snakebot | 109c70d63b69cd442a1fff4d9249de803bb4611791f7fdd7ea65b7da8ddb74b1

Resubmissions

27-08-2023 13:37

230827-qw645shf83 10

27-08-2023 13:33

230827-qtj7lahf64 6

Analysis

max time kernel
540s
max time network
549s
platform
windows10-2004_x64
resource
win10v2004-20230703-en
resource tags

arch:x64arch:x86image:win10v2004-20230703-enlocale:en-usos:windows10-2004-x64system
submitted
27-08-2023 13:37

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

pexels_videos_2028761 (1080p).mp4
Size

18.6MB
MD5

49fc43ffad271e2e4a1ba4585f8ab2d3
SHA1

188b1c31d57c233ea92394b7086a3a7c53668bdd
SHA256

109c70d63b69cd442a1fff4d9249de803bb4611791f7fdd7ea65b7da8ddb74b1
SHA512

9fc6c1bb4facd3eea293445d3874234df05a0d63b57169a8cb1f4f9afc8b864adefa2a9bce3eac374edc9ba03c759f3438f09f0c42ec79a2403a8cf20b17a1d8
SSDEEP

393216:3cHehtL3segrST4NGfs773Dc6CnzTCPXwL2v:3cY3casQJyPXwL2v

Score

10^/10

snakebot snakebot

Malware Config

Signatures

SnakeBOT
SnakeBOT is a heavily obfuscated .NET downloader.
snakebot

Contains SnakeBOT related strings 1 IoCs

snakebot

resource	yara_rule
behavioral1/files/0x000400000001d9fa-515.dat	snakebot_strings

ACProtect 1.3x - 1.4x DLL software 5 IoCs

Detects file using ACProtect software.

resource	yara_rule
behavioral1/files/0x000600000002367d-524.dat	acprotect
behavioral1/files/0x000600000002367d-523.dat	acprotect
behavioral1/files/0x000500000001d9ec-520.dat	acprotect
behavioral1/files/0x000500000001d9ec-519.dat	acprotect
behavioral1/files/0x000600000002367d-535.dat	acprotect

Executes dropped EXE 1 IoCs

pid	Process
5444	Undertale.exe

Loads dropped DLL 6 IoCs

pid	Process
5444	Undertale.exe
5444	Undertale.exe
5444	Undertale.exe
5444	Undertale.exe
5444	Undertale.exe
5444	Undertale.exe

Drops desktop.ini file(s) 1 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\Videos\Captures\desktop.ini	svchost.exe

Enumerates connected drives 3 TTPs 23 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\X:	unregmp2.exe
File opened (read-only)	\??\A:	unregmp2.exe
File opened (read-only)	\??\M:	unregmp2.exe
File opened (read-only)	\??\N:	unregmp2.exe
File opened (read-only)	\??\L:	unregmp2.exe
File opened (read-only)	\??\Q:	unregmp2.exe
File opened (read-only)	\??\S:	unregmp2.exe
File opened (read-only)	\??\U:	unregmp2.exe
File opened (read-only)	\??\Y:	unregmp2.exe
File opened (read-only)	\??\E:	unregmp2.exe
File opened (read-only)	\??\H:	unregmp2.exe
File opened (read-only)	\??\K:	unregmp2.exe
File opened (read-only)	\??\Z:	unregmp2.exe
File opened (read-only)	\??\P:	unregmp2.exe
File opened (read-only)	\??\R:	unregmp2.exe
File opened (read-only)	\??\T:	unregmp2.exe
File opened (read-only)	\??\W:	unregmp2.exe
File opened (read-only)	\??\B:	unregmp2.exe
File opened (read-only)	\??\G:	unregmp2.exe
File opened (read-only)	\??\O:	unregmp2.exe
File opened (read-only)	\??\I:	unregmp2.exe
File opened (read-only)	\??\J:	unregmp2.exe
File opened (read-only)	\??\V:	unregmp2.exe

Modifies registry class 2 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-4176143399-3250363947-192774652-1000\{71AF020A-E43C-4EDA-B202-1A55C25B7819}	svchost.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-4176143399-3250363947-192774652-1000\{8610E5D6-5145-4C47-9811-59976398EAD4}	svchost.exe

