hxxps://github[.]com/marhau-dev/Soundpad-cracked/releases/download/Soundpad/SoundPad[.]zip

Analysis

max time kernel
52s
max time network
50s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
29/02/2024, 04:40

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://github.com/marhau-dev/Soundpad-cracked/releases/download/Soundpad/SoundPad.zip

Score

7^/10

persistence upx

Malware Config

Signatures

Loads dropped DLL 2 IoCs

pid	Process
5140	regsvr32.exe
5164	regsvr32.exe

Registers COM server for autorun 1 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{27384E53-9860-0AC1-9519-C60EBCAA2C71}\InprocServer32\ = "C:\\Windows\\system32\\UniteFx.dll"	Soundpad.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{27384E53-9860-0AC1-9519-C60EBCAA2C71}\InprocServer32\ThreadingModel = "Both"	Soundpad.exe
Key created	\REGISTRY\MACHINE\Software\Classes\CLSID\{27384E53-9860-0AC1-9519-C60EBCAA2C71}\InprocServer32\	Soundpad.exe

UPX packed file 1 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/3796-62-0x00007FF9F0100000-0x00007FF9F1150000-memory.dmp	upx

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	C:\Windows\system32\UniteFx.dll	Soundpad.exe
File opened for modification	C:\Windows\system32\UniteFx.dll	Soundpad.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\AudioEngine\AudioProcessingObjects\{27384E53-9860-0AC1-9519-C60EBCAA2C71}\Flags = "14"	regsvr32.exe
Key created	\REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000_Classes\Soundpad.Soundlist\shell\open	Soundpad.exe
Key created	\REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000_Classes\.spl\OpenWithList	Soundpad.exe
Key created	\REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000_Classes\Soundpad\shell	Soundpad.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\AudioEngine\AudioProcessingObjects\{27384E53-9860-0AC1-9519-C60EBCAA2C71}	regsvr32.exe
Key created	\REGISTRY\MACHINE\Software\Classes\CLSID\{27384E53-9860-0AC1-9519-C60EBCAA2C71}\	Soundpad.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\AudioEngine\AudioProcessingObjects\{27384E53-9860-0AC1-9519-C60EBCAA2C71}\MinInputConnections = "1"	regsvr32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000_Classes\.spl\Content Type = "audio/soundpadlist"	Soundpad.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000_Classes\.spl\PerceivedType = "audio"	Soundpad.exe
Key created	\REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000_Classes\.spl\OpenWithList\ehshell.exe	Soundpad.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\AudioEngine\AudioProcessingObjects\{27384E53-9860-0AC1-9519-C60EBCAA2C71}\MajorVersion = "1"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{27384E53-9860-0AC1-9519-C60EBCAA2C71}\ = "UniteFx Class"	Soundpad.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\AudioEngine\AudioProcessingObjects\{27384E53-9860-0AC1-9519-C60EBCAA2C71}\APOInterface0 = "{FD7F2B29-24D0-4B5C-B177-592C39F9CA10}"	regsvr32.exe
Key created	\REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000_Classes\.spl\OpenWithList\ehshell.exe\	Soundpad.exe
Key created	\REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000_Classes\.spl\OpenWithProgids	Soundpad.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000_Classes\Soundpad\ = "URL:Soundpad Protocol"	Soundpad.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\AudioEngine\AudioProcessingObjects\{27384E53-9860-0AC1-9519-C60EBCAA2C71}\NumAPOInterfaces = "1"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{27384E53-9860-0AC1-9519-C60EBCAA2C71}\InprocServer32\ThreadingModel = "Both"	Soundpad.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\AudioEngine\AudioProcessingObjects	regsvr32.exe
Key created	\REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000_Classes\Soundpad	Soundpad.exe
Key created	\REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000_Classes\Soundpad\shell\open\command	Soundpad.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000_Classes\Soundpad\shell\open\command\ = "\"C:\\Users\\Admin\\Downloads\\SoundPad\\SoundPad\\Soundpad.exe\" -c \"%1\""	Soundpad.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\AudioEngine\AudioProcessingObjects\{27384E53-9860-0AC1-9519-C60EBCAA2C71}\MaxInputConnections = "1"	regsvr32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000_Classes\Soundpad.Soundlist\ = "Soundpad sound list"	Soundpad.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\AudioEngine\AudioProcessingObjects\{27384E53-9860-0AC1-9519-C60EBCAA2C71}\NumAPOInterfaces = "1"	regsvr32.exe
Key created	\REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000_Classes\Soundpad.Soundlist	Soundpad.exe
