Malware Analysis Report

2025-03-14 23:43

Sample ID: 240407-w1e44sah5t
Target: Soundpad_Mohamed_m4.rar
SHA256: 703c98b215698a72cb6de36c33e66c821a470a52565ba79da213243d0aed458b
Tags: persistence, upx
Score: 7/10

Table of Contents

Analysis Overview
MITRE ATT&CK (Enterprise Matrix V15)
Analysis: static1 (Detonation Overview, Signatures)
Analysis: behavioral29
Analysis: behavioral2
Analysis: behavioral11
Analysis: behavioral14
Analysis: behavioral21
Analysis: behavioral8
Analysis: behavioral9
Analysis: behavioral10
Analysis: behavioral18
Analysis: behavioral24
Analysis: behavioral32
Analysis: behavioral1
Analysis: behavioral22
Analysis: behavioral30
Analysis: behavioral17
Analysis: behavioral20
Analysis: behavioral27
Analysis: behavioral6
Analysis: behavioral16
Analysis: behavioral26
Analysis: behavioral28
Analysis: behavioral5
Analysis: behavioral12
Analysis: behavioral31
Analysis: behavioral3
Analysis: behavioral13
Analysis: behavioral15
Analysis: behavioral19
Analysis: behavioral23
Analysis: behavioral25
Analysis: behavioral4
Analysis: behavioral7

Each behavioral analysis section contains: Detonation Overview, Command Line, Signatures, Processes, Network, Files.

Analysis Overview

Score: 7/10
SHA256: 703c98b215698a72cb6de36c33e66c821a470a52565ba79da213243d0aed458b
Threat Level: Shows suspicious behavior

The file Soundpad_Mohamed_m4.rar was found to show suspicious behavior.

Malicious Activity Summary

Tags: persistence, upx

Executes dropped EXE

Registers COM server for autorun

Checks computer location settings

Loads dropped DLL

UPX packed file

Enumerates connected drives

Drops file in System32 directory

Unsigned PE

Enumerates physical storage devices

Suspicious behavior: AddClipboardFormatListener

Suspicious use of AdjustPrivilegeToken

Suspicious use of SendNotifyMessage

Modifies registry class

Suspicious use of WriteProcessMemory

Suspicious behavior: GetForegroundWindowSpam

Suspicious behavior: EnumeratesProcesses

Suspicious use of SetWindowsHookEx

Suspicious use of FindShellTrayWindow

Opens file in notepad (likely ransom note)

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported: 2024-04-07 18:23

Signatures

UPX packed file (tag: upx)

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral29

Detonation Overview

Submitted: 2024-04-07 18:23
Reported: 2024-04-07 18:26
Platform: win7-20240221-en
Max time kernel: 142s
Max time network: 129s

Command Line

"C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file "C:\Users\Admin\AppData\Local\Temp\Soundpad Mohamed m4\sounds\notify\default.m4a"

Signatures

Suspicious behavior: AddClipboardFormatListener

Description | Indicator | Process | Target
N/A | N/A | C:\Program Files\VideoLAN\VLC\vlc.exe | N/A

Suspicious behavior: GetForegroundWindowSpam

Description | Indicator | Process | Target
N/A | N/A | C:\Program Files\VideoLAN\VLC\vlc.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: 33 | N/A | C:\Program Files\VideoLAN\VLC\vlc.exe | N/A
Token: SeIncBasePriorityPrivilege | N/A | C:\Program Files\VideoLAN\VLC\vlc.exe | N/A

Suspicious use of SetWindowsHookEx

Description | Indicator | Process | Target
N/A | N/A | C:\Program Files\VideoLAN\VLC\vlc.exe | N/A

Processes

C:\Program Files\VideoLAN\VLC\vlc.exe

"C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file "C:\Users\Admin\AppData\Local\Temp\Soundpad Mohamed m4\sounds\notify\default.m4a"

Network

N/A

Files


Analysis: behavioral2

Detonation Overview

Submitted: 2024-04-07 18:23
Reported: 2024-04-07 18:26
Platform: win10v2004-20240226-en
Max time kernel: 93s
Max time network: 95s

Command Line

cmd /c C:\Users\Admin\AppData\Local\Temp\Soundpad_Mohamed_m4.rar

Signatures

Checks computer location settings

Description | Indicator | Process | Target
Key value queried | \REGISTRY\USER\S-1-5-21-983155329-280873152-1838004294-1000\Control Panel\International\Geo\Nation | C:\Windows\system32\cmd.exe | N/A

Enumerates physical storage devices

Modifies registry class

Description | Indicator | Process | Target
Key created | \REGISTRY\USER\S-1-5-21-983155329-280873152-1838004294-1000_Classes\Local Settings | C:\Windows\system32\cmd.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeRestorePrivilege | N/A | C:\Program Files\7-Zip\7zFM.exe | N/A
Token: 35 | N/A | C:\Program Files\7-Zip\7zFM.exe | N/A

Suspicious use of FindShellTrayWindow

Description | Indicator | Process | Target
N/A | N/A | C:\Program Files\7-Zip\7zFM.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 4128 wrote to memory of 3136 | N/A | C:\Windows\system32\cmd.exe | C:\Program Files\7-Zip\7zFM.exe
PID 4128 wrote to memory of 3136 | N/A | C:\Windows\system32\cmd.exe | C:\Program Files\7-Zip\7zFM.exe

Processes

C:\Windows\system32\cmd.exe

cmd /c C:\Users\Admin\AppData\Local\Temp\Soundpad_Mohamed_m4.rar

C:\Program Files\7-Zip\7zFM.exe

"C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\Soundpad_Mohamed_m4.rar"

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | 209.205.72.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 249.197.17.2.in-addr.arpa | udp
US | 8.8.8.8:53 | 4.159.190.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 133.211.185.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 228.249.119.40.in-addr.arpa | udp
US | 8.8.8.8:53 | 159.113.53.23.in-addr.arpa | udp
US | 8.8.8.8:53 | 50.23.12.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 28.143.109.104.in-addr.arpa | udp
US | 8.8.8.8:53 | 240.197.17.2.in-addr.arpa | udp
US | 8.8.8.8:53 | 43.229.111.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 241.197.17.2.in-addr.arpa | udp

Files

N/A

Analysis: behavioral11

Detonation Overview

Submitted: 2024-04-07 18:23
Reported: 2024-04-07 18:26
Platform: win7-20240220-en
Max time kernel: 122s
Max time network: 125s

Command Line

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\Soundpad Mohamed m4\UniteFxControl.dll",#1

Signatures

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 2156 wrote to memory of 2964 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\system32\WerFault.exe
PID 2156 wrote to memory of 2964 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\system32\WerFault.exe
PID 2156 wrote to memory of 2964 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\system32\WerFault.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\Soundpad Mohamed m4\UniteFxControl.dll",#1

C:\Windows\system32\WerFault.exe

C:\Windows\system32\WerFault.exe -u -p 2156 -s 164

Network

N/A

Files

N/A

Analysis: behavioral14

Detonation Overview

Submitted: 2024-04-07 18:23
Reported: 2024-04-07 18:26
Platform: win10v2004-20231215-en
Max time kernel: 91s
Max time network: 125s

Command Line

regsvr32 /s "C:\Users\Admin\AppData\Local\Temp\Soundpad Mohamed m4\UniteFxUpdate.dll"

Signatures

Modifies registry class

Description | Indicator | Process | Target
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\AudioEngine\AudioProcessingObjects | C:\Windows\system32\regsvr32.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\AudioEngine\AudioProcessingObjects\{27384E53-9860-0AC1-9519-C60EBCAA2C71}\FriendlyName = "UniteFx" | C:\Windows\system32\regsvr32.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\AudioEngine\AudioProcessingObjects\{27384E53-9860-0AC1-9519-C60EBCAA2C71}\MinorVersion = "6" | C:\Windows\system32\regsvr32.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\AudioEngine\AudioProcessingObjects\{27384E53-9860-0AC1-9519-C60EBCAA2C71}\MaxInputConnections = "1" | C:\Windows\system32\regsvr32.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\AudioEngine\AudioProcessingObjects\{27384E53-9860-0AC1-9519-C60EBCAA2C71}\MaxInstances = "4294967295" | C:\Windows\system32\regsvr32.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\AudioEngine\AudioProcessingObjects\{27384E53-9860-0AC1-9519-C60EBCAA2C71}\NumAPOInterfaces = "1" | C:\Windows\system32\regsvr32.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\AudioEngine\AudioProcessingObjects\{27384E53-9860-0AC1-9519-C60EBCAA2C71}\Copyright = "Copyright (C) 2016-2019 Leppsoft" | C:\Windows\system32\regsvr32.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\AudioEngine\AudioProcessingObjects\{27384E53-9860-0AC1-9519-C60EBCAA2C71}\MinInputConnections = "1" | C:\Windows\system32\regsvr32.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\AudioEngine\AudioProcessingObjects\{27384E53-9860-0AC1-9519-C60EBCAA2C71}\MinOutputConnections = "1" | C:\Windows\system32\regsvr32.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\AudioEngine\AudioProcessingObjects\{27384E53-9860-0AC1-9519-C60EBCAA2C71}\MaxOutputConnections = "1" | C:\Windows\system32\regsvr32.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\AudioEngine\AudioProcessingObjects\{27384E53-9860-0AC1-9519-C60EBCAA2C71}\APOInterface0 = "{FD7F2B29-24D0-4B5C-B177-592C39F9CA10}" | C:\Windows\system32\regsvr32.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\AudioEngine\AudioProcessingObjects\{27384E53-9860-0AC1-9519-C60EBCAA2C71} | C:\Windows\system32\regsvr32.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\AudioEngine\AudioProcessingObjects\{27384E53-9860-0AC1-9519-C60EBCAA2C71}\MajorVersion = "1" | C:\Windows\system32\regsvr32.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\AudioEngine\AudioProcessingObjects\{27384E53-9860-0AC1-9519-C60EBCAA2C71}\Flags = "14" | C:\Windows\system32\regsvr32.exe | N/A

Processes

C:\Windows\system32\regsvr32.exe

regsvr32 /s "C:\Users\Admin\AppData\Local\Temp\Soundpad Mohamed m4\UniteFxUpdate.dll"

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | 196.249.167.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 216.197.17.2.in-addr.arpa | udp
US | 8.8.8.8:53 | 4.159.190.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp
US | 8.8.8.8:53 | 28.118.140.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 183.59.114.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 159.113.53.23.in-addr.arpa | udp
US | 8.8.8.8:53 | 17.143.109.104.in-addr.arpa | udp
US | 8.8.8.8:53 | 249.197.17.2.in-addr.arpa | udp
US | 8.8.8.8:53 | 21.236.111.52.in-addr.arpa | udp

Files

N/A

Analysis: behavioral21

Detonation Overview

Submitted: 2024-04-07 18:23
Reported: 2024-04-07 18:26
Platform: win7-20240221-en
Max time kernel: 141s
Max time network: 128s

Command Line

"C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file "C:\Users\Admin\AppData\Local\Temp\Soundpad Mohamed m4\sounds\cue.mp3"

Signatures

Suspicious behavior: AddClipboardFormatListener

Description | Indicator | Process | Target
N/A | N/A | C:\Program Files\VideoLAN\VLC\vlc.exe | N/A

Suspicious behavior: GetForegroundWindowSpam

Description | Indicator | Process | Target
N/A | N/A | C:\Program Files\VideoLAN\VLC\vlc.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: 33 | N/A | C:\Program Files\VideoLAN\VLC\vlc.exe | N/A
Token: SeIncBasePriorityPrivilege | N/A | C:\Program Files\VideoLAN\VLC\vlc.exe | N/A

Suspicious use of SetWindowsHookEx

Description | Indicator | Process | Target
N/A | N/A | C:\Program Files\VideoLAN\VLC\vlc.exe | N/A

Processes

C:\Program Files\VideoLAN\VLC\vlc.exe

"C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file "C:\Users\Admin\AppData\Local\Temp\Soundpad Mohamed m4\sounds\cue.mp3"

Network

N/A

Files


Analysis: behavioral8

Detonation Overview

Submitted: 2024-04-07 18:23
Reported: 2024-04-07 18:26
Platform: win10v2004-20240226-en
Max time kernel: 147s
Max time network: 158s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Soundpad Mohamed m4\Soundpad.exe"

Signatures

Checks computer location settings

Description | Indicator | Process | Target
Key value queried | \REGISTRY\USER\S-1-5-21-557049126-2506969350-2798870634-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\Soundpad Mohamed m4\Soundpad.exe | N/A

Loads dropped DLL

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\System32\regsvr32.exe | N/A
N/A | N/A | C:\Windows\System32\regsvr32.exe | N/A

Registers COM server for autorun (tag: persistence)

Description | Indicator | Process | Target
Key created | \REGISTRY\MACHINE\Software\Classes\CLSID\{27384E53-9860-0AC1-9519-C60EBCAA2C71}\InprocServer32\ | C:\Users\Admin\AppData\Local\Temp\Soundpad Mohamed m4\Soundpad.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{27384E53-9860-0AC1-9519-C60EBCAA2C71}\InprocServer32\ = "C:\\Windows\\system32\\UniteFx.dll" | C:\Users\Admin\AppData\Local\Temp\Soundpad Mohamed m4\Soundpad.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{27384E53-9860-0AC1-9519-C60EBCAA2C71}\InprocServer32\ThreadingModel = "Both" | C:\Users\Admin\AppData\Local\Temp\Soundpad Mohamed m4\Soundpad.exe | N/A

UPX packed file (tag: upx)

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Drops file in System32 directory

Description | Indicator | Process | Target
File opened for modification | C:\Windows\system32\UniteFx.dll | C:\Users\Admin\AppData\Local\Temp\Soundpad Mohamed m4\Soundpad.exe | N/A
File created | C:\Windows\system32\UniteFx.dll | C:\Users\Admin\AppData\Local\Temp\Soundpad Mohamed m4\Soundpad.exe | N/A

