f3af112a81b432d062b2d15b06af0031c10da1aef52adc605b6ddcce347e42c8

Analysis

max time kernel
1702s
max time network
1794s
platform
windows10-ltsc 2021_x64
resource
win10ltsc2021-20241211-en
resource tags

arch:x64arch:x86image:win10ltsc2021-20241211-enlocale:en-usos:windows10-ltsc 2021-x64system
submitted
26-12-2024 01:06

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

8e5586-grand-theft-auto-vice-city-free-pc-download.html
Size

5KB
MD5

ec8d60c792c4feea8bfa56f9979d1f43
SHA1

960f67298065584113c4d3621c5a4a278bef3002
SHA256

f3af112a81b432d062b2d15b06af0031c10da1aef52adc605b6ddcce347e42c8
SHA512

22f5f684f18427f8de83d6e8ca8f8e65a0bbe3dbf5dd386927d7c7580fb99ba26f1d89cf3aeb40c3742b237bc17aaff47c95b525840ebd708a68e469f9293af7
SSDEEP

96:1j9jwIjYj5jDK/D5DMF+C8kHZqXKHvpIkdN5rRU9PaQxJbKknx/IR:1j9jhjYj9K/Vo+nkEaHvFdN5ry9ieJ1u

Score

7^/10

steam discovery phishing

Malware Config

Signatures

ACProtect 1.3x - 1.4x DLL software 2 IoCs

Detects file using ACProtect software.

resource	yara_rule
behavioral1/files/0x0002000000044d0a-471.dat	acprotect
behavioral1/files/0x002100000004669c-476.dat	acprotect

Executes dropped EXE 1 IoCs

pid	Process
2116	Undertale.exe

Loads dropped DLL 6 IoCs

pid	Process
2116	Undertale.exe
2116	Undertale.exe
2116	Undertale.exe
2116	Undertale.exe
2116	Undertale.exe
2116	Undertale.exe

Drops desktop.ini file(s) 1 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\Videos\Captures\desktop.ini	svchost.exe

Network Service Discovery 1 TTPs 1 IoCs

Attempt to gather information on host's network.

discovery

Network Service Discovery

T1046

pid	Process
4636	GameBarPresenceWriter.exe

Detected potential entity reuse from brand STEAM.
phishing steam

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Undertale.exe

Checks processor information in registry 2 TTPs 12 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	svchost.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	svchost.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	firefox.exe

Modifies registry class 4 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-1411052346-3904498293-150013998-1000\{F5C04702-65BA-4F79-8EBA-0057943638F1}	svchost.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-1411052346-3904498293-150013998-1000\{F6BAEC0D-D5CE-4D0A-9AB0-2BC4713B196A}	svchost.exe
Key created	\REGISTRY\USER\S-1-5-21-1411052346-3904498293-150013998-1000_Classes\Local Settings	firefox.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-1411052346-3904498293-150013998-1000\{F820053B-8B7E-492E-99FE-98A1B0BD09A6}	msedge.exe

Suspicious behavior: EnumeratesProcesses 62 IoCs

pid	Process
2116	Undertale.exe
2116	Undertale.exe
2116	Undertale.exe
2116	Undertale.exe
2116	Undertale.exe
2116	Undertale.exe
2116	Undertale.exe
2116	Undertale.exe
2116	Undertale.exe
2116	Undertale.exe
2116	Undertale.exe
2116	Undertale.exe
2116	Undertale.exe
2116	Undertale.exe
2116	Undertale.exe
2116	Undertale.exe
2116	Undertale.exe
2116	Undertale.exe
2116	Undertale.exe
2116	Undertale.exe
2116	Undertale.exe
2116	Undertale.exe
2116	Undertale.exe
2116	Undertale.exe
2116	Undertale.exe
2116	Undertale.exe
2116	Undertale.exe
2116	Undertale.exe
2116	Undertale.exe
2116	Undertale.exe
2116	Undertale.exe
2116	Undertale.exe
2116	Undertale.exe
2116	Undertale.exe
2116	Undertale.exe
2116	Undertale.exe
2116	Undertale.exe
2116	Undertale.exe
2116	Undertale.exe
2116	Undertale.exe
2116	Undertale.exe
2116	Undertale.exe
2116	Undertale.exe
2116	Undertale.exe
2116	Undertale.exe
2116	Undertale.exe
2116	Undertale.exe
2116	Undertale.exe
2116	Undertale.exe
2116	Undertale.exe
2116	Undertale.exe
2116	Undertale.exe
2116	Undertale.exe
2116	Undertale.exe
2116	Undertale.exe
2116	Undertale.exe
2116	Undertale.exe
2116	Undertale.exe
2116	Undertale.exe
2116	Undertale.exe
2116	Undertale.exe
2116	Undertale.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2116	Undertale.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

description	pid	Process
Token: SeRestorePrivilege	4188	7zG.exe
Token: 35	4188	7zG.exe
Token: SeSecurityPrivilege	4188	7zG.exe
Token: SeSecurityPrivilege	4188	7zG.exe
Token: 33	3092	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	3092	AUDIODG.EXE
Token: SeDebugPrivilege	2132	firefox.exe
Token: SeDebugPrivilege	2132	firefox.exe
Token: SeDebugPrivilege	2132	firefox.exe
Token: SeDebugPrivilege	2132	firefox.exe
Token: SeDebugPrivilege	2132	firefox.exe
Token: SeDebugPrivilege	2132	firefox.exe

Suspicious use of FindShellTrayWindow 22 IoCs

pid	Process
4188	7zG.exe
2132	firefox.exe
2132	firefox.exe
2132	firefox.exe
2132	firefox.exe
2132	firefox.exe
2132	firefox.exe
2132	firefox.exe
2132	firefox.exe
2132	firefox.exe
2132	firefox.exe
2132	firefox.exe
2132	firefox.exe
2132	firefox.exe
2132	firefox.exe
2132	firefox.exe
2132	firefox.exe
2132	firefox.exe
2132	firefox.exe
2132	firefox.exe
2132	firefox.exe
2132	firefox.exe

