Analysis Overview
SHA256
b12b245975fd23838a1b0dd9236038ab482d05b17817b37d64e079c16ac3ac64
Threat Level: Known bad
The file SecuriteInfo.com.NSIS.Runner.DMC.tr.1301.1660.exe was found to be: Known bad.
Malicious Activity Summary
Suspicious use of NtCreateUserProcessOtherParentProcess
Executes dropped EXE
Drops startup file
Checks computer location settings
Adds Run key to start application
Enumerates processes with tasklist
Drops file in Windows directory
Enumerates physical storage devices
System Location Discovery: System Language Discovery
Suspicious use of WriteProcessMemory
Suspicious use of SendNotifyMessage
Suspicious use of FindShellTrayWindow
Suspicious use of AdjustPrivilegeToken
Scheduled Task/Job: Scheduled Task
Suspicious behavior: EnumeratesProcesses
MITRE ATT&CK
Enterprise Matrix V16
Analysis: static1
Detonation Overview
Reported
2025-07-02 19:22
Signatures
Analysis: behavioral2
Detonation Overview
Submitted
2025-07-02 19:22
Reported
2025-07-02 19:24
Platform
win11-20250619-en
Max time kernel
141s
Max time network
145s
Command Line
Signatures
Suspicious use of NtCreateUserProcessOtherParentProcess
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| PID 1420 created 3280 | N/A | C:\Users\Admin\AppData\Local\Temp\262655\Anger.com | C:\Windows\Explorer.EXE |
Drops startup file
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\RegAsm.exe | C:\Users\Admin\AppData\Local\Temp\262655\RegAsm.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\RegAsm.exe | C:\Users\Admin\AppData\Local\Temp\262655\RegAsm.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\262655\Anger.com | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\262655\RegAsm.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\262655\RegAsm.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\RegAsm.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3625340254-1625357543-1797847221-1000\Software\Microsoft\Windows\CurrentVersion\Run\RegAsm = "C:\\Users\\Admin\\AppData\\Roaming\\RegAsm.exe" | C:\Users\Admin\AppData\Local\Temp\262655\RegAsm.exe | N/A |
Enumerates processes with tasklist
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\SysWOW64\tasklist.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\tasklist.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File opened for modification | C:\Windows\EbooksFish | C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.NSIS.Runner.DMC.tr.1301.1660.exe | N/A |
| File opened for modification | C:\Windows\ConferenceVictims | C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.NSIS.Runner.DMC.tr.1301.1660.exe | N/A |
| File opened for modification | C:\Windows\SettleInstead | C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.NSIS.Runner.DMC.tr.1301.1660.exe | N/A |
| File opened for modification | C:\Windows\MouthSavings | C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.NSIS.Runner.DMC.tr.1301.1660.exe | N/A |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\262655\RegAsm.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.NSIS.Runner.DMC.tr.1301.1660.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\schtasks.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\findstr.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\findstr.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\findstr.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\262655\Anger.com | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\schtasks.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\tasklist.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\tasklist.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\extrac32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\choice.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\RegAsm.exe | N/A |