Enumerates physical storage devices

Modifies registry class

Description | Indicator | Process | Target
Set value (str) | \REGISTRY\USER\S-1-5-21-557049126-2506969350-2798870634-1000_Classes\Soundpad\ = "URL:Soundpad Protocol" | C:\Users\Admin\AppData\Local\Temp\Soundpad Mohamed m4\Soundpad.exe | N/A
Key created | \REGISTRY\MACHINE\Software\Classes\CLSID\{27384E53-9860-0AC1-9519-C60EBCAA2C71}\ | C:\Users\Admin\AppData\Local\Temp\Soundpad Mohamed m4\Soundpad.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-557049126-2506969350-2798870634-1000_Classes\Soundpad\shell\open | C:\Users\Admin\AppData\Local\Temp\Soundpad Mohamed m4\Soundpad.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-557049126-2506969350-2798870634-1000_Classes\Soundpad.Soundlist | C:\Users\Admin\AppData\Local\Temp\Soundpad Mohamed m4\Soundpad.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-557049126-2506969350-2798870634-1000_Classes\.spl\ = "Soundpad.Soundlist" | C:\Users\Admin\AppData\Local\Temp\Soundpad Mohamed m4\Soundpad.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-557049126-2506969350-2798870634-1000_Classes\.spl\Content Type = "audio/soundpadlist" | C:\Users\Admin\AppData\Local\Temp\Soundpad Mohamed m4\Soundpad.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\AudioEngine\AudioProcessingObjects\{27384E53-9860-0AC1-9519-C60EBCAA2C71}\MinorVersion = "6" | C:\Windows\System32\regsvr32.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\AudioEngine\AudioProcessingObjects\{27384E53-9860-0AC1-9519-C60EBCAA2C71}\MaxInputConnections = "1" | C:\Windows\System32\regsvr32.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\AudioEngine\AudioProcessingObjects\{27384E53-9860-0AC1-9519-C60EBCAA2C71}\FriendlyName = "UniteFx" | C:\Windows\System32\regsvr32.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\AudioEngine\AudioProcessingObjects\{27384E53-9860-0AC1-9519-C60EBCAA2C71}\NumAPOInterfaces = "1" | C:\Windows\System32\regsvr32.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{27384E53-9860-0AC1-9519-C60EBCAA2C71}\InprocServer32\ThreadingModel = "Both" | C:\Users\Admin\AppData\Local\Temp\Soundpad Mohamed m4\Soundpad.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\AudioEngine\AudioProcessingObjects\{27384E53-9860-0AC1-9519-C60EBCAA2C71}\MinorVersion = "6" | C:\Windows\System32\regsvr32.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-557049126-2506969350-2798870634-1000_Classes\Soundpad.Soundlist\ = "Soundpad sound list" | C:\Users\Admin\AppData\Local\Temp\Soundpad Mohamed m4\Soundpad.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-557049126-2506969350-2798870634-1000_Classes\Soundpad.Soundlist\shell | C:\Users\Admin\AppData\Local\Temp\Soundpad Mohamed m4\Soundpad.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-557049126-2506969350-2798870634-1000_Classes\.spl\OpenWithList | C:\Users\Admin\AppData\Local\Temp\Soundpad Mohamed m4\Soundpad.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-557049126-2506969350-2798870634-1000_Classes\.spl\OpenWithList\ehshell.exe\ | C:\Users\Admin\AppData\Local\Temp\Soundpad Mohamed m4\Soundpad.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-557049126-2506969350-2798870634-1000_Classes\Soundpad\shell\open\command\ | C:\Users\Admin\AppData\Local\Temp\Soundpad Mohamed m4\Soundpad.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\AudioEngine\AudioProcessingObjects\{27384E53-9860-0AC1-9519-C60EBCAA2C71} | C:\Windows\System32\regsvr32.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-557049126-2506969350-2798870634-1000_Classes\Soundpad.Soundlist\shell\open\command | C:\Users\Admin\AppData\Local\Temp\Soundpad Mohamed m4\Soundpad.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-557049126-2506969350-2798870634-1000_Classes\Soundpad\URL Protocol | C:\Users\Admin\AppData\Local\Temp\Soundpad Mohamed m4\Soundpad.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-557049126-2506969350-2798870634-1000_Classes\Soundpad\shell | C:\Users\Admin\AppData\Local\Temp\Soundpad Mohamed m4\Soundpad.exe | N/A
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\AudioEngine\AudioProcessingObjects\{27384E53-9860-0AC1-9519-C60EBCAA2C71} | C:\Windows\System32\regsvr32.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-557049126-2506969350-2798870634-1000_Classes\Soundpad.Soundlist\shell\open\command\ = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\Soundpad Mohamed m4\\Soundpad.exe\" \"%1\"" | C:\Users\Admin\AppData\Local\Temp\Soundpad Mohamed m4\Soundpad.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-557049126-2506969350-2798870634-1000_Classes\Soundpad | C:\Users\Admin\AppData\Local\Temp\Soundpad Mohamed m4\Soundpad.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-557049126-2506969350-2798870634-1000_Classes\Soundpad\DefaultIcon\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Soundpad Mohamed m4\\Soundpad.exe,0" | C:\Users\Admin\AppData\Local\Temp\Soundpad Mohamed m4\Soundpad.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-557049126-2506969350-2798870634-1000_Classes\Soundpad\shell\open\command | C:\Users\Admin\AppData\Local\Temp\Soundpad Mohamed m4\Soundpad.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\AudioEngine\AudioProcessingObjects\{27384E53-9860-0AC1-9519-C60EBCAA2C71} | C:\Windows\System32\regsvr32.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\AudioEngine\AudioProcessingObjects\{27384E53-9860-0AC1-9519-C60EBCAA2C71}\Copyright = "Copyright (C) 2016-2019 Leppsoft" | C:\Windows\System32\regsvr32.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\AudioEngine\AudioProcessingObjects\{27384E53-9860-0AC1-9519-C60EBCAA2C71}\APOInterface0 = "{FD7F2B29-24D0-4B5C-B177-592C39F9CA10}" | C:\Windows\System32\regsvr32.exe | N/A
Key created | \REGISTRY\MACHINE\Software\Classes\CLSID\{27384E53-9860-0AC1-9519-C60EBCAA2C71}\InprocServer32\ | C:\Users\Admin\AppData\Local\Temp\Soundpad Mohamed m4\Soundpad.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\AudioEngine\AudioProcessingObjects\{27384E53-9860-0AC1-9519-C60EBCAA2C71}\MajorVersion = "1" | C:\Windows\System32\regsvr32.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\AudioEngine\AudioProcessingObjects\{27384E53-9860-0AC1-9519-C60EBCAA2C71}\MinInputConnections = "1" | C:\Windows\System32\regsvr32.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\AudioEngine\AudioProcessingObjects\{27384E53-9860-0AC1-9519-C60EBCAA2C71}\MaxInstances = "4294967295" | C:\Windows\System32\regsvr32.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-557049126-2506969350-2798870634-1000_Classes\.spl\OpenWithProgids\Soundpad.Soundlist | C:\Users\Admin\AppData\Local\Temp\Soundpad Mohamed m4\Soundpad.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\AudioEngine\AudioProcessingObjects\{27384E53-9860-0AC1-9519-C60EBCAA2C71}\APOInterface0 = "{FD7F2B29-24D0-4B5C-B177-592C39F9CA10}" | C:\Windows\System32\regsvr32.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\AudioEngine\AudioProcessingObjects\{27384E53-9860-0AC1-9519-C60EBCAA2C71}\MaxOutputConnections = "1" | C:\Windows\System32\regsvr32.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-557049126-2506969350-2798870634-1000_Classes\Soundpad.Soundlist\DefaultIcon\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Soundpad Mohamed m4\\Soundpad.exe,1" | C:\Users\Admin\AppData\Local\Temp\Soundpad Mohamed m4\Soundpad.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-557049126-2506969350-2798870634-1000_Classes\.spl\OpenWithList\ehshell.exe\ | C:\Users\Admin\AppData\Local\Temp\Soundpad Mohamed m4\Soundpad.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\AudioEngine\AudioProcessingObjects\{27384E53-9860-0AC1-9519-C60EBCAA2C71}\FriendlyName = "UniteFx" | C:\Windows\System32\regsvr32.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\AudioEngine\AudioProcessingObjects\{27384E53-9860-0AC1-9519-C60EBCAA2C71}\MaxOutputConnections = "1" | C:\Windows\System32\regsvr32.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-557049126-2506969350-2798870634-1000_Classes\Soundpad.Soundlist\shell\open\command\ | C:\Users\Admin\AppData\Local\Temp\Soundpad Mohamed m4\Soundpad.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-557049126-2506969350-2798870634-1000_Classes\.spl\OpenWithProgids | C:\Users\Admin\AppData\Local\Temp\Soundpad Mohamed m4\Soundpad.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\AudioEngine\AudioProcessingObjects\{27384E53-9860-0AC1-9519-C60EBCAA2C71}\MinInputConnections = "1" | C:\Windows\System32\regsvr32.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-557049126-2506969350-2798870634-1000_Classes\Soundpad\DefaultIcon | C:\Users\Admin\AppData\Local\Temp\Soundpad Mohamed m4\Soundpad.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{27384E53-9860-0AC1-9519-C60EBCAA2C71}\ = "UniteFx Class" | C:\Users\Admin\AppData\Local\Temp\Soundpad Mohamed m4\Soundpad.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{27384E53-9860-0AC1-9519-C60EBCAA2C71}\InprocServer32\ = "C:\\Windows\\system32\\UniteFx.dll" | C:\Users\Admin\AppData\Local\Temp\Soundpad Mohamed m4\Soundpad.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-557049126-2506969350-2798870634-1000_Classes\.spl\PerceivedType = "audio" | C:\Users\Admin\AppData\Local\Temp\Soundpad Mohamed m4\Soundpad.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-557049126-2506969350-2798870634-1000_Classes\Soundpad\shell\open\command\ = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\Soundpad Mohamed m4\\Soundpad.exe\" -c \"%1\"" | C:\Users\Admin\AppData\Local\Temp\Soundpad Mohamed m4\Soundpad.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\AudioEngine\AudioProcessingObjects | C:\Windows\System32\regsvr32.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\AudioEngine\AudioProcessingObjects\{27384E53-9860-0AC1-9519-C60EBCAA2C71}\Flags = "14" | C:\Windows\System32\regsvr32.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\AudioEngine\AudioProcessingObjects\{27384E53-9860-0AC1-9519-C60EBCAA2C71}\NumAPOInterfaces = "1" | C:\Windows\System32\regsvr32.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\AudioEngine\AudioProcessingObjects\{27384E53-9860-0AC1-9519-C60EBCAA2C71}\Copyright = "Copyright (C) 2016-2019 Leppsoft" | C:\Windows\System32\regsvr32.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\AudioEngine\AudioProcessingObjects\{27384E53-9860-0AC1-9519-C60EBCAA2C71}\MinOutputConnections = "1" | C:\Windows\System32\regsvr32.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-557049126-2506969350-2798870634-1000_Classes\Soundpad.Soundlist\shell\open | C:\Users\Admin\AppData\Local\Temp\Soundpad Mohamed m4\Soundpad.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-557049126-2506969350-2798870634-1000_Classes\.spl | C:\Users\Admin\AppData\Local\Temp\Soundpad Mohamed m4\Soundpad.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\AudioEngine\AudioProcessingObjects\{27384E53-9860-0AC1-9519-C60EBCAA2C71}\MajorVersion = "1" | C:\Windows\System32\regsvr32.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\AudioEngine\AudioProcessingObjects | C:\Windows\System32\regsvr32.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-557049126-2506969350-2798870634-1000_Classes\Soundpad.Soundlist\DefaultIcon | C:\Users\Admin\AppData\Local\Temp\Soundpad Mohamed m4\Soundpad.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-557049126-2506969350-2798870634-1000_Classes\.spl\OpenWithList\ehshell.exe | C:\Users\Admin\AppData\Local\Temp\Soundpad Mohamed m4\Soundpad.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\AudioEngine\AudioProcessingObjects\{27384E53-9860-0AC1-9519-C60EBCAA2C71}\MinOutputConnections = "1" | C:\Windows\System32\regsvr32.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\AudioEngine\AudioProcessingObjects\{27384E53-9860-0AC1-9519-C60EBCAA2C71}\MaxInstances = "4294967295" | C:\Windows\System32\regsvr32.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\AudioEngine\AudioProcessingObjects\{27384E53-9860-0AC1-9519-C60EBCAA2C71}\Flags = "14" | C:\Windows\System32\regsvr32.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\AudioEngine\AudioProcessingObjects\{27384E53-9860-0AC1-9519-C60EBCAA2C71}\MaxInputConnections = "1" | C:\Windows\System32\regsvr32.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeTakeOwnershipPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Soundpad Mohamed m4\Soundpad.exe N/A
Token: 33 N/A C:\Windows\system32\AUDIODG.EXE N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\system32\AUDIODG.EXE N/A

Processes

C:\Users\Admin\AppData\Local\Temp\Soundpad Mohamed m4\Soundpad.exe

"C:\Users\Admin\AppData\Local\Temp\Soundpad Mohamed m4\Soundpad.exe"

C:\Windows\System32\regsvr32.exe

"C:\Windows\System32\regsvr32.exe" /s "C:\Windows\system32\UniteFx.dll"

C:\Windows\System32\regsvr32.exe

"C:\Windows\System32\regsvr32.exe" /s "C:\Windows\system32\UniteFx.dll"

C:\Windows\system32\AUDIODG.EXE

C:\Windows\system32\AUDIODG.EXE 0x4b0 0x480

Network

Country Destination Domain Proto
US 8.8.8.8:53 28.118.140.52.in-addr.arpa udp
US 8.8.8.8:53 240.197.17.2.in-addr.arpa udp
US 8.8.8.8:53 0.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 196.249.167.52.in-addr.arpa udp
US 8.8.8.8:53 228.249.119.40.in-addr.arpa udp
US 8.8.8.8:53 183.59.114.20.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 17.143.109.104.in-addr.arpa udp
US 8.8.8.8:53 216.197.17.2.in-addr.arpa udp
US 8.8.8.8:53 31.243.111.52.in-addr.arpa udp
US 8.8.8.8:53 90.65.42.20.in-addr.arpa udp

Files

memory/2284-0-0x00007FFF29BE0000-0x00007FFF2AC30000-memory.dmp

memory/2284-4-0x00007FFF07960000-0x00007FFF07961000-memory.dmp

C:\Windows\system32\UniteFx.dll

MD5 0ee743073ee6b68f8222be2661d95315
SHA1 2e642772ec19edf73422fe25a8d45db1a006ff85
SHA256 562b17370c7283e92a3353b76ab2aefd301c2e78782fa60ec9ee35676ad44f96
SHA512 c3f2037bd37cef7978187f67f1d0633ee3067b4837e0ad9ae2a5c8efab8ec4ce6a14c1d88e200ffaa8677f74fd5995789297e6a7b5ac18d19dc9d53b4d9170ba

Analysis: behavioral9

Detonation Overview

Submitted

2024-04-07 18:23

Reported

2024-04-07 18:26

Platform

win7-20240221-en

Max time kernel

119s

Max time network

123s

Command Line

C:\Windows\system32\NOTEPAD.EXE "C:\Users\Admin\AppData\Local\Temp\Soundpad Mohamed m4\SteamConfig.ini"

Signatures

N/A

Processes

C:\Windows\system32\NOTEPAD.EXE

C:\Windows\system32\NOTEPAD.EXE "C:\Users\Admin\AppData\Local\Temp\Soundpad Mohamed m4\SteamConfig.ini"

Network

N/A

Files

N/A

Analysis: behavioral10

Detonation Overview

Submitted

2024-04-07 18:23

Reported

2024-04-07 18:26

Platform

win10v2004-20240226-en

Max time kernel

91s

Max time network

131s

Command Line

C:\Windows\system32\NOTEPAD.EXE "C:\Users\Admin\AppData\Local\Temp\Soundpad Mohamed m4\SteamConfig.ini"

Signatures

N/A

Processes

C:\Windows\system32\NOTEPAD.EXE

C:\Windows\system32\NOTEPAD.EXE "C:\Users\Admin\AppData\Local\Temp\Soundpad Mohamed m4\SteamConfig.ini"

Network

Country Destination Domain Proto
US 20.231.121.79:80 tcp
US 8.8.8.8:53 228.249.119.40.in-addr.arpa udp
US 8.8.8.8:53 22.160.190.20.in-addr.arpa udp
US 8.8.8.8:53 216.197.17.2.in-addr.arpa udp
US 8.8.8.8:53 196.249.167.52.in-addr.arpa udp
US 8.8.8.8:53 86.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 8.8.8.8:53 0.204.248.87.in-addr.arpa udp
US 8.8.8.8:53 241.197.17.2.in-addr.arpa udp
US 8.8.8.8:53 249.197.17.2.in-addr.arpa udp
US 8.8.8.8:53 31.243.111.52.in-addr.arpa udp

Files

N/A

Analysis: behavioral18

Detonation Overview

Submitted

2024-04-07 18:23

Reported

2024-04-07 18:26

Platform

win10v2004-20240226-en

Max time kernel

149s

Max time network

150s

Command Line

cmd /c "C:\Users\Admin\AppData\Local\Temp\Soundpad Mohamed m4\languages\es_ES\translation.mo"

Signatures

Enumerates physical storage devices

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000_Classes\Local Settings C:\Windows\system32\cmd.exe N/A
Key created \REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000_Classes\Local Settings C:\Windows\system32\OpenWith.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Windows\system32\OpenWith.exe N/A

Processes

C:\Windows\system32\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\Soundpad Mohamed m4\languages\es_ES\translation.mo"

C:\Windows\system32\OpenWith.exe

C:\Windows\system32\OpenWith.exe -Embedding

Network

Country Destination Domain Proto
US 8.8.8.8:53 196.249.167.52.in-addr.arpa udp
US 8.8.8.8:53 216.197.17.2.in-addr.arpa udp
US 8.8.8.8:53 71.31.126.40.in-addr.arpa udp
US 8.8.8.8:53 228.249.119.40.in-addr.arpa udp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 159.113.53.23.in-addr.arpa udp
US 8.8.8.8:53 17.143.109.104.in-addr.arpa udp
US 8.8.8.8:53 249.197.17.2.in-addr.arpa udp
US 8.8.8.8:53 22.236.111.52.in-addr.arpa udp
US 8.8.8.8:53 udp

