8441698a613ccd49f87eb7a36bb299a15b31eedb693e7217ac5010d0e480ca5d

Analysis

max time kernel
150s
platform
windows10-2004_x64
resource
win10v2004-20240412-en
resource tags

arch:x64arch:x86image:win10v2004-20240412-enlocale:en-usos:windows10-2004-x64system
submitted
16-04-2024 17:50

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-04-16_a0e20035b9d89faac54ca18ac7d8a5c6_magniber.exe
Size

2.7MB
MD5

a0e20035b9d89faac54ca18ac7d8a5c6
SHA1

b16a3a3eedf15c35c8432b5507e89baa99b820f0
SHA256

8441698a613ccd49f87eb7a36bb299a15b31eedb693e7217ac5010d0e480ca5d
SHA512

bd63ab50fca6ffa227b73be34c7f6d47b797d13d44b6479558961452af958a52bff796cdb4aea66ae1202b7976c7318d13979e9d43d1814338ff71b2c23adf13
SSDEEP

49152:k7CwwwwseiiO9CqrNVhE94ioMv4EZWs3mf0czLWus1m7l3YI6ZeiHD6DWsLV6H:NihrNzEWiVv9mf0cfPs1mB356ZeiHDak

Score

7^/10

evasion trojan

Malware Config

Signatures

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-355664440-2199602304-1223909400-1000\Control Panel\International\Geo\Nation	2024-04-16_a0e20035b9d89faac54ca18ac7d8a5c6_magniber.exe
Key value queried	\REGISTRY\USER\S-1-5-21-355664440-2199602304-1223909400-1000\Control Panel\International\Geo\Nation	Au_.exe

Executes dropped EXE 4 IoCs

pid	Process
2164	Logo1_.exe
3384	2024-04-16_a0e20035b9d89faac54ca18ac7d8a5c6_magniber.exe
1784	Au_.exe
700	Au_.exe

Checks whether UAC is enabled 1 TTPs 1 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	Au_.exe

