hxxps://cdn[.]discordapp[.]com/attachments/1209563768137449502/1209563804103348284/SoundPad_Cracked[.]zip?ex=65e76113&is=65d4ec13&hm=9782dfe2c01e4cfb23cabb75de3a9da86cc8030e8c2dfbaac2c0a77bf96928a6&

Analysis

max time kernel
85s
max time network
91s
platform
windows10-2004_x64
resource
win10v2004-20240220-en
resource tags

arch:x64arch:x86image:win10v2004-20240220-enlocale:en-usos:windows10-2004-x64system
submitted
20-02-2024 18:15

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://cdn.discordapp.com/attachments/1209563768137449502/1209563804103348284/SoundPad_Cracked.zip?ex=65e76113&is=65d4ec13&hm=9782dfe2c01e4cfb23cabb75de3a9da86cc8030e8c2dfbaac2c0a77bf96928a6&

Score

7^/10

persistence upx

Malware Config

Signatures

Loads dropped DLL 2 IoCs

pid	Process
4628	regsvr32.exe
2404	regsvr32.exe

Registers COM server for autorun 1 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Classes\CLSID\{27384E53-9860-0AC1-9519-C60EBCAA2C71}\InprocServer32\	Soundpad.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{27384E53-9860-0AC1-9519-C60EBCAA2C71}\InprocServer32\ = "C:\\Windows\\system32\\UniteFx.dll"	Soundpad.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{27384E53-9860-0AC1-9519-C60EBCAA2C71}\InprocServer32\ThreadingModel = "Both"	Soundpad.exe

UPX packed file 1 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/5668-551-0x00007FFECC480000-0x00007FFECD4D0000-memory.dmp	upx

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	C:\Windows\system32\UniteFx.dll	Soundpad.exe
File opened for modification	C:\Windows\system32\UniteFx.dll	Soundpad.exe

Checks processor information in registry 2 TTPs 8 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	firefox.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe

Modifies data under HKEY_USERS 15 IoCs

description	ioc	Process
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History\AutoColor = "0"	LogonUI.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentPalette = a6d8ff0076b9ed00429ce3000078d700005a9e000042750000264200f7630c00	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\StartColorMenu = "4288567808"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglow = "3288365271"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\EnableWindowColorization = "81"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentColorMenu = "4292311040"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\AccentColor = "4292311040"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColor = "3288365271"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglowBalance = "10"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationBlurBalance = "1"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationGlassAttribute = "1"	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColorBalance = "89"	LogonUI.exe

