData\Local\Temp\8fef3a062676cda862c7a3281f7c672f.exe"

Signatures

Aurora

stealer aurora

Babadeda

loader crypter babadeda

Babadeda Crypter

Description Indicator Process Target
N/A N/A N/A N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Magic Desktop\SUMo.exe N/A

Reads user/profile data of web browsers

spyware stealer

Accesses cryptocurrency files/wallets, possible credential harvesting

spyware

Checks installed software on the system

discovery

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\F: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\O: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\P: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\X: C:\Users\Admin\AppData\Local\Temp\8fef3a062676cda862c7a3281f7c672f.exe N/A
File opened (read-only) \??\A: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\F: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\E: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\H: C:\Users\Admin\AppData\Local\Temp\8fef3a062676cda862c7a3281f7c672f.exe N/A
File opened (read-only) \??\N: C:\Users\Admin\AppData\Local\Temp\8fef3a062676cda862c7a3281f7c672f.exe N/A
File opened (read-only) \??\P: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\W: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\A: C:\Users\Admin\AppData\Local\Temp\8fef3a062676cda862c7a3281f7c672f.exe N/A
File opened (read-only) \??\I: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\G: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\O: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\R: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\B: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\Q: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\E: C:\Users\Admin\AppData\Local\Temp\8fef3a062676cda862c7a3281f7c672f.exe N/A
File opened (read-only) \??\O: C:\Users\Admin\AppData\Local\Temp\8fef3a062676cda862c7a3281f7c672f.exe N/A
File opened (read-only) \??\P: C:\Users\Admin\AppData\Local\Temp\8fef3a062676cda862c7a3281f7c672f.exe N/A
File opened (read-only) \??\M: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\Y: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\G: C:\Users\Admin\AppData\Local\Temp\8fef3a062676cda862c7a3281f7c672f.exe N/A
File opened (read-only) \??\K: C:\Users\Admin\AppData\Local\Temp\8fef3a062676cda862c7a3281f7c672f.exe N/A
File opened (read-only) \??\J: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\U: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\T: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\V: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\F: C:\Users\Admin\AppData\Local\Temp\8fef3a062676cda862c7a3281f7c672f.exe N/A
File opened (read-only) \??\T: C:\Users\Admin\AppData\Local\Temp\8fef3a062676cda862c7a3281f7c672f.exe N/A
File opened (read-only) \??\H: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\B: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\K: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\N: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\U: C:\Users\Admin\AppData\Local\Temp\8fef3a062676cda862c7a3281f7c672f.exe N/A
File opened (read-only) \??\A: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\X: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\Z: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\W: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\L: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\S: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\S: C:\Users\Admin\AppData\Local\Temp\8fef3a062676cda862c7a3281f7c672f.exe N/A
File opened (read-only) \??\V: C:\Users\Admin\AppData\Local\Temp\8fef3a062676cda862c7a3281f7c672f.exe N/A
File opened (read-only) \??\W: C:\Users\Admin\AppData\Local\Temp\8fef3a062676cda862c7a3281f7c672f.exe N/A
File opened (read-only) \??\Y: C:\Users\Admin\AppData\Local\Temp\8fef3a062676cda862c7a3281f7c672f.exe N/A
File opened (read-only) \??\Z: C:\Users\Admin\AppData\Local\Temp\8fef3a062676cda862c7a3281f7c672f.exe N/A
File opened (read-only) \??\N: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\B: C:\Users\Admin\AppData\Local\Temp\8fef3a062676cda862c7a3281f7c672f.exe N/A
File opened (read-only) \??\I: C:\Users\Admin\AppData\Local\Temp\8fef3a062676cda862c7a3281f7c672f.exe N/A
File opened (read-only) \??\E: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\G: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\J: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\U: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\H: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\Q: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\Q: C:\Users\Admin\AppData\Local\Temp\8fef3a062676cda862c7a3281f7c672f.exe N/A
File opened (read-only) \??\R: C:\Users\Admin\AppData\Local\Temp\8fef3a062676cda862c7a3281f7c672f.exe N/A
File opened (read-only) \??\T: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\S: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\J: C:\Users\Admin\AppData\Local\Temp\8fef3a062676cda862c7a3281f7c672f.exe N/A
File opened (read-only) \??\M: C:\Users\Admin\AppData\Local\Temp\8fef3a062676cda862c7a3281f7c672f.exe N/A
File opened (read-only) \??\Z: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\L: C:\Users\Admin\AppData\Local\Temp\8fef3a062676cda862c7a3281f7c672f.exe N/A