Scheduled Task/Job: Scheduled Task
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\tasklist.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\tasklist.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\262655\RegAsm.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\262655\Anger.com | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\262655\Anger.com | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\262655\Anger.com | N/A |
Suspicious use of SendNotifyMessage
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\262655\Anger.com | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\262655\Anger.com | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\262655\Anger.com | N/A |
Suspicious use of WriteProcessMemory
Processes
| Process | Command line |
| --- | --- |
| C:\Windows\Explorer.EXE | C:\Windows\Explorer.EXE |
| C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.NSIS.Runner.DMC.tr.1301.1660.exe | "C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.NSIS.Runner.DMC.tr.1301.1660.exe" |
| C:\Windows\SysWOW64\cmd.exe | "C:\Windows\system32\cmd.exe" /c copy Ever.ini Ever.ini.bat & Ever.ini.bat |
| C:\Windows\SysWOW64\tasklist.exe | tasklist |
| C:\Windows\SysWOW64\findstr.exe | findstr /I "opssvc wrsa" |
| C:\Windows\SysWOW64\tasklist.exe | tasklist |
| C:\Windows\SysWOW64\findstr.exe | findstr "nsWscSvc ekrn bdservicehost SophosHealth AvastUI AVGUI & if not errorlevel 1 Set ARjIQgRPVeqRrrYSuFHsckSGrEhGpSuAPRhqD=AutoIt3.exe & Set TJwJPPKcdrzqTXNiUJH=.a3x & Set XjszRYHRnwwHfSsuZVMWSkSJojXtwPU=300 |
| C:\Windows\SysWOW64\extrac32.exe | extrac32 /Y Reporters.ini *.* |
| C:\Windows\SysWOW64\findstr.exe | findstr /V "Afghanistan" Powerful |
| C:\Users\Admin\AppData\Local\Temp\262655\Anger.com | Anger.com f |
| C:\Windows\SysWOW64\cmd.exe | cmd /c schtasks.exe /create /tn "Prefer" /tr "wscript //B 'C:\Users\Admin\AppData\Local\PixelGuard Tech\Pixelize.js'" /sc daily /mo 1 /ri 3 /du 23:57 /F /RL HIGHEST |
| C:\Windows\SysWOW64\schtasks.exe | schtasks.exe /create /tn "Pixelize" /tr "wscript //B 'C:\Users\Admin\AppData\Local\PixelGuard Tech\Pixelize.js'" /sc onlogon /F /RL HIGHEST |
| C:\Windows\SysWOW64\choice.exe | choice /d n /t 15 |
| C:\Windows\SysWOW64\schtasks.exe | schtasks.exe /create /tn "Prefer" /tr "wscript //B 'C:\Users\Admin\AppData\Local\PixelGuard Tech\Pixelize.js'" /sc daily /mo 1 /ri 3 /du 23:57 /F /RL HIGHEST |
| C:\Users\Admin\AppData\Local\Temp\262655\RegAsm.exe | C:\Users\Admin\AppData\Local\Temp\262655\RegAsm.exe |
| C:\Users\Admin\AppData\Local\Temp\262655\RegAsm.exe | C:\Users\Admin\AppData\Local\Temp\262655\RegAsm.exe |
| C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\RegAsm.exe |
| C:\Users\Admin\AppData\Roaming\RegAsm.exe | C:\Users\Admin\AppData\Roaming\RegAsm.exe |
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 8.8.8.8:53 | meGcKdibMncYyitBlVFb.meGcKdibMncYyitBlVFb | udp |
