8441698a613ccd49f87eb7a36bb299a15b31eedb693e7217ac5010d0e480ca5d

Analysis

max time kernel
150s
max time network
124s
platform
windows7_x64
resource
win7-20240319-en
resource tags

arch:x64arch:x86image:win7-20240319-enlocale:en-usos:windows7-x64system
submitted
16-04-2024 17:50

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-04-16_a0e20035b9d89faac54ca18ac7d8a5c6_magniber.exe
Size

2.7MB
MD5

a0e20035b9d89faac54ca18ac7d8a5c6
SHA1

b16a3a3eedf15c35c8432b5507e89baa99b820f0
SHA256

8441698a613ccd49f87eb7a36bb299a15b31eedb693e7217ac5010d0e480ca5d
SHA512

bd63ab50fca6ffa227b73be34c7f6d47b797d13d44b6479558961452af958a52bff796cdb4aea66ae1202b7976c7318d13979e9d43d1814338ff71b2c23adf13
SSDEEP

49152:k7CwwwwseiiO9CqrNVhE94ioMv4EZWs3mf0czLWus1m7l3YI6ZeiHD6DWsLV6H:NihrNzEWiVv9mf0cfPs1mB356ZeiHDak

Score

7^/10

evasion trojan

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2700	cmd.exe

Executes dropped EXE 4 IoCs

pid	Process
2224	Logo1_.exe
2572	2024-04-16_a0e20035b9d89faac54ca18ac7d8a5c6_magniber.exe
1348	Au_.exe
2688	Au_.exe

Loads dropped DLL 3 IoCs

pid	Process
2700	cmd.exe
2572	2024-04-16_a0e20035b9d89faac54ca18ac7d8a5c6_magniber.exe
1348	Au_.exe

Checks whether UAC is enabled 1 TTPs 1 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	Au_.exe

Enumerates connected drives 3 TTPs 21 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\Y:	Logo1_.exe
File opened (read-only)	\??\S:	Logo1_.exe
File opened (read-only)	\??\R:	Logo1_.exe
File opened (read-only)	\??\Q:	Logo1_.exe
File opened (read-only)	\??\N:	Logo1_.exe
File opened (read-only)	\??\M:	Logo1_.exe
File opened (read-only)	\??\E:	Logo1_.exe
File opened (read-only)	\??\O:	Logo1_.exe
File opened (read-only)	\??\G:	Logo1_.exe
File opened (read-only)	\??\Z:	Logo1_.exe
File opened (read-only)	\??\T:	Logo1_.exe
File opened (read-only)	\??\P:	Logo1_.exe
File opened (read-only)	\??\I:	Logo1_.exe
File opened (read-only)	\??\X:	Logo1_.exe
File opened (read-only)	\??\W:	Logo1_.exe
File opened (read-only)	\??\V:	Logo1_.exe
File opened (read-only)	\??\U:	Logo1_.exe
File opened (read-only)	\??\L:	Logo1_.exe
File opened (read-only)	\??\K:	Logo1_.exe
File opened (read-only)	\??\J:	Logo1_.exe
File opened (read-only)	\??\H:	Logo1_.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\Windows Sidebar\Gadgets\CPU.Gadget\it-IT\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\3082\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Windows NT\Accessories\ja-JP\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\RSSFeeds.Gadget\it-IT\js\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\TextConv\ja-JP\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\Calendar.Gadget\ja-JP\js\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\rmid.exe	Logo1_.exe
File created	C:\Program Files\VideoLAN\VLC\locale\hu\_desktop.ini	Logo1_.exe
File created	C:\Program Files\VideoLAN\VLC\locale\sr\_desktop.ini	Logo1_.exe
File created	C:\Program Files\VideoLAN\VLC\locale\zu\LC_MESSAGES\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ielowutil.exe	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\launcher.exe	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\hu\LC_MESSAGES\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Windows Media Player\Icons\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\db\bin\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\CPU.Gadget\fr-FR\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Microsoft Games\SpiderSolitaire\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Setup Files\{AC76BA86-7AD7-1033-7B44-A90000000001}\Setup.exe	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\am_ET\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\logger\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\CAPSULES\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Windows Defender\it-IT\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\WidevineCdm\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\p2\org.eclipse.equinox.p2.core\cache\binary\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\pa\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\Help\1040\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Windows Photo Viewer\it-IT\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\Clock.Gadget\en-US\js\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Windows Sidebar\Gadgets\Currency.Gadget\es-ES\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\tnameserv.exe	Logo1_.exe
File created	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\es\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Windows Mail\de-DE\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\Proof.fr\_desktop.ini	Logo1_.exe
File created	C:\Program Files\VideoLAN\VLC\plugins\stream_extractor\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins3d\prc\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\PROOF\1033\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Windows Sidebar\Shared Gadgets\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Java\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Microsoft Games\SpiderSolitaire\en-US\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\de-DE\css\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\TextConv\WksConv\Wkconv.exe	Logo1_.exe
File created	C:\Program Files\VideoLAN\VLC\locale\ar\LC_MESSAGES\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\FormsStyles\BabyBlue\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Microsoft SQL Server Compact Edition\_desktop.ini	Logo1_.exe
File created	C:\Program Files\VideoLAN\VLC\lua\http\css\ui-lightness\images\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Windows Defender\en-US\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\lib\nbexec.exe	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\fy\_desktop.ini	Logo1_.exe
File created	C:\Program Files\VideoLAN\VLC\locale\hi\LC_MESSAGES\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Templates\1033\Access\DataType\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Microsoft Games\Minesweeper\ja-JP\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\bs\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\Currency.Gadget\it-IT\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\TextConv\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\CPU.Gadget\de-DE\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\Americana\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\Clock.Gadget\ja-JP\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\deploy\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Reference Assemblies\Microsoft\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Windows Photo Viewer\ImagingDevices.exe	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\SPRING\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\MEIPreload\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Mozilla Firefox\defaults\_desktop.ini	Logo1_.exe