Suspicious behavior: EnumeratesProcesses 62 IoCs

pid	Process
5444	Undertale.exe
5444	Undertale.exe
5444	Undertale.exe
5444	Undertale.exe
5444	Undertale.exe
5444	Undertale.exe
5444	Undertale.exe
5444	Undertale.exe
5444	Undertale.exe
5444	Undertale.exe
5444	Undertale.exe
5444	Undertale.exe
5444	Undertale.exe
5444	Undertale.exe
5444	Undertale.exe
5444	Undertale.exe
5444	Undertale.exe
5444	Undertale.exe
5444	Undertale.exe
5444	Undertale.exe
5444	Undertale.exe
5444	Undertale.exe
5444	Undertale.exe
5444	Undertale.exe
5444	Undertale.exe
5444	Undertale.exe
5444	Undertale.exe
5444	Undertale.exe
5444	Undertale.exe
5444	Undertale.exe
5444	Undertale.exe
5444	Undertale.exe
5444	Undertale.exe
5444	Undertale.exe
5444	Undertale.exe
5444	Undertale.exe
5444	Undertale.exe
5444	Undertale.exe
5444	Undertale.exe
5444	Undertale.exe
5444	Undertale.exe
5444	Undertale.exe
5444	Undertale.exe
5444	Undertale.exe
5444	Undertale.exe
5444	Undertale.exe
5444	Undertale.exe
5444	Undertale.exe
5444	Undertale.exe
5444	Undertale.exe
5444	Undertale.exe
5444	Undertale.exe
5444	Undertale.exe
5444	Undertale.exe
5444	Undertale.exe
5444	Undertale.exe
5444	Undertale.exe
5444	Undertale.exe
5444	Undertale.exe
5444	Undertale.exe
5444	Undertale.exe
5444	Undertale.exe

Suspicious behavior: GetForegroundWindowSpam 2 IoCs

pid	Process
2884	OpenWith.exe
5444	Undertale.exe

Suspicious use of AdjustPrivilegeToken 8 IoCs

description	pid	Process
Token: SeShutdownPrivilege	1408	unregmp2.exe
Token: SeCreatePagefilePrivilege	1408	unregmp2.exe
Token: SeRestorePrivilege	2832	7zG.exe
Token: 35	2832	7zG.exe
Token: SeSecurityPrivilege	2832	7zG.exe
Token: SeSecurityPrivilege	2832	7zG.exe
Token: 33	2608	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	2608	AUDIODG.EXE

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2832	7zG.exe

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
5444	Undertale.exe
2884	OpenWith.exe
5444	Undertale.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 212 wrote to memory of 4720	212	wmplayer.exe	89
PID 212 wrote to memory of 4720	212	wmplayer.exe	89
PID 212 wrote to memory of 4720	212	wmplayer.exe	89
PID 212 wrote to memory of 2176	212	wmplayer.exe	90
PID 212 wrote to memory of 2176	212	wmplayer.exe	90
PID 212 wrote to memory of 2176	212	wmplayer.exe	90
PID 2176 wrote to memory of 1408	2176	unregmp2.exe	91
PID 2176 wrote to memory of 1408	2176	unregmp2.exe	91

C:\Program Files (x86)\Windows Media Player\wmplayer.exe
"C:\Program Files (x86)\Windows Media Player\wmplayer.exe" /prefetch:6 /Open "C:\Users\Admin\AppData\Local\Temp\pexels_videos_2028761 (1080p).mp4"
1⤵
- Suspicious use of WriteProcessMemory
PID:212
- C:\Program Files (x86)\Windows Media Player\setup_wm.exe
  "C:\Program Files (x86)\Windows Media Player\setup_wm.exe" /RunOnce:"C:\Program Files (x86)\Windows Media Player\wmplayer.exe" /prefetch:6 /Open "C:\Users\Admin\AppData\Local\Temp\pexels_videos_2028761 (1080p).mp4"
  2⤵
  PID:4720
- C:\Windows\SysWOW64\unregmp2.exe
  "C:\Windows\System32\unregmp2.exe" /AsyncFirstLogon
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2176
- - C:\Windows\system32\unregmp2.exe
    "C:\Windows\SysNative\unregmp2.exe" /AsyncFirstLogon /REENTRANT
    3⤵
    - Enumerates connected drives
    - Suspicious use of AdjustPrivilegeToken
    PID:1408

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4508.2.1871527067\1134899891" -childID 1 -isForBrowser -prefsHandle 3224 -prefMapHandle 3220 -prefsLen 21077 -prefMapSize 232675 -jsInitHandle 1280 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {2f1bb653-b3cb-4699-bbb4-84c19d9ba606} 4508 "\\.\pipe\gecko-crash-server-pipe.4508" 3236 212a55fb358 tab
1⤵
PID:4256

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4508.3.1487439373\562944613" -childID 2 -isForBrowser -prefsHandle 3420 -prefMapHandle 3416 -prefsLen 26437 -prefMapSize 232675 -jsInitHandle 1280 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {aae974df-cc32-4f57-823e-247d02fa25e5} 4508 "\\.\pipe\gecko-crash-server-pipe.4508" 3428 212a44e5058 tab
1⤵
PID:1960

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4508.4.1508171481\1015271274" -childID 3 -isForBrowser -prefsHandle 4608 -prefMapHandle 4596 -prefsLen 26496 -prefMapSize 232675 -jsInitHandle 1280 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {60d41ad2-138f-4069-80a4-c4a348fb8473} 4508 "\\.\pipe\gecko-crash-server-pipe.4508" 4620 212a79c3f58 tab
1⤵
PID:2452

