Analysis Overview
SHA256
703c98b215698a72cb6de36c33e66c821a470a52565ba79da213243d0aed458b
Threat Level: Shows suspicious behavior
The file Soundpad_Mohamed_m4.rar was found to show suspicious behavior.
Malicious Activity Summary
Executes dropped EXE
Registers COM server for autorun
Checks computer location settings
Loads dropped DLL
UPX packed file
Enumerates connected drives
Drops file in System32 directory
Unsigned PE
Enumerates physical storage devices
Suspicious behavior: AddClipboardFormatListener
Suspicious use of AdjustPrivilegeToken
Suspicious use of SendNotifyMessage
Modifies registry class
Suspicious use of WriteProcessMemory
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: EnumeratesProcesses
Suspicious use of SetWindowsHookEx
Suspicious use of FindShellTrayWindow
Opens file in notepad (likely ransom note)
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-04-07 18:23
Signatures
UPX packed file
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
Unsigned PE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
Analysis: behavioral29
Detonation Overview
Submitted
2024-04-07 18:23
Reported
2024-04-07 18:26
Platform
win7-20240221-en
Max time kernel
142s
Max time network
129s
Command Line
Signatures
Suspicious behavior: AddClipboardFormatListener
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Program Files\VideoLAN\VLC\vlc.exe | N/A |
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Program Files\VideoLAN\VLC\vlc.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
|---|---|---|---|
| Token: 33 | N/A | C:\Program Files\VideoLAN\VLC\vlc.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Program Files\VideoLAN\VLC\vlc.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Program Files\VideoLAN\VLC\vlc.exe | N/A |
| N/A | N/A | C:\Program Files\VideoLAN\VLC\vlc.exe | N/A |
| N/A | N/A | C:\Program Files\VideoLAN\VLC\vlc.exe | N/A |
| N/A | N/A | C:\Program Files\VideoLAN\VLC\vlc.exe | N/A |
| N/A | N/A | C:\Program Files\VideoLAN\VLC\vlc.exe | N/A |
| N/A | N/A | C:\Program Files\VideoLAN\VLC\vlc.exe | N/A |
| N/A | N/A | C:\Program Files\VideoLAN\VLC\vlc.exe | N/A |
| N/A | N/A | C:\Program Files\VideoLAN\VLC\vlc.exe | N/A |
| N/A | N/A | C:\Program Files\VideoLAN\VLC\vlc.exe | N/A |
Suspicious use of SendNotifyMessage
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Program Files\VideoLAN\VLC\vlc.exe | N/A |
| N/A | N/A | C:\Program Files\VideoLAN\VLC\vlc.exe | N/A |
| N/A | N/A | C:\Program Files\VideoLAN\VLC\vlc.exe | N/A |
| N/A | N/A | C:\Program Files\VideoLAN\VLC\vlc.exe | N/A |
| N/A | N/A | C:\Program Files\VideoLAN\VLC\vlc.exe | N/A |
| N/A | N/A | C:\Program Files\VideoLAN\VLC\vlc.exe | N/A |
| N/A | N/A | C:\Program Files\VideoLAN\VLC\vlc.exe | N/A |
| N/A | N/A | C:\Program Files\VideoLAN\VLC\vlc.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Program Files\VideoLAN\VLC\vlc.exe | N/A |
Processes
C:\Program Files\VideoLAN\VLC\vlc.exe
"C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file "C:\Users\Admin\AppData\Local\Temp\Soundpad Mohamed m4\sounds\notify\default.m4a"
Network
Files
memory/1136-5-0x000000013F950000-0x000000013FA48000-memory.dmp
memory/1136-6-0x000007FEFB210000-0x000007FEFB244000-memory.dmp
memory/1136-7-0x000007FEF6040000-0x000007FEF62F4000-memory.dmp
memory/1136-8-0x000007FEFB560000-0x000007FEFB578000-memory.dmp
memory/1136-9-0x000007FEFB260000-0x000007FEFB277000-memory.dmp
memory/1136-10-0x000007FEF7A60000-0x000007FEF7A71000-memory.dmp
memory/1136-11-0x000007FEF79F0000-0x000007FEF7A07000-memory.dmp
memory/1136-12-0x000007FEF79D0000-0x000007FEF79E1000-memory.dmp
memory/1136-13-0x000007FEF79B0000-0x000007FEF79CD000-memory.dmp
memory/1136-14-0x000007FEF7980000-0x000007FEF7991000-memory.dmp
memory/1136-15-0x000007FEF4D30000-0x000007FEF5DDB000-memory.dmp
memory/1136-16-0x000007FEF5E40000-0x000007FEF6040000-memory.dmp
memory/1136-17-0x000007FEF6C30000-0x000007FEF6C6F000-memory.dmp
memory/1136-18-0x000007FEF7950000-0x000007FEF7971000-memory.dmp
memory/1136-19-0x000007FEF6C10000-0x000007FEF6C28000-memory.dmp
memory/1136-20-0x000007FEF6BF0000-0x000007FEF6C01000-memory.dmp
memory/1136-21-0x000007FEF6760000-0x000007FEF6771000-memory.dmp
memory/1136-22-0x000007FEF6740000-0x000007FEF6751000-memory.dmp
memory/1136-23-0x000007FEF6720000-0x000007FEF673B000-memory.dmp
memory/1136-24-0x000007FEF6700000-0x000007FEF6711000-memory.dmp
memory/1136-25-0x000007FEF66E0000-0x000007FEF66F8000-memory.dmp
memory/1136-26-0x000007FEF66B0000-0x000007FEF66E0000-memory.dmp
memory/1136-27-0x000007FEF4CC0000-0x000007FEF4D27000-memory.dmp
memory/1136-28-0x000007FEF4C50000-0x000007FEF4CBF000-memory.dmp
memory/1136-29-0x000007FEF6690000-0x000007FEF66A1000-memory.dmp
memory/1136-30-0x000007FEF4BF0000-0x000007FEF4C46000-memory.dmp
memory/1136-31-0x000007FEF4A70000-0x000007FEF4BE8000-memory.dmp
memory/1136-32-0x000007FEF6670000-0x000007FEF6687000-memory.dmp
memory/1136-33-0x000007FEFB920000-0x000007FEFB930000-memory.dmp
memory/1136-34-0x000007FEF4A40000-0x000007FEF4A6F000-memory.dmp
memory/1136-36-0x000007FEF4A00000-0x000007FEF4A16000-memory.dmp
memory/1136-35-0x000007FEF4A20000-0x000007FEF4A31000-memory.dmp
memory/1136-37-0x000007FEF4930000-0x000007FEF49F5000-memory.dmp
memory/1136-38-0x000007FEF48B0000-0x000007FEF4925000-memory.dmp
memory/1136-39-0x000007FEF4840000-0x000007FEF48A2000-memory.dmp
memory/1136-40-0x000007FEF47D0000-0x000007FEF483D000-memory.dmp
memory/1136-41-0x000007FEF47B0000-0x000007FEF47C3000-memory.dmp
memory/1136-42-0x000007FEF4790000-0x000007FEF47A4000-memory.dmp
memory/1136-43-0x000007FEF4740000-0x000007FEF4790000-memory.dmp
memory/1136-44-0x000007FEF4720000-0x000007FEF4735000-memory.dmp
memory/1136-45-0x000007FEF46E0000-0x000007FEF46F1000-memory.dmp
memory/1136-46-0x000007FEF46C0000-0x000007FEF46D2000-memory.dmp
memory/1136-47-0x000007FEF4540000-0x000007FEF46BA000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-04-07 18:23
Reported
2024-04-07 18:26
Platform
win10v2004-20240226-en
Max time kernel
93s
Max time network
95s
Command Line
Signatures
Checks computer location settings
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key value queried | \REGISTRY\USER\S-1-5-21-983155329-280873152-1838004294-1000\Control Panel\International\Geo\Nation | C:\Windows\system32\cmd.exe | N/A |
Enumerates physical storage devices
Modifies registry class
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key created | \REGISTRY\USER\S-1-5-21-983155329-280873152-1838004294-1000_Classes\Local Settings | C:\Windows\system32\cmd.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
|---|---|---|---|
| Token: SeRestorePrivilege | N/A | C:\Program Files\7-Zip\7zFM.exe | N/A |
| Token: 35 | N/A | C:\Program Files\7-Zip\7zFM.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Program Files\7-Zip\7zFM.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
|---|---|---|---|
| PID 4128 wrote to memory of 3136 | N/A | C:\Windows\system32\cmd.exe | C:\Program Files\7-Zip\7zFM.exe |
| PID 4128 wrote to memory of 3136 | N/A | C:\Windows\system32\cmd.exe | C:\Program Files\7-Zip\7zFM.exe |
Processes
C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\Soundpad_Mohamed_m4.rar
C:\Program Files\7-Zip\7zFM.exe
"C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\Soundpad_Mohamed_m4.rar"
Network
| Country | Destination | Domain | Proto |
|---|---|---|---|
| US | 8.8.8.8:53 | 209.205.72.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 249.197.17.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 4.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 133.211.185.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 228.249.119.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 159.113.53.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 50.23.12.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 28.143.109.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.197.17.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 43.229.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 241.197.17.2.in-addr.arpa | udp |
Files
Analysis: behavioral11
Detonation Overview
Submitted
2024-04-07 18:23
Reported
2024-04-07 18:26
Platform
win7-20240220-en
Max time kernel
122s
Max time network
125s
Command Line
Signatures
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
|---|---|---|---|
| PID 2156 wrote to memory of 2964 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\system32\WerFault.exe |
| PID 2156 wrote to memory of 2964 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\system32\WerFault.exe |
| PID 2156 wrote to memory of 2964 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\system32\WerFault.exe |
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe "C:\Users\Admin\AppData\Local\Temp\Soundpad Mohamed m4\UniteFxControl.dll",#1
C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 2156 -s 164
Network
Files
Analysis: behavioral14
Detonation Overview
Submitted
2024-04-07 18:23
Reported
2024-04-07 18:26
Platform
win10v2004-20231215-en
Max time kernel
91s
Max time network
125s
Command Line
Signatures
Modifies registry class
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\AudioEngine\AudioProcessingObjects | C:\Windows\system32\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\AudioEngine\AudioProcessingObjects\{27384E53-9860-0AC1-9519-C60EBCAA2C71}\FriendlyName = "UniteFx" | C:\Windows\system32\regsvr32.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\AudioEngine\AudioProcessingObjects\{27384E53-9860-0AC1-9519-C60EBCAA2C71}\MinorVersion = "6" | C:\Windows\system32\regsvr32.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\AudioEngine\AudioProcessingObjects\{27384E53-9860-0AC1-9519-C60EBCAA2C71}\MaxInputConnections = "1" | C:\Windows\system32\regsvr32.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\AudioEngine\AudioProcessingObjects\{27384E53-9860-0AC1-9519-C60EBCAA2C71}\MaxInstances = "4294967295" | C:\Windows\system32\regsvr32.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\AudioEngine\AudioProcessingObjects\{27384E53-9860-0AC1-9519-C60EBCAA2C71}\NumAPOInterfaces = "1" | C:\Windows\system32\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\AudioEngine\AudioProcessingObjects\{27384E53-9860-0AC1-9519-C60EBCAA2C71}\Copyright = "Copyright (C) 2016-2019 Leppsoft" | C:\Windows\system32\regsvr32.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\AudioEngine\AudioProcessingObjects\{27384E53-9860-0AC1-9519-C60EBCAA2C71}\MinInputConnections = "1" | C:\Windows\system32\regsvr32.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\AudioEngine\AudioProcessingObjects\{27384E53-9860-0AC1-9519-C60EBCAA2C71}\MinOutputConnections = "1" | C:\Windows\system32\regsvr32.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\AudioEngine\AudioProcessingObjects\{27384E53-9860-0AC1-9519-C60EBCAA2C71}\MaxOutputConnections = "1" | C:\Windows\system32\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\AudioEngine\AudioProcessingObjects\{27384E53-9860-0AC1-9519-C60EBCAA2C71}\APOInterface0 = "{FD7F2B29-24D0-4B5C-B177-592C39F9CA10}" | C:\Windows\system32\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\AudioEngine\AudioProcessingObjects\{27384E53-9860-0AC1-9519-C60EBCAA2C71} | C:\Windows\system32\regsvr32.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\AudioEngine\AudioProcessingObjects\{27384E53-9860-0AC1-9519-C60EBCAA2C71}\MajorVersion = "1" | C:\Windows\system32\regsvr32.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\AudioEngine\AudioProcessingObjects\{27384E53-9860-0AC1-9519-C60EBCAA2C71}\Flags = "14" | C:\Windows\system32\regsvr32.exe | N/A |
Processes
C:\Windows\system32\regsvr32.exe
regsvr32 /s "C:\Users\Admin\AppData\Local\Temp\Soundpad Mohamed m4\UniteFxUpdate.dll"
Network
| Country | Destination | Domain | Proto |
|---|---|---|---|
| US | 8.8.8.8:53 | 196.249.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 216.197.17.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 4.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 28.118.140.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 183.59.114.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 159.113.53.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 17.143.109.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 249.197.17.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 21.236.111.52.in-addr.arpa | udp |
Files
Analysis: behavioral21
Detonation Overview
Submitted
2024-04-07 18:23
Reported
2024-04-07 18:26
Platform
win7-20240221-en
Max time kernel
141s
Max time network
128s
Command Line
Signatures
Suspicious behavior: AddClipboardFormatListener
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Program Files\VideoLAN\VLC\vlc.exe | N/A |
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Program Files\VideoLAN\VLC\vlc.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
|---|---|---|---|
| Token: 33 | N/A | C:\Program Files\VideoLAN\VLC\vlc.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Program Files\VideoLAN\VLC\vlc.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Program Files\VideoLAN\VLC\vlc.exe | N/A |
| N/A | N/A | C:\Program Files\VideoLAN\VLC\vlc.exe | N/A |
| N/A | N/A | C:\Program Files\VideoLAN\VLC\vlc.exe | N/A |
| N/A | N/A | C:\Program Files\VideoLAN\VLC\vlc.exe | N/A |
| N/A | N/A | C:\Program Files\VideoLAN\VLC\vlc.exe | N/A |
| N/A | N/A | C:\Program Files\VideoLAN\VLC\vlc.exe | N/A |
| N/A | N/A | C:\Program Files\VideoLAN\VLC\vlc.exe | N/A |
| N/A | N/A | C:\Program Files\VideoLAN\VLC\vlc.exe | N/A |
| N/A | N/A | C:\Program Files\VideoLAN\VLC\vlc.exe | N/A |
Suspicious use of SendNotifyMessage
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Program Files\VideoLAN\VLC\vlc.exe | N/A |
| N/A | N/A | C:\Program Files\VideoLAN\VLC\vlc.exe | N/A |
| N/A | N/A | C:\Program Files\VideoLAN\VLC\vlc.exe | N/A |
| N/A | N/A | C:\Program Files\VideoLAN\VLC\vlc.exe | N/A |
| N/A | N/A | C:\Program Files\VideoLAN\VLC\vlc.exe | N/A |
| N/A | N/A | C:\Program Files\VideoLAN\VLC\vlc.exe | N/A |
| N/A | N/A | C:\Program Files\VideoLAN\VLC\vlc.exe | N/A |
| N/A | N/A | C:\Program Files\VideoLAN\VLC\vlc.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Program Files\VideoLAN\VLC\vlc.exe | N/A |
Processes
C:\Program Files\VideoLAN\VLC\vlc.exe
"C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file "C:\Users\Admin\AppData\Local\Temp\Soundpad Mohamed m4\sounds\cue.mp3"
Network
Files
memory/2104-5-0x000000013F450000-0x000000013F548000-memory.dmp
memory/2104-6-0x000007FEF7C30000-0x000007FEF7C64000-memory.dmp
memory/2104-7-0x000007FEF6290000-0x000007FEF6544000-memory.dmp
memory/2104-9-0x000007FEFAC20000-0x000007FEFAC37000-memory.dmp
memory/2104-8-0x000007FEFB960000-0x000007FEFB978000-memory.dmp
memory/2104-10-0x000007FEF7D10000-0x000007FEF7D21000-memory.dmp
memory/2104-11-0x000007FEF7A60000-0x000007FEF7A77000-memory.dmp
memory/2104-13-0x000007FEF6F10000-0x000007FEF6F2D000-memory.dmp
memory/2104-14-0x000007FEF6EF0000-0x000007FEF6F01000-memory.dmp
memory/2104-12-0x000007FEF7A40000-0x000007FEF7A51000-memory.dmp
memory/2104-15-0x000007FEF6090000-0x000007FEF6290000-memory.dmp
memory/2104-16-0x000007FEF4FE0000-0x000007FEF608B000-memory.dmp
memory/2104-17-0x000007FEF6EB0000-0x000007FEF6EEF000-memory.dmp
memory/2104-18-0x000007FEF69A0000-0x000007FEF69C1000-memory.dmp
memory/2104-19-0x000007FEF6980000-0x000007FEF6998000-memory.dmp
memory/2104-20-0x000007FEF6960000-0x000007FEF6971000-memory.dmp
memory/2104-21-0x000007FEF6940000-0x000007FEF6951000-memory.dmp
memory/2104-22-0x000007FEF6920000-0x000007FEF6931000-memory.dmp
memory/2104-23-0x000007FEF6900000-0x000007FEF691B000-memory.dmp
memory/2104-24-0x000007FEF68E0000-0x000007FEF68F1000-memory.dmp
memory/2104-26-0x000007FEF4FB0000-0x000007FEF4FE0000-memory.dmp
memory/2104-27-0x000007FEF4F40000-0x000007FEF4FA7000-memory.dmp
memory/2104-25-0x000007FEF68C0000-0x000007FEF68D8000-memory.dmp
memory/2104-28-0x000007FEF4ED0000-0x000007FEF4F3F000-memory.dmp
memory/2104-29-0x000007FEF4EB0000-0x000007FEF4EC1000-memory.dmp
memory/2104-30-0x000007FEF4E90000-0x000007FEF4EA7000-memory.dmp
memory/2104-31-0x000007FEF4E70000-0x000007FEF4E81000-memory.dmp
memory/2104-32-0x000007FEF4E10000-0x000007FEF4E67000-memory.dmp
memory/2104-33-0x000007FEF4DE0000-0x000007FEF4E0F000-memory.dmp
memory/2104-34-0x000007FEF4DC0000-0x000007FEF4DD3000-memory.dmp
memory/2104-35-0x000007FEF4DA0000-0x000007FEF4DB1000-memory.dmp
memory/2104-36-0x000007FEF4CD0000-0x000007FEF4D95000-memory.dmp
memory/2104-37-0x000007FEF4CB0000-0x000007FEF4CC2000-memory.dmp
memory/2104-38-0x000007FEF4C90000-0x000007FEF4CA1000-memory.dmp
memory/2104-39-0x000007FEF4C70000-0x000007FEF4C84000-memory.dmp
memory/2104-42-0x000007FEF4C10000-0x000007FEF4C2E000-memory.dmp
memory/2104-43-0x000007FEF4BF0000-0x000007FEF4C06000-memory.dmp
memory/2104-41-0x000007FEF4C30000-0x000007FEF4C44000-memory.dmp
memory/2104-40-0x000007FEF4C50000-0x000007FEF4C62000-memory.dmp
memory/2104-44-0x000007FEF4BD0000-0x000007FEF4BE5000-memory.dmp
memory/2104-45-0x000007FEF4BB0000-0x000007FEF4BC4000-memory.dmp
memory/2104-46-0x000007FEF4B80000-0x000007FEF4BAC000-memory.dmp
memory/2104-47-0x000007FEF4B60000-0x000007FEF4B72000-memory.dmp
memory/2104-48-0x000007FEF4B30000-0x000007FEF4B60000-memory.dmp
memory/2104-49-0x000007FEF4B10000-0x000007FEF4B27000-memory.dmp
memory/2104-50-0x000007FEF3360000-0x000007FEF4B10000-memory.dmp
memory/2104-52-0x000007FEF3320000-0x000007FEF3332000-memory.dmp
memory/2104-51-0x000007FEF3340000-0x000007FEF3351000-memory.dmp
memory/2104-53-0x000007FEF31A0000-0x000007FEF3318000-memory.dmp
memory/2104-54-0x000007FEF3180000-0x000007FEF3197000-memory.dmp
memory/2104-55-0x000007FEF3120000-0x000007FEF3176000-memory.dmp
memory/2104-56-0x000007FEF30F0000-0x000007FEF3118000-memory.dmp
memory/2104-58-0x000007FEFAC70000-0x000007FEFAC80000-memory.dmp
memory/2104-59-0x000007FEF30A0000-0x000007FEF30B6000-memory.dmp
memory/2104-57-0x000007FEF30C0000-0x000007FEF30E4000-memory.dmp
memory/2104-60-0x000007FEF3020000-0x000007FEF3095000-memory.dmp
memory/2104-61-0x000007FEF2FB0000-0x000007FEF3012000-memory.dmp
memory/2104-62-0x000007FEF2F40000-0x000007FEF2FAD000-memory.dmp
memory/2104-63-0x000007FEF2F20000-0x000007FEF2F35000-memory.dmp
memory/2104-65-0x000007FEF2EC0000-0x000007FEF2ED2000-memory.dmp
memory/2104-64-0x000007FEF2EE0000-0x000007FEF2EF1000-memory.dmp
memory/2104-66-0x000007FEF2D40000-0x000007FEF2EBA000-memory.dmp
Analysis: behavioral8
Detonation Overview
Submitted
2024-04-07 18:23
Reported
2024-04-07 18:26
Platform
win10v2004-20240226-en
Max time kernel
147s
Max time network
158s
Command Line
Signatures
Checks computer location settings
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key value queried | \REGISTRY\USER\S-1-5-21-557049126-2506969350-2798870634-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\Soundpad Mohamed m4\Soundpad.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Windows\System32\regsvr32.exe | N/A |
| N/A | N/A | C:\Windows\System32\regsvr32.exe | N/A |
Registers COM server for autorun
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key created | \REGISTRY\MACHINE\Software\Classes\CLSID\{27384E53-9860-0AC1-9519-C60EBCAA2C71}\InprocServer32\ | C:\Users\Admin\AppData\Local\Temp\Soundpad Mohamed m4\Soundpad.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{27384E53-9860-0AC1-9519-C60EBCAA2C71}\InprocServer32\ = "C:\\Windows\\system32\\UniteFx.dll" | C:\Users\Admin\AppData\Local\Temp\Soundpad Mohamed m4\Soundpad.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{27384E53-9860-0AC1-9519-C60EBCAA2C71}\InprocServer32\ThreadingModel = "Both" | C:\Users\Admin\AppData\Local\Temp\Soundpad Mohamed m4\Soundpad.exe | N/A |
UPX packed file
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
|---|---|---|---|
| File opened for modification | C:\Windows\system32\UniteFx.dll | C:\Users\Admin\AppData\Local\Temp\Soundpad Mohamed m4\Soundpad.exe | N/A |
| File created | C:\Windows\system32\UniteFx.dll | C:\Users\Admin\AppData\Local\Temp\Soundpad Mohamed m4\Soundpad.exe | N/A |
Enumerates physical storage devices
Modifies registry class
| Description | Indicator | Process | Target |
|---|---|---|---|
| Set value (str) | \REGISTRY\USER\S-1-5-21-557049126-2506969350-2798870634-1000_Classes\Soundpad\ = "URL:Soundpad Protocol" | C:\Users\Admin\AppData\Local\Temp\Soundpad Mohamed m4\Soundpad.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Classes\CLSID\{27384E53-9860-0AC1-9519-C60EBCAA2C71}\ | C:\Users\Admin\AppData\Local\Temp\Soundpad Mohamed m4\Soundpad.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-557049126-2506969350-2798870634-1000_Classes\Soundpad\shell\open | C:\Users\Admin\AppData\Local\Temp\Soundpad Mohamed m4\Soundpad.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-557049126-2506969350-2798870634-1000_Classes\Soundpad.Soundlist | C:\Users\Admin\AppData\Local\Temp\Soundpad Mohamed m4\Soundpad.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-557049126-2506969350-2798870634-1000_Classes\.spl\ = "Soundpad.Soundlist" | C:\Users\Admin\AppData\Local\Temp\Soundpad Mohamed m4\Soundpad.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-557049126-2506969350-2798870634-1000_Classes\.spl\Content Type = "audio/soundpadlist" | C:\Users\Admin\AppData\Local\Temp\Soundpad Mohamed m4\Soundpad.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\AudioEngine\AudioProcessingObjects\{27384E53-9860-0AC1-9519-C60EBCAA2C71}\MinorVersion = "6" | C:\Windows\System32\regsvr32.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\AudioEngine\AudioProcessingObjects\{27384E53-9860-0AC1-9519-C60EBCAA2C71}\MaxInputConnections = "1" | C:\Windows\System32\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\AudioEngine\AudioProcessingObjects\{27384E53-9860-0AC1-9519-C60EBCAA2C71}\FriendlyName = "UniteFx" | C:\Windows\System32\regsvr32.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\AudioEngine\AudioProcessingObjects\{27384E53-9860-0AC1-9519-C60EBCAA2C71}\NumAPOInterfaces = "1" | C:\Windows\System32\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{27384E53-9860-0AC1-9519-C60EBCAA2C71}\InprocServer32\ThreadingModel = "Both" | C:\Users\Admin\AppData\Local\Temp\Soundpad Mohamed m4\Soundpad.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\AudioEngine\AudioProcessingObjects\{27384E53-9860-0AC1-9519-C60EBCAA2C71}\MinorVersion = "6" | C:\Windows\System32\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-557049126-2506969350-2798870634-1000_Classes\Soundpad.Soundlist\ = "Soundpad sound list" | C:\Users\Admin\AppData\Local\Temp\Soundpad Mohamed m4\Soundpad.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-557049126-2506969350-2798870634-1000_Classes\Soundpad.Soundlist\shell | C:\Users\Admin\AppData\Local\Temp\Soundpad Mohamed m4\Soundpad.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-557049126-2506969350-2798870634-1000_Classes\.spl\OpenWithList | C:\Users\Admin\AppData\Local\Temp\Soundpad Mohamed m4\Soundpad.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-557049126-2506969350-2798870634-1000_Classes\.spl\OpenWithList\ehshell.exe\ | C:\Users\Admin\AppData\Local\Temp\Soundpad Mohamed m4\Soundpad.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-557049126-2506969350-2798870634-1000_Classes\Soundpad\shell\open\command\ | C:\Users\Admin\AppData\Local\Temp\Soundpad Mohamed m4\Soundpad.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\AudioEngine\AudioProcessingObjects\{27384E53-9860-0AC1-9519-C60EBCAA2C71} | C:\Windows\System32\regsvr32.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-557049126-2506969350-2798870634-1000_Classes\Soundpad.Soundlist\shell\open\command | C:\Users\Admin\AppData\Local\Temp\Soundpad Mohamed m4\Soundpad.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-557049126-2506969350-2798870634-1000_Classes\Soundpad\URL Protocol | C:\Users\Admin\AppData\Local\Temp\Soundpad Mohamed m4\Soundpad.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-557049126-2506969350-2798870634-1000_Classes\Soundpad\shell | C:\Users\Admin\AppData\Local\Temp\Soundpad Mohamed m4\Soundpad.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\AudioEngine\AudioProcessingObjects\{27384E53-9860-0AC1-9519-C60EBCAA2C71} | C:\Windows\System32\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-557049126-2506969350-2798870634-1000_Classes\Soundpad.Soundlist\shell\open\command\ = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\Soundpad Mohamed m4\\Soundpad.exe\" \"%1\"" | C:\Users\Admin\AppData\Local\Temp\Soundpad Mohamed m4\Soundpad.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-557049126-2506969350-2798870634-1000_Classes\Soundpad | C:\Users\Admin\AppData\Local\Temp\Soundpad Mohamed m4\Soundpad.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-557049126-2506969350-2798870634-1000_Classes\Soundpad\DefaultIcon\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Soundpad Mohamed m4\\Soundpad.exe,0" | C:\Users\Admin\AppData\Local\Temp\Soundpad Mohamed m4\Soundpad.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-557049126-2506969350-2798870634-1000_Classes\Soundpad\shell\open\command | C:\Users\Admin\AppData\Local\Temp\Soundpad Mohamed m4\Soundpad.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\AudioEngine\AudioProcessingObjects\{27384E53-9860-0AC1-9519-C60EBCAA2C71} | C:\Windows\System32\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\AudioEngine\AudioProcessingObjects\{27384E53-9860-0AC1-9519-C60EBCAA2C71}\Copyright = "Copyright (C) 2016-2019 Leppsoft" | C:\Windows\System32\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\AudioEngine\AudioProcessingObjects\{27384E53-9860-0AC1-9519-C60EBCAA2C71}\APOInterface0 = "{FD7F2B29-24D0-4B5C-B177-592C39F9CA10}" | C:\Windows\System32\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Classes\CLSID\{27384E53-9860-0AC1-9519-C60EBCAA2C71}\InprocServer32\ | C:\Users\Admin\AppData\Local\Temp\Soundpad Mohamed m4\Soundpad.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\AudioEngine\AudioProcessingObjects\{27384E53-9860-0AC1-9519-C60EBCAA2C71}\MajorVersion = "1" | C:\Windows\System32\regsvr32.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\AudioEngine\AudioProcessingObjects\{27384E53-9860-0AC1-9519-C60EBCAA2C71}\MinInputConnections = "1" | C:\Windows\System32\regsvr32.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\AudioEngine\AudioProcessingObjects\{27384E53-9860-0AC1-9519-C60EBCAA2C71}\MaxInstances = "4294967295" | C:\Windows\System32\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-557049126-2506969350-2798870634-1000_Classes\.spl\OpenWithProgids\Soundpad.Soundlist | C:\Users\Admin\AppData\Local\Temp\Soundpad Mohamed m4\Soundpad.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\AudioEngine\AudioProcessingObjects\{27384E53-9860-0AC1-9519-C60EBCAA2C71}\APOInterface0 = "{FD7F2B29-24D0-4B5C-B177-592C39F9CA10}" | C:\Windows\System32\regsvr32.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\AudioEngine\AudioProcessingObjects\{27384E53-9860-0AC1-9519-C60EBCAA2C71}\MaxOutputConnections = "1" | C:\Windows\System32\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-557049126-2506969350-2798870634-1000_Classes\Soundpad.Soundlist\DefaultIcon\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Soundpad Mohamed m4\\Soundpad.exe,1" | C:\Users\Admin\AppData\Local\Temp\Soundpad Mohamed m4\Soundpad.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-557049126-2506969350-2798870634-1000_Classes\.spl\OpenWithList\ehshell.exe\ | C:\Users\Admin\AppData\Local\Temp\Soundpad Mohamed m4\Soundpad.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\AudioEngine\AudioProcessingObjects\{27384E53-9860-0AC1-9519-C60EBCAA2C71}\FriendlyName = "UniteFx" | C:\Windows\System32\regsvr32.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\AudioEngine\AudioProcessingObjects\{27384E53-9860-0AC1-9519-C60EBCAA2C71}\MaxOutputConnections = "1" | C:\Windows\System32\regsvr32.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-557049126-2506969350-2798870634-1000_Classes\Soundpad.Soundlist\shell\open\command\ | C:\Users\Admin\AppData\Local\Temp\Soundpad Mohamed m4\Soundpad.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-557049126-2506969350-2798870634-1000_Classes\.spl\OpenWithProgids | C:\Users\Admin\AppData\Local\Temp\Soundpad Mohamed m4\Soundpad.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\AudioEngine\AudioProcessingObjects\{27384E53-9860-0AC1-9519-C60EBCAA2C71}\MinInputConnections = "1" | C:\Windows\System32\regsvr32.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-557049126-2506969350-2798870634-1000_Classes\Soundpad\DefaultIcon | C:\Users\Admin\AppData\Local\Temp\Soundpad Mohamed m4\Soundpad.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{27384E53-9860-0AC1-9519-C60EBCAA2C71}\ = "UniteFx Class" | C:\Users\Admin\AppData\Local\Temp\Soundpad Mohamed m4\Soundpad.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{27384E53-9860-0AC1-9519-C60EBCAA2C71}\InprocServer32\ = "C:\\Windows\\system32\\UniteFx.dll" | C:\Users\Admin\AppData\Local\Temp\Soundpad Mohamed m4\Soundpad.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-557049126-2506969350-2798870634-1000_Classes\.spl\PerceivedType = "audio" | C:\Users\Admin\AppData\Local\Temp\Soundpad Mohamed m4\Soundpad.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-557049126-2506969350-2798870634-1000_Classes\Soundpad\shell\open\command\ = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\Soundpad Mohamed m4\\Soundpad.exe\" -c \"%1\"" | C:\Users\Admin\AppData\Local\Temp\Soundpad Mohamed m4\Soundpad.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\AudioEngine\AudioProcessingObjects | C:\Windows\System32\regsvr32.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\AudioEngine\AudioProcessingObjects\{27384E53-9860-0AC1-9519-C60EBCAA2C71}\Flags = "14" | C:\Windows\System32\regsvr32.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\AudioEngine\AudioProcessingObjects\{27384E53-9860-0AC1-9519-C60EBCAA2C71}\NumAPOInterfaces = "1" | C:\Windows\System32\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\AudioEngine\AudioProcessingObjects\{27384E53-9860-0AC1-9519-C60EBCAA2C71}\Copyright = "Copyright (C) 2016-2019 Leppsoft" | C:\Windows\System32\regsvr32.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\AudioEngine\AudioProcessingObjects\{27384E53-9860-0AC1-9519-C60EBCAA2C71}\MinOutputConnections = "1" | C:\Windows\System32\regsvr32.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-557049126-2506969350-2798870634-1000_Classes\Soundpad.Soundlist\shell\open | C:\Users\Admin\AppData\Local\Temp\Soundpad Mohamed m4\Soundpad.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-557049126-2506969350-2798870634-1000_Classes\.spl | C:\Users\Admin\AppData\Local\Temp\Soundpad Mohamed m4\Soundpad.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\AudioEngine\AudioProcessingObjects\{27384E53-9860-0AC1-9519-C60EBCAA2C71}\MajorVersion = "1" | C:\Windows\System32\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\AudioEngine\AudioProcessingObjects | C:\Windows\System32\regsvr32.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-557049126-2506969350-2798870634-1000_Classes\Soundpad.Soundlist\DefaultIcon | C:\Users\Admin\AppData\Local\Temp\Soundpad Mohamed m4\Soundpad.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-557049126-2506969350-2798870634-1000_Classes\.spl\OpenWithList\ehshell.exe | C:\Users\Admin\AppData\Local\Temp\Soundpad Mohamed m4\Soundpad.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\AudioEngine\AudioProcessingObjects\{27384E53-9860-0AC1-9519-C60EBCAA2C71}\MinOutputConnections = "1" | C:\Windows\System32\regsvr32.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\AudioEngine\AudioProcessingObjects\{27384E53-9860-0AC1-9519-C60EBCAA2C71}\MaxInstances = "4294967295" | C:\Windows\System32\regsvr32.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\AudioEngine\AudioProcessingObjects\{27384E53-9860-0AC1-9519-C60EBCAA2C71}\Flags = "14" | C:\Windows\System32\regsvr32.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\AudioEngine\AudioProcessingObjects\{27384E53-9860-0AC1-9519-C60EBCAA2C71}\MaxInputConnections = "1" | C:\Windows\System32\regsvr32.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\Soundpad Mohamed m4\Soundpad.exe | N/A |
| Token: 33 | N/A | C:\Windows\system32\AUDIODG.EXE | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\system32\AUDIODG.EXE | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Soundpad Mohamed m4\Soundpad.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Soundpad Mohamed m4\Soundpad.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Soundpad Mohamed m4\Soundpad.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Soundpad Mohamed m4\Soundpad.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2284 wrote to memory of 1760 | N/A | C:\Users\Admin\AppData\Local\Temp\Soundpad Mohamed m4\Soundpad.exe | C:\Windows\System32\regsvr32.exe |
| PID 2284 wrote to memory of 1760 | N/A | C:\Users\Admin\AppData\Local\Temp\Soundpad Mohamed m4\Soundpad.exe | C:\Windows\System32\regsvr32.exe |
| PID 2284 wrote to memory of 4068 | N/A | C:\Users\Admin\AppData\Local\Temp\Soundpad Mohamed m4\Soundpad.exe | C:\Windows\System32\regsvr32.exe |
| PID 2284 wrote to memory of 4068 | N/A | C:\Users\Admin\AppData\Local\Temp\Soundpad Mohamed m4\Soundpad.exe | C:\Windows\System32\regsvr32.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\Soundpad Mohamed m4\Soundpad.exe
"C:\Users\Admin\AppData\Local\Temp\Soundpad Mohamed m4\Soundpad.exe"
C:\Windows\System32\regsvr32.exe
"C:\Windows\System32\regsvr32.exe" /s "C:\Windows\system32\UniteFx.dll"
C:\Windows\System32\regsvr32.exe
"C:\Windows\System32\regsvr32.exe" /s "C:\Windows\system32\UniteFx.dll"
C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x4b0 0x480
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 28.118.140.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.197.17.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 0.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 196.249.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 228.249.119.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 183.59.114.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 17.143.109.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 216.197.17.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 31.243.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 90.65.42.20.in-addr.arpa | udp |
Files
memory/2284-0-0x00007FFF29BE0000-0x00007FFF2AC30000-memory.dmp
memory/2284-4-0x00007FFF07960000-0x00007FFF07961000-memory.dmp
C:\Windows\system32\UniteFx.dll
| MD5 | 0ee743073ee6b68f8222be2661d95315 |
| SHA1 | 2e642772ec19edf73422fe25a8d45db1a006ff85 |
| SHA256 | 562b17370c7283e92a3353b76ab2aefd301c2e78782fa60ec9ee35676ad44f96 |
| SHA512 | c3f2037bd37cef7978187f67f1d0633ee3067b4837e0ad9ae2a5c8efab8ec4ce6a14c1d88e200ffaa8677f74fd5995789297e6a7b5ac18d19dc9d53b4d9170ba |
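The rows above record the one change in this detonation that survives a reboot: Soundpad.exe points CLSID {27384E53-9860-0AC1-9519-C60EBCAA2C71}\InprocServer32 at C:\Windows\system32\UniteFx.dll, then spawns regsvr32.exe /s on that DLL, which registers the same CLSID under AudioEngine\AudioProcessingObjects (APOs are COM objects the Windows audio engine loads, hence AUDIODG.EXE in the process list). The WriteProcessMemory rows are Soundpad.exe writing into the two regsvr32.exe children it created, which is what ordinary process creation looks like in these reports; the registration, not the memory write, is the artifact to verify on a host. The script below is an added example, not part of the report or of the sandbox's tooling: it parses the registry-modification table and the dropped-file hash table in the row layout used on this page (that layout, and the column meanings, are assumptions taken from the page) and joins the InprocServer32 path with the DLL's hashes and its APO registration. The embedded excerpt is constructed from rows copied from the behavioral29 tables.

```python
"""Pull host IOCs out of a Triage-style report excerpt (added example)."""
import re
from collections import defaultdict

# Constructed excerpt: rows copied from the behavioral29 tables, in the
# report's own "| Description | Key/Indicator | Process | Target |" layout.
REPORT = r"""
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{27384E53-9860-0AC1-9519-C60EBCAA2C71}\InprocServer32\ = "C:\\Windows\\system32\\UniteFx.dll" | C:\Users\Admin\AppData\Local\Temp\Soundpad Mohamed m4\Soundpad.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-557049126-2506969350-2798870634-1000_Classes\Soundpad\shell\open\command\ = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\Soundpad Mohamed m4\\Soundpad.exe\" -c \"%1\"" | C:\Users\Admin\AppData\Local\Temp\Soundpad Mohamed m4\Soundpad.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\AudioEngine\AudioProcessingObjects | C:\Windows\System32\regsvr32.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\AudioEngine\AudioProcessingObjects\{27384E53-9860-0AC1-9519-C60EBCAA2C71}\Flags = "14" | C:\Windows\System32\regsvr32.exe | N/A |
Files
C:\Windows\system32\UniteFx.dll
| MD5 | 0ee743073ee6b68f8222be2661d95315 |
| SHA1 | 2e642772ec19edf73422fe25a8d45db1a006ff85 |
| SHA256 | 562b17370c7283e92a3353b76ab2aefd301c2e78782fa60ec9ee35676ad44f96 |
"""

CLSID_RE = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")
WIN_PATH_RE = re.compile(r"^[A-Za-z]:\\")
HASH_LEN = {"MD5": 32, "SHA1": 40, "SHA256": 64, "SHA512": 128}


def parse_rows(text):
    """Yield each non-empty line as a list of cells; bare lines become one cell."""
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        if line.startswith("|") and line.endswith("|"):
            yield [cell.strip() for cell in line[1:-1].split(" | ")]
        else:
            yield [line]


def unquote(value):
    """Strip the report's surrounding quotes and undo its \\\\ and \\" escaping."""
    if len(value) >= 2 and value[0] == value[-1] == '"':
        value = value[1:-1]
    return value.replace('\\"', '"').replace("\\\\", "\\")


def extract_iocs(text):
    """Collect COM registrations, APO CLSIDs, per-process registry keys and file hashes."""
    iocs = {
        "com_servers": {},                  # CLSID -> InprocServer32 DLL path
        "apo_clsids": set(),                # CLSIDs under AudioEngine\AudioProcessingObjects
        "registry_keys": defaultdict(set),  # process -> keys it created or set
        "file_hashes": defaultdict(dict),   # dropped file path -> {alg: hex}
    }
    current_file = None
    for cells in parse_rows(text):
        if len(cells) == 1:
            # A bare Windows path introduces a hash table for that dropped file.
            current_file = cells[0] if WIN_PATH_RE.match(cells[0]) else None
        elif len(cells) == 2 and cells[0] in HASH_LEN and current_file:
            alg, digest = cells[0], cells[1].lower()
            if len(digest) == HASH_LEN[alg] and re.fullmatch(r"[0-9a-f]+", digest):
                iocs["file_hashes"][current_file][alg] = digest
        elif len(cells) == 4 and (cells[0].startswith("Set value") or cells[0] == "Key created"):
            key, _, value = cells[1].partition(" = ")
            iocs["registry_keys"][cells[2]].add(key)
            clsid = CLSID_RE.search(key)
            if not clsid:
                continue
            guid = clsid.group(0).upper()
            if key.rstrip("\\").lower().endswith("\\inprocserver32") and value:
                iocs["com_servers"][guid] = unquote(value)
            if "\\audioengine\\audioprocessingobjects\\" in key.lower():
                iocs["apo_clsids"].add(guid)
    return iocs


def com_persistence(iocs):
    """Join each COM server registration with the dropped DLL's SHA256 and
    note whether the same CLSID is also registered as an audio processing
    object, which is what gets it loaded by the audio engine."""
    hashes = {path.lower(): h for path, h in iocs["file_hashes"].items()}
    return [
        {
            "clsid": clsid,
            "dll": dll,
            "sha256": hashes.get(dll.lower(), {}).get("SHA256"),
            "also_apo": clsid in iocs["apo_clsids"],
        }
        for clsid, dll in sorted(iocs["com_servers"].items())
    ]


if __name__ == "__main__":
    for entry in com_persistence(extract_iocs(REPORT)):
        print(entry)
```

On a host, the three values the script returns (CLSID, InprocServer32 path, SHA256) are exactly what to compare against HKLM\SOFTWARE\Classes\CLSID and the file on disk; a DLL at that path whose hash differs from the report's is still worth keeping, since the sample was unpacked from an archive and other builds may drop a different binary under the same name.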
Analysis: behavioral9
Detonation Overview
Submitted
2024-04-07 18:23
Reported
2024-04-07 18:26
Platform
win7-20240221-en
Max time kernel
119s
Max time network
123s
Command Line
Signatures
Processes
C:\Windows\system32\NOTEPAD.EXE
C:\Windows\system32\NOTEPAD.EXE "C:\Users\Admin\AppData\Local\Temp\Soundpad Mohamed m4\SteamConfig.ini"
Network
Files
Analysis: behavioral10
Detonation Overview
Submitted
2024-04-07 18:23
Reported
2024-04-07 18:26
Platform
win10v2004-20240226-en
Max time kernel
91s
Max time network
131s
Command Line
Signatures
Processes
C:\Windows\system32\NOTEPAD.EXE
C:\Windows\system32\NOTEPAD.EXE "C:\Users\Admin\AppData\Local\Temp\Soundpad Mohamed m4\SteamConfig.ini"
Network
| Country | Destination | Domain | Proto |
| US | 20.231.121.79:80 | | tcp |
| US | 8.8.8.8:53 | 228.249.119.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 22.160.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 216.197.17.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 196.249.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 86.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 0.204.248.87.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 241.197.17.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 249.197.17.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 31.243.111.52.in-addr.arpa | udp |
Files
Analysis: behavioral18
Detonation Overview
Submitted
2024-04-07 18:23
Reported
2024-04-07 18:26
Platform
win10v2004-20240226-en
Max time kernel
149s
Max time network
150s
Command Line
Signatures
Enumerates physical storage devices
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000_Classes\Local Settings | C:\Windows\system32\cmd.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000_Classes\Local Settings | C:\Windows\system32\OpenWith.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\OpenWith.exe | N/A |
Processes
C:\Windows\system32\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\Soundpad Mohamed m4\languages\es_ES\translation.mo"
C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 196.249.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 216.197.17.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 71.31.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 228.249.119.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 50.23.12.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 159.113.53.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 17.143.109.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 249.197.17.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 22.236.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | | udp |
Files
Analysis: behavioral24
Detonation Overview
Submitted
2024-04-07 18:23
Reported
2024-04-07 18:26
Platform
win10v2004-20240226-en
Max time kernel
146s
Max time network
157s
Command Line
Signatures
Enumerates connected drives
| Description | Indicator | Process | Target |
| File opened (read-only) | \??\E: | C:\Windows\system32\unregmp2.exe | N/A |
| File opened (read-only) | \??\P: | C:\Windows\system32\unregmp2.exe | N/A |
| File opened (read-only) | \??\Q: | C:\Windows\system32\unregmp2.exe | N/A |
| File opened (read-only) | \??\T: | C:\Windows\system32\unregmp2.exe | N/A |
| File opened (read-only) | \??\U: | C:\Windows\system32\unregmp2.exe | N/A |
| File opened (read-only) | \??\W: | C:\Windows\system32\unregmp2.exe | N/A |
| File opened (read-only) | \??\B: | C:\Windows\system32\unregmp2.exe | N/A |
| File opened (read-only) | \??\J: | C:\Windows\system32\unregmp2.exe | N/A |
| File opened (read-only) | \??\N: | C:\Windows\system32\unregmp2.exe | N/A |
| File opened (read-only) | \??\O: | C:\Windows\system32\unregmp2.exe | N/A |
| File opened (read-only) | \??\R: | C:\Windows\system32\unregmp2.exe | N/A |
| File opened (read-only) | \??\Z: | C:\Windows\system32\unregmp2.exe | N/A |
| File opened (read-only) | \??\A: | C:\Windows\system32\unregmp2.exe | N/A |
| File opened (read-only) | \??\G: | C:\Windows\system32\unregmp2.exe | N/A |
| File opened (read-only) | \??\H: | C:\Windows\system32\unregmp2.exe | N/A |
| File opened (read-only) | \??\L: | C:\Windows\system32\unregmp2.exe | N/A |
| File opened (read-only) | \??\M: | C:\Windows\system32\unregmp2.exe | N/A |
| File opened (read-only) | \??\X: | C:\Windows\system32\unregmp2.exe | N/A |
| File opened (read-only) | \??\I: | C:\Windows\system32\unregmp2.exe | N/A |
| File opened (read-only) | \??\K: | C:\Windows\system32\unregmp2.exe | N/A |
| File opened (read-only) | \??\S: | C:\Windows\system32\unregmp2.exe | N/A |
| File opened (read-only) | \??\V: | C:\Windows\system32\unregmp2.exe | N/A |
| File opened (read-only) | \??\Y: | C:\Windows\system32\unregmp2.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeShutdownPrivilege | N/A | C:\Windows\system32\unregmp2.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\system32\unregmp2.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Program Files (x86)\Windows Media Player\wmplayer.exe
"C:\Program Files (x86)\Windows Media Player\wmplayer.exe" /prefetch:6 /Open "C:\Users\Admin\AppData\Local\Temp\Soundpad Mohamed m4\sounds\firework.mp3"
C:\Program Files (x86)\Windows Media Player\setup_wm.exe
"C:\Program Files (x86)\Windows Media Player\setup_wm.exe" /RunOnce:"C:\Program Files (x86)\Windows Media Player\wmplayer.exe" /prefetch:6 /Open "C:\Users\Admin\AppData\Local\Temp\Soundpad Mohamed m4\sounds\firework.mp3"
C:\Windows\SysWOW64\unregmp2.exe
"C:\Windows\System32\unregmp2.exe" /AsyncFirstLogon
C:\Windows\system32\unregmp2.exe
"C:\Windows\SysNative\unregmp2.exe" /AsyncFirstLogon /REENTRANT
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 228.249.119.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 216.197.17.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 71.31.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 196.249.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 183.59.114.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 28.143.109.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 241.197.17.2.in-addr.arpa | udp |
| US | 52.111.229.48:443 | | tcp |
| US | 8.8.8.8:53 | 31.243.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 2.173.189.20.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Local\Temp\wmsetup.log
| MD5 | 5a107dd0e811d7c88e5441e4706e3e5f |
| SHA1 | 88bef6ba72ee130dcc2555a313ef1e4a1738eb66 |
| SHA256 | 7ee3812c35841bde269e2ebe7065bb3ede42f25b453b28cb2bdb6f044d82297d |
| SHA512 | afc21c35f488f2a698c9689601f1fb7247890378d0808121bbb8b21b56f6e78cec563a49c33a0a1e26af4fba813289f0c78fb3d3e5d7d2d9d5aebe69526b39a1 |
C:\Users\Admin\AppData\Local\Microsoft\Windows Media\12.0\WMSDKNS.XML.bak
| MD5 | 7050d5ae8acfbe560fa11073fef8185d |
| SHA1 | 5bc38e77ff06785fe0aec5a345c4ccd15752560e |
| SHA256 | cb87767c4a384c24e4a0f88455f59101b1ae7b4fb8de8a5adb4136c5f7ee545b |
| SHA512 | a7a295ac8921bb3dde58d4bcde9372ed59def61d4b7699057274960fa8c1d1a1daff834a93f7a0698e9e5c16db43af05e9fd2d6d7c9232f7d26ffcff5fc5900b |
C:\Users\Admin\AppData\Local\Microsoft\Media Player\CurrentDatabase_400.wmdb
| MD5 | fc240c081ec382df4b74d591d7d37a45 |
| SHA1 | 396e9d8accb2ff8b32e6c3957808cb87d23ad47c |
| SHA256 | 8cfeb277627a0fc9f2596c83dc37f9a3d8871293cd88dadd08f32098bf936038 |
| SHA512 | d8f83773c330b88b43f9ebc6220aa98368854e44a75b73a8575e7171f6c32e784d404e5a2e2e7787d3c71c0cfecdbb983631b639d9fee879b374d498d2ef0ab7 |
Analysis: behavioral32
Detonation Overview
Submitted
2024-04-07 18:23
Reported
2024-04-07 18:26
Platform
win10v2004-20240226-en
Max time kernel
93s
Max time network
100s
Command Line
Signatures
Enumerates connected drives
| Description | Indicator | Process | Target |
| File opened (read-only) | \??\N: | C:\Windows\system32\unregmp2.exe | N/A |
| File opened (read-only) | \??\O: | C:\Windows\system32\unregmp2.exe | N/A |
| File opened (read-only) | \??\X: | C:\Windows\system32\unregmp2.exe | N/A |
| File opened (read-only) | \??\L: | C:\Windows\system32\unregmp2.exe | N/A |
| File opened (read-only) | \??\E: | C:\Windows\system32\unregmp2.exe | N/A |
| File opened (read-only) | \??\J: | C:\Windows\system32\unregmp2.exe | N/A |
| File opened (read-only) | \??\A: | C:\Windows\system32\unregmp2.exe | N/A |
| File opened (read-only) | \??\G: | C:\Windows\system32\unregmp2.exe | N/A |
| File opened (read-only) | \??\H: | C:\Windows\system32\unregmp2.exe | N/A |
| File opened (read-only) | \??\I: | C:\Windows\system32\unregmp2.exe | N/A |
| File opened (read-only) | \??\K: | C:\Windows\system32\unregmp2.exe | N/A |
| File opened (read-only) | \??\M: | C:\Windows\system32\unregmp2.exe | N/A |
| File opened (read-only) | \??\Q: | C:\Windows\system32\unregmp2.exe | N/A |
| File opened (read-only) | \??\U: | C:\Windows\system32\unregmp2.exe | N/A |
| File opened (read-only) | \??\B: | C:\Windows\system32\unregmp2.exe | N/A |
| File opened (read-only) | \??\V: | C:\Windows\system32\unregmp2.exe | N/A |
| File opened (read-only) | \??\R: | C:\Windows\system32\unregmp2.exe | N/A |
| File opened (read-only) | \??\S: | C:\Windows\system32\unregmp2.exe | N/A |
| File opened (read-only) | \??\T: | C:\Windows\system32\unregmp2.exe | N/A |
| File opened (read-only) | \??\W: | C:\Windows\system32\unregmp2.exe | N/A |
| File opened (read-only) | \??\Y: | C:\Windows\system32\unregmp2.exe | N/A |
| File opened (read-only) | \??\Z: | C:\Windows\system32\unregmp2.exe | N/A |
| File opened (read-only) | \??\P: | C:\Windows\system32\unregmp2.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeShutdownPrivilege | N/A | C:\Windows\system32\unregmp2.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\system32\unregmp2.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Program Files (x86)\Windows Media Player\wmplayer.exe
"C:\Program Files (x86)\Windows Media Player\wmplayer.exe" /prefetch:6 /Open "C:\Users\Admin\AppData\Local\Temp\Soundpad Mohamed m4\sounds\notify\disabled.m4a"
C:\Program Files (x86)\Windows Media Player\setup_wm.exe
"C:\Program Files (x86)\Windows Media Player\setup_wm.exe" /RunOnce:"C:\Program Files (x86)\Windows Media Player\wmplayer.exe" /prefetch:6 /Open "C:\Users\Admin\AppData\Local\Temp\Soundpad Mohamed m4\sounds\notify\disabled.m4a"
C:\Windows\SysWOW64\unregmp2.exe
"C:\Windows\System32\unregmp2.exe" /AsyncFirstLogon
C:\Windows\system32\unregmp2.exe
"C:\Windows\SysNative\unregmp2.exe" /AsyncFirstLogon /REENTRANT
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 196.249.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.197.17.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 138.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 28.118.140.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 183.59.114.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.31.95.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 0.204.248.87.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 216.197.17.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 23.236.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 241.197.17.2.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Local\Temp\wmsetup.log
| MD5 | 7feffce4dd6d0bcb844829bf03c8b5e6 |
| SHA1 | 687c37f3a0928f5d18420a6716625232915ef4a1 |
| SHA256 | 6beb823bf9ef7d51aff88531db21ab543e83d3a563b7a5e01096def61aad48ad |
| SHA512 | e6620ec329dbc737db6d7663aab540d9af182d89016e39831858658ed7b3d80ba13c778fae474e74361463daed983c3f1cad28e1c0490cb4a4fcc6a47fc1bfe9 |
C:\Users\Admin\AppData\Local\Microsoft\Windows Media\12.0\WMSDKNS.XML
| MD5 | 7050d5ae8acfbe560fa11073fef8185d |
| SHA1 | 5bc38e77ff06785fe0aec5a345c4ccd15752560e |
| SHA256 | cb87767c4a384c24e4a0f88455f59101b1ae7b4fb8de8a5adb4136c5f7ee545b |
| SHA512 | a7a295ac8921bb3dde58d4bcde9372ed59def61d4b7699057274960fa8c1d1a1daff834a93f7a0698e9e5c16db43af05e9fd2d6d7c9232f7d26ffcff5fc5900b |
C:\Users\Admin\AppData\Local\Microsoft\Media Player\CurrentDatabase_400.wmdb
| MD5 | 063793e4ba784832026ec8bc3528f7f1 |
| SHA1 | 687d03823d7ab8954826f753a645426cff3c5db4 |
| SHA256 | cb153cb703aea1ba1afe2614cffb086fa781646a285c5ac37354ee933a29cedd |
| SHA512 | 225910c24052dfdf7fca574b12ecef4eb68e990167010f80d7136f03ac6e7faa33233685cbf37b38ee626bb22ff3afeee39e597080e429be3ec241fb30af40c6 |
Analysis: behavioral1
Detonation Overview
Submitted
2024-04-07 18:23
Reported
2024-04-07 18:26
Platform
win7-20240221-en
Max time kernel
128s
Max time network
126s
Command Line
Signatures
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7zO45AACD18\Soundpad.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\7-Zip\7zFM.exe | N/A |
Enumerates physical storage devices
Opens file in notepad (likely ransom note)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\NOTEPAD.EXE | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\7-Zip\7zFM.exe | N/A |
| N/A | N/A | C:\Program Files\7-Zip\7zFM.exe | N/A |
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\7-Zip\7zFM.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeRestorePrivilege | N/A | C:\Program Files\7-Zip\7zFM.exe | N/A |
| Token: 35 | N/A | C:\Program Files\7-Zip\7zFM.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Program Files\7-Zip\7zFM.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Program Files\7-Zip\7zFM.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\7-Zip\7zFM.exe | N/A |
| N/A | N/A | C:\Program Files\7-Zip\7zFM.exe | N/A |
| N/A | N/A | C:\Program Files\7-Zip\7zFM.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\Soundpad_Mohamed_m4.rar
C:\Program Files\7-Zip\7zFM.exe
"C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\Soundpad_Mohamed_m4.rar"
C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Local\Temp\7zO45A0CE08\Readme.txt
C:\Users\Admin\AppData\Local\Temp\7zO45AACD18\Soundpad.exe
"C:\Users\Admin\AppData\Local\Temp\7zO45AACD18\Soundpad.exe"
Network
Files
C:\Users\Admin\AppData\Local\Temp\7zO45A0CE08\Readme.txt
| MD5 | 75e1c9f2df88bb43b0171a9cc4869230 |
| SHA1 | 6153db66cce38bbebfe6b42b42ed65f9afb5ed33 |
| SHA256 | e8cd560f199c8e666ec1cfd460e444479eb2f1360040376a4eb03c3c14316b20 |
| SHA512 | 4a5f57f00889fcb55ec2c7a4204bdd4857ab6bfc41050e50a18452515c31e0dc2dd87aca2bda11840f463ba24c044b1e03a53d4ebe48f8f809ff07b3ee3703b9 |
\Users\Admin\AppData\Local\Temp\7zO45AACD18\Soundpad.exe
| MD5 | 0ae4f60d72e0d1c159505500b8a08ebb |
| SHA1 | bb352dafd3c3ebebb4414b799010fe5ebddbef44 |
| SHA256 | ed3371229647ef876b45cb5940e48b461df58d4e68ad4932f5877eba90c8d379 |
| SHA512 | 88495911df544a04a4e09828ae10b57d3d945c41d6e28964c2d4d077afa43fec1c82a8ff6dcce57a3c7b9e5d02d1e47f800f557b022866f5f7be4a2db9b07536 |
Analysis: behavioral22
Detonation Overview
Submitted
2024-04-07 18:23
Reported
2024-04-07 18:26
Platform
win10v2004-20240226-en
Max time kernel
145s
Max time network
161s
Command Line
Signatures
Enumerates connected drives
| Description | Indicator | Process | Target |
| File opened (read-only) | \??\X: | C:\Windows\system32\unregmp2.exe | N/A |
| File opened (read-only) | \??\M: | C:\Windows\system32\unregmp2.exe | N/A |
| File opened (read-only) | \??\N: | C:\Windows\system32\unregmp2.exe | N/A |
| File opened (read-only) | \??\Q: | C:\Windows\system32\unregmp2.exe | N/A |
| File opened (read-only) | \??\T: | C:\Windows\system32\unregmp2.exe | N/A |
| File opened (read-only) | \??\K: | C:\Windows\system32\unregmp2.exe | N/A |
| File opened (read-only) | \??\L: | C:\Windows\system32\unregmp2.exe | N/A |
| File opened (read-only) | \??\S: | C:\Windows\system32\unregmp2.exe | N/A |
| File opened (read-only) | \??\V: | C:\Windows\system32\unregmp2.exe | N/A |
| File opened (read-only) | \??\B: | C:\Windows\system32\unregmp2.exe | N/A |
| File opened (read-only) | \??\E: | C:\Windows\system32\unregmp2.exe | N/A |
| File opened (read-only) | \??\G: | C:\Windows\system32\unregmp2.exe | N/A |
| File opened (read-only) | \??\J: | C:\Windows\system32\unregmp2.exe | N/A |
| File opened (read-only) | \??\A: | C:\Windows\system32\unregmp2.exe | N/A |
| File opened (read-only) | \??\U: | C:\Windows\system32\unregmp2.exe | N/A |
| File opened (read-only) | \??\W: | C:\Windows\system32\unregmp2.exe | N/A |
| File opened (read-only) | \??\Z: | C:\Windows\system32\unregmp2.exe | N/A |
| File opened (read-only) | \??\R: | C:\Windows\system32\unregmp2.exe | N/A |
| File opened (read-only) | \??\Y: | C:\Windows\system32\unregmp2.exe | N/A |
| File opened (read-only) | \??\H: | C:\Windows\system32\unregmp2.exe | N/A |
| File opened (read-only) | \??\I: | C:\Windows\system32\unregmp2.exe | N/A |
| File opened (read-only) | \??\O: | C:\Windows\system32\unregmp2.exe | N/A |
| File opened (read-only) | \??\P: | C:\Windows\system32\unregmp2.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeShutdownPrivilege | N/A | C:\Windows\system32\unregmp2.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\system32\unregmp2.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Program Files (x86)\Windows Media Player\wmplayer.exe
"C:\Program Files (x86)\Windows Media Player\wmplayer.exe" /prefetch:6 /Open "C:\Users\Admin\AppData\Local\Temp\Soundpad Mohamed m4\sounds\cue.mp3"
C:\Program Files (x86)\Windows Media Player\setup_wm.exe
"C:\Program Files (x86)\Windows Media Player\setup_wm.exe" /RunOnce:"C:\Program Files (x86)\Windows Media Player\wmplayer.exe" /prefetch:6 /Open "C:\Users\Admin\AppData\Local\Temp\Soundpad Mohamed m4\sounds\cue.mp3"
C:\Windows\SysWOW64\unregmp2.exe
"C:\Windows\System32\unregmp2.exe" /AsyncFirstLogon
C:\Windows\system32\unregmp2.exe
"C:\Windows\SysNative\unregmp2.exe" /AsyncFirstLogon /REENTRANT
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 228.249.119.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 241.197.17.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 4.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 157.123.68.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 0.204.248.87.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 23.236.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.197.17.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 90.65.42.20.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Local\Temp\wmsetup.log
| MD5 | 07d3a46baace81fc07b93d0a4147ae8b |
| SHA1 | 1587c0e60703e3820cd191899819cee6c313947c |
| SHA256 | f288ce594f845803bc11cbc48fa5f81a52200ebbf03025a9a328f7c9806f4b6d |
| SHA512 | 5ac89788bbdac13c41fd9497e76405d31facfc573a26be7bba1f6c81bce5102af995484ba99d1caa7368cb78bb7d4a7af68ab89e008f71cc310154d18c33572c |
C:\Users\Admin\AppData\Local\Microsoft\Windows Media\12.0\WMSDKNS.XML
| MD5 | 7050d5ae8acfbe560fa11073fef8185d |
| SHA1 | 5bc38e77ff06785fe0aec5a345c4ccd15752560e |
| SHA256 | cb87767c4a384c24e4a0f88455f59101b1ae7b4fb8de8a5adb4136c5f7ee545b |
| SHA512 | a7a295ac8921bb3dde58d4bcde9372ed59def61d4b7699057274960fa8c1d1a1daff834a93f7a0698e9e5c16db43af05e9fd2d6d7c9232f7d26ffcff5fc5900b |
C:\Users\Admin\AppData\Local\Microsoft\Media Player\CurrentDatabase_400.wmdb
| MD5 | 9c481a94abc7eee23cd5234262e60077 |
| SHA1 | 2873225e708fb5461ac60c3613fe12112423f0f0 |
| SHA256 | 681c9665d741ca6ed709cdd79d070ff7f4fdf158e02342f7d47e90a6d962b061 |
| SHA512 | 0579499b5f01649f7e5e3afad07b4c7924d30fbc56dd12b37d9ad46bdefe35fcb6371694c1eff6c42d56c21b1de4c4f40531b27cd32eca1bdf51c6cac41fe668 |
Analysis: behavioral30
Detonation Overview
Submitted
2024-04-07 18:23
Reported
2024-04-07 18:26
Platform
win10v2004-20240226-en
Max time kernel
149s
Max time network
154s
Command Line
Signatures
Enumerates connected drives
| Description | Indicator | Process | Target |
| File opened (read-only) | \??\B: | C:\Windows\system32\unregmp2.exe | N/A |
| File opened (read-only) | \??\E: | C:\Windows\system32\unregmp2.exe | N/A |
| File opened (read-only) | \??\G: | C:\Windows\system32\unregmp2.exe | N/A |
| File opened (read-only) | \??\N: | C:\Windows\system32\unregmp2.exe | N/A |
| File opened (read-only) | \??\P: | C:\Windows\system32\unregmp2.exe | N/A |
| File opened (read-only) | \??\S: | C:\Windows\system32\unregmp2.exe | N/A |
| File opened (read-only) | \??\A: | C:\Windows\system32\unregmp2.exe | N/A |
| File opened (read-only) | \??\I: | C:\Windows\system32\unregmp2.exe | N/A |
| File opened (read-only) | \??\L: | C:\Windows\system32\unregmp2.exe | N/A |
| File opened (read-only) | \??\O: | C:\Windows\system32\unregmp2.exe | N/A |
| File opened (read-only) | \??\T: | C:\Windows\system32\unregmp2.exe | N/A |
| File opened (read-only) | \??\J: | C:\Windows\system32\unregmp2.exe | N/A |
| File opened (read-only) | \??\K: | C:\Windows\system32\unregmp2.exe | N/A |
| File opened (read-only) | \??\Q: | C:\Windows\system32\unregmp2.exe | N/A |
| File opened (read-only) | \??\W: | C:\Windows\system32\unregmp2.exe | N/A |
| File opened (read-only) | \??\Y: | C:\Windows\system32\unregmp2.exe | N/A |
| File opened (read-only) | \??\H: | C:\Windows\system32\unregmp2.exe | N/A |
| File opened (read-only) | \??\M: | C:\Windows\system32\unregmp2.exe | N/A |
| File opened (read-only) | \??\R: | C:\Windows\system32\unregmp2.exe | N/A |
| File opened (read-only) | \??\U: | C:\Windows\system32\unregmp2.exe | N/A |
| File opened (read-only) | \??\V: | C:\Windows\system32\unregmp2.exe | N/A |
| File opened (read-only) | \??\X: | C:\Windows\system32\unregmp2.exe | N/A |
| File opened (read-only) | \??\Z: | C:\Windows\system32\unregmp2.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeShutdownPrivilege | N/A | C:\Windows\system32\unregmp2.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\system32\unregmp2.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Program Files (x86)\Windows Media Player\wmplayer.exe
"C:\Program Files (x86)\Windows Media Player\wmplayer.exe" /prefetch:6 /Open "C:\Users\Admin\AppData\Local\Temp\Soundpad Mohamed m4\sounds\notify\default.m4a"
C:\Program Files (x86)\Windows Media Player\setup_wm.exe
"C:\Program Files (x86)\Windows Media Player\setup_wm.exe" /RunOnce:"C:\Program Files (x86)\Windows Media Player\wmplayer.exe" /prefetch:6 /Open "C:\Users\Admin\AppData\Local\Temp\Soundpad Mohamed m4\sounds\notify\default.m4a"
C:\Windows\SysWOW64\unregmp2.exe
"C:\Windows\System32\unregmp2.exe" /AsyncFirstLogon
C:\Windows\system32\unregmp2.exe
"C:\Windows\SysNative\unregmp2.exe" /AsyncFirstLogon /REENTRANT
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 196.249.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 241.197.17.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 72.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 50.23.12.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 17.143.109.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.197.17.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 2.173.189.20.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Local\Temp\wmsetup.log
| MD5 | aa0f50d9588175b0f3526bedbbff76dc |
| SHA1 | c27b2bcf63be9331779c5a558c5253cf285c0ef7 |
| SHA256 | 68d101d84a67551693ce67e41c296fc6d8bfba3d1925c7d24de9841e702b0287 |
| SHA512 | b1c47cc98a9395080d502560ed93cb7826a7e6de872ea240b32e4e884407f64e9acb9d956b35db143676e4f255e06b302f6c561874f0b6a9dfebf260a5b0615e |
C:\Users\Admin\AppData\Local\Microsoft\Windows Media\12.0\WMSDKNS.XML
| MD5 | 7050d5ae8acfbe560fa11073fef8185d |
| SHA1 | 5bc38e77ff06785fe0aec5a345c4ccd15752560e |
| SHA256 | cb87767c4a384c24e4a0f88455f59101b1ae7b4fb8de8a5adb4136c5f7ee545b |
| SHA512 | a7a295ac8921bb3dde58d4bcde9372ed59def61d4b7699057274960fa8c1d1a1daff834a93f7a0698e9e5c16db43af05e9fd2d6d7c9232f7d26ffcff5fc5900b |
C:\Users\Admin\AppData\Local\Microsoft\Media Player\CurrentDatabase_400.wmdb
| MD5 | 063793e4ba784832026ec8bc3528f7f1 |
| SHA1 | 687d03823d7ab8954826f753a645426cff3c5db4 |
| SHA256 | cb153cb703aea1ba1afe2614cffb086fa781646a285c5ac37354ee933a29cedd |
| SHA512 | 225910c24052dfdf7fca574b12ecef4eb68e990167010f80d7136f03ac6e7faa33233685cbf37b38ee626bb22ff3afeee39e597080e429be3ec241fb30af40c6 |
Analysis: behavioral17
Detonation Overview
Submitted
2024-04-07 18:23
Reported
2024-04-07 18:26
Platform
win7-20240220-en
Max time kernel
121s
Max time network
125s
Command Line
Signatures
Enumerates physical storage devices
Modifies registry class
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000_CLASSES\mo_auto_file\shell\Read\command\ = "\"C:\\Program Files (x86)\\Adobe\\Reader 9.0\\Reader\\AcroRd32.exe\" \"%1\"" | C:\Windows\system32\rundll32.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000_Classes\Local Settings | C:\Windows\system32\rundll32.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000_CLASSES\mo_auto_file | C:\Windows\system32\rundll32.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000_CLASSES\mo_auto_file\ | C:\Windows\system32\rundll32.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000_CLASSES\.mo | C:\Windows\system32\rundll32.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000_CLASSES\.mo\ = "mo_auto_file" | C:\Windows\system32\rundll32.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000_CLASSES\mo_auto_file\shell\Read | C:\Windows\system32\rundll32.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000_CLASSES\mo_auto_file\shell | C:\Windows\system32\rundll32.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000_CLASSES\mo_auto_file\shell\Read\command | C:\Windows\system32\rundll32.exe | N/A |
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2060 wrote to memory of 2584 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\rundll32.exe |
| PID 2060 wrote to memory of 2584 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\rundll32.exe |
| PID 2060 wrote to memory of 2584 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\rundll32.exe |
| PID 2584 wrote to memory of 2284 | N/A | C:\Windows\system32\rundll32.exe | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe |
| PID 2584 wrote to memory of 2284 | N/A | C:\Windows\system32\rundll32.exe | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe |
| PID 2584 wrote to memory of 2284 | N/A | C:\Windows\system32\rundll32.exe | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe |
| PID 2584 wrote to memory of 2284 | N/A | C:\Windows\system32\rundll32.exe | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe |
Processes
C:\Windows\system32\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\Soundpad Mohamed m4\languages\es_ES\translation.mo"
C:\Windows\system32\rundll32.exe
"C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\Soundpad Mohamed m4\languages\es_ES\translation.mo
C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe
"C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\Soundpad Mohamed m4\languages\es_ES\translation.mo"
Network
Files
C:\Users\Admin\AppData\Roaming\Adobe\Acrobat\9.0\SharedDataEvents
| MD5 | cd0f1d5f31605fb9dd562636babae6b8 |
| SHA1 | d8e81c32160f04104bb9e3a73130808fbbb3a147 |
| SHA256 | 60da8dba80e552cab3605c3b0a89567015bb155adfc6c9064cb1522dfcf46102 |
| SHA512 | 44d986ec415f01539254c1ece2bf1b443ee7f1f1e6178927f8b355bef3993af3196a290c6121f35718a797581e59bc5a897a5d055ff6ba4830f486d84be5e9f5 |
Analysis: behavioral20
Detonation Overview
Submitted
2024-04-07 18:23
Reported
2024-04-07 18:26
Platform
win10v2004-20231215-en
Max time kernel
87s
Max time network
154s
Command Line
Signatures
Enumerates connected drives
| Description | Indicator | Process | Target |
| File opened (read-only) | \??\I: | C:\Windows\system32\unregmp2.exe | N/A |
| File opened (read-only) | \??\J: | C:\Windows\system32\unregmp2.exe | N/A |
| File opened (read-only) | \??\L: | C:\Windows\system32\unregmp2.exe | N/A |
| File opened (read-only) | \??\N: | C:\Windows\system32\unregmp2.exe | N/A |
| File opened (read-only) | \??\Z: | C:\Windows\system32\unregmp2.exe | N/A |
| File opened (read-only) | \??\M: | C:\Windows\system32\unregmp2.exe | N/A |
| File opened (read-only) | \??\O: | C:\Windows\system32\unregmp2.exe | N/A |
| File opened (read-only) | \??\Q: | C:\Windows\system32\unregmp2.exe | N/A |
| File opened (read-only) | \??\A: | C:\Windows\system32\unregmp2.exe | N/A |
| File opened (read-only) | \??\B: | C:\Windows\system32\unregmp2.exe | N/A |
| File opened (read-only) | \??\G: | C:\Windows\system32\unregmp2.exe | N/A |
| File opened (read-only) | \??\H: | C:\Windows\system32\unregmp2.exe | N/A |
| File opened (read-only) | \??\K: | C:\Windows\system32\unregmp2.exe | N/A |
| File opened (read-only) | \??\X: | C:\Windows\system32\unregmp2.exe | N/A |
| File opened (read-only) | \??\S: | C:\Windows\system32\unregmp2.exe | N/A |
| File opened (read-only) | \??\T: | C:\Windows\system32\unregmp2.exe | N/A |
| File opened (read-only) | \??\U: | C:\Windows\system32\unregmp2.exe | N/A |
| File opened (read-only) | \??\V: | C:\Windows\system32\unregmp2.exe | N/A |
| File opened (read-only) | \??\W: | C:\Windows\system32\unregmp2.exe | N/A |
| File opened (read-only) | \??\E: | C:\Windows\system32\unregmp2.exe | N/A |
| File opened (read-only) | \??\P: | C:\Windows\system32\unregmp2.exe | N/A |
| File opened (read-only) | \??\R: | C:\Windows\system32\unregmp2.exe | N/A |
| File opened (read-only) | \??\Y: | C:\Windows\system32\unregmp2.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeShutdownPrivilege | N/A | C:\Windows\system32\unregmp2.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\system32\unregmp2.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Program Files (x86)\Windows Media Player\wmplayer.exe
"C:\Program Files (x86)\Windows Media Player\wmplayer.exe" /prefetch:6 /Open "C:\Users\Admin\AppData\Local\Temp\Soundpad Mohamed m4\sounds\ba dum tss.mp3"
C:\Program Files (x86)\Windows Media Player\setup_wm.exe
"C:\Program Files (x86)\Windows Media Player\setup_wm.exe" /RunOnce:"C:\Program Files (x86)\Windows Media Player\wmplayer.exe" /prefetch:6 /Open "C:\Users\Admin\AppData\Local\Temp\Soundpad Mohamed m4\sounds\ba dum tss.mp3"
C:\Windows\SysWOW64\unregmp2.exe
"C:\Windows\System32\unregmp2.exe" /AsyncFirstLogon
C:\Windows\system32\unregmp2.exe
"C:\Windows\SysNative\unregmp2.exe" /AsyncFirstLogon /REENTRANT
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 209.205.72.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 216.197.17.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 17.160.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 228.249.119.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 86.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | www.microsoft.com | udp |
| NL | 72.246.173.187:80 | www.microsoft.com | tcp |
| NL | 72.246.173.187:80 | www.microsoft.com | tcp |
| US | 8.8.8.8:53 | 187.173.246.72.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 17.143.109.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 22.236.111.52.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Local\Temp\wmsetup.log
| MD5 | c45ab4efc36d4129586f3bf62fca67d6 |
| SHA1 | a5d8441b4817f479d9cb7710949c5bc01f1a0cb2 |
| SHA256 | 1527549a5f6d65af788ed8c26bb11e4b6fe8e354fec75970035bf677e2f87a66 |
| SHA512 | 97a8ce5c93b5a716465ce2485755af8c0255c1205329ab9ed817529cc4b12e1946a29c0ff3514c30717d3eb150275b85b80cf5bc35d21f82b50265f8a31535e9 |
C:\Users\Admin\AppData\Local\Microsoft\Windows Media\12.0\WMSDKNS.XML
| MD5 | 7050d5ae8acfbe560fa11073fef8185d |
| SHA1 | 5bc38e77ff06785fe0aec5a345c4ccd15752560e |
| SHA256 | cb87767c4a384c24e4a0f88455f59101b1ae7b4fb8de8a5adb4136c5f7ee545b |
| SHA512 | a7a295ac8921bb3dde58d4bcde9372ed59def61d4b7699057274960fa8c1d1a1daff834a93f7a0698e9e5c16db43af05e9fd2d6d7c9232f7d26ffcff5fc5900b |
C:\Users\Admin\AppData\Local\Microsoft\Media Player\CurrentDatabase_400.wmdb
| MD5 | 987a07b978cfe12e4ce45e513ef86619 |
| SHA1 | 22eec9a9b2e83ad33bedc59e3205f86590b7d40c |
| SHA256 | f1a4a978ce1c4731df1594043135cf58d084fdf129dd1c8e4507c9e06eac5ea8 |
| SHA512 | 39b86540e4d35c84609ef66537b5aa02058e3d4293f902127c7d4eac8ffc65920cb5c69a77552fc085687eed66e38367f83c177046d0ecb8e6d135463cc142aa |
Analysis: behavioral27
Detonation Overview
Submitted
2024-04-07 18:23
Reported
2024-04-07 18:26
Platform
win7-20240221-en
Max time kernel
141s
Max time network
124s
Command Line
Signatures
Suspicious behavior: AddClipboardFormatListener
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\VideoLAN\VLC\vlc.exe | N/A |
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\VideoLAN\VLC\vlc.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: 33 | N/A | C:\Program Files\VideoLAN\VLC\vlc.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Program Files\VideoLAN\VLC\vlc.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\VideoLAN\VLC\vlc.exe | N/A |
| N/A | N/A | C:\Program Files\VideoLAN\VLC\vlc.exe | N/A |
| N/A | N/A | C:\Program Files\VideoLAN\VLC\vlc.exe | N/A |
| N/A | N/A | C:\Program Files\VideoLAN\VLC\vlc.exe | N/A |
| N/A | N/A | C:\Program Files\VideoLAN\VLC\vlc.exe | N/A |
| N/A | N/A | C:\Program Files\VideoLAN\VLC\vlc.exe | N/A |
| N/A | N/A | C:\Program Files\VideoLAN\VLC\vlc.exe | N/A |
| N/A | N/A | C:\Program Files\VideoLAN\VLC\vlc.exe | N/A |
| N/A | N/A | C:\Program Files\VideoLAN\VLC\vlc.exe | N/A |
Suspicious use of SendNotifyMessage
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\VideoLAN\VLC\vlc.exe | N/A |
| N/A | N/A | C:\Program Files\VideoLAN\VLC\vlc.exe | N/A |
| N/A | N/A | C:\Program Files\VideoLAN\VLC\vlc.exe | N/A |
| N/A | N/A | C:\Program Files\VideoLAN\VLC\vlc.exe | N/A |
| N/A | N/A | C:\Program Files\VideoLAN\VLC\vlc.exe | N/A |
| N/A | N/A | C:\Program Files\VideoLAN\VLC\vlc.exe | N/A |
| N/A | N/A | C:\Program Files\VideoLAN\VLC\vlc.exe | N/A |
| N/A | N/A | C:\Program Files\VideoLAN\VLC\vlc.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\VideoLAN\VLC\vlc.exe | N/A |
Processes
C:\Program Files\VideoLAN\VLC\vlc.exe
"C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file "C:\Users\Admin\AppData\Local\Temp\Soundpad Mohamed m4\sounds\notify\auto-keys-enabled.m4a"
Network
Files
Analysis: behavioral6
Detonation Overview
Submitted
2024-04-07 18:23
Reported
2024-04-07 18:26
Platform
win10v2004-20240226-en
Max time kernel
115s
Max time network
147s
Command Line
Signatures
Processes
C:\Windows\system32\NOTEPAD.EXE
C:\Windows\system32\NOTEPAD.EXE "C:\Users\Admin\AppData\Local\Temp\Soundpad Mohamed m4\Readme.txt"
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=3384 --field-trial-handle=3488,i,1267426273081718772,6254127258555406296,262144 --variations-seed-version /prefetch:8
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 228.249.119.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 216.197.17.2.in-addr.arpa | udp |
| NL | 52.142.223.178:80 | | tcp |
| US | 8.8.8.8:53 | 71.31.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 28.118.140.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 31.243.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 50.23.12.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 28.143.109.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 241.197.17.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.197.17.2.in-addr.arpa | udp |
Files
Analysis: behavioral16
Detonation Overview
Submitted
2024-04-07 18:23
Reported
2024-04-07 18:26
Platform
win10v2004-20240226-en
Max time kernel
148s
Max time network
154s
Command Line
Signatures
Enumerates physical storage devices
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-983155329-280873152-1838004294-1000_Classes\Local Settings | C:\Windows\system32\cmd.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-983155329-280873152-1838004294-1000_Classes\Local Settings | C:\Windows\system32\OpenWith.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\OpenWith.exe | N/A |
Processes
C:\Windows\system32\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\Soundpad Mohamed m4\installscript.vdf"
C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 196.249.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 22.160.190.20.in-addr.arpa | udp |
| US | 20.231.121.79:80 | | tcp |
| US | 8.8.8.8:53 | 228.249.119.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 86.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.31.95.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 17.143.109.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 23.236.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 66.229.138.52.in-addr.arpa | udp |
Files
Analysis: behavioral26
Detonation Overview
Submitted
2024-04-07 18:23
Reported
2024-04-07 18:26
Platform
win10v2004-20240226-en
Max time kernel
93s
Max time network
100s
Command Line
Signatures
Enumerates connected drives
| Description | Indicator | Process | Target |
| File opened (read-only) | \??\O: | C:\Windows\system32\unregmp2.exe | N/A |
| File opened (read-only) | \??\Q: | C:\Windows\system32\unregmp2.exe | N/A |
| File opened (read-only) | \??\R: | C:\Windows\system32\unregmp2.exe | N/A |
| File opened (read-only) | \??\V: | C:\Windows\system32\unregmp2.exe | N/A |
| File opened (read-only) | \??\Y: | C:\Windows\system32\unregmp2.exe | N/A |
| File opened (read-only) | \??\H: | C:\Windows\system32\unregmp2.exe | N/A |
| File opened (read-only) | \??\N: | C:\Windows\system32\unregmp2.exe | N/A |
| File opened (read-only) | \??\P: | C:\Windows\system32\unregmp2.exe | N/A |
| File opened (read-only) | \??\X: | C:\Windows\system32\unregmp2.exe | N/A |
| File opened (read-only) | \??\A: | C:\Windows\system32\unregmp2.exe | N/A |
| File opened (read-only) | \??\B: | C:\Windows\system32\unregmp2.exe | N/A |
| File opened (read-only) | \??\I: | C:\Windows\system32\unregmp2.exe | N/A |
| File opened (read-only) | \??\K: | C:\Windows\system32\unregmp2.exe | N/A |
| File opened (read-only) | \??\S: | C:\Windows\system32\unregmp2.exe | N/A |
| File opened (read-only) | \??\W: | C:\Windows\system32\unregmp2.exe | N/A |
| File opened (read-only) | \??\Z: | C:\Windows\system32\unregmp2.exe | N/A |
| File opened (read-only) | \??\E: | C:\Windows\system32\unregmp2.exe | N/A |
| File opened (read-only) | \??\G: | C:\Windows\system32\unregmp2.exe | N/A |
| File opened (read-only) | \??\M: | C:\Windows\system32\unregmp2.exe | N/A |
| File opened (read-only) | \??\T: | C:\Windows\system32\unregmp2.exe | N/A |
| File opened (read-only) | \??\U: | C:\Windows\system32\unregmp2.exe | N/A |
| File opened (read-only) | \??\J: | C:\Windows\system32\unregmp2.exe | N/A |
| File opened (read-only) | \??\L: | C:\Windows\system32\unregmp2.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeShutdownPrivilege | N/A | C:\Windows\system32\unregmp2.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\system32\unregmp2.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Program Files (x86)\Windows Media Player\wmplayer.exe
"C:\Program Files (x86)\Windows Media Player\wmplayer.exe" /prefetch:6 /Open "C:\Users\Admin\AppData\Local\Temp\Soundpad Mohamed m4\sounds\notify\auto-keys-disabled.m4a"
C:\Program Files (x86)\Windows Media Player\setup_wm.exe
"C:\Program Files (x86)\Windows Media Player\setup_wm.exe" /RunOnce:"C:\Program Files (x86)\Windows Media Player\wmplayer.exe" /prefetch:6 /Open "C:\Users\Admin\AppData\Local\Temp\Soundpad Mohamed m4\sounds\notify\auto-keys-disabled.m4a"
C:\Windows\SysWOW64\unregmp2.exe
"C:\Windows\System32\unregmp2.exe" /AsyncFirstLogon
C:\Windows\system32\unregmp2.exe
"C:\Windows\SysNative\unregmp2.exe" /AsyncFirstLogon /REENTRANT
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 196.249.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 216.197.17.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 71.31.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 228.249.119.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 28.118.140.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 50.23.12.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 28.143.109.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 241.197.17.2.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Local\Temp\wmsetup.log
| MD5 | 21c9937116337e834a39741d801e1ab2 |
| SHA1 | ee45b0dfeb00f3095345baa27bf96d634802a651 |
| SHA256 | 1dd5b99bbdf9c60aad68d3f5aa3d6bc38bf9eaf7f3de7803ef9f39dd76b35577 |
| SHA512 | 3bffbd73677663441f03effa7ccf1e09286e92bc8261939b64f18c60ddb73a589af2742e12407bda4b0bb1b7275831c094bd17c15ee59089dae6877d41702637 |
C:\Users\Admin\AppData\Local\Microsoft\Windows Media\12.0\WMSDKNS.XML
| MD5 | 7050d5ae8acfbe560fa11073fef8185d |
| SHA1 | 5bc38e77ff06785fe0aec5a345c4ccd15752560e |
| SHA256 | cb87767c4a384c24e4a0f88455f59101b1ae7b4fb8de8a5adb4136c5f7ee545b |
| SHA512 | a7a295ac8921bb3dde58d4bcde9372ed59def61d4b7699057274960fa8c1d1a1daff834a93f7a0698e9e5c16db43af05e9fd2d6d7c9232f7d26ffcff5fc5900b |
C:\Users\Admin\AppData\Local\Microsoft\Media Player\CurrentDatabase_400.wmdb
| MD5 | 987a07b978cfe12e4ce45e513ef86619 |
| SHA1 | 22eec9a9b2e83ad33bedc59e3205f86590b7d40c |
| SHA256 | f1a4a978ce1c4731df1594043135cf58d084fdf129dd1c8e4507c9e06eac5ea8 |
| SHA512 | 39b86540e4d35c84609ef66537b5aa02058e3d4293f902127c7d4eac8ffc65920cb5c69a77552fc085687eed66e38367f83c177046d0ecb8e6d135463cc142aa |
Analysis: behavioral28
Detonation Overview
Submitted
2024-04-07 18:23
Reported
2024-04-07 18:26
Platform
win10v2004-20231215-en
Max time kernel
150s
Max time network
154s
Command Line
Signatures
Enumerates connected drives
| Description | Indicator | Process | Target |
| File opened (read-only) | \??\A: | C:\Windows\system32\unregmp2.exe | N/A |
| File opened (read-only) | \??\J: | C:\Windows\system32\unregmp2.exe | N/A |
| File opened (read-only) | \??\O: | C:\Windows\system32\unregmp2.exe | N/A |
| File opened (read-only) | \??\P: | C:\Windows\system32\unregmp2.exe | N/A |
| File opened (read-only) | \??\T: | C:\Windows\system32\unregmp2.exe | N/A |
| File opened (read-only) | \??\W: | C:\Windows\system32\unregmp2.exe | N/A |
| File opened (read-only) | \??\B: | C:\Windows\system32\unregmp2.exe | N/A |
| File opened (read-only) | \??\G: | C:\Windows\system32\unregmp2.exe | N/A |
| File opened (read-only) | \??\H: | C:\Windows\system32\unregmp2.exe | N/A |
| File opened (read-only) | \??\K: | C:\Windows\system32\unregmp2.exe | N/A |
| File opened (read-only) | \??\L: | C:\Windows\system32\unregmp2.exe | N/A |
| File opened (read-only) | \??\Q: | C:\Windows\system32\unregmp2.exe | N/A |
| File opened (read-only) | \??\Z: | C:\Windows\system32\unregmp2.exe | N/A |
| File opened (read-only) | \??\I: | C:\Windows\system32\unregmp2.exe | N/A |
| File opened (read-only) | \??\M: | C:\Windows\system32\unregmp2.exe | N/A |
| File opened (read-only) | \??\N: | C:\Windows\system32\unregmp2.exe | N/A |
| File opened (read-only) | \??\R: | C:\Windows\system32\unregmp2.exe | N/A |
| File opened (read-only) | \??\S: | C:\Windows\system32\unregmp2.exe | N/A |
| File opened (read-only) | \??\U: | C:\Windows\system32\unregmp2.exe | N/A |
| File opened (read-only) | \??\V: | C:\Windows\system32\unregmp2.exe | N/A |
| File opened (read-only) | \??\X: | C:\Windows\system32\unregmp2.exe | N/A |
| File opened (read-only) | \??\E: | C:\Windows\system32\unregmp2.exe | N/A |
| File opened (read-only) | \??\Y: | C:\Windows\system32\unregmp2.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeShutdownPrivilege | N/A | C:\Windows\system32\unregmp2.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\system32\unregmp2.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Program Files (x86)\Windows Media Player\wmplayer.exe
"C:\Program Files (x86)\Windows Media Player\wmplayer.exe" /prefetch:6 /Open "C:\Users\Admin\AppData\Local\Temp\Soundpad Mohamed m4\sounds\notify\auto-keys-enabled.m4a"
C:\Program Files (x86)\Windows Media Player\setup_wm.exe
"C:\Program Files (x86)\Windows Media Player\setup_wm.exe" /RunOnce:"C:\Program Files (x86)\Windows Media Player\wmplayer.exe" /prefetch:6 /Open "C:\Users\Admin\AppData\Local\Temp\Soundpad Mohamed m4\sounds\notify\auto-keys-enabled.m4a"
C:\Windows\SysWOW64\unregmp2.exe
"C:\Windows\System32\unregmp2.exe" /AsyncFirstLogon
C:\Windows\system32\unregmp2.exe
"C:\Windows\SysNative\unregmp2.exe" /AsyncFirstLogon /REENTRANT
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 196.249.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 216.197.17.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 81.171.91.138.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 71.31.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 228.249.119.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 86.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 28.143.109.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 241.197.17.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 21.236.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | | udp |
Files
C:\Users\Admin\AppData\Local\Temp\wmsetup.log
| MD5 | c45ab4efc36d4129586f3bf62fca67d6 |
| SHA1 | a5d8441b4817f479d9cb7710949c5bc01f1a0cb2 |
| SHA256 | 1527549a5f6d65af788ed8c26bb11e4b6fe8e354fec75970035bf677e2f87a66 |
| SHA512 | 97a8ce5c93b5a716465ce2485755af8c0255c1205329ab9ed817529cc4b12e1946a29c0ff3514c30717d3eb150275b85b80cf5bc35d21f82b50265f8a31535e9 |
C:\Users\Admin\AppData\Local\Microsoft\Windows Media\12.0\WMSDKNS.XML.bak
| MD5 | 7050d5ae8acfbe560fa11073fef8185d |
| SHA1 | 5bc38e77ff06785fe0aec5a345c4ccd15752560e |
| SHA256 | cb87767c4a384c24e4a0f88455f59101b1ae7b4fb8de8a5adb4136c5f7ee545b |
| SHA512 | a7a295ac8921bb3dde58d4bcde9372ed59def61d4b7699057274960fa8c1d1a1daff834a93f7a0698e9e5c16db43af05e9fd2d6d7c9232f7d26ffcff5fc5900b |
C:\Users\Admin\AppData\Local\Microsoft\Media Player\CurrentDatabase_400.wmdb
| MD5 | c7ca2711d80cd052da0d98ce7e6dec6b |
| SHA1 | b051f0425224cf70e3a10636c21bf113bd1cd301 |
| SHA256 | a0c1147d7f6adb99735dc3fa370ef6fb8e6ddd3687eb7afd677af5c71df6957f |
| SHA512 | 487b985fe8a4fb9a0cb59ffb0b485133e0b089115e36b9bc3f0cbb64babd899daf1b282a9554b45874a59a4c7d9c07db370650c28a5731bde50f52e66a0fc0af |
Analysis: behavioral5
Detonation Overview
Submitted
2024-04-07 18:23
Reported
2024-04-07 18:26
Platform
win7-20240319-en
Max time kernel
122s
Max time network
130s
Command Line
Signatures
Processes
C:\Windows\system32\NOTEPAD.EXE
C:\Windows\system32\NOTEPAD.EXE "C:\Users\Admin\AppData\Local\Temp\Soundpad Mohamed m4\Readme.txt"
Network
Files
Analysis: behavioral12
Detonation Overview
Submitted
2024-04-07 18:23
Reported
2024-04-07 18:26
Platform
win10v2004-20240226-en
Max time kernel
149s
Max time network
156s
Command Line
Signatures
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe "C:\Users\Admin\AppData\Local\Temp\Soundpad Mohamed m4\UniteFxControl.dll",#1
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 133.211.185.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 241.197.17.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 71.31.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 196.249.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 28.118.140.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 159.113.53.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 79.121.231.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 157.123.68.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 17.143.109.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 216.197.17.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 249.197.17.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 43.229.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 27.178.89.13.in-addr.arpa | udp |
Files
Analysis: behavioral31
Detonation Overview
Submitted
2024-04-07 18:23
Reported
2024-04-07 18:26
Platform
win7-20240221-en
Max time kernel
140s
Max time network
123s
Command Line
Signatures
Suspicious behavior: AddClipboardFormatListener
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\VideoLAN\VLC\vlc.exe | N/A |
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\VideoLAN\VLC\vlc.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: 33 | N/A | C:\Program Files\VideoLAN\VLC\vlc.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Program Files\VideoLAN\VLC\vlc.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\VideoLAN\VLC\vlc.exe | N/A |
| N/A | N/A | C:\Program Files\VideoLAN\VLC\vlc.exe | N/A |
| N/A | N/A | C:\Program Files\VideoLAN\VLC\vlc.exe | N/A |
| N/A | N/A | C:\Program Files\VideoLAN\VLC\vlc.exe | N/A |
| N/A | N/A | C:\Program Files\VideoLAN\VLC\vlc.exe | N/A |
| N/A | N/A | C:\Program Files\VideoLAN\VLC\vlc.exe | N/A |
| N/A | N/A | C:\Program Files\VideoLAN\VLC\vlc.exe | N/A |
| N/A | N/A | C:\Program Files\VideoLAN\VLC\vlc.exe | N/A |
| N/A | N/A | C:\Program Files\VideoLAN\VLC\vlc.exe | N/A |
Suspicious use of SendNotifyMessage
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\VideoLAN\VLC\vlc.exe | N/A |
| N/A | N/A | C:\Program Files\VideoLAN\VLC\vlc.exe | N/A |
| N/A | N/A | C:\Program Files\VideoLAN\VLC\vlc.exe | N/A |
| N/A | N/A | C:\Program Files\VideoLAN\VLC\vlc.exe | N/A |
| N/A | N/A | C:\Program Files\VideoLAN\VLC\vlc.exe | N/A |
| N/A | N/A | C:\Program Files\VideoLAN\VLC\vlc.exe | N/A |
| N/A | N/A | C:\Program Files\VideoLAN\VLC\vlc.exe | N/A |
| N/A | N/A | C:\Program Files\VideoLAN\VLC\vlc.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\VideoLAN\VLC\vlc.exe | N/A |
Processes
C:\Program Files\VideoLAN\VLC\vlc.exe
"C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file "C:\Users\Admin\AppData\Local\Temp\Soundpad Mohamed m4\sounds\notify\disabled.m4a"
Network
Files
Analysis: behavioral3
Detonation Overview
Submitted
2024-04-07 18:23
Reported
2024-04-07 18:26
Platform
win7-20240221-en
Max time kernel
122s
Max time network
126s
Command Line
Signatures
Enumerates physical storage devices
Modifies registry class
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000_CLASSES\cfg_auto_file\shell\Read\command\ = "\"C:\\Program Files (x86)\\Adobe\\Reader 9.0\\Reader\\AcroRd32.exe\" \"%1\"" | C:\Windows\system32\rundll32.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000_CLASSES\cfg_auto_file\ | C:\Windows\system32\rundll32.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000_CLASSES\.cfg | C:\Windows\system32\rundll32.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000_CLASSES\cfg_auto_file\shell\Read | C:\Windows\system32\rundll32.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000_CLASSES\cfg_auto_file\shell | C:\Windows\system32\rundll32.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000_Classes\Local Settings | C:\Windows\system32\rundll32.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000_CLASSES\cfg_auto_file | C:\Windows\system32\rundll32.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000_CLASSES\.cfg\ = "cfg_auto_file" | C:\Windows\system32\rundll32.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000_CLASSES\cfg_auto_file\shell\Read\command | C:\Windows\system32\rundll32.exe | N/A |
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 1132 wrote to memory of 2636 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\rundll32.exe |
| PID 1132 wrote to memory of 2636 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\rundll32.exe |
| PID 1132 wrote to memory of 2636 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\rundll32.exe |
| PID 2636 wrote to memory of 2576 | N/A | C:\Windows\system32\rundll32.exe | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe |
| PID 2636 wrote to memory of 2576 | N/A | C:\Windows\system32\rundll32.exe | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe |
| PID 2636 wrote to memory of 2576 | N/A | C:\Windows\system32\rundll32.exe | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe |
| PID 2636 wrote to memory of 2576 | N/A | C:\Windows\system32\rundll32.exe | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe |
Processes
C:\Windows\system32\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\Soundpad Mohamed m4\Profile\CRACKED BY Ray_Black\SteamUserID.cfg"
C:\Windows\system32\rundll32.exe
"C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\Soundpad Mohamed m4\Profile\CRACKED BY Ray_Black\SteamUserID.cfg
C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe
"C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\Soundpad Mohamed m4\Profile\CRACKED BY Ray_Black\SteamUserID.cfg"
Network
Files
C:\Users\Admin\AppData\Roaming\Adobe\Acrobat\9.0\SharedDataEvents
| MD5 | 0b3c2e8634cba555e2d5d4e54c1da826 |
| SHA1 | c8edacf306a65cd18548d0fb3b26ccced4f1c6cc |
| SHA256 | fe30277737006b59285192989af8d543d55dc416cfb3e56dd9003062f4183d06 |
| SHA512 | 097c42e7e1ab0f8c4acada0a9348131cbf703a4f00004dcef79aa69601d97d969a60fed5f26df7c1c3487a49b5c8d891865c9e3c3c8d035d9570237c18026335 |
Analysis: behavioral13
Detonation Overview
Submitted
2024-04-07 18:23
Reported
2024-04-07 18:26
Platform
win7-20240221-en
Max time kernel
119s
Max time network
123s
Command Line
Signatures
Modifies registry class
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\AudioEngine\AudioProcessingObjects\{27384E53-9860-0AC1-9519-C60EBCAA2C71}\FriendlyName = "UniteFx" | C:\Windows\system32\regsvr32.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\AudioEngine\AudioProcessingObjects\{27384E53-9860-0AC1-9519-C60EBCAA2C71}\Flags = "14" | C:\Windows\system32\regsvr32.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\AudioEngine\AudioProcessingObjects\{27384E53-9860-0AC1-9519-C60EBCAA2C71}\MaxInstances = "4294967295" | C:\Windows\system32\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\AudioEngine\AudioProcessingObjects\{27384E53-9860-0AC1-9519-C60EBCAA2C71}\APOInterface0 = "{FD7F2B29-24D0-4B5C-B177-592C39F9CA10}" | C:\Windows\system32\regsvr32.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\AudioEngine\AudioProcessingObjects\{27384E53-9860-0AC1-9519-C60EBCAA2C71}\MinorVersion = "6" | C:\Windows\system32\regsvr32.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\AudioEngine\AudioProcessingObjects\{27384E53-9860-0AC1-9519-C60EBCAA2C71}\NumAPOInterfaces = "1" | C:\Windows\system32\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\AudioEngine\AudioProcessingObjects | C:\Windows\system32\regsvr32.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\AudioEngine\AudioProcessingObjects\{27384E53-9860-0AC1-9519-C60EBCAA2C71}\MajorVersion = "1" | C:\Windows\system32\regsvr32.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\AudioEngine\AudioProcessingObjects\{27384E53-9860-0AC1-9519-C60EBCAA2C71}\MinInputConnections = "1" | C:\Windows\system32\regsvr32.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\AudioEngine\AudioProcessingObjects\{27384E53-9860-0AC1-9519-C60EBCAA2C71}\MaxInputConnections = "1" | C:\Windows\system32\regsvr32.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\AudioEngine\AudioProcessingObjects\{27384E53-9860-0AC1-9519-C60EBCAA2C71}\MinOutputConnections = "1" | C:\Windows\system32\regsvr32.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\AudioEngine\AudioProcessingObjects\{27384E53-9860-0AC1-9519-C60EBCAA2C71}\MaxOutputConnections = "1" | C:\Windows\system32\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\AudioEngine\AudioProcessingObjects\{27384E53-9860-0AC1-9519-C60EBCAA2C71} | C:\Windows\system32\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\AudioEngine\AudioProcessingObjects\{27384E53-9860-0AC1-9519-C60EBCAA2C71}\Copyright = "Copyright (C) 2016-2019 Leppsoft" | C:\Windows\system32\regsvr32.exe | N/A |
Processes
C:\Windows\system32\regsvr32.exe
regsvr32 /s "C:\Users\Admin\AppData\Local\Temp\Soundpad Mohamed m4\UniteFxUpdate.dll"
Network
Files
Analysis: behavioral15
Detonation Overview
Submitted
2024-04-07 18:23
Reported
2024-04-07 18:26
Platform
win7-20240221-en
Max time kernel
118s
Max time network
124s
Command Line
Signatures
Enumerates physical storage devices
Modifies registry class
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000_CLASSES\vdf_auto_file\shell\Read\command\ = "\"C:\\Program Files (x86)\\Adobe\\Reader 9.0\\Reader\\AcroRd32.exe\" \"%1\"" | C:\Windows\system32\rundll32.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000_CLASSES\vdf_auto_file | C:\Windows\system32\rundll32.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000_CLASSES\.vdf | C:\Windows\system32\rundll32.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000_CLASSES\vdf_auto_file\shell | C:\Windows\system32\rundll32.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000_CLASSES\vdf_auto_file\shell\Read\command | C:\Windows\system32\rundll32.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000_Classes\Local Settings | C:\Windows\system32\rundll32.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000_CLASSES\vdf_auto_file\ | C:\Windows\system32\rundll32.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000_CLASSES\.vdf\ = "vdf_auto_file" | C:\Windows\system32\rundll32.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000_CLASSES\vdf_auto_file\shell\Read | C:\Windows\system32\rundll32.exe | N/A |
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 1308 wrote to memory of 2696 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\rundll32.exe |
| PID 1308 wrote to memory of 2696 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\rundll32.exe |
| PID 1308 wrote to memory of 2696 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\rundll32.exe |
| PID 2696 wrote to memory of 2540 | N/A | C:\Windows\system32\rundll32.exe | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe |
| PID 2696 wrote to memory of 2540 | N/A | C:\Windows\system32\rundll32.exe | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe |
| PID 2696 wrote to memory of 2540 | N/A | C:\Windows\system32\rundll32.exe | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe |
| PID 2696 wrote to memory of 2540 | N/A | C:\Windows\system32\rundll32.exe | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe |
Processes
C:\Windows\system32\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\Soundpad Mohamed m4\installscript.vdf"
C:\Windows\system32\rundll32.exe
"C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\Soundpad Mohamed m4\installscript.vdf
C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe
"C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\Soundpad Mohamed m4\installscript.vdf"
Network
Files
C:\Users\Admin\AppData\Roaming\Adobe\Acrobat\9.0\SharedDataEvents
| MD5 | d9730b481e4f3e62ebc14cd7de272027 |
| SHA1 | 8910d274f35731a1cd8027a96ba5f70079b34ff9 |
| SHA256 | 49cdc1119662635e740c05818b6e4e57f0be74043218cf7686be49323b92c37a |
| SHA512 | 6aa78f93570b50ba553e8acc9f31f7832177282619c434542c96e01633956ea3aea63a89efc9a691c50518d28fb340482942e5173398bec334d35dad565246df |
Analysis: behavioral19
Detonation Overview
Submitted
2024-04-07 18:23
Reported
2024-04-07 18:26
Platform
win7-20240319-en
Max time kernel
141s
Max time network
132s
Command Line
Signatures
Suspicious behavior: AddClipboardFormatListener
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\VideoLAN\VLC\vlc.exe | N/A |
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\VideoLAN\VLC\vlc.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: 33 | N/A | C:\Program Files\VideoLAN\VLC\vlc.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Program Files\VideoLAN\VLC\vlc.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\VideoLAN\VLC\vlc.exe | N/A |
| N/A | N/A | C:\Program Files\VideoLAN\VLC\vlc.exe | N/A |
| N/A | N/A | C:\Program Files\VideoLAN\VLC\vlc.exe | N/A |
| N/A | N/A | C:\Program Files\VideoLAN\VLC\vlc.exe | N/A |
| N/A | N/A | C:\Program Files\VideoLAN\VLC\vlc.exe | N/A |
| N/A | N/A | C:\Program Files\VideoLAN\VLC\vlc.exe | N/A |
| N/A | N/A | C:\Program Files\VideoLAN\VLC\vlc.exe | N/A |
| N/A | N/A | C:\Program Files\VideoLAN\VLC\vlc.exe | N/A |
| N/A | N/A | C:\Program Files\VideoLAN\VLC\vlc.exe | N/A |
Suspicious use of SendNotifyMessage
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\VideoLAN\VLC\vlc.exe | N/A |
| N/A | N/A | C:\Program Files\VideoLAN\VLC\vlc.exe | N/A |
| N/A | N/A | C:\Program Files\VideoLAN\VLC\vlc.exe | N/A |
| N/A | N/A | C:\Program Files\VideoLAN\VLC\vlc.exe | N/A |
| N/A | N/A | C:\Program Files\VideoLAN\VLC\vlc.exe | N/A |
| N/A | N/A | C:\Program Files\VideoLAN\VLC\vlc.exe | N/A |
| N/A | N/A | C:\Program Files\VideoLAN\VLC\vlc.exe | N/A |
| N/A | N/A | C:\Program Files\VideoLAN\VLC\vlc.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\VideoLAN\VLC\vlc.exe | N/A |
Processes
C:\Program Files\VideoLAN\VLC\vlc.exe
"C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file "C:\Users\Admin\AppData\Local\Temp\Soundpad Mohamed m4\sounds\ba dum tss.mp3"
Network
Files
memory/1192-5-0x000000013F070000-0x000000013F168000-memory.dmp
memory/1192-6-0x000007FEF70D0000-0x000007FEF7104000-memory.dmp
memory/1192-7-0x000007FEF5710000-0x000007FEF59C6000-memory.dmp
memory/1192-9-0x000007FEF7120000-0x000007FEF7137000-memory.dmp
memory/1192-8-0x000007FEFAE50000-0x000007FEFAE68000-memory.dmp
memory/1192-10-0x000007FEF6400000-0x000007FEF6411000-memory.dmp
memory/1192-12-0x000007FEF63C0000-0x000007FEF63D1000-memory.dmp
memory/1192-11-0x000007FEF63E0000-0x000007FEF63F7000-memory.dmp
memory/1192-13-0x000007FEF5F70000-0x000007FEF5F8D000-memory.dmp
memory/1192-14-0x000007FEF5F00000-0x000007FEF5F11000-memory.dmp
memory/1192-15-0x000007FEF5500000-0x000007FEF570B000-memory.dmp
memory/1192-16-0x000007FEF4450000-0x000007FEF5500000-memory.dmp
memory/1192-17-0x000007FEF5E00000-0x000007FEF5E41000-memory.dmp
memory/1192-18-0x000007FEF5DD0000-0x000007FEF5DF1000-memory.dmp
memory/1192-19-0x000007FEF5DB0000-0x000007FEF5DC8000-memory.dmp
memory/1192-20-0x000007FEF5D90000-0x000007FEF5DA1000-memory.dmp
memory/1192-21-0x000007FEF5D70000-0x000007FEF5D81000-memory.dmp
memory/1192-22-0x000007FEF5D50000-0x000007FEF5D61000-memory.dmp
memory/1192-23-0x000007FEF4430000-0x000007FEF444B000-memory.dmp
memory/1192-24-0x000007FEF4410000-0x000007FEF4421000-memory.dmp
memory/1192-27-0x000007FEF4350000-0x000007FEF43B7000-memory.dmp
memory/1192-26-0x000007FEF43C0000-0x000007FEF43F0000-memory.dmp
memory/1192-25-0x000007FEF43F0000-0x000007FEF4408000-memory.dmp
memory/1192-28-0x000007FEF42D0000-0x000007FEF434C000-memory.dmp
memory/1192-29-0x000007FEF42B0000-0x000007FEF42C1000-memory.dmp
memory/1192-30-0x000007FEF4290000-0x000007FEF42A8000-memory.dmp
memory/1192-31-0x000007FEF4270000-0x000007FEF4281000-memory.dmp
memory/1192-32-0x000007FEF4210000-0x000007FEF4267000-memory.dmp
memory/1192-35-0x000007FEF41A0000-0x000007FEF41B1000-memory.dmp
memory/1192-34-0x000007FEF41C0000-0x000007FEF41D3000-memory.dmp
memory/1192-33-0x000007FEF41E0000-0x000007FEF420F000-memory.dmp
memory/1192-36-0x000007FEF40D0000-0x000007FEF4195000-memory.dmp
memory/1192-37-0x000007FEF40B0000-0x000007FEF40C3000-memory.dmp
memory/1192-38-0x000007FEF4090000-0x000007FEF40A1000-memory.dmp
memory/1192-39-0x000007FEF4070000-0x000007FEF4084000-memory.dmp
memory/1192-40-0x000007FEF4050000-0x000007FEF4062000-memory.dmp
memory/1192-41-0x000007FEF4030000-0x000007FEF4044000-memory.dmp
memory/1192-42-0x000007FEF4010000-0x000007FEF402E000-memory.dmp
memory/1192-43-0x000007FEF3FF0000-0x000007FEF4007000-memory.dmp
memory/1192-45-0x000007FEF3FB0000-0x000007FEF3FC4000-memory.dmp
memory/1192-44-0x000007FEF3FD0000-0x000007FEF3FE5000-memory.dmp
memory/1192-46-0x000007FEF3F80000-0x000007FEF3FAC000-memory.dmp
memory/1192-47-0x000007FEF3F60000-0x000007FEF3F73000-memory.dmp
memory/1192-48-0x000007FEF3F20000-0x000007FEF3F51000-memory.dmp
memory/1192-49-0x000007FEF3F00000-0x000007FEF3F16000-memory.dmp
memory/1192-50-0x000007FEF2690000-0x000007FEF3EFF000-memory.dmp
memory/1192-51-0x000007FEF2670000-0x000007FEF2681000-memory.dmp
memory/1192-52-0x000007FEF2650000-0x000007FEF2662000-memory.dmp
memory/1192-53-0x000007FEF24D0000-0x000007FEF2650000-memory.dmp
memory/1192-54-0x000007FEF24B0000-0x000007FEF24C7000-memory.dmp
memory/1192-55-0x000007FEF2450000-0x000007FEF24A7000-memory.dmp
memory/1192-56-0x000007FEF2420000-0x000007FEF2448000-memory.dmp
memory/1192-57-0x000007FEF23F0000-0x000007FEF2414000-memory.dmp
memory/1192-58-0x000007FEF7190000-0x000007FEF71A0000-memory.dmp
memory/1192-59-0x000007FEF23D0000-0x000007FEF23E6000-memory.dmp
memory/1192-60-0x000007FEF2380000-0x000007FEF23C2000-memory.dmp
memory/1192-61-0x000007FEF2310000-0x000007FEF2372000-memory.dmp
memory/1192-62-0x000007FEF22A0000-0x000007FEF230D000-memory.dmp
memory/1192-63-0x000007FEF2280000-0x000007FEF2295000-memory.dmp
memory/1192-64-0x000007FEF2240000-0x000007FEF2251000-memory.dmp
memory/1192-65-0x000007FEF2220000-0x000007FEF2232000-memory.dmp
memory/1192-66-0x000007FEF20A0000-0x000007FEF221A000-memory.dmp
Analysis: behavioral23
Detonation Overview
Submitted
2024-04-07 18:23
Reported
2024-04-07 18:26
Platform
win7-20240221-en
Max time kernel
140s
Max time network
126s
Command Line
Signatures
Suspicious behavior: AddClipboardFormatListener
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\VideoLAN\VLC\vlc.exe | N/A |
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\VideoLAN\VLC\vlc.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: 33 | N/A | C:\Program Files\VideoLAN\VLC\vlc.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Program Files\VideoLAN\VLC\vlc.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\VideoLAN\VLC\vlc.exe | N/A |
| N/A | N/A | C:\Program Files\VideoLAN\VLC\vlc.exe | N/A |
| N/A | N/A | C:\Program Files\VideoLAN\VLC\vlc.exe | N/A |
| N/A | N/A | C:\Program Files\VideoLAN\VLC\vlc.exe | N/A |
| N/A | N/A | C:\Program Files\VideoLAN\VLC\vlc.exe | N/A |
| N/A | N/A | C:\Program Files\VideoLAN\VLC\vlc.exe | N/A |
| N/A | N/A | C:\Program Files\VideoLAN\VLC\vlc.exe | N/A |
| N/A | N/A | C:\Program Files\VideoLAN\VLC\vlc.exe | N/A |
| N/A | N/A | C:\Program Files\VideoLAN\VLC\vlc.exe | N/A |
Suspicious use of SendNotifyMessage
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\VideoLAN\VLC\vlc.exe | N/A |
| N/A | N/A | C:\Program Files\VideoLAN\VLC\vlc.exe | N/A |
| N/A | N/A | C:\Program Files\VideoLAN\VLC\vlc.exe | N/A |
| N/A | N/A | C:\Program Files\VideoLAN\VLC\vlc.exe | N/A |
| N/A | N/A | C:\Program Files\VideoLAN\VLC\vlc.exe | N/A |
| N/A | N/A | C:\Program Files\VideoLAN\VLC\vlc.exe | N/A |
| N/A | N/A | C:\Program Files\VideoLAN\VLC\vlc.exe | N/A |
| N/A | N/A | C:\Program Files\VideoLAN\VLC\vlc.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\VideoLAN\VLC\vlc.exe | N/A |
Processes
C:\Program Files\VideoLAN\VLC\vlc.exe
"C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file "C:\Users\Admin\AppData\Local\Temp\Soundpad Mohamed m4\sounds\firework.mp3"
Network
Files
memory/1736-5-0x000000013F2C0000-0x000000013F3B8000-memory.dmp
memory/1736-6-0x000007FEF8130000-0x000007FEF8164000-memory.dmp
memory/1736-7-0x000007FEF6080000-0x000007FEF6334000-memory.dmp
memory/1736-8-0x000007FEFB940000-0x000007FEFB958000-memory.dmp
memory/1736-9-0x000007FEFA8C0000-0x000007FEFA8D7000-memory.dmp
memory/1736-10-0x000007FEF8110000-0x000007FEF8121000-memory.dmp
memory/1736-11-0x000007FEF7330000-0x000007FEF7347000-memory.dmp
memory/1736-12-0x000007FEF7310000-0x000007FEF7321000-memory.dmp
memory/1736-13-0x000007FEF72F0000-0x000007FEF730D000-memory.dmp
memory/1736-14-0x000007FEF5E80000-0x000007FEF6080000-memory.dmp
memory/1736-15-0x000007FEF67A0000-0x000007FEF67B1000-memory.dmp
memory/1736-16-0x000007FEF6760000-0x000007FEF679F000-memory.dmp
memory/1736-17-0x000007FEF6730000-0x000007FEF6751000-memory.dmp
memory/1736-18-0x000007FEF6710000-0x000007FEF6728000-memory.dmp
memory/1736-19-0x000007FEF4DD0000-0x000007FEF5E7B000-memory.dmp
memory/1736-20-0x000007FEF66F0000-0x000007FEF6701000-memory.dmp
memory/1736-21-0x000007FEF66D0000-0x000007FEF66E1000-memory.dmp
memory/1736-22-0x000007FEF66B0000-0x000007FEF66C1000-memory.dmp
memory/1736-25-0x000007FEF4D70000-0x000007FEF4D88000-memory.dmp
memory/1736-26-0x000007FEF4D40000-0x000007FEF4D70000-memory.dmp
memory/1736-27-0x000007FEF4CD0000-0x000007FEF4D37000-memory.dmp
memory/1736-24-0x000007FEF4D90000-0x000007FEF4DA1000-memory.dmp
memory/1736-28-0x000007FEF4C60000-0x000007FEF4CCF000-memory.dmp
memory/1736-29-0x000007FEF4C40000-0x000007FEF4C51000-memory.dmp
memory/1736-30-0x000007FEF4C20000-0x000007FEF4C37000-memory.dmp
memory/1736-23-0x000007FEF4DB0000-0x000007FEF4DCB000-memory.dmp
memory/1736-31-0x000007FEF4C00000-0x000007FEF4C11000-memory.dmp
memory/1736-32-0x000007FEF4BA0000-0x000007FEF4BF7000-memory.dmp
memory/1736-33-0x000007FEF4B70000-0x000007FEF4B9F000-memory.dmp
memory/1736-34-0x000007FEF4B50000-0x000007FEF4B63000-memory.dmp
memory/1736-35-0x000007FEF4B30000-0x000007FEF4B41000-memory.dmp
memory/1736-36-0x000007FEF4A60000-0x000007FEF4B25000-memory.dmp
memory/1736-37-0x000007FEF4A40000-0x000007FEF4A52000-memory.dmp
memory/1736-38-0x000007FEF4A20000-0x000007FEF4A31000-memory.dmp
memory/1736-39-0x000007FEF4A00000-0x000007FEF4A14000-memory.dmp
memory/1736-40-0x000007FEF49E0000-0x000007FEF49F2000-memory.dmp
memory/1736-42-0x000007FEF49A0000-0x000007FEF49BE000-memory.dmp
memory/1736-41-0x000007FEF49C0000-0x000007FEF49D4000-memory.dmp
memory/1736-45-0x000007FEF4940000-0x000007FEF4954000-memory.dmp
memory/1736-44-0x000007FEF4960000-0x000007FEF4975000-memory.dmp
memory/1736-46-0x000007FEF4910000-0x000007FEF493C000-memory.dmp
memory/1736-43-0x000007FEF4980000-0x000007FEF4996000-memory.dmp
memory/1736-48-0x000007FEF48C0000-0x000007FEF48F0000-memory.dmp
memory/1736-49-0x000007FEF48A0000-0x000007FEF48B7000-memory.dmp
memory/1736-47-0x000007FEF48F0000-0x000007FEF4902000-memory.dmp
memory/1736-50-0x000007FEF30F0000-0x000007FEF48A0000-memory.dmp
memory/1736-52-0x000007FEF30B0000-0x000007FEF30C2000-memory.dmp
memory/1736-51-0x000007FEF30D0000-0x000007FEF30E1000-memory.dmp
memory/1736-53-0x000007FEF2F30000-0x000007FEF30A8000-memory.dmp
memory/1736-54-0x000007FEF2F10000-0x000007FEF2F27000-memory.dmp
memory/1736-55-0x000007FEF2EB0000-0x000007FEF2F06000-memory.dmp
memory/1736-56-0x000007FEF2E80000-0x000007FEF2EA8000-memory.dmp
memory/1736-58-0x000007FEFA8B0000-0x000007FEFA8C0000-memory.dmp
memory/1736-57-0x000007FEF2E50000-0x000007FEF2E74000-memory.dmp
memory/1736-59-0x000007FEF2E30000-0x000007FEF2E46000-memory.dmp
memory/1736-60-0x000007FEF2DB0000-0x000007FEF2E25000-memory.dmp
memory/1736-61-0x000007FEF2D40000-0x000007FEF2DA2000-memory.dmp
memory/1736-62-0x000007FEF2CD0000-0x000007FEF2D3D000-memory.dmp
memory/1736-63-0x000007FEF2CB0000-0x000007FEF2CC5000-memory.dmp
memory/1736-65-0x000007FEF2C50000-0x000007FEF2C62000-memory.dmp
memory/1736-64-0x000007FEF2C70000-0x000007FEF2C81000-memory.dmp
memory/1736-66-0x000007FEF2AD0000-0x000007FEF2C4A000-memory.dmp
Analysis: behavioral25
Detonation Overview
Submitted
2024-04-07 18:23
Reported
2024-04-07 18:26
Platform
win7-20240221-en
Max time kernel
141s
Max time network
127s
Command Line
Signatures
Suspicious behavior: AddClipboardFormatListener
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\VideoLAN\VLC\vlc.exe | N/A |
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\VideoLAN\VLC\vlc.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: 33 | N/A | C:\Program Files\VideoLAN\VLC\vlc.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Program Files\VideoLAN\VLC\vlc.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\VideoLAN\VLC\vlc.exe | N/A |
| N/A | N/A | C:\Program Files\VideoLAN\VLC\vlc.exe | N/A |
| N/A | N/A | C:\Program Files\VideoLAN\VLC\vlc.exe | N/A |
| N/A | N/A | C:\Program Files\VideoLAN\VLC\vlc.exe | N/A |
| N/A | N/A | C:\Program Files\VideoLAN\VLC\vlc.exe | N/A |
| N/A | N/A | C:\Program Files\VideoLAN\VLC\vlc.exe | N/A |
| N/A | N/A | C:\Program Files\VideoLAN\VLC\vlc.exe | N/A |
| N/A | N/A | C:\Program Files\VideoLAN\VLC\vlc.exe | N/A |
| N/A | N/A | C:\Program Files\VideoLAN\VLC\vlc.exe | N/A |
Suspicious use of SendNotifyMessage
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\VideoLAN\VLC\vlc.exe | N/A |
| N/A | N/A | C:\Program Files\VideoLAN\VLC\vlc.exe | N/A |
| N/A | N/A | C:\Program Files\VideoLAN\VLC\vlc.exe | N/A |
| N/A | N/A | C:\Program Files\VideoLAN\VLC\vlc.exe | N/A |
| N/A | N/A | C:\Program Files\VideoLAN\VLC\vlc.exe | N/A |
| N/A | N/A | C:\Program Files\VideoLAN\VLC\vlc.exe | N/A |
| N/A | N/A | C:\Program Files\VideoLAN\VLC\vlc.exe | N/A |
| N/A | N/A | C:\Program Files\VideoLAN\VLC\vlc.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\VideoLAN\VLC\vlc.exe | N/A |
Processes
C:\Program Files\VideoLAN\VLC\vlc.exe
"C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file "C:\Users\Admin\AppData\Local\Temp\Soundpad Mohamed m4\sounds\notify\auto-keys-disabled.m4a"
Network
Files
memory/2700-5-0x000000013F3F0000-0x000000013F4E8000-memory.dmp
memory/2700-6-0x000007FEFAAA0000-0x000007FEFAAD4000-memory.dmp
memory/2700-7-0x000007FEF5BA0000-0x000007FEF5E54000-memory.dmp
memory/2700-8-0x000007FEFB6F0000-0x000007FEFB708000-memory.dmp
memory/2700-11-0x000007FEFAA60000-0x000007FEFAA77000-memory.dmp
memory/2700-10-0x000007FEFAA80000-0x000007FEFAA91000-memory.dmp
memory/2700-9-0x000007FEFAD20000-0x000007FEFAD37000-memory.dmp
memory/2700-12-0x000007FEF73B0000-0x000007FEF73C1000-memory.dmp
memory/2700-13-0x000007FEF7390000-0x000007FEF73AD000-memory.dmp
memory/2700-14-0x000007FEF72F0000-0x000007FEF7301000-memory.dmp
memory/2700-15-0x000007FEF4AF0000-0x000007FEF5B9B000-memory.dmp
memory/2700-16-0x000007FEF48F0000-0x000007FEF4AF0000-memory.dmp
memory/2700-17-0x000007FEF6790000-0x000007FEF67CF000-memory.dmp
memory/2700-18-0x000007FEF6760000-0x000007FEF6781000-memory.dmp
memory/2700-19-0x000007FEF72D0000-0x000007FEF72E8000-memory.dmp
memory/2700-20-0x000007FEF6740000-0x000007FEF6751000-memory.dmp
memory/2700-21-0x000007FEF62C0000-0x000007FEF62D1000-memory.dmp
memory/2700-22-0x000007FEF62A0000-0x000007FEF62B1000-memory.dmp
memory/2700-24-0x000007FEF6260000-0x000007FEF6271000-memory.dmp
memory/2700-23-0x000007FEF6280000-0x000007FEF629B000-memory.dmp
memory/2700-25-0x000007FEF6240000-0x000007FEF6258000-memory.dmp
memory/2700-26-0x000007FEF6210000-0x000007FEF6240000-memory.dmp
memory/2700-27-0x000007FEF4880000-0x000007FEF48E7000-memory.dmp
memory/2700-28-0x000007FEF4810000-0x000007FEF487F000-memory.dmp
memory/2700-29-0x000007FEF61F0000-0x000007FEF6201000-memory.dmp
memory/2700-30-0x000007FEF47B0000-0x000007FEF4806000-memory.dmp
memory/2700-31-0x000007FEF4630000-0x000007FEF47A8000-memory.dmp
memory/2700-32-0x000007FEF61D0000-0x000007FEF61E7000-memory.dmp
memory/2700-33-0x000007FEFADC0000-0x000007FEFADD0000-memory.dmp
memory/2700-34-0x000007FEF4600000-0x000007FEF462F000-memory.dmp
memory/2700-35-0x000007FEF45E0000-0x000007FEF45F1000-memory.dmp
memory/2700-36-0x000007FEF45C0000-0x000007FEF45D6000-memory.dmp
memory/2700-37-0x000007FEF44F0000-0x000007FEF45B5000-memory.dmp
memory/2700-38-0x000007FEF4470000-0x000007FEF44E5000-memory.dmp
memory/2700-39-0x000007FEF4400000-0x000007FEF4462000-memory.dmp
memory/2700-40-0x000007FEF4390000-0x000007FEF43FD000-memory.dmp
memory/2700-41-0x000007FEF4370000-0x000007FEF4383000-memory.dmp
memory/2700-42-0x000007FEF4350000-0x000007FEF4364000-memory.dmp
memory/2700-43-0x000007FEF4300000-0x000007FEF4350000-memory.dmp
memory/2700-44-0x000007FEF42E0000-0x000007FEF42F5000-memory.dmp
memory/2700-45-0x000007FEF42A0000-0x000007FEF42B1000-memory.dmp
memory/2700-46-0x000007FEF4280000-0x000007FEF4292000-memory.dmp
memory/2700-47-0x000007FEF4100000-0x000007FEF427A000-memory.dmp
Analysis: behavioral4
Detonation Overview
Submitted
2024-04-07 18:23
Reported
2024-04-07 18:26
Platform
win10v2004-20240226-en
Max time kernel
92s
Max time network
129s
Command Line
Signatures
Enumerates physical storage devices
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000_Classes\Local Settings | C:\Windows\system32\cmd.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000_Classes\Local Settings | C:\Windows\system32\OpenWith.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\OpenWith.exe | N/A |
Processes
C:\Windows\system32\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\Soundpad Mohamed m4\Profile\CRACKED BY Ray_Black\SteamUserID.cfg"
C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 209.205.72.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 216.197.17.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 17.160.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 228.249.119.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 183.59.114.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 28.143.109.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 241.197.17.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 23.236.111.52.in-addr.arpa | udp |
Files
Analysis: behavioral7
Detonation Overview
Submitted
2024-04-07 18:23
Reported
2024-04-07 18:26
Platform
win7-20240221-en
Max time kernel
118s
Max time network
126s
Command Line
Signatures
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\regsvr32.exe | N/A |
| N/A | N/A | C:\Windows\System32\regsvr32.exe | N/A |
Registers COM server for autorun
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\Software\Classes\CLSID\{27384E53-9860-0AC1-9519-C60EBCAA2C71}\InprocServer32\ | C:\Users\Admin\AppData\Local\Temp\Soundpad Mohamed m4\Soundpad.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{27384E53-9860-0AC1-9519-C60EBCAA2C71}\InprocServer32\ = "C:\\Windows\\system32\\UniteFx.dll" | C:\Users\Admin\AppData\Local\Temp\Soundpad Mohamed m4\Soundpad.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{27384E53-9860-0AC1-9519-C60EBCAA2C71}\InprocServer32\ThreadingModel = "Both" | C:\Users\Admin\AppData\Local\Temp\Soundpad Mohamed m4\Soundpad.exe | N/A |
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\system32\UniteFx.dll | C:\Users\Admin\AppData\Local\Temp\Soundpad Mohamed m4\Soundpad.exe | N/A |
| File opened for modification | C:\Windows\system32\UniteFx.dll | C:\Users\Admin\AppData\Local\Temp\Soundpad Mohamed m4\Soundpad.exe | N/A |
Enumerates physical storage devices
Modifies registry class
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{27384E53-9860-0AC1-9519-C60EBCAA2C71}\InprocServer32\ThreadingModel = "Both" | C:\Users\Admin\AppData\Local\Temp\Soundpad Mohamed m4\Soundpad.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\AudioEngine\AudioProcessingObjects | C:\Windows\System32\regsvr32.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\AudioEngine\AudioProcessingObjects\{27384E53-9860-0AC1-9519-C60EBCAA2C71}\MaxInputConnections = "1" | C:\Windows\System32\regsvr32.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1658372521-4246568289-2509113762-1000_CLASSES\Soundpad.Soundlist\\DefaultIcon | C:\Users\Admin\AppData\Local\Temp\Soundpad Mohamed m4\Soundpad.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1658372521-4246568289-2509113762-1000_CLASSES\.spl\OpenWithList | C:\Users\Admin\AppData\Local\Temp\Soundpad Mohamed m4\Soundpad.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1658372521-4246568289-2509113762-1000_CLASSES\Soundpad\URL Protocol | C:\Users\Admin\AppData\Local\Temp\Soundpad Mohamed m4\Soundpad.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\AudioEngine\AudioProcessingObjects\{27384E53-9860-0AC1-9519-C60EBCAA2C71} | C:\Windows\System32\regsvr32.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\AudioEngine\AudioProcessingObjects\{27384E53-9860-0AC1-9519-C60EBCAA2C71}\MaxOutputConnections = "1" | C:\Windows\System32\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{27384E53-9860-0AC1-9519-C60EBCAA2C71}\InprocServer32\ = "C:\\Windows\\system32\\UniteFx.dll" | C:\Users\Admin\AppData\Local\Temp\Soundpad Mohamed m4\Soundpad.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\AudioEngine\AudioProcessingObjects\{27384E53-9860-0AC1-9519-C60EBCAA2C71}\MinInputConnections = "1" | C:\Windows\System32\regsvr32.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1658372521-4246568289-2509113762-1000_CLASSES\.spl\OpenWithList\ehshell.exe\ | C:\Users\Admin\AppData\Local\Temp\Soundpad Mohamed m4\Soundpad.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1658372521-4246568289-2509113762-1000_CLASSES\.spl\OpenWithProgids\Soundpad.Soundlist | C:\Users\Admin\AppData\Local\Temp\Soundpad Mohamed m4\Soundpad.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1658372521-4246568289-2509113762-1000_CLASSES\Soundpad\shell\open\command | C:\Users\Admin\AppData\Local\Temp\Soundpad Mohamed m4\Soundpad.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1658372521-4246568289-2509113762-1000_CLASSES\.spl\PerceivedType = "audio" | C:\Users\Admin\AppData\Local\Temp\Soundpad Mohamed m4\Soundpad.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\AudioEngine\AudioProcessingObjects\{27384E53-9860-0AC1-9519-C60EBCAA2C71}\NumAPOInterfaces = "1" | C:\Windows\System32\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\AudioEngine\AudioProcessingObjects\{27384E53-9860-0AC1-9519-C60EBCAA2C71}\Copyright = "Copyright (C) 2016-2019 Leppsoft" | C:\Windows\System32\regsvr32.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1658372521-4246568289-2509113762-1000_CLASSES\Soundpad.Soundlist | C:\Users\Admin\AppData\Local\Temp\Soundpad Mohamed m4\Soundpad.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1658372521-4246568289-2509113762-1000_CLASSES\Soundpad.Soundlist\\shell\open\command | C:\Users\Admin\AppData\Local\Temp\Soundpad Mohamed m4\Soundpad.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1658372521-4246568289-2509113762-1000_CLASSES\Soundpad.Soundlist\shell\open\command\ = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\Soundpad Mohamed m4\\Soundpad.exe\" \"%1\"" | C:\Users\Admin\AppData\Local\Temp\Soundpad Mohamed m4\Soundpad.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Classes\CLSID\{27384E53-9860-0AC1-9519-C60EBCAA2C71}\InprocServer32\ | C:\Users\Admin\AppData\Local\Temp\Soundpad Mohamed m4\Soundpad.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\AudioEngine\AudioProcessingObjects\{27384E53-9860-0AC1-9519-C60EBCAA2C71}\Flags = "14" | C:\Windows\System32\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1658372521-4246568289-2509113762-1000_CLASSES\Soundpad.Soundlist\ = "Soundpad sound list" | C:\Users\Admin\AppData\Local\Temp\Soundpad Mohamed m4\Soundpad.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1658372521-4246568289-2509113762-1000_CLASSES\.spl\ = "Soundpad.Soundlist" | C:\Users\Admin\AppData\Local\Temp\Soundpad Mohamed m4\Soundpad.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1658372521-4246568289-2509113762-1000_CLASSES\.spl\Content Type = "audio/soundpadlist" | C:\Users\Admin\AppData\Local\Temp\Soundpad Mohamed m4\Soundpad.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1658372521-4246568289-2509113762-1000_CLASSES\Soundpad\shell | C:\Users\Admin\AppData\Local\Temp\Soundpad Mohamed m4\Soundpad.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1658372521-4246568289-2509113762-1000_CLASSES\Soundpad\shell\open | C:\Users\Admin\AppData\Local\Temp\Soundpad Mohamed m4\Soundpad.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\AudioEngine\AudioProcessingObjects\{27384E53-9860-0AC1-9519-C60EBCAA2C71}\MinorVersion = "6" | C:\Windows\System32\regsvr32.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\AudioEngine\AudioProcessingObjects\{27384E53-9860-0AC1-9519-C60EBCAA2C71}\MaxInstances = "4294967295" | C:\Windows\System32\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\AudioEngine\AudioProcessingObjects\{27384E53-9860-0AC1-9519-C60EBCAA2C71}\APOInterface0 = "{FD7F2B29-24D0-4B5C-B177-592C39F9CA10}" | C:\Windows\System32\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1658372521-4246568289-2509113762-1000_CLASSES\Soundpad.Soundlist\DefaultIcon\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Soundpad Mohamed m4\\Soundpad.exe,1" | C:\Users\Admin\AppData\Local\Temp\Soundpad Mohamed m4\Soundpad.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1658372521-4246568289-2509113762-1000_CLASSES\.spl | C:\Users\Admin\AppData\Local\Temp\Soundpad Mohamed m4\Soundpad.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1658372521-4246568289-2509113762-1000_CLASSES\Soundpad\DefaultIcon | C:\Users\Admin\AppData\Local\Temp\Soundpad Mohamed m4\Soundpad.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1658372521-4246568289-2509113762-1000_CLASSES\Soundpad.Soundlist\shell\open | C:\Users\Admin\AppData\Local\Temp\Soundpad Mohamed m4\Soundpad.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\AudioEngine\AudioProcessingObjects\{27384E53-9860-0AC1-9519-C60EBCAA2C71}\MaxInputConnections = "1" | C:\Windows\System32\regsvr32.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\AudioEngine\AudioProcessingObjects\{27384E53-9860-0AC1-9519-C60EBCAA2C71}\NumAPOInterfaces = "1" | C:\Windows\System32\regsvr32.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1658372521-4246568289-2509113762-1000_CLASSES\Soundpad\shell\open\command\ | C:\Users\Admin\AppData\Local\Temp\Soundpad Mohamed m4\Soundpad.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1658372521-4246568289-2509113762-1000_CLASSES\Soundpad.Soundlist\shell | C:\Users\Admin\AppData\Local\Temp\Soundpad Mohamed m4\Soundpad.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\AudioEngine\AudioProcessingObjects\{27384E53-9860-0AC1-9519-C60EBCAA2C71}\FriendlyName = "UniteFx" | C:\Windows\System32\regsvr32.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\AudioEngine\AudioProcessingObjects\{27384E53-9860-0AC1-9519-C60EBCAA2C71}\MinOutputConnections = "1" | C:\Windows\System32\regsvr32.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1658372521-4246568289-2509113762-1000_CLASSES\Soundpad | C:\Users\Admin\AppData\Local\Temp\Soundpad Mohamed m4\Soundpad.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Classes\CLSID\{27384E53-9860-0AC1-9519-C60EBCAA2C71}\ | C:\Users\Admin\AppData\Local\Temp\Soundpad Mohamed m4\Soundpad.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{27384E53-9860-0AC1-9519-C60EBCAA2C71}\ = "UniteFx Class" | C:\Users\Admin\AppData\Local\Temp\Soundpad Mohamed m4\Soundpad.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\AudioEngine\AudioProcessingObjects\{27384E53-9860-0AC1-9519-C60EBCAA2C71} | C:\Windows\System32\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\AudioEngine\AudioProcessingObjects\{27384E53-9860-0AC1-9519-C60EBCAA2C71} | C:\Windows\System32\regsvr32.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\AudioEngine\AudioProcessingObjects\{27384E53-9860-0AC1-9519-C60EBCAA2C71}\MajorVersion = "1" | C:\Windows\System32\regsvr32.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1658372521-4246568289-2509113762-1000_CLASSES\Soundpad.Soundlist\shell\open\command\ | C:\Users\Admin\AppData\Local\Temp\Soundpad Mohamed m4\Soundpad.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1658372521-4246568289-2509113762-1000_CLASSES\.spl\OpenWithList\ehshell.exe | C:\Users\Admin\AppData\Local\Temp\Soundpad Mohamed m4\Soundpad.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\AudioEngine\AudioProcessingObjects\{27384E53-9860-0AC1-9519-C60EBCAA2C71}\MajorVersion = "1" | C:\Windows\System32\regsvr32.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\AudioEngine\AudioProcessingObjects\{27384E53-9860-0AC1-9519-C60EBCAA2C71}\MaxOutputConnections = "1" | C:\Windows\System32\regsvr32.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1658372521-4246568289-2509113762-1000_CLASSES\.spl\OpenWithProgids | C:\Users\Admin\AppData\Local\Temp\Soundpad Mohamed m4\Soundpad.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\AudioEngine\AudioProcessingObjects\{27384E53-9860-0AC1-9519-C60EBCAA2C71}\MinInputConnections = "1" | C:\Windows\System32\regsvr32.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\AudioEngine\AudioProcessingObjects\{27384E53-9860-0AC1-9519-C60EBCAA2C71}\MinOutputConnections = "1" | C:\Windows\System32\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\AudioEngine\AudioProcessingObjects\{27384E53-9860-0AC1-9519-C60EBCAA2C71}\Copyright = "Copyright (C) 2016-2019 Leppsoft" | C:\Windows\System32\regsvr32.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\AudioEngine\AudioProcessingObjects\{27384E53-9860-0AC1-9519-C60EBCAA2C71}\MinorVersion = "6" | C:\Windows\System32\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1658372521-4246568289-2509113762-1000_CLASSES\.spl\OpenWithList\ehshell.exe\ | C:\Users\Admin\AppData\Local\Temp\Soundpad Mohamed m4\Soundpad.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1658372521-4246568289-2509113762-1000_CLASSES\Soundpad\ = "URL:Soundpad Protocol" | C:\Users\Admin\AppData\Local\Temp\Soundpad Mohamed m4\Soundpad.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1658372521-4246568289-2509113762-1000_CLASSES\Soundpad\DefaultIcon\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Soundpad Mohamed m4\\Soundpad.exe,0" | C:\Users\Admin\AppData\Local\Temp\Soundpad Mohamed m4\Soundpad.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\AudioEngine\AudioProcessingObjects\{27384E53-9860-0AC1-9519-C60EBCAA2C71}\FriendlyName = "UniteFx" | C:\Windows\System32\regsvr32.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\AudioEngine\AudioProcessingObjects\{27384E53-9860-0AC1-9519-C60EBCAA2C71}\Flags = "14" | C:\Windows\System32\regsvr32.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\AudioEngine\AudioProcessingObjects\{27384E53-9860-0AC1-9519-C60EBCAA2C71}\MaxInstances = "4294967295" | C:\Windows\System32\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\AudioEngine\AudioProcessingObjects\{27384E53-9860-0AC1-9519-C60EBCAA2C71}\APOInterface0 = "{FD7F2B29-24D0-4B5C-B177-592C39F9CA10}" | C:\Windows\System32\regsvr32.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1658372521-4246568289-2509113762-1000_CLASSES\Soundpad.Soundlist\shell\open\command | C:\Users\Admin\AppData\Local\Temp\Soundpad Mohamed m4\Soundpad.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1658372521-4246568289-2509113762-1000_CLASSES\Soundpad\shell\open\command\ = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\Soundpad Mohamed m4\\Soundpad.exe\" -c \"%1\"" | C:\Users\Admin\AppData\Local\Temp\Soundpad Mohamed m4\Soundpad.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\AudioEngine\AudioProcessingObjects | C:\Windows\System32\regsvr32.exe | N/A |
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Soundpad Mohamed m4\Soundpad.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\Soundpad Mohamed m4\Soundpad.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Soundpad Mohamed m4\Soundpad.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Soundpad Mohamed m4\Soundpad.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Soundpad Mohamed m4\Soundpad.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Soundpad Mohamed m4\Soundpad.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\Soundpad Mohamed m4\Soundpad.exe
"C:\Users\Admin\AppData\Local\Temp\Soundpad Mohamed m4\Soundpad.exe"
C:\Windows\System32\regsvr32.exe
"C:\Windows\System32\regsvr32.exe" /s "C:\Windows\system32\UniteFx.dll"
C:\Windows\System32\regsvr32.exe
"C:\Windows\System32\regsvr32.exe" /s "C:\Windows\system32\UniteFx.dll"
Network
Files
memory/2856-0-0x000007FEF5490000-0x000007FEF64E0000-memory.dmp
memory/2856-4-0x000007FEBF050000-0x000007FEBF051000-memory.dmp
memory/2856-5-0x000007FEBF040000-0x000007FEBF041000-memory.dmp
C:\Windows\system32\UniteFx.dll
| MD5 | 0ee743073ee6b68f8222be2661d95315 |
| SHA1 | 2e642772ec19edf73422fe25a8d45db1a006ff85 |
| SHA256 | 562b17370c7283e92a3353b76ab2aefd301c2e78782fa60ec9ee35676ad44f96 |
| SHA512 | c3f2037bd37cef7978187f67f1d0633ee3067b4837e0ad9ae2a5c8efab8ec4ce6a14c1d88e200ffaa8677f74fd5995789297e6a7b5ac18d19dc9d53b4d9170ba |