Files

N/A

Analysis: behavioral24

Detonation Overview

Submitted

2024-04-07 18:23

Reported

2024-04-07 18:26

Platform

win10v2004-20240226-en

Max time kernel

146s

Max time network

157s

Command Line

"C:\Program Files (x86)\Windows Media Player\wmplayer.exe" /prefetch:6 /Open "C:\Users\Admin\AppData\Local\Temp\Soundpad Mohamed m4\sounds\firework.mp3"

Signatures

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\E: C:\Windows\system32\unregmp2.exe N/A
File opened (read-only) \??\P: C:\Windows\system32\unregmp2.exe N/A
File opened (read-only) \??\Q: C:\Windows\system32\unregmp2.exe N/A
File opened (read-only) \??\T: C:\Windows\system32\unregmp2.exe N/A
File opened (read-only) \??\U: C:\Windows\system32\unregmp2.exe N/A
File opened (read-only) \??\W: C:\Windows\system32\unregmp2.exe N/A
File opened (read-only) \??\B: C:\Windows\system32\unregmp2.exe N/A
File opened (read-only) \??\J: C:\Windows\system32\unregmp2.exe N/A
File opened (read-only) \??\N: C:\Windows\system32\unregmp2.exe N/A
File opened (read-only) \??\O: C:\Windows\system32\unregmp2.exe N/A
File opened (read-only) \??\R: C:\Windows\system32\unregmp2.exe N/A
File opened (read-only) \??\Z: C:\Windows\system32\unregmp2.exe N/A
File opened (read-only) \??\A: C:\Windows\system32\unregmp2.exe N/A
File opened (read-only) \??\G: C:\Windows\system32\unregmp2.exe N/A
File opened (read-only) \??\H: C:\Windows\system32\unregmp2.exe N/A
File opened (read-only) \??\L: C:\Windows\system32\unregmp2.exe N/A
File opened (read-only) \??\M: C:\Windows\system32\unregmp2.exe N/A
File opened (read-only) \??\X: C:\Windows\system32\unregmp2.exe N/A
File opened (read-only) \??\I: C:\Windows\system32\unregmp2.exe N/A
File opened (read-only) \??\K: C:\Windows\system32\unregmp2.exe N/A
File opened (read-only) \??\S: C:\Windows\system32\unregmp2.exe N/A
File opened (read-only) \??\V: C:\Windows\system32\unregmp2.exe N/A
File opened (read-only) \??\Y: C:\Windows\system32\unregmp2.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeShutdownPrivilege N/A C:\Windows\system32\unregmp2.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\system32\unregmp2.exe N/A

Processes

C:\Program Files (x86)\Windows Media Player\wmplayer.exe

"C:\Program Files (x86)\Windows Media Player\wmplayer.exe" /prefetch:6 /Open "C:\Users\Admin\AppData\Local\Temp\Soundpad Mohamed m4\sounds\firework.mp3"

C:\Program Files (x86)\Windows Media Player\setup_wm.exe

"C:\Program Files (x86)\Windows Media Player\setup_wm.exe" /RunOnce:"C:\Program Files (x86)\Windows Media Player\wmplayer.exe" /prefetch:6 /Open "C:\Users\Admin\AppData\Local\Temp\Soundpad Mohamed m4\sounds\firework.mp3"

C:\Windows\SysWOW64\unregmp2.exe

"C:\Windows\System32\unregmp2.exe" /AsyncFirstLogon

C:\Windows\system32\unregmp2.exe

"C:\Windows\SysNative\unregmp2.exe" /AsyncFirstLogon /REENTRANT

Network

Country Destination Domain Proto
US 8.8.8.8:53 228.249.119.40.in-addr.arpa udp
US 8.8.8.8:53 216.197.17.2.in-addr.arpa udp
US 8.8.8.8:53 71.31.126.40.in-addr.arpa udp
US 8.8.8.8:53 196.249.167.52.in-addr.arpa udp
US 8.8.8.8:53 183.59.114.20.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 28.143.109.104.in-addr.arpa udp
US 8.8.8.8:53 241.197.17.2.in-addr.arpa udp
US 52.111.229.48:443 tcp
US 8.8.8.8:53 31.243.111.52.in-addr.arpa udp
US 8.8.8.8:53 2.173.189.20.in-addr.arpa udp

Files

C:\Users\Admin\AppData\Local\Temp\wmsetup.log

MD5 5a107dd0e811d7c88e5441e4706e3e5f
SHA1 88bef6ba72ee130dcc2555a313ef1e4a1738eb66
SHA256 7ee3812c35841bde269e2ebe7065bb3ede42f25b453b28cb2bdb6f044d82297d
SHA512 afc21c35f488f2a698c9689601f1fb7247890378d0808121bbb8b21b56f6e78cec563a49c33a0a1e26af4fba813289f0c78fb3d3e5d7d2d9d5aebe69526b39a1

C:\Users\Admin\AppData\Local\Microsoft\Windows Media\12.0\WMSDKNS.XML.bak

MD5 7050d5ae8acfbe560fa11073fef8185d
SHA1 5bc38e77ff06785fe0aec5a345c4ccd15752560e
SHA256 cb87767c4a384c24e4a0f88455f59101b1ae7b4fb8de8a5adb4136c5f7ee545b
SHA512 a7a295ac8921bb3dde58d4bcde9372ed59def61d4b7699057274960fa8c1d1a1daff834a93f7a0698e9e5c16db43af05e9fd2d6d7c9232f7d26ffcff5fc5900b

C:\Users\Admin\AppData\Local\Microsoft\Media Player\CurrentDatabase_400.wmdb

MD5 fc240c081ec382df4b74d591d7d37a45
SHA1 396e9d8accb2ff8b32e6c3957808cb87d23ad47c
SHA256 8cfeb277627a0fc9f2596c83dc37f9a3d8871293cd88dadd08f32098bf936038
SHA512 d8f83773c330b88b43f9ebc6220aa98368854e44a75b73a8575e7171f6c32e784d404e5a2e2e7787d3c71c0cfecdbb983631b639d9fee879b374d498d2ef0ab7

Analysis: behavioral32

Detonation Overview

Submitted

2024-04-07 18:23

Reported

2024-04-07 18:26

Platform

win10v2004-20240226-en

Max time kernel

93s

Max time network

100s

Command Line

"C:\Program Files (x86)\Windows Media Player\wmplayer.exe" /prefetch:6 /Open "C:\Users\Admin\AppData\Local\Temp\Soundpad Mohamed m4\sounds\notify\disabled.m4a"

Signatures

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\N: C:\Windows\system32\unregmp2.exe N/A
File opened (read-only) \??\O: C:\Windows\system32\unregmp2.exe N/A
File opened (read-only) \??\X: C:\Windows\system32\unregmp2.exe N/A
File opened (read-only) \??\L: C:\Windows\system32\unregmp2.exe N/A
File opened (read-only) \??\E: C:\Windows\system32\unregmp2.exe N/A
File opened (read-only) \??\J: C:\Windows\system32\unregmp2.exe N/A
File opened (read-only) \??\A: C:\Windows\system32\unregmp2.exe N/A
File opened (read-only) \??\G: C:\Windows\system32\unregmp2.exe N/A
File opened (read-only) \??\H: C:\Windows\system32\unregmp2.exe N/A
File opened (read-only) \??\I: C:\Windows\system32\unregmp2.exe N/A
File opened (read-only) \??\K: C:\Windows\system32\unregmp2.exe N/A
File opened (read-only) \??\M: C:\Windows\system32\unregmp2.exe N/A
File opened (read-only) \??\Q: C:\Windows\system32\unregmp2.exe N/A
File opened (read-only) \??\U: C:\Windows\system32\unregmp2.exe N/A
File opened (read-only) \??\B: C:\Windows\system32\unregmp2.exe N/A
File opened (read-only) \??\V: C:\Windows\system32\unregmp2.exe N/A
File opened (read-only) \??\R: C:\Windows\system32\unregmp2.exe N/A
File opened (read-only) \??\S: C:\Windows\system32\unregmp2.exe N/A
File opened (read-only) \??\T: C:\Windows\system32\unregmp2.exe N/A
File opened (read-only) \??\W: C:\Windows\system32\unregmp2.exe N/A
File opened (read-only) \??\Y: C:\Windows\system32\unregmp2.exe N/A
File opened (read-only) \??\Z: C:\Windows\system32\unregmp2.exe N/A
File opened (read-only) \??\P: C:\Windows\system32\unregmp2.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeShutdownPrivilege N/A C:\Windows\system32\unregmp2.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\system32\unregmp2.exe N/A

Processes

C:\Program Files (x86)\Windows Media Player\wmplayer.exe

"C:\Program Files (x86)\Windows Media Player\wmplayer.exe" /prefetch:6 /Open "C:\Users\Admin\AppData\Local\Temp\Soundpad Mohamed m4\sounds\notify\disabled.m4a"

C:\Program Files (x86)\Windows Media Player\setup_wm.exe

"C:\Program Files (x86)\Windows Media Player\setup_wm.exe" /RunOnce:"C:\Program Files (x86)\Windows Media Player\wmplayer.exe" /prefetch:6 /Open "C:\Users\Admin\AppData\Local\Temp\Soundpad Mohamed m4\sounds\notify\disabled.m4a"

C:\Windows\SysWOW64\unregmp2.exe

"C:\Windows\System32\unregmp2.exe" /AsyncFirstLogon

C:\Windows\system32\unregmp2.exe

"C:\Windows\SysNative\unregmp2.exe" /AsyncFirstLogon /REENTRANT

Network

Country Destination Domain Proto
US 8.8.8.8:53 196.249.167.52.in-addr.arpa udp
US 8.8.8.8:53 240.197.17.2.in-addr.arpa udp
US 8.8.8.8:53 138.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 28.118.140.52.in-addr.arpa udp
US 8.8.8.8:53 183.59.114.20.in-addr.arpa udp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
US 8.8.8.8:53 0.204.248.87.in-addr.arpa udp
US 8.8.8.8:53 216.197.17.2.in-addr.arpa udp
US 8.8.8.8:53 23.236.111.52.in-addr.arpa udp
US 8.8.8.8:53 241.197.17.2.in-addr.arpa udp

Files

C:\Users\Admin\AppData\Local\Temp\wmsetup.log

MD5 7feffce4dd6d0bcb844829bf03c8b5e6
SHA1 687c37f3a0928f5d18420a6716625232915ef4a1
SHA256 6beb823bf9ef7d51aff88531db21ab543e83d3a563b7a5e01096def61aad48ad
SHA512 e6620ec329dbc737db6d7663aab540d9af182d89016e39831858658ed7b3d80ba13c778fae474e74361463daed983c3f1cad28e1c0490cb4a4fcc6a47fc1bfe9

C:\Users\Admin\AppData\Local\Microsoft\Windows Media\12.0\WMSDKNS.XML

MD5 7050d5ae8acfbe560fa11073fef8185d
SHA1 5bc38e77ff06785fe0aec5a345c4ccd15752560e
SHA256 cb87767c4a384c24e4a0f88455f59101b1ae7b4fb8de8a5adb4136c5f7ee545b
SHA512 a7a295ac8921bb3dde58d4bcde9372ed59def61d4b7699057274960fa8c1d1a1daff834a93f7a0698e9e5c16db43af05e9fd2d6d7c9232f7d26ffcff5fc5900b

C:\Users\Admin\AppData\Local\Microsoft\Media Player\CurrentDatabase_400.wmdb

MD5 063793e4ba784832026ec8bc3528f7f1
SHA1 687d03823d7ab8954826f753a645426cff3c5db4
SHA256 cb153cb703aea1ba1afe2614cffb086fa781646a285c5ac37354ee933a29cedd
SHA512 225910c24052dfdf7fca574b12ecef4eb68e990167010f80d7136f03ac6e7faa33233685cbf37b38ee626bb22ff3afeee39e597080e429be3ec241fb30af40c6

Analysis: behavioral1

Detonation Overview

Submitted

2024-04-07 18:23

Reported

2024-04-07 18:26

Platform

win7-20240221-en

Max time kernel

128s

Max time network

126s

Command Line

cmd /c C:\Users\Admin\AppData\Local\Temp\Soundpad_Mohamed_m4.rar

Signatures

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zO45AACD18\Soundpad.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Program Files\7-Zip\7zFM.exe N/A

Enumerates physical storage devices

Opens file in notepad (likely ransom note)

ransomware
Description Indicator Process Target
N/A N/A C:\Windows\system32\NOTEPAD.EXE N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Program Files\7-Zip\7zFM.exe N/A
N/A N/A C:\Program Files\7-Zip\7zFM.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Program Files\7-Zip\7zFM.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeRestorePrivilege N/A C:\Program Files\7-Zip\7zFM.exe N/A
Token: 35 N/A C:\Program Files\7-Zip\7zFM.exe N/A
Token: SeSecurityPrivilege N/A C:\Program Files\7-Zip\7zFM.exe N/A
Token: SeSecurityPrivilege N/A C:\Program Files\7-Zip\7zFM.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Program Files\7-Zip\7zFM.exe N/A
N/A N/A C:\Program Files\7-Zip\7zFM.exe N/A
N/A N/A C:\Program Files\7-Zip\7zFM.exe N/A

Processes

C:\Windows\system32\cmd.exe

cmd /c C:\Users\Admin\AppData\Local\Temp\Soundpad_Mohamed_m4.rar

C:\Program Files\7-Zip\7zFM.exe

"C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\Soundpad_Mohamed_m4.rar"

C:\Windows\system32\NOTEPAD.EXE

"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Local\Temp\7zO45A0CE08\Readme.txt

C:\Users\Admin\AppData\Local\Temp\7zO45AACD18\Soundpad.exe

"C:\Users\Admin\AppData\Local\Temp\7zO45AACD18\Soundpad.exe"

Network

N/A

Files

C:\Users\Admin\AppData\Local\Temp\7zO45A0CE08\Readme.txt

MD5 75e1c9f2df88bb43b0171a9cc4869230
SHA1 6153db66cce38bbebfe6b42b42ed65f9afb5ed33
SHA256 e8cd560f199c8e666ec1cfd460e444479eb2f1360040376a4eb03c3c14316b20
SHA512 4a5f57f00889fcb55ec2c7a4204bdd4857ab6bfc41050e50a18452515c31e0dc2dd87aca2bda11840f463ba24c044b1e03a53d4ebe48f8f809ff07b3ee3703b9

\Users\Admin\AppData\Local\Temp\7zO45AACD18\Soundpad.exe

MD5 0ae4f60d72e0d1c159505500b8a08ebb
SHA1 bb352dafd3c3ebebb4414b799010fe5ebddbef44
SHA256 ed3371229647ef876b45cb5940e48b461df58d4e68ad4932f5877eba90c8d379
SHA512 88495911df544a04a4e09828ae10b57d3d945c41d6e28964c2d4d077afa43fec1c82a8ff6dcce57a3c7b9e5d02d1e47f800f557b022866f5f7be4a2db9b07536

Analysis: behavioral22

Detonation Overview

Submitted

2024-04-07 18:23

Reported

2024-04-07 18:26

Platform

win10v2004-20240226-en

Max time kernel

145s

Max time network

161s

Command Line

"C:\Program Files (x86)\Windows Media Player\wmplayer.exe" /prefetch:6 /Open "C:\Users\Admin\AppData\Local\Temp\Soundpad Mohamed m4\sounds\cue.mp3"