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4508.5.716856338\1533284610" -childID 4 -isForBrowser -prefsHandle 5020 -prefMapHandle 5016 -prefsLen 26577 -prefMapSize 232675 -jsInitHandle 1280 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {75b8c8dd-c4cd-4b9f-8c7f-0459edf2cd83} 4508 "\\.\pipe\gecko-crash-server-pipe.4508" 1652 2129525e658 tab
1⤵
PID:1812

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4508.7.225943252\1414828687" -childID 6 -isForBrowser -prefsHandle 5316 -prefMapHandle 5320 -prefsLen 26577 -prefMapSize 232675 -jsInitHandle 1280 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {f84f9fd5-80c0-4ef7-a59c-4099ba9ff02c} 4508 "\\.\pipe\gecko-crash-server-pipe.4508" 5308 21295266058 tab
1⤵
PID:424

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4508.6.1773055428\1752693104" -childID 5 -isForBrowser -prefsHandle 5124 -prefMapHandle 5132 -prefsLen 26577 -prefMapSize 232675 -jsInitHandle 1280 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {9dcfaf85-8377-48a2-a5dd-2b95fe4619e7} 4508 "\\.\pipe\gecko-crash-server-pipe.4508" 5108 2129525c558 tab
1⤵
PID:2332

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4508.8.608949252\897525312" -childID 7 -isForBrowser -prefsHandle 5704 -prefMapHandle 5700 -prefsLen 26752 -prefMapSize 232675 -jsInitHandle 1280 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {3d21f8bd-9271-4d4b-a862-ae9be9e6b728} 4508 "\\.\pipe\gecko-crash-server-pipe.4508" 5712 212a9c42858 tab
1⤵
PID:3968

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4508.9.294326091\75215568" -childID 8 -isForBrowser -prefsHandle 5100 -prefMapHandle 5084 -prefsLen 26752 -prefMapSize 232675 -jsInitHandle 1280 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {966f0692-362d-471f-962a-285b9e43eb98} 4508 "\\.\pipe\gecko-crash-server-pipe.4508" 4620 2129525e658 tab
1⤵
PID:4800

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4508.10.1238952471\155096849" -childID 9 -isForBrowser -prefsHandle 3032 -prefMapHandle 2916 -prefsLen 26752 -prefMapSize 232675 -jsInitHandle 1280 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {36529670-71ee-470c-ae9f-315628741080} 4508 "\\.\pipe\gecko-crash-server-pipe.4508" 2912 212a7dac258 tab
1⤵
PID:4084

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4508.11.1446089630\1611792887" -childID 10 -isForBrowser -prefsHandle 6064 -prefMapHandle 6056 -prefsLen 26752 -prefMapSize 232675 -jsInitHandle 1280 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {4dc655ff-1a9c-4f97-bd20-19a854bd8082} 4508 "\\.\pipe\gecko-crash-server-pipe.4508" 6088 212a8a66c58 tab
1⤵
PID:1180

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4508.12.1241286823\1117696328" -childID 11 -isForBrowser -prefsHandle 3176 -prefMapHandle 4440 -prefsLen 26831 -prefMapSize 232675 -jsInitHandle 1280 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {8cd77739-a2af-4e54-8828-188cfe8d7ee9} 4508 "\\.\pipe\gecko-crash-server-pipe.4508" 3164 2129522d558 tab
1⤵
PID:4180

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4508.13.1192270478\225575246" -childID 12 -isForBrowser -prefsHandle 10008 -prefMapHandle 10016 -prefsLen 26831 -prefMapSize 232675 -jsInitHandle 1280 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {73dd21f2-5a17-41f7-b20c-ad1301d614e1} 4508 "\\.\pipe\gecko-crash-server-pipe.4508" 9996 212a33d9758 tab
1⤵
PID:4752

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4508.14.803448362\1672264550" -childID 13 -isForBrowser -prefsHandle 5812 -prefMapHandle 4408 -prefsLen 27232 -prefMapSize 232675 -jsInitHandle 1280 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {da5ef659-f3e1-4345-b819-c2c366655af2} 4508 "\\.\pipe\gecko-crash-server-pipe.4508" 4396 212a9c11958 tab
1⤵
PID:5392

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4508.15.1898154301\1756498476" -childID 14 -isForBrowser -prefsHandle 5388 -prefMapHandle 4464 -prefsLen 27232 -prefMapSize 232675 -jsInitHandle 1280 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {847a2f5f-d409-4f01-8de1-950d0a5a695e} 4508 "\\.\pipe\gecko-crash-server-pipe.4508" 5328 212a7dac858 tab
1⤵
PID:5564

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4508.16.737847007\211850606" -childID 15 -isForBrowser -prefsHandle 9740 -prefMapHandle 5616 -prefsLen 27232 -prefMapSize 232675 -jsInitHandle 1280 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {f809c667-63d3-4d98-8418-ab1d2612606a} 4508 "\\.\pipe\gecko-crash-server-pipe.4508" 5420 212a7daf258 tab
1⤵
PID:5572