Enumerates connected drives 3 TTPs 21 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\K:	Logo1_.exe
File opened (read-only)	\??\E:	Logo1_.exe
File opened (read-only)	\??\Y:	Logo1_.exe
File opened (read-only)	\??\T:	Logo1_.exe
File opened (read-only)	\??\R:	Logo1_.exe
File opened (read-only)	\??\Q:	Logo1_.exe
File opened (read-only)	\??\N:	Logo1_.exe
File opened (read-only)	\??\M:	Logo1_.exe
File opened (read-only)	\??\W:	Logo1_.exe
File opened (read-only)	\??\J:	Logo1_.exe
File opened (read-only)	\??\I:	Logo1_.exe
File opened (read-only)	\??\H:	Logo1_.exe
File opened (read-only)	\??\G:	Logo1_.exe
File opened (read-only)	\??\Z:	Logo1_.exe
File opened (read-only)	\??\V:	Logo1_.exe
File opened (read-only)	\??\O:	Logo1_.exe
File opened (read-only)	\??\L:	Logo1_.exe
File opened (read-only)	\??\X:	Logo1_.exe
File opened (read-only)	\??\U:	Logo1_.exe
File opened (read-only)	\??\S:	Logo1_.exe
File opened (read-only)	\??\P:	Logo1_.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.ZuneVideo_10.19071.19011.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\_desktop.ini	Logo1_.exe
File created	C:\Program Files\WindowsApps\Microsoft.SkypeApp_14.53.77.0_neutral_~_kzf8qxf38zg5c\microsoft.system.package.metadata\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\WindowsPowerShell\Modules\PackageManagement\1.0.0.1\DSCResources\MSFT_PackageManagement\ja-JP\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\ar-ae\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-files\js\nls\sl-si\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\home\js\nls\root\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\scan-files\js\nls\pl-pl\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\scan-files\js\nls\root\_desktop.ini	Logo1_.exe
File created	C:\Program Files\VideoLAN\VLC\locale\kk\LC_MESSAGES\_desktop.ini	Logo1_.exe
File created	C:\Program Files\WindowsPowerShell\_desktop.ini	Logo1_.exe
File created	C:\Program Files\WindowsPowerShell\Modules\PackageManagement\1.0.0.1\DSCResources\en-US\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\pt-br\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\desktop-connector-files\js\nls\sv-se\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\send-for-sign\js\nls\it-it\_desktop.ini	Logo1_.exe
File created	C:\Program Files\WindowsApps\Microsoft.549981C3F5F10_1.1911.21713.0_x64__8wekyb3d8bbwe\Assets\Fonts\_desktop.ini	Logo1_.exe
File created	C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_6.1908.2042.0_x64__8wekyb3d8bbwe\Common.View.UWP\Strings\id-ID\View3d\_desktop.ini	Logo1_.exe
File created	C:\Program Files\WindowsApps\MovedPackages\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sample-files\js\nls\fr-ma\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Windows Media Player\setup_wm.exe	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\activity-badge\js\nls\es-es\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\rmid.exe	Logo1_.exe
File created	C:\Program Files\WindowsApps\Microsoft.XboxApp_48.49.31001.0_x64__8wekyb3d8bbwe\_Resources\_desktop.ini	Logo1_.exe
File created	C:\Program Files\WindowsApps\Microsoft.XboxGameOverlay_1.46.11001.0_x64__8wekyb3d8bbwe\microsoft.system.package.metadata\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\hi_contrast\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\_desktop.ini	Logo1_.exe
File created	C:\Program Files\VideoLAN\VLC\locale\zu\LC_MESSAGES\_desktop.ini	Logo1_.exe
File created	C:\Program Files\WindowsApps\Microsoft.StorePurchaseApp_11811.1001.18.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer-select\js\nls\de-de\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\WindowsPowerShell\Modules\Microsoft.PowerShell.Operation.Validation\1.0.1\Diagnostics\_desktop.ini	Logo1_.exe
File created	C:\Program Files\WindowsApps\Microsoft.Advertising.Xaml_10.1808.3.0_x64__8wekyb3d8bbwe\microsoft.system.package.metadata\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\task-handler\js\nls\de-de\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\SupplementalDictionaries\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\ssvagent.exe	Logo1_.exe
File created	C:\Program Files\WindowsPowerShell\Modules\Pester\3.4.0\bin\_desktop.ini	Logo1_.exe
File created	C:\Program Files\WindowsPowerShell\Modules\Pester\3.4.0\Snippets\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins3d\_desktop.ini	Logo1_.exe
File created	C:\Program Files\WindowsApps\Microsoft.UI.Xaml.2.0_2.1810.18004.0_x64__8wekyb3d8bbwe\microsoft.system.package.metadata\Autogen\_desktop.ini	Logo1_.exe
File created	C:\Program Files\WindowsApps\Microsoft.WindowsStore_11910.1002.5.0_x64__8wekyb3d8bbwe\AppxMetadata\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\send-for-sign\js\nls\es-es\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\ru\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\js\nls\de-de\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-files\js\nls\nb-no\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\plugins\tracked-send\js\nls\he-il\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\js\nls\sk-sk\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\pages-app\js\nls\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\unified-share\js\nls\root\_desktop.ini	Logo1_.exe
File created	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsMaps_5.1906.1972.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\SecondaryTiles\Directions\Work\LTR\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\js\nls\nl-nl\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\unified-share\js\nls\tr-tr\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\es\_desktop.ini	Logo1_.exe
File created	C:\Program Files\VideoLAN\VLC\hrtfs\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\nl\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\sl\LC_MESSAGES\_desktop.ini	Logo1_.exe
File created	C:\Program Files\VideoLAN\VLC\lua\meta\reader\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Common Files\Microsoft Shared\ink\fr-FR\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\unified-share\js\nls\it-it\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\uss-search\js\nls\fi-fi\_desktop.ini	Logo1_.exe
File created	C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_6.1908.2042.0_x64__8wekyb3d8bbwe\Common.View.UWP\Strings\hi-IN\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\WindowsPowerShell\Modules\Microsoft.PowerShell.Operation.Validation\1.0.1\Test\Modules\Example3.Diagnostics\1.1.1\Diagnostics\Simple\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\img\themes\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer\css\_desktop.ini	Logo1_.exe
File created	C:\Program Files\WindowsApps\Microsoft.WindowsStore_11910.1002.5.0_x64__8wekyb3d8bbwe\Microsoft.Membership.MeControl\Assets\OfflinePages\Scripts\Me\MeControl\offline\en-US\_desktop.ini	Logo1_.exe