Suspicious use of SendNotifyMessage 20 IoCs

pid	Process
2132	firefox.exe
2132	firefox.exe
2132	firefox.exe
2132	firefox.exe
2132	firefox.exe
2132	firefox.exe
2132	firefox.exe
2132	firefox.exe
2132	firefox.exe
2132	firefox.exe
2132	firefox.exe
2132	firefox.exe
2132	firefox.exe
2132	firefox.exe
2132	firefox.exe
2132	firefox.exe
2132	firefox.exe
2132	firefox.exe
2132	firefox.exe
2132	firefox.exe

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
2116	Undertale.exe
3408	OpenWith.exe
2116	Undertale.exe
2132	firefox.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4256 wrote to memory of 2132	4256	firefox.exe	138
PID 4256 wrote to memory of 2132	4256	firefox.exe	138
PID 4256 wrote to memory of 2132	4256	firefox.exe	138
PID 4256 wrote to memory of 2132	4256	firefox.exe	138
PID 4256 wrote to memory of 2132	4256	firefox.exe	138
PID 4256 wrote to memory of 2132	4256	firefox.exe	138
PID 4256 wrote to memory of 2132	4256	firefox.exe	138
PID 4256 wrote to memory of 2132	4256	firefox.exe	138
PID 4256 wrote to memory of 2132	4256	firefox.exe	138
PID 4256 wrote to memory of 2132	4256	firefox.exe	138
PID 4256 wrote to memory of 2132	4256	firefox.exe	138
PID 2132 wrote to memory of 2532	2132	firefox.exe	139
PID 2132 wrote to memory of 2532	2132	firefox.exe	139
PID 2132 wrote to memory of 2532	2132	firefox.exe	139
PID 2132 wrote to memory of 2532	2132	firefox.exe	139
PID 2132 wrote to memory of 2532	2132	firefox.exe	139
PID 2132 wrote to memory of 2532	2132	firefox.exe	139
PID 2132 wrote to memory of 2532	2132	firefox.exe	139
PID 2132 wrote to memory of 2532	2132	firefox.exe	139
PID 2132 wrote to memory of 2532	2132	firefox.exe	139
PID 2132 wrote to memory of 2532	2132	firefox.exe	139
PID 2132 wrote to memory of 2532	2132	firefox.exe	139
PID 2132 wrote to memory of 2532	2132	firefox.exe	139
PID 2132 wrote to memory of 2532	2132	firefox.exe	139
PID 2132 wrote to memory of 2532	2132	firefox.exe	139
PID 2132 wrote to memory of 2532	2132	firefox.exe	139
PID 2132 wrote to memory of 2532	2132	firefox.exe	139
PID 2132 wrote to memory of 2532	2132	firefox.exe	139
PID 2132 wrote to memory of 2532	2132	firefox.exe	139
PID 2132 wrote to memory of 2532	2132	firefox.exe	139
PID 2132 wrote to memory of 2532	2132	firefox.exe	139
PID 2132 wrote to memory of 2532	2132	firefox.exe	139
PID 2132 wrote to memory of 2532	2132	firefox.exe	139
PID 2132 wrote to memory of 2532	2132	firefox.exe	139
PID 2132 wrote to memory of 2532	2132	firefox.exe	139
PID 2132 wrote to memory of 2532	2132	firefox.exe	139
PID 2132 wrote to memory of 2532	2132	firefox.exe	139
PID 2132 wrote to memory of 2532	2132	firefox.exe	139
PID 2132 wrote to memory of 2532	2132	firefox.exe	139
PID 2132 wrote to memory of 2532	2132	firefox.exe	139
PID 2132 wrote to memory of 2532	2132	firefox.exe	139
PID 2132 wrote to memory of 2532	2132	firefox.exe	139
PID 2132 wrote to memory of 2532	2132	firefox.exe	139
PID 2132 wrote to memory of 2532	2132	firefox.exe	139
PID 2132 wrote to memory of 2532	2132	firefox.exe	139
PID 2132 wrote to memory of 2532	2132	firefox.exe	139
PID 2132 wrote to memory of 2532	2132	firefox.exe	139
PID 2132 wrote to memory of 2532	2132	firefox.exe	139
PID 2132 wrote to memory of 2532	2132	firefox.exe	139
PID 2132 wrote to memory of 2532	2132	firefox.exe	139
PID 2132 wrote to memory of 2532	2132	firefox.exe	139
PID 2132 wrote to memory of 2532	2132	firefox.exe	139
PID 2132 wrote to memory of 2532	2132	firefox.exe	139
PID 2132 wrote to memory of 2532	2132	firefox.exe	139
PID 2132 wrote to memory of 2532	2132	firefox.exe	139
PID 2132 wrote to memory of 2532	2132	firefox.exe	139
PID 2132 wrote to memory of 960	2132	firefox.exe	140
PID 2132 wrote to memory of 960	2132	firefox.exe	140
PID 2132 wrote to memory of 960	2132	firefox.exe	140
PID 2132 wrote to memory of 960	2132	firefox.exe	140
PID 2132 wrote to memory of 960	2132	firefox.exe	140
PID 2132 wrote to memory of 960	2132	firefox.exe	140
PID 2132 wrote to memory of 960	2132	firefox.exe	140
PID 2132 wrote to memory of 960	2132	firefox.exe	140

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy WMI provider
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --start-maximized --single-argument C:\Users\Admin\AppData\Local\Temp\8e5586-grand-theft-auto-vice-city-free-pc-download.html
1⤵
PID:4268

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations=is-enterprise-managed=no --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=25 --field-trial-handle=5060,i,7725352229495460145,1654775800534747848,262144 --variations-seed-version --mojo-platform-channel-handle=5076 /prefetch:1
1⤵
PID:2880

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations=is-enterprise-managed=no --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=24 --field-trial-handle=5088,i,7725352229495460145,1654775800534747848,262144 --variations-seed-version --mojo-platform-channel-handle=5496 /prefetch:1
1⤵
PID:3752