| SE | 185.100.157.161:7000 | | tcp |
Files
C:\Users\Admin\AppData\Local\Temp\Ever.ini
C:\Users\Admin\AppData\Local\Temp\Reporters.ini
C:\Users\Admin\AppData\Local\Temp\Powerful
C:\Users\Admin\AppData\Local\Temp\Sudden
C:\Users\Admin\AppData\Local\Temp\Content
C:\Users\Admin\AppData\Local\Temp\Navigate
C:\Users\Admin\AppData\Local\Temp\Checks
C:\Users\Admin\AppData\Local\Temp\Green
C:\Users\Admin\AppData\Local\Temp\Ringtones
C:\Users\Admin\AppData\Local\Temp\Enclosed
C:\Users\Admin\AppData\Local\Temp\Blogging
C:\Users\Admin\AppData\Local\Temp\Crime
C:\Users\Admin\AppData\Local\Temp\Decision.ini
C:\Users\Admin\AppData\Local\Temp\Beaver.ini
C:\Users\Admin\AppData\Local\Temp\Followed.ini
C:\Users\Admin\AppData\Local\Temp\Remedies.ini
C:\Users\Admin\AppData\Local\Temp\That.ini
C:\Users\Admin\AppData\Local\Temp\Symbol.ini
C:\Users\Admin\AppData\Local\Temp\Plumbing.ini
C:\Users\Admin\AppData\Local\Temp\Attending.ini
C:\Users\Admin\AppData\Local\Temp\Fusion.ini
C:\Users\Admin\AppData\Local\Temp\Counted.ini
C:\Users\Admin\AppData\Local\Temp\Navigation.ini
C:\Users\Admin\AppData\Local\Temp\Distribute.ini
C:\Users\Admin\AppData\Local\Temp\Diesel.ini
C:\Users\Admin\AppData\Local\Temp\Refrigerator.ini
C:\Users\Admin\AppData\Local\Temp\Festival.ini
C:\Users\Admin\AppData\Local\Temp\Matters.ini
C:\Users\Admin\AppData\Local\Temp\262655\Anger.com
C:\Users\Admin\AppData\Local\Temp\262655\f
C:\Users\Admin\AppData\Local\Temp\262655\RegAsm.exe
Analysis: behavioral1
Detonation Overview
Submitted
2025-07-02 19:22
Reported
2025-07-02 19:24
Platform
win10v2004-20250619-en
Max time kernel
105s
Max time network
144s
Command Line
Signatures
Suspicious use of NtCreateUserProcessOtherParentProcess
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| PID 2056 created 3520 | N/A | C:\Users\Admin\AppData\Local\Temp\262655\Anger.com | C:\Windows\Explorer.EXE |
Checks computer location settings
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key value queried | \REGISTRY\USER\S-1-5-21-4144907350-1836498122-2806216936-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.NSIS.Runner.DMC.tr.1301.1660.exe | N/A |
Drops startup file
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\RegAsm.exe | C:\Users\Admin\AppData\Local\Temp\262655\RegAsm.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\RegAsm.exe | C:\Users\Admin\AppData\Local\Temp\262655\RegAsm.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\262655\Anger.com | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\262655\RegAsm.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\RegAsm.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4144907350-1836498122-2806216936-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\RegAsm = "C:\\Users\\Admin\\AppData\\Roaming\\RegAsm.exe" | C:\Users\Admin\AppData\Local\Temp\262655\RegAsm.exe | N/A |
Enumerates processes with tasklist
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\SysWOW64\tasklist.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\tasklist.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File opened for modification | C:\Windows\EbooksFish | C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.NSIS.Runner.DMC.tr.1301.1660.exe | N/A |
| File opened for modification | C:\Windows\ConferenceVictims | C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.NSIS.Runner.DMC.tr.1301.1660.exe | N/A |
