
Windows Analysis Report
SoundTune.exe

Overview

General Information

Sample name: SoundTune.exe
Analysis ID: 1425677
MD5: 9fae2084f15f67cc3549bdcdba10e595
SHA1: 372f1fa71e6956647ed4087f063e9601458f926e
SHA256: 1249e422fd97163201b6a38b48f2220a6262133b4302ad2d850669d71e144b06
Tags: exe

Detection

Amadey
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus detection for URL or domain
Antivirus detection for dropped file
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Yara detected Amadey
Yara detected Amadeys stealer DLL
Yara detected UAC Bypass using CMSTP
C2 URLs / IPs found in malware configuration
Found direct / indirect Syscall (likely to bypass EDR)
Found hidden mapped module (file has been removed from disk)
Injects code into the Windows Explorer (explorer.exe)
Machine Learning detection for dropped file
Maps a DLL or memory area into another process
Sample uses string decryption to hide its real strings
Writes to foreign memory regions
Contains functionality to detect virtual machines (STR)
Contains functionality to read the PEB
Creates a process in suspended mode (likely to inject code)
Creates files inside the system directory
Creates job files (autostart)
Detected potential crypto function
Drops PE files
Drops files with a non-matching file extension (content does not match file extension)
Found dropped PE file which has not been started or loaded
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
PE / OLE file has an invalid certificate
PE file contains an invalid checksum
PE file contains sections with non-standard names
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

  • System is w10x64
  • SoundTune.exe (PID: 4404 cmdline: "C:\Users\user\Desktop\SoundTune.exe" MD5: 9FAE2084F15F67CC3549BDCDBA10E595)
    • cmd.exe (PID: 3252 cmdline: C:\Windows\SysWOW64\cmd.exe MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • conhost.exe (PID: 4400 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • explorer.exe (PID: 5276 cmdline: C:\Windows\SysWOW64\explorer.exe MD5: DD6597597673F72E10C9DE7901FBA0A8)
  • SoundTune.exe (PID: 6360 cmdline: C:\Users\user\AppData\Roaming\updatefa\SoundTune.exe MD5: 9FAE2084F15F67CC3549BDCDBA10E595)
  • SoundTune.exe (PID: 2448 cmdline: C:\Users\user\AppData\Roaming\updatefa\SoundTune.exe MD5: 9FAE2084F15F67CC3549BDCDBA10E595)
    • cmd.exe (PID: 3500 cmdline: C:\Windows\SysWOW64\cmd.exe MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • conhost.exe (PID: 5248 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • explorer.exe (PID: 2956 cmdline: C:\Windows\SysWOW64\explorer.exe MD5: DD6597597673F72E10C9DE7901FBA0A8)
  • SoundTune.exe (PID: 6332 cmdline: "C:\Users\user\AppData\Roaming\updatefa\SoundTune.exe" MD5: 9FAE2084F15F67CC3549BDCDBA10E595)
    • cmd.exe (PID: 3652 cmdline: C:\Windows\SysWOW64\cmd.exe MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • conhost.exe (PID: 3924 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • explorer.exe (PID: 5516 cmdline: C:\Windows\SysWOW64\explorer.exe MD5: DD6597597673F72E10C9DE7901FBA0A8)
  • cleanup
Name: Amadey
Description: Amadey is a botnet that appeared around October 2018 and is being sold for about $500 on Russian-speaking hacking forums. It periodically sends information about the system and installed AV software to its C2 server and polls to receive orders from it. Its main functionality is that it can load other payloads (called "tasks") for all or specifically targeted computers compromised by the malware.
Attribution: No Attribution
Blogpost URLs: (none listed)
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.amadey
{"C2 url": "responsibilitybridge.com/8BvxwQdec3/index.php", "Version": "4.19"}
Source | Rule | Description | Author | Strings
C:\Users\user\AppData\Local\Temp\yxh | JoeSecurity_Amadey_2 | Yara detected Amadey's stealer DLL | Joe Security
C:\Users\user\AppData\Local\Temp\nmqufdalfa | JoeSecurity_Amadey_2 | Yara detected Amadey's stealer DLL | Joe Security
C:\Users\user\AppData\Local\Temp\hdoumnepq | JoeSecurity_Amadey_2 | Yara detected Amadey's stealer DLL | Joe Security

Source | Rule | Description | Author | Strings
00000007.00000002.2413913656.000000000541B000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_UACBypassusingCMSTP | Yara detected UAC Bypass using CMSTP | Joe Security
00000002.00000002.2330278372.0000000004A99000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_UACBypassusingCMSTP | Yara detected UAC Bypass using CMSTP | Joe Security
00000007.00000002.2414191195.0000000005A20000.00000004.00001000.00020000.00000000.sdmp | JoeSecurity_Amadey_2 | Yara detected Amadey's stealer DLL | Joe Security
00000010.00000002.2330168207.00000000047A9000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_UACBypassusingCMSTP | Yara detected UAC Bypass using CMSTP | Joe Security
0000000E.00000002.2479094817.0000000005900000.00000004.00001000.00020000.00000000.sdmp | JoeSecurity_Amadey_2 | Yara detected Amadey's stealer DLL | Joe Security
(17 further entries not shown in this extract)

Source | Rule | Description | Author | Strings
5.2.SoundTune.exe.278ae41be5f.1.raw.unpack | JoeSecurity_UACBypassusingCMSTP | Yara detected UAC Bypass using CMSTP | Joe Security
5.2.SoundTune.exe.278ae41be5f.1.raw.unpack | INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM | Detects Windows executables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) | ditekSHen
  • 0x1d08e:$guid1: {3E5FC7F9-9A51-4367-9063-A120244FBEC7}
  • 0x1d31a:$guid1: {3E5FC7F9-9A51-4367-9063-A120244FBEC7}
  • 0x1d119:$s1: CoGetObject
  • 0x1d3a5:$s1: CoGetObject
  • 0x1d072:$s2: Elevation:Administrator!new:
  • 0x1d2fe:$s2: Elevation:Administrator!new:
6.2.SoundTune.exe.2a37f9e925f.3.raw.unpack | JoeSecurity_UACBypassusingCMSTP | Yara detected UAC Bypass using CMSTP | Joe Security
6.2.SoundTune.exe.2a37f9e925f.3.raw.unpack | INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM | Detects Windows executables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) | ditekSHen
  • 0x1dc8e:$guid1: {3E5FC7F9-9A51-4367-9063-A120244FBEC7}
  • 0x1df1a:$guid1: {3E5FC7F9-9A51-4367-9063-A120244FBEC7}
  • 0x1dd19:$s1: CoGetObject
  • 0x1dfa5:$s1: CoGetObject
  • 0x1dc72:$s2: Elevation:Administrator!new:
  • 0x1defe:$s2: Elevation:Administrator!new:
14.2.cmd.exe.532b378.3.raw.unpack | JoeSecurity_UACBypassusingCMSTP | Yara detected UAC Bypass using CMSTP | Joe Security
(61 further entries not shown in this extract)

System Summary

Source: Process started | Author: Furkan CALISKAN, @caliskanfurkan_, @oscd_initiative | Data: Command: C:\Windows\SysWOW64\explorer.exe, CommandLine: C:\Windows\SysWOW64\explorer.exe, CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\explorer.exe, NewProcessName: C:\Windows\SysWOW64\explorer.exe, OriginalFileName: C:\Windows\SysWOW64\explorer.exe, ParentCommandLine: C:\Windows\SysWOW64\cmd.exe, ParentImage: C:\Windows\SysWOW64\cmd.exe, ParentProcessId: 3252, ParentProcessName: cmd.exe, ProcessCommandLine: C:\Windows\SysWOW64\explorer.exe, ProcessId: 5276, ProcessName: explorer.exe
No Snort rule has matched

AV Detection

Source: responsibilitybridge.com/8BvxwQdec3/index.php | Avira URL Cloud: Label: phishing
Source: C:\Users\user\AppData\Local\Temp\nmqufdalfa | Avira: detection malicious, Label: HEUR/AGEN.1319380
Source: C:\Users\user\AppData\Local\Temp\yxh | Avira: detection malicious, Label: HEUR/AGEN.1319380
Source: C:\Users\user\AppData\Local\Temp\hdoumnepq | Avira: detection malicious, Label: HEUR/AGEN.1319380
Source: 14.2.cmd.exe.59000c8.7.unpack | Malware Configuration Extractor: Amadey {"C2 url": "responsibilitybridge.com/8BvxwQdec3/index.php", "Version": "4.19"}
Source: C:\Users\user\AppData\Local\Temp\hdoumnepq | ReversingLabs: Detection: 42%
Source: C:\Users\user\AppData\Local\Temp\hdoumnepq | Virustotal: Detection: 57%
Source: C:\Users\user\AppData\Local\Temp\nmqufdalfa | ReversingLabs: Detection: 42%
Source: C:\Users\user\AppData\Local\Temp\nmqufdalfa | Virustotal: Detection: 57%
Source: C:\Users\user\AppData\Local\Temp\yxh | ReversingLabs: Detection: 42%
Source: C:\Users\user\AppData\Local\Temp\yxh | Virustotal: Detection: 57%
Source: SoundTune.exe | Virustotal: Detection: 22%
Source: C:\Users\user\AppData\Local\Temp\nmqufdalfa | Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\yxh | Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\hdoumnepq | Joe Sandbox ML: detected
Source: 14.2.cmd.exe.59000c8.7.unpack | String decryptor: responsibilitybridge.com
Source: 14.2.cmd.exe.59000c8.7.unpack | String decryptor: /8BvxwQdec3/index.php
Source: 14.2.cmd.exe.59000c8.7.unpack | String decryptor: S-%lu-
Source: 14.2.cmd.exe.59000c8.7.unpack | String decryptor: 33a59d2d44
Source: 14.2.cmd.exe.59000c8.7.unpack | String decryptor: Dctooux.exe
Source: 14.2.cmd.exe.59000c8.7.unpack | String decryptor: SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce
Source: 14.2.cmd.exe.59000c8.7.unpack | String decryptor: SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders
Source: 14.2.cmd.exe.59000c8.7.unpack | String decryptor: Startup
Source: 14.2.cmd.exe.59000c8.7.unpack | String decryptor: cmd /C RMDIR /s/q
Source: 14.2.cmd.exe.59000c8.7.unpack | String decryptor: SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Source: 14.2.cmd.exe.59000c8.7.unpack | String decryptor: rundll32
Source: 14.2.cmd.exe.59000c8.7.unpack | String decryptor: Programs
Source: 14.2.cmd.exe.59000c8.7.unpack | String decryptor: SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders
Source: 14.2.cmd.exe.59000c8.7.unpack | String decryptor: %USERPROFILE%
Source: 14.2.cmd.exe.59000c8.7.unpack | String decryptor: cred.dll|clip.dll|
Source: 14.2.cmd.exe.59000c8.7.unpack | String decryptor: http://
Source: 14.2.cmd.exe.59000c8.7.unpack | String decryptor: https://
Source: 14.2.cmd.exe.59000c8.7.unpack | String decryptor: /Plugins/
Source: 14.2.cmd.exe.59000c8.7.unpack | String decryptor: &unit=
Source: 14.2.cmd.exe.59000c8.7.unpack | String decryptor: shell32.dll
Source: 14.2.cmd.exe.59000c8.7.unpack | String decryptor: kernel32.dll
Source: 14.2.cmd.exe.59000c8.7.unpack | String decryptor: GetNativeSystemInfo
Source: 14.2.cmd.exe.59000c8.7.unpack | String decryptor: ProgramData\
Source: 14.2.cmd.exe.59000c8.7.unpack | String decryptor: AVAST Software
Source: 14.2.cmd.exe.59000c8.7.unpack | String decryptor: Kaspersky Lab
Source: 14.2.cmd.exe.59000c8.7.unpack | String decryptor: Panda Security
Source: 14.2.cmd.exe.59000c8.7.unpack | String decryptor: Doctor Web
Source: 14.2.cmd.exe.59000c8.7.unpack | String decryptor: 360TotalSecurity
Source: 14.2.cmd.exe.59000c8.7.unpack | String decryptor: Bitdefender
Source: 14.2.cmd.exe.59000c8.7.unpack | String decryptor: Norton
Source: 14.2.cmd.exe.59000c8.7.unpack | String decryptor: Sophos
Source: 14.2.cmd.exe.59000c8.7.unpack | String decryptor: Comodo
Source: 14.2.cmd.exe.59000c8.7.unpack | String decryptor: WinDefender
Source: 14.2.cmd.exe.59000c8.7.unpack | String decryptor: 0123456789
Source: 14.2.cmd.exe.59000c8.7.unpack | String decryptor: Content-Type: multipart/form-data; boundary=----
Source: 14.2.cmd.exe.59000c8.7.unpack | String decryptor: ------
Source: 14.2.cmd.exe.59000c8.7.unpack | String decryptor: ?scr=1
Source: 14.2.cmd.exe.59000c8.7.unpack | String decryptor: Content-Type: application/x-www-form-urlencoded
Source: 14.2.cmd.exe.59000c8.7.unpack | String decryptor: SYSTEM\CurrentControlSet\Control\ComputerName\ComputerName
Source: 14.2.cmd.exe.59000c8.7.unpack | String decryptor: ComputerName
Source: 14.2.cmd.exe.59000c8.7.unpack | String decryptor: abcdefghijklmnopqrstuvwxyz0123456789-_
Source: 14.2.cmd.exe.59000c8.7.unpack | String decryptor: -unicode-
Source: 14.2.cmd.exe.59000c8.7.unpack | String decryptor: SYSTEM\CurrentControlSet\Control\UnitedVideo\CONTROL\VIDEO\
Source: 14.2.cmd.exe.59000c8.7.unpack | String decryptor: SYSTEM\ControlSet001\Services\BasicDisplay\Video
Source: 14.2.cmd.exe.59000c8.7.unpack | String decryptor: VideoID
Source: 14.2.cmd.exe.59000c8.7.unpack | String decryptor: DefaultSettings.XResolution
Source: 14.2.cmd.exe.59000c8.7.unpack | String decryptor: DefaultSettings.YResolution
Source: 14.2.cmd.exe.59000c8.7.unpack | String decryptor: SOFTWARE\Microsoft\Windows NT\CurrentVersion
Source: 14.2.cmd.exe.59000c8.7.unpack | String decryptor: ProductName
Source: 14.2.cmd.exe.59000c8.7.unpack | String decryptor: CurrentBuild
Source: 14.2.cmd.exe.59000c8.7.unpack | String decryptor: rundll32.exe
Source: 14.2.cmd.exe.59000c8.7.unpack | String decryptor: "taskkill /f /im "
Source: 14.2.cmd.exe.59000c8.7.unpack | String decryptor: " && timeout 1 && del
Source: 14.2.cmd.exe.59000c8.7.unpack | String decryptor: && Exit"
Source: 14.2.cmd.exe.59000c8.7.unpack | String decryptor: " && ren
Source: 14.2.cmd.exe.59000c8.7.unpack | String decryptor: Powershell.exe
Source: 14.2.cmd.exe.59000c8.7.unpack | String decryptor: -executionpolicy remotesigned -File "
Source: 14.2.cmd.exe.59000c8.7.unpack | String decryptor: shutdown -s -t 0
Source: 14.2.cmd.exe.59000c8.7.unpack | String decryptor: random
Source: 14.2.cmd.exe.59000c8.7.unpack | String decryptor: 64q}cZ

Exploits

Source: Yara match | File source: 5.2.SoundTune.exe.278ae41be5f.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 6.2.SoundTune.exe.2a37f9e925f.3.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 14.2.cmd.exe.532b378.3.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 16.2.explorer.exe.47f3f78.3.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 18.2.explorer.exe.4ca8a8a.5.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.SoundTune.exe.22584b96971.5.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 16.2.explorer.exe.47afa8a.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 17.2.explorer.exe.491fa8a.5.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.SoundTune.exe.22584bdae5f.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.2.cmd.exe.4ae3378.3.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 5.2.SoundTune.exe.278ae41b25f.3.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 6.2.SoundTune.exe.2a37f9e9e5f.4.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 14.2.cmd.exe.532bf78.4.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 7.2.cmd.exe.5465378.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 7.2.cmd.exe.5465f78.4.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 17.2.explorer.exe.4963378.4.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 18.2.explorer.exe.4cec378.3.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 13.2.SoundTune.exe.25b71315e5f.5.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.SoundTune.exe.22584bda25f.3.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.2.cmd.exe.4a9fa8a.4.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.2.cmd.exe.4ae3f78.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 7.2.cmd.exe.5421a8a.5.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 16.2.explorer.exe.47f3378.5.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 13.2.SoundTune.exe.25b7131525f.4.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 18.2.explorer.exe.4cecf78.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 17.2.explorer.exe.4963f78.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 6.2.SoundTune.exe.2a37f9a5971.5.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 13.2.SoundTune.exe.25b712d1971.3.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 5.2.SoundTune.exe.278ae3d7971.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 14.2.cmd.exe.52e7a8a.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000007.00000002.2413913656.000000000541B000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000002.2330278372.0000000004A99000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000010.00000002.2330168207.00000000047A9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000E.00000002.2478639571.00000000052E1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000005.00000002.2243163643.00000278AB600000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000D.00000002.2254650455.0000025B712CB000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000012.00000002.2478523985.0000000004CA2000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.2053261362.0000022584B90000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000011.00000002.2414793420.0000000004919000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000005.00000002.2244717993.00000278AE3D1000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000006.00000002.2201257984.000002A37F99F000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: SoundTune.exe PID: 4404, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: cmd.exe PID: 3252, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: SoundTune.exe PID: 6360, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: SoundTune.exe PID: 2448, type: MEMORYSTR
Source: SoundTune.exe | Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Source: Binary string: D:\a\treesheets\treesheets\TS\TreeSheets.pdbP | source: SoundTune.exe, 00000000.00000002.2052148275.0000022583B6A000.00000004.00000020.00020000.00000000.sdmp, SoundTune.exe, 00000000.00000002.2054568199.00007FF77A8E9000.00000002.00000001.01000000.00000003.sdmp, SoundTune.exe, 00000000.00000000.2036588675.00007FF77A8E9000.00000002.00000001.01000000.00000003.sdmp, SoundTune.exe, 00000005.00000002.2243607521.00000278AD563000.00000004.00000020.00020000.00000000.sdmp, SoundTune.exe, 00000005.00000000.2166738092.00007FF6FE3D9000.00000002.00000001.01000000.0000000A.sdmp, SoundTune.exe, 00000005.00000002.2246810793.00007FF6FE3D9000.00000002.00000001.01000000.0000000A.sdmp, SoundTune.exe, 00000006.00000002.2202817464.00007FF6FE3D9000.00000002.00000001.01000000.0000000A.sdmp, SoundTune.exe, 00000006.00000000.2168813639.00007FF6FE3D9000.00000002.00000001.01000000.0000000A.sdmp, SoundTune.exe, 00000006.00000002.2200022527.000002A37E98C000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: ntdll.pdb | source: SoundTune.exe, 00000000.00000002.2053080712.00000225847BD000.00000004.00000020.00020000.00000000.sdmp, SoundTune.exe, 00000000.00000002.2053813920.00000225854C7000.00000004.00000001.00020000.00000000.sdmp, SoundTune.exe, 00000000.00000002.2053553749.00000225852C0000.00000004.00000800.00020000.00000000.sdmp, SoundTune.exe, 00000005.00000002.2245550366.00000278AE900000.00000004.00000800.00020000.00000000.sdmp, SoundTune.exe, 00000005.00000002.2243362804.00000278AB904000.00000004.00000020.00020000.00000000.sdmp, SoundTune.exe, 00000005.00000002.2245920757.00000278AEB03000.00000004.00000001.00020000.00000000.sdmp, SoundTune.exe, 00000006.00000002.2200873633.000002A37F5C2000.00000004.00000020.00020000.00000000.sdmp, SoundTune.exe, 00000006.00000002.2199453732.000002A30040E000.00000004.00000001.00020000.00000000.sdmp, SoundTune.exe, 00000006.00000002.2199258711.000002A300200000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: wntdll.pdbUGP | source: cmd.exe, 00000002.00000002.2330127502.00000000046F5000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000002.00000002.2330397398.0000000004B70000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: ntdll.pdbUGP | source: SoundTune.exe, 00000000.00000002.2053080712.00000225847BD000.00000004.00000020.00020000.00000000.sdmp, SoundTune.exe, 00000000.00000002.2053813920.00000225854C7000.00000004.00000001.00020000.00000000.sdmp, SoundTune.exe, 00000000.00000002.2053553749.00000225852C0000.00000004.00000800.00020000.00000000.sdmp, SoundTune.exe, 00000005.00000002.2245550366.00000278AE900000.00000004.00000800.00020000.00000000.sdmp, SoundTune.exe, 00000005.00000002.2243362804.00000278AB904000.00000004.00000020.00020000.00000000.sdmp, SoundTune.exe, 00000005.00000002.2245920757.00000278AEB03000.00000004.00000001.00020000.00000000.sdmp, SoundTune.exe, 00000006.00000002.2200873633.000002A37F5C2000.00000004.00000020.00020000.00000000.sdmp, SoundTune.exe, 00000006.00000002.2199453732.000002A30040E000.00000004.00000001.00020000.00000000.sdmp, SoundTune.exe, 00000006.00000002.2199258711.000002A300200000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: wntdll.pdb | source: cmd.exe, 00000002.00000002.2330127502.00000000046F5000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000002.00000002.2330397398.0000000004B70000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: D:\a\treesheets\treesheets\TS\TreeSheets.pdb | source: SoundTune.exe, 00000000.00000002.2052148275.0000022583B6A000.00000004.00000020.00020000.00000000.sdmp, SoundTune.exe, 00000000.00000002.2054568199.00007FF77A8E9000.00000002.00000001.01000000.00000003.sdmp, SoundTune.exe, 00000000.00000000.2036588675.00007FF77A8E9000.00000002.00000001.01000000.00000003.sdmp, SoundTune.exe, 00000005.00000002.2243607521.00000278AD563000.00000004.00000020.00020000.00000000.sdmp, SoundTune.exe, 00000005.00000000.2166738092.00007FF6FE3D9000.00000002.00000001.01000000.0000000A.sdmp, SoundTune.exe, 00000005.00000002.2246810793.00007FF6FE3D9000.00000002.00000001.01000000.0000000A.sdmp, SoundTune.exe, 00000006.00000002.2202817464.00007FF6FE3D9000.00000002.00000001.01000000.0000000A.sdmp, SoundTune.exe, 00000006.00000000.2168813639.00007FF6FE3D9000.00000002.00000001.01000000.0000000A.sdmp, SoundTune.exe, 00000006.00000002.2200022527.000002A37E98C000.00000004.00000020.00020000.00000000.sdmp

