6a63863444805c60e1b66e75a886ebed0d95eafe9f00adf1af66a24e81ae9164

Analysis

max time kernel
156s
max time network
190s
platform
windows11-21h2_x64
resource
win11-20240508-en
resource tags

arch:x64arch:x86image:win11-20240508-enlocale:en-usos:windows11-21h2-x64system
submitted
01-07-2024 03:58

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

File-Undertale.v1.08_377530.exe
Size

7.8MB
MD5

e08977bbf52a90189e497fb1b0725a7f
SHA1

249c5e26b197f6937584ff1ac4ee90ddca6e2acb
SHA256

6a63863444805c60e1b66e75a886ebed0d95eafe9f00adf1af66a24e81ae9164
SHA512

9f0a72523398ff781e7cfb669121be06ef37cbe26860822e4acfff5e1235122e6faa1171a49cd5f173a91f4d240b3c8cb1fb68896844038fffffe0ab0558050b
SSDEEP

196608:J288p8RT3OgtMwVajd4nXhE7OUGCZvb+CV4i8JRzY6SKb:J288+T3O6I2nXhE7OUGClb+CV4vD3

Score

7^/10

discovery

Malware Config

Signatures

Executes dropped EXE 4 IoCs

Processes:

setup.exefoobar2000.exefoobar2000 Shell Associations Updater.exefoobar2000.exe

pid process

5044 setup.exe
1204 foobar2000.exe
4476 foobar2000 Shell Associations Updater.exe
3308 foobar2000.exe

Loads dropped DLL 41 IoCs

Processes:

setup.exefoobar2000.exefoobar2000 Shell Associations Updater.exefoobar2000.exe

pid	process
5044	setup.exe
5044	setup.exe
5044	setup.exe
5044	setup.exe
1204	foobar2000.exe
1204	foobar2000.exe
1204	foobar2000.exe
1204	foobar2000.exe
1204	foobar2000.exe
1204	foobar2000.exe
1204	foobar2000.exe
1204	foobar2000.exe
1204	foobar2000.exe
1204	foobar2000.exe
1204	foobar2000.exe
1204	foobar2000.exe
1204	foobar2000.exe
1204	foobar2000.exe
1204	foobar2000.exe
1204	foobar2000.exe
1204	foobar2000.exe
1204	foobar2000.exe
4476	foobar2000 Shell Associations Updater.exe
3308	foobar2000.exe
3308	foobar2000.exe
3308	foobar2000.exe
3308	foobar2000.exe
3308	foobar2000.exe
3308	foobar2000.exe
3308	foobar2000.exe
3308	foobar2000.exe
3308	foobar2000.exe
3308	foobar2000.exe
3308	foobar2000.exe
3308	foobar2000.exe
3308	foobar2000.exe
3308	foobar2000.exe
3308	foobar2000.exe
3308	foobar2000.exe
3308	foobar2000.exe
3308	foobar2000.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops desktop.ini file(s) 3 IoCs

Processes:

foobar2000.exe

description	ioc	process
File opened for modification	C:\Users\Admin\Music\desktop.ini	foobar2000.exe
File opened for modification	C:\Users\Public\desktop.ini	foobar2000.exe
File opened for modification	C:\Users\Public\Music\desktop.ini	foobar2000.exe

Drops file in Program Files directory 64 IoCs

Processes:

setup.exe

description	ioc	process
File created	C:\Program Files (x86)\foobar2000\msvcp140.dll	setup.exe
File created	C:\Program Files (x86)\foobar2000\icons\pls.ico	setup.exe
File created	C:\Program Files (x86)\foobar2000\runtime\api-ms-win-crt-locale-l1-1-0.dll	setup.exe
File created	C:\Program Files (x86)\foobar2000\icons\asx.ico	setup.exe
File created	C:\Program Files (x86)\foobar2000\components\foo_fileops.dll	setup.exe
File created	C:\Program Files (x86)\foobar2000\foobar2000.exe	setup.exe
File created	C:\Program Files (x86)\foobar2000\avutil-fb2k-58.dll	setup.exe
File created	C:\Program Files (x86)\foobar2000\PP-UWP-Interop.dll	setup.exe
File created	C:\Program Files (x86)\foobar2000\runtime\api-ms-win-core-processenvironment-l1-1-0.dll	setup.exe
File created	C:\Program Files (x86)\foobar2000\runtime\API-MS-Win-core-xstate-l2-1-0.dll	setup.exe
File created	C:\Program Files (x86)\foobar2000\themes\Visualisation + Cover Art + Tabs.fth	setup.exe
File created	C:\Program Files (x86)\foobar2000\themes\White.fth	setup.exe
File created	C:\Program Files (x86)\foobar2000\runtime\api-ms-win-core-localization-l1-2-0.dll	setup.exe
File created	C:\Program Files (x86)\foobar2000\components\foo_converter.dll	setup.exe
File created	C:\Program Files (x86)\foobar2000\themes\Hello Kitty.fth	setup.exe
File created	C:\Program Files (x86)\foobar2000\themes\Orange.fth	setup.exe
File created	C:\Program Files (x86)\foobar2000\themes\Simple Playlist + Tabs.fth	setup.exe
File created	C:\Program Files (x86)\foobar2000\icons\mp4.ico	setup.exe
File created	C:\Program Files (x86)\foobar2000\icons\ofr.ico	setup.exe
File created	C:\Program Files (x86)\foobar2000\themes\Album art in playlist.fth	setup.exe
File created	C:\Program Files (x86)\foobar2000\runtime\api-ms-win-core-console-l1-1-0.dll	setup.exe
File created	C:\Program Files (x86)\foobar2000\runtime\api-ms-win-core-util-l1-1-0.dll	setup.exe
File created	C:\Program Files (x86)\foobar2000\runtime\api-ms-win-crt-heap-l1-1-0.dll	setup.exe
File created	C:\Program Files (x86)\foobar2000\icons\mp2.ico	setup.exe
File created	C:\Program Files (x86)\foobar2000\msvcp140_codecvt_ids.dll	setup.exe
File created	C:\Program Files (x86)\foobar2000\runtime\api-ms-win-core-interlocked-l1-1-0.dll	setup.exe
File created	C:\Program Files (x86)\foobar2000\runtime\api-ms-win-crt-string-l1-1-0.dll	setup.exe
File created	C:\Program Files (x86)\foobar2000\themes\Slim View + Tabs.fth	setup.exe
File created	C:\Program Files (x86)\foobar2000\runtime\api-ms-win-crt-multibyte-l1-1-0.dll	setup.exe
File created	C:\Program Files (x86)\foobar2000\components\foo_dsp_std.dll	setup.exe
File opened for modification	C:\Program Files (x86)\foobar2000\Fb2kShellExt.dll	setup.exe
File created	C:\Program Files (x86)\foobar2000\themes\Album List + Properties.fth	setup.exe
File created	C:\Program Files (x86)\foobar2000\themes\Dark Blue.fth	setup.exe
File created	C:\Program Files (x86)\foobar2000\icons\fth.ico	setup.exe
File created	C:\Program Files (x86)\foobar2000\msvcp140_1.dll	setup.exe
File created	C:\Program Files (x86)\foobar2000\runtime\api-ms-win-core-console-l1-2-0.dll	setup.exe
File created	C:\Program Files (x86)\foobar2000\runtime\api-ms-win-core-processthreads-l1-1-1.dll	setup.exe
File created	C:\Program Files (x86)\foobar2000\runtime\ucrtbase.dll	setup.exe
File opened for modification	C:\Program Files (x86)\foobar2000\installer.ini	setup.exe
File created	C:\Program Files (x86)\foobar2000\icons\m3u.ico	setup.exe
File created	C:\Program Files (x86)\foobar2000\icons\m3u8.ico	setup.exe
File created	C:\Program Files (x86)\foobar2000\icons\wv.ico	setup.exe
File created	C:\Program Files (x86)\foobar2000\themes\Pastel Green.fth	setup.exe
File created	C:\Program Files (x86)\foobar2000\runtime\api-ms-win-crt-stdio-l1-1-0.dll	setup.exe
File created	C:\Program Files (x86)\foobar2000\Fb2kShellExt.dll	setup.exe
File created	C:\Program Files (x86)\foobar2000\icons\flac.ico	setup.exe
File created	C:\Program Files (x86)\foobar2000\runtime\api-ms-win-crt-convert-l1-1-0.dll	setup.exe
File created	C:\Program Files (x86)\foobar2000\runtime\runtime.manifest	setup.exe
File created	C:\Program Files (x86)\foobar2000\icons\m4a.ico	setup.exe
File created	C:\Program Files (x86)\foobar2000\avcodec-fb2k-60.dll	setup.exe
File created	C:\Program Files (x86)\foobar2000\runtime\api-ms-win-core-heap-l1-1-0.dll	setup.exe
File created	C:\Program Files (x86)\foobar2000\themes\Default Playlist.fth	setup.exe
File created	C:\Program Files (x86)\foobar2000\icons\wav.ico	setup.exe
File created	C:\Program Files (x86)\foobar2000\doc\license.html	setup.exe
File created	C:\Program Files (x86)\foobar2000\themes\Album List + Properties + Visualisations.fth	setup.exe
File created	C:\Program Files (x86)\foobar2000\themes\Black.fth	setup.exe
File created	C:\Program Files (x86)\foobar2000\avformat-fb2k-60.dll	setup.exe
File created	C:\Program Files (x86)\foobar2000\runtime\api-ms-win-core-string-l1-1-0.dll	setup.exe
File created	C:\Program Files (x86)\foobar2000\runtime\api-ms-win-core-sysinfo-l1-1-0.dll	setup.exe
File created	C:\Program Files (x86)\foobar2000\icons\tak.ico	setup.exe
File created	C:\Program Files (x86)\foobar2000\themes\Dark Grey Magenta.fth	setup.exe
File created	C:\Program Files (x86)\foobar2000\components\foo_ui_std.dll	setup.exe
File created	C:\Program Files (x86)\foobar2000\icons\mp3.ico	setup.exe
File created	C:\Program Files (x86)\foobar2000\themes\Separate Album & Artist Columns.fth	setup.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies data under HKEY_USERS 3 IoCs