| File opened for modification | C:\Windows\SettleInstead | C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.NSIS.Runner.DMC.tr.1301.1660.exe | N/A |
| File opened for modification | C:\Windows\MouthSavings | C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.NSIS.Runner.DMC.tr.1301.1660.exe | N/A |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\findstr.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\262655\Anger.com | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\schtasks.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.NSIS.Runner.DMC.tr.1301.1660.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\findstr.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\extrac32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\tasklist.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\tasklist.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\choice.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\schtasks.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\262655\RegAsm.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\RegAsm.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\findstr.exe | N/A |
Scheduled Task/Job: Scheduled Task
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\tasklist.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\tasklist.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\262655\RegAsm.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\262655\Anger.com | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\262655\Anger.com | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\262655\Anger.com | N/A |
Suspicious use of SendNotifyMessage
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\262655\Anger.com | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\262655\Anger.com | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\262655\Anger.com | N/A |
Suspicious use of WriteProcessMemory
Processes
| Process | Command line |
| --- | --- |
| C:\Windows\Explorer.EXE | C:\Windows\Explorer.EXE |
| C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.NSIS.Runner.DMC.tr.1301.1660.exe | "C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.NSIS.Runner.DMC.tr.1301.1660.exe" |
| C:\Windows\SysWOW64\cmd.exe | "C:\Windows\system32\cmd.exe" /c copy Ever.ini Ever.ini.bat & Ever.ini.bat |
| C:\Windows\SysWOW64\tasklist.exe | tasklist |
| C:\Windows\SysWOW64\findstr.exe | findstr /I "opssvc wrsa" |
| C:\Windows\SysWOW64\tasklist.exe | tasklist |
| C:\Windows\SysWOW64\findstr.exe | findstr "nsWscSvc ekrn bdservicehost SophosHealth AvastUI AVGUI & if not errorlevel 1 Set ARjIQgRPVeqRrrYSuFHsckSGrEhGpSuAPRhqD=AutoIt3.exe & Set TJwJPPKcdrzqTXNiUJH=.a3x & Set XjszRYHRnwwHfSsuZVMWSkSJojXtwPU=300 |
| C:\Windows\SysWOW64\extrac32.exe | extrac32 /Y Reporters.ini *.* |
| C:\Windows\SysWOW64\findstr.exe | findstr /V "Afghanistan" Powerful |
| C:\Users\Admin\AppData\Local\Temp\262655\Anger.com | Anger.com f |
| C:\Windows\SysWOW64\cmd.exe | cmd /c schtasks.exe /create /tn "Prefer" /tr "wscript //B 'C:\Users\Admin\AppData\Local\PixelGuard Tech\Pixelize.js'" /sc daily /mo 1 /ri 3 /du 23:57 /F /RL HIGHEST |
| C:\Windows\SysWOW64\schtasks.exe | schtasks.exe /create /tn "Pixelize" /tr "wscript //B 'C:\Users\Admin\AppData\Local\PixelGuard Tech\Pixelize.js'" /sc onlogon /F /RL HIGHEST |