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4508.17.1952036711\2035709988" -childID 16 -isForBrowser -prefsHandle 3692 -prefMapHandle 5192 -prefsLen 27232 -prefMapSize 232675 -jsInitHandle 1280 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {d5f6bdf6-75dd-4fd0-97e7-671c9b528f2f} 4508 "\\.\pipe\gecko-crash-server-pipe.4508" 5796 21295262f58 tab
1⤵
PID:5820

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4508.18.347528922\220645942" -childID 17 -isForBrowser -prefsHandle 5724 -prefMapHandle 4440 -prefsLen 27272 -prefMapSize 232675 -jsInitHandle 1280 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {beb10290-f3ac-41a3-9697-140dab4c482d} 4508 "\\.\pipe\gecko-crash-server-pipe.4508" 9684 212aaff8158 tab
1⤵
PID:6072

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4508.19.1618153923\440502295" -childID 18 -isForBrowser -prefsHandle 4832 -prefMapHandle 9504 -prefsLen 27272 -prefMapSize 232675 -jsInitHandle 1280 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {91b0e789-14af-4f10-b107-b84e439420f3} 4508 "\\.\pipe\gecko-crash-server-pipe.4508" 5892 212ab40e158 tab
1⤵
PID:1720

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4508.20.874812652\496431362" -childID 19 -isForBrowser -prefsHandle 9680 -prefMapHandle 9692 -prefsLen 27272 -prefMapSize 232675 -jsInitHandle 1280 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {930d058e-cc19-4e82-9ff8-9ba8ec86cdb9} 4508 "\\.\pipe\gecko-crash-server-pipe.4508" 5492 212aa8b2b58 tab
1⤵
PID:1096

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4508.21.759606120\345300369" -childID 20 -isForBrowser -prefsHandle 9156 -prefMapHandle 9152 -prefsLen 27272 -prefMapSize 232675 -jsInitHandle 1280 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {fa47bce3-4d6a-47b2-a551-024bb49de722} 4508 "\\.\pipe\gecko-crash-server-pipe.4508" 9168 212aa8b2258 tab
1⤵
PID:4760

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4508.22.1184366455\455305433" -childID 21 -isForBrowser -prefsHandle 5976 -prefMapHandle 9388 -prefsLen 27272 -prefMapSize 232675 -jsInitHandle 1280 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {76da230c-0f31-407c-b0d2-c72b7ecb95cf} 4508 "\\.\pipe\gecko-crash-server-pipe.4508" 9688 212aa455758 tab
1⤵
PID:4428

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:5036

C:\Program Files\7-Zip\7zG.exe
"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Desktop\" -an -ai#7zMap16411:88:7zEvent25601
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:2832

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4508.23.103477527\1270556059" -childID 22 -isForBrowser -prefsHandle 4400 -prefMapHandle 9988 -prefsLen 27337 -prefMapSize 232675 -jsInitHandle 1280 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {5e224d3a-a3a5-4e3e-9140-91ca2ac184e5} 4508 "\\.\pipe\gecko-crash-server-pipe.4508" 9576 212a7a57258 tab
1⤵
PID:3860

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4508.24.1373706724\1184018193" -childID 23 -isForBrowser -prefsHandle 8964 -prefMapHandle 9504 -prefsLen 27346 -prefMapSize 232675 -jsInitHandle 1280 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {145f9e44-2b01-4393-a091-5166e920e497} 4508 "\\.\pipe\gecko-crash-server-pipe.4508" 9076 212a77b3258 tab
1⤵
PID:6104

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4508.25.405574397\534646889" -childID 24 -isForBrowser -prefsHandle 5808 -prefMapHandle 8496 -prefsLen 27346 -prefMapSize 232675 -jsInitHandle 1280 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {f998d640-e49e-43d5-bdde-bf256eec830c} 4508 "\\.\pipe\gecko-crash-server-pipe.4508" 5460 212a77b4158 tab
1⤵
PID:4912

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4508.26.154386958\1055314953" -childID 25 -isForBrowser -prefsHandle 9688 -prefMapHandle 9692 -prefsLen 27346 -prefMapSize 232675 -jsInitHandle 1280 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {8a7bb9b8-3b76-4918-8b8f-dd141d28ad4e} 4508 "\\.\pipe\gecko-crash-server-pipe.4508" 4556 212a7996058 tab
1⤵
PID:1328

C:\Users\Admin\Desktop\Undertale.v1.08\Undertale\Undertale.exe
"C:\Users\Admin\Desktop\Undertale.v1.08\Undertale\Undertale.exe"
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
PID:5444

C:\Windows\System32\GameBarPresenceWriter.exe
"C:\Windows\System32\GameBarPresenceWriter.exe" -ServerName:Windows.Gaming.GameBar.Internal.PresenceWriterServer
1⤵
PID:4276

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
PID:2884

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k BcastDVRUserService -s BcastDVRUserService
1⤵
- Drops desktop.ini file(s)
- Modifies registry class
PID:2340

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x4f4 0x468
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2608