Networking

Source: Malware configuration extractor | URLs: responsibilitybridge.com/8BvxwQdec3/index.php
Source: SoundTune.exe, 00000000.00000002.2053261362.0000022584B90000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000002.00000002.2330278372.0000000004A99000.00000004.00000800.00020000.00000000.sdmp, SoundTune.exe, 00000005.00000002.2244717993.00000278AE3D1000.00000004.00000020.00020000.00000000.sdmp, SoundTune.exe, 00000006.00000002.2201257984.000002A37F99F000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDCA-1.crt0
Source: SoundTune.exe, 00000000.00000002.2053261362.0000022584B90000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000002.00000002.2330278372.0000000004A99000.00000004.00000800.00020000.00000000.sdmp, SoundTune.exe, 00000005.00000002.2244717993.00000278AE3D1000.00000004.00000020.00020000.00000000.sdmp, SoundTune.exe, 00000006.00000002.2201257984.000002A37F99F000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDCodeSigningCA-1.crt0
Source: SoundTune.exe, 00000000.00000002.2053261362.0000022584B90000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000002.00000002.2330278372.0000000004A99000.00000004.00000800.00020000.00000000.sdmp, SoundTune.exe, 00000005.00000002.2244717993.00000278AE3D1000.00000004.00000020.00020000.00000000.sdmp, SoundTune.exe, 00000006.00000002.2201257984.000002A37F99F000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0
Source: SoundTune.exe, 00000000.00000002.2052148275.0000022583B6A000.00000004.00000020.00020000.00000000.sdmp, SoundTune.exe, 00000005.00000002.2243607521.00000278AD563000.00000004.00000020.00020000.00000000.sdmp, SoundTune.exe, 00000006.00000002.2200022527.000002A37E98C000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0E
Source: SoundTune.exe, 00000000.00000002.2053261362.0000022584B90000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000002.00000002.2330278372.0000000004A99000.00000004.00000800.00020000.00000000.sdmp, SoundTune.exe, 00000005.00000002.2244717993.00000278AE3D1000.00000004.00000020.00020000.00000000.sdmp, SoundTune.exe, 00000006.00000002.2201257984.000002A37F99F000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2AssuredIDTimestampingCA.crt0
Source: SoundTune.exe, 00000000.00000002.2052148275.0000022583B6A000.00000004.00000020.00020000.00000000.sdmp, SoundTune.exe, 00000005.00000002.2243607521.00000278AD563000.00000004.00000020.00020000.00000000.sdmp, SoundTune.exe, 00000006.00000002.2200022527.000002A37E98C000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crt0
Source: SoundTune.exe, 00000000.00000002.2052148275.0000022583B6A000.00000004.00000020.00020000.00000000.sdmp, SoundTune.exe, 00000005.00000002.2243607521.00000278AD563000.00000004.00000020.00020000.00000000.sdmp, SoundTune.exe, 00000006.00000002.2200022527.000002A37E98C000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crt0
Source: SoundTune.exe, 00000000.00000002.2052148275.0000022583B6A000.00000004.00000020.00020000.00000000.sdmp, SoundTune.exe, 00000005.00000002.2243607521.00000278AD563000.00000004.00000020.00020000.00000000.sdmp, SoundTune.exe, 00000006.00000002.2200022527.000002A37E98C000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedRootG4.crt0C
Source: SoundTune.exe, 00000000.00000002.2053261362.0000022584B90000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000002.00000002.2330278372.0000000004A99000.00000004.00000800.00020000.00000000.sdmp, SoundTune.exe, 00000005.00000002.2244717993.00000278AE3D1000.00000004.00000020.00020000.00000000.sdmp, SoundTune.exe, 00000006.00000002.2201257984.000002A37F99F000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDCA-1.crl08
Source: SoundTune.exe, 00000000.00000002.2052148275.0000022583B6A000.00000004.00000020.00020000.00000000.sdmp, SoundTune.exe, 00000005.00000002.2243607521.00000278AD563000.00000004.00000020.00020000.00000000.sdmp, SoundTune.exe, 00000006.00000002.2200022527.000002A37E98C000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0
Source: SoundTune.exe, 00000000.00000002.2053261362.0000022584B90000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000002.00000002.2330278372.0000000004A99000.00000004.00000800.00020000.00000000.sdmp, SoundTune.exe, 00000005.00000002.2244717993.00000278AE3D1000.00000004.00000020.00020000.00000000.sdmp, SoundTune.exe, 00000006.00000002.2201257984.000002A37F99F000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0:
Source: SoundTune.exe, 00000000.00000002.2053261362.0000022584B90000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000002.00000002.2330278372.0000000004A99000.00000004.00000800.00020000.00000000.sdmp, SoundTune.exe, 00000005.00000002.2244717993.00000278AE3D1000.00000004.00000020.00020000.00000000.sdmp, SoundTune.exe, 00000006.00000002.2201257984.000002A37F99F000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0P
Source: SoundTune.exe, 00000000.00000002.2052148275.0000022583B6A000.00000004.00000020.00020000.00000000.sdmp, SoundTune.exe, 00000005.00000002.2243607521.00000278AD563000.00000004.00000020.00020000.00000000.sdmp, SoundTune.exe, 00000006.00000002.2200022527.000002A37E98C000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0S
Source: SoundTune.exe, 00000000.00000002.2052148275.0000022583B6A000.00000004.00000020.00020000.00000000.sdmp, SoundTune.exe, 00000005.00000002.2243607521.00000278AD563000.00000004.00000020.00020000.00000000.sdmp, SoundTune.exe, 00000006.00000002.2200022527.000002A37E98C000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crl0
Source: SoundTune.exe, 00000006.00000002.2200022527.000002A37E98C000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedRootG4.crl0
Source: SoundTune.exe, 00000000.00000002.2053261362.0000022584B90000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000002.00000002.2330278372.0000000004A99000.00000004.00000800.00020000.00000000.sdmp, SoundTune.exe, 00000005.00000002.2244717993.00000278AE3D1000.00000004.00000020.00020000.00000000.sdmp, SoundTune.exe, 00000006.00000002.2201257984.000002A37F99F000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://crl3.digicert.com/assured-cs-g1.crl00
Source: SoundTune.exe, 00000000.00000002.2053261362.0000022584B90000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000002.00000002.2330278372.0000000004A99000.00000004.00000800.00020000.00000000.sdmp, SoundTune.exe, 00000005.00000002.2244717993.00000278AE3D1000.00000004.00000020.00020000.00000000.sdmp, SoundTune.exe, 00000006.00000002.2201257984.000002A37F99F000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://crl3.digicert.com/sha2-assured-ts.crl02
                        Source: SoundTune.exe, 00000000.00000002.2053261362.0000022584B90000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000002.00000002.2330278372.0000000004A99000.00000004.00000800.00020000.00000000.sdmp, SoundTune.exe, 00000005.00000002.2244717993.00000278AE3D1000.00000004.00000020.00020000.00000000.sdmp, SoundTune.exe, 00000006.00000002.2201257984.000002A37F99F000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl4.digicert.com/DigiCertAssuredIDCA-1.crl0w
                        Source: SoundTune.exe, 00000000.00000002.2053261362.0000022584B90000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000002.00000002.2330278372.0000000004A99000.00000004.00000800.00020000.00000000.sdmp, SoundTune.exe, 00000005.00000002.2244717993.00000278AE3D1000.00000004.00000020.00020000.00000000.sdmp, SoundTune.exe, 00000006.00000002.2201257984.000002A37F99F000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl4.digicert.com/DigiCertAssuredIDRootCA.crl0
                        Source: SoundTune.exe, 00000000.00000002.2053261362.0000022584B90000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000002.00000002.2330278372.0000000004A99000.00000004.00000800.00020000.00000000.sdmp, SoundTune.exe, 00000005.00000002.2244717993.00000278AE3D1000.00000004.00000020.00020000.00000000.sdmp, SoundTune.exe, 00000006.00000002.2201257984.000002A37F99F000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl4.digicert.com/DigiCertAssuredIDRootCA.crl0:
                        Source: SoundTune.exe, 00000000.00000002.2052148275.0000022583B6A000.00000004.00000020.00020000.00000000.sdmp, SoundTune.exe, 00000005.00000002.2243607521.00000278AD563000.00000004.00000020.00020000.00000000.sdmp, SoundTune.exe, 00000006.00000002.2200022527.000002A37E98C000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl4.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0=
                        Source: SoundTune.exe, 00000000.00000002.2053261362.0000022584B90000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000002.00000002.2330278372.0000000004A99000.00000004.00000800.00020000.00000000.sdmp, SoundTune.exe, 00000005.00000002.2244717993.00000278AE3D1000.00000004.00000020.00020000.00000000.sdmp, SoundTune.exe, 00000006.00000002.2201257984.000002A37F99F000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl4.digicert.com/assured-cs-g1.crl0L
                        Source: SoundTune.exe, 00000000.00000002.2053261362.0000022584B90000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000002.00000002.2330278372.0000000004A99000.00000004.00000800.00020000.00000000.sdmp, SoundTune.exe, 00000005.00000002.2244717993.00000278AE3D1000.00000004.00000020.00020000.00000000.sdmp, SoundTune.exe, 00000006.00000002.2201257984.000002A37F99F000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl4.digicert.com/sha2-assured-ts.crl0
                        Source: SoundTune.exe, 00000000.00000002.2052148275.0000022583B6A000.00000004.00000020.00020000.00000000.sdmp, SoundTune.exe, 00000005.00000002.2243607521.00000278AD563000.00000004.00000020.00020000.00000000.sdmp, SoundTune.exe, 00000006.00000002.2200022527.000002A37E98C000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://ocsp.digicert.com0
                        Source: SoundTune.exe, 00000000.00000002.2052148275.0000022583B6A000.00000004.00000020.00020000.00000000.sdmp, SoundTune.exe, 00000000.00000002.2053261362.0000022584B90000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000002.00000002.2330278372.0000000004A99000.00000004.00000800.00020000.00000000.sdmp, SoundTune.exe, 00000005.00000002.2243607521.00000278AD563000.00000004.00000020.00020000.00000000.sdmp, SoundTune.exe, 00000005.00000002.2244717993.00000278AE3D1000.00000004.00000020.00020000.00000000.sdmp, SoundTune.exe, 00000006.00000002.2200022527.000002A37E98C000.00000004.00000020.00020000.00000000.sdmp, SoundTune.exe, 00000006.00000002.2201257984.000002A37F99F000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://ocsp.digicert.com0A
                        Source: SoundTune.exe, 00000000.00000002.2052148275.0000022583B6A000.00000004.00000020.00020000.00000000.sdmp, SoundTune.exe, 00000000.00000002.2053261362.0000022584B90000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000002.00000002.2330278372.0000000004A99000.00000004.00000800.00020000.00000000.sdmp, SoundTune.exe, 00000005.00000002.2243607521.00000278AD563000.00000004.00000020.00020000.00000000.sdmp, SoundTune.exe, 00000005.00000002.2244717993.00000278AE3D1000.00000004.00000020.00020000.00000000.sdmp, SoundTune.exe, 00000006.00000002.2200022527.000002A37E98C000.00000004.00000020.00020000.00000000.sdmp, SoundTune.exe, 00000006.00000002.2201257984.000002A37F99F000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://ocsp.digicert.com0C
                        Source: SoundTune.exe, 00000000.00000002.2053261362.0000022584B90000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000002.00000002.2330278372.0000000004A99000.00000004.00000800.00020000.00000000.sdmp, SoundTune.exe, 00000005.00000002.2244717993.00000278AE3D1000.00000004.00000020.00020000.00000000.sdmp, SoundTune.exe, 00000006.00000002.2201257984.000002A37F99F000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://ocsp.digicert.com0L
                        Source: SoundTune.exe, 00000000.00000002.2053261362.0000022584B90000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000002.00000002.2330278372.0000000004A99000.00000004.00000800.00020000.00000000.sdmp, SoundTune.exe, 00000005.00000002.2244717993.00000278AE3D1000.00000004.00000020.00020000.00000000.sdmp, SoundTune.exe, 00000006.00000002.2201257984.000002A37F99F000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://ocsp.digicert.com0O
                        Source: SoundTune.exe, 00000000.00000002.2052148275.0000022583B6A000.00000004.00000020.00020000.00000000.sdmp, SoundTune.exe, 00000005.00000002.2243607521.00000278AD563000.00000004.00000020.00020000.00000000.sdmp, SoundTune.exe, 00000006.00000002.2200022527.000002A37E98C000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://ocsp.digicert.com0X
                        Source: SoundTune.exe, 00000000.00000002.2053261362.0000022584B90000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000002.00000002.2330278372.0000000004A99000.00000004.00000800.00020000.00000000.sdmp, SoundTune.exe, 00000005.00000002.2244717993.00000278AE3D1000.00000004.00000020.00020000.00000000.sdmp, SoundTune.exe, 00000006.00000002.2201257984.000002A37F99F000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://s1.symcb.com/pca3-g5.crl0
                        Source: SoundTune.exe, 00000000.00000002.2053261362.0000022584B90000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000002.00000002.2330278372.0000000004A99000.00000004.00000800.00020000.00000000.sdmp, SoundTune.exe, 00000005.00000002.2244717993.00000278AE3D1000.00000004.00000020.00020000.00000000.sdmp, SoundTune.exe, 00000006.00000002.2201257984.000002A37F99F000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://s2.symcb.com0
                        Source: SoundTune.exe, 00000000.00000002.2053261362.0000022584B90000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000002.00000002.2330278372.0000000004A99000.00000004.00000800.00020000.00000000.sdmp, SoundTune.exe, 00000005.00000002.2244717993.00000278AE3D1000.00000004.00000020.00020000.00000000.sdmp, SoundTune.exe, 00000006.00000002.2201257984.000002A37F99F000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://sv.symcb.com/sv.crl0a
                        Source: SoundTune.exe, 00000000.00000002.2053261362.0000022584B90000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000002.00000002.2330278372.0000000004A99000.00000004.00000800.00020000.00000000.sdmp, SoundTune.exe, 00000005.00000002.2244717993.00000278AE3D1000.00000004.00000020.00020000.00000000.sdmp, SoundTune.exe, 00000006.00000002.2201257984.000002A37F99F000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://sv.symcb.com/sv.crt0
                        Source: SoundTune.exe, 00000000.00000002.2053261362.0000022584B90000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000002.00000002.2330278372.0000000004A99000.00000004.00000800.00020000.00000000.sdmp, SoundTune.exe, 00000005.00000002.2244717993.00000278AE3D1000.00000004.00000020.00020000.00000000.sdmp, SoundTune.exe, 00000006.00000002.2201257984.000002A37F99F000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://sv.symcd.com0&
                        Source: SoundTune.exe, 00000000.00000002.2052148275.0000022583B6A000.00000004.00000020.00020000.00000000.sdmp, SoundTune.exe, 00000005.00000002.2243607521.00000278AD563000.00000004.00000020.00020000.00000000.sdmp, SoundTune.exe, 00000006.00000002.2200022527.000002A37E98C000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.digicert.com/CPS0
                        Source: SoundTune.exe, 00000000.00000002.2053261362.0000022584B90000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000002.00000002.2330278372.0000000004A99000.00000004.00000800.00020000.00000000.sdmp, SoundTune.exe, 00000005.00000002.2244717993.00000278AE3D1000.00000004.00000020.00020000.00000000.sdmp, SoundTune.exe, 00000006.00000002.2201257984.000002A37F99F000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.digicert.com/ssl-cps-repository.htm0
                        Source: SoundTune.exe, 00000000.00000002.2053261362.0000022584A36000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000002.00000002.2330278372.0000000004A50000.00000004.00000800.00020000.00000000.sdmp, SoundTune.exe, 00000005.00000002.2244717993.00000278AE277000.00000004.00000020.00020000.00000000.sdmp, SoundTune.exe, 00000006.00000002.2201257984.000002A37F845000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.info-zip.org/
                        Source: SoundTune.exe, 00000000.00000002.2053261362.0000022584B90000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000002.00000002.2330278372.0000000004A99000.00000004.00000800.00020000.00000000.sdmp, SoundTune.exe, 00000005.00000002.2244717993.00000278AE3D1000.00000004.00000020.00020000.00000000.sdmp, SoundTune.exe, 00000006.00000002.2201257984.000002A37F99F000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.symauth.com/cps0(
                        Source: SoundTune.exe, 00000000.00000002.2053261362.0000022584B90000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000002.00000002.2330278372.0000000004A99000.00000004.00000800.00020000.00000000.sdmp, SoundTune.exe, 00000005.00000002.2244717993.00000278AE3D1000.00000004.00000020.00020000.00000000.sdmp, SoundTune.exe, 00000006.00000002.2201257984.000002A37F99F000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.symauth.com/rpa00
                        Source: SoundTune.exe, 00000000.00000002.2053261362.0000022584B90000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000002.00000002.2330278372.0000000004A99000.00000004.00000800.00020000.00000000.sdmp, SoundTune.exe, 00000005.00000002.2244717993.00000278AE3D1000.00000004.00000020.00020000.00000000.sdmp, SoundTune.exe, 00000006.00000002.2201257984.000002A37F99F000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.vmware.com/0
                        Source: SoundTune.exe, 00000000.00000002.2053261362.0000022584B90000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000002.00000002.2330278372.0000000004A99000.00000004.00000800.00020000.00000000.sdmp, SoundTune.exe, 00000005.00000002.2244717993.00000278AE3D1000.00000004.00000020.00020000.00000000.sdmp, SoundTune.exe, 00000006.00000002.2201257984.000002A37F99F000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.vmware.com/0/
                        Source: SoundTune.exe, 00000000.00000002.2052148275.0000022583B6A000.00000004.00000020.00020000.00000000.sdmp, SoundTune.exe, 00000005.00000002.2243607521.00000278AD563000.00000004.00000020.00020000.00000000.sdmp, SoundTune.exe, 00000006.00000002.2200022527.000002A37E98C000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://bitsum.com0/
                        Source: SoundTune.exe, 00000000.00000002.2053261362.0000022584B90000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000002.00000002.2330278372.0000000004A99000.00000004.00000800.00020000.00000000.sdmp, SoundTune.exe, 00000005.00000002.2244717993.00000278AE3D1000.00000004.00000020.00020000.00000000.sdmp, SoundTune.exe, 00000006.00000002.2201257984.000002A37F99F000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://d.symcb.com/cps0%
                        Source: SoundTune.exe, 00000000.00000002.2053261362.0000022584B90000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000002.00000002.2330278372.0000000004A99000.00000004.00000800.00020000.00000000.sdmp, SoundTune.exe, 00000005.00000002.2244717993.00000278AE3D1000.00000004.00000020.00020000.00000000.sdmp, SoundTune.exe, 00000006.00000002.2201257984.000002A37F99F000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://d.symcb.com/rpa0
                        Source: SoundTune.exe, 00000000.00000002.2052148275.0000022583B6A000.00000004.00000020.00020000.00000000.sdmp, SoundTune.exe, 00000000.00000002.2054568199.00007FF77A8E9000.00000002.00000001.01000000.00000003.sdmp, SoundTune.exe, 00000000.00000000.2036588675.00007FF77A8E9000.00000002.00000001.01000000.00000003.sdmp, SoundTune.exe, 00000005.00000002.2243607521.00000278AD563000.00000004.00000020.00020000.00000000.sdmp, SoundTune.exe, 00000005.00000000.2166738092.00007FF6FE3D9000.00000002.00000001.01000000.0000000A.sdmp, SoundTune.exe, 00000005.00000002.2246810793.00007FF6FE3D9000.00000002.00000001.01000000.0000000A.sdmp, SoundTune.exe, 00000006.00000002.2202817464.00007FF6FE3D9000.00000002.00000001.01000000.0000000A.sdmp, SoundTune.exe, 00000006.00000000.2168813639.00007FF6FE3D9000.00000002.00000001.01000000.0000000A.sdmp, SoundTune.exe, 00000006.00000002.2200022527.000002A37E98C000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://docs.wxwidgets.org/latest/classwx_system_options.html
                        Source: SoundTune.exe, 00000000.00000002.2052148275.0000022583B6A000.00000004.00000020.00020000.00000000.sdmp, SoundTune.exe, 00000000.00000002.2054568199.00007FF77A8E9000.00000002.00000001.01000000.00000003.sdmp, SoundTune.exe, 00000000.00000000.2036588675.00007FF77A8E9000.00000002.00000001.01000000.00000003.sdmp, SoundTune.exe, 00000005.00000002.2243607521.00000278AD563000.00000004.00000020.00020000.00000000.sdmp, SoundTune.exe, 00000005.00000000.2166738092.00007FF6FE3D9000.00000002.00000001.01000000.0000000A.sdmp, SoundTune.exe, 00000005.00000002.2246810793.00007FF6FE3D9000.00000002.00000001.01000000.0000000A.sdmp, SoundTune.exe, 00000006.00000002.2202817464.00007FF6FE3D9000.00000002.00000001.01000000.0000000A.sdmp, SoundTune.exe, 00000006.00000000.2168813639.00007FF6FE3D9000.00000002.00000001.01000000.0000000A.sdmp, SoundTune.exe, 00000006.00000002.2200022527.000002A37E98C000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://docs.wxwidgets.org/latest/plat_msw_install.html#msw_manifest
                        Source: SoundTune.exe, 00000000.00000002.2053261362.0000022584B90000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000002.00000002.2330278372.0000000004A99000.00000004.00000800.00020000.00000000.sdmp, SoundTune.exe, 00000005.00000002.2244717993.00000278AE3D1000.00000004.00000020.00020000.00000000.sdmp, SoundTune.exe, 00000006.00000002.2201257984.000002A37F99F000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.digicert.com/CPS0