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2097088205-1470669305-146258644-1000_Classes\Soundpad.Soundlist\shell\open\command\	Soundpad.exe
Key created	\REGISTRY\USER\S-1-5-21-2097088205-1470669305-146258644-1000_Classes\Soundpad\shell\open\command	Soundpad.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\AudioEngine\AudioProcessingObjects\{27384E53-9860-0AC1-9519-C60EBCAA2C71}\FriendlyName = "UniteFx"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\AudioEngine\AudioProcessingObjects\{27384E53-9860-0AC1-9519-C60EBCAA2C71}\FriendlyName = "UniteFx"	regsvr32.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2097088205-1470669305-146258644-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 00000000ffffffff	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-2097088205-1470669305-146258644-1000_Classes\Soundpad\shell\open\command\	Soundpad.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2097088205-1470669305-146258644-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\GroupByKey:FMTID = "{B725F130-47EF-101A-A5F1-02608C9EEBAC}"	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-2097088205-1470669305-146258644-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\6	msedge.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2097088205-1470669305-146258644-1000_Classes\Soundpad.Soundlist\ = "Soundpad sound list"	Soundpad.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\AudioEngine\AudioProcessingObjects	regsvr32.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\AudioEngine\AudioProcessingObjects\{27384E53-9860-0AC1-9519-C60EBCAA2C71}\MinInputConnections = "1"	regsvr32.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\AudioEngine\AudioProcessingObjects\{27384E53-9860-0AC1-9519-C60EBCAA2C71}\MaxOutputConnections = "1"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{27384E53-9860-0AC1-9519-C60EBCAA2C71}\ = "UniteFx Class"	Soundpad.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\AudioEngine\AudioProcessingObjects\{27384E53-9860-0AC1-9519-C60EBCAA2C71}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-2097088205-1470669305-146258644-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-2097088205-1470669305-146258644-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\6\ComDlg\{CD0FC69B-71E2-46E5-9690-5BCD9F57AAB3}	msedge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2097088205-1470669305-146258644-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 0000000001000000ffffffff	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-2097088205-1470669305-146258644-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-2097088205-1470669305-146258644-1000_Classes\Soundpad.Soundlist\shell	Soundpad.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\AudioEngine\AudioProcessingObjects\{27384E53-9860-0AC1-9519-C60EBCAA2C71}\MaxInstances = "4294967295"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\AudioEngine\AudioProcessingObjects	regsvr32.exe
Key created	\REGISTRY\USER\S-1-5-21-2097088205-1470669305-146258644-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-2097088205-1470669305-146258644-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\ComDlg	msedge.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\AudioEngine\AudioProcessingObjects\{27384E53-9860-0AC1-9519-C60EBCAA2C71}\MinOutputConnections = "1"	regsvr32.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2097088205-1470669305-146258644-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\6\ComDlg\{CD0FC69B-71E2-46E5-9690-5BCD9F57AAB3}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a000000a000000030f125b7ef471a10a5f102608c9eebac0e0000009000000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000	msedge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2097088205-1470669305-146258644-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\GroupByDirection = "4294967295"	msedge.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\AudioEngine\AudioProcessingObjects\{27384E53-9860-0AC1-9519-C60EBCAA2C71}\Copyright = "Copyright (C) 2016-2019 Leppsoft"	regsvr32.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2097088205-1470669305-146258644-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\LogicalViewMode = "1"	msedge.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\AudioEngine\AudioProcessingObjects\{27384E53-9860-0AC1-9519-C60EBCAA2C71}\MinorVersion = "6"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\AudioEngine\AudioProcessingObjects\{27384E53-9860-0AC1-9519-C60EBCAA2C71}\APOInterface0 = "{FD7F2B29-24D0-4B5C-B177-592C39F9CA10}"	regsvr32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2097088205-1470669305-146258644-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\Shell\SniffedFolderType = "Downloads"	msedge.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2097088205-1470669305-146258644-1000_Classes\.spl\Content Type = "audio/soundpadlist"	Soundpad.exe
Key created	\REGISTRY\MACHINE\Software\Classes\CLSID\{27384E53-9860-0AC1-9519-C60EBCAA2C71}\InprocServer32\	Soundpad.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\AudioEngine\AudioProcessingObjects\{27384E53-9860-0AC1-9519-C60EBCAA2C71}\MinInputConnections = "1"	regsvr32.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2097088205-1470669305-146258644-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0e000000ffffffff	msedge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2097088205-1470669305-146258644-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\MRUListEx = ffffffff	msedge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2097088205-1470669305-146258644-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\Mode = "4"	msedge.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2097088205-1470669305-146258644-1000_Classes\Soundpad.Soundlist\DefaultIcon\ = "C:\\Users\\Admin\\Downloads\\SoundPad_Cracked\\SoundPad\\SoundPad\\Soundpad.exe,1"	Soundpad.exe
Key created	\REGISTRY\USER\S-1-5-21-2097088205-1470669305-146258644-1000_Classes\.spl\OpenWithList\ehshell.exe	Soundpad.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\AudioEngine\AudioProcessingObjects\{27384E53-9860-0AC1-9519-C60EBCAA2C71}\MinorVersion = "6"	regsvr32.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2097088205-1470669305-146258644-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\NodeSlot = "5"	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-2097088205-1470669305-146258644-1000_Classes\Soundpad.Soundlist\DefaultIcon	Soundpad.exe
Key created	\REGISTRY\USER\S-1-5-21-2097088205-1470669305-146258644-1000_Classes\.spl\OpenWithList\ehshell.exe\	Soundpad.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2097088205-1470669305-146258644-1000_Classes\.spl\OpenWithList\ehshell.exe\	Soundpad.exe
Key created	\REGISTRY\USER\S-1-5-21-2097088205-1470669305-146258644-1000_Classes\Soundpad	Soundpad.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{27384E53-9860-0AC1-9519-C60EBCAA2C71}\InprocServer32\ = "C:\\Windows\\system32\\UniteFx.dll"	Soundpad.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2097088205-1470669305-146258644-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1 = 3a001f44471a0359723fa74489c55595fe6b30ee260001002600efbe10000000cc2a4acbd463da01d758e9f1dc63da01491716e92864da0114000000	msedge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2097088205-1470669305-146258644-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 020202020202	msedge.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2097088205-1470669305-146258644-1000_Classes\Soundpad\DefaultIcon\ = "C:\\Users\\Admin\\Downloads\\SoundPad_Cracked\\SoundPad\\SoundPad\\Soundpad.exe,0"	Soundpad.exe
Key created	\REGISTRY\USER\S-1-5-21-2097088205-1470669305-146258644-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0	msedge.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2097088205-1470669305-146258644-1000_Classes\Soundpad.Soundlist\shell\open\command\ = "\"C:\\Users\\Admin\\Downloads\\SoundPad_Cracked\\SoundPad\\SoundPad\\Soundpad.exe\" \"%1\""	Soundpad.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\AudioEngine\AudioProcessingObjects\{27384E53-9860-0AC1-9519-C60EBCAA2C71}\MaxInputConnections = "1"	regsvr32.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\AudioEngine\AudioProcessingObjects\{27384E53-9860-0AC1-9519-C60EBCAA2C71}\MaxInstances = "4294967295"	regsvr32.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2097088205-1470669305-146258644-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\6\ComDlg\{CD0FC69B-71E2-46E5-9690-5BCD9F57AAB3}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0a00000001000000	msedge.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2097088205-1470669305-146258644-1000_Classes\.spl\OpenWithProgids\Soundpad.Soundlist	Soundpad.exe
Key created	\REGISTRY\USER\S-1-5-21-2097088205-1470669305-146258644-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\	msedge.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2097088205-1470669305-146258644-1000_Classes\.spl\ = "Soundpad.Soundlist"	Soundpad.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\AudioEngine\AudioProcessingObjects\{27384E53-9860-0AC1-9519-C60EBCAA2C71}\MajorVersion = "1"	regsvr32.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\AudioEngine\AudioProcessingObjects\{27384E53-9860-0AC1-9519-C60EBCAA2C71}\Flags = "14"	regsvr32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2097088205-1470669305-146258644-1000_Classes\.spl\PerceivedType = "audio"	Soundpad.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2097088205-1470669305-146258644-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\GroupView = "4294967295"	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-2097088205-1470669305-146258644-1000_Classes\Soundpad\shell\open	Soundpad.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\AudioEngine\AudioProcessingObjects\{27384E53-9860-0AC1-9519-C60EBCAA2C71}\MaxInputConnections = "1"	regsvr32.exe