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --string-annotations=is-enterprise-managed=no --field-trial-handle=5740,i,7725352229495460145,1654775800534747848,262144 --variations-seed-version --mojo-platform-channel-handle=5708 /prefetch:8
1⤵
PID:648

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=entity_extraction_service.mojom.Extractor --lang=en-US --service-sandbox-type=entity_extraction --onnx-enabled-for-ee --string-annotations=is-enterprise-managed=no --field-trial-handle=5748,i,7725352229495460145,1654775800534747848,262144 --variations-seed-version --mojo-platform-channel-handle=5248 /prefetch:8
1⤵
PID:4556

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations=is-enterprise-managed=no --disable-gpu-compositing --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=28 --field-trial-handle=6240,i,7725352229495460145,1654775800534747848,262144 --variations-seed-version --mojo-platform-channel-handle=6272 /prefetch:1
1⤵
PID:2952

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations=is-enterprise-managed=no --disable-gpu-compositing --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=29 --field-trial-handle=6908,i,7725352229495460145,1654775800534747848,262144 --variations-seed-version --mojo-platform-channel-handle=6940 /prefetch:1
1⤵
PID:4492

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations=is-enterprise-managed=no --disable-gpu-compositing --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=30 --field-trial-handle=6968,i,7725352229495460145,1654775800534747848,262144 --variations-seed-version --mojo-platform-channel-handle=7080 /prefetch:1
1⤵
PID:1484

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_search_indexer.mojom.SearchIndexerInterfaceBroker --lang=en-US --service-sandbox-type=search_indexer --message-loop-type-ui --string-annotations=is-enterprise-managed=no --field-trial-handle=5164,i,7725352229495460145,1654775800534747848,262144 --variations-seed-version --mojo-platform-channel-handle=5028 /prefetch:8
1⤵
PID:948

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations=is-enterprise-managed=no --disable-gpu-compositing --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=32 --field-trial-handle=6972,i,7725352229495460145,1654775800534747848,262144 --variations-seed-version --mojo-platform-channel-handle=7052 /prefetch:1
1⤵
PID:4384

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations=is-enterprise-managed=no --disable-gpu-compositing --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=33 --field-trial-handle=6792,i,7725352229495460145,1654775800534747848,262144 --variations-seed-version --mojo-platform-channel-handle=5848 /prefetch:1
1⤵
PID:1180

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --lang=en-US --service-sandbox-type=audio --string-annotations=is-enterprise-managed=no --field-trial-handle=5560,i,7725352229495460145,1654775800534747848,262144 --variations-seed-version --mojo-platform-channel-handle=7148 /prefetch:8
1⤵
PID:3024

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --lang=en-US --service-sandbox-type=none --string-annotations=is-enterprise-managed=no --field-trial-handle=6408,i,7725352229495460145,1654775800534747848,262144 --variations-seed-version --mojo-platform-channel-handle=6588 /prefetch:8
1⤵
- Modifies registry class
PID:2684

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --lang=en-US --service-sandbox-type=collections --string-annotations=is-enterprise-managed=no --field-trial-handle=7252,i,7725352229495460145,1654775800534747848,262144 --variations-seed-version --mojo-platform-channel-handle=7160 /prefetch:8
1⤵
PID:4460

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations=is-enterprise-managed=no --disable-gpu-compositing --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=37 --field-trial-handle=7292,i,7725352229495460145,1654775800534747848,262144 --variations-seed-version --mojo-platform-channel-handle=7380 /prefetch:1
1⤵
PID:2384

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --string-annotations=is-enterprise-managed=no --field-trial-handle=7736,i,7725352229495460145,1654775800534747848,262144 --variations-seed-version --mojo-platform-channel-handle=6988 /prefetch:8
1⤵
PID:960

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.FileUtilService --lang=en-US --service-sandbox-type=service --string-annotations=is-enterprise-managed=no --field-trial-handle=5304,i,7725352229495460145,1654775800534747848,262144 --variations-seed-version --mojo-platform-channel-handle=5580 /prefetch:8
1⤵
PID:3088

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --string-annotations=is-enterprise-managed=no --field-trial-handle=7344,i,7725352229495460145,1654775800534747848,262144 --variations-seed-version --mojo-platform-channel-handle=7336 /prefetch:8
1⤵
PID:2040

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:4636

C:\Program Files\7-Zip\7zG.exe
"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Desktop\Undertale.v1.08\" -spe -an -ai#7zMap31554:88:7zEvent21295
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:4188

C:\Users\Admin\Desktop\Undertale.v1.08\Undertale\Undertale.exe
"C:\Users\Admin\Desktop\Undertale.v1.08\Undertale\Undertale.exe"
1⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
PID:2116

C:\Windows\System32\GameBarPresenceWriter.exe
"C:\Windows\System32\GameBarPresenceWriter.exe" -ServerName:Windows.Gaming.GameBar.Internal.PresenceWriterServer
1⤵
- Network Service Discovery
PID:4636

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Suspicious use of SetWindowsHookEx
PID:3408

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k BcastDVRUserService -s BcastDVRUserService
1⤵
- Drops desktop.ini file(s)
- Checks processor information in registry
- Modifies registry class
PID:2852

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x300 0x4f8
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:3092

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --string-annotations=is-enterprise-managed=no --field-trial-handle=7532,i,7725352229495460145,1654775800534747848,262144 --variations-seed-version --mojo-platform-channel-handle=7060 /prefetch:8
1⤵
PID:4736

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k BcastDVRUserService -s BcastDVRUserService
1⤵
- Checks processor information in registry
- Modifies registry class
PID:2380