Processes:

foobar2000 Shell Associations Updater.exe

description	ioc	process
Key created	\REGISTRY\USER\.DEFAULT	foobar2000 Shell Associations Updater.exe
Key created	\REGISTRY\USER\S-1-5-19	foobar2000 Shell Associations Updater.exe
Key created	\REGISTRY\USER\S-1-5-20	foobar2000 Shell Associations Updater.exe

Modifies registry class 64 IoCs

Processes:

foobar2000 Shell Associations Updater.exesetup.exefoobar2000.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\foobar2000.AC3\shell\open\MultiSelectModel = "Player"	foobar2000 Shell Associations Updater.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\foobar2000.APL\shell\open\ = "Open in foobar2000"	foobar2000 Shell Associations Updater.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\foobar2000.FPL\shell\enqueue	foobar2000 Shell Associations Updater.exe
Key created	\REGISTRY\MACHINE\Software\Classes\foobar2000.FB2K-COMPONENT\shell	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\foobar2000.AAC\shell\enqueue	foobar2000 Shell Associations Updater.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\foobar2000.MP+\shell	foobar2000 Shell Associations Updater.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\foobar2000.SVX\shell	foobar2000 Shell Associations Updater.exe
Key created	\REGISTRY\USER\S-1-5-21-3001105534-2705918504-2956618779-1000_Classes\.tif	foobar2000 Shell Associations Updater.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\foobar2000.M4R	foobar2000 Shell Associations Updater.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\foobar2000.WMA\ = "Windows Media Audio"	foobar2000 Shell Associations Updater.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\foobar2000.WMA\DefaultIcon\ = "C:\\Program Files (x86)\\foobar2000\\icons\\WMA.ico"	foobar2000 Shell Associations Updater.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\foobar2000.WV\shell\enqueue	foobar2000 Shell Associations Updater.exe
Key created	\REGISTRY\USER\S-1-5-21-3001105534-2705918504-2956618779-1000_Classes\.bay	foobar2000 Shell Associations Updater.exe
Key created	\REGISTRY\USER\S-1-5-21-3001105534-2705918504-2956618779-1000_Classes\.iiq	foobar2000 Shell Associations Updater.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\foobar2000.M3U8\shell\enqueue\ = "Enqueue in foobar2000"	foobar2000 Shell Associations Updater.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\foobar2000.SND\DefaultIcon\ = "C:\\Program Files (x86)\\foobar2000\\icons\\generic.ico"	foobar2000 Shell Associations Updater.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\foobar2000.TAK\shell\open\command\ = "\"C:\\Program Files (x86)\\foobar2000\\foobar2000.exe\" \"%1\""	foobar2000 Shell Associations Updater.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\foobar2000.WMA\DefaultIcon	foobar2000 Shell Associations Updater.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\foobar2000.CDA\shell\enqueue\command\DelegateExecute = "{0A35F9F4-F4BE-471A-890D-E09FFA6B38AD}"	foobar2000 Shell Associations Updater.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\foobar2000.EAC3\shell	foobar2000 Shell Associations Updater.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\foobar2000.FPL	foobar2000 Shell Associations Updater.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\foobar2000.SPX\shell\ = "open"	foobar2000 Shell Associations Updater.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\foobar2000.WAV\shell\open\MultiSelectModel = "Player"	foobar2000 Shell Associations Updater.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\foobar2000.WAX\shell\open\ = "Open in foobar2000"	foobar2000 Shell Associations Updater.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\foobar2000.CUE\shell\enqueue\command	foobar2000 Shell Associations Updater.exe
Key created	\REGISTRY\USER\S-1-5-21-3001105534-2705918504-2956618779-1000_Classes\.html	foobar2000 Shell Associations Updater.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\foobar2000.OGX\shell\enqueue\command\DelegateExecute = "{0A35F9F4-F4BE-471A-890D-E09FFA6B38AD}"	foobar2000 Shell Associations Updater.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\foobar2000.SVX	foobar2000 Shell Associations Updater.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\foobar2000.FTH\shell\open\ = "Open"	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\foobar2000.8SVX\DefaultIcon	foobar2000 Shell Associations Updater.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\foobar2000.APL\shell\open\command	foobar2000 Shell Associations Updater.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\foobar2000.AU\shell\ = "open"	foobar2000 Shell Associations Updater.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\foobar2000.CUE\shell\enqueue\command\ = "\"C:\\Program Files (x86)\\foobar2000\\foobar2000.exe\" /add \"%1\""	foobar2000 Shell Associations Updater.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\foobar2000.MPP\shell\open\MultiSelectModel = "Player"	foobar2000 Shell Associations Updater.exe