                        System Summary

                        Source: 5.2.SoundTune.exe.278ae41be5f.1.raw.unpack, type: UNPACKEDPE Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
                        Source: 6.2.SoundTune.exe.2a37f9e925f.3.raw.unpack, type: UNPACKEDPE Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
                        Source: 14.2.cmd.exe.532b378.3.raw.unpack, type: UNPACKEDPE Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
                        Source: 16.2.explorer.exe.47f3f78.3.raw.unpack, type: UNPACKEDPE Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
                        Source: 18.2.explorer.exe.4ca8a8a.5.raw.unpack, type: UNPACKEDPE Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
                        Source: 0.2.SoundTune.exe.22584b96971.5.raw.unpack, type: UNPACKEDPE Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
                        Source: 16.2.explorer.exe.47afa8a.2.raw.unpack, type: UNPACKEDPE Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
                        Source: 17.2.explorer.exe.491fa8a.5.raw.unpack, type: UNPACKEDPE Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
                        Source: 0.2.SoundTune.exe.22584bdae5f.2.raw.unpack, type: UNPACKEDPE Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
                        Source: 2.2.cmd.exe.4ae3378.3.raw.unpack, type: UNPACKEDPE Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
                        Source: 5.2.SoundTune.exe.278ae41b25f.3.raw.unpack, type: UNPACKEDPE Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
                        Source: 6.2.SoundTune.exe.2a37f9e9e5f.4.raw.unpack, type: UNPACKEDPE Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
                        Source: 14.2.cmd.exe.532bf78.4.raw.unpack, type: UNPACKEDPE Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
                        Source: 7.2.cmd.exe.5465378.2.raw.unpack, type: UNPACKEDPE Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
                        Source: 7.2.cmd.exe.5465f78.4.raw.unpack, type: UNPACKEDPE Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
                        Source: 17.2.explorer.exe.4963378.4.raw.unpack, type: UNPACKEDPE Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
                        Source: 18.2.explorer.exe.4cec378.3.raw.unpack, type: UNPACKEDPE Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
                        Source: 13.2.SoundTune.exe.25b71315e5f.5.raw.unpack, type: UNPACKEDPE Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
                        Source: 0.2.SoundTune.exe.22584bda25f.3.raw.unpack, type: UNPACKEDPE Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
                        Source: 2.2.cmd.exe.4a9fa8a.4.raw.unpack, type: UNPACKEDPE Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
                        Source: 2.2.cmd.exe.4ae3f78.2.raw.unpack, type: UNPACKEDPE Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
                        Source: 7.2.cmd.exe.5421a8a.5.raw.unpack, type: UNPACKEDPE Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
                        Source: 16.2.explorer.exe.47f3378.5.raw.unpack, type: UNPACKEDPE Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
                        Source: 13.2.SoundTune.exe.25b7131525f.4.raw.unpack, type: UNPACKEDPE Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
                        Source: 18.2.explorer.exe.4cecf78.2.raw.unpack, type: UNPACKEDPE Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
                        Source: 17.2.explorer.exe.4963f78.2.raw.unpack, type: UNPACKEDPE Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
                        Source: 6.2.SoundTune.exe.2a37f9a5971.5.raw.unpack, type: UNPACKEDPE Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
                        Source: 13.2.SoundTune.exe.25b712d1971.3.raw.unpack, type: UNPACKEDPE Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
                        Source: 5.2.SoundTune.exe.278ae3d7971.2.raw.unpack, type: UNPACKEDPE Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
                        Source: 14.2.cmd.exe.52e7a8a.2.raw.unpack, type: UNPACKEDPE Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
                        Source: C:\Windows\SysWOW64\cmd.exe File created: C:\Windows\Tasks\uiQuick.job
                        Source: C:\Users\user\AppData\Roaming\updatefa\SoundTune.exe Code function: 5_2_00000278A82EA7D0
                        Source: C:\Users\user\AppData\Roaming\updatefa\SoundTune.exe Code function: 5_2_00000278A82EC9D0
                        Source: C:\Users\user\AppData\Roaming\updatefa\SoundTune.exe Code function: 5_2_00000278A83000B8
                        Source: C:\Users\user\AppData\Roaming\updatefa\SoundTune.exe Code function: 5_2_00000278A82E96D0
                        Source: C:\Users\user\AppData\Roaming\updatefa\SoundTune.exe Code function: 5_2_00000278A82EB8D0
                        Source: C:\Users\user\AppData\Roaming\updatefa\SoundTune.exe Code function: 5_2_00000278A82EDAD0
                        Source: C:\Users\user\AppData\Roaming\updatefa\SoundTune.exe Code function: 5_2_00000278AB618700
                        Source: C:\Users\user\AppData\Roaming\updatefa\SoundTune.exe Code function: 5_2_00000278AB618BB0
                        Source: C:\Users\user\AppData\Roaming\updatefa\SoundTune.exe Code function: 5_2_00000278AE402D9A
                        Source: C:\Users\user\AppData\Roaming\updatefa\SoundTune.exe Code function: 5_2_00000278AE3DA25F
                        Source: C:\Users\user\AppData\Roaming\updatefa\SoundTune.exe Code function: 5_2_00000278AE400F2A
                        Source: C:\Users\user\AppData\Roaming\updatefa\SoundTune.exe Code function: 5_2_00000278AE40137A
                        Source: C:\Users\user\AppData\Roaming\updatefa\SoundTune.exe Code function: 5_2_00000278AE3DC89D
                        Source: C:\Users\user\AppData\Roaming\updatefa\SoundTune.exe Code function: 6_2_000002A37CD1FFBC
                        Source: SoundTune.exe Static PE information: invalid certificate
                        Source: SoundTune.exe, 00000000.00000002.2053553749.0000022585446000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenamentdll.dllj% vs SoundTune.exe
                        Source: SoundTune.exe, 00000000.00000002.2053080712.0000022584935000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenamentdll.dllj% vs SoundTune.exe
                        Source: SoundTune.exe, 00000000.00000002.2053261362.0000022584B90000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenamezip.exe( vs SoundTune.exe
                        Source: SoundTune.exe Binary or memory string: OriginalFilename vs SoundTune.exe
                        Source: SoundTune.exe, 00000005.00000002.2245920757.00000278AEC7B000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: OriginalFilenamentdll.dllj% vs SoundTune.exe
                        Source: SoundTune.exe, 00000005.00000002.2245550366.00000278AEA86000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenamentdll.dllj% vs SoundTune.exe
                        Source: SoundTune.exe, 00000005.00000002.2244717993.00000278AE3D1000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenamezip.exe( vs SoundTune.exe
                        Source: SoundTune.exe, 00000006.00000002.2199258711.000002A300386000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenamentdll.dllj% vs SoundTune.exe
                        Source: SoundTune.exe, 00000006.00000002.2200873633.000002A37F73A000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenamentdll.dllj% vs SoundTune.exe
                        Source: SoundTune.exe, 00000006.00000002.2201257984.000002A37F99F000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenamezip.exe( vs SoundTune.exe
                        Source: 5.2.SoundTune.exe.278ae41be5f.1.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
                        Source: 6.2.SoundTune.exe.2a37f9e925f.3.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
                        Source: 14.2.cmd.exe.532b378.3.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
                        Source: 16.2.explorer.exe.47f3f78.3.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
                        Source: 18.2.explorer.exe.4ca8a8a.5.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
                        Source: 0.2.SoundTune.exe.22584b96971.5.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
                        Source: 16.2.explorer.exe.47afa8a.2.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
                        Source: 17.2.explorer.exe.491fa8a.5.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
                        Source: 0.2.SoundTune.exe.22584bdae5f.2.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
                        Source: 2.2.cmd.exe.4ae3378.3.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
                        Source: 5.2.SoundTune.exe.278ae41b25f.3.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
                        Source: 6.2.SoundTune.exe.2a37f9e9e5f.4.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
                        Source: 14.2.cmd.exe.532bf78.4.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
                        Source: 7.2.cmd.exe.5465378.2.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
                        Source: 7.2.cmd.exe.5465f78.4.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
                        Source: 17.2.explorer.exe.4963378.4.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
                        Source: 18.2.explorer.exe.4cec378.3.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
                        Source: 13.2.SoundTune.exe.25b71315e5f.5.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
                        Source: 0.2.SoundTune.exe.22584bda25f.3.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
                        Source: 2.2.cmd.exe.4a9fa8a.4.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
                        Source: 2.2.cmd.exe.4ae3f78.2.raw.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
                        Source: 7.2.cmd.exe.5421a8a.5.raw.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
                        Source: 16.2.explorer.exe.47f3378.5.raw.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
                        Source: 13.2.SoundTune.exe.25b7131525f.4.raw.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
                        Source: 18.2.explorer.exe.4cecf78.2.raw.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
                        Source: 17.2.explorer.exe.4963f78.2.raw.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
                        Source: 6.2.SoundTune.exe.2a37f9a5971.5.raw.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
                        Source: 13.2.SoundTune.exe.25b712d1971.3.raw.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
                        Source: 5.2.SoundTune.exe.278ae3d7971.2.raw.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
                        Source: 14.2.cmd.exe.52e7a8a.2.raw.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
                        Source: SoundTune.exe | Static PE information: Section: .rsrc ZLIB complexity 0.9917615167025862
                        Source: classification engine | Classification label: mal100.troj.spyw.expl.evad.winEXE@19/11@0/0
                        Source: C:\Windows\SysWOW64\cmd.exe | File created: C:\Users\user\AppData\Roaming\updatefa
                        Source: C:\Users\user\Desktop\SoundTune.exe | Mutant created: \Sessions\1\BaseNamedObjects\SoundTune-user
                        Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3924:120:WilError_03
                        Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5248:120:WilError_03
                        Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4400:120:WilError_03
                        Source: C:\Users\user\Desktop\SoundTune.exe | File created: C:\Users\user\AppData\Local\Temp\eb40e7d2
                        Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\explorer.exe
                        Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\explorer.exe
                        Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\explorer.exe
                        Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\explorer.exe
                        Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\explorer.exe
                        Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\explorer.exe
                        Source: SoundTune.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                        Source: C:\Users\user\Desktop\SoundTune.exe | Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
                        Source: SoundTune.exe | Virustotal: Detection: 22%
                        Source: C:\Users\user\Desktop\SoundTune.exe | File read: C:\Users\user\Desktop\SoundTune.exe
                        Source: unknown | Process created: C:\Users\user\Desktop\SoundTune.exe "C:\Users\user\Desktop\SoundTune.exe"
                        Source: C:\Users\user\Desktop\SoundTune.exe | Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
                        Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                        Source: unknown | Process created: C:\Users\user\AppData\Roaming\updatefa\SoundTune.exe C:\Users\user\AppData\Roaming\updatefa\SoundTune.exe
                        Source: unknown | Process created: C:\Users\user\AppData\Roaming\updatefa\SoundTune.exe C:\Users\user\AppData\Roaming\updatefa\SoundTune.exe
                        Source: C:\Users\user\AppData\Roaming\updatefa\SoundTune.exe | Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
                        Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                        Source: unknown | Process created: C:\Users\user\AppData\Roaming\updatefa\SoundTune.exe "C:\Users\user\AppData\Roaming\updatefa\SoundTune.exe"
                        Source: C:\Users\user\AppData\Roaming\updatefa\SoundTune.exe | Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
                        Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                        Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\explorer.exe C:\Windows\SysWOW64\explorer.exe
                        Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\explorer.exe C:\Windows\SysWOW64\explorer.exe
                        Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\explorer.exe C:\Windows\SysWOW64\explorer.exe
                        Source: C:\Users\user\Desktop\SoundTune.exe | Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
                        Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\explorer.exe C:\Windows\SysWOW64\explorer.exe
                        Source: C:\Users\user\AppData\Roaming\updatefa\SoundTune.exe | Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
                        Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\explorer.exe C:\Windows\SysWOW64\explorer.exe
                        Source: C:\Users\user\AppData\Roaming\updatefa\SoundTune.exe | Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
                        Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\explorer.exe C:\Windows\SysWOW64\explorer.exe
                        Source: C:\Users\user\Desktop\SoundTune.exe | Section loaded: apphelp.dll
                        Source: C:\Users\user\Desktop\SoundTune.exe | Section loaded: oleacc.dll
                        Source: C:\Users\user\Desktop\SoundTune.exe | Section loaded: uxtheme.dll
                        Source: C:\Users\user\Desktop\SoundTune.exe | Section loaded: version.dll
                        Source: C:\Users\user\Desktop\SoundTune.exe | Section loaded: msimg32.dll
                        Source: C:\Users\user\Desktop\SoundTune.exe | Section loaded: kernel.appcore.dll
                        Source: C:\Users\user\Desktop\SoundTune.exe | Section loaded: sspicli.dll
                        Source: C:\Users\user\Desktop\SoundTune.exe | Section loaded: winhttp.dll
                        Source: C:\Users\user\Desktop\SoundTune.exe | Section loaded: windowscodecs.dll
                        Source: C:\Users\user\Desktop\SoundTune.exe | Section loaded: pla.dll
                        Source: C:\Users\user\Desktop\SoundTune.exe | Section loaded: pdh.dll
                        Source: C:\Users\user\Desktop\SoundTune.exe | Section loaded: tdh.dll
                        Source: C:\Users\user\Desktop\SoundTune.exe | Section loaded: cabinet.dll
                        Source: C:\Users\user\Desktop\SoundTune.exe | Section loaded: wevtapi.dll
                        Source: C:\Users\user\Desktop\SoundTune.exe | Section loaded: shdocvw.dll
                        Source: C:\Windows\SysWOW64\cmd.exe | Section loaded: winbrand.dll
                        Source: C:\Windows\SysWOW64\cmd.exe | Section loaded: wldp.dll
                        Source: C:\Windows\SysWOW64\cmd.exe | Section loaded: shdocvw.dll
                        Source: C:\Windows\SysWOW64\cmd.exe | Section loaded: kernel.appcore.dll
                        Source: C:\Windows\SysWOW64\cmd.exe | Section loaded: bitsproxy.dll
                        Source: C:\Windows\SysWOW64\cmd.exe | Section loaded: taskschd.dll
                        Source: C:\Windows\SysWOW64\cmd.exe | Section loaded: sspicli.dll
                        Source: C:\Windows\SysWOW64\cmd.exe | Section loaded: xmllite.dll
                        Source: C:\Windows\SysWOW64\cmd.exe | Section loaded: mstask.dll
                        Source: C:\Windows\SysWOW64\cmd.exe | Section loaded: windows.storage.dll
                        Source: C:\Windows\SysWOW64\cmd.exe | Section loaded: wldp.dll
                        Source: C:\Windows\SysWOW64\cmd.exe | Section loaded: mpr.dll
                        Source: C:\Users\user\AppData\Roaming\updatefa\SoundTune.exe | Section loaded: apphelp.dll
                        Source: C:\Users\user\AppData\Roaming\updatefa\SoundTune.exe | Section loaded: oleacc.dll
                        Source: C:\Users\user\AppData\Roaming\updatefa\SoundTune.exe | Section loaded: uxtheme.dll
                        Source: C:\Users\user\AppData\Roaming\updatefa\SoundTune.exe | Section loaded: version.dll
                        Source: C:\Users\user\AppData\Roaming\updatefa\SoundTune.exe | Section loaded: msimg32.dll
                        Source: C:\Users\user\AppData\Roaming\updatefa\SoundTune.exe | Section loaded: kernel.appcore.dll
                        Source: C:\Users\user\AppData\Roaming\updatefa\SoundTune.exe | Section loaded: sspicli.dll
                        Source: C:\Users\user\AppData\Roaming\updatefa\SoundTune.exe | Section loaded: duser.dll
                        Source: C:\Users\user\AppData\Roaming\updatefa\SoundTune.exe | Section loaded: xmllite.dll
                        Source: C:\Users\user\AppData\Roaming\updatefa\SoundTune.exe | Section loaded: atlthunk.dll
                        Source: C:\Users\user\AppData\Roaming\updatefa\SoundTune.exe | Section loaded: textshaping.dll
                        Source: C:\Users\user\AppData\Roaming\updatefa\SoundTune.exe | Section loaded: textinputframework.dll
                        Source: C:\Users\user\AppData\Roaming\updatefa\SoundTune.exe | Section loaded: coreuicomponents.dll
                        Source: C:\Users\user\AppData\Roaming\updatefa\SoundTune.exe | Section loaded: coremessaging.dll
                        Source: C:\Users\user\AppData\Roaming\updatefa\SoundTune.exe | Section loaded: ntmarta.dll
                        Source: C:\Users\user\AppData\Roaming\updatefa\SoundTune.exe | Section loaded: coremessaging.dll
                        Source: C:\Users\user\AppData\Roaming\updatefa\SoundTune.exe | Section loaded: wintypes.dll
                        Source: C:\Users\user\AppData\Roaming\updatefa\SoundTune.exe | Section loaded: wintypes.dll
                        Source: C:\Users\user\AppData\Roaming\updatefa\SoundTune.exe | Section loaded: wintypes.dll
                        Source: C:\Users\user\AppData\Roaming\updatefa\SoundTune.exe | Section loaded: winhttp.dll
                        Source: C:\Users\user\AppData\Roaming\updatefa\SoundTune.exe | Section loaded: windowscodecs.dll
                        Source: C:\Users\user\AppData\Roaming\updatefa\SoundTune.exe | Section loaded: pla.dll
                        Source: C:\Users\user\AppData\Roaming\updatefa\SoundTune.exe | Section loaded: pdh.dll
                        Source: C:\Users\user\AppData\Roaming\updatefa\SoundTune.exe | Section loaded: tdh.dll
                        Source: C:\Users\user\AppData\Roaming\updatefa\SoundTune.exe | Section loaded: cabinet.dll
                        Source: C:\Users\user\AppData\Roaming\updatefa\SoundTune.exe | Section loaded: wevtapi.dll
                        Source: C:\Users\user\AppData\Roaming\updatefa\SoundTune.exe | Section loaded: shdocvw.dll
                        Source: C:\Users\user\AppData\Roaming\updatefa\SoundTune.exe | Section loaded: msftedit.dll
                        Source: C:\Users\user\AppData\Roaming\updatefa\SoundTune.exe | Section loaded: comsvcs.dll
                        Source: C:\Users\user\AppData\Roaming\updatefa\SoundTune.exe | Section loaded: cryptsp.dll
                        Source: C:\Users\user\AppData\Roaming\updatefa\SoundTune.exe | Section loaded: rsaenh.dll
                        Source: C:\Users\user\AppData\Roaming\updatefa\SoundTune.exe | Section loaded: cryptbase.dll
                        Source: C:\Users\user\AppData\Roaming\updatefa\SoundTune.exe | Section loaded: cmlua.dll
                        Source: C:\Users\user\AppData\Roaming\updatefa\SoundTune.exe | Section loaded: cmutil.dll
                        Source: C:\Users\user\AppData\Roaming\updatefa\SoundTune.exe | Section loaded: oleacc.dll
                        Source: C:\Users\user\AppData\Roaming\updatefa\SoundTune.exe | Section loaded: uxtheme.dll
                        Source: C:\Users\user\AppData\Roaming\updatefa\SoundTune.exe | Section loaded: version.dll
                        Source: C:\Users\user\AppData\Roaming\updatefa\SoundTune.exe | Section loaded: msimg32.dll
                        Source: C:\Users\user\AppData\Roaming\updatefa\SoundTune.exe | Section loaded: kernel.appcore.dll
                        Source: C:\Users\user\AppData\Roaming\updatefa\SoundTune.exe | Section loaded: sspicli.dll
                        Source: C:\Users\user\AppData\Roaming\updatefa\SoundTune.exe | Section loaded: winhttp.dll
                        Source: C:\Users\user\AppData\Roaming\updatefa\SoundTune.exe | Section loaded: windowscodecs.dll
                        Source: C:\Users\user\AppData\Roaming\updatefa\SoundTune.exe | Section loaded: pla.dll
                        Source: C:\Users\user\AppData\Roaming\updatefa\SoundTune.exe | Section loaded: pdh.dll
                        Source: C:\Users\user\AppData\Roaming\updatefa\SoundTune.exe | Section loaded: tdh.dll
                        Source: C:\Users\user\AppData\Roaming\updatefa\SoundTune.exe | Section loaded: cabinet.dll
                        Source: C:\Users\user\AppData\Roaming\updatefa\SoundTune.exe | Section loaded: wevtapi.dll
                        Source: C:\Users\user\AppData\Roaming\updatefa\SoundTune.exe | Section loaded: shdocvw.dll
                        Source: C:\Windows\SysWOW64\cmd.exe | Section loaded: winbrand.dll
                        Source: C:\Windows\SysWOW64\cmd.exe | Section loaded: wldp.dll
                        Source: C:\Windows\SysWOW64\cmd.exe | Section loaded: shdocvw.dll