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:4256
- C:\Program Files\Mozilla Firefox\firefox.exe
  "C:\Program Files\Mozilla Firefox\firefox.exe"
  2⤵
  - Checks processor information in registry
  - Modifies registry class
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2132
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=1992 -parentBuildID 20240401114208 -prefsHandle 1908 -prefMapHandle 1900 -prefsLen 23839 -prefMapSize 244658 -appDir "C:\Program Files\Mozilla Firefox\browser" - {68025630-ff33-43fe-87de-54e776c15740} 2132 "\\.\pipe\gecko-crash-server-pipe.2132" gpu
    3⤵
    PID:2532
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2368 -parentBuildID 20240401114208 -prefsHandle 2360 -prefMapHandle 2356 -prefsLen 23717 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {1d244a0b-29bc-4888-99ba-316b13fdfdf3} 2132 "\\.\pipe\gecko-crash-server-pipe.2132" socket
    3⤵
    PID:960
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2868 -childID 1 -isForBrowser -prefsHandle 2960 -prefMapHandle 2968 -prefsLen 22652 -prefMapSize 244658 -jsInitHandle 1008 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {726a371b-18b7-48c7-a28d-435b2951d2bb} 2132 "\\.\pipe\gecko-crash-server-pipe.2132" tab
    3⤵
    PID:3760
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4172 -childID 2 -isForBrowser -prefsHandle 4184 -prefMapHandle 4180 -prefsLen 29091 -prefMapSize 244658 -jsInitHandle 1008 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {e4cb925a-3510-4b5d-b40d-19461a9d87a4} 2132 "\\.\pipe\gecko-crash-server-pipe.2132" tab
    3⤵
    PID:2100
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4240 -parentBuildID 20240401114208 -sandboxingKind 0 -prefsHandle 4868 -prefMapHandle 4852 -prefsLen 29091 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {5c160d2a-4b00-4925-a19e-b901b0e1ccfc} 2132 "\\.\pipe\gecko-crash-server-pipe.2132" utility
    3⤵
    - Checks processor information in registry
    PID:5544
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5420 -childID 3 -isForBrowser -prefsHandle 5424 -prefMapHandle 5408 -prefsLen 27178 -prefMapSize 244658 -jsInitHandle 1008 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {bfbefd7f-9eb6-41df-8db8-5f550f172ff5} 2132 "\\.\pipe\gecko-crash-server-pipe.2132" tab
    3⤵
    PID:1368
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5564 -childID 4 -isForBrowser -prefsHandle 5572 -prefMapHandle 5576 -prefsLen 27178 -prefMapSize 244658 -jsInitHandle 1008 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {90b6d496-35c6-4283-92a5-7aba2c037d91} 2132 "\\.\pipe\gecko-crash-server-pipe.2132" tab
    3⤵
    PID:1256
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5644 -childID 5 -isForBrowser -prefsHandle 5776 -prefMapHandle 5780 -prefsLen 27178 -prefMapSize 244658 -jsInitHandle 1008 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {95d90ed3-7cf3-4a9d-8d0a-3cc2c746a246} 2132 "\\.\pipe\gecko-crash-server-pipe.2132" tab
    3⤵
    PID:2476
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5776 -childID 6 -isForBrowser -prefsHandle 5576 -prefMapHandle 6044 -prefsLen 33392 -prefMapSize 244658 -jsInitHandle 1008 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {b5e0108b-a290-4d06-92ae-96180b7d8db8} 2132 "\\.\pipe\gecko-crash-server-pipe.2132" tab
    3⤵
    PID:5244
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2788 -childID 7 -isForBrowser -prefsHandle 6304 -prefMapHandle 6296 -prefsLen 27257 -prefMapSize 244658 -jsInitHandle 1008 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {35c10ddf-5659-4e99-87a0-b739216b788b} 2132 "\\.\pipe\gecko-crash-server-pipe.2132" tab
    3⤵
    PID:5512
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5956 -childID 8 -isForBrowser -prefsHandle 5456 -prefMapHandle 5444 -prefsLen 27257 -prefMapSize 244658 -jsInitHandle 1008 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {b9b55023-7997-4c46-8176-48e95691c4c5} 2132 "\\.\pipe\gecko-crash-server-pipe.2132" tab
    3⤵
    PID:6068
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4820 -childID 9 -isForBrowser -prefsHandle 5716 -prefMapHandle 5728 -prefsLen 27257 -prefMapSize 244658 -jsInitHandle 1008 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {398e32bd-8dc4-4ad4-9d9f-e5e59cdfb074} 2132 "\\.\pipe\gecko-crash-server-pipe.2132" tab
    3⤵
    PID:5684
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5336 -parentBuildID 20240401114208 -prefsHandle 2688 -prefMapHandle 5320 -prefsLen 33718 -prefMapSize 244658 -appDir "C:\Program Files\Mozilla Firefox\browser" - {31101768-9d72-420d-a136-a33a48b09b6c} 2132 "\\.\pipe\gecko-crash-server-pipe.2132" rdd
    3⤵
    PID:5956

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Network Service Discovery

T1046

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\igamsxea.default-release\activity-stream.discovery_stream.json

Filesize
24KB

MD5
ca5ed3de115450576702d38cc5834993

SHA1
f4dd4220a3b67934fa01897a1b1b6cfb4b484a8e

SHA256
074ec933fb200020cf8e3c77805005563dd3c4300ec873091aaa87c065481a31

SHA512
e84250d75ff4ef0081ce2c9ca0c41f48366d3d842d9531c5969eec553d3786464ca6c7ffda6e42632d8fbb1291b92ede48d97108e560ca1aedf6dcf4e92b0991

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpaddon

Filesize
479KB

MD5
09372174e83dbbf696ee732fd2e875bb

SHA1
ba360186ba650a769f9303f48b7200fb5eaccee1

SHA256
c32efac42faf4b9878fb8917c5e71d89ff40de580c4f52f62e11c6cfab55167f

SHA512
b667086ed49579592d435df2b486fe30ba1b62ddd169f19e700cd079239747dd3e20058c285fa9c10a533e34f22b5198ed9b1f92ae560a3067f3e3feacc724f1