Drops file in Windows directory 4 IoCs

description	ioc	Process
File created	C:\Windows\rundl132.exe	2024-04-16_a0e20035b9d89faac54ca18ac7d8a5c6_magniber.exe
File created	C:\Windows\Logo1_.exe	2024-04-16_a0e20035b9d89faac54ca18ac7d8a5c6_magniber.exe
File opened for modification	C:\Windows\rundl132.exe	Logo1_.exe
File created	C:\Windows\vDll.dll	Logo1_.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Runs net.exe

Suspicious behavior: EnumeratesProcesses 16 IoCs

pid	Process
2224	Logo1_.exe
2224	Logo1_.exe
2224	Logo1_.exe
2224	Logo1_.exe
2224	Logo1_.exe
2224	Logo1_.exe
2572	2024-04-16_a0e20035b9d89faac54ca18ac7d8a5c6_magniber.exe
2572	2024-04-16_a0e20035b9d89faac54ca18ac7d8a5c6_magniber.exe
2224	Logo1_.exe
2224	Logo1_.exe
2224	Logo1_.exe
2224	Logo1_.exe
1348	Au_.exe
1348	Au_.exe
1348	Au_.exe
1348	Au_.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
1348	Au_.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	1348	Au_.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
1348	Au_.exe

Suspicious use of WriteProcessMemory 39 IoCs

description	pid	Process	procid_target
PID 2204 wrote to memory of 2700	2204	2024-04-16_a0e20035b9d89faac54ca18ac7d8a5c6_magniber.exe	28
PID 2204 wrote to memory of 2700	2204	2024-04-16_a0e20035b9d89faac54ca18ac7d8a5c6_magniber.exe	28
PID 2204 wrote to memory of 2700	2204	2024-04-16_a0e20035b9d89faac54ca18ac7d8a5c6_magniber.exe	28
PID 2204 wrote to memory of 2700	2204	2024-04-16_a0e20035b9d89faac54ca18ac7d8a5c6_magniber.exe	28
PID 2204 wrote to memory of 2224	2204	2024-04-16_a0e20035b9d89faac54ca18ac7d8a5c6_magniber.exe	29
PID 2204 wrote to memory of 2224	2204	2024-04-16_a0e20035b9d89faac54ca18ac7d8a5c6_magniber.exe	29
PID 2204 wrote to memory of 2224	2204	2024-04-16_a0e20035b9d89faac54ca18ac7d8a5c6_magniber.exe	29
PID 2204 wrote to memory of 2224	2204	2024-04-16_a0e20035b9d89faac54ca18ac7d8a5c6_magniber.exe	29
PID 2224 wrote to memory of 2604	2224	Logo1_.exe	31
PID 2224 wrote to memory of 2604	2224	Logo1_.exe	31
PID 2224 wrote to memory of 2604	2224	Logo1_.exe	31
PID 2224 wrote to memory of 2604	2224	Logo1_.exe	31
PID 2700 wrote to memory of 2572	2700	cmd.exe	34
PID 2700 wrote to memory of 2572	2700	cmd.exe	34
PID 2700 wrote to memory of 2572	2700	cmd.exe	34
PID 2700 wrote to memory of 2572	2700	cmd.exe	34
PID 2700 wrote to memory of 2572	2700	cmd.exe	34
PID 2700 wrote to memory of 2572	2700	cmd.exe	34
PID 2700 wrote to memory of 2572	2700	cmd.exe	34
PID 2604 wrote to memory of 2528	2604	net.exe	33
PID 2604 wrote to memory of 2528	2604	net.exe	33
PID 2604 wrote to memory of 2528	2604	net.exe	33
PID 2604 wrote to memory of 2528	2604	net.exe	33
PID 2572 wrote to memory of 1348	2572	2024-04-16_a0e20035b9d89faac54ca18ac7d8a5c6_magniber.exe	35
PID 2572 wrote to memory of 1348	2572	2024-04-16_a0e20035b9d89faac54ca18ac7d8a5c6_magniber.exe	35
PID 2572 wrote to memory of 1348	2572	2024-04-16_a0e20035b9d89faac54ca18ac7d8a5c6_magniber.exe	35
PID 2572 wrote to memory of 1348	2572	2024-04-16_a0e20035b9d89faac54ca18ac7d8a5c6_magniber.exe	35