Signatures

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\X: C:\Windows\system32\unregmp2.exe N/A
File opened (read-only) \??\M: C:\Windows\system32\unregmp2.exe N/A
File opened (read-only) \??\N: C:\Windows\system32\unregmp2.exe N/A
File opened (read-only) \??\Q: C:\Windows\system32\unregmp2.exe N/A
File opened (read-only) \??\T: C:\Windows\system32\unregmp2.exe N/A
File opened (read-only) \??\K: C:\Windows\system32\unregmp2.exe N/A
File opened (read-only) \??\L: C:\Windows\system32\unregmp2.exe N/A
File opened (read-only) \??\S: C:\Windows\system32\unregmp2.exe N/A
File opened (read-only) \??\V: C:\Windows\system32\unregmp2.exe N/A
File opened (read-only) \??\B: C:\Windows\system32\unregmp2.exe N/A
File opened (read-only) \??\E: C:\Windows\system32\unregmp2.exe N/A
File opened (read-only) \??\G: C:\Windows\system32\unregmp2.exe N/A
File opened (read-only) \??\J: C:\Windows\system32\unregmp2.exe N/A
File opened (read-only) \??\A: C:\Windows\system32\unregmp2.exe N/A
File opened (read-only) \??\U: C:\Windows\system32\unregmp2.exe N/A
File opened (read-only) \??\W: C:\Windows\system32\unregmp2.exe N/A
File opened (read-only) \??\Z: C:\Windows\system32\unregmp2.exe N/A
File opened (read-only) \??\R: C:\Windows\system32\unregmp2.exe N/A
File opened (read-only) \??\Y: C:\Windows\system32\unregmp2.exe N/A
File opened (read-only) \??\H: C:\Windows\system32\unregmp2.exe N/A
File opened (read-only) \??\I: C:\Windows\system32\unregmp2.exe N/A
File opened (read-only) \??\O: C:\Windows\system32\unregmp2.exe N/A
File opened (read-only) \??\P: C:\Windows\system32\unregmp2.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeShutdownPrivilege N/A C:\Windows\system32\unregmp2.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\system32\unregmp2.exe N/A

Processes

C:\Program Files (x86)\Windows Media Player\wmplayer.exe

"C:\Program Files (x86)\Windows Media Player\wmplayer.exe" /prefetch:6 /Open "C:\Users\Admin\AppData\Local\Temp\Soundpad Mohamed m4\sounds\cue.mp3"

C:\Program Files (x86)\Windows Media Player\setup_wm.exe

"C:\Program Files (x86)\Windows Media Player\setup_wm.exe" /RunOnce:"C:\Program Files (x86)\Windows Media Player\wmplayer.exe" /prefetch:6 /Open "C:\Users\Admin\AppData\Local\Temp\Soundpad Mohamed m4\sounds\cue.mp3"

C:\Windows\SysWOW64\unregmp2.exe

"C:\Windows\System32\unregmp2.exe" /AsyncFirstLogon

C:\Windows\system32\unregmp2.exe

"C:\Windows\SysNative\unregmp2.exe" /AsyncFirstLogon /REENTRANT

Network

Country Destination Domain Proto
US 8.8.8.8:53 228.249.119.40.in-addr.arpa udp
US 8.8.8.8:53 241.197.17.2.in-addr.arpa udp
US 8.8.8.8:53 4.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 157.123.68.40.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 0.204.248.87.in-addr.arpa udp
US 8.8.8.8:53 23.236.111.52.in-addr.arpa udp
US 8.8.8.8:53 240.197.17.2.in-addr.arpa udp
US 8.8.8.8:53 90.65.42.20.in-addr.arpa udp

Files

C:\Users\Admin\AppData\Local\Temp\wmsetup.log

MD5 07d3a46baace81fc07b93d0a4147ae8b
SHA1 1587c0e60703e3820cd191899819cee6c313947c
SHA256 f288ce594f845803bc11cbc48fa5f81a52200ebbf03025a9a328f7c9806f4b6d
SHA512 5ac89788bbdac13c41fd9497e76405d31facfc573a26be7bba1f6c81bce5102af995484ba99d1caa7368cb78bb7d4a7af68ab89e008f71cc310154d18c33572c

C:\Users\Admin\AppData\Local\Microsoft\Windows Media\12.0\WMSDKNS.XML

MD5 7050d5ae8acfbe560fa11073fef8185d
SHA1 5bc38e77ff06785fe0aec5a345c4ccd15752560e
SHA256 cb87767c4a384c24e4a0f88455f59101b1ae7b4fb8de8a5adb4136c5f7ee545b
SHA512 a7a295ac8921bb3dde58d4bcde9372ed59def61d4b7699057274960fa8c1d1a1daff834a93f7a0698e9e5c16db43af05e9fd2d6d7c9232f7d26ffcff5fc5900b

C:\Users\Admin\AppData\Local\Microsoft\Media Player\CurrentDatabase_400.wmdb

MD5 9c481a94abc7eee23cd5234262e60077
SHA1 2873225e708fb5461ac60c3613fe12112423f0f0
SHA256 681c9665d741ca6ed709cdd79d070ff7f4fdf158e02342f7d47e90a6d962b061
SHA512 0579499b5f01649f7e5e3afad07b4c7924d30fbc56dd12b37d9ad46bdefe35fcb6371694c1eff6c42d56c21b1de4c4f40531b27cd32eca1bdf51c6cac41fe668

Analysis: behavioral30

Detonation Overview

Submitted

2024-04-07 18:23

Reported

2024-04-07 18:26

Platform

win10v2004-20240226-en

Max time kernel

149s

Max time network

154s

Command Line

"C:\Program Files (x86)\Windows Media Player\wmplayer.exe" /prefetch:6 /Open "C:\Users\Admin\AppData\Local\Temp\Soundpad Mohamed m4\sounds\notify\default.m4a"

Signatures

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\B: C:\Windows\system32\unregmp2.exe N/A
File opened (read-only) \??\E: C:\Windows\system32\unregmp2.exe N/A
File opened (read-only) \??\G: C:\Windows\system32\unregmp2.exe N/A
File opened (read-only) \??\N: C:\Windows\system32\unregmp2.exe N/A
File opened (read-only) \??\P: C:\Windows\system32\unregmp2.exe N/A
File opened (read-only) \??\S: C:\Windows\system32\unregmp2.exe N/A
File opened (read-only) \??\A: C:\Windows\system32\unregmp2.exe N/A
File opened (read-only) \??\I: C:\Windows\system32\unregmp2.exe N/A
File opened (read-only) \??\L: C:\Windows\system32\unregmp2.exe N/A
File opened (read-only) \??\O: C:\Windows\system32\unregmp2.exe N/A
File opened (read-only) \??\T: C:\Windows\system32\unregmp2.exe N/A
File opened (read-only) \??\J: C:\Windows\system32\unregmp2.exe N/A
File opened (read-only) \??\K: C:\Windows\system32\unregmp2.exe N/A
File opened (read-only) \??\Q: C:\Windows\system32\unregmp2.exe N/A
File opened (read-only) \??\W: C:\Windows\system32\unregmp2.exe N/A
File opened (read-only) \??\Y: C:\Windows\system32\unregmp2.exe N/A
File opened (read-only) \??\H: C:\Windows\system32\unregmp2.exe N/A
File opened (read-only) \??\M: C:\Windows\system32\unregmp2.exe N/A
File opened (read-only) \??\R: C:\Windows\system32\unregmp2.exe N/A
File opened (read-only) \??\U: C:\Windows\system32\unregmp2.exe N/A
File opened (read-only) \??\V: C:\Windows\system32\unregmp2.exe N/A
File opened (read-only) \??\X: C:\Windows\system32\unregmp2.exe N/A
File opened (read-only) \??\Z: C:\Windows\system32\unregmp2.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeShutdownPrivilege N/A C:\Windows\system32\unregmp2.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\system32\unregmp2.exe N/A

Processes

C:\Program Files (x86)\Windows Media Player\wmplayer.exe

"C:\Program Files (x86)\Windows Media Player\wmplayer.exe" /prefetch:6 /Open "C:\Users\Admin\AppData\Local\Temp\Soundpad Mohamed m4\sounds\notify\default.m4a"

C:\Program Files (x86)\Windows Media Player\setup_wm.exe

"C:\Program Files (x86)\Windows Media Player\setup_wm.exe" /RunOnce:"C:\Program Files (x86)\Windows Media Player\wmplayer.exe" /prefetch:6 /Open "C:\Users\Admin\AppData\Local\Temp\Soundpad Mohamed m4\sounds\notify\default.m4a"

C:\Windows\SysWOW64\unregmp2.exe

"C:\Windows\System32\unregmp2.exe" /AsyncFirstLogon

C:\Windows\system32\unregmp2.exe

"C:\Windows\SysNative\unregmp2.exe" /AsyncFirstLogon /REENTRANT

Network

Country Destination Domain Proto
US 8.8.8.8:53 196.249.167.52.in-addr.arpa udp
US 8.8.8.8:53 241.197.17.2.in-addr.arpa udp
US 8.8.8.8:53 72.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 17.143.109.104.in-addr.arpa udp
US 8.8.8.8:53 240.197.17.2.in-addr.arpa udp
US 8.8.8.8:53 2.173.189.20.in-addr.arpa udp

Files

C:\Users\Admin\AppData\Local\Temp\wmsetup.log

MD5 aa0f50d9588175b0f3526bedbbff76dc
SHA1 c27b2bcf63be9331779c5a558c5253cf285c0ef7
SHA256 68d101d84a67551693ce67e41c296fc6d8bfba3d1925c7d24de9841e702b0287
SHA512 b1c47cc98a9395080d502560ed93cb7826a7e6de872ea240b32e4e884407f64e9acb9d956b35db143676e4f255e06b302f6c561874f0b6a9dfebf260a5b0615e

C:\Users\Admin\AppData\Local\Microsoft\Windows Media\12.0\WMSDKNS.XML

MD5 7050d5ae8acfbe560fa11073fef8185d
SHA1 5bc38e77ff06785fe0aec5a345c4ccd15752560e
SHA256 cb87767c4a384c24e4a0f88455f59101b1ae7b4fb8de8a5adb4136c5f7ee545b
SHA512 a7a295ac8921bb3dde58d4bcde9372ed59def61d4b7699057274960fa8c1d1a1daff834a93f7a0698e9e5c16db43af05e9fd2d6d7c9232f7d26ffcff5fc5900b

C:\Users\Admin\AppData\Local\Microsoft\Media Player\CurrentDatabase_400.wmdb

MD5 063793e4ba784832026ec8bc3528f7f1
SHA1 687d03823d7ab8954826f753a645426cff3c5db4
SHA256 cb153cb703aea1ba1afe2614cffb086fa781646a285c5ac37354ee933a29cedd
SHA512 225910c24052dfdf7fca574b12ecef4eb68e990167010f80d7136f03ac6e7faa33233685cbf37b38ee626bb22ff3afeee39e597080e429be3ec241fb30af40c6

Analysis: behavioral17

Detonation Overview

Submitted

2024-04-07 18:23

Reported

2024-04-07 18:26

Platform

win7-20240220-en

Max time kernel

121s

Max time network

125s

Command Line

cmd /c "C:\Users\Admin\AppData\Local\Temp\Soundpad Mohamed m4\languages\es_ES\translation.mo"

Signatures

Enumerates physical storage devices

Modifies registry class

Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000_CLASSES\mo_auto_file\shell\Read\command\ = "\"C:\\Program Files (x86)\\Adobe\\Reader 9.0\\Reader\\AcroRd32.exe\" \"%1\"" C:\Windows\system32\rundll32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000_Classes\Local Settings C:\Windows\system32\rundll32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000_CLASSES\mo_auto_file C:\Windows\system32\rundll32.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000_CLASSES\mo_auto_file\ C:\Windows\system32\rundll32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000_CLASSES\.mo C:\Windows\system32\rundll32.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000_CLASSES\.mo\ = "mo_auto_file" C:\Windows\system32\rundll32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000_CLASSES\mo_auto_file\shell\Read C:\Windows\system32\rundll32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000_CLASSES\mo_auto_file\shell C:\Windows\system32\rundll32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000_CLASSES\mo_auto_file\shell\Read\command C:\Windows\system32\rundll32.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe N/A
N/A N/A C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe N/A

Processes

C:\Windows\system32\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\Soundpad Mohamed m4\languages\es_ES\translation.mo"

C:\Windows\system32\rundll32.exe

"C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\Soundpad Mohamed m4\languages\es_ES\translation.mo

C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe

"C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\Soundpad Mohamed m4\languages\es_ES\translation.mo"

Network

N/A

Files

C:\Users\Admin\AppData\Roaming\Adobe\Acrobat\9.0\SharedDataEvents

MD5 cd0f1d5f31605fb9dd562636babae6b8
SHA1 d8e81c32160f04104bb9e3a73130808fbbb3a147
SHA256 60da8dba80e552cab3605c3b0a89567015bb155adfc6c9064cb1522dfcf46102
SHA512 44d986ec415f01539254c1ece2bf1b443ee7f1f1e6178927f8b355bef3993af3196a290c6121f35718a797581e59bc5a897a5d055ff6ba4830f486d84be5e9f5

Analysis: behavioral20

Detonation Overview

Submitted

2024-04-07 18:23

Reported

2024-04-07 18:26

Platform

win10v2004-20231215-en

Max time kernel

87s

Max time network

154s

Command Line

"C:\Program Files (x86)\Windows Media Player\wmplayer.exe" /prefetch:6 /Open "C:\Users\Admin\AppData\Local\Temp\Soundpad Mohamed m4\sounds\ba dum tss.mp3"

Signatures

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\I: C:\Windows\system32\unregmp2.exe N/A
File opened (read-only) \??\J: C:\Windows\system32\unregmp2.exe N/A
File opened (read-only) \??\L: C:\Windows\system32\unregmp2.exe N/A
File opened (read-only) \??\N: C:\Windows\system32\unregmp2.exe N/A
File opened (read-only) \??\Z: C:\Windows\system32\unregmp2.exe N/A
File opened (read-only) \??\M: C:\Windows\system32\unregmp2.exe N/A
File opened (read-only) \??\O: C:\Windows\system32\unregmp2.exe N/A
File opened (read-only) \??\Q: C:\Windows\system32\unregmp2.exe N/A
File opened (read-only) \??\A: C:\Windows\system32\unregmp2.exe N/A
File opened (read-only) \??\B: C:\Windows\system32\unregmp2.exe N/A
File opened (read-only) \??\G: C:\Windows\system32\unregmp2.exe N/A
File opened (read-only) \??\H: C:\Windows\system32\unregmp2.exe N/A
File opened (read-only) \??\K: C:\Windows\system32\unregmp2.exe N/A
File opened (read-only) \??\X: C:\Windows\system32\unregmp2.exe N/A
File opened (read-only) \??\S: C:\Windows\system32\unregmp2.exe N/A
File opened (read-only) \??\T: C:\Windows\system32\unregmp2.exe N/A
File opened (read-only) \??\U: C:\Windows\system32\unregmp2.exe N/A
File opened (read-only) \??\V: C:\Windows\system32\unregmp2.exe N/A
File opened (read-only) \??\W: C:\Windows\system32\unregmp2.exe N/A
File opened (read-only) \??\E: C:\Windows\system32\unregmp2.exe N/A
File opened (read-only) \??\P: C:\Windows\system32\unregmp2.exe N/A
File opened (read-only) \??\R: C:\Windows\system32\unregmp2.exe N/A
File opened (read-only) \??\Y: C:\Windows\system32\unregmp2.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeShutdownPrivilege N/A C:\Windows\system32\unregmp2.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\system32\unregmp2.exe N/A

Processes

C:\Program Files (x86)\Windows Media Player\wmplayer.exe

"C:\Program Files (x86)\Windows Media Player\wmplayer.exe" /prefetch:6 /Open "C:\Users\Admin\AppData\Local\Temp\Soundpad Mohamed m4\sounds\ba dum tss.mp3"

C:\Program Files (x86)\Windows Media Player\setup_wm.exe

"C:\Program Files (x86)\Windows Media Player\setup_wm.exe" /RunOnce:"C:\Program Files (x86)\Windows Media Player\wmplayer.exe" /prefetch:6 /Open "C:\Users\Admin\AppData\Local\Temp\Soundpad Mohamed m4\sounds\ba dum tss.mp3"