                        Source: C:\Windows\SysWOW64\cmd.exe | Section loaded: kernel.appcore.dll
                        Source: C:\Windows\SysWOW64\cmd.exe | Section loaded: uxtheme.dll
                        Source: C:\Windows\SysWOW64\cmd.exe | Section loaded: mstask.dll
                        Source: C:\Users\user\AppData\Roaming\updatefa\SoundTune.exe | Section loaded: oleacc.dll
                        Source: C:\Users\user\AppData\Roaming\updatefa\SoundTune.exe | Section loaded: uxtheme.dll
                        Source: C:\Users\user\AppData\Roaming\updatefa\SoundTune.exe | Section loaded: version.dll
                        Source: C:\Users\user\AppData\Roaming\updatefa\SoundTune.exe | Section loaded: msimg32.dll
                        Source: C:\Users\user\AppData\Roaming\updatefa\SoundTune.exe | Section loaded: kernel.appcore.dll
                        Source: C:\Users\user\AppData\Roaming\updatefa\SoundTune.exe | Section loaded: sspicli.dll
                        Source: C:\Users\user\AppData\Roaming\updatefa\SoundTune.exe | Section loaded: winhttp.dll
                        Source: C:\Users\user\AppData\Roaming\updatefa\SoundTune.exe | Section loaded: windowscodecs.dll
                        Source: C:\Users\user\AppData\Roaming\updatefa\SoundTune.exe | Section loaded: pla.dll
                        Source: C:\Users\user\AppData\Roaming\updatefa\SoundTune.exe | Section loaded: pdh.dll
                        Source: C:\Users\user\AppData\Roaming\updatefa\SoundTune.exe | Section loaded: tdh.dll
                        Source: C:\Users\user\AppData\Roaming\updatefa\SoundTune.exe | Section loaded: cabinet.dll
                        Source: C:\Users\user\AppData\Roaming\updatefa\SoundTune.exe | Section loaded: wevtapi.dll
                        Source: C:\Users\user\AppData\Roaming\updatefa\SoundTune.exe | Section loaded: shdocvw.dll
                        Source: C:\Windows\SysWOW64\cmd.exe | Section loaded: winbrand.dll
                        Source: C:\Windows\SysWOW64\cmd.exe | Section loaded: wldp.dll
                        Source: C:\Windows\SysWOW64\cmd.exe | Section loaded: shdocvw.dll
                        Source: C:\Windows\SysWOW64\cmd.exe | Section loaded: kernel.appcore.dll
                        Source: C:\Windows\SysWOW64\cmd.exe | Section loaded: uxtheme.dll
                        Source: C:\Windows\SysWOW64\cmd.exe | Section loaded: mstask.dll
                        Source: C:\Windows\SysWOW64\explorer.exe | Section loaded: aepic.dll
                        Source: C:\Windows\SysWOW64\explorer.exe | Section loaded: twinapi.dll
                        Source: C:\Windows\SysWOW64\explorer.exe | Section loaded: userenv.dll
                        Source: C:\Windows\SysWOW64\explorer.exe | Section loaded: iphlpapi.dll
                        Source: C:\Windows\SysWOW64\explorer.exe | Section loaded: powrprof.dll
                        Source: C:\Windows\SysWOW64\explorer.exe | Section loaded: windows.storage.dll
                        Source: C:\Windows\SysWOW64\explorer.exe | Section loaded: dxgi.dll
                        Source: C:\Windows\SysWOW64\explorer.exe | Section loaded: windows.storage.dll
                        Source: C:\Windows\SysWOW64\explorer.exe | Section loaded: kernel.appcore.dll
                        Source: C:\Windows\SysWOW64\explorer.exe | Section loaded: propsys.dll
                        Source: C:\Windows\SysWOW64\explorer.exe | Section loaded: coremessaging.dll
                        Source: C:\Windows\SysWOW64\explorer.exe | Section loaded: urlmon.dll
                        Source: C:\Windows\SysWOW64\explorer.exe | Section loaded: windows.storage.dll
                        Source: C:\Windows\SysWOW64\explorer.exe | Section loaded: windows.storage.dll
                        Source: C:\Windows\SysWOW64\explorer.exe | Section loaded: kernel.appcore.dll
                        Source: C:\Windows\SysWOW64\explorer.exe | Section loaded: wtsapi32.dll
                        Source: C:\Windows\SysWOW64\explorer.exe | Section loaded: wininet.dll
                        Source: C:\Windows\SysWOW64\explorer.exe | Section loaded: uxtheme.dll
                        Source: C:\Windows\SysWOW64\explorer.exe | Section loaded: dwmapi.dll
                        Source: C:\Windows\SysWOW64\explorer.exe | Section loaded: sspicli.dll
                        Source: C:\Windows\SysWOW64\explorer.exe | Section loaded: kernel.appcore.dll
                        Source: C:\Windows\SysWOW64\explorer.exe | Section loaded: twinapi.appcore.dll
                        Source: C:\Windows\SysWOW64\explorer.exe | Section loaded: wldp.dll
                        Source: C:\Windows\SysWOW64\explorer.exe | Section loaded: ntmarta.dll
                        Source: C:\Windows\SysWOW64\explorer.exe | Section loaded: iertutil.dll
                        Source: C:\Windows\SysWOW64\explorer.exe | Section loaded: srvcli.dll
                        Source: C:\Windows\SysWOW64\explorer.exe | Section loaded: netutils.dll
                        Source: C:\Windows\SysWOW64\explorer.exe | Section loaded: cryptsp.dll
                        Source: C:\Windows\SysWOW64\explorer.exe | Section loaded: umpdc.dll
                        Source: C:\Windows\SysWOW64\explorer.exe | Section loaded: shdocvw.dll
                        Source: C:\Windows\SysWOW64\explorer.exe | Section loaded: aepic.dll
                        Source: C:\Windows\SysWOW64\explorer.exe | Section loaded: twinapi.dll
                        Source: C:\Windows\SysWOW64\explorer.exe | Section loaded: userenv.dll
                        Source: C:\Windows\SysWOW64\explorer.exe | Section loaded: ntmarta.dll
                        Source: C:\Windows\SysWOW64\explorer.exe | Section loaded: iphlpapi.dll
                        Source: C:\Windows\SysWOW64\explorer.exe | Section loaded: powrprof.dll
                        Source: C:\Windows\SysWOW64\explorer.exe | Section loaded: cryptsp.dll
                        Source: C:\Windows\SysWOW64\explorer.exe | Section loaded: windows.storage.dll
                        Source: C:\Windows\SysWOW64\explorer.exe | Section loaded: dxgi.dll
                        Source: C:\Windows\SysWOW64\explorer.exe | Section loaded: windows.storage.dll
                        Source: C:\Windows\SysWOW64\explorer.exe | Section loaded: kernel.appcore.dll
                        Source: C:\Windows\SysWOW64\explorer.exe | Section loaded: propsys.dll
                        Source: C:\Windows\SysWOW64\explorer.exe | Section loaded: coremessaging.dll
                        Source: C:\Windows\SysWOW64\explorer.exe | Section loaded: urlmon.dll
                        Source: C:\Windows\SysWOW64\explorer.exe | Section loaded: windows.storage.dll
                        Source: C:\Windows\SysWOW64\explorer.exe | Section loaded: windows.storage.dll
                        Source: C:\Windows\SysWOW64\explorer.exe | Section loaded: kernel.appcore.dll
                        Source: C:\Windows\SysWOW64\explorer.exe | Section loaded: wtsapi32.dll
                        Source: C:\Windows\SysWOW64\explorer.exe | Section loaded: wininet.dll
                        Source: C:\Windows\SysWOW64\explorer.exe | Section loaded: uxtheme.dll
                        Source: C:\Windows\SysWOW64\explorer.exe | Section loaded: dwmapi.dll
                        Source: C:\Windows\SysWOW64\explorer.exe | Section loaded: sspicli.dll
                        Source: C:\Windows\SysWOW64\explorer.exe | Section loaded: kernel.appcore.dll
                        Source: C:\Windows\SysWOW64\explorer.exe | Section loaded: twinapi.appcore.dll
                        Source: C:\Windows\SysWOW64\explorer.exe | Section loaded: wldp.dll
                        Source: C:\Windows\SysWOW64\explorer.exe | Section loaded: iertutil.dll
                        Source: C:\Windows\SysWOW64\explorer.exe | Section loaded: srvcli.dll
                        Source: C:\Windows\SysWOW64\explorer.exe | Section loaded: netutils.dll
                        Source: C:\Windows\SysWOW64\explorer.exe | Section loaded: umpdc.dll
                        Source: C:\Windows\SysWOW64\explorer.exe | Section loaded: shdocvw.dll
                        Source: C:\Windows\SysWOW64\explorer.exe | Section loaded: aepic.dll
                        Source: C:\Windows\SysWOW64\explorer.exe | Section loaded: twinapi.dll
                        Source: C:\Windows\SysWOW64\explorer.exe | Section loaded: userenv.dll
                        Source: C:\Windows\SysWOW64\explorer.exe | Section loaded: iphlpapi.dll
                        Source: C:\Windows\SysWOW64\explorer.exe | Section loaded: powrprof.dll
                        Source: C:\Windows\SysWOW64\explorer.exe | Section loaded: windows.storage.dll
                        Source: C:\Windows\SysWOW64\explorer.exe | Section loaded: dxgi.dll
                        Source: C:\Windows\SysWOW64\explorer.exe | Section loaded: windows.storage.dll
                        Source: C:\Windows\SysWOW64\explorer.exe | Section loaded: kernel.appcore.dll
                        Source: C:\Windows\SysWOW64\explorer.exe | Section loaded: propsys.dll
                        Source: C:\Windows\SysWOW64\explorer.exe | Section loaded: coremessaging.dll
                        Source: C:\Windows\SysWOW64\explorer.exe | Section loaded: urlmon.dll
                        Source: C:\Windows\SysWOW64\explorer.exe | Section loaded: windows.storage.dll
                        Source: C:\Windows\SysWOW64\explorer.exe | Section loaded: windows.storage.dll
                        Source: C:\Windows\SysWOW64\explorer.exe | Section loaded: kernel.appcore.dll
                        Source: C:\Windows\SysWOW64\explorer.exe | Section loaded: wtsapi32.dll
                        Source: C:\Windows\SysWOW64\explorer.exe | Section loaded: wininet.dll
                        Source: C:\Windows\SysWOW64\explorer.exe | Section loaded: uxtheme.dll
                        Source: C:\Windows\SysWOW64\explorer.exe | Section loaded: dwmapi.dll
                        Source: C:\Windows\SysWOW64\explorer.exe | Section loaded: sspicli.dll
                        Source: C:\Windows\SysWOW64\explorer.exe | Section loaded: kernel.appcore.dll
                        Source: C:\Windows\SysWOW64\explorer.exe | Section loaded: twinapi.appcore.dll
                        Source: C:\Windows\SysWOW64\explorer.exe | Section loaded: ntmarta.dll
                        Source: C:\Windows\SysWOW64\explorer.exe | Section loaded: cryptsp.dll
                        Source: C:\Windows\SysWOW64\explorer.exe | Section loaded: wldp.dll
                        Source: C:\Windows\SysWOW64\explorer.exe | Section loaded: iertutil.dll
                        Source: C:\Windows\SysWOW64\explorer.exe | Section loaded: srvcli.dll
                        Source: C:\Windows\SysWOW64\explorer.exe | Section loaded: netutils.dll
                        Source: C:\Windows\SysWOW64\explorer.exe | Section loaded: umpdc.dll
                        Source: C:\Windows\SysWOW64\explorer.exe | Section loaded: shdocvw.dll
                        Source: C:\Users\user\AppData\Roaming\updatefa\SoundTune.exe | File opened: C:\Windows\SYSTEM32\msftedit.dll
                        Source: Window Recorder | Window detected: More than 3 window changes detected
                        Source: SoundTune.exe | Static PE information: Virtual size of .text is bigger than: 0x100000
                        Source: SoundTune.exe | Static PE information: Image base 0x140000000 > 0x60000000
                        Source: SoundTune.exe | Static file information: File size 9888656 > 1048576
                        Source: SoundTune.exe | Static PE information: Raw size of .text is bigger than: 0x100000 < 0x597600
                        Source: SoundTune.exe | Static PE information: Raw size of .rdata is bigger than: 0x100000 < 0x243000
                        Source: SoundTune.exe | Static PE information: Raw size of .rsrc is bigger than: 0x100000 < 0x122000
                        Source: SoundTune.exe | Static PE information: More than 200 imports for KERNEL32.dll
                        Source: SoundTune.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
                        Source: SoundTune.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
                        Source: SoundTune.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
                        Source: SoundTune.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
                        Source: SoundTune.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
                        Source: SoundTune.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT
                        Source: SoundTune.exe | Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
                        Source: SoundTune.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
                        Source: Binary string: D:\a\treesheets\treesheets\TS\TreeSheets.pdbP | source: SoundTune.exe, 00000000.00000002.2052148275.0000022583B6A000.00000004.00000020.00020000.00000000.sdmp, SoundTune.exe, 00000000.00000002.2054568199.00007FF77A8E9000.00000002.00000001.01000000.00000003.sdmp, SoundTune.exe, 00000000.00000000.2036588675.00007FF77A8E9000.00000002.00000001.01000000.00000003.sdmp, SoundTune.exe, 00000005.00000002.2243607521.00000278AD563000.00000004.00000020.00020000.00000000.sdmp, SoundTune.exe, 00000005.00000000.2166738092.00007FF6FE3D9000.00000002.00000001.01000000.0000000A.sdmp, SoundTune.exe, 00000005.00000002.2246810793.00007FF6FE3D9000.00000002.00000001.01000000.0000000A.sdmp, SoundTune.exe, 00000006.00000002.2202817464.00007FF6FE3D9000.00000002.00000001.01000000.0000000A.sdmp, SoundTune.exe, 00000006.00000000.2168813639.00007FF6FE3D9000.00000002.00000001.01000000.0000000A.sdmp, SoundTune.exe, 00000006.00000002.2200022527.000002A37E98C000.00000004.00000020.00020000.00000000.sdmp
                        Source: Binary string: ntdll.pdb source: SoundTune.exe, 00000000.00000002.2053080712.00000225847BD000.00000004.00000020.00020000.00000000.sdmp, SoundTune.exe, 00000000.00000002.2053813920.00000225854C7000.00000004.00000001.00020000.00000000.sdmp, SoundTune.exe, 00000000.00000002.2053553749.00000225852C0000.00000004.00000800.00020000.00000000.sdmp, SoundTune.exe, 00000005.00000002.2245550366.00000278AE900000.00000004.00000800.00020000.00000000.sdmp, SoundTune.exe, 00000005.00000002.2243362804.00000278AB904000.00000004.00000020.00020000.00000000.sdmp, SoundTune.exe, 00000005.00000002.2245920757.00000278AEB03000.00000004.00000001.00020000.00000000.sdmp, SoundTune.exe, 00000006.00000002.2200873633.000002A37F5C2000.00000004.00000020.00020000.00000000.sdmp, SoundTune.exe, 00000006.00000002.2199453732.000002A30040E000.00000004.00000001.00020000.00000000.sdmp, SoundTune.exe, 00000006.00000002.2199258711.000002A300200000.00000004.00000800.00020000.00000000.sdmp
                        Source: Binary string: wntdll.pdbUGP source: cmd.exe, 00000002.00000002.2330127502.00000000046F5000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000002.00000002.2330397398.0000000004B70000.00000004.00001000.00020000.00000000.sdmp
                        Source: Binary string: ntdll.pdbUGP source: SoundTune.exe, 00000000.00000002.2053080712.00000225847BD000.00000004.00000020.00020000.00000000.sdmp, SoundTune.exe, 00000000.00000002.2053813920.00000225854C7000.00000004.00000001.00020000.00000000.sdmp, SoundTune.exe, 00000000.00000002.2053553749.00000225852C0000.00000004.00000800.00020000.00000000.sdmp, SoundTune.exe, 00000005.00000002.2245550366.00000278AE900000.00000004.00000800.00020000.00000000.sdmp, SoundTune.exe, 00000005.00000002.2243362804.00000278AB904000.00000004.00000020.00020000.00000000.sdmp, SoundTune.exe, 00000005.00000002.2245920757.00000278AEB03000.00000004.00000001.00020000.00000000.sdmp, SoundTune.exe, 00000006.00000002.2200873633.000002A37F5C2000.00000004.00000020.00020000.00000000.sdmp, SoundTune.exe, 00000006.00000002.2199453732.000002A30040E000.00000004.00000001.00020000.00000000.sdmp, SoundTune.exe, 00000006.00000002.2199258711.000002A300200000.00000004.00000800.00020000.00000000.sdmp
                        Source: Binary string: wntdll.pdb source: cmd.exe, 00000002.00000002.2330127502.00000000046F5000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000002.00000002.2330397398.0000000004B70000.00000004.00001000.00020000.00000000.sdmp
                        Source: Binary string: D:\a\treesheets\treesheets\TS\TreeSheets.pdb source: SoundTune.exe, 00000000.00000002.2052148275.0000022583B6A000.00000004.00000020.00020000.00000000.sdmp, SoundTune.exe, 00000000.00000002.2054568199.00007FF77A8E9000.00000002.00000001.01000000.00000003.sdmp, SoundTune.exe, 00000000.00000000.2036588675.00007FF77A8E9000.00000002.00000001.01000000.00000003.sdmp, SoundTune.exe, 00000005.00000002.2243607521.00000278AD563000.00000004.00000020.00020000.00000000.sdmp, SoundTune.exe, 00000005.00000000.2166738092.00007FF6FE3D9000.00000002.00000001.01000000.0000000A.sdmp, SoundTune.exe, 00000005.00000002.2246810793.00007FF6FE3D9000.00000002.00000001.01000000.0000000A.sdmp, SoundTune.exe, 00000006.00000002.2202817464.00007FF6FE3D9000.00000002.00000001.01000000.0000000A.sdmp, SoundTune.exe, 00000006.00000000.2168813639.00007FF6FE3D9000.00000002.00000001.01000000.0000000A.sdmp, SoundTune.exe, 00000006.00000002.2200022527.000002A37E98C000.00000004.00000020.00020000.00000000.sdmp
                        Source: SoundTune.exe | Static PE information: real checksum: 0x97c656 should be: 0x97dc68
                        Source: nmqufdalfa.2.dr | Static PE information: real checksum: 0x0 should be: 0x6fbf4
                        Source: hdoumnepq.14.dr | Static PE information: real checksum: 0x0 should be: 0x6fbf4
                        Source: yxh.7.dr | Static PE information: real checksum: 0x0 should be: 0x6fbf4
                        Source: SoundTune.exe | Static PE information: section name: _RDATA
                        Source: nmqufdalfa.2.dr | Static PE information: section name: uxcbu
                        Source: yxh.7.dr | Static PE information: section name: uxcbu
                        Source: hdoumnepq.14.dr | Static PE information: section name: uxcbu
                        Source: C:\Users\user\AppData\Roaming\updatefa\SoundTune.exe | Code function: 5_2_0000009AC39CAAF7 pushfd ; ret 5_2_0000009AC39CAB1B
                        Source: C:\Users\user\AppData\Roaming\updatefa\SoundTune.exe | Code function: 5_2_0000009AC39CC0F8 pushfd ; ret 5_2_0000009AC39CC0FB
                        Source: C:\Users\user\AppData\Roaming\updatefa\SoundTune.exe | Code function: 5_2_0000009AC39CB0EC pushfd ; ret 5_2_0000009AC39CB12B
                        Source: C:\Users\user\AppData\Roaming\updatefa\SoundTune.exe | Code function: 5_2_0000009AC39CBEE2 pushfd ; ret 5_2_0000009AC39CBEE3
                        Source: C:\Users\user\AppData\Roaming\updatefa\SoundTune.exe | Code function: 5_2_0000009AC39CE4E2 pushfd ; ret 5_2_0000009AC39CE4F3
                        Source: C:\Users\user\AppData\Roaming\updatefa\SoundTune.exe | Code function: 5_2_0000009AC39CF6E2 pushfd ; ret 5_2_0000009AC39CF6E3
                        Source: C:\Users\user\AppData\Roaming\updatefa\SoundTune.exe | Code function: 5_2_0000009AC39CCCE4 pushfd ; ret 5_2_0000009AC39CCCBB
                        Source: C:\Users\user\AppData\Roaming\updatefa\SoundTune.exe | Code function: 5_2_0000009AC39CACE4 pushfd ; ret 5_2_0000009AC39CACFB
                        Source: C:\Users\user\AppData\Roaming\updatefa\SoundTune.exe | Code function: 5_2_0000009AC39CB0DA pushfd ; ret 5_2_0000009AC39CB0DB
                        Source: C:\Users\user\AppData\Roaming\updatefa\SoundTune.exe | Code function: 5_2_0000009AC39CB4DA pushfd ; ret 5_2_0000009AC39CB4DB
                        Source: C:\Users\user\AppData\Roaming\updatefa\SoundTune.exe | Code function: 5_2_0000009AC39CE6DB pushfd ; ret 5_2_0000009AC39CE6FB
                        Source: C:\Users\user\AppData\Roaming\updatefa\SoundTune.exe | Code function: 5_2_0000009AC39C94DC pushfd ; ret 5_2_0000009AC39C94FB
                        Source: C:\Users\user\AppData\Roaming\updatefa\SoundTune.exe | Code function: 5_2_0000009AC39CB312 pushfd ; ret 5_2_0000009AC39CB313
                        Source: C:\Users\user\AppData\Roaming\updatefa\SoundTune.exe | Code function: 5_2_0000009AC39CA314 pushfd ; ret 5_2_0000009AC39CA393
                        Source: C:\Users\user\AppData\Roaming\updatefa\SoundTune.exe | Code function: 5_2_0000009AC39CF314 pushfd ; ret 5_2_0000009AC39CF323
                        Source: C:\Users\user\AppData\Roaming\updatefa\SoundTune.exe | Code function: 5_2_0000009AC39CDD0A pushfd ; ret 5_2_0000009AC39CDD13
                        Source: C:\Users\user\AppData\Roaming\updatefa\SoundTune.exe | Code function: 5_2_0000009AC39C950C pushfd ; ret 5_2_0000009AC39C951B
                        Source: C:\Users\user\AppData\Roaming\updatefa\SoundTune.exe | Code function: 5_2_0000009AC39CD10C pushfd ; ret 5_2_0000009AC39CD12B
                        Source: C:\Users\user\AppData\Roaming\updatefa\SoundTune.exe | Code function: 5_2_0000009AC39CF308 pushfd ; ret 5_2_0000009AC39CF313
                        Source: C:\Users\user\AppData\Roaming\updatefa\SoundTune.exe | Code function: 5_2_0000009AC39CD101 pushfd ; ret 5_2_0000009AC39CD08B
                        Source: C:\Users\user\AppData\Roaming\updatefa\SoundTune.exe | Code function: 5_2_0000009AC39C9AFB pushfd ; ret 5_2_0000009AC39C9B43
                        Source: C:\Users\user\AppData\Roaming\updatefa\SoundTune.exe | Code function: 5_2_0000009AC39CD538 pushfd ; ret 5_2_0000009AC39CD53B
                        Source: C:\Users\user\AppData\Roaming\updatefa\SoundTune.exe | Code function: 5_2_0000009AC39CCF32 pushfd ; ret 5_2_0000009AC39CCF33
                        Source: C:\Users\user\AppData\Roaming\updatefa\SoundTune.exe | Code function: 5_2_0000009AC39C932C pushfd ; ret 5_2_0000009AC39C93C3
                        Source: C:\Users\user\AppData\Roaming\updatefa\SoundTune.exe | Code function: 5_2_0000009AC39C9F2C pushfd ; ret 5_2_0000009AC39C9F3B
                        Source: C:\Users\user\AppData\Roaming\updatefa\SoundTune.exe | Code function: 5_2_0000009AC39CD32C pushfd ; ret 5_2_0000009AC39CD3EB
                        Source: C:\Users\user\AppData\Roaming\updatefa\SoundTune.exe | Code function: 5_2_0000009AC39C9D24 pushfd ; ret 5_2_0000009AC39C9D3B
                        Source: C:\Users\user\AppData\Roaming\updatefa\SoundTune.exe | Code function: 5_2_0000009AC39CAB1C pushfd ; ret 5_2_0000009AC39CAB1B
                        Source: C:\Users\user\AppData\Roaming\updatefa\SoundTune.exe | Code function: 5_2_0000009AC39CAB1C pushfd ; ret 5_2_0000009AC39CABBB
                        Source: C:\Users\user\AppData\Roaming\updatefa\SoundTune.exe | Code function: 5_2_0000009AC39CC11C pushfd ; ret 5_2_0000009AC39CC18B
                        Source: C:\Users\user\AppData\Roaming\updatefa\SoundTune.exe | Code function: 5_2_0000009AC39CC558 pushfd ; ret 5_2_0000009AC39CC56B
                        Source: C:\Windows\SysWOW64\cmd.exe | File created: C:\Users\user\AppData\Local\Temp\yxh
                        Source: C:\Windows\SysWOW64\cmd.exe | File created: C:\Users\user\AppData\Local\Temp\hdoumnepq
                        Source: C:\Windows\SysWOW64\cmd.exe | File created: C:\Users\user\AppData\Local\Temp\nmqufdalfa
                        Source: C:\Windows\SysWOW64\cmd.exe | File created: C:\Users\user\AppData\Local\Temp\nmqufdalfa
                        Source: C:\Windows\SysWOW64\cmd.exe | File created: C:\Users\user\AppData\Local\Temp\yxh
                        Source: C:\Windows\SysWOW64\cmd.exe | File created: C:\Users\user\AppData\Local\Temp\hdoumnepq
                        Source: C:\Windows\SysWOW64\cmd.exe | File created: C:\Windows\Tasks\uiQuick.job