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k BcastDVRUserService -s BcastDVRUserService
1⤵
- Modifies registry class
PID:4260

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k BcastDVRUserService -s BcastDVRUserService
1⤵
PID:4428

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Media Player\CurrentDatabase_400.wmdb

Filesize
640KB

MD5
91934a1698086dec2102436bfec4bf48

SHA1
65f4148aaf09fcbd36142a32108fea28ee0547c3

SHA256
7c20d905f19d2b3cebf98f747bce8b895ce6fc3df0b544fd3d35d2404f9bc59e

SHA512
e84586e76d702fe091088824732d441a39cc68f06e27229d8e8cf16530d8ff04f3f1a25287b3b7ce09c56ed00862c82bcab84cd7e48c2a9eb0208e87a3f7dfcd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows Media\12.0\WMSDKNS.XML

Filesize
9KB

MD5
7050d5ae8acfbe560fa11073fef8185d

SHA1
5bc38e77ff06785fe0aec5a345c4ccd15752560e

SHA256
cb87767c4a384c24e4a0f88455f59101b1ae7b4fb8de8a5adb4136c5f7ee545b

SHA512
a7a295ac8921bb3dde58d4bcde9372ed59def61d4b7699057274960fa8c1d1a1daff834a93f7a0698e9e5c16db43af05e9fd2d6d7c9232f7d26ffcff5fc5900b

Download Submit
C:\Users\Admin\AppData\Local\Temp\wmsetup.log

Filesize
1KB

MD5
a0bad661c450688a78c5e2226d9a215a

SHA1
77072912c0cfe8bcbc6fc87b83e59a72dd6367d6

SHA256
29ab9f3469745e167e5dd1c0ce0be861bfd92831764118926ed3a86717db6056

SHA512
76a055a0a0f19fffcc711f9bc6080bf7571adc7f3744eb99e9b0a2e76baaab3c6b3b1ce8bb24015ad88c56db62b9ec80afbccc8978135642c8c6956bbd834e5c

Download Submit
C:\Users\Admin\Desktop\Undertale.v1.08.zip

Filesize
165.4MB

MD5
c595f15d602439ae8dfd99347f2152c9

SHA1
12d30525deb42c5c012a5208005d23b572e670f7

SHA256
998903777ed20b3d13a5fb6b87bd72a4e90c44568f40f197e52d99419009b7ed

SHA512
2b3b2657caa2bbbdae9b79ac83ef07f2cf82fdabe3534f936221e3e5c2f03965e4215a626961ff5c2a6a5b6fe95cf50c12e7ee05c0fc206ee304803a4d03eee3

Download Submit
C:\Users\Admin\Desktop\Undertale.v1.08\HOW TO RUN GAME!!.txt

Filesize
232B

MD5
5d4d3bb4cce2aea9b4cf38c5878be992

SHA1
63908698f8b82f1d63c682e7f2e75a2c9eb5a304

SHA256
05791a6b3ebc64af32cd8080e0af203342845e4c2989f3a5ebe05c4837e9279e

SHA512
2d19590c29f6d0cd3522979545dcf33b32aa7162f217efe5284867100bfcb6bb118be1bb03a8aee1e2983cb2a64413d8e87f252956f689396936b33c47b09f30

Download Submit
C:\Users\Admin\Desktop\Undertale.v1.08\Undertale\CODEX.DLL

Filesize
103KB

MD5
7b8887951d5834203f155e1f16005da5

SHA1
e199242e51d816b1abc3e4091c429a22175b1ac6

SHA256
382a95940910172335a3f6356671e3cf6e514ec95b98faf5d943b23870164afc

SHA512
bf849ce862aeba8b0782997fa5ad2adc27644c37e080bf3b52d6ebe3a33dfed48b781d6c021c20164fd1d1a058fa00b1cf5bf5745a012947739f364f9fc7539c

Download Submit
C:\Users\Admin\Desktop\Undertale.v1.08\Undertale\D3DX9_43.dll

Filesize
1.9MB

MD5
86e39e9161c3d930d93822f1563c280d

SHA1
f5944df4142983714a6d9955e6e393d9876c1e11

SHA256
0b28546be22c71834501f7d7185ede5d79742457331c7ee09efc14490dd64f5f

SHA512
0a3e311c4fd5c2194a8807469e47156af35502e10aeb8a3f64a01ff802cd8669c7e668cc87b593b182fd830a126d002b5d5d7b6c77991158bffdb0b5b997f6b3

Download Submit
C:\Users\Admin\Desktop\Undertale.v1.08\Undertale\GameOverlayRenderer.dll

Filesize
1.2MB

MD5
0ec731067f6886b526eb75ff94177bba

SHA1
5ada34244869985cf941fc08937142a521adadd6

SHA256
ad143640b71a36b45dadbe1b68096e9ca6e4fd0af69b6e3e50b90ea98bab5700

SHA512
3bf15f43e451a2f19491353e10c116a92deec6b9c372a9924e7205e33fb4bb2e1c437ca8c88992ef9fd836539d91c744e905480cde48d85afebcf66c1bf2be16

