Windows Analysis Report
SoundTune.exe

Overview

General Information

Sample name: SoundTune.exe
Analysis ID: 1425677
MD5: 9fae2084f15f67cc3549bdcdba10e595
SHA1: 372f1fa71e6956647ed4087f063e9601458f926e
SHA256: 1249e422fd97163201b6a38b48f2220a6262133b4302ad2d850669d71e144b06
Tags: exe

Detection

Amadey
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus detection for URL or domain
Antivirus detection for dropped file
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Yara detected Amadey
Yara detected Amadeys stealer DLL
Yara detected UAC Bypass using CMSTP
C2 URLs / IPs found in malware configuration
Found direct / indirect Syscall (likely to bypass EDR)
Found hidden mapped module (file has been removed from disk)
Injects code into the Windows Explorer (explorer.exe)
Machine Learning detection for dropped file
Maps a DLL or memory area into another process
Sample uses string decryption to hide its real strings
Writes to foreign memory regions
Contains functionality to detect virtual machines (STR)
Contains functionality to read the PEB
Creates a process in suspended mode (likely to inject code)
Creates files inside the system directory
Creates job files (autostart)
Detected potential crypto function
Drops PE files
Drops files with a non-matching file extension (content does not match file extension)
Found dropped PE file which has not been started or loaded
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
PE / OLE file has an invalid certificate
PE file contains an invalid checksum
PE file contains sections with non-standard names
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

Name: Amadey
Description: Amadey is a botnet that appeared around October 2018 and is being sold for about $500 on Russian-speaking hacking forums. It periodically sends information about the system and installed AV software to its C2 server and polls to receive orders from it. Its main functionality is that it can load other payloads (called "tasks") for all or specifically targeted computers compromised by the malware.
Attribution: No Attribution
Blogpost URLs:
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.amadey

AV Detection

Source: responsibilitybridge.com/8BvxwQdec3/index.php Avira URL Cloud: Label: phishing
Source: C:\Users\user\AppData\Local\Temp\nmqufdalfa Avira: detection malicious, Label: HEUR/AGEN.1319380
Source: C:\Users\user\AppData\Local\Temp\yxh Avira: detection malicious, Label: HEUR/AGEN.1319380
Source: C:\Users\user\AppData\Local\Temp\hdoumnepq Avira: detection malicious, Label: HEUR/AGEN.1319380
Source: 14.2.cmd.exe.59000c8.7.unpack Malware Configuration Extractor: Amadey {"C2 url": "responsibilitybridge.com/8BvxwQdec3/index.php", "Version": "4.19"}
Source: C:\Users\user\AppData\Local\Temp\hdoumnepq ReversingLabs: Detection: 42%
Source: C:\Users\user\AppData\Local\Temp\hdoumnepq Virustotal: Detection: 57%
Source: C:\Users\user\AppData\Local\Temp\nmqufdalfa ReversingLabs: Detection: 42%
Source: C:\Users\user\AppData\Local\Temp\nmqufdalfa Virustotal: Detection: 57%
Source: C:\Users\user\AppData\Local\Temp\yxh ReversingLabs: Detection: 42%
Source: C:\Users\user\AppData\Local\Temp\yxh Virustotal: Detection: 57%
Source: SoundTune.exe Virustotal: Detection: 22%
Source: C:\Users\user\AppData\Local\Temp\nmqufdalfa Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\yxh Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\hdoumnepq Joe Sandbox ML: detected
Source: 14.2.cmd.exe.59000c8.7.unpack String decryptor: responsibilitybridge.com
Source: 14.2.cmd.exe.59000c8.7.unpack String decryptor: /8BvxwQdec3/index.php
Source: 14.2.cmd.exe.59000c8.7.unpack String decryptor: S-%lu-
Source: 14.2.cmd.exe.59000c8.7.unpack String decryptor: 33a59d2d44
Source: 14.2.cmd.exe.59000c8.7.unpack String decryptor: Dctooux.exe
Source: 14.2.cmd.exe.59000c8.7.unpack String decryptor: SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce
Source: 14.2.cmd.exe.59000c8.7.unpack String decryptor: SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders
Source: 14.2.cmd.exe.59000c8.7.unpack String decryptor: Startup
Source: 14.2.cmd.exe.59000c8.7.unpack String decryptor: cmd /C RMDIR /s/q
Source: 14.2.cmd.exe.59000c8.7.unpack String decryptor: SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Source: 14.2.cmd.exe.59000c8.7.unpack String decryptor: rundll32
Source: 14.2.cmd.exe.59000c8.7.unpack String decryptor: Programs
Source: 14.2.cmd.exe.59000c8.7.unpack String decryptor: SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders
Source: 14.2.cmd.exe.59000c8.7.unpack String decryptor: %USERPROFILE%
Source: 14.2.cmd.exe.59000c8.7.unpack String decryptor: cred.dll|clip.dll|
Source: 14.2.cmd.exe.59000c8.7.unpack String decryptor: http://
Source: 14.2.cmd.exe.59000c8.7.unpack String decryptor: https://
Source: 14.2.cmd.exe.59000c8.7.unpack String decryptor: /Plugins/
Source: 14.2.cmd.exe.59000c8.7.unpack String decryptor: &unit=
Source: 14.2.cmd.exe.59000c8.7.unpack String decryptor: shell32.dll
Source: 14.2.cmd.exe.59000c8.7.unpack String decryptor: kernel32.dll
Source: 14.2.cmd.exe.59000c8.7.unpack String decryptor: GetNativeSystemInfo
Source: 14.2.cmd.exe.59000c8.7.unpack String decryptor: ProgramData\
Source: 14.2.cmd.exe.59000c8.7.unpack String decryptor: AVAST Software
Source: 14.2.cmd.exe.59000c8.7.unpack String decryptor: Kaspersky Lab
Source: 14.2.cmd.exe.59000c8.7.unpack String decryptor: Panda Security
Source: 14.2.cmd.exe.59000c8.7.unpack String decryptor: Doctor Web
Source: 14.2.cmd.exe.59000c8.7.unpack String decryptor: 360TotalSecurity
Source: 14.2.cmd.exe.59000c8.7.unpack String decryptor: Bitdefender
Source: 14.2.cmd.exe.59000c8.7.unpack String decryptor: Norton
Source: 14.2.cmd.exe.59000c8.7.unpack String decryptor: Sophos
Source: 14.2.cmd.exe.59000c8.7.unpack String decryptor: Comodo
Source: 14.2.cmd.exe.59000c8.7.unpack String decryptor: WinDefender
Source: 14.2.cmd.exe.59000c8.7.unpack String decryptor: 0123456789
Source: 14.2.cmd.exe.59000c8.7.unpack String decryptor: Content-Type: multipart/form-data; boundary=----
Source: 14.2.cmd.exe.59000c8.7.unpack String decryptor: ------
Source: 14.2.cmd.exe.59000c8.7.unpack String decryptor: ?scr=1
Source: 14.2.cmd.exe.59000c8.7.unpack String decryptor: Content-Type: application/x-www-form-urlencoded
Source: 14.2.cmd.exe.59000c8.7.unpack String decryptor: SYSTEM\CurrentControlSet\Control\ComputerName\ComputerName
Source: 14.2.cmd.exe.59000c8.7.unpack String decryptor: ComputerName
Source: 14.2.cmd.exe.59000c8.7.unpack String decryptor: abcdefghijklmnopqrstuvwxyz0123456789-_
Source: 14.2.cmd.exe.59000c8.7.unpack String decryptor: -unicode-
Source: 14.2.cmd.exe.59000c8.7.unpack String decryptor: SYSTEM\CurrentControlSet\Control\UnitedVideo\CONTROL\VIDEO\
Source: 14.2.cmd.exe.59000c8.7.unpack String decryptor: SYSTEM\ControlSet001\Services\BasicDisplay\Video
Source: 14.2.cmd.exe.59000c8.7.unpack String decryptor: VideoID
Source: 14.2.cmd.exe.59000c8.7.unpack String decryptor: DefaultSettings.XResolution
Source: 14.2.cmd.exe.59000c8.7.unpack String decryptor: DefaultSettings.YResolution
Source: 14.2.cmd.exe.59000c8.7.unpack String decryptor: SOFTWARE\Microsoft\Windows NT\CurrentVersion
Source: 14.2.cmd.exe.59000c8.7.unpack String decryptor: ProductName
Source: 14.2.cmd.exe.59000c8.7.unpack String decryptor: CurrentBuild
Source: 14.2.cmd.exe.59000c8.7.unpack String decryptor: rundll32.exe
Source: 14.2.cmd.exe.59000c8.7.unpack String decryptor: "taskkill /f /im "
Source: 14.2.cmd.exe.59000c8.7.unpack String decryptor: " && timeout 1 && del
Source: 14.2.cmd.exe.59000c8.7.unpack String decryptor: && Exit"
Source: 14.2.cmd.exe.59000c8.7.unpack String decryptor: " && ren
Source: 14.2.cmd.exe.59000c8.7.unpack String decryptor: Powershell.exe
Source: 14.2.cmd.exe.59000c8.7.unpack String decryptor: -executionpolicy remotesigned -File "
Source: 14.2.cmd.exe.59000c8.7.unpack String decryptor: shutdown -s -t 0
Source: 14.2.cmd.exe.59000c8.7.unpack String decryptor: random
Source: 14.2.cmd.exe.59000c8.7.unpack String decryptor: 64q}cZ

Exploits

Source: Yara match File source: 5.2.SoundTune.exe.278ae41be5f.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.2.SoundTune.exe.2a37f9e925f.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 14.2.cmd.exe.532b378.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 16.2.explorer.exe.47f3f78.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 18.2.explorer.exe.4ca8a8a.5.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.SoundTune.exe.22584b96971.5.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 16.2.explorer.exe.47afa8a.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 17.2.explorer.exe.491fa8a.5.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.SoundTune.exe.22584bdae5f.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.cmd.exe.4ae3378.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.SoundTune.exe.278ae41b25f.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.2.SoundTune.exe.2a37f9e9e5f.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 14.2.cmd.exe.532bf78.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.cmd.exe.5465378.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.cmd.exe.5465f78.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 17.2.explorer.exe.4963378.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 18.2.explorer.exe.4cec378.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 13.2.SoundTune.exe.25b71315e5f.5.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.SoundTune.exe.22584bda25f.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.cmd.exe.4a9fa8a.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.cmd.exe.4ae3f78.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.cmd.exe.5421a8a.5.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 16.2.explorer.exe.47f3378.5.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 13.2.SoundTune.exe.25b7131525f.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 18.2.explorer.exe.4cecf78.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 17.2.explorer.exe.4963f78.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.2.SoundTune.exe.2a37f9a5971.5.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 13.2.SoundTune.exe.25b712d1971.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.SoundTune.exe.278ae3d7971.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 14.2.cmd.exe.52e7a8a.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000007.00000002.2413913656.000000000541B000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.2330278372.0000000004A99000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000010.00000002.2330168207.00000000047A9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000E.00000002.2478639571.00000000052E1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.2243163643.00000278AB600000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000D.00000002.2254650455.0000025B712CB000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000012.00000002.2478523985.0000000004CA2000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.2053261362.0000022584B90000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000011.00000002.2414793420.0000000004919000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.2244717993.00000278AE3D1000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000002.2201257984.000002A37F99F000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: SoundTune.exe PID: 4404, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: cmd.exe PID: 3252, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: SoundTune.exe PID: 6360, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: SoundTune.exe PID: 2448, type: MEMORYSTR
Source: SoundTune.exe Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Source: Binary string: D:\a\treesheets\treesheets\TS\TreeSheets.pdbP source: SoundTune.exe, 00000000.00000002.2052148275.0000022583B6A000.00000004.00000020.00020000.00000000.sdmp, SoundTune.exe, 00000000.00000002.2054568199.00007FF77A8E9000.00000002.00000001.01000000.00000003.sdmp, SoundTune.exe, 00000000.00000000.2036588675.00007FF77A8E9000.00000002.00000001.01000000.00000003.sdmp, SoundTune.exe, 00000005.00000002.2243607521.00000278AD563000.00000004.00000020.00020000.00000000.sdmp, SoundTune.exe, 00000005.00000000.2166738092.00007FF6FE3D9000.00000002.00000001.01000000.0000000A.sdmp, SoundTune.exe, 00000005.00000002.2246810793.00007FF6FE3D9000.00000002.00000001.01000000.0000000A.sdmp, SoundTune.exe, 00000006.00000002.2202817464.00007FF6FE3D9000.00000002.00000001.01000000.0000000A.sdmp, SoundTune.exe, 00000006.00000000.2168813639.00007FF6FE3D9000.00000002.00000001.01000000.0000000A.sdmp, SoundTune.exe, 00000006.00000002.2200022527.000002A37E98C000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: ntdll.pdb source: SoundTune.exe, 00000000.00000002.2053080712.00000225847BD000.00000004.00000020.00020000.00000000.sdmp, SoundTune.exe, 00000000.00000002.2053813920.00000225854C7000.00000004.00000001.00020000.00000000.sdmp, SoundTune.exe, 00000000.00000002.2053553749.00000225852C0000.00000004.00000800.00020000.00000000.sdmp, SoundTune.exe, 00000005.00000002.2245550366.00000278AE900000.00000004.00000800.00020000.00000000.sdmp, SoundTune.exe, 00000005.00000002.2243362804.00000278AB904000.00000004.00000020.00020000.00000000.sdmp, SoundTune.exe, 00000005.00000002.2245920757.00000278AEB03000.00000004.00000001.00020000.00000000.sdmp, SoundTune.exe, 00000006.00000002.2200873633.000002A37F5C2000.00000004.00000020.00020000.00000000.sdmp, SoundTune.exe, 00000006.00000002.2199453732.000002A30040E000.00000004.00000001.00020000.00000000.sdmp, SoundTune.exe, 00000006.00000002.2199258711.000002A300200000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: wntdll.pdbUGP source: cmd.exe, 00000002.00000002.2330127502.00000000046F5000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000002.00000002.2330397398.0000000004B70000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: ntdll.pdbUGP source: SoundTune.exe, 00000000.00000002.2053080712.00000225847BD000.00000004.00000020.00020000.00000000.sdmp, SoundTune.exe, 00000000.00000002.2053813920.00000225854C7000.00000004.00000001.00020000.00000000.sdmp, SoundTune.exe, 00000000.00000002.2053553749.00000225852C0000.00000004.00000800.00020000.00000000.sdmp, SoundTune.exe, 00000005.00000002.2245550366.00000278AE900000.00000004.00000800.00020000.00000000.sdmp, SoundTune.exe, 00000005.00000002.2243362804.00000278AB904000.00000004.00000020.00020000.00000000.sdmp, SoundTune.exe, 00000005.00000002.2245920757.00000278AEB03000.00000004.00000001.00020000.00000000.sdmp, SoundTune.exe, 00000006.00000002.2200873633.000002A37F5C2000.00000004.00000020.00020000.00000000.sdmp, SoundTune.exe, 00000006.00000002.2199453732.000002A30040E000.00000004.00000001.00020000.00000000.sdmp, SoundTune.exe, 00000006.00000002.2199258711.000002A300200000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: wntdll.pdb source: cmd.exe, 00000002.00000002.2330127502.00000000046F5000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000002.00000002.2330397398.0000000004B70000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: D:\a\treesheets\treesheets\TS\TreeSheets.pdb source: SoundTune.exe, 00000000.00000002.2052148275.0000022583B6A000.00000004.00000020.00020000.00000000.sdmp, SoundTune.exe, 00000000.00000002.2054568199.00007FF77A8E9000.00000002.00000001.01000000.00000003.sdmp, SoundTune.exe, 00000000.00000000.2036588675.00007FF77A8E9000.00000002.00000001.01000000.00000003.sdmp, SoundTune.exe, 00000005.00000002.2243607521.00000278AD563000.00000004.00000020.00020000.00000000.sdmp, SoundTune.exe, 00000005.00000000.2166738092.00007FF6FE3D9000.00000002.00000001.01000000.0000000A.sdmp, SoundTune.exe, 00000005.00000002.2246810793.00007FF6FE3D9000.00000002.00000001.01000000.0000000A.sdmp, SoundTune.exe, 00000006.00000002.2202817464.00007FF6FE3D9000.00000002.00000001.01000000.0000000A.sdmp, SoundTune.exe, 00000006.00000000.2168813639.00007FF6FE3D9000.00000002.00000001.01000000.0000000A.sdmp, SoundTune.exe, 00000006.00000002.2200022527.000002A37E98C000.00000004.00000020.00020000.00000000.sdmp

Networking

Source: Malware configuration extractor URLs: responsibilitybridge.com/8BvxwQdec3/index.php
Source: SoundTune.exe, 00000000.00000002.2053261362.0000022584B90000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000002.00000002.2330278372.0000000004A99000.00000004.00000800.00020000.00000000.sdmp, SoundTune.exe, 00000005.00000002.2244717993.00000278AE3D1000.00000004.00000020.00020000.00000000.sdmp, SoundTune.exe, 00000006.00000002.2201257984.000002A37F99F000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDCA-1.crt0
Source: SoundTune.exe, 00000000.00000002.2053261362.0000022584B90000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000002.00000002.2330278372.0000000004A99000.00000004.00000800.00020000.00000000.sdmp, SoundTune.exe, 00000005.00000002.2244717993.00000278AE3D1000.00000004.00000020.00020000.00000000.sdmp, SoundTune.exe, 00000006.00000002.2201257984.000002A37F99F000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDCodeSigningCA-1.crt0
Source: SoundTune.exe, 00000000.00000002.2053261362.0000022584B90000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000002.00000002.2330278372.0000000004A99000.00000004.00000800.00020000.00000000.sdmp, SoundTune.exe, 00000005.00000002.2244717993.00000278AE3D1000.00000004.00000020.00020000.00000000.sdmp, SoundTune.exe, 00000006.00000002.2201257984.000002A37F99F000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0
Source: SoundTune.exe, 00000000.00000002.2052148275.0000022583B6A000.00000004.00000020.00020000.00000000.sdmp, SoundTune.exe, 00000005.00000002.2243607521.00000278AD563000.00000004.00000020.00020000.00000000.sdmp, SoundTune.exe, 00000006.00000002.2200022527.000002A37E98C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0E
Source: SoundTune.exe, 00000000.00000002.2053261362.0000022584B90000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000002.00000002.2330278372.0000000004A99000.00000004.00000800.00020000.00000000.sdmp, SoundTune.exe, 00000005.00000002.2244717993.00000278AE3D1000.00000004.00000020.00020000.00000000.sdmp, SoundTune.exe, 00000006.00000002.2201257984.000002A37F99F000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2AssuredIDTimestampingCA.crt0
Source: SoundTune.exe, 00000000.00000002.2052148275.0000022583B6A000.00000004.00000020.00020000.00000000.sdmp, SoundTune.exe, 00000005.00000002.2243607521.00000278AD563000.00000004.00000020.00020000.00000000.sdmp, SoundTune.exe, 00000006.00000002.2200022527.000002A37E98C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crt0
Source: SoundTune.exe, 00000000.00000002.2052148275.0000022583B6A000.00000004.00000020.00020000.00000000.sdmp, SoundTune.exe, 00000005.00000002.2243607521.00000278AD563000.00000004.00000020.00020000.00000000.sdmp, SoundTune.exe, 00000006.00000002.2200022527.000002A37E98C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crt0
Source: SoundTune.exe, 00000000.00000002.2052148275.0000022583B6A000.00000004.00000020.00020000.00000000.sdmp, SoundTune.exe, 00000005.00000002.2243607521.00000278AD563000.00000004.00000020.00020000.00000000.sdmp, SoundTune.exe, 00000006.00000002.2200022527.000002A37E98C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedRootG4.crt0C
Source: SoundTune.exe, 00000000.00000002.2053261362.0000022584B90000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000002.00000002.2330278372.0000000004A99000.00000004.00000800.00020000.00000000.sdmp, SoundTune.exe, 00000005.00000002.2244717993.00000278AE3D1000.00000004.00000020.00020000.00000000.sdmp, SoundTune.exe, 00000006.00000002.2201257984.000002A37F99F000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDCA-1.crl08
Source: SoundTune.exe, 00000000.00000002.2052148275.0000022583B6A000.00000004.00000020.00020000.00000000.sdmp, SoundTune.exe, 00000005.00000002.2243607521.00000278AD563000.00000004.00000020.00020000.00000000.sdmp, SoundTune.exe, 00000006.00000002.2200022527.000002A37E98C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0
Source: SoundTune.exe, 00000000.00000002.2053261362.0000022584B90000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000002.00000002.2330278372.0000000004A99000.00000004.00000800.00020000.00000000.sdmp, SoundTune.exe, 00000005.00000002.2244717993.00000278AE3D1000.00000004.00000020.00020000.00000000.sdmp, SoundTune.exe, 00000006.00000002.2201257984.000002A37F99F000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0:
Source: SoundTune.exe, 00000000.00000002.2053261362.0000022584B90000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000002.00000002.2330278372.0000000004A99000.00000004.00000800.00020000.00000000.sdmp, SoundTune.exe, 00000005.00000002.2244717993.00000278AE3D1000.00000004.00000020.00020000.00000000.sdmp, SoundTune.exe, 00000006.00000002.2201257984.000002A37F99F000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0P
Source: SoundTune.exe, 00000000.00000002.2052148275.0000022583B6A000.00000004.00000020.00020000.00000000.sdmp, SoundTune.exe, 00000005.00000002.2243607521.00000278AD563000.00000004.00000020.00020000.00000000.sdmp, SoundTune.exe, 00000006.00000002.2200022527.000002A37E98C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0S
Source: SoundTune.exe, 00000000.00000002.2052148275.0000022583B6A000.00000004.00000020.00020000.00000000.sdmp, SoundTune.exe, 00000005.00000002.2243607521.00000278AD563000.00000004.00000020.00020000.00000000.sdmp, SoundTune.exe, 00000006.00000002.2200022527.000002A37E98C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crl0
Source: SoundTune.exe, 00000006.00000002.2200022527.000002A37E98C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedRootG4.crl0
Source: SoundTune.exe, 00000000.00000002.2053261362.0000022584B90000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000002.00000002.2330278372.0000000004A99000.00000004.00000800.00020000.00000000.sdmp, SoundTune.exe, 00000005.00000002.2244717993.00000278AE3D1000.00000004.00000020.00020000.00000000.sdmp, SoundTune.exe, 00000006.00000002.2201257984.000002A37F99F000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl3.digicert.com/assured-cs-g1.crl00
Source: SoundTune.exe, 00000000.00000002.2053261362.0000022584B90000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000002.00000002.2330278372.0000000004A99000.00000004.00000800.00020000.00000000.sdmp, SoundTune.exe, 00000005.00000002.2244717993.00000278AE3D1000.00000004.00000020.00020000.00000000.sdmp, SoundTune.exe, 00000006.00000002.2201257984.000002A37F99F000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl3.digicert.com/sha2-assured-ts.crl02
Source: SoundTune.exe, 00000000.00000002.2053261362.0000022584B90000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000002.00000002.2330278372.0000000004A99000.00000004.00000800.00020000.00000000.sdmp, SoundTune.exe, 00000005.00000002.2244717993.00000278AE3D1000.00000004.00000020.00020000.00000000.sdmp, SoundTune.exe, 00000006.00000002.2201257984.000002A37F99F000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl4.digicert.com/DigiCertAssuredIDCA-1.crl0w
Source: SoundTune.exe, 00000000.00000002.2053261362.0000022584B90000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000002.00000002.2330278372.0000000004A99000.00000004.00000800.00020000.00000000.sdmp, SoundTune.exe, 00000005.00000002.2244717993.00000278AE3D1000.00000004.00000020.00020000.00000000.sdmp, SoundTune.exe, 00000006.00000002.2201257984.000002A37F99F000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl4.digicert.com/DigiCertAssuredIDRootCA.crl0
Source: SoundTune.exe, 00000000.00000002.2053261362.0000022584B90000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000002.00000002.2330278372.0000000004A99000.00000004.00000800.00020000.00000000.sdmp, SoundTune.exe, 00000005.00000002.2244717993.00000278AE3D1000.00000004.00000020.00020000.00000000.sdmp, SoundTune.exe, 00000006.00000002.2201257984.000002A37F99F000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl4.digicert.com/DigiCertAssuredIDRootCA.crl0:
Source: SoundTune.exe, 00000000.00000002.2052148275.0000022583B6A000.00000004.00000020.00020000.00000000.sdmp, SoundTune.exe, 00000005.00000002.2243607521.00000278AD563000.00000004.00000020.00020000.00000000.sdmp, SoundTune.exe, 00000006.00000002.2200022527.000002A37E98C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl4.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0=
Source: SoundTune.exe, 00000000.00000002.2053261362.0000022584B90000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000002.00000002.2330278372.0000000004A99000.00000004.00000800.00020000.00000000.sdmp, SoundTune.exe, 00000005.00000002.2244717993.00000278AE3D1000.00000004.00000020.00020000.00000000.sdmp, SoundTune.exe, 00000006.00000002.2201257984.000002A37F99F000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl4.digicert.com/assured-cs-g1.crl0L
Source: SoundTune.exe, 00000000.00000002.2053261362.0000022584B90000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000002.00000002.2330278372.0000000004A99000.00000004.00000800.00020000.00000000.sdmp, SoundTune.exe, 00000005.00000002.2244717993.00000278AE3D1000.00000004.00000020.00020000.00000000.sdmp, SoundTune.exe, 00000006.00000002.2201257984.000002A37F99F000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl4.digicert.com/sha2-assured-ts.crl0
Source: SoundTune.exe, 00000000.00000002.2052148275.0000022583B6A000.00000004.00000020.00020000.00000000.sdmp, SoundTune.exe, 00000005.00000002.2243607521.00000278AD563000.00000004.00000020.00020000.00000000.sdmp, SoundTune.exe, 00000006.00000002.2200022527.000002A37E98C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://ocsp.digicert.com0
Source: SoundTune.exe, 00000000.00000002.2052148275.0000022583B6A000.00000004.00000020.00020000.00000000.sdmp, SoundTune.exe, 00000000.00000002.2053261362.0000022584B90000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000002.00000002.2330278372.0000000004A99000.00000004.00000800.00020000.00000000.sdmp, SoundTune.exe, 00000005.00000002.2243607521.00000278AD563000.00000004.00000020.00020000.00000000.sdmp, SoundTune.exe, 00000005.00000002.2244717993.00000278AE3D1000.00000004.00000020.00020000.00000000.sdmp, SoundTune.exe, 00000006.00000002.2200022527.000002A37E98C000.00000004.00000020.00020000.00000000.sdmp, SoundTune.exe, 00000006.00000002.2201257984.000002A37F99F000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://ocsp.digicert.com0A
Source: SoundTune.exe, 00000000.00000002.2052148275.0000022583B6A000.00000004.00000020.00020000.00000000.sdmp, SoundTune.exe, 00000000.00000002.2053261362.0000022584B90000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000002.00000002.2330278372.0000000004A99000.00000004.00000800.00020000.00000000.sdmp, SoundTune.exe, 00000005.00000002.2243607521.00000278AD563000.00000004.00000020.00020000.00000000.sdmp, SoundTune.exe, 00000005.00000002.2244717993.00000278AE3D1000.00000004.00000020.00020000.00000000.sdmp, SoundTune.exe, 00000006.00000002.2200022527.000002A37E98C000.00000004.00000020.00020000.00000000.sdmp, SoundTune.exe, 00000006.00000002.2201257984.000002A37F99F000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://ocsp.digicert.com0C
Source: SoundTune.exe, 00000000.00000002.2053261362.0000022584B90000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000002.00000002.2330278372.0000000004A99000.00000004.00000800.00020000.00000000.sdmp, SoundTune.exe, 00000005.00000002.2244717993.00000278AE3D1000.00000004.00000020.00020000.00000000.sdmp, SoundTune.exe, 00000006.00000002.2201257984.000002A37F99F000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://ocsp.digicert.com0L
Source: SoundTune.exe, 00000000.00000002.2053261362.0000022584B90000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000002.00000002.2330278372.0000000004A99000.00000004.00000800.00020000.00000000.sdmp, SoundTune.exe, 00000005.00000002.2244717993.00000278AE3D1000.00000004.00000020.00020000.00000000.sdmp, SoundTune.exe, 00000006.00000002.2201257984.000002A37F99F000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://ocsp.digicert.com0O
Source: SoundTune.exe, 00000000.00000002.2052148275.0000022583B6A000.00000004.00000020.00020000.00000000.sdmp, SoundTune.exe, 00000005.00000002.2243607521.00000278AD563000.00000004.00000020.00020000.00000000.sdmp, SoundTune.exe, 00000006.00000002.2200022527.000002A37E98C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://ocsp.digicert.com0X
Source: SoundTune.exe, 00000000.00000002.2053261362.0000022584B90000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000002.00000002.2330278372.0000000004A99000.00000004.00000800.00020000.00000000.sdmp, SoundTune.exe, 00000005.00000002.2244717993.00000278AE3D1000.00000004.00000020.00020000.00000000.sdmp, SoundTune.exe, 00000006.00000002.2201257984.000002A37F99F000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://s1.symcb.com/pca3-g5.crl0
Source: SoundTune.exe, 00000000.00000002.2053261362.0000022584B90000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000002.00000002.2330278372.0000000004A99000.00000004.00000800.00020000.00000000.sdmp, SoundTune.exe, 00000005.00000002.2244717993.00000278AE3D1000.00000004.00000020.00020000.00000000.sdmp, SoundTune.exe, 00000006.00000002.2201257984.000002A37F99F000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://s2.symcb.com0
Source: SoundTune.exe, 00000000.00000002.2053261362.0000022584B90000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000002.00000002.2330278372.0000000004A99000.00000004.00000800.00020000.00000000.sdmp, SoundTune.exe, 00000005.00000002.2244717993.00000278AE3D1000.00000004.00000020.00020000.00000000.sdmp, SoundTune.exe, 00000006.00000002.2201257984.000002A37F99F000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://sv.symcb.com/sv.crl0a
Source: SoundTune.exe, 00000000.00000002.2053261362.0000022584B90000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000002.00000002.2330278372.0000000004A99000.00000004.00000800.00020000.00000000.sdmp, SoundTune.exe, 00000005.00000002.2244717993.00000278AE3D1000.00000004.00000020.00020000.00000000.sdmp, SoundTune.exe, 00000006.00000002.2201257984.000002A37F99F000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://sv.symcb.com/sv.crt0
Source: SoundTune.exe, 00000000.00000002.2053261362.0000022584B90000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000002.00000002.2330278372.0000000004A99000.00000004.00000800.00020000.00000000.sdmp, SoundTune.exe, 00000005.00000002.2244717993.00000278AE3D1000.00000004.00000020.00020000.00000000.sdmp, SoundTune.exe, 00000006.00000002.2201257984.000002A37F99F000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://sv.symcd.com0&
Source: SoundTune.exe, 00000000.00000002.2052148275.0000022583B6A000.00000004.00000020.00020000.00000000.sdmp, SoundTune.exe, 00000005.00000002.2243607521.00000278AD563000.00000004.00000020.00020000.00000000.sdmp, SoundTune.exe, 00000006.00000002.2200022527.000002A37E98C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.digicert.com/CPS0
Source: SoundTune.exe, 00000000.00000002.2053261362.0000022584B90000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000002.00000002.2330278372.0000000004A99000.00000004.00000800.00020000.00000000.sdmp, SoundTune.exe, 00000005.00000002.2244717993.00000278AE3D1000.00000004.00000020.00020000.00000000.sdmp, SoundTune.exe, 00000006.00000002.2201257984.000002A37F99F000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.digicert.com/ssl-cps-repository.htm0
Source: SoundTune.exe, 00000000.00000002.2053261362.0000022584A36000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000002.00000002.2330278372.0000000004A50000.00000004.00000800.00020000.00000000.sdmp, SoundTune.exe, 00000005.00000002.2244717993.00000278AE277000.00000004.00000020.00020000.00000000.sdmp, SoundTune.exe, 00000006.00000002.2201257984.000002A37F845000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.info-zip.org/
Source: SoundTune.exe, 00000000.00000002.2053261362.0000022584B90000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000002.00000002.2330278372.0000000004A99000.00000004.00000800.00020000.00000000.sdmp, SoundTune.exe, 00000005.00000002.2244717993.00000278AE3D1000.00000004.00000020.00020000.00000000.sdmp, SoundTune.exe, 00000006.00000002.2201257984.000002A37F99F000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.symauth.com/cps0(
Source: SoundTune.exe, 00000000.00000002.2053261362.0000022584B90000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000002.00000002.2330278372.0000000004A99000.00000004.00000800.00020000.00000000.sdmp, SoundTune.exe, 00000005.00000002.2244717993.00000278AE3D1000.00000004.00000020.00020000.00000000.sdmp, SoundTune.exe, 00000006.00000002.2201257984.000002A37F99F000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.symauth.com/rpa00
Source: SoundTune.exe, 00000000.00000002.2053261362.0000022584B90000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000002.00000002.2330278372.0000000004A99000.00000004.00000800.00020000.00000000.sdmp, SoundTune.exe, 00000005.00000002.2244717993.00000278AE3D1000.00000004.00000020.00020000.00000000.sdmp, SoundTune.exe, 00000006.00000002.2201257984.000002A37F99F000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.vmware.com/0
Source: SoundTune.exe, 00000000.00000002.2053261362.0000022584B90000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000002.00000002.2330278372.0000000004A99000.00000004.00000800.00020000.00000000.sdmp, SoundTune.exe, 00000005.00000002.2244717993.00000278AE3D1000.00000004.00000020.00020000.00000000.sdmp, SoundTune.exe, 00000006.00000002.2201257984.000002A37F99F000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.vmware.com/0/
Source: SoundTune.exe, 00000000.00000002.2052148275.0000022583B6A000.00000004.00000020.00020000.00000000.sdmp, SoundTune.exe, 00000005.00000002.2243607521.00000278AD563000.00000004.00000020.00020000.00000000.sdmp, SoundTune.exe, 00000006.00000002.2200022527.000002A37E98C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://bitsum.com0/
Source: SoundTune.exe, 00000000.00000002.2053261362.0000022584B90000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000002.00000002.2330278372.0000000004A99000.00000004.00000800.00020000.00000000.sdmp, SoundTune.exe, 00000005.00000002.2244717993.00000278AE3D1000.00000004.00000020.00020000.00000000.sdmp, SoundTune.exe, 00000006.00000002.2201257984.000002A37F99F000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://d.symcb.com/cps0%
Source: SoundTune.exe, 00000000.00000002.2053261362.0000022584B90000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000002.00000002.2330278372.0000000004A99000.00000004.00000800.00020000.00000000.sdmp, SoundTune.exe, 00000005.00000002.2244717993.00000278AE3D1000.00000004.00000020.00020000.00000000.sdmp, SoundTune.exe, 00000006.00000002.2201257984.000002A37F99F000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://d.symcb.com/rpa0
Source: SoundTune.exe, 00000000.00000002.2052148275.0000022583B6A000.00000004.00000020.00020000.00000000.sdmp, SoundTune.exe, 00000000.00000002.2054568199.00007FF77A8E9000.00000002.00000001.01000000.00000003.sdmp, SoundTune.exe, 00000000.00000000.2036588675.00007FF77A8E9000.00000002.00000001.01000000.00000003.sdmp, SoundTune.exe, 00000005.00000002.2243607521.00000278AD563000.00000004.00000020.00020000.00000000.sdmp, SoundTune.exe, 00000005.00000000.2166738092.00007FF6FE3D9000.00000002.00000001.01000000.0000000A.sdmp, SoundTune.exe, 00000005.00000002.2246810793.00007FF6FE3D9000.00000002.00000001.01000000.0000000A.sdmp, SoundTune.exe, 00000006.00000002.2202817464.00007FF6FE3D9000.00000002.00000001.01000000.0000000A.sdmp, SoundTune.exe, 00000006.00000000.2168813639.00007FF6FE3D9000.00000002.00000001.01000000.0000000A.sdmp, SoundTune.exe, 00000006.00000002.2200022527.000002A37E98C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://docs.wxwidgets.org/latest/classwx_system_options.html
Source: SoundTune.exe, 00000000.00000002.2052148275.0000022583B6A000.00000004.00000020.00020000.00000000.sdmp, SoundTune.exe, 00000000.00000002.2054568199.00007FF77A8E9000.00000002.00000001.01000000.00000003.sdmp, SoundTune.exe, 00000000.00000000.2036588675.00007FF77A8E9000.00000002.00000001.01000000.00000003.sdmp, SoundTune.exe, 00000005.00000002.2243607521.00000278AD563000.00000004.00000020.00020000.00000000.sdmp, SoundTune.exe, 00000005.00000000.2166738092.00007FF6FE3D9000.00000002.00000001.01000000.0000000A.sdmp, SoundTune.exe, 00000005.00000002.2246810793.00007FF6FE3D9000.00000002.00000001.01000000.0000000A.sdmp, SoundTune.exe, 00000006.00000002.2202817464.00007FF6FE3D9000.00000002.00000001.01000000.0000000A.sdmp, SoundTune.exe, 00000006.00000000.2168813639.00007FF6FE3D9000.00000002.00000001.01000000.0000000A.sdmp, SoundTune.exe, 00000006.00000002.2200022527.000002A37E98C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://docs.wxwidgets.org/latest/plat_msw_install.html#msw_manifest
Source: SoundTune.exe, 00000000.00000002.2053261362.0000022584B90000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000002.00000002.2330278372.0000000004A99000.00000004.00000800.00020000.00000000.sdmp, SoundTune.exe, 00000005.00000002.2244717993.00000278AE3D1000.00000004.00000020.00020000.00000000.sdmp, SoundTune.exe, 00000006.00000002.2201257984.000002A37F99F000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.digicert.com/CPS0

System Summary

Source: 5.2.SoundTune.exe.278ae41be5f.1.raw.unpack, type: UNPACKEDPE Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 6.2.SoundTune.exe.2a37f9e925f.3.raw.unpack, type: UNPACKEDPE Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 14.2.cmd.exe.532b378.3.raw.unpack, type: UNPACKEDPE Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 16.2.explorer.exe.47f3f78.3.raw.unpack, type: UNPACKEDPE Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 18.2.explorer.exe.4ca8a8a.5.raw.unpack, type: UNPACKEDPE Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 0.2.SoundTune.exe.22584b96971.5.raw.unpack, type: UNPACKEDPE Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 16.2.explorer.exe.47afa8a.2.raw.unpack, type: UNPACKEDPE Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 17.2.explorer.exe.491fa8a.5.raw.unpack, type: UNPACKEDPE Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 0.2.SoundTune.exe.22584bdae5f.2.raw.unpack, type: UNPACKEDPE Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 2.2.cmd.exe.4ae3378.3.raw.unpack, type: UNPACKEDPE Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 5.2.SoundTune.exe.278ae41b25f.3.raw.unpack, type: UNPACKEDPE Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 6.2.SoundTune.exe.2a37f9e9e5f.4.raw.unpack, type: UNPACKEDPE Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 14.2.cmd.exe.532bf78.4.raw.unpack, type: UNPACKEDPE Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 7.2.cmd.exe.5465378.2.raw.unpack, type: UNPACKEDPE Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 7.2.cmd.exe.5465f78.4.raw.unpack, type: UNPACKEDPE Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 17.2.explorer.exe.4963378.4.raw.unpack, type: UNPACKEDPE Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 18.2.explorer.exe.4cec378.3.raw.unpack, type: UNPACKEDPE Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 13.2.SoundTune.exe.25b71315e5f.5.raw.unpack, type: UNPACKEDPE Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 0.2.SoundTune.exe.22584bda25f.3.raw.unpack, type: UNPACKEDPE Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 2.2.cmd.exe.4a9fa8a.4.raw.unpack, type: UNPACKEDPE Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 2.2.cmd.exe.4ae3f78.2.raw.unpack, type: UNPACKEDPE Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 7.2.cmd.exe.5421a8a.5.raw.unpack, type: UNPACKEDPE Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 16.2.explorer.exe.47f3378.5.raw.unpack, type: UNPACKEDPE Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 13.2.SoundTune.exe.25b7131525f.4.raw.unpack, type: UNPACKEDPE Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 18.2.explorer.exe.4cecf78.2.raw.unpack, type: UNPACKEDPE Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 17.2.explorer.exe.4963f78.2.raw.unpack, type: UNPACKEDPE Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 6.2.SoundTune.exe.2a37f9a5971.5.raw.unpack, type: UNPACKEDPE Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 13.2.SoundTune.exe.25b712d1971.3.raw.unpack, type: UNPACKEDPE Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 5.2.SoundTune.exe.278ae3d7971.2.raw.unpack, type: UNPACKEDPE Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 14.2.cmd.exe.52e7a8a.2.raw.unpack, type: UNPACKEDPE Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: C:\Windows\SysWOW64\cmd.exe File created: C:\Windows\Tasks\uiQuick.job
Source: C:\Users\user\AppData\Roaming\updatefa\SoundTune.exe Code function: 5_2_00000278A82EA7D0 5_2_00000278A82EA7D0
Source: C:\Users\user\AppData\Roaming\updatefa\SoundTune.exe Code function: 5_2_00000278A82EC9D0 5_2_00000278A82EC9D0
Source: C:\Users\user\AppData\Roaming\updatefa\SoundTune.exe Code function: 5_2_00000278A83000B8 5_2_00000278A83000B8
Source: C:\Users\user\AppData\Roaming\updatefa\SoundTune.exe Code function: 5_2_00000278A82E96D0 5_2_00000278A82E96D0
Source: C:\Users\user\AppData\Roaming\updatefa\SoundTune.exe Code function: 5_2_00000278A82EB8D0 5_2_00000278A82EB8D0
Source: C:\Users\user\AppData\Roaming\updatefa\SoundTune.exe Code function: 5_2_00000278A82EDAD0 5_2_00000278A82EDAD0
Source: C:\Users\user\AppData\Roaming\updatefa\SoundTune.exe Code function: 5_2_00000278AB618700 5_2_00000278AB618700
Source: C:\Users\user\AppData\Roaming\updatefa\SoundTune.exe Code function: 5_2_00000278AB618BB0 5_2_00000278AB618BB0
Source: C:\Users\user\AppData\Roaming\updatefa\SoundTune.exe Code function: 5_2_00000278AE402D9A 5_2_00000278AE402D9A
Source: C:\Users\user\AppData\Roaming\updatefa\SoundTune.exe Code function: 5_2_00000278AE3DA25F 5_2_00000278AE3DA25F
Source: C:\Users\user\AppData\Roaming\updatefa\SoundTune.exe Code function: 5_2_00000278AE400F2A 5_2_00000278AE400F2A
Source: C:\Users\user\AppData\Roaming\updatefa\SoundTune.exe Code function: 5_2_00000278AE40137A 5_2_00000278AE40137A
Source: C:\Users\user\AppData\Roaming\updatefa\SoundTune.exe Code function: 5_2_00000278AE3DC89D 5_2_00000278AE3DC89D
Source: C:\Users\user\AppData\Roaming\updatefa\SoundTune.exe Code function: 6_2_000002A37CD1FFBC 6_2_000002A37CD1FFBC
Source: SoundTune.exe Static PE information: invalid certificate
Source: SoundTune.exe, 00000000.00000002.2053553749.0000022585446000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenamentdll.dllj% vs SoundTune.exe
Source: SoundTune.exe, 00000000.00000002.2053080712.0000022584935000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenamentdll.dllj% vs SoundTune.exe
Source: SoundTune.exe, 00000000.00000002.2053261362.0000022584B90000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenamezip.exe( vs SoundTune.exe
Source: SoundTune.exe Binary or memory string: OriginalFilename vs SoundTune.exe
Source: SoundTune.exe, 00000005.00000002.2245920757.00000278AEC7B000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: OriginalFilenamentdll.dllj% vs SoundTune.exe
Source: SoundTune.exe, 00000005.00000002.2245550366.00000278AEA86000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenamentdll.dllj% vs SoundTune.exe
Source: SoundTune.exe, 00000005.00000002.2244717993.00000278AE3D1000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenamezip.exe( vs SoundTune.exe
Source: SoundTune.exe, 00000006.00000002.2199258711.000002A300386000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenamentdll.dllj% vs SoundTune.exe
Source: SoundTune.exe, 00000006.00000002.2200873633.000002A37F73A000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenamentdll.dllj% vs SoundTune.exe
Source: SoundTune.exe, 00000006.00000002.2201257984.000002A37F99F000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenamezip.exe( vs SoundTune.exe
Source: 5.2.SoundTune.exe.278ae41be5f.1.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 6.2.SoundTune.exe.2a37f9e925f.3.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 14.2.cmd.exe.532b378.3.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 16.2.explorer.exe.47f3f78.3.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 18.2.explorer.exe.4ca8a8a.5.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 0.2.SoundTune.exe.22584b96971.5.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 16.2.explorer.exe.47afa8a.2.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 17.2.explorer.exe.491fa8a.5.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 0.2.SoundTune.exe.22584bdae5f.2.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 2.2.cmd.exe.4ae3378.3.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 5.2.SoundTune.exe.278ae41b25f.3.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 6.2.SoundTune.exe.2a37f9e9e5f.4.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 14.2.cmd.exe.532bf78.4.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 7.2.cmd.exe.5465378.2.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 7.2.cmd.exe.5465f78.4.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 17.2.explorer.exe.4963378.4.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 18.2.explorer.exe.4cec378.3.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 13.2.SoundTune.exe.25b71315e5f.5.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 0.2.SoundTune.exe.22584bda25f.3.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 2.2.cmd.exe.4a9fa8a.4.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 2.2.cmd.exe.4ae3f78.2.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 7.2.cmd.exe.5421a8a.5.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 16.2.explorer.exe.47f3378.5.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 13.2.SoundTune.exe.25b7131525f.4.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 18.2.explorer.exe.4cecf78.2.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 17.2.explorer.exe.4963f78.2.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 6.2.SoundTune.exe.2a37f9a5971.5.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 13.2.SoundTune.exe.25b712d1971.3.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 5.2.SoundTune.exe.278ae3d7971.2.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 14.2.cmd.exe.52e7a8a.2.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: SoundTune.exe Static PE information: Section: .rsrc ZLIB complexity 0.9917615167025862
Source: classification engine Classification label: mal100.troj.spyw.expl.evad.winEXE@19/11@0/0
Source: C:\Windows\SysWOW64\cmd.exe File created: C:\Users\user\AppData\Roaming\updatefa
Source: C:\Users\user\Desktop\SoundTune.exe Mutant created: \Sessions\1\BaseNamedObjects\SoundTune-user
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3924:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5248:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4400:120:WilError_03
Source: C:\Users\user\Desktop\SoundTune.exe File created: C:\Users\user\AppData\Local\Temp\eb40e7d2
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\explorer.exe
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\explorer.exe
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\explorer.exe
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\explorer.exe
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\explorer.exe
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\explorer.exe
Source: SoundTune.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\SoundTune.exe Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: SoundTune.exe Virustotal: Detection: 22%
Source: C:\Users\user\Desktop\SoundTune.exe File read: C:\Users\user\Desktop\SoundTune.exe
Source: unknown Process created: C:\Users\user\Desktop\SoundTune.exe "C:\Users\user\Desktop\SoundTune.exe"
Source: C:\Users\user\Desktop\SoundTune.exe Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown Process created: C:\Users\user\AppData\Roaming\updatefa\SoundTune.exe C:\Users\user\AppData\Roaming\updatefa\SoundTune.exe
Source: unknown Process created: C:\Users\user\AppData\Roaming\updatefa\SoundTune.exe C:\Users\user\AppData\Roaming\updatefa\SoundTune.exe
Source: C:\Users\user\AppData\Roaming\updatefa\SoundTune.exe Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown Process created: C:\Users\user\AppData\Roaming\updatefa\SoundTune.exe "C:\Users\user\AppData\Roaming\updatefa\SoundTune.exe"
Source: C:\Users\user\AppData\Roaming\updatefa\SoundTune.exe Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\explorer.exe C:\Windows\SysWOW64\explorer.exe
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\explorer.exe C:\Windows\SysWOW64\explorer.exe
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\explorer.exe C:\Windows\SysWOW64\explorer.exe
Source: C:\Users\user\Desktop\SoundTune.exe Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\explorer.exe C:\Windows\SysWOW64\explorer.exe
Source: C:\Users\user\AppData\Roaming\updatefa\SoundTune.exe Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\explorer.exe C:\Windows\SysWOW64\explorer.exe
Source: C:\Users\user\AppData\Roaming\updatefa\SoundTune.exe Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\explorer.exe C:\Windows\SysWOW64\explorer.exe
Source: C:\Users\user\Desktop\SoundTune.exe Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\SoundTune.exe Section loaded: oleacc.dll
Source: C:\Users\user\Desktop\SoundTune.exe Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\SoundTune.exe Section loaded: version.dll
Source: C:\Users\user\Desktop\SoundTune.exe Section loaded: msimg32.dll
Source: C:\Users\user\Desktop\SoundTune.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\SoundTune.exe Section loaded: sspicli.dll
Source: C:\Users\user\Desktop\SoundTune.exe Section loaded: winhttp.dll
Source: C:\Users\user\Desktop\SoundTune.exe Section loaded: windowscodecs.dll
Source: C:\Users\user\Desktop\SoundTune.exe Section loaded: pla.dll
Source: C:\Users\user\Desktop\SoundTune.exe Section loaded: pdh.dll
Source: C:\Users\user\Desktop\SoundTune.exe Section loaded: tdh.dll
Source: C:\Users\user\Desktop\SoundTune.exe Section loaded: cabinet.dll
Source: C:\Users\user\Desktop\SoundTune.exe Section loaded: wevtapi.dll
Source: C:\Users\user\Desktop\SoundTune.exe Section loaded: shdocvw.dll
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: winbrand.dll
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: wldp.dll
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: shdocvw.dll
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: bitsproxy.dll
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: taskschd.dll
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: xmllite.dll
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: mstask.dll
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: windows.storage.dll
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: wldp.dll
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: mpr.dll
Source: C:\Users\user\AppData\Roaming\updatefa\SoundTune.exe Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Roaming\updatefa\SoundTune.exe Section loaded: oleacc.dll
Source: C:\Users\user\AppData\Roaming\updatefa\SoundTune.exe Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Roaming\updatefa\SoundTune.exe Section loaded: version.dll
Source: C:\Users\user\AppData\Roaming\updatefa\SoundTune.exe Section loaded: msimg32.dll
Source: C:\Users\user\AppData\Roaming\updatefa\SoundTune.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Roaming\updatefa\SoundTune.exe Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Roaming\updatefa\SoundTune.exe Section loaded: duser.dll
Source: C:\Users\user\AppData\Roaming\updatefa\SoundTune.exe Section loaded: xmllite.dll
Source: C:\Users\user\AppData\Roaming\updatefa\SoundTune.exe Section loaded: atlthunk.dll
Source: C:\Users\user\AppData\Roaming\updatefa\SoundTune.exe Section loaded: textshaping.dll
Source: C:\Users\user\AppData\Roaming\updatefa\SoundTune.exe Section loaded: textinputframework.dll
Source: C:\Users\user\AppData\Roaming\updatefa\SoundTune.exe Section loaded: coreuicomponents.dll
Source: C:\Users\user\AppData\Roaming\updatefa\SoundTune.exe Section loaded: coremessaging.dll
Source: C:\Users\user\AppData\Roaming\updatefa\SoundTune.exe Section loaded: ntmarta.dll
Source: C:\Users\user\AppData\Roaming\updatefa\SoundTune.exe Section loaded: coremessaging.dll
Source: C:\Users\user\AppData\Roaming\updatefa\SoundTune.exe Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Roaming\updatefa\SoundTune.exe Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Roaming\updatefa\SoundTune.exe Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Roaming\updatefa\SoundTune.exe Section loaded: winhttp.dll
Source: C:\Users\user\AppData\Roaming\updatefa\SoundTune.exe Section loaded: windowscodecs.dll
Source: C:\Users\user\AppData\Roaming\updatefa\SoundTune.exe Section loaded: pla.dll
Source: C:\Users\user\AppData\Roaming\updatefa\SoundTune.exe Section loaded: pdh.dll
Source: C:\Users\user\AppData\Roaming\updatefa\SoundTune.exe Section loaded: tdh.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\updatefa\SoundTune.exe Section loaded: cabinet.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\updatefa\SoundTune.exe Section loaded: wevtapi.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\updatefa\SoundTune.exe Section loaded: shdocvw.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\updatefa\SoundTune.exe Section loaded: msftedit.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\updatefa\SoundTune.exe Section loaded: comsvcs.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\updatefa\SoundTune.exe Section loaded: cryptsp.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\updatefa\SoundTune.exe Section loaded: rsaenh.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\updatefa\SoundTune.exe Section loaded: cryptbase.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\updatefa\SoundTune.exe Section loaded: cmlua.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\updatefa\SoundTune.exe Section loaded: cmutil.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\updatefa\SoundTune.exe Section loaded: oleacc.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\updatefa\SoundTune.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\updatefa\SoundTune.exe Section loaded: version.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\updatefa\SoundTune.exe Section loaded: msimg32.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\updatefa\SoundTune.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\updatefa\SoundTune.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\updatefa\SoundTune.exe Section loaded: winhttp.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\updatefa\SoundTune.exe Section loaded: windowscodecs.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\updatefa\SoundTune.exe Section loaded: pla.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\updatefa\SoundTune.exe Section loaded: pdh.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\updatefa\SoundTune.exe Section loaded: tdh.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\updatefa\SoundTune.exe Section loaded: cabinet.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\updatefa\SoundTune.exe Section loaded: wevtapi.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\updatefa\SoundTune.exe Section loaded: shdocvw.dll Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: winbrand.dll
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: wldp.dll
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: shdocvw.dll
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: uxtheme.dll
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: mstask.dll
Source: C:\Users\user\AppData\Roaming\updatefa\SoundTune.exe Section loaded: oleacc.dll
Source: C:\Users\user\AppData\Roaming\updatefa\SoundTune.exe Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Roaming\updatefa\SoundTune.exe Section loaded: version.dll
Source: C:\Users\user\AppData\Roaming\updatefa\SoundTune.exe Section loaded: msimg32.dll
Source: C:\Users\user\AppData\Roaming\updatefa\SoundTune.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Roaming\updatefa\SoundTune.exe Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Roaming\updatefa\SoundTune.exe Section loaded: winhttp.dll
Source: C:\Users\user\AppData\Roaming\updatefa\SoundTune.exe Section loaded: windowscodecs.dll
Source: C:\Users\user\AppData\Roaming\updatefa\SoundTune.exe Section loaded: pla.dll
Source: C:\Users\user\AppData\Roaming\updatefa\SoundTune.exe Section loaded: pdh.dll
Source: C:\Users\user\AppData\Roaming\updatefa\SoundTune.exe Section loaded: tdh.dll
Source: C:\Users\user\AppData\Roaming\updatefa\SoundTune.exe Section loaded: cabinet.dll
Source: C:\Users\user\AppData\Roaming\updatefa\SoundTune.exe Section loaded: wevtapi.dll
Source: C:\Users\user\AppData\Roaming\updatefa\SoundTune.exe Section loaded: shdocvw.dll
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: winbrand.dll
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: wldp.dll
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: shdocvw.dll
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: uxtheme.dll
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: mstask.dll
Source: C:\Windows\SysWOW64\explorer.exe Section loaded: aepic.dll
Source: C:\Windows\SysWOW64\explorer.exe Section loaded: twinapi.dll
Source: C:\Windows\SysWOW64\explorer.exe Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\explorer.exe Section loaded: iphlpapi.dll
Source: C:\Windows\SysWOW64\explorer.exe Section loaded: powrprof.dll
Source: C:\Windows\SysWOW64\explorer.exe Section loaded: windows.storage.dll
Source: C:\Windows\SysWOW64\explorer.exe Section loaded: dxgi.dll
Source: C:\Windows\SysWOW64\explorer.exe Section loaded: windows.storage.dll
Source: C:\Windows\SysWOW64\explorer.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\explorer.exe Section loaded: propsys.dll
Source: C:\Windows\SysWOW64\explorer.exe Section loaded: coremessaging.dll
Source: C:\Windows\SysWOW64\explorer.exe Section loaded: urlmon.dll
Source: C:\Windows\SysWOW64\explorer.exe Section loaded: windows.storage.dll
Source: C:\Windows\SysWOW64\explorer.exe Section loaded: windows.storage.dll
Source: C:\Windows\SysWOW64\explorer.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\explorer.exe Section loaded: wtsapi32.dll
Source: C:\Windows\SysWOW64\explorer.exe Section loaded: wininet.dll
Source: C:\Windows\SysWOW64\explorer.exe Section loaded: uxtheme.dll
Source: C:\Windows\SysWOW64\explorer.exe Section loaded: dwmapi.dll
Source: C:\Windows\SysWOW64\explorer.exe Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\explorer.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\explorer.exe Section loaded: twinapi.appcore.dll
Source: C:\Windows\SysWOW64\explorer.exe Section loaded: wldp.dll
Source: C:\Windows\SysWOW64\explorer.exe Section loaded: ntmarta.dll
Source: C:\Windows\SysWOW64\explorer.exe Section loaded: iertutil.dll
Source: C:\Windows\SysWOW64\explorer.exe Section loaded: srvcli.dll
Source: C:\Windows\SysWOW64\explorer.exe Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\explorer.exe Section loaded: cryptsp.dll
Source: C:\Windows\SysWOW64\explorer.exe Section loaded: umpdc.dll
Source: C:\Windows\SysWOW64\explorer.exe Section loaded: shdocvw.dll
Source: C:\Windows\SysWOW64\explorer.exe Section loaded: aepic.dll
Source: C:\Windows\SysWOW64\explorer.exe Section loaded: twinapi.dll
Source: C:\Windows\SysWOW64\explorer.exe Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\explorer.exe Section loaded: ntmarta.dll
Source: C:\Windows\SysWOW64\explorer.exe Section loaded: iphlpapi.dll
Source: C:\Windows\SysWOW64\explorer.exe Section loaded: powrprof.dll
Source: C:\Windows\SysWOW64\explorer.exe Section loaded: cryptsp.dll
Source: C:\Windows\SysWOW64\explorer.exe Section loaded: windows.storage.dll
Source: C:\Windows\SysWOW64\explorer.exe Section loaded: dxgi.dll
Source: C:\Windows\SysWOW64\explorer.exe Section loaded: windows.storage.dll
Source: C:\Windows\SysWOW64\explorer.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\explorer.exe Section loaded: propsys.dll
Source: C:\Windows\SysWOW64\explorer.exe Section loaded: coremessaging.dll
Source: C:\Windows\SysWOW64\explorer.exe Section loaded: urlmon.dll
Source: C:\Windows\SysWOW64\explorer.exe Section loaded: windows.storage.dll
Source: C:\Windows\SysWOW64\explorer.exe Section loaded: windows.storage.dll
Source: C:\Windows\SysWOW64\explorer.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\explorer.exe Section loaded: wtsapi32.dll
Source: C:\Windows\SysWOW64\explorer.exe Section loaded: wininet.dll
Source: C:\Windows\SysWOW64\explorer.exe Section loaded: uxtheme.dll
Source: C:\Windows\SysWOW64\explorer.exe Section loaded: dwmapi.dll
Source: C:\Windows\SysWOW64\explorer.exe Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\explorer.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\explorer.exe Section loaded: twinapi.appcore.dll
Source: C:\Windows\SysWOW64\explorer.exe Section loaded: wldp.dll
Source: C:\Windows\SysWOW64\explorer.exe Section loaded: iertutil.dll
Source: C:\Windows\SysWOW64\explorer.exe Section loaded: srvcli.dll
Source: C:\Windows\SysWOW64\explorer.exe Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\explorer.exe Section loaded: umpdc.dll
Source: C:\Windows\SysWOW64\explorer.exe Section loaded: shdocvw.dll
Source: C:\Windows\SysWOW64\explorer.exe Section loaded: aepic.dll
Source: C:\Windows\SysWOW64\explorer.exe Section loaded: twinapi.dll
Source: C:\Windows\SysWOW64\explorer.exe Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\explorer.exe Section loaded: iphlpapi.dll
Source: C:\Windows\SysWOW64\explorer.exe Section loaded: powrprof.dll
Source: C:\Windows\SysWOW64\explorer.exe Section loaded: windows.storage.dll
Source: C:\Windows\SysWOW64\explorer.exe Section loaded: dxgi.dll
Source: C:\Windows\SysWOW64\explorer.exe Section loaded: windows.storage.dll
Source: C:\Windows\SysWOW64\explorer.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\explorer.exe Section loaded: propsys.dll
Source: C:\Windows\SysWOW64\explorer.exe Section loaded: coremessaging.dll
Source: C:\Windows\SysWOW64\explorer.exe Section loaded: urlmon.dll
Source: C:\Windows\SysWOW64\explorer.exe Section loaded: windows.storage.dll
Source: C:\Windows\SysWOW64\explorer.exe Section loaded: windows.storage.dll
Source: C:\Windows\SysWOW64\explorer.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\explorer.exe Section loaded: wtsapi32.dll
Source: C:\Windows\SysWOW64\explorer.exe Section loaded: wininet.dll
Source: C:\Windows\SysWOW64\explorer.exe Section loaded: uxtheme.dll
Source: C:\Windows\SysWOW64\explorer.exe Section loaded: dwmapi.dll
Source: C:\Windows\SysWOW64\explorer.exe Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\explorer.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\explorer.exe Section loaded: twinapi.appcore.dll
Source: C:\Windows\SysWOW64\explorer.exe Section loaded: ntmarta.dll
Source: C:\Windows\SysWOW64\explorer.exe Section loaded: cryptsp.dll
Source: C:\Windows\SysWOW64\explorer.exe Section loaded: wldp.dll
Source: C:\Windows\SysWOW64\explorer.exe Section loaded: iertutil.dll
Source: C:\Windows\SysWOW64\explorer.exe Section loaded: srvcli.dll
Source: C:\Windows\SysWOW64\explorer.exe Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\explorer.exe Section loaded: umpdc.dll
Source: C:\Windows\SysWOW64\explorer.exe Section loaded: shdocvw.dll
Source: C:\Users\user\AppData\Roaming\updatefa\SoundTune.exe File opened: C:\Windows\SYSTEM32\msftedit.dll
Source: Window Recorder Window detected: More than 3 window changes detected
Source: SoundTune.exe Static PE information: Virtual size of .text is bigger than: 0x100000
Source: SoundTune.exe Static PE information: Image base 0x140000000 > 0x60000000
Source: SoundTune.exe Static file information: File size 9888656 > 1048576
Source: SoundTune.exe Static PE information: Raw size of .text is bigger than: 0x100000 < 0x597600
Source: SoundTune.exe Static PE information: Raw size of .rdata is bigger than: 0x100000 < 0x243000
Source: SoundTune.exe Static PE information: Raw size of .rsrc is bigger than: 0x100000 < 0x122000
Source: SoundTune.exe Static PE information: More than 200 imports for KERNEL32.dll
Source: SoundTune.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: SoundTune.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: SoundTune.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: SoundTune.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: SoundTune.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: SoundTune.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT
Source: SoundTune.exe Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Source: SoundTune.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: Binary string: D:\a\treesheets\treesheets\TS\TreeSheets.pdbP source: SoundTune.exe, 00000000.00000002.2052148275.0000022583B6A000.00000004.00000020.00020000.00000000.sdmp, SoundTune.exe, 00000000.00000002.2054568199.00007FF77A8E9000.00000002.00000001.01000000.00000003.sdmp, SoundTune.exe, 00000000.00000000.2036588675.00007FF77A8E9000.00000002.00000001.01000000.00000003.sdmp, SoundTune.exe, 00000005.00000002.2243607521.00000278AD563000.00000004.00000020.00020000.00000000.sdmp, SoundTune.exe, 00000005.00000000.2166738092.00007FF6FE3D9000.00000002.00000001.01000000.0000000A.sdmp, SoundTune.exe, 00000005.00000002.2246810793.00007FF6FE3D9000.00000002.00000001.01000000.0000000A.sdmp, SoundTune.exe, 00000006.00000002.2202817464.00007FF6FE3D9000.00000002.00000001.01000000.0000000A.sdmp, SoundTune.exe, 00000006.00000000.2168813639.00007FF6FE3D9000.00000002.00000001.01000000.0000000A.sdmp, SoundTune.exe, 00000006.00000002.2200022527.000002A37E98C000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: ntdll.pdb source: SoundTune.exe, 00000000.00000002.2053080712.00000225847BD000.00000004.00000020.00020000.00000000.sdmp, SoundTune.exe, 00000000.00000002.2053813920.00000225854C7000.00000004.00000001.00020000.00000000.sdmp, SoundTune.exe, 00000000.00000002.2053553749.00000225852C0000.00000004.00000800.00020000.00000000.sdmp, SoundTune.exe, 00000005.00000002.2245550366.00000278AE900000.00000004.00000800.00020000.00000000.sdmp, SoundTune.exe, 00000005.00000002.2243362804.00000278AB904000.00000004.00000020.00020000.00000000.sdmp, SoundTune.exe, 00000005.00000002.2245920757.00000278AEB03000.00000004.00000001.00020000.00000000.sdmp, SoundTune.exe, 00000006.00000002.2200873633.000002A37F5C2000.00000004.00000020.00020000.00000000.sdmp, SoundTune.exe, 00000006.00000002.2199453732.000002A30040E000.00000004.00000001.00020000.00000000.sdmp, SoundTune.exe, 00000006.00000002.2199258711.000002A300200000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: wntdll.pdbUGP source: cmd.exe, 00000002.00000002.2330127502.00000000046F5000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000002.00000002.2330397398.0000000004B70000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: ntdll.pdbUGP source: SoundTune.exe, 00000000.00000002.2053080712.00000225847BD000.00000004.00000020.00020000.00000000.sdmp, SoundTune.exe, 00000000.00000002.2053813920.00000225854C7000.00000004.00000001.00020000.00000000.sdmp, SoundTune.exe, 00000000.00000002.2053553749.00000225852C0000.00000004.00000800.00020000.00000000.sdmp, SoundTune.exe, 00000005.00000002.2245550366.00000278AE900000.00000004.00000800.00020000.00000000.sdmp, SoundTune.exe, 00000005.00000002.2243362804.00000278AB904000.00000004.00000020.00020000.00000000.sdmp, SoundTune.exe, 00000005.00000002.2245920757.00000278AEB03000.00000004.00000001.00020000.00000000.sdmp, SoundTune.exe, 00000006.00000002.2200873633.000002A37F5C2000.00000004.00000020.00020000.00000000.sdmp, SoundTune.exe, 00000006.00000002.2199453732.000002A30040E000.00000004.00000001.00020000.00000000.sdmp, SoundTune.exe, 00000006.00000002.2199258711.000002A300200000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: wntdll.pdb source: cmd.exe, 00000002.00000002.2330127502.00000000046F5000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000002.00000002.2330397398.0000000004B70000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: D:\a\treesheets\treesheets\TS\TreeSheets.pdb source: SoundTune.exe, 00000000.00000002.2052148275.0000022583B6A000.00000004.00000020.00020000.00000000.sdmp, SoundTune.exe, 00000000.00000002.2054568199.00007FF77A8E9000.00000002.00000001.01000000.00000003.sdmp, SoundTune.exe, 00000000.00000000.2036588675.00007FF77A8E9000.00000002.00000001.01000000.00000003.sdmp, SoundTune.exe, 00000005.00000002.2243607521.00000278AD563000.00000004.00000020.00020000.00000000.sdmp, SoundTune.exe, 00000005.00000000.2166738092.00007FF6FE3D9000.00000002.00000001.01000000.0000000A.sdmp, SoundTune.exe, 00000005.00000002.2246810793.00007FF6FE3D9000.00000002.00000001.01000000.0000000A.sdmp, SoundTune.exe, 00000006.00000002.2202817464.00007FF6FE3D9000.00000002.00000001.01000000.0000000A.sdmp, SoundTune.exe, 00000006.00000000.2168813639.00007FF6FE3D9000.00000002.00000001.01000000.0000000A.sdmp, SoundTune.exe, 00000006.00000002.2200022527.000002A37E98C000.00000004.00000020.00020000.00000000.sdmp
Source: SoundTune.exe Static PE information: real checksum: 0x97c656 should be: 0x97dc68
Source: nmqufdalfa.2.dr Static PE information: real checksum: 0x0 should be: 0x6fbf4
Source: hdoumnepq.14.dr Static PE information: real checksum: 0x0 should be: 0x6fbf4
Source: yxh.7.dr Static PE information: real checksum: 0x0 should be: 0x6fbf4
Source: SoundTune.exe Static PE information: section name: _RDATA
Source: nmqufdalfa.2.dr Static PE information: section name: uxcbu
Source: yxh.7.dr Static PE information: section name: uxcbu
Source: hdoumnepq.14.dr Static PE information: section name: uxcbu
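The checksum and section-name findings above can be reproduced from the raw bytes. The script below is an added example, not Joe Sandbox's code or anything from the sample: it implements the PE checksum algorithm that imagehlp's CheckSumMappedFile uses (dword sum of the file with the CheckSum field skipped, folded to 16 bits, plus the file length) and walks the section table, over a minimal PE32+ image constructed inline. STANDARD_SECTIONS is my own list of names common toolchains emit, so "_RDATA" and "uxcbu" land in the non-standard bucket as they do in the report.

```python
import struct

# Section names a stock MSVC/MinGW/Clang toolchain emits (my list, not the report's);
# anything else is worth a look. The report flags "_RDATA" on the sample and "uxcbu"
# on the three dropped files.
STANDARD_SECTIONS = {".text", ".rdata", ".data", ".pdata", ".rsrc", ".reloc", ".idata",
                     ".edata", ".tls", ".bss", ".CRT", ".gfids", ".00cfg", ".xdata"}

def _pe_header_offset(data: bytes) -> int:
    """Offset of the 'PE\\0\\0' signature, after validating the MZ stub."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    return e_lfanew

def _checksum_field_offset(data: bytes) -> int:
    # 4-byte signature + 20-byte COFF header; CheckSum sits 64 bytes into the optional header
    return _pe_header_offset(data) + 4 + 20 + 64

def section_names(data: bytes) -> list:
    """Section names in file order, read from the table that follows the optional header."""
    pe = _pe_header_offset(data)
    nsec = struct.unpack_from("<H", data, pe + 6)[0]
    opt_size = struct.unpack_from("<H", data, pe + 20)[0]
    first = pe + 4 + 20 + opt_size
    return [data[off:off + 8].rstrip(b"\0").decode("latin-1")
            for off in range(first, first + 40 * nsec, 40)]

def compute_checksum(data: bytes) -> int:
    """Recompute OptionalHeader.CheckSum the way imagehlp's CheckSumMappedFile does:
    wrap-around 32-bit sum of the file (zero-padded to a dword) with the CheckSum field
    itself skipped, folded to 16 bits, plus the file length."""
    cs_off = _checksum_field_offset(data)
    padded = data + b"\0" * (-len(data) % 4)
    total = 0
    for off in range(0, len(padded), 4):
        if off == cs_off:
            continue
        total += struct.unpack_from("<I", padded, off)[0]
        total = (total & 0xFFFFFFFF) + (total >> 32)
    total = (total & 0xFFFF) + (total >> 16)
    total = (total + (total >> 16)) & 0xFFFF
    return total + len(data)

def stored_checksum(data: bytes) -> int:
    return struct.unpack_from("<I", data, _checksum_field_offset(data))[0]

def triage(data: bytes) -> dict:
    """Reproduce the report's two static findings: checksum mismatch and odd section names."""
    stored, real = stored_checksum(data), compute_checksum(data)
    names = section_names(data)
    return {"checksum_stored": stored, "checksum_computed": real, "checksum_valid": stored == real,
            "sections": names, "nonstandard_sections": [n for n in names if n not in STANDARD_SECTIONS]}

def fix_checksum(data: bytes) -> bytes:
    """Write the correct value back (what a linker's /RELEASE switch does)."""
    buf = bytearray(data)
    struct.pack_into("<I", buf, _checksum_field_offset(data), compute_checksum(data))
    return bytes(buf)

def build_sample_pe(sections=(".text", "uxcbu"), checksum=0) -> bytes:
    """Constructed minimal PE32+ image (not the report's sample): valid headers, filler code."""
    dos = bytearray(b"MZ" + bytes(62))
    struct.pack_into("<I", dos, 0x3C, 0x40)                       # e_lfanew
    coff = struct.pack("<HHIIIHH", 0x8664, len(sections), 0, 0, 0, 240, 0x22)
    opt = bytearray(240)
    struct.pack_into("<H", opt, 0, 0x20B)                         # PE32+ magic
    struct.pack_into("<Q", opt, 24, 0x140000000)                  # ImageBase, as in the sample
    struct.pack_into("<I", opt, 64, checksum)                     # CheckSum field
    table = b"".join(name.encode().ljust(8, b"\0") + struct.pack(
        "<IIIIIIHHI", 0x200, 0x1000 * (i + 1), 0x200, 0x200 * (i + 1), 0, 0, 0, 0, 0x60000020)
        for i, name in enumerate(sections))
    headers = (bytes(dos) + b"PE\0\0" + coff + bytes(opt) + table).ljust(0x200, b"\0")
    body = b"\xCC" * (0x200 * len(sections)) + b"\x90\xC3\x00"  # odd length exercises the padding
    return headers + body
```

Two caveats when reading these findings. Windows only enforces the checksum for kernel-mode images, so a stored value of 0x0 (the three dropped files) just means the linker or packer never filled it in and is common on unsigned third-party builds. A nonzero but wrong value, as on SoundTune.exe (0x97c656 stored, 0x97dc68 computed), means the file was changed after the linker wrote it, which fits a binary that was patched post-build. On a 9.8 MB file the pure-Python loop takes a few seconds; `pefile.PE(...).generate_checksum()` and `verify_checksum()` implement the same algorithm in production tooling.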
Source: C:\Users\user\AppData\Roaming\updatefa\SoundTune.exe Code function: 5_2_0000009AC39CAAF7 pushfd ; ret 5_2_0000009AC39CAB1B
Source: C:\Users\user\AppData\Roaming\updatefa\SoundTune.exe Code function: 5_2_0000009AC39CC0F8 pushfd ; ret 5_2_0000009AC39CC0FB
Source: C:\Users\user\AppData\Roaming\updatefa\SoundTune.exe Code function: 5_2_0000009AC39CB0EC pushfd ; ret 5_2_0000009AC39CB12B
Source: C:\Users\user\AppData\Roaming\updatefa\SoundTune.exe Code function: 5_2_0000009AC39CBEE2 pushfd ; ret 5_2_0000009AC39CBEE3
Source: C:\Users\user\AppData\Roaming\updatefa\SoundTune.exe Code function: 5_2_0000009AC39CE4E2 pushfd ; ret 5_2_0000009AC39CE4F3
Source: C:\Users\user\AppData\Roaming\updatefa\SoundTune.exe Code function: 5_2_0000009AC39CF6E2 pushfd ; ret 5_2_0000009AC39CF6E3
Source: C:\Users\user\AppData\Roaming\updatefa\SoundTune.exe Code function: 5_2_0000009AC39CCCE4 pushfd ; ret 5_2_0000009AC39CCCBB
Source: C:\Users\user\AppData\Roaming\updatefa\SoundTune.exe Code function: 5_2_0000009AC39CACE4 pushfd ; ret 5_2_0000009AC39CACFB
Source: C:\Users\user\AppData\Roaming\updatefa\SoundTune.exe Code function: 5_2_0000009AC39CB0DA pushfd ; ret 5_2_0000009AC39CB0DB
Source: C:\Users\user\AppData\Roaming\updatefa\SoundTune.exe Code function: 5_2_0000009AC39CB4DA pushfd ; ret 5_2_0000009AC39CB4DB
Source: C:\Users\user\AppData\Roaming\updatefa\SoundTune.exe Code function: 5_2_0000009AC39CE6DB pushfd ; ret 5_2_0000009AC39CE6FB
Source: C:\Users\user\AppData\Roaming\updatefa\SoundTune.exe Code function: 5_2_0000009AC39C94DC pushfd ; ret 5_2_0000009AC39C94FB
Source: C:\Users\user\AppData\Roaming\updatefa\SoundTune.exe Code function: 5_2_0000009AC39CB312 pushfd ; ret 5_2_0000009AC39CB313
Source: C:\Users\user\AppData\Roaming\updatefa\SoundTune.exe Code function: 5_2_0000009AC39CA314 pushfd ; ret 5_2_0000009AC39CA393
Source: C:\Users\user\AppData\Roaming\updatefa\SoundTune.exe Code function: 5_2_0000009AC39CF314 pushfd ; ret 5_2_0000009AC39CF323
Source: C:\Users\user\AppData\Roaming\updatefa\SoundTune.exe Code function: 5_2_0000009AC39CDD0A pushfd ; ret 5_2_0000009AC39CDD13
Source: C:\Users\user\AppData\Roaming\updatefa\SoundTune.exe Code function: 5_2_0000009AC39C950C pushfd ; ret 5_2_0000009AC39C951B
Source: C:\Users\user\AppData\Roaming\updatefa\SoundTune.exe Code function: 5_2_0000009AC39CD10C pushfd ; ret 5_2_0000009AC39CD12B
Source: C:\Users\user\AppData\Roaming\updatefa\SoundTune.exe Code function: 5_2_0000009AC39CF308 pushfd ; ret 5_2_0000009AC39CF313
Source: C:\Users\user\AppData\Roaming\updatefa\SoundTune.exe Code function: 5_2_0000009AC39CD101 pushfd ; ret 5_2_0000009AC39CD08B
Source: C:\Users\user\AppData\Roaming\updatefa\SoundTune.exe Code function: 5_2_0000009AC39C9AFB pushfd ; ret 5_2_0000009AC39C9B43
Source: C:\Users\user\AppData\Roaming\updatefa\SoundTune.exe Code function: 5_2_0000009AC39CD538 pushfd ; ret 5_2_0000009AC39CD53B
Source: C:\Users\user\AppData\Roaming\updatefa\SoundTune.exe Code function: 5_2_0000009AC39CCF32 pushfd ; ret 5_2_0000009AC39CCF33
Source: C:\Users\user\AppData\Roaming\updatefa\SoundTune.exe Code function: 5_2_0000009AC39C932C pushfd ; ret 5_2_0000009AC39C93C3
Source: C:\Users\user\AppData\Roaming\updatefa\SoundTune.exe Code function: 5_2_0000009AC39C9F2C pushfd ; ret 5_2_0000009AC39C9F3B
Source: C:\Users\user\AppData\Roaming\updatefa\SoundTune.exe Code function: 5_2_0000009AC39CD32C pushfd ; ret 5_2_0000009AC39CD3EB
Source: C:\Users\user\AppData\Roaming\updatefa\SoundTune.exe Code function: 5_2_0000009AC39C9D24 pushfd ; ret 5_2_0000009AC39C9D3B
Source: C:\Users\user\AppData\Roaming\updatefa\SoundTune.exe Code function: 5_2_0000009AC39CAB1C pushfd ; ret 5_2_0000009AC39CAB1B
Source: C:\Users\user\AppData\Roaming\updatefa\SoundTune.exe Code function: 5_2_0000009AC39CAB1C pushfd ; ret 5_2_0000009AC39CABBB
Source: C:\Users\user\AppData\Roaming\updatefa\SoundTune.exe Code function: 5_2_0000009AC39CC11C pushfd ; ret 5_2_0000009AC39CC18B
Source: C:\Users\user\AppData\Roaming\updatefa\SoundTune.exe Code function: 5_2_0000009AC39CC558 pushfd ; ret 5_2_0000009AC39CC56B
Source: C:\Windows\SysWOW64\cmd.exe File created: C:\Users\user\AppData\Local\Temp\yxh
Source: C:\Windows\SysWOW64\cmd.exe File created: C:\Users\user\AppData\Local\Temp\hdoumnepq
Source: C:\Windows\SysWOW64\cmd.exe File created: C:\Users\user\AppData\Local\Temp\nmqufdalfa
Source: C:\Windows\SysWOW64\cmd.exe File created: C:\Users\user\AppData\Local\Temp\nmqufdalfa
Source: C:\Windows\SysWOW64\cmd.exe File created: C:\Users\user\AppData\Local\Temp\yxh
Source: C:\Windows\SysWOW64\cmd.exe File created: C:\Users\user\AppData\Local\Temp\hdoumnepq
Source: C:\Windows\SysWOW64\cmd.exe File created: C:\Windows\Tasks\uiQuick.job
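The cmd.exe process loads taskschd.dll and mstask.dll (Section loaded lines above) and then writes C:\Windows\Tasks\uiQuick.job. mstask.dll is the Task Scheduler 1.0 (ITask) client library, and tasks created through that interface are stored as .job files in that directory, which is the autostart mechanism the report flags. The parser below is an added example and not the report's tooling: it decodes the .job layout from MS-TSCH (68-byte fixed section, then length-prefixed UTF-16 strings, user/reserved data and 48-byte triggers) and flags a task whose target lives in a user-writable directory. The job blob is constructed inline by `build_job`; the report does not show what uiQuick.job contains.

```python
import struct
import uuid
from datetime import datetime

TRIGGER_TYPES = {0: "ONCE", 1: "DAILY", 2: "WEEKLY", 3: "MONTHLYDATE",
                 4: "MONTHLYDOW", 5: "ON_IDLE", 6: "AT_SYSTEMSTART", 7: "AT_LOGON"}
FIXED_LEN = 68  # FIXDLEN_DATA section, MS-TSCH 2.4.2.1
USER_WRITABLE = ("\\appdata\\", "\\temp\\", "\\programdata\\", "\\users\\public\\")

def _read_ustring(buf: bytes, off: int):
    """MS-TSCH Unicode String: 2-byte char count including the NUL, then UTF-16LE; 0 = absent."""
    n, = struct.unpack_from("<H", buf, off)
    off += 2
    if n == 0:
        return "", off
    return buf[off:off + 2 * n].decode("utf-16-le").rstrip("\0"), off + 2 * n

def parse_job(buf: bytes) -> dict:
    """Decode the fields an analyst needs from a legacy Task Scheduler .job file."""
    if len(buf) < FIXED_LEN + 2 or struct.unpack_from("<H", buf, 0x14)[0] < FIXED_LEN:
        raise ValueError("not a plausible .job file")
    app_off, trig_off = struct.unpack_from("<HH", buf, 0x14)   # app-name offset, trigger offset
    flags, = struct.unpack_from("<I", buf, 0x30)
    y, mo, _dow, d, h, mi, s, _ms = struct.unpack_from("<8H", buf, 0x34)  # last run, SYSTEMTIME
    last_run = datetime(y, mo, d, h, mi, s) if y else None               # all-zero = never ran
    app, off = _read_ustring(buf, app_off)
    params, off = _read_ustring(buf, off)
    workdir, off = _read_ustring(buf, off)
    author, off = _read_ustring(buf, off)
    comment, off = _read_ustring(buf, off)
    for _ in range(2):                        # User Data and Reserved Data: 2-byte size + bytes
        size, = struct.unpack_from("<H", buf, off)
        off += 2 + size
    ntrig, = struct.unpack_from("<H", buf, trig_off)
    triggers = []
    for i in range(ntrig):
        t = trig_off + 2 + 48 * i
        (_size, _r, by, bm, bd, _ey, _em, _ed, sh, smin,
         _dur, interval, _tflags, ttype) = struct.unpack_from("<10H4I", buf, t)
        triggers.append({"type": TRIGGER_TYPES.get(ttype, f"UNKNOWN({ttype})"),
                         "begin": f"{by:04d}-{bm:02d}-{bd:02d}", "start": f"{sh:02d}:{smin:02d}",
                         "interval_min": interval})
    return {"uuid": str(uuid.UUID(bytes_le=buf[4:20])), "application": app, "parameters": params,
            "working_dir": workdir, "author": author, "comment": comment, "flags": flags,
            "last_run": last_run, "triggers": triggers,
            "layout_consistent": off == trig_off}   # the string walk should end at the trigger count

def is_suspicious(job: dict) -> bool:
    """Persistence check: the task target lives in a user-writable directory."""
    return any(part in job["application"].lower() for part in USER_WRITABLE)

def _ustring(s: str) -> bytes:
    if not s:
        return struct.pack("<H", 0)
    return struct.pack("<H", len(s) + 1) + (s + "\0").encode("utf-16-le")

def build_job(app, params="", workdir="", author="", comment="", trigger_type=7,
              begin=(2024, 4, 8), start=(0, 0)) -> bytes:
    """Constructed .job blob in the MS-TSCH layout (not the uiQuick.job from the report)."""
    var = struct.pack("<H", 0)                                   # running instance count
    var += b"".join(_ustring(x) for x in (app, params, workdir, author, comment))
    var += struct.pack("<HH", 0, 0)                              # empty user data, reserved data
    trig_off = FIXED_LEN + len(var)
    var += struct.pack("<H", 1) + struct.pack("<10H4I", 48, 0, *begin, 0, 0, 0, *start,
                                               0, 0, 0, trigger_type) + bytes(12)
    fixed = struct.pack("<HH", 1, 1) + uuid.UUID(int=0x1234567890ABCDEF1234567890ABCDEF).bytes_le
    fixed += struct.pack("<HHHHHH", FIXED_LEN + 2, trig_off, 0, 0, 0, 0)  # offsets, retries, idle
    fixed += struct.pack("<IIIII", 0x20, 72 * 3600 * 1000, 0, 0, 0)      # priority, max runtime ms, exit, status, flags
    fixed += bytes(16)                                                    # last run time: never
    return fixed + var
```

On a live host the same parser runs over every file in C:\Windows\Tasks; a .job whose target sits under AppData, Temp or ProgramData and whose trigger is AT_LOGON or AT_SYSTEMSTART is the pattern to pull, since the legacy API does not register the task in the Task Scheduler 2.0 XML store and schtasks /query will still list it only by name.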

Hooking and other Techniques for Hiding and Protection

Source: C:\Windows\SysWOW64\cmd.exe Module Loaded: C:\USERS\user\APPDATA\LOCAL\TEMP\NMQUFDALFA
Source: C:\Windows\SysWOW64\cmd.exe Module Loaded: C:\USERS\user\APPDATA\LOCAL\TEMP\YXH
Source: C:\Windows\SysWOW64\cmd.exe Module Loaded: C:\USERS\user\APPDATA\LOCAL\TEMP\HDOUMNEPQ
Source: C:\Users\user\AppData\Roaming\updatefa\SoundTune.exe Registry key monitored for changes: HKEY_CURRENT_USER_Classes
Source: C:\Users\user\Desktop\SoundTune.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\conhost.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\updatefa\SoundTune.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\updatefa\SoundTune.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\updatefa\SoundTune.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\updatefa\SoundTune.exe Code function: 6_2_000002A37CBF707A str word ptr [eax+00000451h] 6_2_000002A37CBF707A
Source: C:\Windows\SysWOW64\cmd.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\yxh
Source: C:\Windows\SysWOW64\cmd.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\hdoumnepq
Source: C:\Windows\SysWOW64\cmd.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nmqufdalfa
Source: SoundTune.exe, 00000006.00000002.2201257984.000002A37F99F000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: noreply@vmware.com0
Source: SoundTune.exe, 00000006.00000002.2201257984.000002A37F99F000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: http://www.vmware.com/0
Source: SoundTune.exe, 00000006.00000002.2201257984.000002A37F99F000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: VMware, Inc.1!0
Source: SoundTune.exe, 00000006.00000002.2201257984.000002A37F99F000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: http://www.vmware.com/0/
Source: SoundTune.exe, 00000006.00000002.2201257984.000002A37F99F000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: VMware, Inc.1
Source: SoundTune.exe, 00000006.00000002.2201257984.000002A37F99F000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: VMware, Inc.0
Source: C:\Users\user\Desktop\SoundTune.exe Process information queried: ProcessInformation
Source: C:\Users\user\AppData\Roaming\updatefa\SoundTune.exe Code function: 5_2_00000278AE3F5D97 mov eax, dword ptr fs:[00000030h] 5_2_00000278AE3F5D97
Source: C:\Users\user\AppData\Roaming\updatefa\SoundTune.exe Code function: 5_2_00000278AE3F5986 mov eax, dword ptr fs:[00000030h] 5_2_00000278AE3F5986
Source: C:\Users\user\AppData\Roaming\updatefa\SoundTune.exe Code function: 5_2_00000278AE3E0F53 mov eax, dword ptr fs:[00000030h] 5_2_00000278AE3E0F53
Source: C:\Users\user\AppData\Roaming\updatefa\SoundTune.exe Code function: 5_2_00000278AE3E3FD5 mov eax, dword ptr fs:[00000030h] 5_2_00000278AE3E3FD5
Source: C:\Users\user\AppData\Roaming\updatefa\SoundTune.exe Code function: 5_2_00000278AE3E40CF mov eax, dword ptr fs:[00000030h] 5_2_00000278AE3E40CF

HIPS / PFW / Operating System Protection Evasion

Source: C:\Users\user\AppData\Roaming\updatefa\SoundTune.exe NtCreateFile: Direct from: 0x8100000080
Source: C:\Users\user\Desktop\SoundTune.exe NtAllocateVirtualMemory: Direct from: 0x7FF8B7FF8054
Source: C:\Users\user\AppData\Roaming\updatefa\SoundTune.exe NtReadFile: Direct from: 0x7FF8A88E85FB
Source: C:\Users\user\Desktop\SoundTune.exe NtQuerySystemInformation: Direct from: 0x22581CEA630
Source: C:\Users\user\AppData\Roaming\updatefa\SoundTune.exe NtQuerySystemInformation: Direct from: 0x25B6E3CFCA0
Source: C:\Users\user\AppData\Roaming\updatefa\SoundTune.exe NtAllocateVirtualMemory: Direct from: 0x25B6E3D4D80
Source: C:\Users\user\Desktop\SoundTune.exe NtCreateFile: Direct from: 0x7FF8B7FE78EC
Source: C:\Users\user\Desktop\SoundTune.exe NtAllocateVirtualMemory: Direct from: 0x22581CEDD20
Source: C:\Users\user\AppData\Roaming\updatefa\SoundTune.exe NtProtectVirtualMemory: Direct from: 0x278AB606F30
Source: C:\Users\user\Desktop\SoundTune.exe NtReadFile: Direct from: 0x7FF8B7FE85FB
Source: C:\Users\user\AppData\Roaming\updatefa\SoundTune.exe NtAllocateVirtualMemory: Direct from: 0x7FF8A88F8054
Source: C:\Users\user\AppData\Roaming\updatefa\SoundTune.exe NtProtectVirtualMemory: Direct from: 0x298
Source: C:\Users\user\AppData\Roaming\updatefa\SoundTune.exe NtAllocateVirtualMemory: Direct from: 0x2A37CC1F722
Source: C:\Users\user\Desktop\SoundTune.exe NtProtectVirtualMemory: Direct from: 0x22581CF0760
Source: C:\Users\user\AppData\Roaming\updatefa\SoundTune.exe NtSetTimerEx: Direct from: 0x7FF8C88A26A1
Source: C:\Users\user\Desktop\SoundTune.exe NtCreateFile: Direct from: 0x4800000080
Source: C:\Users\user\Desktop\SoundTune.exe NtAllocateVirtualMemory: Direct from: 0x22581CF0BB0
Source: C:\Users\user\AppData\Roaming\updatefa\SoundTune.exe NtProtectVirtualMemory: Direct from: 0x7FF8A88F9B9C
Source: C:\Users\user\AppData\Roaming\updatefa\SoundTune.exe NtProtectVirtualMemory: Direct from: 0x7FF8A88F9BF0
Source: C:\Users\user\AppData\Roaming\updatefa\SoundTune.exe NtProtectVirtualMemory: Direct from: 0x7FF8AC0453D3
Source: C:\Users\user\AppData\Roaming\updatefa\SoundTune.exe NtAllocateVirtualMemory: Direct from: 0x2A37CC19070
Source: C:\Users\user\AppData\Roaming\updatefa\SoundTune.exe NtCreateFile: Direct from: 0x7FF8A88E85AD
Source: C:\Users\user\AppData\Roaming\updatefa\SoundTune.exe NtCreateFile: Direct from: 0xDB00000080
Source: C:\Users\user\AppData\Roaming\updatefa\SoundTune.exe NtWriteFile: Direct from: 0x25B7189DA30
Source: C:\Users\user\AppData\Roaming\updatefa\SoundTune.exe NtQuerySystemInformation: Direct from: 0x2A37CC13E60
Source: C:\Users\user\Desktop\SoundTune.exe NtProtectVirtualMemory: Direct from: 0x2B0
Source: C:\Users\user\AppData\Roaming\updatefa\SoundTune.exe NtProtectVirtualMemory: Direct from: 0x7FF8C6F6FEE0
Source: C:\Users\user\AppData\Roaming\updatefa\SoundTune.exe NtProtectVirtualMemory: Direct from: 0x25B6E51BAB0
Source: C:\Users\user\AppData\Roaming\updatefa\SoundTune.exe NtWriteFile: Direct from: 0x2A30009DA30
Source: C:\Users\user\AppData\Roaming\updatefa\SoundTune.exe NtQueryInformationToken: Direct from: 0x9AC39CDF70
Source: C:\Users\user\AppData\Roaming\updatefa\SoundTune.exe NtQuerySystemInformation: Direct from: 0x9AC39CF4D0
Source: C:\Users\user\AppData\Roaming\updatefa\SoundTune.exe NtProtectVirtualMemory: Direct from: 0x7FF8A88F8735
Source: C:\Users\user\AppData\Roaming\updatefa\SoundTune.exe NtProtectVirtualMemory: Direct from: 0x278AE438E74
Source: C:\Users\user\Desktop\SoundTune.exe NtCreateFile: Direct from: 0x7FF8B7FE85AD
Source: C:\Users\user\AppData\Roaming\updatefa\SoundTune.exe NtAllocateVirtualMemory: Direct from: 0xA0A76ACB
Source: C:\Users\user\AppData\Roaming\updatefa\SoundTune.exe NtAllocateVirtualMemory: Direct from: 0x278A9BC3CA2
Source: C:\Users\user\Desktop\SoundTune.exe NtWriteFile: Direct from: 0x2258515DA30 Jump to behavior
Source: C:\Users\user\AppData\Roaming\updatefa\SoundTune.exe NtProtectVirtualMemory: Direct from: 0x2A37CD2BBB0 Jump to behavior
Source: C:\Users\user\AppData\Roaming\updatefa\SoundTune.exe NtCreateFile: Direct from: 0x7FF8A88E78EC Jump to behavior
Source: C:\Users\user\AppData\Roaming\updatefa\SoundTune.exe NtAllocateVirtualMemory: Direct from: 0x25B6E3F5F32 Jump to behavior
Source: C:\Users\user\Desktop\SoundTune.exe NtAllocateVirtualMemory: Direct from: 0x7FF8B7FE856E Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Memory written: PID: 5276 base: 2580000 value: 00 Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Memory written: PID: 5276 base: 26902D8 value: 00 Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Memory written: PID: 5276 base: 26911E8 value: 00 Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Memory written: PID: 5276 base: 1279C0 value: 55 Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Memory written: PID: 5276 base: 2590000 value: 00 Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Memory written: PID: 2956 base: 2580000 value: 00
Source: C:\Windows\SysWOW64\cmd.exe Memory written: PID: 2956 base: 26E22D8 value: 00
Source: C:\Windows\SysWOW64\cmd.exe Memory written: PID: 2956 base: 26E31E8 value: 00
Source: C:\Windows\SysWOW64\cmd.exe Memory written: PID: 2956 base: 1279C0 value: 55
Source: C:\Windows\SysWOW64\cmd.exe Memory written: PID: 2956 base: 2590000 value: 00
Source: C:\Windows\SysWOW64\cmd.exe Memory written: PID: 5516 base: 29F0000 value: 00
Source: C:\Windows\SysWOW64\cmd.exe Memory written: PID: 5516 base: 2A5E2D8 value: 00
Source: C:\Windows\SysWOW64\cmd.exe Memory written: PID: 5516 base: 2A5F1E8 value: 00
Source: C:\Windows\SysWOW64\cmd.exe Memory written: PID: 5516 base: 1279C0 value: 55
Source: C:\Windows\SysWOW64\cmd.exe Memory written: PID: 5516 base: 2C40000 value: 00
Source: C:\Users\user\Desktop\SoundTune.exe Section loaded: NULL target: C:\Windows\SysWOW64\cmd.exe protection: read write
Source: C:\Users\user\AppData\Roaming\updatefa\SoundTune.exe Section loaded: NULL target: C:\Windows\SysWOW64\cmd.exe protection: read write
Source: C:\Users\user\AppData\Roaming\updatefa\SoundTune.exe Section loaded: NULL target: C:\Windows\SysWOW64\cmd.exe protection: read write
Source: C:\Windows\SysWOW64\cmd.exe Memory written: C:\Windows\SysWOW64\explorer.exe base: 1279C0
Source: C:\Windows\SysWOW64\cmd.exe Memory written: C:\Windows\SysWOW64\explorer.exe base: 2590000
Source: C:\Windows\SysWOW64\cmd.exe Memory written: C:\Windows\SysWOW64\explorer.exe base: 1279C0
Source: C:\Windows\SysWOW64\cmd.exe Memory written: C:\Windows\SysWOW64\explorer.exe base: 2590000
Source: C:\Windows\SysWOW64\cmd.exe Memory written: C:\Windows\SysWOW64\explorer.exe base: 1279C0
Source: C:\Windows\SysWOW64\cmd.exe Memory written: C:\Windows\SysWOW64\explorer.exe base: 2C40000
Source: C:\Users\user\Desktop\SoundTune.exe Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\explorer.exe C:\Windows\SysWOW64\explorer.exe
Source: C:\Users\user\AppData\Roaming\updatefa\SoundTune.exe Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\explorer.exe C:\Windows\SysWOW64\explorer.exe
Source: C:\Users\user\AppData\Roaming\updatefa\SoundTune.exe Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\explorer.exe C:\Windows\SysWOW64\explorer.exe
Source: C:\Users\user\Desktop\SoundTune.exe Queries volume information: C:\Users\user\AppData\Local\Temp\eb40e7d2 VolumeInformation
Source: C:\Users\user\AppData\Roaming\updatefa\SoundTune.exe Queries volume information: C:\Users\user\AppData\Local\Temp\f5e8013d VolumeInformation
Source: C:\Users\user\AppData\Roaming\updatefa\SoundTune.exe Queries volume information: C:\Users\user\AppData\Local\Temp\f3455394 VolumeInformation
Source: C:\Users\user\AppData\Roaming\updatefa\SoundTune.exe Queries volume information: C:\Users\user\AppData\Local\Temp\f751201f VolumeInformation
Source: C:\Users\user\Desktop\SoundTune.exe Code function: 0_2_00007FF77A4CA264 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter, 0_2_00007FF77A4CA264

Stealing of Sensitive Information

Source: Yara match File source: decrypted.memstr, type: MEMORYSTR
Source: Yara match File source: 14.2.cmd.exe.59000c8.7.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.cmd.exe.5a200c8.7.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.cmd.exe.54a00c8.7.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.cmd.exe.5a200c8.7.unpack, type: UNPACKEDPE
Source: Yara match File source: 14.2.cmd.exe.59000c8.7.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.cmd.exe.54a00c8.7.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000007.00000002.2414191195.0000000005A20000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000E.00000002.2479094817.0000000005900000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.2330822665.00000000054A0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000012.00000002.2477851015.0000000002C41000.00000020.00000001.01000000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000011.00000002.2414365443.0000000002591000.00000004.00000001.01000000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000010.00000002.2329605585.0000000002591000.00000020.00000001.01000000.00000000.sdmp, type: MEMORY
Source: Yara match File source: C:\Users\user\AppData\Local\Temp\yxh, type: DROPPED
Source: Yara match File source: C:\Users\user\AppData\Local\Temp\nmqufdalfa, type: DROPPED
Source: Yara match File source: C:\Users\user\AppData\Local\Temp\hdoumnepq, type: DROPPED
No contacted IP infos