Maps connected drives based on registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum C:\Users\Admin\AppData\Local\Magic Desktop\SUMo.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0 C:\Users\Admin\AppData\Local\Magic Desktop\SUMo.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\Installer\e566db3.msi C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\Installer\inprogressinstallinfo.ipi C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\Installer\SourceHash{DE95392E-B226-44A8-ACAF-B122805E29F0} C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSI6F2B.tmp C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSI6FE7.tmp C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSI7056.tmp C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSI7102.tmp C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\ C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\Installer\e566db3.msi C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSI6E8D.tmp C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSI7D29.tmp C:\Windows\system32\msiexec.exe N/A

Enumerates physical storage devices

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\system32\msiexec.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeSecurityPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeCreateTokenPrivilege N/A C:\Users\Admin\AppData\Local\Temp\8fef3a062676cda862c7a3281f7c672f.exe N/A
Token: SeAssignPrimaryTokenPrivilege N/A C:\Users\Admin\AppData\Local\Temp\8fef3a062676cda862c7a3281f7c672f.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\8fef3a062676cda862c7a3281f7c672f.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Users\Admin\AppData\Local\Temp\8fef3a062676cda862c7a3281f7c672f.exe N/A
Token: SeMachineAccountPrivilege N/A C:\Users\Admin\AppData\Local\Temp\8fef3a062676cda862c7a3281f7c672f.exe N/A
Token: SeTcbPrivilege N/A C:\Users\Admin\AppData\Local\Temp\8fef3a062676cda862c7a3281f7c672f.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\8fef3a062676cda862c7a3281f7c672f.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Users\Admin\AppData\Local\Temp\8fef3a062676cda862c7a3281f7c672f.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Users\Admin\AppData\Local\Temp\8fef3a062676cda862c7a3281f7c672f.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Users\Admin\AppData\Local\Temp\8fef3a062676cda862c7a3281f7c672f.exe N/A
Token: SeSystemtimePrivilege N/A C:\Users\Admin\AppData\Local\Temp\8fef3a062676cda862c7a3281f7c672f.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Users\Admin\AppData\Local\Temp\8fef3a062676cda862c7a3281f7c672f.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\8fef3a062676cda862c7a3281f7c672f.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Users\Admin\AppData\Local\Temp\8fef3a062676cda862c7a3281f7c672f.exe N/A
Token: SeCreatePermanentPrivilege N/A C:\Users\Admin\AppData\Local\Temp\8fef3a062676cda862c7a3281f7c672f.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\8fef3a062676cda862c7a3281f7c672f.exe N/A
Token: SeRestorePrivilege N/A C:\Users\Admin\AppData\Local\Temp\8fef3a062676cda862c7a3281f7c672f.exe N/A
Token: SeShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Temp\8fef3a062676cda862c7a3281f7c672f.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\8fef3a062676cda862c7a3281f7c672f.exe N/A
Token: SeAuditPrivilege N/A C:\Users\Admin\AppData\Local\Temp\8fef3a062676cda862c7a3281f7c672f.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Users\Admin\AppData\Local\Temp\8fef3a062676cda862c7a3281f7c672f.exe N/A
Token: SeChangeNotifyPrivilege N/A C:\Users\Admin\AppData\Local\Temp\8fef3a062676cda862c7a3281f7c672f.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Temp\8fef3a062676cda862c7a3281f7c672f.exe N/A
Token: SeUndockPrivilege N/A C:\Users\Admin\AppData\Local\Temp\8fef3a062676cda862c7a3281f7c672f.exe N/A
Token: SeSyncAgentPrivilege N/A C:\Users\Admin\AppData\Local\Temp\8fef3a062676cda862c7a3281f7c672f.exe N/A
Token: SeEnableDelegationPrivilege N/A C:\Users\Admin\AppData\Local\Temp\8fef3a062676cda862c7a3281f7c672f.exe N/A
Token: SeManageVolumePrivilege N/A C:\Users\Admin\AppData\Local\Temp\8fef3a062676cda862c7a3281f7c672f.exe N/A
Token: SeImpersonatePrivilege N/A C:\Users\Admin\AppData\Local\Temp\8fef3a062676cda862c7a3281f7c672f.exe N/A
Token: SeCreateGlobalPrivilege N/A C:\Users\Admin\AppData\Local\Temp\8fef3a062676cda862c7a3281f7c672f.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4872 wrote to memory of 2644 N/A C:\Windows\system32\msiexec.exe C:\Windows\syswow64\MsiExec.exe
PID 4612 wrote to memory of 4128 N/A C:\Users\Admin\AppData\Local\Temp\8fef3a062676cda862c7a3281f7c672f.exe C:\Windows\SysWOW64\msiexec.exe
PID 4872 wrote to memory of 3396 N/A C:\Windows\system32\msiexec.exe C:\Windows\syswow64\MsiExec.exe
PID 4872 wrote to memory of 240 N/A C:\Windows\system32\msiexec.exe C:\Users\Admin\AppData\Local\Magic Desktop\SUMo.exe
PID 4872 wrote to memory of 240 N/A C:\Windows\system32\msiexec.exe C:\Users\Admin\AppData\Local\Magic Desktop\SUMo.exe
PID 4872 wrote to memory of 240 N/A C:\Windows\system32\msiexec.exe C:\Users\Admin\AppData\Local\Magic Desktop\SUMo.exe
PID 240 wrote to memory of 4076 N/A C:\Users\Admin\AppData\Local\Magic Desktop\SUMo.exe C:\Windows\SysWOW64\Wbem\wmic.exe
PID 240 wrote to memory of 4076 N/A C:\Users\Admin\AppData\Local\Magic Desktop\SUMo.exe C:\Windows\SysWOW64\Wbem\wmic.exe
PID 240 wrote to memory of 4076 N/A C:\Users\Admin\AppData\Local\Magic Desktop\SUMo.exe C:\Windows\SysWOW64\Wbem\wmic.exe
PID 240 wrote to memory of 1696 N/A C:\Users\Admin\AppData\Local\Magic Desktop\SUMo.exe C:\Windows\SysWOW64\cmd.exe
PID 240 wrote to memory of 1696 N/A C:\Users\Admin\AppData\Local\Magic Desktop\SUMo.exe C:\Windows\SysWOW64\cmd.exe
PID 240 wrote to memory of 1696 N/A C:\Users\Admin\AppData\Local\Magic Desktop\SUMo.exe C:\Windows\SysWOW64\cmd.exe
PID 1696 wrote to memory of 3176 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\Wbem\WMIC.exe
PID 1696 wrote to memory of 3176 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\Wbem\WMIC.exe
PID 1696 wrote to memory of 3176 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\Wbem\WMIC.exe
PID 240 wrote to memory of 4560 N/A C:\Users\Admin\AppData\Local\Magic Desktop\SUMo.exe C:\Windows\SysWOW64\cmd.exe
PID 240 wrote to memory of 4560 N/A C:\Users\Admin\AppData\Local\Magic Desktop\SUMo.exe C:\Windows\SysWOW64\cmd.exe
PID 240 wrote to memory of 4560 N/A C:\Users\Admin\AppData\Local\Magic Desktop\SUMo.exe C:\Windows\SysWOW64\cmd.exe
PID 4560 wrote to memory of 3148 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\Wbem\WMIC.exe
PID 4560 wrote to memory of 3148 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\Wbem\WMIC.exe
PID 4560 wrote to memory of 3148 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\Wbem\WMIC.exe