Download Submit
C:\Users\Admin\Desktop\Undertale.v1.08\Undertale\GameOverlayRenderer.dll

Filesize
1.2MB

MD5
0ec731067f6886b526eb75ff94177bba

SHA1
5ada34244869985cf941fc08937142a521adadd6

SHA256
ad143640b71a36b45dadbe1b68096e9ca6e4fd0af69b6e3e50b90ea98bab5700

SHA512
3bf15f43e451a2f19491353e10c116a92deec6b9c372a9924e7205e33fb4bb2e1c437ca8c88992ef9fd836539d91c744e905480cde48d85afebcf66c1bf2be16

Download Submit
C:\Users\Admin\Desktop\Undertale.v1.08\Undertale\Undertale.exe

Filesize
3.9MB

MD5
8741fe2075cfbb8070ff1ccb7468981a

SHA1
9ff96c296cc555a6a000133e07fb3f4ab92811c4

SHA256
c8c4191026bf5587a6fad120855b8b82ffb4fa0c3eaf10515be472ad84248e58

SHA512
c5e424cece81a4dad5f4e66e6e00b19d0ce014853f4dcd1a45d16e8d4321ba33f6333e2ebaf2dba3152e0fb22f942749664f231e6df5982e4511788a30d7e655

Download Submit
C:\Users\Admin\Desktop\Undertale.v1.08\Undertale\Undertale.exe

Filesize
3.9MB

MD5
8741fe2075cfbb8070ff1ccb7468981a

SHA1
9ff96c296cc555a6a000133e07fb3f4ab92811c4

SHA256
c8c4191026bf5587a6fad120855b8b82ffb4fa0c3eaf10515be472ad84248e58

SHA512
c5e424cece81a4dad5f4e66e6e00b19d0ce014853f4dcd1a45d16e8d4321ba33f6333e2ebaf2dba3152e0fb22f942749664f231e6df5982e4511788a30d7e655

Download Submit
C:\Users\Admin\Desktop\Undertale.v1.08\Undertale\Undertale.exe

Filesize
3.9MB

MD5
8741fe2075cfbb8070ff1ccb7468981a

SHA1
9ff96c296cc555a6a000133e07fb3f4ab92811c4

SHA256
c8c4191026bf5587a6fad120855b8b82ffb4fa0c3eaf10515be472ad84248e58

SHA512
c5e424cece81a4dad5f4e66e6e00b19d0ce014853f4dcd1a45d16e8d4321ba33f6333e2ebaf2dba3152e0fb22f942749664f231e6df5982e4511788a30d7e655

Download Submit
C:\Users\Admin\Desktop\Undertale.v1.08\Undertale\codex.dll

Filesize
103KB

MD5
7b8887951d5834203f155e1f16005da5

SHA1
e199242e51d816b1abc3e4091c429a22175b1ac6

SHA256
382a95940910172335a3f6356671e3cf6e514ec95b98faf5d943b23870164afc

SHA512
bf849ce862aeba8b0782997fa5ad2adc27644c37e080bf3b52d6ebe3a33dfed48b781d6c021c20164fd1d1a058fa00b1cf5bf5745a012947739f364f9fc7539c

Download Submit
C:\Users\Admin\Desktop\Undertale.v1.08\Undertale\d3dx9_43.dll

Filesize
1.9MB

MD5
86e39e9161c3d930d93822f1563c280d

SHA1
f5944df4142983714a6d9955e6e393d9876c1e11

SHA256
0b28546be22c71834501f7d7185ede5d79742457331c7ee09efc14490dd64f5f

SHA512
0a3e311c4fd5c2194a8807469e47156af35502e10aeb8a3f64a01ff802cd8669c7e668cc87b593b182fd830a126d002b5d5d7b6c77991158bffdb0b5b997f6b3

Download Submit
C:\Users\Admin\Desktop\Undertale.v1.08\Undertale\data.win

Filesize
60.0MB

MD5
5903fc5cb042a728d4ad8ee9e949c6eb

SHA1
cb394cdd8a663bd0e39a5cf1f1607c3d12da4b58

SHA256
b718f8223a5bb31979ffeed10be6140c857b882fc0d0462b89d6287ae38c81c7

SHA512
1bb4d74acf76ee94ae877bbe81ed1da1b314726b95b9663fba16b98a450378da10914e53d552da38dbdc863cba4602f48f878b4b377ec9ac0d78403bffc8b2f0

Download Submit
C:\Users\Admin\Desktop\Undertale.v1.08\Undertale\mus_intronoise.ogg

Filesize
38KB

MD5
e6b9a8fd4d6ed0819fd752c8653a313c

SHA1
4d4634f9970c4d2d179fc70cdf632c2d12771b16

SHA256
83b9d3befdf1b9fae8729ed396d7277110207a6857a72fedc7b499d26362517a

SHA512
c9be35dc017130e815012595a1312686c278fd37d26c2d4b7e2e815e2f7ec4e2b88af2fa0b0e17442663c5f8a9d0463ef444123ed89ad138151b788ec557b578