Suspicious behavior: EnumeratesProcesses 10 IoCs

pid	Process
1108	msedge.exe
1108	msedge.exe
4616	msedge.exe
4616	msedge.exe
3292	identity_helper.exe
3292	identity_helper.exe
1192	msedge.exe
1192	msedge.exe
2080	msedge.exe
2080	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 12 IoCs

pid	Process
4616	msedge.exe
4616	msedge.exe
4616	msedge.exe
4616	msedge.exe
4616	msedge.exe
4616	msedge.exe
4616	msedge.exe
4616	msedge.exe
4616	msedge.exe
4616	msedge.exe
4616	msedge.exe
4616	msedge.exe

Suspicious use of AdjustPrivilegeToken 6 IoCs

description	pid	Process
Token: SeDebugPrivilege	320	firefox.exe
Token: SeDebugPrivilege	320	firefox.exe
Token: SeTakeOwnershipPrivilege	5668	Soundpad.exe
Token: 33	4296	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	4296	AUDIODG.EXE
Token: SeShutdownPrivilege	5668	Soundpad.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
4616	msedge.exe
4616	msedge.exe
4616	msedge.exe
4616	msedge.exe
4616	msedge.exe
4616	msedge.exe
4616	msedge.exe
4616	msedge.exe
4616	msedge.exe
4616	msedge.exe
4616	msedge.exe
4616	msedge.exe
4616	msedge.exe
4616	msedge.exe
4616	msedge.exe
4616	msedge.exe
4616	msedge.exe
4616	msedge.exe
4616	msedge.exe
4616	msedge.exe
4616	msedge.exe
4616	msedge.exe
4616	msedge.exe
4616	msedge.exe
4616	msedge.exe
4616	msedge.exe
4616	msedge.exe
4616	msedge.exe
4616	msedge.exe
4616	msedge.exe
4616	msedge.exe
4616	msedge.exe
4616	msedge.exe
4616	msedge.exe
4616	msedge.exe
320	firefox.exe
320	firefox.exe
320	firefox.exe
320	firefox.exe
4616	msedge.exe
4616	msedge.exe
4616	msedge.exe
4616	msedge.exe
4616	msedge.exe
4616	msedge.exe
4616	msedge.exe
4616	msedge.exe
4616	msedge.exe
4616	msedge.exe
4616	msedge.exe
4616	msedge.exe
4616	msedge.exe
4616	msedge.exe
4616	msedge.exe
4616	msedge.exe
4616	msedge.exe
4616	msedge.exe
4616	msedge.exe
4616	msedge.exe
4616	msedge.exe
4616	msedge.exe
4616	msedge.exe
4616	msedge.exe
4616	msedge.exe

Suspicious use of SendNotifyMessage 55 IoCs

pid	Process
4616	msedge.exe
4616	msedge.exe
4616	msedge.exe
4616	msedge.exe
4616	msedge.exe
4616	msedge.exe
4616	msedge.exe
4616	msedge.exe
4616	msedge.exe
4616	msedge.exe
4616	msedge.exe
4616	msedge.exe
4616	msedge.exe
4616	msedge.exe
4616	msedge.exe
4616	msedge.exe
4616	msedge.exe
4616	msedge.exe
4616	msedge.exe
4616	msedge.exe
4616	msedge.exe
4616	msedge.exe
4616	msedge.exe
4616	msedge.exe
320	firefox.exe
320	firefox.exe
320	firefox.exe
4616	msedge.exe
4616	msedge.exe
4616	msedge.exe
4616	msedge.exe
4616	msedge.exe
4616	msedge.exe
4616	msedge.exe
4616	msedge.exe
4616	msedge.exe
4616	msedge.exe
4616	msedge.exe
4616	msedge.exe
4616	msedge.exe
4616	msedge.exe
4616	msedge.exe
4616	msedge.exe
4616	msedge.exe
4616	msedge.exe
4616	msedge.exe
4616	msedge.exe
4616	msedge.exe
4616	msedge.exe
4616	msedge.exe
4616	msedge.exe
4616	msedge.exe
4616	msedge.exe
4616	msedge.exe
4616	msedge.exe