Key created	\REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000_Classes\Soundpad.Soundlist\shell	Soundpad.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000_Classes\Soundpad\URL Protocol	Soundpad.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\AudioEngine\AudioProcessingObjects\{27384E53-9860-0AC1-9519-C60EBCAA2C71}\MinInputConnections = "1"	regsvr32.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\AudioEngine\AudioProcessingObjects\{27384E53-9860-0AC1-9519-C60EBCAA2C71}\MaxInstances = "4294967295"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\AudioEngine\AudioProcessingObjects\{27384E53-9860-0AC1-9519-C60EBCAA2C71}\Copyright = "Copyright (C) 2016-2019 Leppsoft"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\AudioEngine\AudioProcessingObjects\{27384E53-9860-0AC1-9519-C60EBCAA2C71}\APOInterface0 = "{FD7F2B29-24D0-4B5C-B177-592C39F9CA10}"	regsvr32.exe
Key created	\REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000_Classes\Soundpad.Soundlist\shell\open\command\	Soundpad.exe
Key created	\REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000_Classes\Soundpad\shell\open	Soundpad.exe
Key created	\REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000_Classes\Soundpad\shell\open\command\	Soundpad.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\AudioEngine\AudioProcessingObjects	regsvr32.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\AudioEngine\AudioProcessingObjects\{27384E53-9860-0AC1-9519-C60EBCAA2C71}\MaxInputConnections = "1"	regsvr32.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\AudioEngine\AudioProcessingObjects\{27384E53-9860-0AC1-9519-C60EBCAA2C71}\MinOutputConnections = "1"	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\AudioEngine\AudioProcessingObjects\{27384E53-9860-0AC1-9519-C60EBCAA2C71}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\AudioEngine\AudioProcessingObjects\{27384E53-9860-0AC1-9519-C60EBCAA2C71}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\AudioEngine\AudioProcessingObjects\{27384E53-9860-0AC1-9519-C60EBCAA2C71}\FriendlyName = "UniteFx"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\AudioEngine\AudioProcessingObjects\{27384E53-9860-0AC1-9519-C60EBCAA2C71}\Copyright = "Copyright (C) 2016-2019 Leppsoft"	regsvr32.exe
Key created	\REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000_Classes\Local Settings	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000_Classes\.spl	Soundpad.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000_Classes\.spl\OpenWithList\ehshell.exe\	Soundpad.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\AudioEngine\AudioProcessingObjects\{27384E53-9860-0AC1-9519-C60EBCAA2C71}\MajorVersion = "1"	regsvr32.exe
Key created	\REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000_Classes\Soundpad.Soundlist\shell\open\command	Soundpad.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\AudioEngine\AudioProcessingObjects\{27384E53-9860-0AC1-9519-C60EBCAA2C71}\MinorVersion = "6"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{27384E53-9860-0AC1-9519-C60EBCAA2C71}\InprocServer32\ = "C:\\Windows\\system32\\UniteFx.dll"	Soundpad.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000_Classes\.spl\ = "Soundpad.Soundlist"	Soundpad.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000_Classes\.spl\OpenWithProgids\Soundpad.Soundlist	Soundpad.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\AudioEngine\AudioProcessingObjects\{27384E53-9860-0AC1-9519-C60EBCAA2C71}\MinOutputConnections = "1"	regsvr32.exe
Key created	\REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000_Classes\Soundpad.Soundlist\DefaultIcon	Soundpad.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\AudioEngine\AudioProcessingObjects\{27384E53-9860-0AC1-9519-C60EBCAA2C71}\MinorVersion = "6"	regsvr32.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\AudioEngine\AudioProcessingObjects\{27384E53-9860-0AC1-9519-C60EBCAA2C71}\MaxInstances = "4294967295"	regsvr32.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-566096764-1992588923-1249862864-1000\{1BB85E8A-A5EA-4AC0-8164-C254AA3CE4C4}	Soundpad.exe
Key created	\REGISTRY\MACHINE\Software\Classes\CLSID\{27384E53-9860-0AC1-9519-C60EBCAA2C71}\InprocServer32\	Soundpad.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\AudioEngine\AudioProcessingObjects\{27384E53-9860-0AC1-9519-C60EBCAA2C71}\MaxOutputConnections = "1"	regsvr32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000_Classes\Soundpad.Soundlist\DefaultIcon\ = "C:\\Users\\Admin\\Downloads\\SoundPad\\SoundPad\\Soundpad.exe,1"	Soundpad.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000_Classes\Soundpad.Soundlist\shell\open\command\ = "\"C:\\Users\\Admin\\Downloads\\SoundPad\\SoundPad\\Soundpad.exe\" \"%1\""	Soundpad.exe
Key created	\REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000_Classes\Soundpad\DefaultIcon	Soundpad.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000_Classes\Soundpad\DefaultIcon\ = "C:\\Users\\Admin\\Downloads\\SoundPad\\SoundPad\\Soundpad.exe,0"	Soundpad.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\AudioEngine\AudioProcessingObjects\{27384E53-9860-0AC1-9519-C60EBCAA2C71}\FriendlyName = "UniteFx"	regsvr32.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\AudioEngine\AudioProcessingObjects\{27384E53-9860-0AC1-9519-C60EBCAA2C71}\MaxOutputConnections = "1"	regsvr32.exe