C:\Windows\SysWOW64\unregmp2.exe

"C:\Windows\System32\unregmp2.exe" /AsyncFirstLogon

C:\Windows\system32\unregmp2.exe

"C:\Windows\SysNative\unregmp2.exe" /AsyncFirstLogon /REENTRANT

Network

Country Destination Domain Proto
US 8.8.8.8:53 209.205.72.20.in-addr.arpa udp
US 8.8.8.8:53 216.197.17.2.in-addr.arpa udp
US 8.8.8.8:53 17.160.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 228.249.119.40.in-addr.arpa udp
US 8.8.8.8:53 86.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 www.microsoft.com udp
NL 72.246.173.187:80 www.microsoft.com tcp
NL 72.246.173.187:80 www.microsoft.com tcp
US 8.8.8.8:53 187.173.246.72.in-addr.arpa udp
US 8.8.8.8:53 17.143.109.104.in-addr.arpa udp
US 8.8.8.8:53 22.236.111.52.in-addr.arpa udp

Files

C:\Users\Admin\AppData\Local\Temp\wmsetup.log

MD5 c45ab4efc36d4129586f3bf62fca67d6
SHA1 a5d8441b4817f479d9cb7710949c5bc01f1a0cb2
SHA256 1527549a5f6d65af788ed8c26bb11e4b6fe8e354fec75970035bf677e2f87a66
SHA512 97a8ce5c93b5a716465ce2485755af8c0255c1205329ab9ed817529cc4b12e1946a29c0ff3514c30717d3eb150275b85b80cf5bc35d21f82b50265f8a31535e9

C:\Users\Admin\AppData\Local\Microsoft\Windows Media\12.0\WMSDKNS.XML

MD5 7050d5ae8acfbe560fa11073fef8185d
SHA1 5bc38e77ff06785fe0aec5a345c4ccd15752560e
SHA256 cb87767c4a384c24e4a0f88455f59101b1ae7b4fb8de8a5adb4136c5f7ee545b
SHA512 a7a295ac8921bb3dde58d4bcde9372ed59def61d4b7699057274960fa8c1d1a1daff834a93f7a0698e9e5c16db43af05e9fd2d6d7c9232f7d26ffcff5fc5900b

C:\Users\Admin\AppData\Local\Microsoft\Media Player\CurrentDatabase_400.wmdb

MD5 987a07b978cfe12e4ce45e513ef86619
SHA1 22eec9a9b2e83ad33bedc59e3205f86590b7d40c
SHA256 f1a4a978ce1c4731df1594043135cf58d084fdf129dd1c8e4507c9e06eac5ea8
SHA512 39b86540e4d35c84609ef66537b5aa02058e3d4293f902127c7d4eac8ffc65920cb5c69a77552fc085687eed66e38367f83c177046d0ecb8e6d135463cc142aa

Analysis: behavioral27

Detonation Overview

Submitted

2024-04-07 18:23

Reported

2024-04-07 18:26

Platform

win7-20240221-en

Max time kernel

141s

Max time network

124s

Command Line

"C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file "C:\Users\Admin\AppData\Local\Temp\Soundpad Mohamed m4\sounds\notify\auto-keys-enabled.m4a"

Signatures

Suspicious behavior: AddClipboardFormatListener

Description Indicator Process Target
N/A N/A C:\Program Files\VideoLAN\VLC\vlc.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Program Files\VideoLAN\VLC\vlc.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: 33 N/A C:\Program Files\VideoLAN\VLC\vlc.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Program Files\VideoLAN\VLC\vlc.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Program Files\VideoLAN\VLC\vlc.exe N/A

Processes

C:\Program Files\VideoLAN\VLC\vlc.exe

"C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file "C:\Users\Admin\AppData\Local\Temp\Soundpad Mohamed m4\sounds\notify\auto-keys-enabled.m4a"

Network

N/A

Files

Analysis: behavioral6

Detonation Overview

Submitted

2024-04-07 18:23

Reported

2024-04-07 18:26

Platform

win10v2004-20240226-en

Max time kernel

115s

Max time network

147s

Command Line

C:\Windows\system32\NOTEPAD.EXE "C:\Users\Admin\AppData\Local\Temp\Soundpad Mohamed m4\Readme.txt"

Signatures

N/A

Processes

C:\Windows\system32\NOTEPAD.EXE

C:\Windows\system32\NOTEPAD.EXE "C:\Users\Admin\AppData\Local\Temp\Soundpad Mohamed m4\Readme.txt"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=3384 --field-trial-handle=3488,i,1267426273081718772,6254127258555406296,262144 --variations-seed-version /prefetch:8

Network

Country Destination Domain Proto
US 8.8.8.8:53 228.249.119.40.in-addr.arpa udp
US 8.8.8.8:53 216.197.17.2.in-addr.arpa udp
NL 52.142.223.178:80 tcp
US 8.8.8.8:53 71.31.126.40.in-addr.arpa udp
US 8.8.8.8:53 28.118.140.52.in-addr.arpa udp
US 8.8.8.8:53 31.243.111.52.in-addr.arpa udp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 28.143.109.104.in-addr.arpa udp
US 8.8.8.8:53 241.197.17.2.in-addr.arpa udp
US 8.8.8.8:53 240.197.17.2.in-addr.arpa udp

Files

N/A

Analysis: behavioral16

Detonation Overview

Submitted

2024-04-07 18:23

Reported

2024-04-07 18:26

Platform

win10v2004-20240226-en

Max time kernel

148s

Max time network

154s

Command Line

cmd /c "C:\Users\Admin\AppData\Local\Temp\Soundpad Mohamed m4\installscript.vdf"

Signatures

Enumerates physical storage devices

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-983155329-280873152-1838004294-1000_Classes\Local Settings C:\Windows\system32\cmd.exe N/A
Key created \REGISTRY\USER\S-1-5-21-983155329-280873152-1838004294-1000_Classes\Local Settings C:\Windows\system32\OpenWith.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Windows\system32\OpenWith.exe N/A

Processes

C:\Windows\system32\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\Soundpad Mohamed m4\installscript.vdf"

C:\Windows\system32\OpenWith.exe

C:\Windows\system32\OpenWith.exe -Embedding

Network

Country Destination Domain Proto
US 8.8.8.8:53 196.249.167.52.in-addr.arpa udp
US 8.8.8.8:53 22.160.190.20.in-addr.arpa udp
US 20.231.121.79:80 tcp
US 8.8.8.8:53 228.249.119.40.in-addr.arpa udp
US 8.8.8.8:53 86.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
US 8.8.8.8:53 17.143.109.104.in-addr.arpa udp
US 8.8.8.8:53 23.236.111.52.in-addr.arpa udp
US 8.8.8.8:53 66.229.138.52.in-addr.arpa udp

Files

N/A

Analysis: behavioral26

Detonation Overview

Submitted

2024-04-07 18:23

Reported

2024-04-07 18:26

Platform

win10v2004-20240226-en

Max time kernel

93s

Max time network

100s

Command Line

"C:\Program Files (x86)\Windows Media Player\wmplayer.exe" /prefetch:6 /Open "C:\Users\Admin\AppData\Local\Temp\Soundpad Mohamed m4\sounds\notify\auto-keys-disabled.m4a"

Signatures

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\O: C:\Windows\system32\unregmp2.exe N/A
File opened (read-only) \??\Q: C:\Windows\system32\unregmp2.exe N/A
File opened (read-only) \??\R: C:\Windows\system32\unregmp2.exe N/A
File opened (read-only) \??\V: C:\Windows\system32\unregmp2.exe N/A
File opened (read-only) \??\Y: C:\Windows\system32\unregmp2.exe N/A
File opened (read-only) \??\H: C:\Windows\system32\unregmp2.exe N/A
File opened (read-only) \??\N: C:\Windows\system32\unregmp2.exe N/A
File opened (read-only) \??\P: C:\Windows\system32\unregmp2.exe N/A
File opened (read-only) \??\X: C:\Windows\system32\unregmp2.exe N/A
File opened (read-only) \??\A: C:\Windows\system32\unregmp2.exe N/A
File opened (read-only) \??\B: C:\Windows\system32\unregmp2.exe N/A
File opened (read-only) \??\I: C:\Windows\system32\unregmp2.exe N/A
File opened (read-only) \??\K: C:\Windows\system32\unregmp2.exe N/A
File opened (read-only) \??\S: C:\Windows\system32\unregmp2.exe N/A
File opened (read-only) \??\W: C:\Windows\system32\unregmp2.exe N/A
File opened (read-only) \??\Z: C:\Windows\system32\unregmp2.exe N/A
File opened (read-only) \??\E: C:\Windows\system32\unregmp2.exe N/A
File opened (read-only) \??\G: C:\Windows\system32\unregmp2.exe N/A
File opened (read-only) \??\M: C:\Windows\system32\unregmp2.exe N/A
File opened (read-only) \??\T: C:\Windows\system32\unregmp2.exe N/A
File opened (read-only) \??\U: C:\Windows\system32\unregmp2.exe N/A
File opened (read-only) \??\J: C:\Windows\system32\unregmp2.exe N/A
File opened (read-only) \??\L: C:\Windows\system32\unregmp2.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeShutdownPrivilege N/A C:\Windows\system32\unregmp2.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\system32\unregmp2.exe N/A

Processes

C:\Program Files (x86)\Windows Media Player\wmplayer.exe

"C:\Program Files (x86)\Windows Media Player\wmplayer.exe" /prefetch:6 /Open "C:\Users\Admin\AppData\Local\Temp\Soundpad Mohamed m4\sounds\notify\auto-keys-disabled.m4a"

C:\Program Files (x86)\Windows Media Player\setup_wm.exe

"C:\Program Files (x86)\Windows Media Player\setup_wm.exe" /RunOnce:"C:\Program Files (x86)\Windows Media Player\wmplayer.exe" /prefetch:6 /Open "C:\Users\Admin\AppData\Local\Temp\Soundpad Mohamed m4\sounds\notify\auto-keys-disabled.m4a"

C:\Windows\SysWOW64\unregmp2.exe

"C:\Windows\System32\unregmp2.exe" /AsyncFirstLogon

C:\Windows\system32\unregmp2.exe

"C:\Windows\SysNative\unregmp2.exe" /AsyncFirstLogon /REENTRANT

Network

Country Destination Domain Proto
US 8.8.8.8:53 196.249.167.52.in-addr.arpa udp
US 8.8.8.8:53 216.197.17.2.in-addr.arpa udp
US 8.8.8.8:53 71.31.126.40.in-addr.arpa udp
US 8.8.8.8:53 228.249.119.40.in-addr.arpa udp
US 8.8.8.8:53 28.118.140.52.in-addr.arpa udp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 28.143.109.104.in-addr.arpa udp
US 8.8.8.8:53 241.197.17.2.in-addr.arpa udp

Files

C:\Users\Admin\AppData\Local\Temp\wmsetup.log

MD5 21c9937116337e834a39741d801e1ab2
SHA1 ee45b0dfeb00f3095345baa27bf96d634802a651
SHA256 1dd5b99bbdf9c60aad68d3f5aa3d6bc38bf9eaf7f3de7803ef9f39dd76b35577
SHA512 3bffbd73677663441f03effa7ccf1e09286e92bc8261939b64f18c60ddb73a589af2742e12407bda4b0bb1b7275831c094bd17c15ee59089dae6877d41702637

C:\Users\Admin\AppData\Local\Microsoft\Windows Media\12.0\WMSDKNS.XML

MD5 7050d5ae8acfbe560fa11073fef8185d
SHA1 5bc38e77ff06785fe0aec5a345c4ccd15752560e
SHA256 cb87767c4a384c24e4a0f88455f59101b1ae7b4fb8de8a5adb4136c5f7ee545b
SHA512 a7a295ac8921bb3dde58d4bcde9372ed59def61d4b7699057274960fa8c1d1a1daff834a93f7a0698e9e5c16db43af05e9fd2d6d7c9232f7d26ffcff5fc5900b

C:\Users\Admin\AppData\Local\Microsoft\Media Player\CurrentDatabase_400.wmdb

MD5 987a07b978cfe12e4ce45e513ef86619
SHA1 22eec9a9b2e83ad33bedc59e3205f86590b7d40c
SHA256 f1a4a978ce1c4731df1594043135cf58d084fdf129dd1c8e4507c9e06eac5ea8
SHA512 39b86540e4d35c84609ef66537b5aa02058e3d4293f902127c7d4eac8ffc65920cb5c69a77552fc085687eed66e38367f83c177046d0ecb8e6d135463cc142aa

Analysis: behavioral28

Detonation Overview

Submitted

2024-04-07 18:23

Reported

2024-04-07 18:26

Platform

win10v2004-20231215-en

Max time kernel

150s

Max time network

154s

Command Line

"C:\Program Files (x86)\Windows Media Player\wmplayer.exe" /prefetch:6 /Open "C:\Users\Admin\AppData\Local\Temp\Soundpad Mohamed m4\sounds\notify\auto-keys-enabled.m4a"

Signatures

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\A: C:\Windows\system32\unregmp2.exe N/A
File opened (read-only) \??\J: C:\Windows\system32\unregmp2.exe N/A
File opened (read-only) \??\O: C:\Windows\system32\unregmp2.exe N/A
File opened (read-only) \??\P: C:\Windows\system32\unregmp2.exe N/A
File opened (read-only) \??\T: C:\Windows\system32\unregmp2.exe N/A
File opened (read-only) \??\W: C:\Windows\system32\unregmp2.exe N/A
File opened (read-only) \??\B: C:\Windows\system32\unregmp2.exe N/A
File opened (read-only) \??\G: C:\Windows\system32\unregmp2.exe N/A
File opened (read-only) \??\H: C:\Windows\system32\unregmp2.exe N/A
File opened (read-only) \??\K: C:\Windows\system32\unregmp2.exe N/A
File opened (read-only) \??\L: C:\Windows\system32\unregmp2.exe N/A
File opened (read-only) \??\Q: C:\Windows\system32\unregmp2.exe N/A
File opened (read-only) \??\Z: C:\Windows\system32\unregmp2.exe N/A
File opened (read-only) \??\I: C:\Windows\system32\unregmp2.exe N/A
File opened (read-only) \??\M: C:\Windows\system32\unregmp2.exe N/A
File opened (read-only) \??\N: C:\Windows\system32\unregmp2.exe N/A
File opened (read-only) \??\R: C:\Windows\system32\unregmp2.exe N/A
File opened (read-only) \??\S: C:\Windows\system32\unregmp2.exe N/A
File opened (read-only) \??\U: C:\Windows\system32\unregmp2.exe N/A
File opened (read-only) \??\V: C:\Windows\system32\unregmp2.exe N/A
File opened (read-only) \??\X: C:\Windows\system32\unregmp2.exe N/A
File opened (read-only) \??\E: C:\Windows\system32\unregmp2.exe N/A
File opened (read-only) \??\Y: C:\Windows\system32\unregmp2.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeShutdownPrivilege N/A C:\Windows\system32\unregmp2.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\system32\unregmp2.exe N/A

Processes

C:\Program Files (x86)\Windows Media Player\wmplayer.exe

"C:\Program Files (x86)\Windows Media Player\wmplayer.exe" /prefetch:6 /Open "C:\Users\Admin\AppData\Local\Temp\Soundpad Mohamed m4\sounds\notify\auto-keys-enabled.m4a"

C:\Program Files (x86)\Windows Media Player\setup_wm.exe

"C:\Program Files (x86)\Windows Media Player\setup_wm.exe" /RunOnce:"C:\Program Files (x86)\Windows Media Player\wmplayer.exe" /prefetch:6 /Open "C:\Users\Admin\AppData\Local\Temp\Soundpad Mohamed m4\sounds\notify\auto-keys-enabled.m4a"

C:\Windows\SysWOW64\unregmp2.exe

"C:\Windows\System32\unregmp2.exe" /AsyncFirstLogon

C:\Windows\system32\unregmp2.exe

"C:\Windows\SysNative\unregmp2.exe" /AsyncFirstLogon /REENTRANT

Network

Country Destination Domain Proto
US 8.8.8.8:53 196.249.167.52.in-addr.arpa udp
US 8.8.8.8:53 216.197.17.2.in-addr.arpa udp
US 8.8.8.8:53 81.171.91.138.in-addr.arpa udp
US 8.8.8.8:53 71.31.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 228.249.119.40.in-addr.arpa udp
US 8.8.8.8:53 86.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 28.143.109.104.in-addr.arpa udp
US 8.8.8.8:53 241.197.17.2.in-addr.arpa udp
US 8.8.8.8:53 21.236.111.52.in-addr.arpa udp
US 8.8.8.8:53 udp