                        Hooking and other Techniques for Hiding and Protection

                        Source: C:\Windows\SysWOW64\cmd.exe | Module Loaded: C:\USERS\user\APPDATA\LOCAL\TEMP\NMQUFDALFA
                        Source: C:\Windows\SysWOW64\cmd.exe | Module Loaded: C:\USERS\user\APPDATA\LOCAL\TEMP\YXH
                        Source: C:\Windows\SysWOW64\cmd.exe | Module Loaded: C:\USERS\user\APPDATA\LOCAL\TEMP\HDOUMNEPQ
                        Source: C:\Users\user\AppData\Roaming\updatefa\SoundTune.exe | Registry key monitored for changes: HKEY_CURRENT_USER_Classes
                        Source: C:\Users\user\Desktop\SoundTune.exe | Process information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\conhost.exe | Process information set: NOOPENFILEERRORBOX
                        Source: C:\Users\user\AppData\Roaming\updatefa\SoundTune.exe | Process information set: NOOPENFILEERRORBOX
                        Source: C:\Users\user\AppData\Roaming\updatefa\SoundTune.exe | Process information set: NOOPENFILEERRORBOX
                        Source: C:\Users\user\AppData\Roaming\updatefa\SoundTune.exe | Process information set: NOOPENFILEERRORBOX
                        Source: C:\Users\user\AppData\Roaming\updatefa\SoundTune.exe | Code function: 6_2_000002A37CBF707A str word ptr [eax+00000451h] 6_2_000002A37CBF707A
                        Source: C:\Windows\SysWOW64\cmd.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\yxh
                        Source: C:\Windows\SysWOW64\cmd.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\hdoumnepq
                        Source: C:\Windows\SysWOW64\cmd.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nmqufdalfa
                        Source: SoundTune.exe, 00000006.00000002.2201257984.000002A37F99F000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: noreply@vmware.com0
                        Source: SoundTune.exe, 00000006.00000002.2201257984.000002A37F99F000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: http://www.vmware.com/0
                        Source: SoundTune.exe, 00000006.00000002.2201257984.000002A37F99F000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: VMware, Inc.1!0
                        Source: SoundTune.exe, 00000006.00000002.2201257984.000002A37F99F000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: http://www.vmware.com/0/
                        Source: SoundTune.exe, 00000006.00000002.2201257984.000002A37F99F000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: VMware, Inc.1
                        Source: SoundTune.exe, 00000006.00000002.2201257984.000002A37F99F000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: VMware, Inc.0
                        Source: C:\Users\user\Desktop\SoundTune.exe | Process information queried: ProcessInformation
                        Source: C:\Users\user\AppData\Roaming\updatefa\SoundTune.exe | Code function: 5_2_00000278AE3F5D97 mov eax, dword ptr fs:[00000030h] 5_2_00000278AE3F5D97
                        Source: C:\Users\user\AppData\Roaming\updatefa\SoundTune.exe | Code function: 5_2_00000278AE3F5986 mov eax, dword ptr fs:[00000030h] 5_2_00000278AE3F5986
                        Source: C:\Users\user\AppData\Roaming\updatefa\SoundTune.exe | Code function: 5_2_00000278AE3E0F53 mov eax, dword ptr fs:[00000030h] 5_2_00000278AE3E0F53
                        Source: C:\Users\user\AppData\Roaming\updatefa\SoundTune.exe | Code function: 5_2_00000278AE3E3FD5 mov eax, dword ptr fs:[00000030h] 5_2_00000278AE3E3FD5
                        Source: C:\Users\user\AppData\Roaming\updatefa\SoundTune.exe | Code function: 5_2_00000278AE3E40CF mov eax, dword ptr fs:[00000030h] 5_2_00000278AE3E40CF

                        HIPS / PFW / Operating System Protection Evasion

                        Source: C:\Users\user\AppData\Roaming\updatefa\SoundTune.exe | NtCreateFile: Direct from: 0x8100000080
                        Source: C:\Users\user\Desktop\SoundTune.exe | NtAllocateVirtualMemory: Direct from: 0x7FF8B7FF8054
                        Source: C:\Users\user\AppData\Roaming\updatefa\SoundTune.exe | NtReadFile: Direct from: 0x7FF8A88E85FB
                        Source: C:\Users\user\Desktop\SoundTune.exe | NtQuerySystemInformation: Direct from: 0x22581CEA630
                        Source: C:\Users\user\AppData\Roaming\updatefa\SoundTune.exe | NtQuerySystemInformation: Direct from: 0x25B6E3CFCA0
                        Source: C:\Users\user\AppData\Roaming\updatefa\SoundTune.exe | NtAllocateVirtualMemory: Direct from: 0x25B6E3D4D80
                        Source: C:\Users\user\Desktop\SoundTune.exe | NtCreateFile: Direct from: 0x7FF8B7FE78EC
                        Source: C:\Users\user\Desktop\SoundTune.exe | NtAllocateVirtualMemory: Direct from: 0x22581CEDD20
                        Source: C:\Users\user\AppData\Roaming\updatefa\SoundTune.exe | NtProtectVirtualMemory: Direct from: 0x278AB606F30
                        Source: C:\Users\user\Desktop\SoundTune.exe | NtReadFile: Direct from: 0x7FF8B7FE85FB
                        Source: C:\Users\user\AppData\Roaming\updatefa\SoundTune.exe | NtAllocateVirtualMemory: Direct from: 0x7FF8A88F8054
                        Source: C:\Users\user\AppData\Roaming\updatefa\SoundTune.exe | NtProtectVirtualMemory: Direct from: 0x298
                        Source: C:\Users\user\AppData\Roaming\updatefa\SoundTune.exe | NtAllocateVirtualMemory: Direct from: 0x2A37CC1F722
                        Source: C:\Users\user\Desktop\SoundTune.exe | NtProtectVirtualMemory: Direct from: 0x22581CF0760
                        Source: C:\Users\user\AppData\Roaming\updatefa\SoundTune.exe | NtSetTimerEx: Direct from: 0x7FF8C88A26A1
                        Source: C:\Users\user\Desktop\SoundTune.exe | NtCreateFile: Direct from: 0x4800000080
                        Source: C:\Users\user\Desktop\SoundTune.exe | NtAllocateVirtualMemory: Direct from: 0x22581CF0BB0
                        Source: C:\Users\user\AppData\Roaming\updatefa\SoundTune.exe | NtProtectVirtualMemory: Direct from: 0x7FF8A88F9B9C
                        Source: C:\Users\user\AppData\Roaming\updatefa\SoundTune.exe | NtProtectVirtualMemory: Direct from: 0x7FF8A88F9BF0
                        Source: C:\Users\user\AppData\Roaming\updatefa\SoundTune.exe | NtProtectVirtualMemory: Direct from: 0x7FF8AC0453D3
                        Source: C:\Users\user\AppData\Roaming\updatefa\SoundTune.exe | NtAllocateVirtualMemory: Direct from: 0x2A37CC19070
                        Source: C:\Users\user\AppData\Roaming\updatefa\SoundTune.exe | NtCreateFile: Direct from: 0x7FF8A88E85AD
                        Source: C:\Users\user\AppData\Roaming\updatefa\SoundTune.exe | NtCreateFile: Direct from: 0xDB00000080
                        Source: C:\Users\user\AppData\Roaming\updatefa\SoundTune.exe | NtWriteFile: Direct from: 0x25B7189DA30
                        Source: C:\Users\user\AppData\Roaming\updatefa\SoundTune.exe | NtQuerySystemInformation: Direct from: 0x2A37CC13E60
                        Source: C:\Users\user\Desktop\SoundTune.exe | NtProtectVirtualMemory: Direct from: 0x2B0
                        Source: C:\Users\user\AppData\Roaming\updatefa\SoundTune.exe | NtProtectVirtualMemory: Direct from: 0x7FF8C6F6FEE0
                        Source: C:\Users\user\AppData\Roaming\updatefa\SoundTune.exe | NtProtectVirtualMemory: Direct from: 0x25B6E51BAB0
                        Source: C:\Users\user\AppData\Roaming\updatefa\SoundTune.exe | NtWriteFile: Direct from: 0x2A30009DA30
                        Source: C:\Users\user\AppData\Roaming\updatefa\SoundTune.exe | NtQueryInformationToken: Direct from: 0x9AC39CDF70
                        Source: C:\Users\user\AppData\Roaming\updatefa\SoundTune.exe | NtQuerySystemInformation: Direct from: 0x9AC39CF4D0
                        Source: C:\Users\user\AppData\Roaming\updatefa\SoundTune.exe | NtProtectVirtualMemory: Direct from: 0x7FF8A88F8735
                        Source: C:\Users\user\AppData\Roaming\updatefa\SoundTune.exe | NtProtectVirtualMemory: Direct from: 0x278AE438E74
                        Source: C:\Users\user\Desktop\SoundTune.exe | NtCreateFile: Direct from: 0x7FF8B7FE85AD
                        Source: C:\Users\user\AppData\Roaming\updatefa\SoundTune.exe | NtAllocateVirtualMemory: Direct from: 0xA0A76ACB
                        Source: C:\Users\user\AppData\Roaming\updatefa\SoundTune.exe | NtAllocateVirtualMemory: Direct from: 0x278A9BC3CA2
                        Source: C:\Users\user\Desktop\SoundTune.exe | NtWriteFile: Direct from: 0x2258515DA30
                        Source: C:\Users\user\AppData\Roaming\updatefa\SoundTune.exe | NtProtectVirtualMemory: Direct from: 0x2A37CD2BBB0
                        Source: C:\Users\user\AppData\Roaming\updatefa\SoundTune.exe | NtCreateFile: Direct from: 0x7FF8A88E78EC
                        Source: C:\Users\user\AppData\Roaming\updatefa\SoundTune.exe | NtAllocateVirtualMemory: Direct from: 0x25B6E3F5F32
                        Source: C:\Users\user\Desktop\SoundTune.exe | NtAllocateVirtualMemory: Direct from: 0x7FF8B7FE856E
                        Source: C:\Windows\SysWOW64\cmd.exe | Memory written: PID: 5276 base: 2580000 value: 00
                        Source: C:\Windows\SysWOW64\cmd.exe | Memory written: PID: 5276 base: 26902D8 value: 00
                        Source: C:\Windows\SysWOW64\cmd.exe | Memory written: PID: 5276 base: 26911E8 value: 00
                        Source: C:\Windows\SysWOW64\cmd.exe | Memory written: PID: 5276 base: 1279C0 value: 55
                        Source: C:\Windows\SysWOW64\cmd.exe | Memory written: PID: 5276 base: 2590000 value: 00
                        Source: C:\Windows\SysWOW64\cmd.exe | Memory written: PID: 2956 base: 2580000 value: 00
                        Source: C:\Windows\SysWOW64\cmd.exe | Memory written: PID: 2956 base: 26E22D8 value: 00
                        Source: C:\Windows\SysWOW64\cmd.exe | Memory written: PID: 2956 base: 26E31E8 value: 00
                        Source: C:\Windows\SysWOW64\cmd.exe | Memory written: PID: 2956 base: 1279C0 value: 55
                        Source: C:\Windows\SysWOW64\cmd.exe | Memory written: PID: 2956 base: 2590000 value: 00
                        Source: C:\Windows\SysWOW64\cmd.exe | Memory written: PID: 5516 base: 29F0000 value: 00
                        Source: C:\Windows\SysWOW64\cmd.exe | Memory written: PID: 5516 base: 2A5E2D8 value: 00
                        Source: C:\Windows\SysWOW64\cmd.exe | Memory written: PID: 5516 base: 2A5F1E8 value: 00
                        Source: C:\Windows\SysWOW64\cmd.exe | Memory written: PID: 5516 base: 1279C0 value: 55
                        Source: C:\Windows\SysWOW64\cmd.exe | Memory written: PID: 5516 base: 2C40000 value: 00
                        Source: C:\Users\user\Desktop\SoundTune.exe | Section loaded: NULL target: C:\Windows\SysWOW64\cmd.exe protection: read write
                        Source: C:\Users\user\AppData\Roaming\updatefa\SoundTune.exe | Section loaded: NULL target: C:\Windows\SysWOW64\cmd.exe protection: read write
                        Source: C:\Users\user\AppData\Roaming\updatefa\SoundTune.exe | Section loaded: NULL target: C:\Windows\SysWOW64\cmd.exe protection: read write
                        Source: C:\Windows\SysWOW64\cmd.exe | Memory written: C:\Windows\SysWOW64\explorer.exe base: 1279C0
                        Source: C:\Windows\SysWOW64\cmd.exe | Memory written: C:\Windows\SysWOW64\explorer.exe base: 2590000
                        Source: C:\Windows\SysWOW64\cmd.exe | Memory written: C:\Windows\SysWOW64\explorer.exe base: 1279C0
                        Source: C:\Windows\SysWOW64\cmd.exe | Memory written: C:\Windows\SysWOW64\explorer.exe base: 2590000
                        Source: C:\Windows\SysWOW64\cmd.exe | Memory written: C:\Windows\SysWOW64\explorer.exe base: 1279C0
                        Source: C:\Windows\SysWOW64\cmd.exe | Memory written: C:\Windows\SysWOW64\explorer.exe base: 2C40000
                        Source: C:\Users\user\Desktop\SoundTune.exe | Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
                        Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\explorer.exe C:\Windows\SysWOW64\explorer.exe
                        Source: C:\Users\user\AppData\Roaming\updatefa\SoundTune.exe | Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
                        Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\explorer.exe C:\Windows\SysWOW64\explorer.exe
                        Source: C:\Users\user\AppData\Roaming\updatefa\SoundTune.exe | Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
                        Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\explorer.exe C:\Windows\SysWOW64\explorer.exe
                        Source: C:\Users\user\Desktop\SoundTune.exe | Queries volume information: C:\Users\user\AppData\Local\Temp\eb40e7d2 VolumeInformation
                        Source: C:\Users\user\AppData\Roaming\updatefa\SoundTune.exe | Queries volume information: C:\Users\user\AppData\Local\Temp\f5e8013d VolumeInformation
                        Source: C:\Users\user\AppData\Roaming\updatefa\SoundTune.exe | Queries volume information: C:\Users\user\AppData\Local\Temp\f3455394 VolumeInformation
                        Source: C:\Users\user\AppData\Roaming\updatefa\SoundTune.exe | Queries volume information: C:\Users\user\AppData\Local\Temp\f751201f VolumeInformation
                        Source: C:\Users\user\Desktop\SoundTune.exe | Code function: 0_2_00007FF77A4CA264 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter, 0_2_00007FF77A4CA264

                        Stealing of Sensitive Information

                        Source: Yara match | File source: decrypted.memstr, type: MEMORYSTR
                        Source: Yara match | File source: 14.2.cmd.exe.59000c8.7.unpack, type: UNPACKEDPE
                        Source: Yara match | File source: 7.2.cmd.exe.5a200c8.7.raw.unpack, type: UNPACKEDPE
                        Source: Yara match | File source: 2.2.cmd.exe.54a00c8.7.unpack, type: UNPACKEDPE
                        Source: Yara match | File source: 7.2.cmd.exe.5a200c8.7.unpack, type: UNPACKEDPE
                        Source: Yara match | File source: 14.2.cmd.exe.59000c8.7.raw.unpack, type: UNPACKEDPE
                        Source: Yara match | File source: 2.2.cmd.exe.54a00c8.7.raw.unpack, type: UNPACKEDPE
                        Source: Yara match | File source: 00000007.00000002.2414191195.0000000005A20000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
                        Source: Yara match | File source: 0000000E.00000002.2479094817.0000000005900000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
                        Source: Yara match | File source: 00000002.00000002.2330822665.00000000054A0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
                        Source: Yara match | File source: 00000012.00000002.2477851015.0000000002C41000.00000020.00000001.01000000.00000000.sdmp, type: MEMORY
                        Source: Yara match | File source: 00000011.00000002.2414365443.0000000002591000.00000004.00000001.01000000.00000000.sdmp, type: MEMORY
                        Source: Yara match | File source: 00000010.00000002.2329605585.0000000002591000.00000020.00000001.01000000.00000000.sdmp, type: MEMORY
                        Source: Yara match | File source: C:\Users\user\AppData\Local\Temp\yxh, type: DROPPED
                        Source: Yara match | File source: C:\Users\user\AppData\Local\Temp\nmqufdalfa, type: DROPPED
                        Source: Yara match | File source: C:\Users\user\AppData\Local\Temp\hdoumnepq, type: DROPPED
                        MITRE ATT&CK Matrix (techniques listed per tactic in matrix row order; numeric prefixes as shown in the report)

                        Reconnaissance: Gather Victim Identity Information; Credentials; Email Addresses; Employee Names; Gather Victim Network Information; Domain Properties; DNS
                        Resource Development: Acquire Infrastructure; Domains; DNS Server; Virtual Private Server; Server; Botnet; Web Services
                        Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media; External Remote Services
                        Execution: 1 Scheduled Task/Job; Scheduled Task/Job; At; Cron; Launchd; Scheduled Task; Systemd Timers
                        Persistence: 1 Scheduled Task/Job; 11 DLL Side-Loading; Logon Script (Windows); Login Hook; Network Logon Script; RC Scripts; Startup Items
                        Privilege Escalation: 311 Process Injection; 1 Scheduled Task/Job; 1 Abuse Elevation Control Mechanism; 11 DLL Side-Loading; Network Logon Script; RC Scripts; Startup Items
                        Defense Evasion: 21 Masquerading; 1 Virtualization/Sandbox Evasion; 311 Process Injection; 1 Abuse Elevation Control Mechanism; 1 Obfuscated Files or Information; 1 Software Packing; 11 DLL Side-Loading
                        Credential Access: OS Credential Dumping; LSASS Memory; Security Account Manager; NTDS; LSA Secrets; Cached Domain Credentials; DCSync
                        Discovery: 1 System Time Discovery; 1 Query Registry; 11 Security Software Discovery; 1 Virtualization/Sandbox Evasion; 1 Process Discovery; 12 System Information Discovery; Remote System Discovery
                        Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC; Windows Remote Management
                        Collection: 1 Archive Collected Data; Data from Removable Media; Data from Network Shared Drive; Input Capture; Keylogging; GUI Input Capture; Web Portal Capture
                        Command and Control: 1 Encrypted Channel; 1 Application Layer Protocol; Steganography; Protocol Impersonation; Fallback Channels; Multiband Communication; Commonly Used Port
                        Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Traffic Duplication; Scheduled Transfer; Data Transfer Size Limits; Exfiltration Over C2 Channel
                        Impact: Abuse Accessibility Features; Network Denial of Service; Data Encrypted for Impact; Data Destruction; Data Encrypted for Impact; Service Stop; Inhibit System Recovery
                        Hide Legend

                        Legend:

                        • Process
                        • Signature
                        • Created File
                        • DNS/IP Info
                        • Is Dropped
                        • Is Windows Process
                        • Number of created Registry Values
                        • Number of created Files
                        • Visual Basic
                        • Delphi
                        • Java
                        • .Net C# or VB.NET
                        • C, C++ or other language
                        • Is malicious
                        • Internet
Behavior Graph (ID: 1425677, Sample: SoundTune.exe, Startdate: 14/04/2024, Architecture: WINDOWS, Score: 100)

Signatures on the sample:
• Found malware configuration
• Malicious sample detected (through community Yara rule)
• Antivirus detection for URL or domain
• 9 other signatures