PID 2572 wrote to memory of 1348	2572	2024-04-16_a0e20035b9d89faac54ca18ac7d8a5c6_magniber.exe	35
PID 2572 wrote to memory of 1348	2572	2024-04-16_a0e20035b9d89faac54ca18ac7d8a5c6_magniber.exe	35
PID 2572 wrote to memory of 1348	2572	2024-04-16_a0e20035b9d89faac54ca18ac7d8a5c6_magniber.exe	35
PID 2224 wrote to memory of 1260	2224	Logo1_.exe	21
PID 2224 wrote to memory of 1260	2224	Logo1_.exe	21
PID 1348 wrote to memory of 2688	1348	Au_.exe	36
PID 1348 wrote to memory of 2688	1348	Au_.exe	36
PID 1348 wrote to memory of 2688	1348	Au_.exe	36
PID 1348 wrote to memory of 2688	1348	Au_.exe	36
PID 1348 wrote to memory of 2688	1348	Au_.exe	36
PID 1348 wrote to memory of 2688	1348	Au_.exe	36
PID 1348 wrote to memory of 2688	1348	Au_.exe	36

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1260
- C:\Users\Admin\AppData\Local\Temp\2024-04-16_a0e20035b9d89faac54ca18ac7d8a5c6_magniber.exe
  "C:\Users\Admin\AppData\Local\Temp\2024-04-16_a0e20035b9d89faac54ca18ac7d8a5c6_magniber.exe"
  2⤵
  - Drops file in Windows directory
  - Suspicious use of WriteProcessMemory
  PID:2204
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c C:\Users\Admin\AppData\Local\Temp\$$a495F.bat
    3⤵
    - Deletes itself
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:2700
  - - C:\Users\Admin\AppData\Local\Temp\2024-04-16_a0e20035b9d89faac54ca18ac7d8a5c6_magniber.exe
      "C:\Users\Admin\AppData\Local\Temp\2024-04-16_a0e20035b9d89faac54ca18ac7d8a5c6_magniber.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of WriteProcessMemory
      PID:2572
    - - C:\Users\Admin\AppData\Local\Temp\wps\~f764d46\Au_.exe
        
        "C:\Users\Admin\AppData\Local\Temp\wps\~f764d46\Au_.exe" /from="cmd.exe"
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious behavior: GetForegroundWindowSpam
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:1348
      - C:\Users\Admin\AppData\Local\Temp\wps\~f764d46\Au_.exe
        
        "C:\Users\Admin\AppData\Local\Temp\wps\~f764d46\Au_.exe" -downpower /from=cmd.exe -msgwndname=uninstallsend_message_F765206
        6⤵
        Executes dropped EXE
        
        PID:2688
- - C:\Windows\Logo1_.exe
    C:\Windows\Logo1_.exe
    3⤵
    - Executes dropped EXE
    - Enumerates connected drives
    - Drops file in Program Files directory
    - Drops file in Windows directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:2224
  - - C:\Windows\SysWOW64\net.exe
      net stop "Kingsoft AntiVirus Service"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:2604
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
        5⤵
        
        PID:2528

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe

Filesize
251KB

MD5
36041519366ab508f645352d7c4095ad

SHA1
a33cbfd3a554a2b216a820e55cad52177c6bbd34

SHA256
242f6ebe3bbac27367298cd98621bfc326be49b68fee9ae21cd339689b7368ce

SHA512
054d1c1835ab5f54ce1054cdd98d37aecf215e0f3086b3912a988c399b0c874b316f768cc90c6cd95799b9566f657bdce292c90633dc849598a18230411db0fb