Files

C:\Users\Admin\AppData\Local\Temp\wmsetup.log

MD5 c45ab4efc36d4129586f3bf62fca67d6
SHA1 a5d8441b4817f479d9cb7710949c5bc01f1a0cb2
SHA256 1527549a5f6d65af788ed8c26bb11e4b6fe8e354fec75970035bf677e2f87a66
SHA512 97a8ce5c93b5a716465ce2485755af8c0255c1205329ab9ed817529cc4b12e1946a29c0ff3514c30717d3eb150275b85b80cf5bc35d21f82b50265f8a31535e9

C:\Users\Admin\AppData\Local\Microsoft\Windows Media\12.0\WMSDKNS.XML.bak

MD5 7050d5ae8acfbe560fa11073fef8185d
SHA1 5bc38e77ff06785fe0aec5a345c4ccd15752560e
SHA256 cb87767c4a384c24e4a0f88455f59101b1ae7b4fb8de8a5adb4136c5f7ee545b
SHA512 a7a295ac8921bb3dde58d4bcde9372ed59def61d4b7699057274960fa8c1d1a1daff834a93f7a0698e9e5c16db43af05e9fd2d6d7c9232f7d26ffcff5fc5900b

C:\Users\Admin\AppData\Local\Microsoft\Media Player\CurrentDatabase_400.wmdb

MD5 c7ca2711d80cd052da0d98ce7e6dec6b
SHA1 b051f0425224cf70e3a10636c21bf113bd1cd301
SHA256 a0c1147d7f6adb99735dc3fa370ef6fb8e6ddd3687eb7afd677af5c71df6957f
SHA512 487b985fe8a4fb9a0cb59ffb0b485133e0b089115e36b9bc3f0cbb64babd899daf1b282a9554b45874a59a4c7d9c07db370650c28a5731bde50f52e66a0fc0af

Analysis: behavioral5

Detonation Overview

Submitted

2024-04-07 18:23

Reported

2024-04-07 18:26

Platform

win7-20240319-en

Max time kernel

122s

Max time network

130s

Command Line

C:\Windows\system32\NOTEPAD.EXE "C:\Users\Admin\AppData\Local\Temp\Soundpad Mohamed m4\Readme.txt"

Signatures

N/A

Processes

C:\Windows\system32\NOTEPAD.EXE

C:\Windows\system32\NOTEPAD.EXE "C:\Users\Admin\AppData\Local\Temp\Soundpad Mohamed m4\Readme.txt"

Network

N/A

Files

N/A

Analysis: behavioral12

Detonation Overview

Submitted

2024-04-07 18:23

Reported

2024-04-07 18:26

Platform

win10v2004-20240226-en

Max time kernel

149s

Max time network

156s

Command Line

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\Soundpad Mohamed m4\UniteFxControl.dll",#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\Soundpad Mohamed m4\UniteFxControl.dll",#1

Network

Country Destination Domain Proto
US 8.8.8.8:53 133.211.185.52.in-addr.arpa udp
US 8.8.8.8:53 241.197.17.2.in-addr.arpa udp
US 8.8.8.8:53 71.31.126.40.in-addr.arpa udp
US 8.8.8.8:53 196.249.167.52.in-addr.arpa udp
US 8.8.8.8:53 28.118.140.52.in-addr.arpa udp
US 8.8.8.8:53 159.113.53.23.in-addr.arpa udp
US 8.8.8.8:53 79.121.231.20.in-addr.arpa udp
US 8.8.8.8:53 157.123.68.40.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 17.143.109.104.in-addr.arpa udp
US 8.8.8.8:53 216.197.17.2.in-addr.arpa udp
US 8.8.8.8:53 249.197.17.2.in-addr.arpa udp
US 8.8.8.8:53 43.229.111.52.in-addr.arpa udp
US 8.8.8.8:53 27.178.89.13.in-addr.arpa udp

Files

N/A

Analysis: behavioral31

Detonation Overview

Submitted

2024-04-07 18:23

Reported

2024-04-07 18:26

Platform

win7-20240221-en

Max time kernel

140s

Max time network

123s

Command Line

"C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file "C:\Users\Admin\AppData\Local\Temp\Soundpad Mohamed m4\sounds\notify\disabled.m4a"

Signatures

Suspicious behavior: AddClipboardFormatListener

Description Indicator Process Target
N/A N/A C:\Program Files\VideoLAN\VLC\vlc.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Program Files\VideoLAN\VLC\vlc.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: 33 N/A C:\Program Files\VideoLAN\VLC\vlc.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Program Files\VideoLAN\VLC\vlc.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Program Files\VideoLAN\VLC\vlc.exe N/A

Processes

C:\Program Files\VideoLAN\VLC\vlc.exe

"C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file "C:\Users\Admin\AppData\Local\Temp\Soundpad Mohamed m4\sounds\notify\disabled.m4a"

Network

N/A

Files

Analysis: behavioral3

Detonation Overview

Submitted

2024-04-07 18:23

Reported

2024-04-07 18:26

Platform

win7-20240221-en

Max time kernel

122s

Max time network

126s

Command Line

cmd /c "C:\Users\Admin\AppData\Local\Temp\Soundpad Mohamed m4\Profile\CRACKED BY Ray_Black\SteamUserID.cfg"

Signatures

Enumerates physical storage devices

Modifies registry class

Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000_CLASSES\cfg_auto_file\shell\Read\command\ = "\"C:\\Program Files (x86)\\Adobe\\Reader 9.0\\Reader\\AcroRd32.exe\" \"%1\"" C:\Windows\system32\rundll32.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000_CLASSES\cfg_auto_file\ C:\Windows\system32\rundll32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000_CLASSES\.cfg C:\Windows\system32\rundll32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000_CLASSES\cfg_auto_file\shell\Read C:\Windows\system32\rundll32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000_CLASSES\cfg_auto_file\shell C:\Windows\system32\rundll32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000_Classes\Local Settings C:\Windows\system32\rundll32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000_CLASSES\cfg_auto_file C:\Windows\system32\rundll32.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000_CLASSES\.cfg\ = "cfg_auto_file" C:\Windows\system32\rundll32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000_CLASSES\cfg_auto_file\shell\Read\command C:\Windows\system32\rundll32.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe N/A
N/A N/A C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe N/A

Processes

C:\Windows\system32\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\Soundpad Mohamed m4\Profile\CRACKED BY Ray_Black\SteamUserID.cfg"

C:\Windows\system32\rundll32.exe

"C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\Soundpad Mohamed m4\Profile\CRACKED BY Ray_Black\SteamUserID.cfg

C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe

"C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\Soundpad Mohamed m4\Profile\CRACKED BY Ray_Black\SteamUserID.cfg"

Network

N/A

Files

C:\Users\Admin\AppData\Roaming\Adobe\Acrobat\9.0\SharedDataEvents

MD5 0b3c2e8634cba555e2d5d4e54c1da826
SHA1 c8edacf306a65cd18548d0fb3b26ccced4f1c6cc
SHA256 fe30277737006b59285192989af8d543d55dc416cfb3e56dd9003062f4183d06
SHA512 097c42e7e1ab0f8c4acada0a9348131cbf703a4f00004dcef79aa69601d97d969a60fed5f26df7c1c3487a49b5c8d891865c9e3c3c8d035d9570237c18026335

Analysis: behavioral13

Detonation Overview

Submitted

2024-04-07 18:23

Reported

2024-04-07 18:26

Platform

win7-20240221-en

Max time kernel

119s

Max time network

123s

Command Line

regsvr32 /s "C:\Users\Admin\AppData\Local\Temp\Soundpad Mohamed m4\UniteFxUpdate.dll"

Signatures

Modifies registry class

Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\AudioEngine\AudioProcessingObjects\{27384E53-9860-0AC1-9519-C60EBCAA2C71}\FriendlyName = "UniteFx" C:\Windows\system32\regsvr32.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\AudioEngine\AudioProcessingObjects\{27384E53-9860-0AC1-9519-C60EBCAA2C71}\Flags = "14" C:\Windows\system32\regsvr32.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\AudioEngine\AudioProcessingObjects\{27384E53-9860-0AC1-9519-C60EBCAA2C71}\MaxInstances = "4294967295" C:\Windows\system32\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\AudioEngine\AudioProcessingObjects\{27384E53-9860-0AC1-9519-C60EBCAA2C71}\APOInterface0 = "{FD7F2B29-24D0-4B5C-B177-592C39F9CA10}" C:\Windows\system32\regsvr32.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\AudioEngine\AudioProcessingObjects\{27384E53-9860-0AC1-9519-C60EBCAA2C71}\MinorVersion = "6" C:\Windows\system32\regsvr32.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\AudioEngine\AudioProcessingObjects\{27384E53-9860-0AC1-9519-C60EBCAA2C71}\NumAPOInterfaces = "1" C:\Windows\system32\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\AudioEngine\AudioProcessingObjects C:\Windows\system32\regsvr32.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\AudioEngine\AudioProcessingObjects\{27384E53-9860-0AC1-9519-C60EBCAA2C71}\MajorVersion = "1" C:\Windows\system32\regsvr32.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\AudioEngine\AudioProcessingObjects\{27384E53-9860-0AC1-9519-C60EBCAA2C71}\MinInputConnections = "1" C:\Windows\system32\regsvr32.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\AudioEngine\AudioProcessingObjects\{27384E53-9860-0AC1-9519-C60EBCAA2C71}\MaxInputConnections = "1" C:\Windows\system32\regsvr32.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\AudioEngine\AudioProcessingObjects\{27384E53-9860-0AC1-9519-C60EBCAA2C71}\MinOutputConnections = "1" C:\Windows\system32\regsvr32.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\AudioEngine\AudioProcessingObjects\{27384E53-9860-0AC1-9519-C60EBCAA2C71}\MaxOutputConnections = "1" C:\Windows\system32\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\AudioEngine\AudioProcessingObjects\{27384E53-9860-0AC1-9519-C60EBCAA2C71} C:\Windows\system32\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\AudioEngine\AudioProcessingObjects\{27384E53-9860-0AC1-9519-C60EBCAA2C71}\Copyright = "Copyright (C) 2016-2019 Leppsoft" C:\Windows\system32\regsvr32.exe N/A

Processes

C:\Windows\system32\regsvr32.exe

regsvr32 /s "C:\Users\Admin\AppData\Local\Temp\Soundpad Mohamed m4\UniteFxUpdate.dll"

Network

N/A

Files

N/A

Analysis: behavioral15

Detonation Overview

Submitted

2024-04-07 18:23

Reported

2024-04-07 18:26

Platform

win7-20240221-en

Max time kernel

118s

Max time network

124s

Command Line

cmd /c "C:\Users\Admin\AppData\Local\Temp\Soundpad Mohamed m4\installscript.vdf"

Signatures

Enumerates physical storage devices

Modifies registry class

Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000_CLASSES\vdf_auto_file\shell\Read\command\ = "\"C:\\Program Files (x86)\\Adobe\\Reader 9.0\\Reader\\AcroRd32.exe\" \"%1\"" C:\Windows\system32\rundll32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000_CLASSES\vdf_auto_file C:\Windows\system32\rundll32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000_CLASSES\.vdf C:\Windows\system32\rundll32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000_CLASSES\vdf_auto_file\shell C:\Windows\system32\rundll32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000_CLASSES\vdf_auto_file\shell\Read\command C:\Windows\system32\rundll32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000_Classes\Local Settings C:\Windows\system32\rundll32.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000_CLASSES\vdf_auto_file\ C:\Windows\system32\rundll32.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000_CLASSES\.vdf\ = "vdf_auto_file" C:\Windows\system32\rundll32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000_CLASSES\vdf_auto_file\shell\Read C:\Windows\system32\rundll32.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe N/A
N/A N/A C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe N/A

Processes

C:\Windows\system32\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\Soundpad Mohamed m4\installscript.vdf"

C:\Windows\system32\rundll32.exe

"C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\Soundpad Mohamed m4\installscript.vdf

C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe

"C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\Soundpad Mohamed m4\installscript.vdf"

Network

N/A

Files

C:\Users\Admin\AppData\Roaming\Adobe\Acrobat\9.0\SharedDataEvents

MD5 d9730b481e4f3e62ebc14cd7de272027
SHA1 8910d274f35731a1cd8027a96ba5f70079b34ff9
SHA256 49cdc1119662635e740c05818b6e4e57f0be74043218cf7686be49323b92c37a
SHA512 6aa78f93570b50ba553e8acc9f31f7832177282619c434542c96e01633956ea3aea63a89efc9a691c50518d28fb340482942e5173398bec334d35dad565246df

Analysis: behavioral19

Detonation Overview

Submitted

2024-04-07 18:23

Reported

2024-04-07 18:26

Platform

win7-20240319-en

Max time kernel

141s

Max time network

132s

Command Line

"C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file "C:\Users\Admin\AppData\Local\Temp\Soundpad Mohamed m4\sounds\ba dum tss.mp3"

Signatures

Suspicious behavior: AddClipboardFormatListener

Description Indicator Process Target
N/A N/A C:\Program Files\VideoLAN\VLC\vlc.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Program Files\VideoLAN\VLC\vlc.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: 33 N/A C:\Program Files\VideoLAN\VLC\vlc.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Program Files\VideoLAN\VLC\vlc.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Program Files\VideoLAN\VLC\vlc.exe N/A

Processes

C:\Program Files\VideoLAN\VLC\vlc.exe

"C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file "C:\Users\Admin\AppData\Local\Temp\Soundpad Mohamed m4\sounds\ba dum tss.mp3"