Download Submit
C:\Users\Admin\Desktop\Undertale.v1.08\Undertale\mus_menu0.ogg

Filesize
199KB

MD5
21ef759dabb390cb4a7a7eb3b69e16d8

SHA1
1d43902cec0add9c6407fea0386e37ed32d7c6c6

SHA256
f52bce7dca16f1631b7a6f1d51f712e7a778059cbd51908ff69c4011bd371456

SHA512
8d1c5ad03437a544042f1a80e34fea69aa7a37a9dcc5c00225b2602856e659ea9d84c5d4382ae2bab3865a56df4faa6200ac86e050334bc68aef4ad3f1bf9f89

Download Submit
C:\Users\Admin\Desktop\Undertale.v1.08\Undertale\mus_story.ogg

Filesize
648KB

MD5
3eb22f63fd2c3327c539f002605426b3

SHA1
49b3299becda167b22f4daacb009157c21c38485

SHA256
eb5e5463710acba3a2da93ace616cf4a4a42a93ccbc93d8815b08c038fc66463

SHA512
a196c21813f97a96c9f56fdb922d6f61ef254b2f8fff029112aa671cec0aa7e0fc8ec49c70285cc7dd2d60aea907096f8bdefb8f17e5922dfd4f65cc4af53225

Download Submit
C:\Users\Admin\Desktop\Undertale.v1.08\Undertale\options.ini

Filesize
97B

MD5
40ede613879f6406fd90c4bad9ba08cb

SHA1
234d1a88ecb5eb2f945f0f8959df69bc154a4677

SHA256
52a59e5417778aac32756ac0617d5b00fd47a9015e54b3865fdc17a867b58cf9

SHA512
c42b738b58298bdd8866b6f053df12a13b9eee3917e86846a7fa3d00248a7dc1c7658878c06f51d6b9e0450a4eee940c61d56ad11fe32656bd64f9341abdcaab

Download Submit
C:\Users\Admin\Desktop\Undertale.v1.08\Undertale\splash.png

Filesize
1KB

MD5
5a886add3e5fe341d635aa98639bb76b

SHA1
b1fa811638510e5758952f95ae1119eb6a9acd8b

SHA256
4d61c1a05b596720523f442bed39d04067d19f7c306073e2306f282e1198c554

SHA512
40e11231ec53b18ef132ea76ff37872a0885322948cd489c3076af40bdbed262a710783068b448d5e026fe4493d0ff40239fabc50c94dacf825e61fa3b939171

Download Submit
C:\Users\Admin\Desktop\Undertale.v1.08\Undertale\steam_api.dll

Filesize
210KB

MD5
30ae1db76c1af7f46e6f41c375e1b9b0

SHA1
5e30d08ae301bb866a8856b4ef2c57d788bcda4a

SHA256
dfa223f72fe3b975b5033ec03d505e5a702bf4ff632bce7ba1b8a5ff411f0245

SHA512
2a4239ffb214341b9495ae02fae90785b9a8f2712fa91a59730b1a9778aaa35b6c8cb88cb57f19c34a131a2bfecaef71c4b56a26fac4bbf6e1a3d8748d8f7b70

Download Submit
C:\Users\Admin\Desktop\Undertale.v1.08\Undertale\steam_api.dll

Filesize
210KB

MD5
30ae1db76c1af7f46e6f41c375e1b9b0

SHA1
5e30d08ae301bb866a8856b4ef2c57d788bcda4a

SHA256
dfa223f72fe3b975b5033ec03d505e5a702bf4ff632bce7ba1b8a5ff411f0245

SHA512
2a4239ffb214341b9495ae02fae90785b9a8f2712fa91a59730b1a9778aaa35b6c8cb88cb57f19c34a131a2bfecaef71c4b56a26fac4bbf6e1a3d8748d8f7b70

Download Submit
C:\Users\Admin\Desktop\Undertale.v1.08\Undertale\steam_emu.ini

Filesize
2KB

MD5
81f97400f469182246375fbbc22d3679

SHA1
1adf2add052f22ec0ec1d138b8398d77996a3c52

SHA256
f77451c9fb4d9c32475d18565083a95f81e4296d6ef8b8a4c263926fa943897a

SHA512
1e66c1f4916a09f29b9ee8e1100fda75da2e8974316233e84ed1eeb5fd2ddfb943f33ccbd330ddd1d65277e545112d358bc927b4bf7332c1680f8331c3c1fda3

Download Submit
C:\Users\Admin\Desktop\Undertale.v1.08\Undertale\steamclient.dll

Filesize
255KB

MD5
2e5c2c249c56a6bd8b374e8d32b2abe7

SHA1
116f109add3102e64ca3ac435b734c695737f6d5

SHA256
6b8411ea4559e739995beab3f8fc26a9c590291a5338a642d7ecb2f38a833950

SHA512
10b5c80c3c666d7c2a9b9f3ee5242cc5defee3008b7c9c687b8835afa3ca0ba00d69662852d0544d845a0d59c9b7a1e7fe595e9883c0288eca71cb854193484d