Suspicious behavior: EnumeratesProcesses 8 IoCs

pid	Process
4564	msedge.exe
4564	msedge.exe
1960	msedge.exe
1960	msedge.exe
4240	identity_helper.exe
4240	identity_helper.exe
2868	msedge.exe
2868	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 7 IoCs

pid	Process
1960	msedge.exe
1960	msedge.exe
1960	msedge.exe
1960	msedge.exe
1960	msedge.exe
1960	msedge.exe
1960	msedge.exe

Suspicious use of AdjustPrivilegeToken 5 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	3796	Soundpad.exe
Token: 33	5188	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	5188	AUDIODG.EXE
Token: 33	3796	Soundpad.exe
Token: SeIncBasePriorityPrivilege	3796	Soundpad.exe

Suspicious use of FindShellTrayWindow 38 IoCs

pid	Process
1960	msedge.exe
1960	msedge.exe
1960	msedge.exe
1960	msedge.exe
1960	msedge.exe
1960	msedge.exe
1960	msedge.exe
1960	msedge.exe
1960	msedge.exe
1960	msedge.exe
1960	msedge.exe
1960	msedge.exe
1960	msedge.exe
1960	msedge.exe
1960	msedge.exe
1960	msedge.exe
1960	msedge.exe
1960	msedge.exe
1960	msedge.exe
1960	msedge.exe
1960	msedge.exe
1960	msedge.exe
1960	msedge.exe
1960	msedge.exe
1960	msedge.exe
1960	msedge.exe
1960	msedge.exe
1960	msedge.exe
1960	msedge.exe
1960	msedge.exe
1960	msedge.exe
1960	msedge.exe
1960	msedge.exe
1960	msedge.exe
1960	msedge.exe
1960	msedge.exe
1960	msedge.exe
1960	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
1960	msedge.exe
1960	msedge.exe
1960	msedge.exe
1960	msedge.exe
1960	msedge.exe
1960	msedge.exe
1960	msedge.exe
1960	msedge.exe
1960	msedge.exe
1960	msedge.exe
1960	msedge.exe
1960	msedge.exe
1960	msedge.exe
1960	msedge.exe
1960	msedge.exe
1960	msedge.exe
1960	msedge.exe
1960	msedge.exe
1960	msedge.exe
1960	msedge.exe
1960	msedge.exe
1960	msedge.exe
1960	msedge.exe
1960	msedge.exe