Network

N/A

Files

memory/1192-5-0x000000013F070000-0x000000013F168000-memory.dmp

memory/1192-6-0x000007FEF70D0000-0x000007FEF7104000-memory.dmp

memory/1192-7-0x000007FEF5710000-0x000007FEF59C6000-memory.dmp

memory/1192-9-0x000007FEF7120000-0x000007FEF7137000-memory.dmp

memory/1192-8-0x000007FEFAE50000-0x000007FEFAE68000-memory.dmp

memory/1192-10-0x000007FEF6400000-0x000007FEF6411000-memory.dmp

memory/1192-12-0x000007FEF63C0000-0x000007FEF63D1000-memory.dmp

memory/1192-11-0x000007FEF63E0000-0x000007FEF63F7000-memory.dmp

memory/1192-13-0x000007FEF5F70000-0x000007FEF5F8D000-memory.dmp

memory/1192-14-0x000007FEF5F00000-0x000007FEF5F11000-memory.dmp

memory/1192-15-0x000007FEF5500000-0x000007FEF570B000-memory.dmp

memory/1192-16-0x000007FEF4450000-0x000007FEF5500000-memory.dmp

memory/1192-17-0x000007FEF5E00000-0x000007FEF5E41000-memory.dmp

memory/1192-18-0x000007FEF5DD0000-0x000007FEF5DF1000-memory.dmp

memory/1192-19-0x000007FEF5DB0000-0x000007FEF5DC8000-memory.dmp

memory/1192-20-0x000007FEF5D90000-0x000007FEF5DA1000-memory.dmp

memory/1192-21-0x000007FEF5D70000-0x000007FEF5D81000-memory.dmp

memory/1192-22-0x000007FEF5D50000-0x000007FEF5D61000-memory.dmp

memory/1192-23-0x000007FEF4430000-0x000007FEF444B000-memory.dmp

memory/1192-24-0x000007FEF4410000-0x000007FEF4421000-memory.dmp

memory/1192-27-0x000007FEF4350000-0x000007FEF43B7000-memory.dmp

memory/1192-26-0x000007FEF43C0000-0x000007FEF43F0000-memory.dmp

memory/1192-25-0x000007FEF43F0000-0x000007FEF4408000-memory.dmp

memory/1192-28-0x000007FEF42D0000-0x000007FEF434C000-memory.dmp

memory/1192-29-0x000007FEF42B0000-0x000007FEF42C1000-memory.dmp

memory/1192-30-0x000007FEF4290000-0x000007FEF42A8000-memory.dmp

memory/1192-31-0x000007FEF4270000-0x000007FEF4281000-memory.dmp

memory/1192-32-0x000007FEF4210000-0x000007FEF4267000-memory.dmp

memory/1192-35-0x000007FEF41A0000-0x000007FEF41B1000-memory.dmp

memory/1192-34-0x000007FEF41C0000-0x000007FEF41D3000-memory.dmp

memory/1192-33-0x000007FEF41E0000-0x000007FEF420F000-memory.dmp

memory/1192-36-0x000007FEF40D0000-0x000007FEF4195000-memory.dmp

memory/1192-37-0x000007FEF40B0000-0x000007FEF40C3000-memory.dmp

memory/1192-38-0x000007FEF4090000-0x000007FEF40A1000-memory.dmp

memory/1192-39-0x000007FEF4070000-0x000007FEF4084000-memory.dmp

memory/1192-40-0x000007FEF4050000-0x000007FEF4062000-memory.dmp

memory/1192-41-0x000007FEF4030000-0x000007FEF4044000-memory.dmp

memory/1192-42-0x000007FEF4010000-0x000007FEF402E000-memory.dmp

memory/1192-43-0x000007FEF3FF0000-0x000007FEF4007000-memory.dmp

memory/1192-45-0x000007FEF3FB0000-0x000007FEF3FC4000-memory.dmp

memory/1192-44-0x000007FEF3FD0000-0x000007FEF3FE5000-memory.dmp

memory/1192-46-0x000007FEF3F80000-0x000007FEF3FAC000-memory.dmp

memory/1192-47-0x000007FEF3F60000-0x000007FEF3F73000-memory.dmp

memory/1192-48-0x000007FEF3F20000-0x000007FEF3F51000-memory.dmp

memory/1192-49-0x000007FEF3F00000-0x000007FEF3F16000-memory.dmp

memory/1192-50-0x000007FEF2690000-0x000007FEF3EFF000-memory.dmp

memory/1192-51-0x000007FEF2670000-0x000007FEF2681000-memory.dmp

memory/1192-52-0x000007FEF2650000-0x000007FEF2662000-memory.dmp

memory/1192-53-0x000007FEF24D0000-0x000007FEF2650000-memory.dmp

memory/1192-54-0x000007FEF24B0000-0x000007FEF24C7000-memory.dmp

memory/1192-55-0x000007FEF2450000-0x000007FEF24A7000-memory.dmp

memory/1192-56-0x000007FEF2420000-0x000007FEF2448000-memory.dmp

memory/1192-57-0x000007FEF23F0000-0x000007FEF2414000-memory.dmp

memory/1192-58-0x000007FEF7190000-0x000007FEF71A0000-memory.dmp

memory/1192-59-0x000007FEF23D0000-0x000007FEF23E6000-memory.dmp

memory/1192-60-0x000007FEF2380000-0x000007FEF23C2000-memory.dmp

memory/1192-61-0x000007FEF2310000-0x000007FEF2372000-memory.dmp

memory/1192-62-0x000007FEF22A0000-0x000007FEF230D000-memory.dmp

memory/1192-63-0x000007FEF2280000-0x000007FEF2295000-memory.dmp

memory/1192-64-0x000007FEF2240000-0x000007FEF2251000-memory.dmp

memory/1192-65-0x000007FEF2220000-0x000007FEF2232000-memory.dmp

memory/1192-66-0x000007FEF20A0000-0x000007FEF221A000-memory.dmp

Analysis: behavioral23

Detonation Overview

Submitted

2024-04-07 18:23

Reported

2024-04-07 18:26

Platform

win7-20240221-en

Max time kernel

140s

Max time network

126s

Command Line

"C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file "C:\Users\Admin\AppData\Local\Temp\Soundpad Mohamed m4\sounds\firework.mp3"

Signatures

Suspicious behavior: AddClipboardFormatListener

Description Indicator Process Target
N/A N/A C:\Program Files\VideoLAN\VLC\vlc.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Program Files\VideoLAN\VLC\vlc.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: 33 N/A C:\Program Files\VideoLAN\VLC\vlc.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Program Files\VideoLAN\VLC\vlc.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Program Files\VideoLAN\VLC\vlc.exe N/A

Processes

C:\Program Files\VideoLAN\VLC\vlc.exe

"C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file "C:\Users\Admin\AppData\Local\Temp\Soundpad Mohamed m4\sounds\firework.mp3"

Network

N/A

Files

memory/1736-5-0x000000013F2C0000-0x000000013F3B8000-memory.dmp

memory/1736-6-0x000007FEF8130000-0x000007FEF8164000-memory.dmp

memory/1736-7-0x000007FEF6080000-0x000007FEF6334000-memory.dmp

memory/1736-8-0x000007FEFB940000-0x000007FEFB958000-memory.dmp

memory/1736-9-0x000007FEFA8C0000-0x000007FEFA8D7000-memory.dmp

memory/1736-10-0x000007FEF8110000-0x000007FEF8121000-memory.dmp

memory/1736-11-0x000007FEF7330000-0x000007FEF7347000-memory.dmp

memory/1736-12-0x000007FEF7310000-0x000007FEF7321000-memory.dmp

memory/1736-13-0x000007FEF72F0000-0x000007FEF730D000-memory.dmp

memory/1736-14-0x000007FEF5E80000-0x000007FEF6080000-memory.dmp

memory/1736-15-0x000007FEF67A0000-0x000007FEF67B1000-memory.dmp

memory/1736-16-0x000007FEF6760000-0x000007FEF679F000-memory.dmp

memory/1736-17-0x000007FEF6730000-0x000007FEF6751000-memory.dmp

memory/1736-18-0x000007FEF6710000-0x000007FEF6728000-memory.dmp

memory/1736-19-0x000007FEF4DD0000-0x000007FEF5E7B000-memory.dmp

memory/1736-20-0x000007FEF66F0000-0x000007FEF6701000-memory.dmp

memory/1736-21-0x000007FEF66D0000-0x000007FEF66E1000-memory.dmp

memory/1736-22-0x000007FEF66B0000-0x000007FEF66C1000-memory.dmp

memory/1736-25-0x000007FEF4D70000-0x000007FEF4D88000-memory.dmp

memory/1736-26-0x000007FEF4D40000-0x000007FEF4D70000-memory.dmp

memory/1736-27-0x000007FEF4CD0000-0x000007FEF4D37000-memory.dmp

memory/1736-24-0x000007FEF4D90000-0x000007FEF4DA1000-memory.dmp

memory/1736-28-0x000007FEF4C60000-0x000007FEF4CCF000-memory.dmp

memory/1736-29-0x000007FEF4C40000-0x000007FEF4C51000-memory.dmp

memory/1736-30-0x000007FEF4C20000-0x000007FEF4C37000-memory.dmp

memory/1736-23-0x000007FEF4DB0000-0x000007FEF4DCB000-memory.dmp

memory/1736-31-0x000007FEF4C00000-0x000007FEF4C11000-memory.dmp

memory/1736-32-0x000007FEF4BA0000-0x000007FEF4BF7000-memory.dmp

memory/1736-33-0x000007FEF4B70000-0x000007FEF4B9F000-memory.dmp

memory/1736-34-0x000007FEF4B50000-0x000007FEF4B63000-memory.dmp

memory/1736-35-0x000007FEF4B30000-0x000007FEF4B41000-memory.dmp

memory/1736-36-0x000007FEF4A60000-0x000007FEF4B25000-memory.dmp

memory/1736-37-0x000007FEF4A40000-0x000007FEF4A52000-memory.dmp

memory/1736-38-0x000007FEF4A20000-0x000007FEF4A31000-memory.dmp

memory/1736-39-0x000007FEF4A00000-0x000007FEF4A14000-memory.dmp

memory/1736-40-0x000007FEF49E0000-0x000007FEF49F2000-memory.dmp

memory/1736-42-0x000007FEF49A0000-0x000007FEF49BE000-memory.dmp

memory/1736-41-0x000007FEF49C0000-0x000007FEF49D4000-memory.dmp

memory/1736-45-0x000007FEF4940000-0x000007FEF4954000-memory.dmp

memory/1736-44-0x000007FEF4960000-0x000007FEF4975000-memory.dmp

memory/1736-46-0x000007FEF4910000-0x000007FEF493C000-memory.dmp

memory/1736-43-0x000007FEF4980000-0x000007FEF4996000-memory.dmp

memory/1736-48-0x000007FEF48C0000-0x000007FEF48F0000-memory.dmp

memory/1736-49-0x000007FEF48A0000-0x000007FEF48B7000-memory.dmp

memory/1736-47-0x000007FEF48F0000-0x000007FEF4902000-memory.dmp

memory/1736-50-0x000007FEF30F0000-0x000007FEF48A0000-memory.dmp

memory/1736-52-0x000007FEF30B0000-0x000007FEF30C2000-memory.dmp

memory/1736-51-0x000007FEF30D0000-0x000007FEF30E1000-memory.dmp

memory/1736-53-0x000007FEF2F30000-0x000007FEF30A8000-memory.dmp

memory/1736-54-0x000007FEF2F10000-0x000007FEF2F27000-memory.dmp

memory/1736-55-0x000007FEF2EB0000-0x000007FEF2F06000-memory.dmp

memory/1736-56-0x000007FEF2E80000-0x000007FEF2EA8000-memory.dmp

memory/1736-58-0x000007FEFA8B0000-0x000007FEFA8C0000-memory.dmp

memory/1736-57-0x000007FEF2E50000-0x000007FEF2E74000-memory.dmp

memory/1736-59-0x000007FEF2E30000-0x000007FEF2E46000-memory.dmp

memory/1736-60-0x000007FEF2DB0000-0x000007FEF2E25000-memory.dmp

memory/1736-61-0x000007FEF2D40000-0x000007FEF2DA2000-memory.dmp

memory/1736-62-0x000007FEF2CD0000-0x000007FEF2D3D000-memory.dmp

memory/1736-63-0x000007FEF2CB0000-0x000007FEF2CC5000-memory.dmp

memory/1736-65-0x000007FEF2C50000-0x000007FEF2C62000-memory.dmp

memory/1736-64-0x000007FEF2C70000-0x000007FEF2C81000-memory.dmp

memory/1736-66-0x000007FEF2AD0000-0x000007FEF2C4A000-memory.dmp

Analysis: behavioral25

Detonation Overview

Submitted

2024-04-07 18:23

Reported

2024-04-07 18:26

Platform

win7-20240221-en

Max time kernel

141s

Max time network

127s

Command Line

"C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file "C:\Users\Admin\AppData\Local\Temp\Soundpad Mohamed m4\sounds\notify\auto-keys-disabled.m4a"

Signatures

Suspicious behavior: AddClipboardFormatListener

Description Indicator Process Target
N/A N/A C:\Program Files\VideoLAN\VLC\vlc.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Program Files\VideoLAN\VLC\vlc.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: 33 N/A C:\Program Files\VideoLAN\VLC\vlc.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Program Files\VideoLAN\VLC\vlc.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Program Files\VideoLAN\VLC\vlc.exe N/A

Processes

C:\Program Files\VideoLAN\VLC\vlc.exe

"C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file "C:\Users\Admin\AppData\Local\Temp\Soundpad Mohamed m4\sounds\notify\auto-keys-disabled.m4a"

Network

N/A

Files

memory/2700-5-0x000000013F3F0000-0x000000013F4E8000-memory.dmp

memory/2700-6-0x000007FEFAAA0000-0x000007FEFAAD4000-memory.dmp

memory/2700-7-0x000007FEF5BA0000-0x000007FEF5E54000-memory.dmp

memory/2700-8-0x000007FEFB6F0000-0x000007FEFB708000-memory.dmp

memory/2700-11-0x000007FEFAA60000-0x000007FEFAA77000-memory.dmp

memory/2700-10-0x000007FEFAA80000-0x000007FEFAA91000-memory.dmp

memory/2700-9-0x000007FEFAD20000-0x000007FEFAD37000-memory.dmp

memory/2700-12-0x000007FEF73B0000-0x000007FEF73C1000-memory.dmp

memory/2700-13-0x000007FEF7390000-0x000007FEF73AD000-memory.dmp

memory/2700-14-0x000007FEF72F0000-0x000007FEF7301000-memory.dmp

memory/2700-15-0x000007FEF4AF0000-0x000007FEF5B9B000-memory.dmp

memory/2700-16-0x000007FEF48F0000-0x000007FEF4AF0000-memory.dmp

memory/2700-17-0x000007FEF6790000-0x000007FEF67CF000-memory.dmp

memory/2700-18-0x000007FEF6760000-0x000007FEF6781000-memory.dmp

memory/2700-19-0x000007FEF72D0000-0x000007FEF72E8000-memory.dmp

memory/2700-20-0x000007FEF6740000-0x000007FEF6751000-memory.dmp

memory/2700-21-0x000007FEF62C0000-0x000007FEF62D1000-memory.dmp

memory/2700-22-0x000007FEF62A0000-0x000007FEF62B1000-memory.dmp

memory/2700-24-0x000007FEF6260000-0x000007FEF6271000-memory.dmp

memory/2700-23-0x000007FEF6280000-0x000007FEF629B000-memory.dmp

memory/2700-25-0x000007FEF6240000-0x000007FEF6258000-memory.dmp

memory/2700-26-0x000007FEF6210000-0x000007FEF6240000-memory.dmp

memory/2700-27-0x000007FEF4880000-0x000007FEF48E7000-memory.dmp

memory/2700-28-0x000007FEF4810000-0x000007FEF487F000-memory.dmp

memory/2700-29-0x000007FEF61F0000-0x000007FEF6201000-memory.dmp

memory/2700-30-0x000007FEF47B0000-0x000007FEF4806000-memory.dmp

memory/2700-31-0x000007FEF4630000-0x000007FEF47A8000-memory.dmp

memory/2700-32-0x000007FEF61D0000-0x000007FEF61E7000-memory.dmp

memory/2700-33-0x000007FEFADC0000-0x000007FEFADD0000-memory.dmp

memory/2700-34-0x000007FEF4600000-0x000007FEF462F000-memory.dmp

memory/2700-35-0x000007FEF45E0000-0x000007FEF45F1000-memory.dmp

memory/2700-36-0x000007FEF45C0000-0x000007FEF45D6000-memory.dmp

memory/2700-37-0x000007FEF44F0000-0x000007FEF45B5000-memory.dmp

memory/2700-38-0x000007FEF4470000-0x000007FEF44E5000-memory.dmp

memory/2700-39-0x000007FEF4400000-0x000007FEF4462000-memory.dmp

memory/2700-40-0x000007FEF4390000-0x000007FEF43FD000-memory.dmp

memory/2700-41-0x000007FEF4370000-0x000007FEF4383000-memory.dmp

memory/2700-42-0x000007FEF4350000-0x000007FEF4364000-memory.dmp

memory/2700-43-0x000007FEF4300000-0x000007FEF4350000-memory.dmp

memory/2700-44-0x000007FEF42E0000-0x000007FEF42F5000-memory.dmp

memory/2700-45-0x000007FEF42A0000-0x000007FEF42B1000-memory.dmp

memory/2700-46-0x000007FEF4280000-0x000007FEF4292000-memory.dmp

memory/2700-47-0x000007FEF4100000-0x000007FEF427A000-memory.dmp

Analysis: behavioral4

Detonation Overview

Submitted

2024-04-07 18:23

Reported

2024-04-07 18:26

Platform

win10v2004-20240226-en

Max time kernel

92s

Max time network

129s

Command Line

cmd /c "C:\Users\Admin\AppData\Local\Temp\Soundpad Mohamed m4\Profile\CRACKED BY Ray_Black\SteamUserID.cfg"

Signatures

Enumerates physical storage devices

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000_Classes\Local Settings C:\Windows\system32\cmd.exe N/A
Key created \REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000_Classes\Local Settings C:\Windows\system32\OpenWith.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Windows\system32\OpenWith.exe N/A

Processes

C:\Windows\system32\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\Soundpad Mohamed m4\Profile\CRACKED BY Ray_Black\SteamUserID.cfg"