Download Submit
C:\Users\Admin\Desktop\Undertale.v1.08\Undertale\steamclient.dll

Filesize
255KB

MD5
2e5c2c249c56a6bd8b374e8d32b2abe7

SHA1
116f109add3102e64ca3ac435b734c695737f6d5

SHA256
6b8411ea4559e739995beab3f8fc26a9c590291a5338a642d7ecb2f38a833950

SHA512
10b5c80c3c666d7c2a9b9f3ee5242cc5defee3008b7c9c687b8835afa3ca0ba00d69662852d0544d845a0d59c9b7a1e7fe595e9883c0288eca71cb854193484d

Download Submit
C:\Users\Admin\Desktop\Undertale.v1.08\Undertale\steamclient.dll

Filesize
255KB

MD5
2e5c2c249c56a6bd8b374e8d32b2abe7

SHA1
116f109add3102e64ca3ac435b734c695737f6d5

SHA256
6b8411ea4559e739995beab3f8fc26a9c590291a5338a642d7ecb2f38a833950

SHA512
10b5c80c3c666d7c2a9b9f3ee5242cc5defee3008b7c9c687b8835afa3ca0ba00d69662852d0544d845a0d59c9b7a1e7fe595e9883c0288eca71cb854193484d

Download Submit
C:\Users\Admin\Videos\Captures\desktop.ini

Filesize
190B

MD5
b0d27eaec71f1cd73b015f5ceeb15f9d

SHA1
62264f8b5c2f5034a1e4143df6e8c787165fbc2f

SHA256
86d9f822aeb989755fac82929e8db369b3f5f04117ef96fd76e3d5f920a501d2

SHA512
7b5c9783a0a14b600b156825639d24cbbc000f5066c48ce9fecc195255603fc55129aaaca336d7ce6ad4e941d5492b756562f2c7a1d151fcfc2dabac76f3946c

Download Submit
C:\Users\Admin\Videos\Captures\desktop.ini

Filesize
190B

MD5
b0d27eaec71f1cd73b015f5ceeb15f9d

SHA1
62264f8b5c2f5034a1e4143df6e8c787165fbc2f

SHA256
86d9f822aeb989755fac82929e8db369b3f5f04117ef96fd76e3d5f920a501d2

SHA512
7b5c9783a0a14b600b156825639d24cbbc000f5066c48ce9fecc195255603fc55129aaaca336d7ce6ad4e941d5492b756562f2c7a1d151fcfc2dabac76f3946c

Download Submit
memory/5444-527-0x00000000749D0000-0x0000000074A86000-memory.dmp

Filesize
728KB

Download
memory/5444-566-0x0000000006F00000-0x0000000006FB6000-memory.dmp

Filesize
728KB

Download
memory/5444-530-0x0000000077B72000-0x0000000077B73000-memory.dmp

Filesize
4KB

Download
memory/5444-525-0x0000000074C00000-0x0000000074C4C000-memory.dmp

Filesize
304KB

Download
memory/5444-560-0x0000000074C00000-0x0000000074C4C000-memory.dmp

Filesize
304KB

Download
memory/5444-561-0x00000000749D0000-0x0000000074A86000-memory.dmp

Filesize
728KB

Download
memory/5444-531-0x0000000077B72000-0x0000000077B73000-memory.dmp

Filesize
4KB

Download
memory/5444-564-0x00000000749D0000-0x0000000074A86000-memory.dmp

Filesize
728KB

Download
memory/5444-565-0x0000000000C80000-0x0000000000C81000-memory.dmp

Filesize
4KB

Download
memory/5444-536-0x0000000006F00000-0x0000000006FB6000-memory.dmp

Filesize
728KB

Download
memory/5444-533-0x0000000077B72000-0x0000000077B73000-memory.dmp

Filesize
4KB

Download
memory/5444-571-0x00000000749D0000-0x0000000074A86000-memory.dmp

Filesize
728KB

Download
memory/5444-534-0x0000000000C80000-0x0000000000C81000-memory.dmp

Filesize
4KB

Download
memory/5444-584-0x00000000749D0000-0x0000000074A86000-memory.dmp

Filesize
728KB

Download
memory/5444-532-0x0000000077B72000-0x0000000077B73000-memory.dmp

Filesize
4KB

Download
memory/5444-587-0x00000000749D0000-0x0000000074A86000-memory.dmp

Filesize
728KB

Download
memory/5444-592-0x0000000077B72000-0x0000000077B73000-memory.dmp

Filesize
4KB

Download
memory/5444-593-0x0000000077B72000-0x0000000077B73000-memory.dmp

Filesize
4KB

Download
memory/5444-594-0x00000000749D0000-0x0000000074A86000-memory.dmp

Filesize
728KB

Download