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
3796	Soundpad.exe
3796	Soundpad.exe
3796	Soundpad.exe
3796	Soundpad.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1960 wrote to memory of 3420	1960	msedge.exe	92
PID 1960 wrote to memory of 3420	1960	msedge.exe	92
PID 1960 wrote to memory of 2464	1960	msedge.exe	94
PID 1960 wrote to memory of 2464	1960	msedge.exe	94
PID 1960 wrote to memory of 2464	1960	msedge.exe	94
PID 1960 wrote to memory of 2464	1960	msedge.exe	94
PID 1960 wrote to memory of 2464	1960	msedge.exe	94
PID 1960 wrote to memory of 2464	1960	msedge.exe	94
PID 1960 wrote to memory of 2464	1960	msedge.exe	94
PID 1960 wrote to memory of 2464	1960	msedge.exe	94
PID 1960 wrote to memory of 2464	1960	msedge.exe	94
PID 1960 wrote to memory of 2464	1960	msedge.exe	94
PID 1960 wrote to memory of 2464	1960	msedge.exe	94
PID 1960 wrote to memory of 2464	1960	msedge.exe	94
PID 1960 wrote to memory of 2464	1960	msedge.exe	94
PID 1960 wrote to memory of 2464	1960	msedge.exe	94
PID 1960 wrote to memory of 2464	1960	msedge.exe	94
PID 1960 wrote to memory of 2464	1960	msedge.exe	94
PID 1960 wrote to memory of 2464	1960	msedge.exe	94
PID 1960 wrote to memory of 2464	1960	msedge.exe	94
PID 1960 wrote to memory of 2464	1960	msedge.exe	94
PID 1960 wrote to memory of 2464	1960	msedge.exe	94
PID 1960 wrote to memory of 2464	1960	msedge.exe	94
PID 1960 wrote to memory of 2464	1960	msedge.exe	94
PID 1960 wrote to memory of 2464	1960	msedge.exe	94
PID 1960 wrote to memory of 2464	1960	msedge.exe	94
PID 1960 wrote to memory of 2464	1960	msedge.exe	94
PID 1960 wrote to memory of 2464	1960	msedge.exe	94
PID 1960 wrote to memory of 2464	1960	msedge.exe	94
PID 1960 wrote to memory of 2464	1960	msedge.exe	94
PID 1960 wrote to memory of 2464	1960	msedge.exe	94
PID 1960 wrote to memory of 2464	1960	msedge.exe	94
PID 1960 wrote to memory of 2464	1960	msedge.exe	94
PID 1960 wrote to memory of 2464	1960	msedge.exe	94
PID 1960 wrote to memory of 2464	1960	msedge.exe	94
PID 1960 wrote to memory of 2464	1960	msedge.exe	94
PID 1960 wrote to memory of 2464	1960	msedge.exe	94
PID 1960 wrote to memory of 2464	1960	msedge.exe	94
PID 1960 wrote to memory of 2464	1960	msedge.exe	94
PID 1960 wrote to memory of 2464	1960	msedge.exe	94
PID 1960 wrote to memory of 2464	1960	msedge.exe	94
PID 1960 wrote to memory of 2464	1960	msedge.exe	94
PID 1960 wrote to memory of 4564	1960	msedge.exe	93
PID 1960 wrote to memory of 4564	1960	msedge.exe	93
PID 1960 wrote to memory of 4412	1960	msedge.exe	95
PID 1960 wrote to memory of 4412	1960	msedge.exe	95
PID 1960 wrote to memory of 4412	1960	msedge.exe	95
PID 1960 wrote to memory of 4412	1960	msedge.exe	95
PID 1960 wrote to memory of 4412	1960	msedge.exe	95
PID 1960 wrote to memory of 4412	1960	msedge.exe	95
PID 1960 wrote to memory of 4412	1960	msedge.exe	95
PID 1960 wrote to memory of 4412	1960	msedge.exe	95
PID 1960 wrote to memory of 4412	1960	msedge.exe	95
PID 1960 wrote to memory of 4412	1960	msedge.exe	95
PID 1960 wrote to memory of 4412	1960	msedge.exe	95
PID 1960 wrote to memory of 4412	1960	msedge.exe	95
PID 1960 wrote to memory of 4412	1960	msedge.exe	95
PID 1960 wrote to memory of 4412	1960	msedge.exe	95
PID 1960 wrote to memory of 4412	1960	msedge.exe	95
PID 1960 wrote to memory of 4412	1960	msedge.exe	95
PID 1960 wrote to memory of 4412	1960	msedge.exe	95
PID 1960 wrote to memory of 4412	1960	msedge.exe	95
PID 1960 wrote to memory of 4412	1960	msedge.exe	95
PID 1960 wrote to memory of 4412	1960	msedge.exe	95