Key created	\REGISTRY\USER\S-1-5-21-3001105534-2705918504-2956618779-1000_Classes\.cr3	foobar2000 Shell Associations Updater.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\foobar2000.M3U\shell\enqueue\command\ = "\"C:\\Program Files (x86)\\foobar2000\\foobar2000.exe\" /add \"%1\""	foobar2000 Shell Associations Updater.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\foobar2000.MP3\DefaultIcon\ = "C:\\Program Files (x86)\\foobar2000\\icons\\MP3.ico"	foobar2000 Shell Associations Updater.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\foobar2000.OPUS\shell\enqueue\command	foobar2000 Shell Associations Updater.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\foobar2000.WMA\shell\open\command\ = "\"C:\\Program Files (x86)\\foobar2000\\foobar2000.exe\" \"%1\""	foobar2000 Shell Associations Updater.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\foobar2000.DTSMA\ = "DTS file"	foobar2000 Shell Associations Updater.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\foobar2000.TAK\shell\enqueue\command\ = "\"C:\\Program Files (x86)\\foobar2000\\foobar2000.exe\" /add \"%1\""	foobar2000 Shell Associations Updater.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0A35F9F4-F4BE-471A-890D-E09FFA6B38AD}\AppID = "{0A35F9F4-F4BE-471A-890D-E09FFA6B38AD}"	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\foobar2000.CUE\shell\open\MultiSelectModel = "Player"	foobar2000 Shell Associations Updater.exe
Key created	\REGISTRY\USER\S-1-5-21-3001105534-2705918504-2956618779-1000_Classes\.mpe	foobar2000 Shell Associations Updater.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\foobar2000.8SVX\shell\enqueue\command\ = "\"C:\\Program Files (x86)\\foobar2000\\foobar2000.exe\" /add \"%1\""	foobar2000 Shell Associations Updater.exe
Key created	\REGISTRY\USER\S-1-5-21-3001105534-2705918504-2956618779-1000_Classes\.erf	foobar2000 Shell Associations Updater.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3001105534-2705918504-2956618779-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{94D6DDCC-4A68-4175-A374-BD584A510B78}\FFlags = "1"	foobar2000.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\foobar2000.FB2K-COMPONENT\shell\ = "open"	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\foobar2000.FLAC\ = "FLAC"	foobar2000 Shell Associations Updater.exe
Key created	\REGISTRY\USER\S-1-5-21-3001105534-2705918504-2956618779-1000_Classes\.avci	foobar2000 Shell Associations Updater.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\foobar2000.AU\shell\open\ = "Open in foobar2000"	foobar2000 Shell Associations Updater.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\foobar2000.MPC\shell\ = "open"	foobar2000 Shell Associations Updater.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\foobar2000.OGA\shell\enqueue\MultiSelectModel = "Player"	foobar2000 Shell Associations Updater.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\foobar2000.PLS\shell\enqueue\command\DelegateExecute = "{0A35F9F4-F4BE-471A-890D-E09FFA6B38AD}"	foobar2000 Shell Associations Updater.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\foobar2000.SND\shell\enqueue\command	foobar2000 Shell Associations Updater.exe
Key created	\REGISTRY\USER\S-1-5-21-3001105534-2705918504-2956618779-1000_Classes\.wmv	foobar2000 Shell Associations Updater.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\foobar2000.M3U\shell\enqueue\command\DelegateExecute = "{0A35F9F4-F4BE-471A-890D-E09FFA6B38AD}"	foobar2000 Shell Associations Updater.exe
Key created	\REGISTRY\USER\S-1-5-21-3001105534-2705918504-2956618779-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell	foobar2000.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{2824BDFD-0162-4737-9FDB-48C31991C5D7}	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\foobar2000.AIFF\ = "AIFF"	foobar2000 Shell Associations Updater.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\foobar2000.AIFF\DefaultIcon	foobar2000 Shell Associations Updater.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\foobar2000.CUE	foobar2000 Shell Associations Updater.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\foobar2000.DTSWAV\shell\enqueue\command	foobar2000 Shell Associations Updater.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\foobar2000.EAC3\DefaultIcon	foobar2000 Shell Associations Updater.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