Suspicious use of SetWindowsHookEx 9 IoCs

pid	Process
320	firefox.exe
2080	msedge.exe
4616	msedge.exe
4616	msedge.exe
5668	Soundpad.exe
5668	Soundpad.exe
5668	Soundpad.exe
5668	Soundpad.exe
3752	LogonUI.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4616 wrote to memory of 4248	4616	msedge.exe	66
PID 4616 wrote to memory of 4248	4616	msedge.exe	66
PID 4616 wrote to memory of 1984	4616	msedge.exe	89
PID 4616 wrote to memory of 1984	4616	msedge.exe	89
PID 4616 wrote to memory of 1984	4616	msedge.exe	89
PID 4616 wrote to memory of 1984	4616	msedge.exe	89
PID 4616 wrote to memory of 1984	4616	msedge.exe	89
PID 4616 wrote to memory of 1984	4616	msedge.exe	89
PID 4616 wrote to memory of 1984	4616	msedge.exe	89
PID 4616 wrote to memory of 1984	4616	msedge.exe	89
PID 4616 wrote to memory of 1984	4616	msedge.exe	89
PID 4616 wrote to memory of 1984	4616	msedge.exe	89
PID 4616 wrote to memory of 1984	4616	msedge.exe	89
PID 4616 wrote to memory of 1984	4616	msedge.exe	89
PID 4616 wrote to memory of 1984	4616	msedge.exe	89
PID 4616 wrote to memory of 1984	4616	msedge.exe	89
PID 4616 wrote to memory of 1984	4616	msedge.exe	89
PID 4616 wrote to memory of 1984	4616	msedge.exe	89
PID 4616 wrote to memory of 1984	4616	msedge.exe	89
PID 4616 wrote to memory of 1984	4616	msedge.exe	89
PID 4616 wrote to memory of 1984	4616	msedge.exe	89
PID 4616 wrote to memory of 1984	4616	msedge.exe	89
PID 4616 wrote to memory of 1984	4616	msedge.exe	89
PID 4616 wrote to memory of 1984	4616	msedge.exe	89
PID 4616 wrote to memory of 1984	4616	msedge.exe	89
PID 4616 wrote to memory of 1984	4616	msedge.exe	89
PID 4616 wrote to memory of 1984	4616	msedge.exe	89
PID 4616 wrote to memory of 1984	4616	msedge.exe	89
PID 4616 wrote to memory of 1984	4616	msedge.exe	89
PID 4616 wrote to memory of 1984	4616	msedge.exe	89
PID 4616 wrote to memory of 1984	4616	msedge.exe	89
PID 4616 wrote to memory of 1984	4616	msedge.exe	89
PID 4616 wrote to memory of 1984	4616	msedge.exe	89
PID 4616 wrote to memory of 1984	4616	msedge.exe	89
PID 4616 wrote to memory of 1984	4616	msedge.exe	89
PID 4616 wrote to memory of 1984	4616	msedge.exe	89
PID 4616 wrote to memory of 1984	4616	msedge.exe	89
PID 4616 wrote to memory of 1984	4616	msedge.exe	89
PID 4616 wrote to memory of 1984	4616	msedge.exe	89
PID 4616 wrote to memory of 1984	4616	msedge.exe	89
PID 4616 wrote to memory of 1984	4616	msedge.exe	89
PID 4616 wrote to memory of 1984	4616	msedge.exe	89
PID 4616 wrote to memory of 1108	4616	msedge.exe	87
PID 4616 wrote to memory of 1108	4616	msedge.exe	87
PID 4616 wrote to memory of 4632	4616	msedge.exe	88
PID 4616 wrote to memory of 4632	4616	msedge.exe	88
PID 4616 wrote to memory of 4632	4616	msedge.exe	88
PID 4616 wrote to memory of 4632	4616	msedge.exe	88
PID 4616 wrote to memory of 4632	4616	msedge.exe	88
PID 4616 wrote to memory of 4632	4616	msedge.exe	88
PID 4616 wrote to memory of 4632	4616	msedge.exe	88
PID 4616 wrote to memory of 4632	4616	msedge.exe	88
PID 4616 wrote to memory of 4632	4616	msedge.exe	88
PID 4616 wrote to memory of 4632	4616	msedge.exe	88
PID 4616 wrote to memory of 4632	4616	msedge.exe	88
PID 4616 wrote to memory of 4632	4616	msedge.exe	88
PID 4616 wrote to memory of 4632	4616	msedge.exe	88
PID 4616 wrote to memory of 4632	4616	msedge.exe	88
PID 4616 wrote to memory of 4632	4616	msedge.exe	88
PID 4616 wrote to memory of 4632	4616	msedge.exe	88
PID 4616 wrote to memory of 4632	4616	msedge.exe	88
PID 4616 wrote to memory of 4632	4616	msedge.exe	88
PID 4616 wrote to memory of 4632	4616	msedge.exe	88
PID 4616 wrote to memory of 4632	4616	msedge.exe	88