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpaddon-1

Filesize
13.8MB

MD5
0a8747a2ac9ac08ae9508f36c6d75692

SHA1
b287a96fd6cc12433adb42193dfe06111c38eaf0

SHA256
32d544baf2facc893057a1d97db33207e642f0dacf235d8500a0b5eff934ce03

SHA512
59521f8c61236641b3299ab460c58c8f5f26fa67e828de853c2cf372f9614d58b9f541aae325b1600ec4f3a47953caacb8122b0dfce7481acfec81045735947d

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\6FPJC2I3S1EWHANVVW00.temp

Filesize
9KB

MD5
951f5e4c6f0d94828e165e81641fa65a

SHA1
0445dfb25450b0ebbfd88134440ece45a4b6ff85

SHA256
e0cb360230e0947f082f96e18c479958a7dcbd6b26c5989eca5e449004b3b4bc

SHA512
ba5995eb307682351439d489f5347f7121c98f62ab3b02c36e56953c7aeeb6c2601522513d24d5d38c9f79a640e1b656e1af8f8bc0f557d8f8651b1c00ca2680

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\igamsxea.default-release\AlternateServices.bin

Filesize
10KB

MD5
049e830130c5d79d9414b64e7ace9df8

SHA1
2355a3f706f80604e6151fa043d8585a330d6a18

SHA256
b9aa05b0ae41bb21bbfefbe042a55a2b178c24d02ac7242fc62dcb7e4e39f2c7

SHA512
8f93267d2cc2f764d6c7570f9f8d498e7dda2efd275bf155e25853aa4777fdf957b8a7e69fa11106ff366191b68afa44fc1e573d7014a563b6b1727567af1b4d

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\igamsxea.default-release\AlternateServices.bin

Filesize
7KB

MD5
c87c4325e29015c96540c67e72e48f80

SHA1
d6a121d07595cde0000acdf1b0f21ce3fc22d121

SHA256
026cde9bf292c2129a1e4c190794b6cf0e7c2ba07e510fd0c07bd9f0bb6e99bc

SHA512
aa71cbfb500cbb2874aa19f30c4ac43e8dd2446244261f18b16f4d3aa6c5fd242e0e859c81108501d835eacdcc071dd526366daa5395befdb3b6715c99548a33

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\igamsxea.default-release\bookmarkbackups\bookmarks-2024-12-26_11_xBbx+Pu3mF1DfYJj7E0bhg==.jsonlz4

Filesize
1013B

MD5
49e35b98b09b4907c4bc21f368842b85

SHA1
815ca7ec6f29f1602dca5819f721e0ce4d1d5fa5

SHA256
a539bca6639618395f98066865ba571f4c46fe7e87b2255740817de678a6e195

SHA512
83ae45e1d9822483080e295fbad41ee2091f5f3e0a6662be9f8e4fa18602405050cde6662a7d99a9f87c57e53c6f82ecc1934d9dee5172027d382edfc9094ff9

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\igamsxea.default-release\datareporting\glean\db\data.safe.tmp

Filesize
22KB

MD5
de3d39e08a729c9e8460f4dfa4e1ddfe

SHA1
d33df97aefd8158e2fb5fb057e5af512b2e2432c

SHA256
e912540747fd34f5962228e832bf9f6f6967b26d236b44d19edf75b7034c7f83

SHA512
e302c6b153aea4b07b3c874f6ea90c0923aa3ab355cde372e1e49faa41901f7afd09fc745e6dddbfd59644a2b75978933398889963c9d39e52c113604eb4ab89

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\igamsxea.default-release\datareporting\glean\db\data.safe.tmp

Filesize
23KB

MD5
ccc4f8efa41e49101081f8c86634e704

SHA1
8a53441ace2e9e55087530f9dc7fe4c5539d6daa

SHA256
1e5feb5825c5eca86ddda508adab32257043025ff70cf1bb054b4c177fbf1a3c

SHA512
64e667ab68f34694ea3b3692c9d9ee15b86521203722d0b61a3e2f70200559848770f8734963af5d0cca0f881fb35f840655ef53e1b72402379e45328f1d4294

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\igamsxea.default-release\datareporting\glean\db\data.safe.tmp

Filesize
25KB

MD5
827f1e0dcd3b06e632255ea9a60ed753

SHA1
13e355e5085d4785999d521a9edb99f8c249b94b

SHA256
4a498210cf814204156d5da625e8514438996f612b11c3b44dc9c605597d23b7

SHA512
34cd3c8a50f3836a328b98203f70d26b513f3a46fd0e77b5ead4358087209792e13a853b38e3f3b73d7549b07ed04527ea1384f2079feace36c8a2bcf8cb74c4

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\igamsxea.default-release\datareporting\glean\pending_pings\0ea335e7-68f4-43e2-aec8-71f62c134e64

Filesize
659B

MD5
6a832d6df7ab9a0d8786c485bfe70459

SHA1
ce437bf54a92772c1b11171cbba60736bec894de

SHA256
8d92c7a2bcfd92996ecc0adf34dacdbbff750c7d69d7503492d6fb9779a48c3c

SHA512
92433e10cc6c6355a6475559dd852735e4f62402b17fc58b6466f35f057b9b62f365bcc79add7e5c1f685a3beedd4aafec9b5c16510b9057f902090638960451

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\igamsxea.default-release\datareporting\glean\pending_pings\d70e0a45-6ea4-40df-8508-79e663b45a61

Filesize
982B

MD5
f84f8beae55ff40a0458dad1081e5f4e

SHA1
9cf653d5d253caf25c93c40d57802138274f8083

SHA256
3cb447cf72b8be95cb882200836a826fba9695585d927a3a92f7f62074834235

SHA512
02e665a26314a6cbf229b93d9bc9d54740d51506223380a0ee3b6458689aed788609b44d0ac6409299339bf06c2872b0b3f7066fc85eac3db9e7caed2e3b75d3

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\igamsxea.default-release\gmp-gmpopenh264\2.3.2\gmpopenh264.dll

Filesize
1.1MB

MD5
842039753bf41fa5e11b3a1383061a87

SHA1
3e8fe1d7b3ad866b06dca6c7ef1e3c50c406e153

SHA256
d88dd3bfc4a558bb943f3caa2e376da3942e48a7948763bf9a38f707c2cd0c1c

SHA512
d3320f7ac46327b7b974e74320c4d853e569061cb89ca849cd5d1706330aca629abeb4a16435c541900d839f46ff72dfde04128c450f3e1ee63c025470c19157