C:\Windows\system32\OpenWith.exe

C:\Windows\system32\OpenWith.exe -Embedding

Network

Country Destination Domain Proto
US 8.8.8.8:53 209.205.72.20.in-addr.arpa udp
US 8.8.8.8:53 216.197.17.2.in-addr.arpa udp
US 8.8.8.8:53 17.160.190.20.in-addr.arpa udp
US 8.8.8.8:53 228.249.119.40.in-addr.arpa udp
US 8.8.8.8:53 183.59.114.20.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 8.8.8.8:53 28.143.109.104.in-addr.arpa udp
US 8.8.8.8:53 241.197.17.2.in-addr.arpa udp
US 8.8.8.8:53 23.236.111.52.in-addr.arpa udp

Files

N/A

Analysis: behavioral7

Detonation Overview

Submitted

2024-04-07 18:23

Reported

2024-04-07 18:26

Platform

win7-20240221-en

Max time kernel

118s

Max time network

126s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Soundpad Mohamed m4\Soundpad.exe"

Signatures

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Windows\System32\regsvr32.exe N/A
N/A N/A C:\Windows\System32\regsvr32.exe N/A

Registers COM server for autorun

persistence
Description Indicator Process Target
Key created \REGISTRY\MACHINE\Software\Classes\CLSID\{27384E53-9860-0AC1-9519-C60EBCAA2C71}\InprocServer32\ C:\Users\Admin\AppData\Local\Temp\Soundpad Mohamed m4\Soundpad.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{27384E53-9860-0AC1-9519-C60EBCAA2C71}\InprocServer32\ = "C:\\Windows\\system32\\UniteFx.dll" C:\Users\Admin\AppData\Local\Temp\Soundpad Mohamed m4\Soundpad.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{27384E53-9860-0AC1-9519-C60EBCAA2C71}\InprocServer32\ThreadingModel = "Both" C:\Users\Admin\AppData\Local\Temp\Soundpad Mohamed m4\Soundpad.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\system32\UniteFx.dll C:\Users\Admin\AppData\Local\Temp\Soundpad Mohamed m4\Soundpad.exe N/A
File opened for modification C:\Windows\system32\UniteFx.dll C:\Users\Admin\AppData\Local\Temp\Soundpad Mohamed m4\Soundpad.exe N/A

Enumerates physical storage devices

Modifies registry class

Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{27384E53-9860-0AC1-9519-C60EBCAA2C71}\InprocServer32\ThreadingModel = "Both" C:\Users\Admin\AppData\Local\Temp\Soundpad Mohamed m4\Soundpad.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\AudioEngine\AudioProcessingObjects C:\Windows\System32\regsvr32.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\AudioEngine\AudioProcessingObjects\{27384E53-9860-0AC1-9519-C60EBCAA2C71}\MaxInputConnections = "1" C:\Windows\System32\regsvr32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1658372521-4246568289-2509113762-1000_CLASSES\Soundpad.Soundlist\\DefaultIcon C:\Users\Admin\AppData\Local\Temp\Soundpad Mohamed m4\Soundpad.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1658372521-4246568289-2509113762-1000_CLASSES\.spl\OpenWithList C:\Users\Admin\AppData\Local\Temp\Soundpad Mohamed m4\Soundpad.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1658372521-4246568289-2509113762-1000_CLASSES\Soundpad\URL Protocol C:\Users\Admin\AppData\Local\Temp\Soundpad Mohamed m4\Soundpad.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\AudioEngine\AudioProcessingObjects\{27384E53-9860-0AC1-9519-C60EBCAA2C71} C:\Windows\System32\regsvr32.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\AudioEngine\AudioProcessingObjects\{27384E53-9860-0AC1-9519-C60EBCAA2C71}\MaxOutputConnections = "1" C:\Windows\System32\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{27384E53-9860-0AC1-9519-C60EBCAA2C71}\InprocServer32\ = "C:\\Windows\\system32\\UniteFx.dll" C:\Users\Admin\AppData\Local\Temp\Soundpad Mohamed m4\Soundpad.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\AudioEngine\AudioProcessingObjects\{27384E53-9860-0AC1-9519-C60EBCAA2C71}\MinInputConnections = "1" C:\Windows\System32\regsvr32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1658372521-4246568289-2509113762-1000_CLASSES\.spl\OpenWithList\ehshell.exe\ C:\Users\Admin\AppData\Local\Temp\Soundpad Mohamed m4\Soundpad.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1658372521-4246568289-2509113762-1000_CLASSES\.spl\OpenWithProgids\Soundpad.Soundlist C:\Users\Admin\AppData\Local\Temp\Soundpad Mohamed m4\Soundpad.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1658372521-4246568289-2509113762-1000_CLASSES\Soundpad\shell\open\command C:\Users\Admin\AppData\Local\Temp\Soundpad Mohamed m4\Soundpad.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1658372521-4246568289-2509113762-1000_CLASSES\.spl\PerceivedType = "audio" C:\Users\Admin\AppData\Local\Temp\Soundpad Mohamed m4\Soundpad.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\AudioEngine\AudioProcessingObjects\{27384E53-9860-0AC1-9519-C60EBCAA2C71}\NumAPOInterfaces = "1" C:\Windows\System32\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\AudioEngine\AudioProcessingObjects\{27384E53-9860-0AC1-9519-C60EBCAA2C71}\Copyright = "Copyright (C) 2016-2019 Leppsoft" C:\Windows\System32\regsvr32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1658372521-4246568289-2509113762-1000_CLASSES\Soundpad.Soundlist C:\Users\Admin\AppData\Local\Temp\Soundpad Mohamed m4\Soundpad.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1658372521-4246568289-2509113762-1000_CLASSES\Soundpad.Soundlist\\shell\open\command C:\Users\Admin\AppData\Local\Temp\Soundpad Mohamed m4\Soundpad.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1658372521-4246568289-2509113762-1000_CLASSES\Soundpad.Soundlist\shell\open\command\ = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\Soundpad Mohamed m4\\Soundpad.exe\" \"%1\"" C:\Users\Admin\AppData\Local\Temp\Soundpad Mohamed m4\Soundpad.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\CLSID\{27384E53-9860-0AC1-9519-C60EBCAA2C71}\InprocServer32\ C:\Users\Admin\AppData\Local\Temp\Soundpad Mohamed m4\Soundpad.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\AudioEngine\AudioProcessingObjects\{27384E53-9860-0AC1-9519-C60EBCAA2C71}\Flags = "14" C:\Windows\System32\regsvr32.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1658372521-4246568289-2509113762-1000_CLASSES\Soundpad.Soundlist\ = "Soundpad sound list" C:\Users\Admin\AppData\Local\Temp\Soundpad Mohamed m4\Soundpad.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1658372521-4246568289-2509113762-1000_CLASSES\.spl\ = "Soundpad.Soundlist" C:\Users\Admin\AppData\Local\Temp\Soundpad Mohamed m4\Soundpad.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1658372521-4246568289-2509113762-1000_CLASSES\.spl\Content Type = "audio/soundpadlist" C:\Users\Admin\AppData\Local\Temp\Soundpad Mohamed m4\Soundpad.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1658372521-4246568289-2509113762-1000_CLASSES\Soundpad\shell C:\Users\Admin\AppData\Local\Temp\Soundpad Mohamed m4\Soundpad.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1658372521-4246568289-2509113762-1000_CLASSES\Soundpad\shell\open C:\Users\Admin\AppData\Local\Temp\Soundpad Mohamed m4\Soundpad.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\AudioEngine\AudioProcessingObjects\{27384E53-9860-0AC1-9519-C60EBCAA2C71}\MinorVersion = "6" C:\Windows\System32\regsvr32.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\AudioEngine\AudioProcessingObjects\{27384E53-9860-0AC1-9519-C60EBCAA2C71}\MaxInstances = "4294967295" C:\Windows\System32\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\AudioEngine\AudioProcessingObjects\{27384E53-9860-0AC1-9519-C60EBCAA2C71}\APOInterface0 = "{FD7F2B29-24D0-4B5C-B177-592C39F9CA10}" C:\Windows\System32\regsvr32.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1658372521-4246568289-2509113762-1000_CLASSES\Soundpad.Soundlist\DefaultIcon\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Soundpad Mohamed m4\\Soundpad.exe,1" C:\Users\Admin\AppData\Local\Temp\Soundpad Mohamed m4\Soundpad.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1658372521-4246568289-2509113762-1000_CLASSES\.spl C:\Users\Admin\AppData\Local\Temp\Soundpad Mohamed m4\Soundpad.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1658372521-4246568289-2509113762-1000_CLASSES\Soundpad\DefaultIcon C:\Users\Admin\AppData\Local\Temp\Soundpad Mohamed m4\Soundpad.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1658372521-4246568289-2509113762-1000_CLASSES\Soundpad.Soundlist\shell\open C:\Users\Admin\AppData\Local\Temp\Soundpad Mohamed m4\Soundpad.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\AudioEngine\AudioProcessingObjects\{27384E53-9860-0AC1-9519-C60EBCAA2C71}\MaxInputConnections = "1" C:\Windows\System32\regsvr32.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\AudioEngine\AudioProcessingObjects\{27384E53-9860-0AC1-9519-C60EBCAA2C71}\NumAPOInterfaces = "1" C:\Windows\System32\regsvr32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1658372521-4246568289-2509113762-1000_CLASSES\Soundpad\shell\open\command\ C:\Users\Admin\AppData\Local\Temp\Soundpad Mohamed m4\Soundpad.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1658372521-4246568289-2509113762-1000_CLASSES\Soundpad.Soundlist\shell C:\Users\Admin\AppData\Local\Temp\Soundpad Mohamed m4\Soundpad.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\AudioEngine\AudioProcessingObjects\{27384E53-9860-0AC1-9519-C60EBCAA2C71}\FriendlyName = "UniteFx" C:\Windows\System32\regsvr32.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\AudioEngine\AudioProcessingObjects\{27384E53-9860-0AC1-9519-C60EBCAA2C71}\MinOutputConnections = "1" C:\Windows\System32\regsvr32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1658372521-4246568289-2509113762-1000_CLASSES\Soundpad C:\Users\Admin\AppData\Local\Temp\Soundpad Mohamed m4\Soundpad.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\CLSID\{27384E53-9860-0AC1-9519-C60EBCAA2C71}\ C:\Users\Admin\AppData\Local\Temp\Soundpad Mohamed m4\Soundpad.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{27384E53-9860-0AC1-9519-C60EBCAA2C71}\ = "UniteFx Class" C:\Users\Admin\AppData\Local\Temp\Soundpad Mohamed m4\Soundpad.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\AudioEngine\AudioProcessingObjects\{27384E53-9860-0AC1-9519-C60EBCAA2C71} C:\Windows\System32\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\AudioEngine\AudioProcessingObjects\{27384E53-9860-0AC1-9519-C60EBCAA2C71} C:\Windows\System32\regsvr32.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\AudioEngine\AudioProcessingObjects\{27384E53-9860-0AC1-9519-C60EBCAA2C71}\MajorVersion = "1" C:\Windows\System32\regsvr32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1658372521-4246568289-2509113762-1000_CLASSES\Soundpad.Soundlist\shell\open\command\ C:\Users\Admin\AppData\Local\Temp\Soundpad Mohamed m4\Soundpad.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1658372521-4246568289-2509113762-1000_CLASSES\.spl\OpenWithList\ehshell.exe C:\Users\Admin\AppData\Local\Temp\Soundpad Mohamed m4\Soundpad.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\AudioEngine\AudioProcessingObjects\{27384E53-9860-0AC1-9519-C60EBCAA2C71}\MajorVersion = "1" C:\Windows\System32\regsvr32.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\AudioEngine\AudioProcessingObjects\{27384E53-9860-0AC1-9519-C60EBCAA2C71}\MaxOutputConnections = "1" C:\Windows\System32\regsvr32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1658372521-4246568289-2509113762-1000_CLASSES\.spl\OpenWithProgids C:\Users\Admin\AppData\Local\Temp\Soundpad Mohamed m4\Soundpad.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\AudioEngine\AudioProcessingObjects\{27384E53-9860-0AC1-9519-C60EBCAA2C71}\MinInputConnections = "1" C:\Windows\System32\regsvr32.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\AudioEngine\AudioProcessingObjects\{27384E53-9860-0AC1-9519-C60EBCAA2C71}\MinOutputConnections = "1" C:\Windows\System32\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\AudioEngine\AudioProcessingObjects\{27384E53-9860-0AC1-9519-C60EBCAA2C71}\Copyright = "Copyright (C) 2016-2019 Leppsoft" C:\Windows\System32\regsvr32.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\AudioEngine\AudioProcessingObjects\{27384E53-9860-0AC1-9519-C60EBCAA2C71}\MinorVersion = "6" C:\Windows\System32\regsvr32.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1658372521-4246568289-2509113762-1000_CLASSES\.spl\OpenWithList\ehshell.exe\ C:\Users\Admin\AppData\Local\Temp\Soundpad Mohamed m4\Soundpad.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1658372521-4246568289-2509113762-1000_CLASSES\Soundpad\ = "URL:Soundpad Protocol" C:\Users\Admin\AppData\Local\Temp\Soundpad Mohamed m4\Soundpad.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1658372521-4246568289-2509113762-1000_CLASSES\Soundpad\DefaultIcon\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Soundpad Mohamed m4\\Soundpad.exe,0" C:\Users\Admin\AppData\Local\Temp\Soundpad Mohamed m4\Soundpad.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\AudioEngine\AudioProcessingObjects\{27384E53-9860-0AC1-9519-C60EBCAA2C71}\FriendlyName = "UniteFx" C:\Windows\System32\regsvr32.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\AudioEngine\AudioProcessingObjects\{27384E53-9860-0AC1-9519-C60EBCAA2C71}\Flags = "14" C:\Windows\System32\regsvr32.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\AudioEngine\AudioProcessingObjects\{27384E53-9860-0AC1-9519-C60EBCAA2C71}\MaxInstances = "4294967295" C:\Windows\System32\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\AudioEngine\AudioProcessingObjects\{27384E53-9860-0AC1-9519-C60EBCAA2C71}\APOInterface0 = "{FD7F2B29-24D0-4B5C-B177-592C39F9CA10}" C:\Windows\System32\regsvr32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1658372521-4246568289-2509113762-1000_CLASSES\Soundpad.Soundlist\shell\open\command C:\Users\Admin\AppData\Local\Temp\Soundpad Mohamed m4\Soundpad.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1658372521-4246568289-2509113762-1000_CLASSES\Soundpad\shell\open\command\ = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\Soundpad Mohamed m4\\Soundpad.exe\" -c \"%1\"" C:\Users\Admin\AppData\Local\Temp\Soundpad Mohamed m4\Soundpad.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\AudioEngine\AudioProcessingObjects C:\Windows\System32\regsvr32.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\Soundpad Mohamed m4\Soundpad.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeTakeOwnershipPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Soundpad Mohamed m4\Soundpad.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\Soundpad Mohamed m4\Soundpad.exe

"C:\Users\Admin\AppData\Local\Temp\Soundpad Mohamed m4\Soundpad.exe"

C:\Windows\System32\regsvr32.exe

"C:\Windows\System32\regsvr32.exe" /s "C:\Windows\system32\UniteFx.dll"

C:\Windows\System32\regsvr32.exe

"C:\Windows\System32\regsvr32.exe" /s "C:\Windows\system32\UniteFx.dll"

Network

N/A

Files

memory/2856-0-0x000007FEF5490000-0x000007FEF64E0000-memory.dmp

memory/2856-4-0x000007FEBF050000-0x000007FEBF051000-memory.dmp

memory/2856-5-0x000007FEBF040000-0x000007FEBF041000-memory.dmp

C:\Windows\system32\UniteFx.dll

MD5 0ee743073ee6b68f8222be2661d95315
SHA1 2e642772ec19edf73422fe25a8d45db1a006ff85
SHA256 562b17370c7283e92a3353b76ab2aefd301c2e78782fa60ec9ee35676ad44f96
SHA512 c3f2037bd37cef7978187f67f1d0633ee3067b4837e0ad9ae2a5c8efab8ec4ce6a14c1d88e200ffaa8677f74fd5995789297e6a7b5ac18d19dc9d53b4d9170ba