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://cdn.discordapp.com/attachments/1209563768137449502/1209563804103348284/SoundPad_Cracked.zip?ex=65e76113&is=65d4ec13&hm=9782dfe2c01e4cfb23cabb75de3a9da86cc8030e8c2dfbaac2c0a77bf96928a6&
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4616
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffedbfa46f8,0x7ffedbfa4708,0x7ffedbfa4718
  2⤵
  PID:4248
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2052,15298282103202914652,12647990693390634958,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2268 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1108
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2052,15298282103202914652,12647990693390634958,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2472 /prefetch:8
  2⤵
  PID:4632
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2052,15298282103202914652,12647990693390634958,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2064 /prefetch:2
  2⤵
  PID:1984
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2052,15298282103202914652,12647990693390634958,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3392 /prefetch:1
  2⤵
  PID:368
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2052,15298282103202914652,12647990693390634958,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3356 /prefetch:1
  2⤵
  PID:5000
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2052,15298282103202914652,12647990693390634958,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5436 /prefetch:8
  2⤵
  PID:5048
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2052,15298282103202914652,12647990693390634958,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5436 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3292
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2052,15298282103202914652,12647990693390634958,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=4900 /prefetch:8
  2⤵
  PID:3532
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2052,15298282103202914652,12647990693390634958,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5144 /prefetch:1
  2⤵
  PID:3600
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2052,15298282103202914652,12647990693390634958,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5712 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1192
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2052,15298282103202914652,12647990693390634958,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5652 /prefetch:1
  2⤵
  PID:5532
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2052,15298282103202914652,12647990693390634958,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4872 /prefetch:1
  2⤵
  PID:5764
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2052,15298282103202914652,12647990693390634958,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2632 /prefetch:1
  2⤵
  PID:5736
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2052,15298282103202914652,12647990693390634958,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4828 /prefetch:1
  2⤵
  PID:5560
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2052,15298282103202914652,12647990693390634958,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5584 /prefetch:1
  2⤵
  PID:5552
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2052,15298282103202914652,12647990693390634958,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5064 /prefetch:1
  2⤵
  PID:4908
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2052,15298282103202914652,12647990693390634958,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4732 /prefetch:1
  2⤵
  PID:2596
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2052,15298282103202914652,12647990693390634958,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3640 /prefetch:1
  2⤵
  PID:840
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2052,15298282103202914652,12647990693390634958,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3556 /prefetch:1
  2⤵
  PID:5412
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=2052,15298282103202914652,12647990693390634958,131072 --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=3540 /prefetch:8
  2⤵
  PID:3040
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=2052,15298282103202914652,12647990693390634958,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1988 /prefetch:8
  2⤵
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  PID:2080

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3824

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2228

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:4568

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe"
1⤵
PID:2596
- C:\Program Files\Mozilla Firefox\firefox.exe
  "C:\Program Files\Mozilla Firefox\firefox.exe"
  2⤵
  - Checks processor information in registry
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of SetWindowsHookEx
  PID:320
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="320.0.2097914452\479139818" -parentBuildID 20221007134813 -prefsHandle 1904 -prefMapHandle 1896 -prefsLen 20749 -prefMapSize 233444 -appDir "C:\Program Files\Mozilla Firefox\browser" - {6fa3919d-bdbd-4063-98de-4837e69db770} 320 "\\.\pipe\gecko-crash-server-pipe.320" 1980 1a2239f5158 gpu
    3⤵
    PID:2244
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="320.1.1852666762\1947857412" -parentBuildID 20221007134813 -prefsHandle 2368 -prefMapHandle 2364 -prefsLen 20785 -prefMapSize 233444 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {49deda43-b59a-418d-bb69-7c320df41b6c} 320 "\\.\pipe\gecko-crash-server-pipe.320" 2380 1a22353a458 socket
    3⤵
    - Checks processor information in registry
    PID:5064
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="320.2.2019111661\680119071" -childID 1 -isForBrowser -prefsHandle 3160 -prefMapHandle 1776 -prefsLen 20823 -prefMapSize 233444 -jsInitHandle 1400 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {01d4cd1d-050e-4a55-b15a-c9e8abd7d116} 320 "\\.\pipe\gecko-crash-server-pipe.320" 3044 1a2278a3258 tab
    3⤵
    PID:2824
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="320.3.951898489\1552279192" -childID 2 -isForBrowser -prefsHandle 3592 -prefMapHandle 3588 -prefsLen 26066 -prefMapSize 233444 -jsInitHandle 1400 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {886040a9-4d9e-49eb-92f9-b07cd80ca9e5} 320 "\\.\pipe\gecko-crash-server-pipe.320" 3600 1a217167b58 tab
    3⤵
    PID:3128
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="320.4.695739832\2019784753" -childID 3 -isForBrowser -prefsHandle 4204 -prefMapHandle 4336 -prefsLen 26125 -prefMapSize 233444 -jsInitHandle 1400 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {8613d69f-4201-48ad-9ac0-275f8802571d} 320 "\\.\pipe\gecko-crash-server-pipe.320" 4348 1a2296de558 tab
    3⤵
    PID:5368
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="320.5.1063207324\807660030" -childID 4 -isForBrowser -prefsHandle 5184 -prefMapHandle 5156 -prefsLen 26206 -prefMapSize 233444 -jsInitHandle 1400 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {36467f61-8a31-4647-a1a9-7ab1736b9e84} 320 "\\.\pipe\gecko-crash-server-pipe.320" 5176 1a229b5c858 tab
    3⤵
    PID:5800
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="320.7.326226808\1024656237" -childID 6 -isForBrowser -prefsHandle 5504 -prefMapHandle 5508 -prefsLen 26206 -prefMapSize 233444 -jsInitHandle 1400 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {920f8141-ad79-45a3-b427-29fba6f779f0} 320 "\\.\pipe\gecko-crash-server-pipe.320" 5496 1a22ab3b558 tab
    3⤵
    PID:5816
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="320.6.2137528129\1731804954" -childID 5 -isForBrowser -prefsHandle 5296 -prefMapHandle 5300 -prefsLen 26206 -prefMapSize 233444 -jsInitHandle 1400 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {69f2bbeb-887d-46f3-ab84-9dc0e038e1e4} 320 "\\.\pipe\gecko-crash-server-pipe.320" 5288 1a229db3858 tab
    3⤵
    PID:5808