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://github.com/marhau-dev/Soundpad-cracked/releases/download/Soundpad/SoundPad.zip
1⤵
- Enumerates system info in registry
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1960
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffa045946f8,0x7ffa04594708,0x7ffa04594718
  2⤵
  PID:3420
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2056,13233977155535624614,2235345334012015286,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2132 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4564
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2056,13233977155535624614,2235345334012015286,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2064 /prefetch:2
  2⤵
  PID:2464
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2056,13233977155535624614,2235345334012015286,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2732 /prefetch:8
  2⤵
  PID:4412
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2056,13233977155535624614,2235345334012015286,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3308 /prefetch:1
  2⤵
  PID:5020
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2056,13233977155535624614,2235345334012015286,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3300 /prefetch:1
  2⤵
  PID:4420
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2056,13233977155535624614,2235345334012015286,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5320 /prefetch:8
  2⤵
  PID:772
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2056,13233977155535624614,2235345334012015286,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5320 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4240
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2056,13233977155535624614,2235345334012015286,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4080 /prefetch:1
  2⤵
  PID:3312
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2056,13233977155535624614,2235345334012015286,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=5100 /prefetch:8
  2⤵
  PID:5100
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2056,13233977155535624614,2235345334012015286,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5784 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2868
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2056,13233977155535624614,2235345334012015286,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5596 /prefetch:1
  2⤵
  PID:768
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2056,13233977155535624614,2235345334012015286,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5800 /prefetch:1
  2⤵
  PID:3844
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2056,13233977155535624614,2235345334012015286,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5544 /prefetch:1
  2⤵
  PID:4764
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2056,13233977155535624614,2235345334012015286,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5576 /prefetch:1
  2⤵
  PID:392

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3936

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:892

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:2308

C:\Users\Admin\Downloads\SoundPad\SoundPad\Soundpad.exe
"C:\Users\Admin\Downloads\SoundPad\SoundPad\Soundpad.exe"
1⤵
- Registers COM server for autorun
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:3796
- C:\Windows\System32\regsvr32.exe
  "C:\Windows\System32\regsvr32.exe" /s "C:\Windows\system32\UniteFx.dll"
  2⤵
  - Loads dropped DLL
  - Modifies registry class
  PID:5140
- C:\Windows\System32\regsvr32.exe
  "C:\Windows\System32\regsvr32.exe" /s "C:\Windows\system32\UniteFx.dll"
  2⤵
  - Loads dropped DLL
  - Modifies registry class
  PID:5164