| C:\Windows\SysWOW64\schtasks.exe | schtasks.exe /create /tn "Prefer" /tr "wscript //B 'C:\Users\Admin\AppData\Local\PixelGuard Tech\Pixelize.js'" /sc daily /mo 1 /ri 3 /du 23:57 /F /RL HIGHEST |
| C:\Windows\SysWOW64\choice.exe | choice /d n /t 15 |
| C:\Users\Admin\AppData\Local\Temp\262655\RegAsm.exe | C:\Users\Admin\AppData\Local\Temp\262655\RegAsm.exe |
| C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\RegAsm.exe |
| C:\Users\Admin\AppData\Roaming\RegAsm.exe | C:\Users\Admin\AppData\Roaming\RegAsm.exe |
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 150.171.27.10:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | meGcKdibMncYyitBlVFb.meGcKdibMncYyitBlVFb | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| SE | 185.100.157.161:7000 | | tcp |
| US | 8.8.8.8:53 | c.pki.goog | udp |
| GB | 142.250.179.227:80 | c.pki.goog | tcp |
C:\Users\Admin\AppData\Local\Temp\That.ini
| MD5 | 2eb6361b4afb4bdaa04c01862c40ccb3 |
| SHA1 | a6d8f15581aaeba43325b671c98caa6687710185 |
| SHA256 | 988dc07921373651e72269848de2ea666d17e20789ae3b16496e2a7cd8148d34 |
| SHA512 | 4ae1d2b310c03b8c3e764b0a0909b233155b0405249ea516a54632e34433a9529ff123650dd679f55847405d6730d86ec7ba575f2c7b364e1df8fd7d9743d30e |
C:\Users\Admin\AppData\Local\Temp\Symbol.ini
| MD5 | c96e8aa6928ae2c6ed77f794acf5e328 |
| SHA1 | e34c68ac4439df2823e405af6f9bcdd27a083f5d |
| SHA256 | bb95b481e95a5f4058c5c6d017c9e484b034c6ea5367f8505b19028b0b832c28 |
| SHA512 | 1c273fa9711f30edb4a32fed018c6ce5ef218ac52426efbad63a97c5d950509011336fa0e572f95ac5654a08135877a53f1ec9dc5571a927f5255ce61da11cd8 |
C:\Users\Admin\AppData\Local\Temp\Plumbing.ini
| MD5 | 43dbe343d359d3ac4c5dc4cd37ff2f7e |
| SHA1 | 3cb8ba1f73b6b96cead2b0d4abf059123d43eca8 |
| SHA256 | 8ac04147f404d1dc2363bbd74a96bd98cfa64298bed4936b24b2b87b3f6d42f2 |
| SHA512 | adafe6e1d3e1d12a3f654f54200f0f1e28aa0e51d20d970e99e16b17255fc36589d74e2e353e53636baca289f0d3e0d52cebf85a31dc3edb4b12d88791b05edc |
C:\Users\Admin\AppData\Local\Temp\Attending.ini
| MD5 | 3a445a83b9d09bc1823346fa36301af9 |
| SHA1 | f6100ef512d1574cf9aff72febd057e016a8c145 |
| SHA256 | ab631a5fd810fe82c3da35193419dbbc9af8ad5ff68fd615614de4ae01998c09 |
| SHA512 | bdbe37e7b5ce766a10c4c0ce3eabaf3d63fb602892a39b25780c363b80df7f1a2c81952363129805e1f84f657148f62d4850a38bccb6bd0ddd9822c7d4f48bae |
C:\Users\Admin\AppData\Local\Temp\Fusion.ini
| MD5 | 5ac170ac04ac5bacddb0a39b96d3b832 |
| SHA1 | 2def671662cd5d8a3ad1c2eb264344d671ae017d |
| SHA256 | b03984bc3ad09d08eb150beb9fc2493423038516beba9fb43d1e85d30132a1ec |
| SHA512 | 7c1aa691e4ced75f2e3abde50bceebed1666b130d1043405fddf9e7130b6d2ab2151391b2768e8635662902da15a5a4c637403b592b5fa1804c93c5ff0f8a8c9 |
C:\Users\Admin\AppData\Local\Temp\Counted.ini
| MD5 | 44f4b5b4c5c671e11950894673d7c3d1 |
| SHA1 | 200f713680afc69b75b6d8c482f48fbee00df252 |
| SHA256 | c5e6fd0b666017b2dc218649734aec89aa58f958b24e416cdd4d7d67ff6e4eee |
| SHA512 | fbd887d3f5c316a3db66c957791dc60227b731acbea912483d1ead1964d4a25d11435f22f2caa9243c8db4c04201b5406100a1915924cca7ac73bec7f7240a6a |
C:\Users\Admin\AppData\Local\Temp\Festival.ini
| MD5 | 5b78415767fe9365a1cabe33ebd4b8c9 |
| SHA1 | b63f5aff0ff98f765d5be8e13238b138e1e6abe5 |
| SHA256 | aea5eeae87454897f17c03205af6fd430561cdf77b4f2aa2c7bd1af3de5a320c |
| SHA512 | 4e0b1be4d35bf8d382efd26049aa3b1f8ec3f1ddd18298238fafb612da3c27ab15c2e8f5c77bc42a4f3b8497a9d37368c7b0fe53a72a48d7bca45d304d4058fc |