C:\Users\Admin\Downloads\SoundPad_Cracked\SoundPad\SoundPad\Soundpad.exe
"C:\Users\Admin\Downloads\SoundPad_Cracked\SoundPad\SoundPad\Soundpad.exe"
1⤵
- Registers COM server for autorun
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:5668
- C:\Windows\System32\regsvr32.exe
  "C:\Windows\System32\regsvr32.exe" /s "C:\Windows\system32\UniteFx.dll"
  2⤵
  - Loads dropped DLL
  - Modifies registry class
  PID:4628
- C:\Windows\System32\regsvr32.exe
  "C:\Windows\System32\regsvr32.exe" /s "C:\Windows\system32\UniteFx.dll"
  2⤵
  - Loads dropped DLL
  - Modifies registry class
  PID:2404

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x31c 0x2fc
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:4296

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x4 /state0:0xa3958055 /state1:0x41c64e6d
1⤵
- Modifies data under HKEY_USERS
- Suspicious use of SetWindowsHookEx
PID:3752

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
3300b8028991d6e234684db7803b66f9

SHA1
96df26150566233e1e0201bf17b4ea896861862e

SHA256
5b7786b5ae4ba62b88bdbd0992a8fd96b37e4c7068e2fd23d0b33acf769d00cc

SHA512
2f2dff4c24d4fd60160f70d544059bf02eca983309ff46bb7a1cb4d7c413e291c1520842e1922be55a4058380cd041cb6b4d9e70cdc5e4e00880fe13472df031

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
a7f6a4b84d93993fde98d6553834416b

SHA1
4b4a227af10826f5a2f2e9b232ddb0336b3066f1

SHA256
843a9671b3fab9337d8d600e170f9ac8b200a2faf63b5a8cd16f157bcf73c21d

SHA512
ccfe39c47109dbf71c74ff6950526be7fcd521462f80e69e27388a9757d7f1adebf5f723c46b1631ffe3e2b4aa5829655d556bff8bd7e0f9f87fca46545bfb97

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00000f

Filesize
194KB

MD5
ac84f1282f8542dee07f8a1af421f2a7

SHA1
261885284826281a99ff982428a765be30de9029

SHA256
193b8f571f3fd65b98dc39601431ff6e91ade5f90ee7790bfc1fba8f7580a4b0

SHA512
9f4f58ab43ddadad903cea3454d79b99a750f05e4d850de5f25371d5bec16fc312015a875b8f418154f1124c400ae1c82e2efd862870cd35c3f0961426c8cd82

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
1KB

MD5
6545fe59d12bd55e6b82721ef0829b7f

SHA1
c99ea9da2019d7cde0b8eea2686ac57713f5198f

SHA256
a1d507bbb14bc9f944c29c8391a8f3004b7b877ffbd7303f94c20705d99f6402

SHA512
48ed82243e698cfbfbdaa0f811150c60c571d7f4eac6f4f0953749822502dff4d3664cfc6b3b7b30e2fb9faa81a60e91eb040d20bd615f62c1229b81e46ae5af

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
2KB

MD5
fe14b4167dd1c43630983fd46d4b76f1

SHA1
2750a3379fd8ce6798ece686e79efd4ab2558bbc

SHA256
74fcb652e99ec6db5946d715c992bf33dfc053f8fe39f25bb70a213a47eaa3ca

SHA512
790ac535ced7a8de3b14e2ee6265ba310de5453167733dae9575fa5bb3c182ff169fae48a8b28e0ca2382745b590fd3410cb47b9e35030cdd6dcc7a2bb0a34a0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
cf1584b59254dfa8fca431e39bdd8a44

SHA1
76b42be516a0466f8a7f91e22b4eec874d1094b9

SHA256
70dd358c8344a1c3cefbfa3073de8e17113b8b0e7bfb62e99581314054228dd9

SHA512
1581fb54c329653cb090176a0bea0fc6c30d8a3afc107764e39abe1cef4169184208de25d70a2b36fd575cf32f705e165c7c380efc0aa8cfc6e9c90102b6e2d3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
64db7952515fff0207d18a03f7fae8fb