File-Undertale.v1.08_377530.exe

pid process

3380 File-Undertale.v1.08_377530.exe
3380 File-Undertale.v1.08_377530.exe
Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

foobar2000.exe

pid process

3308 foobar2000.exe

pid	process
3380	File-Undertale.v1.08_377530.exe
3380	File-Undertale.v1.08_377530.exe

pid	process
3308	foobar2000.exe

Suspicious use of AdjustPrivilegeToken 5 IoCs

Processes:

File-Undertale.v1.08_377530.exeAUDIODG.EXEfoobar2000.exe

description	pid	process
Token: SeDebugPrivilege	3380	File-Undertale.v1.08_377530.exe
Token: 33	3876	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	3876	AUDIODG.EXE
Token: 33	3308	foobar2000.exe
Token: SeIncBasePriorityPrivilege	3308	foobar2000.exe

Suspicious use of FindShellTrayWindow 7 IoCs

Processes:

foobar2000.exe

pid process

3308 foobar2000.exe
3308 foobar2000.exe
3308 foobar2000.exe
3308 foobar2000.exe
3308 foobar2000.exe
3308 foobar2000.exe
3308 foobar2000.exe
Suspicious use of SetWindowsHookEx 8 IoCs

Processes:

foobar2000.exe

pid process

3308 foobar2000.exe
3308 foobar2000.exe
3308 foobar2000.exe
3308 foobar2000.exe
3308 foobar2000.exe
3308 foobar2000.exe
3308 foobar2000.exe
3308 foobar2000.exe

pid	process
3308	foobar2000.exe
3308	foobar2000.exe
3308	foobar2000.exe
3308	foobar2000.exe
3308	foobar2000.exe
3308	foobar2000.exe
3308	foobar2000.exe

pid	process
3308	foobar2000.exe
3308	foobar2000.exe
3308	foobar2000.exe
3308	foobar2000.exe
3308	foobar2000.exe
3308	foobar2000.exe
3308	foobar2000.exe
3308	foobar2000.exe

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

File-Undertale.v1.08_377530.exesetup.exe

description	pid	process	target process
PID 3380 wrote to memory of 5044	3380	File-Undertale.v1.08_377530.exe	setup.exe
PID 3380 wrote to memory of 5044	3380	File-Undertale.v1.08_377530.exe	setup.exe
PID 3380 wrote to memory of 5044	3380	File-Undertale.v1.08_377530.exe	setup.exe
PID 5044 wrote to memory of 1204	5044	setup.exe	foobar2000.exe
PID 5044 wrote to memory of 1204	5044	setup.exe	foobar2000.exe
PID 5044 wrote to memory of 1204	5044	setup.exe	foobar2000.exe
PID 5044 wrote to memory of 4476	5044	setup.exe	foobar2000 Shell Associations Updater.exe
PID 5044 wrote to memory of 4476	5044	setup.exe	foobar2000 Shell Associations Updater.exe
PID 5044 wrote to memory of 4476	5044	setup.exe	foobar2000 Shell Associations Updater.exe
PID 5044 wrote to memory of 3308	5044	setup.exe	foobar2000.exe
PID 5044 wrote to memory of 3308	5044	setup.exe	foobar2000.exe
PID 5044 wrote to memory of 3308	5044	setup.exe	foobar2000.exe

C:\Users\Admin\AppData\Local\Temp\File-Undertale.v1.08_377530.exe
"C:\Users\Admin\AppData\Local\Temp\File-Undertale.v1.08_377530.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3380

C:\Users\Admin\AppData\Local\Temp\7zS43D1E477\setup.exe
.\setup.exe
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Program Files directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:5044

C:\Program Files (x86)\foobar2000\foobar2000.exe
"C:\Program Files (x86)\foobar2000\foobar2000.exe" /install /quiet /exportshelldata "C:\Users\Admin\AppData\Local\Temp\fb2kshelldata.tmp"
3⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1204

C:\Program Files (x86)\foobar2000\foobar2000 Shell Associations Updater.exe
"C:\Program Files (x86)\foobar2000\foobar2000 Shell Associations Updater.exe" "C:\Users\Admin\AppData\Local\Temp\fb2kshelldata.tmp"
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies data under HKEY_USERS
- Modifies registry class
PID:4476

C:\Program Files (x86)\foobar2000\foobar2000.exe
"C:\Program Files (x86)\foobar2000\foobar2000.exe"
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops desktop.ini file(s)
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
PID:3308

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s NPSMSvc
1⤵
PID:4216

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x00000000000004AC 0x00000000000004D8
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:3876

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\foobar2000\Fb2kShellExt.dll
Filesize
127KB

MD5
f7586f6b3ce9353b233c7f13a6f8ae53

SHA1
dce8f78dd8788069ee8e624465767007c5ad84c7

SHA256
31f3ebd308b8f54a2b8720ebeb93ab6678faa14e70c51f84d5a06ee07d0abc47

SHA512
a38c093beca2af9ec93bb7c2e18597ebfbbab46a8865c35eb908c708b4bb26cb0e10154964ec792e20335b399887935da5795c67ef96ab9b6076091a4a6e5b65

Download Submit
C:\Program Files (x86)\foobar2000\avcodec-fb2k-60.dll
Filesize
941KB

MD5
92e12da2eb765ab11fbbe5b7cedaae38

SHA1
4b98437a3bd2f49166b282dd5e29f6da43ac57e6

SHA256
050a92a54f3258fc31f97cfe462dbf307c55dfbbbf3862aa1549117777bf3f03

SHA512
0a0c4b3f7e8e3af2caedf86abc928e8933c75452bfd9dba56a88ef81d111d43aa985cea2457287718f62c1f11cb07b73ad7895f48f4f1a3617d2ac628f364663

Download Submit
C:\Program Files (x86)\foobar2000\avformat-fb2k-60.dll
Filesize
159KB