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\igamsxea.default-release\gmp-gmpopenh264\2.3.2\gmpopenh264.info

Filesize
116B

MD5
2a461e9eb87fd1955cea740a3444ee7a

SHA1
b10755914c713f5a4677494dbe8a686ed458c3c5

SHA256
4107f76ba1d9424555f4e8ea0acef69357dfff89dfa5f0ec72aa4f2d489b17bc

SHA512
34f73f7bf69d7674907f190f257516e3956f825e35a2f03d58201a5a630310b45df393f2b39669f9369d1ac990505a4b6849a0d34e8c136e1402143b6cedf2d3

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\igamsxea.default-release\gmp-widevinecdm\4.10.2710.0\manifest.json

Filesize
372B

MD5
bf957ad58b55f64219ab3f793e374316

SHA1
a11adc9d7f2c28e04d9b35e23b7616d0527118a1

SHA256
bbab6ca07edbed72a966835c7907b3e60c7aa3d48ddea847e5076bd05f4b1eda

SHA512
79c179b56e4893fb729b225818ab4b95a50b69666ac41d17aad0b37ab0ca8cd9f0848cbc3c5d9e69e4640a8b261d7ced592eae9bcb0e0b63c05a56e7c477f44e

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\igamsxea.default-release\gmp-widevinecdm\4.10.2710.0\widevinecdm.dll

Filesize
17.8MB

MD5
daf7ef3acccab478aaa7d6dc1c60f865

SHA1
f8246162b97ce4a945feced27b6ea114366ff2ad

SHA256
bc40c7821dcd3fea9923c6912ab1183a942c11b7690cfd79ed148ded0228777e

SHA512
5840a45cfdb12c005e117608b1e5d946e1b2e76443ed39ba940d7f56de4babeab09bee7e64b903eb82bb37624c0a0ef19e9b59fbe2ce2f0e0b1c7a6015a63f75

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\igamsxea.default-release\prefs-1.js

Filesize
12KB

MD5
1a5028d4e17f18e9f9576f10937b384f

SHA1
6ac5def61b2d08f0daa6933b027b800b21792757

SHA256
37b59af95d2038567858293c0b12f0f3c42df702de753a71c51d594c61d3f43c

SHA512
2fe37a57d131486133eabb14c63c6f04d785f75ba8a7f8fef511248e2524fbecabd67fe531b0df5b086eb270dcb64d0d0c7bb30202cf1127e87e28e4d93896da

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\igamsxea.default-release\prefs-1.js

Filesize
10KB

MD5
c7ecf5c6e9807956d5c7da94f47334f4

SHA1
aa6d9a2297e4b674a03492e954631f9de18ff461

SHA256
f8213091f9a07aee2b0469167319d60bab4f8361ebc76e08a4b6350b5829cd9e

SHA512
819c24b68b2c77e0b1a9a323dfba6c923086a1725036d3d1ac2f6f47099245ff3ca430b0c6f1a895c501d5bc5d800628aace5f6b5c4ab8a1ecd5c9a5993aac8e

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\igamsxea.default-release\prefs.js

Filesize
10KB

MD5
89583f0f4da9bec80bd57b5d75966584

SHA1
5edabc49468bbdab78946330063f4d44093edc27

SHA256
73f25afa1ad1c4881262e5c511573400a76758dfce6d1867efe34acc6e89eb1a

SHA512
51d78b548ad21929bebdd39cc27eef145a576cc47a5ae3f37cac55134178874684379df29c68cf13ebce92691503136ceffd5f1edba94ac8835079dda7d7980b

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\igamsxea.default-release\prefs.js

Filesize
10KB

MD5
95f9fabfdb63243bb4078d1e8af34dc0

SHA1
b4677b5d66b205cd6a780c78cf7dfe61681c6b1b

SHA256
98370cd9aaa8a02f9fb7b1e3aaafa3221ca619b7b84d833fbd2e6ba3069abb40

SHA512
31b1d7b0c7b8e11b85f6c1a4506df3a6fe9b0e1ee430942a80804e666929438dac3a6814785df82212d7df8f64657592c347fa5c6bdb0cc792d3ccddd600eb88

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\igamsxea.default-release\sessionstore-backups\recovery.baklz4

Filesize
1KB

MD5
9f5f705922be241d96b76dc80d375c4e

SHA1
c3998e976463e44ad352b7cd07d11b61b6004cec

SHA256
60689a99f64f83f6d7ba53ce7e7bc50267970cec5c85764efad1e2f5f8fd0418

SHA512
30242856bba2a507e714a5d6e69a9e3b9b3b02ce5b735b53993cf77ca79dcda73e021b1cb0d062c962577ff4f34ded5fe99acf5a8f6d532c926abdc91ef9581c

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\igamsxea.default-release\sessionstore-backups\recovery.baklz4

Filesize
56KB

MD5
e07b5194207a70117a30598c686dfbf5

SHA1
a40b46e0185c23da9599669e791f94181db331e9

SHA256
22a7575d31c5fb85aff103ba33237bce570bd0d87352d5390ed15d5471d7bde3

SHA512
e64f7e26a527fd4dc24b7076563b049de4f83d4a2042cc14177c227f1b35ce1ce50560e091575bce69ae289b0c073fc96742c6ca1552fbb82bd0ea6705de2a86

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\igamsxea.default-release\sessionstore-backups\recovery.baklz4

Filesize
14KB

MD5
94e51369ffee2cd2d29c70e51b1d9e09

SHA1
150a0d861f17521f89c104d598a1f592e2964dce

SHA256
bed2200aea1c1e46d28a269a01051c79fbcc83879eb8cccde20bcb4944dc653c

SHA512
df83dfb3f5bb984b8f69ac5a4a507c0d509e0d8f4544d943a2bc6208a7c05ca3c55f4238d329f5d8c103b1b9bbc046bbfe644b116aa27a9c8219f07767a2c096