SHA1
6e00ae3382ece891a65ba2ce4e64486a0a75fd79

SHA256
ee59f0977282f5e65af188d50b61dfe5a5f0516191044d06e2659682a34afcc2

SHA512
3808ef6e98bad1341850a780ea1180784de26a7ff265e25c2cf5079cb606d73b7a703cf302ad55cd38b70c2f33925043b4b480f2b0346d9611606e0f5d01dc33

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
4df7450b9434d4ee08c2f70e3e8c6204

SHA1
5ede0df3b4e5d3029304540b0426d597d5e22ce3

SHA256
be11e8b0ca96c05485a990e419a4fa23fc9e98819f390f549bab30ae75cfaaf5

SHA512
0ea2f6ecffd5883993b92b4e19672bae13e56c90a17191be6caea84c2d5e31c7a5ce363757d21a1e82f538d31b21ece01edeaf0fde62fc0cd35f9896c3c19c95

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
8KB

MD5
067716dfe2708c1e8681d25e60619002

SHA1
0b065932933c9821f3494c8432234781ae5e0506

SHA256
d9107e33e40868d2d9de8231abac4f7651062d86aef40a4c481bdc336bf0f2a9

SHA512
a0ee940b4ddbea66326162398c7ed17412b27c6b4354f8053f76e64adf6208ccf8bc1e40505a2cf75fc54c31b12d7b9dc97169c51edd36bba65a56e1d0f9b441

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
5a7f44c8fa83d89cd2109ba1ae0568e9

SHA1
c09a125892520c1c288897e339e2ab4bdda9dff4

SHA256
6a9dd2979450f71f2a92c2c8ab76277b9d0d669d56d6f3edca77514e557a5e49

SHA512
c6e7ee4f6b3dc3a941d39b69b4ca546f0e72dc4d3757691629d1bb30085cd87ca3fcd43f7ad1f97d9591a03af46a8441afb662c416ef36278ecb205610561515

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
89b015b6197f85d053a5e871356eb5db

SHA1
7a3b5bf4f1732d55d2b0408bfcb8cb7209830ba1

SHA256
3ee7de7fe58c7171b6bf05a09e85c6e665e39cca6d34cd50a10dfc509051ca37

SHA512
6a67e3105957dc80f83d106195f7b0643b2565a3f1192f733737348dcd22d5091cad08755789401720cdc3e5579297550e8288315e26a5ffadcfc699373015e8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index

Filesize
72B

MD5
85ef2b495561fd8afe2f3449e75fd41f

SHA1
3546d0938eec1380ece9263a072514c8710973c5

SHA256
8269cf9443ef7b86ce086d4d5b66c05a9f833443b8c7ffca723e2d7d4b04929f

SHA512
ad6a1a850d5723d7c743eecfff980b8b08eafac1684d4a41dead9a7e62d0a254ec3584bee327e42f815a8f4ddfde1f121e1d2b9f3fa1ea291d71f48eb793b579

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index~RFe5861a3.TMP

Filesize
48B

MD5
2195baf4fbcee2d1e5124b17fd36a4af

SHA1
ee4b9372db9a88faff64f30fe2876788c407bb14

SHA256
9ebcc747d830ea3a4096d8174e6a9c70b6de683615cbd73c4b8d3e236f60784f

SHA512
4c806338cf5727d9406a3e3ceff00e4747793a53f0022f7af10f3fa41a46c30745fc7cf57c970410c9475a98b98ea20b6e9cb78e5160eff306789eb1fcfe37fb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
10100c92a3ffa524c0f7e7db769405f7

SHA1
3a436e9d9e491c8e94e9ae51742c77f552d05a07

SHA256
c104e63190b4ec7ce18038c67011dde9c743d52cf06d684269b0ab69e92d1deb

SHA512
f61c7efc557a57e45c4e384f2981f44c45cc160fdc4f10d76aaf6d4e0c497d89cdbd8deb626059319c97869bfcf95b7baaf6b65218a62c4ae82b96ceb6fb0c6a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
12KB

MD5
c0dd0cd6def0e2b844649ad6fa47d77a

SHA1
4ce374028eca18bedc9a173b27e2a34cb5fada0f

SHA256
7b7a47e5ae15e4e61ff5c8f11ba0a8c6e22e65872bac5771bb76bf6b371f500b

SHA512
21c098a22cacd419f23ecd53b428ea1272cdcfea32d16d064d30be11b33630fae69129f43ea7c7f2eb27b98198ea98b65abf28d357e6573fcd3e7b3770dc4fde

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
eea7aeef9f7efb24bc22ad9ccd5885a2

SHA1
ee0e7c33b9d0112fbc1dc281dd6049920c37a105

SHA256
b560318c8299a400a733fc9439fac178c63e3d8cd1bf411131463fab8d3f5041

SHA512
7461c35ca153fcc140d5d4b8d25c6a5d0911f6f2d4eacb07c24fc08dc8edca00efd221d25f950b526df772abc77d81249e24e17c6452cfd8c63dec353ff7b26a