Process tree (graph node numbers in parentheses):
• SoundTune.exe (7), started
    • Signatures: Maps a DLL or memory area into another process; Found direct / indirect Syscall (likely to bypass EDR)
    • cmd.exe (16), started
        • Dropped: C:\Users\user\AppData\Local\Temp\nmqufdalfa, PE32
        • Signatures: Injects code into the Windows Explorer (explorer.exe); Writes to foreign memory regions; Found hidden mapped module (file has been removed from disk)
        • conhost.exe (24), started
        • explorer.exe (26), started
• SoundTune.exe (10), started
    • cmd.exe (20), started
        • Dropped: C:\Users\user\AppData\Local\Temp\hdoumnepq, PE32
        • conhost.exe (28), started
        • explorer.exe (30), started
• SoundTune.exe (12), started
    • cmd.exe (22), started
        • Dropped: C:\Users\user\AppData\Local\Temp\yxh, PE32
        • conhost.exe (32), started
        • explorer.exe (34), started
• SoundTune.exe (14), started

Source | Detection | Scanner | Label | Link
SoundTune.exe | 8% | ReversingLabs | |
SoundTune.exe | 23% | Virustotal | | Browse
Source | Detection | Scanner | Label | Link
C:\Users\user\AppData\Local\Temp\nmqufdalfa | 100% | Avira | HEUR/AGEN.1319380 |
C:\Users\user\AppData\Local\Temp\yxh | 100% | Avira | HEUR/AGEN.1319380 |
C:\Users\user\AppData\Local\Temp\hdoumnepq | 100% | Avira | HEUR/AGEN.1319380 |
C:\Users\user\AppData\Local\Temp\nmqufdalfa | 100% | Joe Sandbox ML | |
C:\Users\user\AppData\Local\Temp\yxh | 100% | Joe Sandbox ML | |
C:\Users\user\AppData\Local\Temp\hdoumnepq | 100% | Joe Sandbox ML | |
C:\Users\user\AppData\Local\Temp\hdoumnepq | 42% | ReversingLabs | Win32.Trojan.Amadey |
C:\Users\user\AppData\Local\Temp\hdoumnepq | 58% | Virustotal | | Browse
C:\Users\user\AppData\Local\Temp\nmqufdalfa | 42% | ReversingLabs | Win32.Trojan.Amadey |
C:\Users\user\AppData\Local\Temp\nmqufdalfa | 58% | Virustotal | | Browse
C:\Users\user\AppData\Local\Temp\yxh | 42% | ReversingLabs | Win32.Trojan.Amadey |
C:\Users\user\AppData\Local\Temp\yxh | 58% | Virustotal | | Browse
                        No Antivirus matches
                        No Antivirus matches
Source | Detection | Scanner | Label | Link
https://bitsum.com0/ | 0% | Avira URL Cloud | safe |
responsibilitybridge.com/8BvxwQdec3/index.php | 100% | Avira URL Cloud | phishing |
responsibilitybridge.com/8BvxwQdec3/index.php | 1% | Virustotal | | Browse
                        No contacted domains info
Name | Malicious | Antivirus Detection | Reputation
responsibilitybridge.com/8BvxwQdec3/index.php | true | 1%, Virustotal, Browse; Avira URL Cloud: phishing | low
Name | Source | Malicious | Antivirus Detection | Reputation
http://www.vmware.com/0/ | SoundTune.exe, 00000000.00000002.2053261362.0000022584B90000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000002.00000002.2330278372.0000000004A99000.00000004.00000800.00020000.00000000.sdmp, SoundTune.exe, 00000005.00000002.2244717993.00000278AE3D1000.00000004.00000020.00020000.00000000.sdmp, SoundTune.exe, 00000006.00000002.2201257984.000002A37F99F000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://bitsum.com0/ | SoundTune.exe, 00000000.00000002.2052148275.0000022583B6A000.00000004.00000020.00020000.00000000.sdmp, SoundTune.exe, 00000005.00000002.2243607521.00000278AD563000.00000004.00000020.00020000.00000000.sdmp, SoundTune.exe, 00000006.00000002.2200022527.000002A37E98C000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://www.vmware.com/0 | SoundTune.exe, 00000000.00000002.2053261362.0000022584B90000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000002.00000002.2330278372.0000000004A99000.00000004.00000800.00020000.00000000.sdmp, SoundTune.exe, 00000005.00000002.2244717993.00000278AE3D1000.00000004.00000020.00020000.00000000.sdmp, SoundTune.exe, 00000006.00000002.2201257984.000002A37F99F000.00000004.00000020.00020000.00000000.sdmp | false | | high
http://www.symauth.com/cps0( | SoundTune.exe, 00000000.00000002.2053261362.0000022584B90000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000002.00000002.2330278372.0000000004A99000.00000004.00000800.00020000.00000000.sdmp, SoundTune.exe, 00000005.00000002.2244717993.00000278AE3D1000.00000004.00000020.00020000.00000000.sdmp, SoundTune.exe, 00000006.00000002.2201257984.000002A37F99F000.00000004.00000020.00020000.00000000.sdmp | false | | high
http://www.symauth.com/rpa00 | SoundTune.exe, 00000000.00000002.2053261362.0000022584B90000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000002.00000002.2330278372.0000000004A99000.00000004.00000800.00020000.00000000.sdmp, SoundTune.exe, 00000005.00000002.2244717993.00000278AE3D1000.00000004.00000020.00020000.00000000.sdmp, SoundTune.exe, 00000006.00000002.2201257984.000002A37F99F000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://docs.wxwidgets.org/latest/plat_msw_install.html#msw_manifest | SoundTune.exe, 00000000.00000002.2052148275.0000022583B6A000.00000004.00000020.00020000.00000000.sdmp, SoundTune.exe, 00000000.00000002.2054568199.00007FF77A8E9000.00000002.00000001.01000000.00000003.sdmp, SoundTune.exe, 00000000.00000000.2036588675.00007FF77A8E9000.00000002.00000001.01000000.00000003.sdmp, SoundTune.exe, 00000005.00000002.2243607521.00000278AD563000.00000004.00000020.00020000.00000000.sdmp, SoundTune.exe, 00000005.00000000.2166738092.00007FF6FE3D9000.00000002.00000001.01000000.0000000A.sdmp, SoundTune.exe, 00000005.00000002.2246810793.00007FF6FE3D9000.00000002.00000001.01000000.0000000A.sdmp, SoundTune.exe, 00000006.00000002.2202817464.00007FF6FE3D9000.00000002.00000001.01000000.0000000A.sdmp, SoundTune.exe, 00000006.00000000.2168813639.00007FF6FE3D9000.00000002.00000001.01000000.0000000A.sdmp, SoundTune.exe, 00000006.00000002.2200022527.000002A37E98C000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://docs.wxwidgets.org/latest/classwx_system_options.html | SoundTune.exe, 00000000.00000002.2052148275.0000022583B6A000.00000004.00000020.00020000.00000000.sdmp, SoundTune.exe, 00000000.00000002.2054568199.00007FF77A8E9000.00000002.00000001.01000000.00000003.sdmp, SoundTune.exe, 00000000.00000000.2036588675.00007FF77A8E9000.00000002.00000001.01000000.00000003.sdmp, SoundTune.exe, 00000005.00000002.2243607521.00000278AD563000.00000004.00000020.00020000.00000000.sdmp, SoundTune.exe, 00000005.00000000.2166738092.00007FF6FE3D9000.00000002.00000001.01000000.0000000A.sdmp, SoundTune.exe, 00000005.00000002.2246810793.00007FF6FE3D9000.00000002.00000001.01000000.0000000A.sdmp, SoundTune.exe, 00000006.00000002.2202817464.00007FF6FE3D9000.00000002.00000001.01000000.0000000A.sdmp, SoundTune.exe, 00000006.00000000.2168813639.00007FF6FE3D9000.00000002.00000001.01000000.0000000A.sdmp, SoundTune.exe, 00000006.00000002.2200022527.000002A37E98C000.00000004.00000020.00020000.00000000.sdmp | false | | high
http://www.info-zip.org/ | SoundTune.exe, 00000000.00000002.2053261362.0000022584A36000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000002.00000002.2330278372.0000000004A50000.00000004.00000800.00020000.00000000.sdmp, SoundTune.exe, 00000005.00000002.2244717993.00000278AE277000.00000004.00000020.00020000.00000000.sdmp, SoundTune.exe, 00000006.00000002.2201257984.000002A37F845000.00000004.00000020.00020000.00000000.sdmp | false | | high
                                      No contacted IP infos
                                      Joe Sandbox version:40.0.0 Tourmaline
                                      Analysis ID:1425677
                                      Start date and time:2024-04-14 07:08:10 +02:00
                                      Joe Sandbox product:CloudBasic
                                      Overall analysis duration:0h 8m 26s
                                      Hypervisor based Inspection enabled:false
                                      Report type:full
                                      Cookbook file name:default.jbs
                                      Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
                                      Number of analysed new started processes analysed:19
                                      Number of new started drivers analysed:0
                                      Number of existing processes analysed:0
                                      Number of existing drivers analysed:0
                                      Number of injected processes analysed:1
                                      Technologies:
                                      • HCA enabled
                                      • EGA enabled
                                      • AMSI enabled
                                      Analysis Mode:default
                                      Analysis stop reason:Timeout
                                      Sample name:SoundTune.exe
                                      Detection:MAL
                                      Classification:mal100.troj.spyw.expl.evad.winEXE@19/11@0/0
                                      EGA Information:Failed
                                      HCA Information:Failed
                                      Cookbook Comments:
                                      • Found application associated with file extension: .exe
                                      • Exclude process from analysis (whitelisted): dllhost.exe, consent.exe, WMIADAP.exe, SIHClient.exe, svchost.exe
                                      • Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
                                      • Execution Graph export aborted for target SoundTune.exe, PID 2448 because there are no executed function
                                      • Execution Graph export aborted for target SoundTune.exe, PID 4404 because there are no executed function
                                      • Execution Graph export aborted for target SoundTune.exe, PID 6332 because there are no executed function
                                      • Execution Graph export aborted for target SoundTune.exe, PID 6360 because there are no executed function
                                      • Not all processes where analyzed, report is missing behavior information
                                      • Report size getting too big, too many NtQueryValueKey calls found.
Time | Type | Description
07:09:01 | API Interceptor | 3x Sleep call for process: SoundTune.exe modified
07:09:12 | Task Scheduler | Run new task: SoundTune path: C:\Users\user\AppData\Roaming\updatefa\SoundTune.exe
07:09:13 | Task Scheduler | Run new task: uiQuick path: C:\Users\user\AppData\Roaming\updatefa\SoundTune.exe
07:09:29 | API Interceptor | 3x Sleep call for process: cmd.exe modified
07:09:37 | API Interceptor | 1x Sleep call for process: explorer.exe modified
                                      No context
                                      Process:C:\Users\user\Desktop\SoundTune.exe
                                      File Type:PNG image data, 4480 x 508, 8-bit/color RGB, non-interlaced
                                      Category:dropped
                                      Size (bytes):1185377
                                      Entropy (8bit):7.993121928768052
                                      Encrypted:true
                                      SSDEEP:24576:1maY2XFmPdz7lbpV9Py2djrzzoIuCHVoF7idaHWdv:caYDzZbpVgsEdmoF72a2dv
                                      MD5:FFAF71D4A621E899C82C865F34E937D6
                                      SHA1:1468830BEE8AFB3ADCE79FDB0BDE3CCB599102D3
                                      SHA-256:74740FC70974DDC8B2B2ACE5E5098273E3B0DE77071FD6444F197F69AF8415F1
                                      SHA-512:56C3E369D876234C46368D7D4E782ADAE3A1D77728EFC4F2253A1C6733B00A7CA04F810A14C671E8120187F728A3F270127D06D907982B5B4637FAAE1C5A5419
                                      Malicious:false
                                      Reputation:low
                                      Preview:.PNG........IHDR...............+... .IDATx..;...&z.....{...w....Kb....Pc.H[$..D...d........gl..5.........<..UY].]......tfeT.....`?.....\..._@@@@...n....m0..@k.._&....._7."....M....uM..?.4.....? ?.9g..@S.~.1.?..&?".0w.......`)%0..UU.K.TUE....K..K)..eY:/U.u...RZkrw)%>{UV.A...&..J)|..,.o....n_.1&......]I.Xw.Kp.q..&.w...._...H@.6.......#.....I..I....k...H>c...H....|B5..|..G...N.;$.........`H..w......f..Ck]..e..^....4...lA........{..K0..a.m.~...a.}.M..c8....c.?F.=....7...I>..3.l2..@.......$..7..RJ.XwW...eI.....6w._..)....\.@5..cL*.......2z.....#...`!.J....8.....}...u.[...E......0...v..}$_.&?"..K......D....i.n.s.)8..4...H> 3w..1..t..w.&.|9J.Y..w.......n..!...+....ea..p.Q....#........b......z.@.......~a?.....J..O..J|.,......1<0.Y>N....KyY....,_k.....v.S.{....J2.'.|.$..D............1.,_J.9.vi....{.......$....Dx....... p......{..&^.......}H...0N..`.....N.'..t{\=$.............o.....@Q..A.$..K5.!...$g..a.-F...K-$;K.. .ij....o......~...5.g.o..
                                      Process:C:\Users\user\Desktop\SoundTune.exe
                                      File Type:data
                                      Category:dropped
                                      Size (bytes):1159305
                                      Entropy (8bit):7.629665445129676
                                      Encrypted:false
                                      SSDEEP:24576:poSKVXfYCLaLoFG+evn0wq+epoIpibue6yJiK4BI/9zUU9orGDXwh+z:poSKRBaLXls0Ipibue6yJiK4BI/9zUUJ
                                      MD5:CB139E19EA3CC76B4EA91677CCC6E55F
                                      SHA1:4A33B1E52EE29A8C3C7EE02BBF1ACC03A14E0C61
                                      SHA-256:17CFCEA0B3B34CD8C52B20C18F069EF09A7D366BEFAF66F3DFFA8508CC2CB995
                                      SHA-512:4D7D967F05E2333B3355A5B24D6B39A7A4C0CD3128238FEF86B6E9BE64AB1F2448943B0CD64377E28C33F08BBC1E8255105F110814153FDE837DEAC80F54DB9E
                                      Malicious:false
                                      Reputation:low
                                      Preview:<...<...>...?...>...{...?...?...?...?...?...?...?...?...?...?...?...?...?...?...?...?...?...?...?...?...?...?...?...?...?...?...?...?...?...?...?...?...?...?...?...?...?...?...?...?...?...?...?...?...?...?...?...?...?...?...?...?...?...?...?...?...?...?...?...?...?...?...?...?...?...?...?...?...?...?...?...?...?...?...?...?...?...?...?...?...?...?...?...?...?...?...?...?...?...?...?...?...?...?...?...?...?...?...?...?...?...?...?...?...?...?...?...?...?...?...?...?...?...?...?...?...?...?...?...?...?...?...?...?...?...?...?...?...?...?...?.......{.......\...P...h...P...l...K...Q...M...^...l...K...?...?...?...?...?...?...?...?...?...?...?...|...V...S...z...?...?...?...?...?...?...?...?...?...?...?...?...?...?...?...?...?...?...?...?...?...|...Z...v...^...?...?...?...?...?...?...?...?...?...?...?...?...?...?...?...?...?...?...?...?...?.......{...c...M...Y..z...M...H...?...?...?...?...?...?...?...?...?...?...?...?...?...?...?...?...?...I...........?...?...?...?...?...?...?...?...?...?...
                                      Process:C:\Users\user\AppData\Roaming\updatefa\SoundTune.exe
                                      File Type:PNG image data, 4480 x 508, 8-bit/color RGB, non-interlaced
                                      Category:dropped
                                      Size (bytes):1185377
                                      Entropy (8bit):7.993121928768052
                                      Encrypted:true
                                      SSDEEP:24576:1maY2XFmPdz7lbpV9Py2djrzzoIuCHVoF7idaHWdv:caYDzZbpVgsEdmoF72a2dv
                                      MD5:FFAF71D4A621E899C82C865F34E937D6
                                      SHA1:1468830BEE8AFB3ADCE79FDB0BDE3CCB599102D3
                                      SHA-256:74740FC70974DDC8B2B2ACE5E5098273E3B0DE77071FD6444F197F69AF8415F1
                                      SHA-512:56C3E369D876234C46368D7D4E782ADAE3A1D77728EFC4F2253A1C6733B00A7CA04F810A14C671E8120187F728A3F270127D06D907982B5B4637FAAE1C5A5419
                                      Malicious:false
                                      Reputation:low
                                      Preview:.PNG........IHDR...............+... .IDATx..;...&z.....{...w....Kb....Pc.H[$..D...d........gl..5.........<..UY].]......tfeT.....`?.....\..._@@@@...n....m0..@k.._&....._7."....M....uM..?.4.....? ?.9g..@S.~.1.?..&?".0w.......`)%0..UU.K.TUE....K..K)..eY:/U.u...RZkrw)%>{UV.A...&..J)|..,.o....n_.1&......]I.Xw.Kp.q..&.w...._...H@.6.......#.....I..I....k...H>c...H....|B5..|..G...N.;$.........`H..w......f..Ck]..e..^....4...lA........{..K0..a.m.~...a.}.M..c8....c.?F.=....7...I>..3.l2..@.......$..7..RJ.XwW...eI.....6w._..)....\.@5..cL*.......2z.....#...`!.J....8.....}...u.[...E......0...v..}$_.&?"..K......D....i.n.s.)8..4...H> 3w..1..t..w.&.|9J.Y..w.......n..!...+....ea..p.Q....#........b......z.@.......~a?.....J..O..J|.,......1<0.Y>N....KyY....,_k.....v.S.{....J2.'.|.$..D............1.,_J.9.vi....{.......$....Dx....... p......{..&^.......}H...0N..`.....N.'..t{\=$.............o.....@Q..A.$..K5.!...$g..a.-F...K-$;K.. .ij....o......~...5.g.o..
                                      Process:C:\Users\user\AppData\Roaming\updatefa\SoundTune.exe
                                      File Type:data
                                      Category:dropped
                                      Size (bytes):1159305
                                      Entropy (8bit):7.62970789197951
                                      Encrypted:false
                                      SSDEEP:24576:doSKVXfYCLaLoFG+evn0wq+epoIpibue6yJiK4BI/9zUU9orGDXwh+z:doSKRBaLXls0Ipibue6yJiK4BI/9zUUJ
                                      MD5:FF32599363A0D7C18019FBF9E1E129D0
                                      SHA1:A58B84A63F0FF213819AB86FDAE3B2DC42199192
                                      SHA-256:605957F1C4A8AFB62B678AC3E068E178D69E72103702FE8132ECFEA81CB2ED3D
                                      SHA-512:8C78BD67313A6B7C94236E3F3B9D19B33A69A152B189F5753F3FAE382D89B4FFDB365BACF2DAE38EC9CB27DE96A1CB725B1685E96442A45D615B5A258B036236
                                      Malicious:false
                                      Preview:<...<...>...?...>...{...?...?...?...?...?...?...?...?...?...?...?...?...?...?...?...?...?...?...?...?...?...?...?...?...?...?...?...?...?...?...?...?...?...?...?...?...?...?...?...?...?...?...?...?...?...?...?...?...?...?...?...?...?...?...?...?...?...?...?...?...?...?...?...?...?...?...?...?...?...?...?...?...?...?...?...?...?...?...?...?...?...?...?...?...?...?...?...?...?...?...?...?...?...?...?...?...?...?...?...?...?...?...?...?...?...?...?...?...?...?...?...?...?...?...?...?...?...?...?...?...?...?...?...?...?...?...?...?...?...?...?.......{.......\...P...h...P...l...K...Q...M...^...l...K...?...?...?...?...?...?...?...?...?...?...?...|...V...S...z...?...?...?...?...?...?...?...?...?...?...?...?...?...?...?...?...?...?...?...?...?...|...Z...v...^...?...?...?...?...?...?...?...?...?...?...?...?...?...?...?...?...?...?...?...?...?.......{...c...M...Y..z...M...H...?...?...?...?...?...?...?...?...?...?...?...?...?...?...?...?...?...I...........?...?...?...?...?...?...?...?...?...?...
                                      Process:C:\Users\user\AppData\Roaming\updatefa\SoundTune.exe
                                      File Type:PNG image data, 4480 x 508, 8-bit/color RGB, non-interlaced
                                      Category:dropped
                                      Size (bytes):1185377
                                      Entropy (8bit):7.993121928768052
                                      Encrypted:true
                                      SSDEEP:24576:1maY2XFmPdz7lbpV9Py2djrzzoIuCHVoF7idaHWdv:caYDzZbpVgsEdmoF72a2dv
                                      MD5:FFAF71D4A621E899C82C865F34E937D6
                                      SHA1:1468830BEE8AFB3ADCE79FDB0BDE3CCB599102D3
                                      SHA-256:74740FC70974DDC8B2B2ACE5E5098273E3B0DE77071FD6444F197F69AF8415F1
                                      SHA-512:56C3E369D876234C46368D7D4E782ADAE3A1D77728EFC4F2253A1C6733B00A7CA04F810A14C671E8120187F728A3F270127D06D907982B5B4637FAAE1C5A5419
                                      Malicious:false
                                      Preview:.PNG........IHDR...............+... .IDATx..;...&z.....{...w....Kb....Pc.H[$..D...d........gl..5.........<..UY].]......tfeT.....`?.....\..._@@@@...n....m0..@k.._&....._7."....M....uM..?.4.....? ?.9g..@S.~.1.?..&?".0w.......`)%0..UU.K.TUE....K..K)..eY:/U.u...RZkrw)%>{UV.A...&..J)|..,.o....n_.1&......]I.Xw.Kp.q..&.w...._...H@.6.......#.....I..I....k...H>c...H....|B5..|..G...N.;$.........`H..w......f..Ck]..e..^....4...lA........{..K0..a.m.~...a.}.M..c8....c.?F.=....7...I>..3.l2..@.......$..7..RJ.XwW...eI.....6w._..)....\.@5..cL*.......2z.....#...`!.J....8.....}...u.[...E......0...v..}$_.&?"..K......D....i.n.s.)8..4...H> 3w..1..t..w.&.|9J.Y..w.......n..!...+....ea..p.Q....#........b......z.@.......~a?.....J..O..J|.,......1<0.Y>N....KyY....,_k.....v.S.{....J2.'.|.$..D............1.,_J.9.vi....{.......$....Dx....... p......{..&^.......}H...0N..`.....N.'..t{\=$.............o.....@Q..A.$..K5.!...$g..a.-F...K-$;K.. .ij....o......~...5.g.o..
                                      Process:C:\Users\user\AppData\Roaming\updatefa\SoundTune.exe
                                      File Type:PNG image data, 4480 x 508, 8-bit/color RGB, non-interlaced
                                      Category:dropped
                                      Size (bytes):1185377
                                      Entropy (8bit):7.993121928768052
                                      Encrypted:true
                                      SSDEEP:24576:1maY2XFmPdz7lbpV9Py2djrzzoIuCHVoF7idaHWdv:caYDzZbpVgsEdmoF72a2dv
                                      MD5:FFAF71D4A621E899C82C865F34E937D6
                                      SHA1:1468830BEE8AFB3ADCE79FDB0BDE3CCB599102D3
                                      SHA-256:74740FC70974DDC8B2B2ACE5E5098273E3B0DE77071FD6444F197F69AF8415F1
                                      SHA-512:56C3E369D876234C46368D7D4E782ADAE3A1D77728EFC4F2253A1C6733B00A7CA04F810A14C671E8120187F728A3F270127D06D907982B5B4637FAAE1C5A5419
                                      Malicious:false
                                      Preview:.PNG........IHDR...............+... .IDATx..;...&z.....{...w....Kb....Pc.H[$..D...d........gl..5.........<..UY].]......tfeT.....`?.....\..._@@@@...n....m0..@k.._&....._7."....M....uM..?.4.....? ?.9g..@S.~.1.?..&?".0w.......`)%0..UU.K.TUE....K..K)..eY:/U.u...RZkrw)%>{UV.A...&..J)|..,.o....n_.1&......]I.Xw.Kp.q..&.w...._...H@.6.......#.....I..I....k...H>c...H....|B5..|..G...N.;$.........`H..w......f..Ck]..e..^....4...lA........{..K0..a.m.~...a.}.M..c8....c.?F.=....7...I>..3.l2..@.......$..7..RJ.XwW...eI.....6w._..)....\.@5..cL*.......2z.....#...`!.J....8.....}...u.[...E......0...v..}$_.&?"..K......D....i.n.s.)8..4...H> 3w..1..t..w.&.|9J.Y..w.......n..!...+....ea..p.Q....#........b......z.@.......~a?.....J..O..J|.,......1<0.Y>N....KyY....,_k.....v.S.{....J2.'.|.$..D............1.,_J.9.vi....{.......$....Dx....... p......{..&^.......}H...0N..`.....N.'..t{\=$.............o.....@Q..A.$..K5.!...$g..a.-F...K-$;K.. .ij....o......~...5.g.o..
                                      Process:C:\Users\user\AppData\Roaming\updatefa\SoundTune.exe
                                      File Type:data
                                      Category:dropped
                                      Size (bytes):1159305
                                      Entropy (8bit):7.62970789197951
                                      Encrypted:false
                                      SSDEEP:24576:doSKVXfYCLaLoFG+evn0wq+epoIpibue6yJiK4BI/9zUU9orGDXwh+z:doSKRBaLXls0Ipibue6yJiK4BI/9zUUJ
                                      MD5:FF32599363A0D7C18019FBF9E1E129D0
                                      SHA1:A58B84A63F0FF213819AB86FDAE3B2DC42199192
                                      SHA-256:605957F1C4A8AFB62B678AC3E068E178D69E72103702FE8132ECFEA81CB2ED3D
                                      SHA-512:8C78BD67313A6B7C94236E3F3B9D19B33A69A152B189F5753F3FAE382D89B4FFDB365BACF2DAE38EC9CB27DE96A1CB725B1685E96442A45D615B5A258B036236
                                      Malicious:false
                                      Preview:<...<...>...?...>...{...?...?...?...?...?...?...?...?...?...?...?...?...?...?...?...?...?...?...?...?...?...?...?...?...?...?...?...?...?...?...?...?...?...?...?...?...?...?...?...?...?...?...?...?...?...?...?...?...?...?...?...?...?...?...?...?...?...?...?...?...?...?...?...?...?...?...?...?...?...?...?...?...?...?...?...?...?...?...?...?...?...?...?...?...?...?...?...?...?...?...?...?...?...?...?...?...?...?...?...?...?...?...?...?...?...?...?...?...?...?...?...?...?...?...?...?...?...?...?...?...?...?...?...?...?...?...?...?...?...?...?.......{.......\...P...h...P...l...K...Q...M...^...l...K...?...?...?...?...?...?...?...?...?...?...?...|...V...S...z...?...?...?...?...?...?...?...?...?...?...?...?...?...?...?...?...?...?...?...?...?...|...Z...v...^...?...?...?...?...?...?...?...?...?...?...?...?...?...?...?...?...?...?...?...?...?.......{...c...M...Y..z...M...H...?...?...?...?...?...?...?...?...?...?...?...?...?...?...?...?...?...I...........?...?...?...?...?...?...?...?...?...?...
                                      Process:C:\Windows\SysWOW64\cmd.exe
                                      File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                      Category:dropped
                                      Size (bytes):431104
                                      Entropy (8bit):6.522083819371716
                                      Encrypted:false
                                      SSDEEP:6144:ypvAjIqqzCYJuahsPf1X7izHrmTo2S2PMr7AwkuF6i38CmzBt6uZewcYW95vZntv:ypvJzlhnzzZ7A3+6i+Bt6uZewcLfv5Bf
                                      MD5:44F8838F92D5960BC83F091F83A35A63
                                      SHA1:782415A855EA654A36EE0A9DC455DC75FF6835E5
                                      SHA-256:2AE0648BB0B6EC4A74952596463338FB939048924EC5926A0FB8F6E9A0CDAF63
                                      SHA-512:FE3D239C08AAB249E3418BBABA995B0BC52EAA048F6387C044E44B598B5E60D37A03BBFCAD29890E6459F6F0CBA28293FC59EEAB28098D80E7D2C5AABB484964
                                      Malicious:true
                                      Yara Hits:
• Rule: JoeSecurity_Amadey_2, Description: Yara detected Amadey's stealer DLL, Source: C:\Users\user\AppData\Local\Temp\hdoumnepq, Author: Joe Security
                                      Antivirus:
                                      • Antivirus: Avira, Detection: 100%
                                      • Antivirus: Joe Sandbox ML, Detection: 100%
                                      • Antivirus: ReversingLabs, Detection: 42%
                                      • Antivirus: Virustotal, Detection: 58%, Browse
                                      Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........d.Y@...@...@....m..Q....m.......h..R....h..W....h..5....m..U....m..S...@........k..A....k1.A....k..A...Rich@...........PE..L...s.[_..........................................@.......................................@.................................l........p...........................K..0...8...........................h...@............................................text...:........................... ..`.rdata..N...........................@..@.data....E... ...2..................@....rsrc........p.......:..............@..@.reloc...K.......L...<..............@..Buxcbu...............................@...........................................................................................................................................................................................................................................................................
                                      Process:C:\Windows\SysWOW64\cmd.exe
                                      File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                      Category:dropped
                                      Size (bytes):431104
                                      Entropy (8bit):6.522083819371716
                                      Encrypted:false
                                      SSDEEP:6144:ypvAjIqqzCYJuahsPf1X7izHrmTo2S2PMr7AwkuF6i38CmzBt6uZewcYW95vZntv:ypvJzlhnzzZ7A3+6i+Bt6uZewcLfv5Bf
                                      MD5:44F8838F92D5960BC83F091F83A35A63
                                      SHA1:782415A855EA654A36EE0A9DC455DC75FF6835E5
                                      SHA-256:2AE0648BB0B6EC4A74952596463338FB939048924EC5926A0FB8F6E9A0CDAF63
                                      SHA-512:FE3D239C08AAB249E3418BBABA995B0BC52EAA048F6387C044E44B598B5E60D37A03BBFCAD29890E6459F6F0CBA28293FC59EEAB28098D80E7D2C5AABB484964
                                      Malicious:true