Processes

C:\Users\Admin\AppData\Local\Temp\8fef3a062676cda862c7a3281f7c672f.exe

"C:\Users\Admin\AppData\Local\Temp\8fef3a062676cda862c7a3281f7c672f.exe"

C:\Windows\system32\msiexec.exe

C:\Windows\system32\msiexec.exe /V

C:\Windows\syswow64\MsiExec.exe

C:\Windows\syswow64\MsiExec.exe -Embedding 4E35C3C6C19FAE0CBF1BFC4A4A8C2497 C

C:\Windows\SysWOW64\msiexec.exe

"C:\Windows\system32\msiexec.exe" /i "C:\Users\Admin\AppData\Roaming\Easybits\Magic Desktop 11.3.0.9\install\05E29F0\md.msi" AI_SETUPEXEPATH=C:\Users\Admin\AppData\Local\Temp\8fef3a062676cda862c7a3281f7c672f.exe SETUPEXEDIR=C:\Users\Admin\AppData\Local\Temp\ EXE_CMD_LINE="/exenoupdates /forcecleanup /wintime 1676045232 " AI_EUIMSI=""

C:\Windows\syswow64\MsiExec.exe

C:\Windows\syswow64\MsiExec.exe -Embedding D312056A75758FB7A2E09A62EBCA7C74

C:\Users\Admin\AppData\Local\Magic Desktop\SUMo.exe

"C:\Users\Admin\AppData\Local\Magic Desktop\SUMo.exe"

C:\Windows\SysWOW64\Wbem\wmic.exe

wmic os get Caption

C:\Windows\SysWOW64\cmd.exe

cmd /C "wmic path win32_VideoController get name"

C:\Windows\SysWOW64\Wbem\WMIC.exe

wmic path win32_VideoController get name

C:\Windows\SysWOW64\cmd.exe

cmd /C "wmic cpu get name"

C:\Windows\SysWOW64\Wbem\WMIC.exe

wmic cpu get name

Network

Country Destination Domain Proto
US 93.184.220.29:80 tcp
US 8.8.8.8:53 www.kcsoftwares.com udp
FR 46.105.204.2:443 www.kcsoftwares.com tcp
RU 185.106.93.247:8081 tcp
US 93.184.221.240:80 tcp

Files