Drops file in Windows directory 4 IoCs

description	ioc	Process
File created	C:\Windows\rundl132.exe	2024-04-16_a0e20035b9d89faac54ca18ac7d8a5c6_magniber.exe
File created	C:\Windows\Logo1_.exe	2024-04-16_a0e20035b9d89faac54ca18ac7d8a5c6_magniber.exe
File opened for modification	C:\Windows\rundl132.exe	Logo1_.exe
File created	C:\Windows\vDll.dll	Logo1_.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Runs net.exe

Suspicious behavior: EnumeratesProcesses 32 IoCs

pid	Process
2164	Logo1_.exe
2164	Logo1_.exe
2164	Logo1_.exe
2164	Logo1_.exe
2164	Logo1_.exe
2164	Logo1_.exe
2164	Logo1_.exe
2164	Logo1_.exe
2164	Logo1_.exe
2164	Logo1_.exe
2164	Logo1_.exe
2164	Logo1_.exe
3384	2024-04-16_a0e20035b9d89faac54ca18ac7d8a5c6_magniber.exe
3384	2024-04-16_a0e20035b9d89faac54ca18ac7d8a5c6_magniber.exe
3384	2024-04-16_a0e20035b9d89faac54ca18ac7d8a5c6_magniber.exe
3384	2024-04-16_a0e20035b9d89faac54ca18ac7d8a5c6_magniber.exe
1784	Au_.exe
1784	Au_.exe
1784	Au_.exe
1784	Au_.exe
1784	Au_.exe
1784	Au_.exe
1784	Au_.exe
1784	Au_.exe
2164	Logo1_.exe
2164	Logo1_.exe
2164	Logo1_.exe
2164	Logo1_.exe
2164	Logo1_.exe
2164	Logo1_.exe
2164	Logo1_.exe
2164	Logo1_.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
1784	Au_.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	1784	Au_.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
1784	Au_.exe