                                      Yara Hits:
                                      • Rule: JoeSecurity_Amadey_2, Description: Yara detected Amadey's stealer DLL, Source: C:\Users\user\AppData\Local\Temp\nmqufdalfa, Author: Joe Security
                                      Antivirus:
                                      • Antivirus: Avira, Detection: 100%
                                      • Antivirus: Joe Sandbox ML, Detection: 100%
                                      • Antivirus: ReversingLabs, Detection: 42%
                                      • Antivirus: Virustotal, Detection: 58%
                                      Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........d.Y@...@...@....m..Q....m.......h..R....h..W....h..5....m..U....m..S...@........k..A....k1.A....k..A...Rich@...........PE..L...s.[_..........................................@.......................................@.................................l........p...........................K..0...8...........................h...@............................................text...:........................... ..`.rdata..N...........................@..@.data....E... ...2..................@....rsrc........p.......:..............@..@.reloc...K.......L...<..............@..Buxcbu...............................@...........................................................................................................................................................................................................................................................................
                                      Process:C:\Windows\SysWOW64\cmd.exe
                                      File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                      Category:dropped
                                      Size (bytes):431104
                                      Entropy (8bit):6.522083819371716
                                      Encrypted:false
                                      SSDEEP:6144:ypvAjIqqzCYJuahsPf1X7izHrmTo2S2PMr7AwkuF6i38CmzBt6uZewcYW95vZntv:ypvJzlhnzzZ7A3+6i+Bt6uZewcLfv5Bf
                                      MD5:44F8838F92D5960BC83F091F83A35A63
                                      SHA1:782415A855EA654A36EE0A9DC455DC75FF6835E5
                                      SHA-256:2AE0648BB0B6EC4A74952596463338FB939048924EC5926A0FB8F6E9A0CDAF63
                                      SHA-512:FE3D239C08AAB249E3418BBABA995B0BC52EAA048F6387C044E44B598B5E60D37A03BBFCAD29890E6459F6F0CBA28293FC59EEAB28098D80E7D2C5AABB484964
                                      Malicious:true
                                      Yara Hits:
                                      • Rule: JoeSecurity_Amadey_2, Description: Yara detected Amadey's stealer DLL, Source: C:\Users\user\AppData\Local\Temp\yxh, Author: Joe Security
                                      Antivirus:
                                      • Antivirus: Avira, Detection: 100%
                                      • Antivirus: Joe Sandbox ML, Detection: 100%
                                      • Antivirus: ReversingLabs, Detection: 42%
                                      • Antivirus: Virustotal, Detection: 58%
                                      Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........d.Y@...@...@....m..Q....m.......h..R....h..W....h..5....m..U....m..S...@........k..A....k1.A....k..A...Rich@...........PE..L...s.[_..........................................@.......................................@.................................l........p...........................K..0...8...........................h...@............................................text...:........................... ..`.rdata..N...........................@..@.data....E... ...2..................@....rsrc........p.......:..............@..@.reloc...K.......L...<..............@..Buxcbu...............................@...........................................................................................................................................................................................................................................................................
                                      Process:C:\Windows\SysWOW64\cmd.exe
                                      File Type:data
                                      Category:dropped
                                      Size (bytes):286
                                      Entropy (8bit):3.476602724803168
                                      Encrypted:false
                                      SSDEEP:6:pam8fX5ZsUEZglJPZzKnslmc6tFXqYEp5t/uy0l5sBq/11:pTmcMJ4E4fXV5sBa
                                      MD5:3BCB09ED48E87598D7499A0B5EC7B56F
                                      SHA1:BCD5908B188D874E3826811D7B35745C5924111D
                                      SHA-256:E27F3897B2094197944F9C82CAF44FC4EF78311F1C39F4B4C0674416ABBE87BF
                                      SHA-512:2A6EF38B5D7FB2971A4A49BDA398B118FFF6B8D0E74055216EBBA64774B6DA6C1B9893F0B7F919B94FA56C2935B177D7057E05B51A9B596E409EEA3287762F1B
                                      Malicious:false
                                      Preview:........@.L.u(...:)F.......<... ................ ....................7.C.:.\.U.s.e.r.s.\.a.l.f.o.n.s.\.A.p.p.D.a.t.a.\.R.o.a.m.i.n.g.\.u.p.d.a.t.e.f.a.\.S.o.u.n.d.T.u.n.e...e.x.e.........A.L.F.O.N.S.-.P.C.\.a.l.f.o.n.s...................0...............................................
                                      File type:PE32+ executable (GUI) x86-64, for MS Windows
                                      Entropy (8bit):6.811333933290262
                                      TrID:
                                      • Win64 Executable GUI (202006/5) 92.65%
                                      • Win64 Executable (generic) (12005/4) 5.51%
                                      • Generic Win/DOS Executable (2004/3) 0.92%
                                      • DOS Executable Generic (2002/1) 0.92%
                                      • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
                                      File name:SoundTune.exe
                                      File size:9'888'656 bytes
                                      MD5:9fae2084f15f67cc3549bdcdba10e595
                                      SHA1:372f1fa71e6956647ed4087f063e9601458f926e
                                      SHA256:1249e422fd97163201b6a38b48f2220a6262133b4302ad2d850669d71e144b06
                                      SHA512:b710b89aaae2f58eaa382b7f3322f26c2f138a21086a90effebfe411c96c71d68dd976677d64d78ba088ffbf71f7bcec71b6757f4049246eac3279c2eb80c797
                                      SSDEEP:98304:A9MGsP1O5ytaNopUeCEnOX0a4GXgt6RHVHSNzQpvzk1bpbEd5QDc:AI1O5ytqQw0a4GXgt63HIzj1aoc
                                      TLSH:CDA6AE16A3E901F8E1F6D1BC8A579907E3B238160731A7EF069146275F27BE49D3B720
                                      File Content Preview:MZ......................@...................................8...........!..L.!This program cannot be run in DOS mode....$........./`..A3..A3..A3..B2..A3..D2..A3..A3..A3..E2..A3..G2..A3.BE2..A3..@2..A3..@3Q.A3.B.3..A3.BD2..A3.BE2..A3.BB2..A3.BH2..A3.BD2..A
                                      Icon Hash:88838e869a92908a
                                      Entrypoint:0x140179b7c
                                      Entrypoint Section:.text
                                      Digitally signed:true
                                      Imagebase:0x140000000
                                      Subsystem:windows gui
                                      Image File Characteristics:EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE
                                      DLL Characteristics:HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
                                      Time Stamp:0x65EE81C4 [Mon Mar 11 04:00:04 2024 UTC]
                                      TLS Callbacks:0x40558cc0, 0x1, 0x40558b80, 0x1
                                      CLR (.Net) Version:
                                      OS Version Major:6
                                      OS Version Minor:0
                                      File Version Major:6
                                      File Version Minor:0
                                      Subsystem Version Major:6
                                      Subsystem Version Minor:0
                                      Import Hash:92ad1eef9d9db8bbe25d3fde9a911af8
                                      Signature Valid:false
                                      Signature Issuer:CN=DigiCert Trusted G4 Code Signing RSA4096 SHA384 2021 CA1, O="DigiCert, Inc.", C=US
                                      Signature Validation Error:The digital signature of the object did not verify
                                      Error Number:-2146869232
                                      Not Before, Not After
                                      • 07/02/2023 01:00:00 09/03/2025 00:59:59
                                      Subject Chain
                                      • CN=Bitsum LLC, O=Bitsum LLC, L=Morristown, S=Tennessee, C=US, SERIALNUMBER=000681038, OID.2.5.4.15=Private Organization, OID.1.3.6.1.4.1.311.60.2.1.2=Tennessee, OID.1.3.6.1.4.1.311.60.2.1.3=US
                                      Version:3
                                      Thumbprint MD5:FB9B0227584CEEB65B18E46C16D44130
                                      Thumbprint SHA-1:D711D20586F0E0C654A9B0D3AA5EC9BC4295B5DC
                                      Thumbprint SHA-256:B309179E6516E33D374264683B0751DB5F23B09E625FF0B6A4163DF28051D08C
                                      Serial:0B494D7DF02097107B9065025133FE92
                                      Instruction
                                      dec eax
                                      sub esp, 28h
                                      call 00007F43E0D160F4h
                                      dec eax
                                      add esp, 28h
                                      jmp 00007F43E0D1588Fh
                                      int3
                                      int3
                                      jmp 00007F43E10C3088h
                                      int3
                                      int3
                                      int3
                                      inc eax
                                      push ebx
                                      dec eax
                                      sub esp, 20h
                                      dec eax
                                      mov ebx, ecx
                                      dec eax
                                      lea ecx, dword ptr [0067D938h]
                                      call dword ptr [0041FDF2h]
                                      and dword ptr [ebx], 00000000h
                                      dec eax
                                      lea ecx, dword ptr [0067D928h]
                                      call dword ptr [0041FDEAh]
                                      dec eax
                                      lea ecx, dword ptr [0067D913h]
                                      dec eax
                                      add esp, 20h
                                      pop ebx
                                      dec eax
                                      jmp dword ptr [0041FDC7h]
                                      int3
                                      int3
                                      int3
                                      inc eax
                                      push ebx
                                      dec eax
                                      sub esp, 20h
                                      dec eax
                                      mov ebx, ecx
                                      dec eax
                                      lea ecx, dword ptr [0067D8FCh]
                                      call dword ptr [0041FDB6h]
                                      mov eax, dword ptr [006626F8h]
                                      dec eax
                                      lea ecx, dword ptr [0067D8E9h]
                                      mov edx, dword ptr [0067DE73h]
                                      inc eax
                                      mov dword ptr [006626E3h], eax
                                      mov dword ptr [ebx], eax
                                      dec eax
                                      mov eax, dword ptr [00000058h]
                                      inc ecx
                                      mov ecx, 00000010h
                                      dec esp
                                      mov eax, dword ptr [eax+edx*8]
                                      mov eax, dword ptr [006626C8h]
                                      inc ebx
                                      mov dword ptr [ecx+eax], eax
                                      call dword ptr [0041FD7Eh]
                                      dec eax
                                      lea ecx, dword ptr [0067D8A7h]
                                      dec eax
                                      add esp, 20h
                                      pop ebx
                                      dec eax
                                      jmp dword ptr [0041FD5Bh]
                                      int3
                                      int3
                                      int3
                                      inc eax
                                      push ebx
                                      dec eax
                                      Name | Virtual Address | Virtual Size | Is in Section
                                      IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
                                      IMAGE_DIRECTORY_ENTRY_IMPORT | 0x7d7f14 | 0x140 | .rdata
                                      IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x885000 | 0x121ed4 | .rsrc
                                      IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x84c000 | 0x378cc | .pdata
                                      IMAGE_DIRECTORY_ENTRY_SECURITY | 0x96ba00 | 0x2990 | .rsrc
                                      IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x9a7000 | 0x1c50e |
                                      IMAGE_DIRECTORY_ENTRY_DEBUG | 0x733d70 | 0x70 | .rdata
                                      IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
                                      IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
                                      IMAGE_DIRECTORY_ENTRY_TLS | 0x733f80 | 0x28 | .rdata
                                      IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x733c30 | 0x140 | .rdata
                                      IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
                                      IMAGE_DIRECTORY_ENTRY_IAT | 0x599000 | 0x1350 | .rdata
                                      IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
                                      IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
                                      IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
                                      Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
                                      .text | 0x1000 | 0x59755c | 0x597600 | a2ba293ff3f59b6467682e8b471acf26 | unknown | unknown | unknown | unknown | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                                      .rdata | 0x599000 | 0x242ef2 | 0x243000 | adb73c7b524b6fa4246578b9129f16c3 | unknown | unknown | unknown | unknown | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                                      .data | 0x7dc000 | 0x6fb58 | 0x1ae00 | 4bed99239f8098e46bfddde8fab4c538 | False | 0.16521620639534884 | data | 4.282858204960616 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                                      .pdata | 0x84c000 | 0x378cc | 0x37a00 | 6166b1f90e7e7958e8d78411836d9e96 | False | 0.484936797752809 | data | 6.405501267802734 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                                      _RDATA | 0x884000 | 0x1f4 | 0x200 | a312e392362d19855ae5db508e76d480 | False | 0.52734375 | data | 4.206794279284555 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                                      .rsrc | 0x885000 | 0x121ed4 | 0x122000 | e6f6f382c2cb2f8b28d51e63114c50e1 | False | 0.9917615167025862 | data | 7.992020517788216 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                                      .reloc | 0x9a7000 | 0x1c508 | 0x1c600 | 59572eb07d851d58f325167286748692 | False | 0.07543192455947137 | data | 5.45142939957041 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
                                      Name | RVA | Size | Type | Language | Country | ZLIB Complexity
                                      IQ | 0x885168 | 0x121661 | PNG image data, 4480 x 508, 8-bit/color RGB, non-interlaced | | | 0.9965143203735352
                                      RT_ICON | 0x9a67cc | 0x128 | Device independent bitmap graphic, 16 x 32 x 4, image size 128, 16 important colors | English | United States | 0.30743243243243246
                                      RT_ICON | 0x9a68f4 | 0x2e8 | Device independent bitmap graphic, 32 x 64 x 4, image size 512, 16 important colors | English | United States | 0.16801075268817203
                                      RT_GROUP_ICON | 0x9a6bdc | 0x22 | data | English | United States | 1.0
                                      RT_MANIFEST | 0x9a6c00 | 0x2d4 | XML 1.0 document, ASCII text, with CRLF line terminators | English | United States | 0.4972375690607735
                                      DLL | Import
                                      ADVAPI32.dll | GetUserNameA, RegEnumValueW, RegEnumKeyW, RegDeleteValueW, RegDeleteKeyExW, RegCreateKeyExW, RegCloseKey, RegQueryValueExW, RegSetValueExW, GetUserNameW, RegOpenKeyExW
                                      KERNEL32.dll | CreateMutexW, SetThreadPriority, TerminateThread, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, FormatMessageW, GetFileType, ExpandEnvironmentStringsW, GetFileTime, GetLongPathNameW, GetTempFileNameW, CreateIoCompletionPort, GetQueuedCompletionStatus, PostQueuedCompletionStatus, ReadDirectoryChangesW, GetEnvironmentVariableW, GetVersionExW, GetModuleFileNameW, LoadResource, LockResource, SizeofResource, FindResourceW, IsValidCodePage, GetCommandLineW, GetModuleHandleExW, SetEvent, CreateEventW, PeekNamedPipe, WaitForMultipleObjects, CreateThread, GetDriveTypeW, GetLogicalDriveStringsW, IsBadReadPtr, IsBadStringPtrA, GetUserPreferredUILanguages, SetThreadPreferredUILanguages, GetUserDefaultLocaleName, GetFileSizeEx, LocalAlloc, OutputDebugStringW, FreeLibrary, GetProcAddress, LoadLibraryA, RtlCaptureContext, GetThreadLocale, GetLocaleInfoW, GetACP, SetErrorMode, LoadLibraryW, GlobalFree, GlobalHandle, GlobalLock, GlobalUnlock, GlobalSize, GlobalAlloc, ExitProcess, ReadConsoleOutputCharacterA, SetConsoleCursorPosition, GetConsoleScreenBufferInfo, FillConsoleOutputCharacterW, GetEnvironmentVariableA, GetCurrentDirectoryA, GetFileAttributesA, OutputDebugStringA, CloseHandle, GetLastError, SetLastError, RtlUnwindEx, InterlockedPushEntrySList, RtlUnwind, InitializeCriticalSectionAndSpinCount, LoadLibraryExW, ExitThread, FreeLibraryAndExitThread, SetStdHandle, SystemTimeToTzSpecificLocalTime, FileTimeToSystemTime, GetTimeZoneInformation, DeleteFileW, FlushFileBuffers, GetConsoleMode, ReadConsoleW, GetConsoleOutputCP, SetFilePointerEx, HeapFree, HeapAlloc, FlsAlloc, FlsGetValue, FlsSetValue, FlsFree, GetDateFormatW, GetTimeFormatW, CompareStringW, LCMapStringW, IsValidLocale, GetUserDefaultLCID, EnumSystemLocalesW, HeapReAlloc, GetOEMCP, GetEnvironmentStringsW, FreeEnvironmentStringsW, SetEnvironmentVariableW, GetCommandLineA, GetProcessHeap, WriteConsoleW, WriteConsoleA, AttachConsole, GetStdHandle, MulDiv, GetCPInfo, CompareStringEx, SetEndOfFile, HeapSize, LCMapStringEx, DeleteCriticalSection, InitializeCriticalSectionEx, DecodePointer, EncodePointer, GetFileInformationByHandleEx, MoveFileExW, CopyFileW, AreFileApisANSI, GetTempPathW, GetCurrentThread, GetFullPathNameW, GetFileInformationByHandle, GetFileAttributesExW, SuspendThread, GetFileAttributesW, FindNextFileW, FindFirstFileExW, FindFirstFileW, CreateFileW, CreateDirectoryW, GetCurrentDirectoryW, SetCurrentDirectoryW, GetStringTypeW, MultiByteToWideChar, WideCharToMultiByte, WakeConditionVariable, TryAcquireSRWLockExclusive, GetNativeSystemInfo, GetExitCodeThread, Sleep, WaitForSingleObjectEx, GetLocaleInfoEx, FormatMessageA, LocalFree, RaiseException, RtlPcToFileHeader, InitializeSListHead, GetSystemTimeAsFileTime, TerminateProcess, GetModuleHandleW, IsProcessorFeaturePresent, GetStartupInfoW, UnhandledExceptionFilter, RtlVirtualUnwind, RtlLookupFunctionEntry, SleepConditionVariableSRW, WakeAllConditionVariable, AcquireSRWLockExclusive, ReleaseSRWLockExclusive, IsDebuggerPresent, GetFullPathNameA, RtlDeleteFunctionTable, GetSystemDirectoryA, InitializeCriticalSection, LeaveCriticalSection, RtlAddFunctionTable, EnterCriticalSection, FreeConsole, AllocConsole, FindClose, FindNextFileA, FindFirstFileA, GetConsoleWindow, GetLogicalProcessorInformation, QueryPerformanceCounter, QueryPerformanceFrequency, GetOverlappedResult, ReadFile, GetExitCodeProcess, WaitForSingleObject, CreateProcessA, CreateEventA, SetHandleInformation, CreatePipe, CreateNamedPipeA, GetCurrentThreadId, WriteProcessMemory, VirtualProtect, GetCurrentProcessId, GetCurrentProcess, FatalAppExitA, SetUnhandledExceptionFilter, WriteFile, CreateFileA, GetModuleFileNameA, ReadProcessMemory, GetVersionExA, GetThreadContext, ResumeThread
                                      USER32.dll | FindWindowExW, ChildWindowFromPoint, GetDesktopWindow, UnionRect, GetComboBoxInfo, IsRectEmpty, ValidateRgn, ValidateRect, PostThreadMessageW, GetMessageW, GetMenuBarInfo, GetWindowDC, HideCaret, keybd_event, IsMenu, CheckMenuRadioItem, GetSysColorBrush, GetMenuItemID, CheckMenuItem, DrawFrameControl, DrawEdge, DrawIconEx, GetCaretBlinkTime, GetDoubleClickTime, TranslateAcceleratorW, DestroyAcceleratorTable, CreateAcceleratorTableW, GetClassNameW, MessageBeep, GetWindowTextLengthW, GetWindowTextW, GetClipboardFormatNameW, RegisterClipboardFormatW, SetForegroundWindow, GetSystemMenu, GetDialogBaseUnits, CreateDialogIndirectParamW, IsZoomed, BringWindowToTop, IsIconic, FlashWindowEx, SetLayeredWindowAttributes, GetMonitorInfoW, MonitorFromWindow, GetWindowPlacement, SetWindowRgn, InsertMenuItemW, SetMenuInfo, RemoveMenu, ModifyMenuW, AppendMenuW, InsertMenuW, EnableMenuItem, DestroyMenu, CreatePopupMenu, CreateMenu, DrawMenuBar, GetMenuState, GetDlgItem, CreateDialogParamW, SystemParametersInfoW, GetScrollInfo, SetScrollInfo, IsDialogMessageW, CallNextHookEx, UnhookWindowsHookEx, SetWindowsHookExW, GetWindow, SetParent, SetWindowLongW, PtInRect, ChildWindowFromPointEx, WindowFromPoint, MapWindowPoints, ScreenToClient, DdeQueryStringW, GetCursorPos, SetCursorPos, GetClientRect, DefMDIChildProcW, DefFrameProcW, AdjustWindowRectEx, EnableScrollBar, ScrollWindow, RedrawWindow, InvalidateRect, GetUpdateRgn, UpdateWindow, GetMenuItemInfoW, TrackPopupMenu, GetMenuItemCount, EnableWindow, ReleaseCapture, IsClipboardFormatAvailable, GetPropW, ChangeDisplaySettingsExW, EnumDisplaySettingsW, MonitorFromPoint, MonitorFromRect, EnumDisplayMonitors, wsprintfW, DdeInitializeW, DdeUninitialize, DdeConnect, DdeDisconnect, DdePostAdvise, DdeNameService, DdeClientTransaction, DdeCreateDataHandle, DdeGetData, SetCapture, GetCapture, MapVirtualKeyW, VkKeyScanW, GetAsyncKeyState, GetFocus, GetActiveWindow, SetFocus, IsWindowVisible, EndDeferWindowPos, DeferWindowPos, BeginDeferWindowPos, SetWindowPos, MoveWindow, AnimateWindow, ShowWindow, IsWindow, CallWindowProcW, DdeFreeStringHandle, PostQuitMessage, DefWindowProcW, GetMessageTime, GetMessagePos, UnregisterHotKey, RegisterHotKey, PeekMessageW, DispatchMessageW, TranslateMessage, CreateIconIndirect, DestroyCursor, GetIconInfo, LoadImageW, LoadBitmapW, SetWindowTextW, ReleaseDC, GetDC, SetWindowLongPtrW, GetWindowLongPtrW, OffsetRect, InflateRect, CopyRect, SetRectEmpty, SetRect, FillRect, DrawFocusRect, GetSysColor, DrawStateW, TranslateMDISysAccel, MessageBoxA, DdeFreeDataHandle, DdeGetLastError, GetParent, DdeCreateStringHandleW, DrawTextW, IsWindowEnabled, GetWindowRect, SetMenu, PostMessageW, RegisterWindowMessageW, GetWindowLongW, EndPaint, BeginPaint, DestroyWindow, CreateWindowExW, SendMessageW, LoadIconW, LoadCursorW, GetProcessDefaultLayout, MessageBoxW, GetKeyState, UnregisterClassW, KillTimer, SetTimer, MsgWaitForMultipleObjects, ClientToScreen, RegisterClassW, DestroyIcon, SetCursor, GetSystemMetrics, SetMenuItemInfoW, GetSubMenu, UpdateLayeredWindow
                                      GDI32.dll | GdiFlush, ExtCreateRegion, GetRegionData, OffsetRgn, GetBkColor, LineTo, MoveToEx, ExtTextOutW, GetStockObject, CreateHatchBrush, CreatePatternBrush, CreatePen, ExtCreatePen, Arc, Ellipse, ExtFloodFill, GetClipBox, GetObjectType, GetPixel, MaskBlt, Pie, PolyPolygon, Rectangle, RoundRect, SelectClipRgn, ExtSelectClipRgn, SetGraphicsMode, SetMapMode, SetLayout, GetLayout, SetPixel, SetPolyFillMode, StretchDIBits, SetROP2, GetWorldTransform, SetWorldTransform, ModifyWorldTransform, CreatePolygonRgn, DPtoLP, LPtoDP, Polygon, SetBrushOrgEx, PolyBezier, SetViewportExtEx, SetWindowExtEx, SetWindowOrgEx, GetTextExtentPoint32W, CreatePalette, GetNearestPaletteIndex, GetPaletteEntries, GetCharABCWidthsW, GetTextExtentExPointW, CombineRgn, CreateRectRgnIndirect, RectInRegion, EqualRgn, GetRgnBox, PtInRegion, CreateDIBitmap, GetDIBits, CreateDIBSection, GetDIBColorTable, SetDIBColorTable, CreateICW, SetAbortProc, CreateDCW, StartDocW, EndDoc, StartPage, EndPage, EnumFontFamiliesExW, GetSystemPaletteEntries, CloseEnhMetaFile, CreateEnhMetaFileW, DeleteEnhMetaFile, GetEnhMetaFileW, GetEnhMetaFileHeader, PlayEnhMetaFile, SelectPalette, RealizePalette, ExcludeClipRect, CreateRectRgn, CreateCompatibleBitmap, CreateBitmapIndirect, CreateBitmap, SetStretchBltMode, BitBlt, StretchBlt, DeleteDC, CreateCompatibleDC, GetObjectW, GetTextMetricsW, SelectObject, GetOutlineTextMetricsW, GetDeviceCaps, CreateFontIndirectW, SetTextColor, SetBkMode, SetBkColor, GetWindowExtEx, GetViewportExtEx, GetGraphicsMode, DeleteObject, Polyline, CreateSolidBrush
                                      WINSPOOL.DRV | OpenPrinterW, DocumentPropertiesW, ClosePrinter, GetPrinterW
                                      COMDLG32.dll | GetSaveFileNameW, GetOpenFileNameW, PageSetupDlgW, PrintDlgExW, PrintDlgW, CommDlgExtendedError, ChooseFontW, ChooseColorW
                                      SHELL32.dll | ExtractIconExW, DragQueryFileW, DragQueryPoint, SHGetFolderPathW, CommandLineToArgvW, SHCreateItemFromParsingName, ExtractIconW, SHGetStockIconInfo, SHGetFileInfoW, Shell_NotifyIconW, ShellExecuteExW, DragAcceptFiles, DragFinish
                                      ole32.dll | DoDragDrop, CoInitializeEx, CoTaskMemAlloc, RevokeDragDrop, OleGetClipboard, CoCreateInstance, CoLockObjectExternal, ReleaseStgMedium, OleUninitialize, OleInitialize, OleSetClipboard, OleFlushClipboard, OleIsCurrentClipboard, RegisterDragDrop, CoUninitialize, CoTaskMemFree
                                      OLEACC.dll | LresultFromObject
                                      UxTheme.dll | CloseThemeData, IsThemeBackgroundPartiallyTransparent, GetThemeMargins, DrawThemeParentBackground, GetThemeBackgroundContentRect, GetThemePartSize, GetCurrentThemeName, GetThemeBackgroundExtent, IsThemePartDefined, GetThemeTextExtent, GetThemeFont, IsAppThemed, IsThemeActive, GetThemeColor, DrawThemeBackground, OpenThemeData, DrawThemeTextEx, SetWindowTheme, GetThemeSysFont, GetThemeSysColor, GetThemeInt
                                      VERSION.dll | GetFileVersionInfoA, VerQueryValueA, GetFileVersionInfoSizeA
                                      MSIMG32.dll | GradientFill, AlphaBlend
                                      SHLWAPI.dll | PathMatchSpecW, SHAutoComplete
                                      COMCTL32.dll | ImageList_GetImageInfo, ImageList_GetIconSize, ImageList_GetIcon, ImageList_Remove, ImageList_AddMasked, ImageList_Replace, ImageList_Draw, ImageList_SetBkColor, ImageList_Add, ImageList_GetImageCount, ImageList_Destroy, ImageList_Create
                                      RPCRT4.dll | UuidToStringW, RpcStringFreeW
                                      Language of compilation system | Country where language is spoken
                                      English | United States
                                      No network behavior found