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x52c 0x53c
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:5188

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
9ffb5f81e8eccd0963c46cbfea1abc20

SHA1
a02a610afd3543de215565bc488a4343bb5c1a59

SHA256
3a654b499247e59e34040f3b192a0069e8f3904e2398cbed90e86d981378e8bc

SHA512
2d21e18ef3f800e6e43b8cf03639d04510433c04215923f5a96432a8aa361fdda282cd444210150d9dbf8f028825d5bc8a451fd53bd3e0c9528eeb80d6e86597

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
e1b45169ebca0dceadb0f45697799d62

SHA1
803604277318898e6f5c6fb92270ca83b5609cd5

SHA256
4c0224fb7cc26ccf74f5be586f18401db57cce935c767a446659b828a7b5ee60

SHA512
357965b8d5cfaf773dbd9b371d7e308d1c86a6c428e542adbfe6bac34a7d2061d0a2f59e84e5b42768930e9b109e9e9f2a87e95cf26b3a69cbff05654ee42b4e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
db83e10153843a0fc369604b26a9f91b

SHA1
7407d4b6e31531c296e210b8969efdbe604e1671

SHA256
e603cf88175efde1a2b333481675d38db820b0c451d056a567bf19a83ebc1252

SHA512
97b0c9627b8404fce96372e537b5f1ead3b4f1db7c34029d7fda5c32b8f578683bc215929b79959ac9de7926d67b795fe00e86920bfe7675ee7c1ddb0d516ff8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
2ec966e4dddb82c2a9feff2e47354300

SHA1
8c788a0986caa21fadafc256d21369d581e6c0c9

SHA256
e63cd85a4bf88f530365d1baef14f4d70b8e6880415ce3db0a61cb00747e8d13

SHA512
778ae7ab3d0b88d679f9be589f89d8d60e6d9115043c633b5a77fc9b3f36c8cd3d89639832cc3ed44eeaa631a27fb5f2cb6814d698f8072f16834a51e9080ba2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
c297ff08cb6ec138b37b829033fb405b

SHA1
726986d166f35ff3eda875d329052714b3979bcf

SHA256
3463be9eb212f1965f957f69926a2d52733171606dbd5b1fa92e25bb04556c13

SHA512
c89965777f9a918ac0d570e7416012358d851f70b2326c7176ac6c56287c2d0f86f2363d605aab70a1a3b4a75e41e4d8c285e63fd5902cbb7003c0448cb691d9

Download Submit
C:\Users\Admin\Downloads\Unconfirmed 163454.crdownload

Filesize
8.6MB

MD5
1e8932dc0d1f5a51adc929f8e1cdcc87

SHA1
48742c86266401017ab21ec9511c3fbe3c6ad17b

SHA256
c29eaf1b28f201fdafee9d48cf6c74f12d6b250672f639787220094d377f2ca1

SHA512
5f4cf967c274eef48f9f0711c2288f9637e973a731362bbe51ce48e13806a3e655d1adb3deab65c2ef74dd0124232911b0065c9f8dd866998686e6ee9db847ab

Download Submit
C:\Windows\system32\UniteFx.dll

Filesize
442KB

MD5
0ee743073ee6b68f8222be2661d95315

SHA1
2e642772ec19edf73422fe25a8d45db1a006ff85

SHA256
562b17370c7283e92a3353b76ab2aefd301c2e78782fa60ec9ee35676ad44f96

SHA512
c3f2037bd37cef7978187f67f1d0633ee3067b4837e0ad9ae2a5c8efab8ec4ce6a14c1d88e200ffaa8677f74fd5995789297e6a7b5ac18d19dc9d53b4d9170ba

Download Submit
memory/3796-62-0x00007FF9F0100000-0x00007FF9F1150000-memory.dmp

Filesize
16.3MB

Download
memory/3796-66-0x00007FF9D22E0000-0x00007FF9D22E1000-memory.dmp

Filesize
4KB

Download