C:\Users\Admin\AppData\Local\Temp\Matters.ini
| MD5 | 31cc5e48de9c782e21c30107b591297d |
| SHA1 | 687820e368937adf056a550cf6f3d8bd11312ff3 |
| SHA256 | 0f942eaef7da452c21653a58f3e529cd0cbfd7aa54cfbcf9130c9c400050f9f2 |
| SHA512 | 0e5f6e86449d65ad705d9afeed73a349d2a91b356bc8a2d2d05b0a42cab5dda5f19bac20fa2f9a77032486c139027889471c982419f80f977294eaf4246dc9f0 |
C:\Users\Admin\AppData\Local\Temp\Diesel.ini
| MD5 | 92797e98258a68794a2d94174dbbdfd5 |
| SHA1 | 0c70bb4e48414e6349a1d1f0ea128249d1c28d13 |
| SHA256 | dc244a1f48dc22c53089832babb402d703d250d0dff096fcd9dbf6f807aee744 |
| SHA512 | a9c5f792bd0534c793dccfbe5c9037cc2fa4ab5de7091094be36ba9d559d22f3a76affc6882f0b0c223a3b15b2d51fe16833b8d8c6eef60422b92cb836f42291 |
C:\Users\Admin\AppData\Local\Temp\Refrigerator.ini
| MD5 | e4fdb3c7541699eb66345cf7d2ac91dd |
| SHA1 | 1319ccfec1e2af2f083ea4dbb8818901fd26e818 |
| SHA256 | fa0acaac39705b35df4c28ea7d4e9b434c34fc62866b3e6b5dfc55210e9ef4a0 |
| SHA512 | 51d788074cba27b2d2470d70bcdc49a93c49d595e766977535985a5e9755a5ac2f4d72e5fca92c99c93a0f5b663c9ffcd32d6ed7fa22a8896248b662e64d80f9 |
C:\Users\Admin\AppData\Local\Temp\Navigation.ini
| MD5 | c30718cd76812a2ffbbe99fdfd2eeac6 |
| SHA1 | aa91fdd86bb098d4e1d33cfbec0ae0b98ff804be |
| SHA256 | 7fba657c6629b2b055ebfaddf751c34b5c410894660f4b1a1614645f9d557b1b |
| SHA512 | c0f502f38b064d40fe4c88548ac1589c6d75d3e69b6588e471b164000f06ca4dc1365bed4bdd3aa2d9deb3b165a2d1dd3ae4fd2ffb250d0650adb8c21628d6bd |
C:\Users\Admin\AppData\Local\Temp\Distribute.ini
| MD5 | f0a2c6e04995efdb48c6f4e4b8bf12c5 |
| SHA1 | 7cf35832124ef5e4e5b0b6e5ea7dac92ad71bef3 |
| SHA256 | 2ba5a5d531cded62e31df3db0e30f5e59521393f953b5c37e37a52dba0aed68a |
| SHA512 | 142fb333715a16ae9980ef121e4b0fc5bf9a1e3d7d1edf6f903b24115dde7bed02e7e6886eaf91a925af7f28de5194c49907ed7377214c6c24afe7a21d87033f |
C:\Users\Admin\AppData\Local\Temp\262655\Anger.com
| MD5 | 62d09f076e6e0240548c2f837536a46a |
| SHA1 | 26bdbc63af8abae9a8fb6ec0913a307ef6614cf2 |
| SHA256 | 1300262a9d6bb6fcbefc0d299cce194435790e70b9c7b4a651e202e90a32fd49 |
| SHA512 | 32de0d8bb57f3d3eb01d16950b07176866c7fb2e737d9811f61f7be6606a6a38a5fc5d4d2ae54a190636409b2a7943abca292d6cefaa89df1fc474a1312c695f |
C:\Users\Admin\AppData\Local\Temp\262655\f
| MD5 | 4c6aefebf670ea1bbe36eb740c08e4a9 |
| SHA1 | 9ac19922872dfd52dd7a4f2a2ac003ecc6215581 |
| SHA256 | fd1b852128c68e0730f66a822361fb47ffd113a12e570c487ad5595d9b414821 |
| SHA512 | 9fa9abd64c0d9a7e37512cc79fc20718ebd2771e9e56d4ba22e15b74670501cc6eee75b5b71bd8fec24d1f1998b6fb47de83dd0d02893fff575df7736c482271 |
memory/2852-337-0x0000000000720000-0x000000000082A000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\262655\RegAsm.exe
| MD5 | 0d5df43af2916f47d00c1573797c1a13 |
| SHA1 | 230ab5559e806574d26b4c20847c368ed55483b0 |
| SHA256 | c066aee7aa3aa83f763ebc5541daa266ed6c648fbffcde0d836a13b221bb2adc |
| SHA512 | f96cf9e1890746b12daf839a6d0f16f062b72c1b8a40439f96583f242980f10f867720232a6fa0f7d4d7ac0a7a6143981a5a130d6417ea98b181447134c7cfe2 |
memory/2852-340-0x0000000004DF0000-0x0000000004E8C000-memory.dmp
memory/4784-347-0x0000000000A50000-0x0000000000A62000-memory.dmp
memory/2852-349-0x00000000053A0000-0x0000000005406000-memory.dmp
memory/2852-350-0x0000000005DD0000-0x0000000005E62000-memory.dmp
memory/2852-351-0x0000000006420000-0x00000000069C4000-memory.dmp