MD5
3fbe2ca8e9f16cbc664139c9ebd6ec15

SHA1
a341bd379a571269d8ce4d9edbf15adbfb06d062

SHA256
7e273f00b5da2cc7608eaa000df4038bfaa0266a0c0bb3a6cdfec8018e8ef1f8

SHA512
f745210a9dff3777020fa6f6af720e99a4b680e5523cc524eed2c8cbc0f7952db801e87e78259c82b2ca03bca669ebc7cf438a76e81727f135e30728bd9131ec

Download Submit
C:\Program Files (x86)\foobar2000\avutil-fb2k-58.dll
Filesize
702KB

MD5
7b5a19d59e16243ee5fa626d2c85f591

SHA1
479031e8cee46f9413945ed8c21e6938ec4df903

SHA256
6989e896e11ffb32599ba3171c1ba621760b8b3a17c528d49c249ca6a6829375

SHA512
03d6a885c1718d58660c6a5e7be4f1807d9aea5845c48acc750f4059ec4c12bddc94275cf054e6ce63cbe45921ed5aea14affe442c007f839915ff0702d0c2a8

Download Submit
C:\Program Files (x86)\foobar2000\components\foo_converter.dll
Filesize
601KB

MD5
0a06dfaa2a0c8595e99435f103c72e20

SHA1
755868b3cd75ea3b687020f2fddd77cf2847c194

SHA256
bdf4a706eeb533249ba743860075e4ad4c5f433cee757c43b5d15986433b23be

SHA512
67db8a6ca9ad0a170ea6a06211e553b9454caa6614945d8f40fb2dd28e97e4935a7a8cb6665d25f5fa205651484b0c51be13a17e735fb1baf0e4f9a6263cf13d

Download Submit
C:\Program Files (x86)\foobar2000\components\foo_dsp_eq.dll
Filesize
422KB

MD5
c8e556953debb2fc90915d4161504995

SHA1
95f5ee9182bf32115b8a674f0a270871be2fb7fa

SHA256
13924b23896d949843fb85c20dc6cbb6ce569d9c2810dc0dc7f1605434c0b7fb

SHA512
ee5ff51de2104213dadaa5386723cbe0059e316d96d1451c4f4f83141ff7d0d07ffca9edffa5cc9f2d4c96b44ca13cc674cc8715da5b6d50746e7bbb965d7f2f

Download Submit
C:\Program Files (x86)\foobar2000\components\foo_dsp_std.dll
Filesize
228KB

MD5
c9a793bceced21ba8e1a7ef6a42f6b57

SHA1
768ebfb87ee82985b621f83020883d1266892f0c

SHA256
25e4a250d4254df6b3334f92297bd3ee2a6a88b761eac19da2a1f0ce137a5727

SHA512
69b7af81a640aa1bcaa077a19ba3651279a3985712ba7a870330bf9216641f7f4ab3963709fd8676c4f4170477a6f28b45e4f59364f5f8ff51e401787733fc12

Download Submit
C:\Program Files (x86)\foobar2000\components\foo_fileops.dll
Filesize
364KB

MD5
1fdb6bc4907548152e6479b7fa622987

SHA1
e7707ba1bf82c6e4c26ab70c5d73007e7468afa3

SHA256
713c96b96139f395bd32e5b96f91296ab5705fd78c19518b54a33e2b36311de0

SHA512
50d0c25b08878688a85f012fb37a630980794343283296a5965115304a01ff6bb287e8cfadf0e9fdce055c3f78af66a5dece5bb5a0f1dbe5f3d70e64372e92af

Download Submit
C:\Program Files (x86)\foobar2000\components\foo_freedb2.dll
Filesize
211KB

MD5
9c17a22c1b8cb28a998a77cccf2090f7

SHA1
54a880e46e1bd48077c5f3e4e18a6218b46b1c0f

SHA256
03af06d027823ff860a2d8c886e88caf7ed02aa61efaac9a93eb37b3bea11181

SHA512
d47391ce79a24300e66104567b1410669e35f7ec4b4016ee9500351a6fc1722edf9eca934568c88515254912ec0a757dadab71f5187eb0aeae3178045c8e7260

Download Submit
C:\Program Files (x86)\foobar2000\components\foo_input_std.dll
Filesize
1.8MB

MD5
d240197b4168fb96dd2c4dad631cbd4f

SHA1
a8511b453bebd407b783dec82a9f52e4d7cdbd45

SHA256
ccd72f7c7816920f20f3291fb9daeeb0cd3a3094ff7a285af50e7f0268ee1f7a

SHA512
2957ae1d10e6f89f5083c31d8475a3409673bfdc23e447392b5c916bc1c214ad43d126d0a5ed1a3f995634913dea2ec069203b72548f42a9d04fd07063a238f4

Download Submit
C:\Program Files (x86)\foobar2000\components\foo_ui_std.dll
Filesize
1.7MB