Suspicious use of WriteProcessMemory 23 IoCs

description	pid	Process	procid_target
PID 2140 wrote to memory of 4532	2140	2024-04-16_a0e20035b9d89faac54ca18ac7d8a5c6_magniber.exe	81
PID 2140 wrote to memory of 4532	2140	2024-04-16_a0e20035b9d89faac54ca18ac7d8a5c6_magniber.exe	81
PID 2140 wrote to memory of 4532	2140	2024-04-16_a0e20035b9d89faac54ca18ac7d8a5c6_magniber.exe	81
PID 2140 wrote to memory of 2164	2140	2024-04-16_a0e20035b9d89faac54ca18ac7d8a5c6_magniber.exe	82
PID 2140 wrote to memory of 2164	2140	2024-04-16_a0e20035b9d89faac54ca18ac7d8a5c6_magniber.exe	82
PID 2140 wrote to memory of 2164	2140	2024-04-16_a0e20035b9d89faac54ca18ac7d8a5c6_magniber.exe	82
PID 2164 wrote to memory of 452	2164	Logo1_.exe	84
PID 2164 wrote to memory of 452	2164	Logo1_.exe	84
PID 2164 wrote to memory of 452	2164	Logo1_.exe	84
PID 452 wrote to memory of 4248	452	net.exe	86
PID 452 wrote to memory of 4248	452	net.exe	86
PID 452 wrote to memory of 4248	452	net.exe	86
PID 4532 wrote to memory of 3384	4532	cmd.exe	87
PID 4532 wrote to memory of 3384	4532	cmd.exe	87
PID 4532 wrote to memory of 3384	4532	cmd.exe	87
PID 3384 wrote to memory of 1784	3384	2024-04-16_a0e20035b9d89faac54ca18ac7d8a5c6_magniber.exe	88
PID 3384 wrote to memory of 1784	3384	2024-04-16_a0e20035b9d89faac54ca18ac7d8a5c6_magniber.exe	88
PID 3384 wrote to memory of 1784	3384	2024-04-16_a0e20035b9d89faac54ca18ac7d8a5c6_magniber.exe	88
PID 1784 wrote to memory of 700	1784	Au_.exe	90
PID 1784 wrote to memory of 700	1784	Au_.exe	90
PID 1784 wrote to memory of 700	1784	Au_.exe	90
PID 2164 wrote to memory of 3436	2164	Logo1_.exe	56
PID 2164 wrote to memory of 3436	2164	Logo1_.exe	56

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:3436
- C:\Users\Admin\AppData\Local\Temp\2024-04-16_a0e20035b9d89faac54ca18ac7d8a5c6_magniber.exe
  "C:\Users\Admin\AppData\Local\Temp\2024-04-16_a0e20035b9d89faac54ca18ac7d8a5c6_magniber.exe"
  2⤵
  - Drops file in Windows directory
  - Suspicious use of WriteProcessMemory
  PID:2140
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a2606.bat
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4532
  - - C:\Users\Admin\AppData\Local\Temp\2024-04-16_a0e20035b9d89faac54ca18ac7d8a5c6_magniber.exe
      "C:\Users\Admin\AppData\Local\Temp\2024-04-16_a0e20035b9d89faac54ca18ac7d8a5c6_magniber.exe"
      4⤵
      Checks computer location settings
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of WriteProcessMemory
      PID:3384
    - - C:\Users\Admin\AppData\Local\Temp\wps\~e57275e\Au_.exe
        
        "C:\Users\Admin\AppData\Local\Temp\wps\~e57275e\Au_.exe" /from="cmd.exe"
        5⤵
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious behavior: GetForegroundWindowSpam
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:1784
      - C:\Users\Admin\AppData\Local\Temp\wps\~e57275e\Au_.exe
        
        "C:\Users\Admin\AppData\Local\Temp\wps\~e57275e\Au_.exe" -downpower /from=cmd.exe -msgwndname=uninstallsend_message_E5728B6
        6⤵
        Executes dropped EXE
        
        PID:700
- - C:\Windows\Logo1_.exe
    C:\Windows\Logo1_.exe
    3⤵
    - Executes dropped EXE
    - Enumerates connected drives
    - Drops file in Program Files directory
    - Drops file in Windows directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:2164
  - - C:\Windows\SysWOW64\net.exe
      net stop "Kingsoft AntiVirus Service"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:452
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
        5⤵
        
        PID:4248

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe

Filesize
251KB

MD5
36041519366ab508f645352d7c4095ad

SHA1
a33cbfd3a554a2b216a820e55cad52177c6bbd34

SHA256
242f6ebe3bbac27367298cd98621bfc326be49b68fee9ae21cd339689b7368ce

SHA512
054d1c1835ab5f54ce1054cdd98d37aecf215e0f3086b3912a988c399b0c874b316f768cc90c6cd95799b9566f657bdce292c90633dc849598a18230411db0fb