Download Submit
C:\ProgramData\Package Cache\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}\vcredist_x64.exe

Filesize
471KB

MD5
4cfdb20b04aa239d6f9e83084d5d0a77

SHA1
f22863e04cc1fd4435f785993ede165bd8245ac6

SHA256
30ed17ca6ae530e8bf002bcef6048f94dba4b3b10252308147031f5c86ace1b9

SHA512
35b4c2f68a7caa45f2bb14b168947e06831f358e191478a6659b49f30ca6f538dc910fe6067448d5d8af4cb8558825d70f94d4bd67709aee414b2be37d49be86

Download Submit
C:\Users\Admin\AppData\Local\Temp\$$a495F.bat

Filesize
650B

MD5
d6de2ce28f28611d95448e0ec2fb61dd

SHA1
416b557d11c2066c9b11b2012a2b88a499386053

SHA256
2919077dfbdd8041f79f515a415be7a6eaa6dea0c304d11aafc1babab4cf89b7

SHA512
0e8740f1a63af3e50bb7d20533ac830bccb33fbee69c0e0bdbfd7c51b13b05933b325ed9f3c4e9bc17c7205467940912f1a1066b5457f6d941d9f93045d0bcde

Download Submit
C:\Users\Admin\AppData\Local\Temp\2024-04-16_a0e20035b9d89faac54ca18ac7d8a5c6_magniber.exe.exe

Filesize
2.7MB

MD5
d4788bc0a52c196bb92b4484e89c4e43

SHA1
ce3e194acc80f9c83e8fff5433b677f4697baada

SHA256
dc772fb07223b79c3a63e3358b5a467523f895ba18c0a51b4bcb1dac92ac5f33

SHA512
cfa71d44c9f8de3ab6014901e44853659224e51e35d9f2dce5121ea8c29f9651c8d8b43791b29339461607ab69ba9e6febcfedcb0cbdc6f38477cc9e50fc3c34

Download Submit
C:\Users\Admin\AppData\Local\Temp\wps\~f765419\uninstall_res\cgpb_bg.png

Filesize
1016B

MD5
315125d6cb7705306ace3dd71ce50e8e

SHA1
67f4e13ee507ccfa2df855bcf5ebbcdb0aff5d7f

SHA256
f76ec3175357ab52752a09a344278f167ac672da8aa0dad179ef4a8ee9038db9

SHA512
b37eb1d4274eddd8a11854f5cf02f72dad45fa71bc7ca8091ed4f44e423bbb2d023e2f68cc0d6cba1dcacc4e9e34fb280b0147218ec019fff31ebf447e91a259

Download Submit
C:\Users\Admin\AppData\Local\Temp\wps\~f765419\uninstall_res\cgpb_fg.png

Filesize
984B

MD5
364888aa1329fb55f8377c34bc5b29d3

SHA1
6550c415a349c4df242aa219045cc184ba8d65ab

SHA256
28e85a601be919c96086c0ca2e056acd8184ec6f3cb1e35b2b15179b20e9d501

SHA512
8375b365f4e84c6b765213611dcc18eaca2f2a9e75a7d4e187fae3d0d2152d0323bf2922fb9a1ad4f8fcaad2a6d57e8345ce0828762b553fb6473468d08bb445

Download Submit
C:\Users\Admin\AppData\Local\tempuninstall.ini

Filesize
317B

MD5
db40ec764b2e435da14c92b72308ed6e

SHA1
7e95a22b15d20f736d7298bf545e0a73b08e6633

SHA256
859f1c7a7143c049084f7033a6da8bc94d519ec439d668520654f0a4073ed910

SHA512
4ec66c8febce5574dadeaddadec76256a3dd26f9e9dfca40fb57f8fada1e53e05ad2aa8ed743ff6704a5ec2b5cc4238636ee8241f3e04cdbf99a092b09a0ef91

Download Submit
C:\Users\Admin\AppData\Roaming\kingsoft\office6\log\setup\wpsuninstall.log

Filesize
3KB

MD5
96dc6dd484cdbe694cb34a7d4942ff1f

SHA1
feea22f47ad3a52566bb3833cb735d7b5279d02d

SHA256
50fb41b21f9f0e8b7801546fd564db24abf2761282379e38dbe56277b5cc9347

SHA512
5ffd2a68ec0265dd9abd3aad7db773df3f4d1f4f95bb45d8a58576c08a94750c429fadb33b291a2a8d040cbab6506a2d4d3ec61e27331ce79c4cc4a0da9c7172