MD5
8bba069ffa071b478749f1c50ccae62a

SHA1
d613497af0945f45af205b51e883d40b6a125a62

SHA256
cb027f98b0d79b97140003d2f99daa5d5d35e6ea24fa2a947a7ffea00c408f67

SHA512
3fb4d6585f5aae52f3945050fc84420328d0f66bcc2392634786df9e776d0316b8a9ffd719113ea8e2806068f26aad2fd3e1f38d1187b994ea89f24bfb8fc054

Download Submit
C:\Program Files (x86)\foobar2000\components\foo_unpack.dll
Filesize
478KB

MD5
fc4ec28c7d87fcc850c9b9167efa0ca1

SHA1
ef2d133e90a1eb70e84b1e7fbb9e3db40567f17e

SHA256
4c92998848936ba44784557907edc821e54cdaeb9d889df300f994352fc1f28d

SHA512
2e375dadb5323eeaccfdb23d5eeb0b2ec0bbd0c7df35702be030be35f7d277a194c1fc03170d3c19de93ad2340fac17d141a074a4c4f2068e242c80726d1d48b

Download Submit
C:\Program Files (x86)\foobar2000\foobar2000 Shell Associations Updater.exe
Filesize
38KB

MD5
358704c74f6caffe67ff0648802606ad

SHA1
5af7128451e9420cd9e16ed43a6f591fd7699172

SHA256
b3e911d9a0fd10f67b8285e2416be9458e01e35ac4ef9879812e748bcb4b3b4d

SHA512
0cb899af658066a30481c7013b6f9ff5a777be01f1c6f37f9d11a3332777d14e2e3dd4ff69858d98f29c7eb650a8698d1759183357a0ec162d5347e8310b5f2b

Download Submit
C:\Program Files (x86)\foobar2000\foobar2000.exe
Filesize
3.5MB

MD5
a6d44952c28afbeb29dbb6ca489356f7

SHA1
a22e5b179d6d136bd17325306b9a20634a3eb9f7

SHA256
2cde955cc262006e314bfeb14151ab81c6aba33cfc4a2536f03bf6966b8cd7b9

SHA512
1e322d6e3d05f849dc52fdf02de9e555a1dd9ae5d9d2b72701f3cafbf1c8f79a1f30042238760ea6228a8cedc2cc87f018f5c77bdd95a935d32d99b4745693b4

Download Submit
C:\Program Files (x86)\foobar2000\msvcp140.dll
Filesize
436KB

MD5
37dcbba718886e5c24703b1268ce10b9

SHA1
441738a1ea802c266cb0a84789ace62e40010335

SHA256
968bbd2a36b04cc5795c6fc99afe85e4d294ff9c28032ce0e870463827181799

SHA512
00ab4cfe4b5bb989f2931cc8928982819a99df027b118c731957fc84c58cc8d636687ff39cf90dac313e3fe7c7738a4899fba98ebab5b6ed4cbfa372b0eb2561

Download Submit
C:\Program Files (x86)\foobar2000\shared.dll
Filesize
120KB

MD5
314fc2c570dddd2a356628074b487f97

SHA1
a728c6135fadeb41b79e27dd45ca72a38957d641

SHA256
f961ab1e9a78ad040e8cb0183c5fa090070ba864265fe68e808461c63ce04c29

SHA512
b3b16dd36f788619f874556cdda51bc34bcbf6ac901cac5d37d77424a8d1761bfcc588efbb32727e14082c5eb02bb08eabdd94c0b6abf4c121e6f92e038f518d

Download Submit
C:\Program Files (x86)\foobar2000\sqlite3.dll
Filesize
796KB

MD5
79970f143645922e1ff575de5064c575

SHA1
2bd80ef9ecf95e95cdfc3773d306547b7199a2d6

SHA256
6841b96232d250b73f5be4fa38547e6bb97190a3f1e5e91602041e2682750870

SHA512
7fe77588282411ae0da0d39be0b9e7fc4f90efade5dd4c8c143ec3fbecd8c121b7fff2102b98160d44830c25affe55bd515e5513c1902d71f05d4fb6ac7da76f

Download Submit
C:\Program Files (x86)\foobar2000\vcruntime140.dll
Filesize
88KB

MD5
81b11024a8ed0c9adfd5fbf6916b133c

SHA1
c87f446d9655ba2f6fddd33014c75dc783941c33

SHA256
eb6a3a491efcc911f9dff457d42fed85c4c170139414470ea951b0dafe352829

SHA512
e4b1c694cb028fa960d750fa6a202bc3a477673b097b2a9e0991219b9891b5f879aa13aa741f73acd41eb23feee58e3dd6032821a23e9090ecd9cc2c3ec826a1

Download Submit
C:\Program Files (x86)\foobar2000\zlib1.dll
Filesize
86KB

MD5
4d409f4b4addb052ccd12f29f5fd72b1

SHA1
447c02e5bdce330561b3529bca13449bae5335c0

SHA256
1f54b49f079d240318249647f395077313a6dfe9f2ca0f90ed675840c5808270

SHA512
419d83cb9d50ce1e5a7bea41966792675e3599eec8dee7605134e61a51b544db5569cf2b1d055e8152c706f57ab3d9119a0a6d3a3c1d1ef7954e81a9ee9c9d02