Download Submit
C:\Program Files\7-Zip\7z.exe

Filesize
570KB

MD5
1549a4bdc2c50ebbbb0eedaa6327ea86

SHA1
6c8292ad1c29485e176caa26612cadb01b818412

SHA256
b734e9f81415f84813857b8762c2bbfda2b3b6302dabfa88ba4ddb15170ba56f

SHA512
18dd4178e70380192a07caf3579814b11f7e57d886186c6f4813bb98f90076ac3b17a766975a62aa3ece78966d38c9f66eb2e8c7c97a3ee67a9bfb4515d6ff6d

Download Submit
C:\ProgramData\Package Cache\{63880b41-04fc-4f9b-92c4-4455c255eb8c}\windowsdesktop-runtime-8.0.2-win-x64.exe

Filesize
636KB

MD5
2500f702e2b9632127c14e4eaae5d424

SHA1
8726fef12958265214eeb58001c995629834b13a

SHA256
82e5b0001f025ca3b8409c98e4fb06c119c68de1e4ef60a156360cb4ef61d19c

SHA512
f420c62fa1f6897f51dd7a0f0e910fb54ad14d51973a2d4840eeea0448c860bf83493fb1c07be65f731efc39e19f8a99886c8cfd058cee482fe52d255a33a55c

Download Submit
C:\Users\Admin\AppData\Local\Temp\$$a2606.bat

Filesize
650B

MD5
ad9bad8f5a39ccb8d9e9cdf7fd018e9c

SHA1
063ea2882e3d7d3960ca0becba8021e99a7d23a9

SHA256
9c9ce4611b02771f96fdfdfdad7a4b0d08560d06f7b1085cb2b053bd43d9e096

SHA512
ddf7d7f3e84faaf7f1d9caffd5d2ffd845246721c2de9410662b1e0021c7bfb1ebead1e96af000521ad21a44522e5da83a2acbb630252e84b52898b7b4c99368

Download Submit
C:\Users\Admin\AppData\Local\Temp\2024-04-16_a0e20035b9d89faac54ca18ac7d8a5c6_magniber.exe.exe

Filesize
2.7MB

MD5
d4788bc0a52c196bb92b4484e89c4e43

SHA1
ce3e194acc80f9c83e8fff5433b677f4697baada

SHA256
dc772fb07223b79c3a63e3358b5a467523f895ba18c0a51b4bcb1dac92ac5f33

SHA512
cfa71d44c9f8de3ab6014901e44853659224e51e35d9f2dce5121ea8c29f9651c8d8b43791b29339461607ab69ba9e6febcfedcb0cbdc6f38477cc9e50fc3c34

Download Submit
C:\Users\Admin\AppData\Local\Temp\wps\~e5729fe\uninstall_res\cgpb_bg.png

Filesize
1016B

MD5
315125d6cb7705306ace3dd71ce50e8e

SHA1
67f4e13ee507ccfa2df855bcf5ebbcdb0aff5d7f

SHA256
f76ec3175357ab52752a09a344278f167ac672da8aa0dad179ef4a8ee9038db9

SHA512
b37eb1d4274eddd8a11854f5cf02f72dad45fa71bc7ca8091ed4f44e423bbb2d023e2f68cc0d6cba1dcacc4e9e34fb280b0147218ec019fff31ebf447e91a259

Download Submit
C:\Users\Admin\AppData\Local\Temp\wps\~e5729fe\uninstall_res\cgpb_fg.png

Filesize
984B

MD5
364888aa1329fb55f8377c34bc5b29d3

SHA1
6550c415a349c4df242aa219045cc184ba8d65ab

SHA256
28e85a601be919c96086c0ca2e056acd8184ec6f3cb1e35b2b15179b20e9d501

SHA512
8375b365f4e84c6b765213611dcc18eaca2f2a9e75a7d4e187fae3d0d2152d0323bf2922fb9a1ad4f8fcaad2a6d57e8345ce0828762b553fb6473468d08bb445

