Analysis Overview
SHA256
cc5d5bf03089c1ff3ae369c19e528f33406bfc5975c6e273c5b628f89422fbb4
Threat Level: Shows suspicious behavior
The file undertale-nmd-1.0.9b.exe was found to be: Shows suspicious behavior.
Malicious Activity Summary
Loads dropped DLL
Reads user/profile data of web browsers
System Location Discovery: System Language Discovery
Unsigned PE
Enumerates physical storage devices
Modifies registry class
Suspicious use of SetWindowsHookEx
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-11-13 13:42
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-11-13 13:42
Reported
2024-11-13 13:43
Platform
win7-20241010-en
Max time kernel
5s
Max time network
2s
Command Line
Signatures
Loads dropped DLL
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\undertale-nmd-1.0.9b.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000_CLASSES\discord-719474512550166539\URL Protocol | C:\Users\Admin\AppData\Local\Temp\undertale-nmd-1.0.9b.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000_CLASSES\discord-719474512550166539\DefaultIcon | C:\Users\Admin\AppData\Local\Temp\undertale-nmd-1.0.9b.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000_CLASSES\discord-719474512550166539\shell\open\command | C:\Users\Admin\AppData\Local\Temp\undertale-nmd-1.0.9b.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000_CLASSES\discord-719474512550166539\shell\open | C:\Users\Admin\AppData\Local\Temp\undertale-nmd-1.0.9b.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000_CLASSES\discord-719474512550166539 | C:\Users\Admin\AppData\Local\Temp\undertale-nmd-1.0.9b.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000_CLASSES\discord-719474512550166539\DefaultIcon\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\undertale-nmd-1.0.9b.exe" | C:\Users\Admin\AppData\Local\Temp\undertale-nmd-1.0.9b.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000_CLASSES\discord-719474512550166539\shell | C:\Users\Admin\AppData\Local\Temp\undertale-nmd-1.0.9b.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000_CLASSES\discord-719474512550166539\shell\open\command\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\undertale-nmd-1.0.9b.exe" | C:\Users\Admin\AppData\Local\Temp\undertale-nmd-1.0.9b.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000_CLASSES\discord-719474512550166539\ = "URL:Run game 719474512550166539 protocol" | C:\Users\Admin\AppData\Local\Temp\undertale-nmd-1.0.9b.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\undertale-nmd-1.0.9b.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\undertale-nmd-1.0.9b.exe
"C:\Users\Admin\AppData\Local\Temp\undertale-nmd-1.0.9b.exe"
Network
Files
Analysis: behavioral2
Detonation Overview
Submitted
2024-11-13 13:42
Reported
2024-11-13 14:00
Platform
win10v2004-20241007-en
Max time kernel
1042s
Max time network
444s
Command Line
Signatures
Loads dropped DLL
Reads user/profile data of web browsers
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\undertale-nmd-1.0.9b.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\discord-719474512550166539 | C:\Users\Admin\AppData\Local\Temp\undertale-nmd-1.0.9b.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\discord-719474512550166539\ = "URL:Run game 719474512550166539 protocol" | C:\Users\Admin\AppData\Local\Temp\undertale-nmd-1.0.9b.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\discord-719474512550166539\DefaultIcon | C:\Users\Admin\AppData\Local\Temp\undertale-nmd-1.0.9b.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\discord-719474512550166539\shell\open\command | C:\Users\Admin\AppData\Local\Temp\undertale-nmd-1.0.9b.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\discord-719474512550166539\shell\open | C:\Users\Admin\AppData\Local\Temp\undertale-nmd-1.0.9b.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\discord-719474512550166539\URL Protocol | C:\Users\Admin\AppData\Local\Temp\undertale-nmd-1.0.9b.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\discord-719474512550166539\DefaultIcon\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\undertale-nmd-1.0.9b.exe" | C:\Users\Admin\AppData\Local\Temp\undertale-nmd-1.0.9b.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\discord-719474512550166539\shell | C:\Users\Admin\AppData\Local\Temp\undertale-nmd-1.0.9b.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\discord-719474512550166539\shell\open\command\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\undertale-nmd-1.0.9b.exe" | C:\Users\Admin\AppData\Local\Temp\undertale-nmd-1.0.9b.exe | N/A |
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\undertale-nmd-1.0.9b.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: 33 | N/A | C:\Windows\system32\AUDIODG.EXE | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\system32\AUDIODG.EXE | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\undertale-nmd-1.0.9b.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\undertale-nmd-1.0.9b.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\undertale-nmd-1.0.9b.exe
"C:\Users\Admin\AppData\Local\Temp\undertale-nmd-1.0.9b.exe"
C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x500 0x50c
C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe"
Network
Files