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Explorer\iconcache_idx.db
Filesize
14KB

MD5
db43438c23665206d6814558e2223a89

SHA1
4e4e0f3c41af39bde3ed8ba9af1014a2d7dfc0ed

SHA256
1de40099fc6e502cb82d5c43ea87daf45a9b9eeba725d180ff3a267389174b54

SHA512
8093e043f8aff800ff6c9c0ff6513a05cdca5a69f901674abd007d82ae0fac09cb2be7443b91effefbe0890b0f6cb3c1fc514c1a48f1865cc50a5ec01fc8da50

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS43D1E477\setup.exe
Filesize
5.7MB

MD5
98b7ff04d271a6456ff75695569d0131

SHA1
615b1d967e0432bc9314cb62b1a900f2068ad8b2

SHA256
9be23da2b8505180a1f94520dab6e6a741dbe961520bf4ae1eb6a0e68d1f811d

SHA512
8f5cdec901ed1586f5e888cc2aeac985545d3c2719b80de671003b4b275ce7b0460a0c4744c1ef5a2210ee52f41566c54333ca91d411d22154370e81f62ba94a

Download Submit
C:\Users\Admin\AppData\Local\Temp\fb2kshelldata.tmp
Filesize
7KB

MD5
9232a0a7b55f2e28539303106c8c9a0d

SHA1
d7fe718925057a4f1be1e081267d1aa02bfa58e8

SHA256
6fff459e043092ddad88ff41d4e890248b15c9220b9894b75c3cb980168aa817

SHA512
649eaa23423fc9bb609f4629829f9f65059286be67feeb570238f6a340885f880ff67d879d0312aff6ecf1e860e416ac4b46f3f00a075c25ec76919c4db49f44

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsq47F8.tmp\System.dll
Filesize
12KB

MD5
192639861e3dc2dc5c08bb8f8c7260d5

SHA1
58d30e460609e22fa0098bc27d928b689ef9af78

SHA256
23d618a0293c78ce00f7c6e6dd8b8923621da7dd1f63a070163ef4c0ec3033d6

SHA512
6e573d8b2ef6ed719e271fd0b2fd9cd451f61fc9a9459330108d6d7a65a0f64016303318cad787aa1d5334ba670d8f1c7c13074e1be550b4a316963ecc465cdc

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsq47F8.tmp\UAC.dll
Filesize
13KB

MD5
3fa5491c158c30082b42569cf4f54381

SHA1
a2d92f2c7a1b7c468ab14bd3ae03e2574baebc1a

SHA256
560ba0a768687a5b8643062b6183991e4d8e172b870e3c0a8a8847043ce32c86

SHA512
d12c67773d21cc8e827685feeb5805ca421ff1f5826471739909d6785d33b7ea21f41289ba063d58205918099efd4464523d8f90558f647e182d4cefb156d10a

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsq47F8.tmp\nsDialogs.dll
Filesize
9KB

MD5
b7d61f3f56abf7b7ff0d4e7da3ad783d

SHA1
15ab5219c0e77fd9652bc62ff390b8e6846c8e3e

SHA256
89a82c4849c21dfe765052681e1fad02d2d7b13c8b5075880c52423dca72a912

SHA512
6467c0de680fadb8078bdaa0d560d2b228f5a22d4d8358a1c7d564c6ebceface5d377b870eaf8985fbee727001da569867554154d568e3b37f674096bbafafb8

Download Submit
C:\Users\Admin\AppData\Roaming\foobar2000-v2\config.sqlite
Filesize
44KB

MD5
665b5f068f8382462ab790fdda7ea8ed

SHA1
ec13f43e23900f56200b2857608f2daad32da177

SHA256
4367e86f9892e46b1a026c65070b1b3d099043c40f3e976ea4b399d1b9cac976

SHA512
5fb2c2c79aa8e0ddc6535a4f10b7292009bce6fbe77893f9da1075f33632f870d5785049b6a3580f15ee73a51e4477b759dff88b35409d162f478a2f90e4b115

Download Submit
C:\Users\Admin\AppData\Roaming\foobar2000-v2\playlists-v2.0\index.txt
Filesize
58B

MD5
5319e9d86244dc6a0b56954b04b21fc8

SHA1
b866ffbb5ee9dedf4a5797b934e8be89911ef9a6

SHA256
60845868db305f6b6d8c6fa2a342bf71d9264a86cfa478f7bfc44b59cc9a4b97

SHA512
0b842f9eaca19d44194b910704196731584c97395704c0886ae6ccb0b75c79ad1ac82084c132e8c445256c7de5b4d9155882046a88fb9b36a4b0fddbd80b2fa9

Download Submit
memory/3380-0-0x0000000010000000-0x0000000010090000-memory.dmp

Filesize
576KB

Download