Download Submit
C:\Users\Admin\Desktop\Undertale.v1.08\Undertale\CODEX.DLL

Filesize
103KB

MD5
7b8887951d5834203f155e1f16005da5

SHA1
e199242e51d816b1abc3e4091c429a22175b1ac6

SHA256
382a95940910172335a3f6356671e3cf6e514ec95b98faf5d943b23870164afc

SHA512
bf849ce862aeba8b0782997fa5ad2adc27644c37e080bf3b52d6ebe3a33dfed48b781d6c021c20164fd1d1a058fa00b1cf5bf5745a012947739f364f9fc7539c

Download Submit
C:\Users\Admin\Desktop\Undertale.v1.08\Undertale\D3DX9_43.dll

Filesize
1.9MB

MD5
86e39e9161c3d930d93822f1563c280d

SHA1
f5944df4142983714a6d9955e6e393d9876c1e11

SHA256
0b28546be22c71834501f7d7185ede5d79742457331c7ee09efc14490dd64f5f

SHA512
0a3e311c4fd5c2194a8807469e47156af35502e10aeb8a3f64a01ff802cd8669c7e668cc87b593b182fd830a126d002b5d5d7b6c77991158bffdb0b5b997f6b3

Download Submit
C:\Users\Admin\Desktop\Undertale.v1.08\Undertale\GameOverlayRenderer.dll

Filesize
1.2MB

MD5
0ec731067f6886b526eb75ff94177bba

SHA1
5ada34244869985cf941fc08937142a521adadd6

SHA256
ad143640b71a36b45dadbe1b68096e9ca6e4fd0af69b6e3e50b90ea98bab5700

SHA512
3bf15f43e451a2f19491353e10c116a92deec6b9c372a9924e7205e33fb4bb2e1c437ca8c88992ef9fd836539d91c744e905480cde48d85afebcf66c1bf2be16

Download Submit
C:\Users\Admin\Desktop\Undertale.v1.08\Undertale\Undertale.exe

Filesize
3.9MB

MD5
8741fe2075cfbb8070ff1ccb7468981a

SHA1
9ff96c296cc555a6a000133e07fb3f4ab92811c4

SHA256
c8c4191026bf5587a6fad120855b8b82ffb4fa0c3eaf10515be472ad84248e58

SHA512
c5e424cece81a4dad5f4e66e6e00b19d0ce014853f4dcd1a45d16e8d4321ba33f6333e2ebaf2dba3152e0fb22f942749664f231e6df5982e4511788a30d7e655

Download Submit
C:\Users\Admin\Desktop\Undertale.v1.08\Undertale\mus_cymbal.ogg

Filesize
53KB

MD5
812fb0349bda6aba30addc4b616df8e2

SHA1
4c99cb98239348f6c18b82d212b897f3d5eea552

SHA256
ffa15c5c3a6bf803fce0a0d9e268bfa6d7f573b7b91985ac5a5c252b3c4a7a3e

SHA512
21cf8916f61bde2abcf0e7e3af36c18fbc266248605c238142eb1f5704eda0dc967360993b48d60ab02c668d03758decb71639c24b4f525b91dfd28757d7231c

Download Submit
C:\Users\Admin\Desktop\Undertale.v1.08\Undertale\mus_flowey.ogg

Filesize
184KB

MD5
8c345823ed2b90c5c0c3678c1c764efc

SHA1
6f1b1176fa7905b91de4c3a47c19ac1a65d77bed

SHA256
bc7a0df715c6ab7eeafb624c20fdc211ca612cdca00f59749be1975d5aac30dd

SHA512
4fdd0facbf0488afb69058de7a538cb4f00660849c8fcc79778da27b4c02ddc336e51a89692fa616247899c3368c8f03a4e72fcd3fcbab43056882bdbc2a0f59

Download Submit
C:\Users\Admin\Desktop\Undertale.v1.08\Undertale\mus_intronoise.ogg

Filesize
38KB

MD5
e6b9a8fd4d6ed0819fd752c8653a313c

SHA1
4d4634f9970c4d2d179fc70cdf632c2d12771b16

SHA256
83b9d3befdf1b9fae8729ed396d7277110207a6857a72fedc7b499d26362517a

SHA512
c9be35dc017130e815012595a1312686c278fd37d26c2d4b7e2e815e2f7ec4e2b88af2fa0b0e17442663c5f8a9d0463ef444123ed89ad138151b788ec557b578

Download Submit
C:\Users\Admin\Desktop\Undertale.v1.08\Undertale\mus_menu0.ogg

Filesize
199KB

MD5
21ef759dabb390cb4a7a7eb3b69e16d8

SHA1
1d43902cec0add9c6407fea0386e37ed32d7c6c6

SHA256
f52bce7dca16f1631b7a6f1d51f712e7a778059cbd51908ff69c4011bd371456

SHA512
8d1c5ad03437a544042f1a80e34fea69aa7a37a9dcc5c00225b2602856e659ea9d84c5d4382ae2bab3865a56df4faa6200ac86e050334bc68aef4ad3f1bf9f89

Download Submit
C:\Users\Admin\Desktop\Undertale.v1.08\Undertale\mus_story.ogg

Filesize
648KB

MD5
3eb22f63fd2c3327c539f002605426b3

SHA1
49b3299becda167b22f4daacb009157c21c38485

SHA256
eb5e5463710acba3a2da93ace616cf4a4a42a93ccbc93d8815b08c038fc66463

SHA512
a196c21813f97a96c9f56fdb922d6f61ef254b2f8fff029112aa671cec0aa7e0fc8ec49c70285cc7dd2d60aea907096f8bdefb8f17e5922dfd4f65cc4af53225