Download Submit
C:\Users\Admin\AppData\Roaming\kingsoft\office6\log\setup\wpsuninstall.log

Filesize
16KB

MD5
bdcb4c271c969d5eb2b36a00b67cd737

SHA1
01c46160216212f9b636f7464599dfd6a28c79c4

SHA256
e5801aec603034852919a3eb81d7ef175309f2ee674d74285e42d351afeb0a64

SHA512
6871b41d1bab2ddda494866d6471bc247c7da2ee8f9eee708dbf2cd3e65bf6eb211939272cc582ea35c57ac21d250b4b7ad2a756fef1808294353c03be0ea412

Download Submit
C:\Users\Admin\AppData\Roaming\kingsoft\office6\log\setup\wpsuninstall.log

Filesize
1KB

MD5
33a8e83da3f0ec291e748c4e44cdb171

SHA1
2a614d0f7b4838c8ae6638a12332a52a9288b5d0

SHA256
5e1221359c19b434d803ffb118c54bc9ce032c6734a8146c5a8255cb07fe3d10

SHA512
4c37f09c164a8ae7d517351d9e024337cc035ffc496141e0c9af26f4c130bcfea0bb75e848c297e1577208c8dbe0b7d74d41da2c23ed7a309e88256676fa8683

Download Submit
C:\Users\Admin\AppData\Roaming\kingsoft\office6\log\setup\wpsuninstall.log

Filesize
1KB

MD5
fab362710ce89aa6ce10d063ffda8e0d

SHA1
8a94787293d290f0636483b0e55cc356d2344152

SHA256
26c76166dd03cc51202665d0a93bb73cb1ce01d3d20da6e2cea763b568b0c734

SHA512
206ff4e29c413c52e58e2adae817960fffe6f0ce02ce6d322b5372484f2e44216a709d5f07fc031207cb163d255768726a290f77a9f75a86b0114e431e9fd896

Download Submit
C:\Users\Admin\AppData\Roaming\kingsoft\office6\log\setup\wpsuninstall.log

Filesize
2KB

MD5
365266df56de93b06dd5e46214197ac6

SHA1
7836209542643d3ce32c216a30a4793b94589e3f

SHA256
acaf3f1265125b4db9de94b958ad1dacc388ca5b0897d88fe79318cc718204b0

SHA512
d68512c15adfca2284fe594d6dcff4f8f48c49675fc85e3a0280d94ec40127491e862820923d8a5fc04fb0ac1fccd1e40bbf2367b52a3f13043fdd18921c82e8

Download Submit
C:\Windows\Logo1_.exe

Filesize
26KB

MD5
111cf05043f7e2167709e32cf4cbb9f6

SHA1
08e30a56078bb7f9b09709212848397e325458a4

SHA256
8aadbbf032420ba38402e5c280b0b2aaeadd1a38d6d4539c9ac6222de98a6553

SHA512
7fca5fefb9a074177057dd4704fa28057ccc68e517795e2acc099cb7ea7cf96c4ae89cc306cae3ea0cc00bd0258c1e0952e550468a608014b225576c038a9c84

Download Submit
F:\$RECYCLE.BIN\S-1-5-21-2610426812-2871295383-373749122-1000\_desktop.ini

Filesize
9B

MD5
02ced53ce3f5b175c3bbec378047e7a7

SHA1
dafdf07efa697ec99b3d7b9f7512439a52ea618d

SHA256
485bb2341321a2837fd015a36963ea549c7c6f40985e165fd56c8a1e89b3f331

SHA512
669dde3ea8628704d40681a7f8974cf52985385c92a61a540c97c18c13eb4d451207ae171b2a56cd061cadbc90e672a84eb55111b1f5016846918d73fb075c99

Download Submit
memory/1260-47-0x00000000021E0000-0x00000000021E1000-memory.dmp

Filesize
4KB

Download
memory/1348-196-0x0000000000520000-0x0000000000521000-memory.dmp

Filesize
4KB

Download
memory/1348-215-0x0000000000520000-0x0000000000521000-memory.dmp

Filesize
4KB

Download
memory/2204-0-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2204-16-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2204-12-0x00000000003C0000-0x00000000003F4000-memory.dmp

Filesize
208KB

Download
memory/2224-214-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2224-207-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2224-221-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2224-267-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2224-273-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2224-713-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2224-2043-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2224-21-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2224-3503-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2688-66-0x00000000000E0000-0x00000000000E1000-memory.dmp

Filesize
4KB

Download