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\6ki9g2jr.default-release\datareporting\glean\db\data.safe.bin

Filesize
9KB

MD5
31e552ff3efd062d1643302daf1c0611

SHA1
d0aac674e8e6c2eb606846544f55fdfe3fa6f4e0

SHA256
0bd247398c34221465544d5e332d40a1fc1736f19d4b7d01161913f1922ea776

SHA512
694876e9cbad3e7b2a9aa5c0aefa827e30d3f83c6f50738223a11a70393f61896dd685fd87537d4be8b4e973b97499468b0df5e8c505b6b3551c3285ce338322

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\6ki9g2jr.default-release\datareporting\glean\pending_pings\1ec89cbb-c125-4457-af35-03e12316e514

Filesize
734B

MD5
3f3d7bb07d27fbeb57e0ecf26cb315bc

SHA1
677b608a9463737ed4016e4fc698f0624c582a7d

SHA256
1ffac1330f6aa142828b8969081a0d59af39a849408769f67e67f336a068c3a9

SHA512
f0cb4171e2da7a289a444db6ee91dcd1105862c7e8890b0425c2bf2eff62eb427d07b6aae43abae299a7f63cf7aef772590817e32eedf50d222fcc46f056b319

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\6ki9g2jr.default-release\prefs-1.js

Filesize
6KB

MD5
ad42248a86ca69ae51e1b5afba462334

SHA1
d221cf81eb3678b5551e5ca76b463c933311f6de

SHA256
a1b0fdd39aa1fa60745eaca5e5c8ee94bc1036e8244c2c1de0c86baa4d0c79cf

SHA512
5cbcbff600bbeaec51b6f30b2c459f6d939370edb4a8fa0723972322f14093029f791017d703a9628d0fe6e849e20a7b3daa16da7e35e4dd737d5ac99b0c3a8d

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\6ki9g2jr.default-release\prefs.js

Filesize
6KB

MD5
95b6f135ba794ecc15419a86aae51ab6

SHA1
f931f219e9c15c1169edbc1c8df992ebaa6630c2

SHA256
b05cd067e41ea8c5a875bfe4e3aab6cb565112326fe540efe7aadee88d717a12

SHA512
0daac117bf930b24c349dc5f718e69c9f1349655c6fbcf8e53750c1111e9ff8884bbf3810f1ab1f02d044701a4fd6f34d596cd25ab415af95d5c8219e4081d85

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\6ki9g2jr.default-release\sessionCheckpoints.json

Filesize
212B

MD5
29ce37dc02c78bbe2e5284d350fae004

SHA1
bab97d5908ea6592aef6b46cee1ded6f34693fa2

SHA256
1bfee61e2f346959c53aa41add4b02d2b05c86c9f19ffefe1018f4a964bf4693

SHA512
53a9eb746e193c088210d8eaa6218d988f3a67ee4cb21844d682ff0178db040932404f5ce2f3cf8b4576313ba0ec33c04ca288c3412bfa5df7dd8230cc2068bb

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\6ki9g2jr.default-release\sessionstore.jsonlz4

Filesize
882B

MD5
a695635ab2775c419ed1b20e6d37e5ec

SHA1
5206b295b9059523a463991da456ef112000c797

SHA256
7290c786fdb4df51a82469f750a7cbd89fb42178879b807912c53ff76a6dc234

SHA512
b23fe7e8fc2042fa00097f11985c01dfb2974f36516e89c883fb2f8acbc5a79dc6300221dffc6cc8b75a1c3eb4ef0e37f759a88a6b5406e68685454583ba059d

Download Submit
C:\Users\Admin\Downloads\SoundPad_Cracked.zip

Filesize
8.9MB

MD5
a38293dd27d0b58851c9117835313c80

SHA1
fc780cfe8f5200ab44cc34b5410352ad2951d3e6

SHA256
bb6d09dac5d8a4fe68f4b9b00c875cd5b8aef7dc8fdb357810f57b39020ff58e

SHA512
d121ff8130fef0f2921449a5944e168063d276459c4f0976917fa8dfda519b8f9f6bad132ef3f7a1828f432b9d24810b86143c0ef23130c68d2e7d2ed18145d4

Download Submit
C:\Windows\system32\UniteFx.dll

Filesize
442KB

MD5
0ee743073ee6b68f8222be2661d95315

SHA1
2e642772ec19edf73422fe25a8d45db1a006ff85

SHA256
562b17370c7283e92a3353b76ab2aefd301c2e78782fa60ec9ee35676ad44f96

SHA512
c3f2037bd37cef7978187f67f1d0633ee3067b4837e0ad9ae2a5c8efab8ec4ce6a14c1d88e200ffaa8677f74fd5995789297e6a7b5ac18d19dc9d53b4d9170ba

Download Submit
memory/5668-551-0x00007FFECC480000-0x00007FFECD4D0000-memory.dmp

Filesize
16.3MB

Download
memory/5668-555-0x00007FFEA9B10000-0x00007FFEA9B11000-memory.dmp

Filesize
4KB

Download