Download Submit
C:\Users\Admin\Desktop\Undertale.v1.08\Undertale\mus_toriel.ogg

Filesize
370KB

MD5
14c20ef6327d603b10d0571456cdfc10

SHA1
86ce35fc602b2774183b032e64a844df7adc23ca

SHA256
e1a41ba199effa44a4168dde1f7184e9c368be6fad0c757d1b1ddab24b5e0db8

SHA512
0ceafdda72217b610839a3b7d4c24a5ae63968b07bc052740b328c8c0cb6a22e41780bbd9fd0488c2e624f1a7e717f427ba34d3b82315ba4d2ba44af70e6fd3b

Download Submit
C:\Users\Admin\Desktop\Undertale.v1.08\Undertale\options.ini

Filesize
97B

MD5
40ede613879f6406fd90c4bad9ba08cb

SHA1
234d1a88ecb5eb2f945f0f8959df69bc154a4677

SHA256
52a59e5417778aac32756ac0617d5b00fd47a9015e54b3865fdc17a867b58cf9

SHA512
c42b738b58298bdd8866b6f053df12a13b9eee3917e86846a7fa3d00248a7dc1c7658878c06f51d6b9e0450a4eee940c61d56ad11fe32656bd64f9341abdcaab

Download Submit
C:\Users\Admin\Desktop\Undertale.v1.08\Undertale\splash.png

Filesize
1KB

MD5
5a886add3e5fe341d635aa98639bb76b

SHA1
b1fa811638510e5758952f95ae1119eb6a9acd8b

SHA256
4d61c1a05b596720523f442bed39d04067d19f7c306073e2306f282e1198c554

SHA512
40e11231ec53b18ef132ea76ff37872a0885322948cd489c3076af40bdbed262a710783068b448d5e026fe4493d0ff40239fabc50c94dacf825e61fa3b939171

Download Submit
C:\Users\Admin\Desktop\Undertale.v1.08\Undertale\steam_api.dll

Filesize
210KB

MD5
30ae1db76c1af7f46e6f41c375e1b9b0

SHA1
5e30d08ae301bb866a8856b4ef2c57d788bcda4a

SHA256
dfa223f72fe3b975b5033ec03d505e5a702bf4ff632bce7ba1b8a5ff411f0245

SHA512
2a4239ffb214341b9495ae02fae90785b9a8f2712fa91a59730b1a9778aaa35b6c8cb88cb57f19c34a131a2bfecaef71c4b56a26fac4bbf6e1a3d8748d8f7b70

Download Submit
C:\Users\Admin\Desktop\Undertale.v1.08\Undertale\steam_emu.ini

Filesize
2KB

MD5
81f97400f469182246375fbbc22d3679

SHA1
1adf2add052f22ec0ec1d138b8398d77996a3c52

SHA256
f77451c9fb4d9c32475d18565083a95f81e4296d6ef8b8a4c263926fa943897a

SHA512
1e66c1f4916a09f29b9ee8e1100fda75da2e8974316233e84ed1eeb5fd2ddfb943f33ccbd330ddd1d65277e545112d358bc927b4bf7332c1680f8331c3c1fda3

Download Submit
C:\Users\Admin\Desktop\Undertale.v1.08\Undertale\steamclient.dll

Filesize
255KB

MD5
2e5c2c249c56a6bd8b374e8d32b2abe7

SHA1
116f109add3102e64ca3ac435b734c695737f6d5

SHA256
6b8411ea4559e739995beab3f8fc26a9c590291a5338a642d7ecb2f38a833950

SHA512
10b5c80c3c666d7c2a9b9f3ee5242cc5defee3008b7c9c687b8835afa3ca0ba00d69662852d0544d845a0d59c9b7a1e7fe595e9883c0288eca71cb854193484d

Download Submit
C:\Users\Admin\Videos\Captures\desktop.ini

Filesize
190B

MD5
b0d27eaec71f1cd73b015f5ceeb15f9d

SHA1
62264f8b5c2f5034a1e4143df6e8c787165fbc2f

SHA256
86d9f822aeb989755fac82929e8db369b3f5f04117ef96fd76e3d5f920a501d2

SHA512
7b5c9783a0a14b600b156825639d24cbbc000f5066c48ce9fecc195255603fc55129aaaca336d7ce6ad4e941d5492b756562f2c7a1d151fcfc2dabac76f3946c

Download Submit
memory/2116-485-0x0000000076FD3000-0x0000000076FD4000-memory.dmp

Filesize
4KB

Download
memory/2116-560-0x0000000073DE0000-0x0000000073E96000-memory.dmp

Filesize
728KB

Download
memory/2116-532-0x0000000073DE0000-0x0000000073E96000-memory.dmp

Filesize
728KB

Download
memory/2116-521-0x0000000073DE0000-0x0000000073E96000-memory.dmp

Filesize
728KB

Download
memory/2116-516-0x0000000007150000-0x0000000007206000-memory.dmp

Filesize
728KB

Download
memory/2116-515-0x0000000002CE0000-0x0000000002CE1000-memory.dmp

Filesize
4KB

Download
memory/2116-514-0x0000000073DE0000-0x0000000073E96000-memory.dmp

Filesize
728KB

Download
memory/2116-510-0x0000000073DE0000-0x0000000073E96000-memory.dmp

Filesize
728KB

Download
memory/2116-508-0x0000000074010000-0x000000007405C000-memory.dmp

Filesize
304KB

Download
memory/2116-488-0x0000000007150000-0x0000000007206000-memory.dmp

Filesize
728KB

Download
memory/2116-486-0x0000000002CE0000-0x0000000002CE1000-memory.dmp

Filesize
4KB

Download
memory/2116-484-0x0000000076FD3000-0x0000000076FD4000-memory.dmp

Filesize
4KB

Download
memory/2116-483-0x0000000076FD3000-0x0000000076FD4000-memory.dmp

Filesize
4KB

Download
memory/2116-482-0x0000000076FD3000-0x0000000076FD4000-memory.dmp

Filesize
4KB

Download
memory/2116-478-0x0000000073DE0000-0x0000000073E96000-memory.dmp

Filesize
728KB

Download
memory/2116-473-0x0000000074010000-0x000000007405C000-memory.dmp

Filesize
304KB

Download