Download Submit
C:\Users\Admin\AppData\Local\tempuninstall.ini

Filesize
317B

MD5
db40ec764b2e435da14c92b72308ed6e

SHA1
7e95a22b15d20f736d7298bf545e0a73b08e6633

SHA256
859f1c7a7143c049084f7033a6da8bc94d519ec439d668520654f0a4073ed910

SHA512
4ec66c8febce5574dadeaddadec76256a3dd26f9e9dfca40fb57f8fada1e53e05ad2aa8ed743ff6704a5ec2b5cc4238636ee8241f3e04cdbf99a092b09a0ef91

Download Submit
C:\Users\Admin\AppData\Roaming\kingsoft\office6\log\setup\wpsuninstall.log

Filesize
17KB

MD5
5231872b0a45d433bebfbc49339ed511

SHA1
861b74047d75dd528ea60d7a6a43750d0920f40c

SHA256
83ca89475391462e8a6a549d6b2d8ffb146fdf47603857316cfddf290c2586ba

SHA512
5c95aa487d1ff745b2ccc71e51bb5bb362518235d173c92da39638942d9f03ef9039dcb919b2131d5299fcf05edb25cb00ae099fe0be5e5a70d53ce692c6c6db

Download Submit
C:\Users\Admin\AppData\Roaming\kingsoft\office6\log\setup\wpsuninstall.log

Filesize
1KB

MD5
d2c063aa733dc7f33ca8132fb00fd8e4

SHA1
dab65249a3422b75033d2288c0e65a90a1ff0a40

SHA256
19deb27dfb4d5b53726859d3b09c815a379b3f13b567a09e777119dae2eb19af

SHA512
8faf588c200dcba88c6dbc6a9e046f74a3c328771f96cfc37b62a2892546edad8f448c369b97f9e15b8133899a62d50a8c1029e40cc636c72ef122d743ac7027

Download Submit
C:\Users\Admin\AppData\Roaming\kingsoft\office6\log\setup\wpsuninstall.log

Filesize
1KB

MD5
70c018837e89dc3776c4adcfa76d5842

SHA1
51dad4be7d1de2779fc89fd8f7dc7599f3758bdf

SHA256
8bc7049f82bc344cfeb8730c996a46703b88d2f8c44ed2c3988bfef75db1a8a4

SHA512
2fbb568217e7de6afb896b3b5def72bc2af9c20557d69480b9cbc0e877886f75eb602af6bdc11c3cfd7d42a8bc7d63438296da2078ff989ec74317c1f9a42e94

Download Submit
C:\Windows\Logo1_.exe

Filesize
26KB

MD5
111cf05043f7e2167709e32cf4cbb9f6

SHA1
08e30a56078bb7f9b09709212848397e325458a4

SHA256
8aadbbf032420ba38402e5c280b0b2aaeadd1a38d6d4539c9ac6222de98a6553

SHA512
7fca5fefb9a074177057dd4704fa28057ccc68e517795e2acc099cb7ea7cf96c4ae89cc306cae3ea0cc00bd0258c1e0952e550468a608014b225576c038a9c84

Download Submit
F:\$RECYCLE.BIN\S-1-5-21-355664440-2199602304-1223909400-1000\_desktop.ini

Filesize
9B

MD5
02ced53ce3f5b175c3bbec378047e7a7

SHA1
dafdf07efa697ec99b3d7b9f7512439a52ea618d

SHA256
485bb2341321a2837fd015a36963ea549c7c6f40985e165fd56c8a1e89b3f331

SHA512
669dde3ea8628704d40681a7f8974cf52985385c92a61a540c97c18c13eb4d451207ae171b2a56cd061cadbc90e672a84eb55111b1f5016846918d73fb075c99

Download Submit
memory/2140-8-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2140-0-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2164-190-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2164-196-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2164-200-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2164-10-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2164-1391-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2164-183-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2164-4956-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2164-5395-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download