                                      Target ID:0
                                      Start time:07:08:59
                                      Start date:14/04/2024
                                      Path:C:\Users\user\Desktop\SoundTune.exe
                                      Wow64 process (32bit):false
                                      Commandline:"C:\Users\user\Desktop\SoundTune.exe"
                                      Imagebase:0x7ff77a350000
                                      File size:9'888'656 bytes
                                      MD5 hash:9FAE2084F15F67CC3549BDCDBA10E595
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Yara matches:
                                      • Rule: JoeSecurity_UACBypassusingCMSTP, Description: Yara detected UAC Bypass using CMSTP, Source: 00000000.00000002.2053261362.0000022584B90000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                      Reputation:low
                                      Has exited:true

                                      Target ID:2
                                      Start time:07:09:01
                                      Start date:14/04/2024
                                      Path:C:\Windows\SysWOW64\cmd.exe
                                      Wow64 process (32bit):true
                                      Commandline:C:\Windows\SysWOW64\cmd.exe
                                      Imagebase:0x790000
                                      File size:236'544 bytes
                                      MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Yara matches:
                                      • Rule: JoeSecurity_UACBypassusingCMSTP, Description: Yara detected UAC Bypass using CMSTP, Source: 00000002.00000002.2330278372.0000000004A99000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                      • Rule: JoeSecurity_Amadey_2, Description: Yara detected Amadey's stealer DLL, Source: 00000002.00000002.2330822665.00000000054A0000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
                                      Reputation:high
                                      Has exited:true

                                      Target ID:3
                                      Start time:07:09:01
                                      Start date:14/04/2024
                                      Path:C:\Windows\System32\conhost.exe
                                      Wow64 process (32bit):false
                                      Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                      Imagebase:0x7ff6d64d0000
                                      File size:862'208 bytes
                                      MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Reputation:high
                                      Has exited:true

                                      Target ID:5
                                      Start time:07:09:12
                                      Start date:14/04/2024
                                      Path:C:\Users\user\AppData\Roaming\updatefa\SoundTune.exe
                                      Wow64 process (32bit):false
                                      Commandline:C:\Users\user\AppData\Roaming\updatefa\SoundTune.exe
                                      Imagebase:0x7ff6fde40000
                                      File size:9'888'656 bytes
                                      MD5 hash:9FAE2084F15F67CC3549BDCDBA10E595
                                      Has elevated privileges:false
                                      Has administrator privileges:false
                                      Programmed in:C, C++ or other language
                                      Yara matches:
                                      • Rule: JoeSecurity_UACBypassusingCMSTP, Description: Yara detected UAC Bypass using CMSTP, Source: 00000005.00000002.2243163643.00000278AB600000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                      • Rule: JoeSecurity_UACBypassusingCMSTP, Description: Yara detected UAC Bypass using CMSTP, Source: 00000005.00000002.2244717993.00000278AE3D1000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                      Reputation:low
                                      Has exited:true

                                      Target ID:6
                                      Start time:07:09:13
                                      Start date:14/04/2024
                                      Path:C:\Users\user\AppData\Roaming\updatefa\SoundTune.exe
                                      Wow64 process (32bit):false
                                      Commandline:C:\Users\user\AppData\Roaming\updatefa\SoundTune.exe
                                      Imagebase:0x7ff6fde40000
                                      File size:9'888'656 bytes
                                      MD5 hash:9FAE2084F15F67CC3549BDCDBA10E595
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Yara matches:
                                      • Rule: JoeSecurity_UACBypassusingCMSTP, Description: Yara detected UAC Bypass using CMSTP, Source: 00000006.00000002.2201257984.000002A37F99F000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                      Reputation:low
                                      Has exited:true

                                      Target ID:7
                                      Start time:07:09:14
                                      Start date:14/04/2024
                                      Path:C:\Windows\SysWOW64\cmd.exe
                                      Wow64 process (32bit):true
                                      Commandline:C:\Windows\SysWOW64\cmd.exe
                                      Imagebase:0x790000
                                      File size:236'544 bytes
                                      MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Yara matches:
                                      • Rule: JoeSecurity_UACBypassusingCMSTP, Description: Yara detected UAC Bypass using CMSTP, Source: 00000007.00000002.2413913656.000000000541B000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                      • Rule: JoeSecurity_Amadey_2, Description: Yara detected Amadey's stealer DLL, Source: 00000007.00000002.2414191195.0000000005A20000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
                                      Reputation:high
                                      Has exited:true

                                      Target ID:8
                                      Start time:07:09:15
                                      Start date:14/04/2024
                                      Path:C:\Windows\System32\conhost.exe
                                      Wow64 process (32bit):false
                                      Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                      Imagebase:0x7ff6d64d0000
                                      File size:862'208 bytes
                                      MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Reputation:high
                                      Has exited:true

                                      Target ID:13
                                      Start time:07:09:20
                                      Start date:14/04/2024
                                      Path:C:\Users\user\AppData\Roaming\updatefa\SoundTune.exe
                                      Wow64 process (32bit):false
                                      Commandline:"C:\Users\user\AppData\Roaming\updatefa\SoundTune.exe"
                                      Imagebase:0x7ff6fde40000
                                      File size:9'888'656 bytes
                                      MD5 hash:9FAE2084F15F67CC3549BDCDBA10E595
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Yara matches:
                                      • Rule: JoeSecurity_UACBypassusingCMSTP, Description: Yara detected UAC Bypass using CMSTP, Source: 0000000D.00000002.2254650455.0000025B712CB000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                      Reputation:low
                                      Has exited:true

                                      Target ID:14
                                      Start time:07:09:21
                                      Start date:14/04/2024
                                      Path:C:\Windows\SysWOW64\cmd.exe
                                      Wow64 process (32bit):true
                                      Commandline:C:\Windows\SysWOW64\cmd.exe
                                      Imagebase:0x790000
                                      File size:236'544 bytes
                                      MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Yara matches:
                                      • Rule: JoeSecurity_Amadey_2, Description: Yara detected Amadey's stealer DLL, Source: 0000000E.00000002.2479094817.0000000005900000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
                                      • Rule: JoeSecurity_UACBypassusingCMSTP, Description: Yara detected UAC Bypass using CMSTP, Source: 0000000E.00000002.2478639571.00000000052E1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                      Reputation:high
                                      Has exited:true

                                      Target ID:15
                                      Start time:07:09:21
                                      Start date:14/04/2024
                                      Path:C:\Windows\System32\conhost.exe
                                      Wow64 process (32bit):false
                                      Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                      Imagebase:0x7ff6d64d0000
                                      File size:862'208 bytes
                                      MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Reputation:high
                                      Has exited:true

                                      Target ID:16
                                      Start time:07:09:22
                                      Start date:14/04/2024
                                      Path:C:\Windows\SysWOW64\explorer.exe
                                      Wow64 process (32bit):true
                                      Commandline:C:\Windows\SysWOW64\explorer.exe
                                      Imagebase:0x40000
                                      File size:4'514'184 bytes
                                      MD5 hash:DD6597597673F72E10C9DE7901FBA0A8
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Yara matches:
                                      • Rule: JoeSecurity_UACBypassusingCMSTP, Description: Yara detected UAC Bypass using CMSTP, Source: 00000010.00000002.2330168207.00000000047A9000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                      • Rule: JoeSecurity_Amadey_2, Description: Yara detected Amadey's stealer DLL, Source: 00000010.00000002.2329605585.0000000002591000.00000020.00000001.01000000.00000000.sdmp, Author: Joe Security
                                      Reputation:moderate
                                      Has exited:true

                                      Target ID:17
                                      Start time:07:09:29
                                      Start date:14/04/2024
                                      Path:C:\Windows\SysWOW64\explorer.exe
                                      Wow64 process (32bit):true
                                      Commandline:C:\Windows\SysWOW64\explorer.exe
                                      Imagebase:0x40000
                                      File size:4'514'184 bytes
                                      MD5 hash:DD6597597673F72E10C9DE7901FBA0A8
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Yara matches:
                                      • Rule: JoeSecurity_Amadey_2, Description: Yara detected Amadey's stealer DLL, Source: 00000011.00000002.2414365443.0000000002591000.00000004.00000001.01000000.00000000.sdmp, Author: Joe Security
                                      • Rule: JoeSecurity_UACBypassusingCMSTP, Description: Yara detected UAC Bypass using CMSTP, Source: 00000011.00000002.2414793420.0000000004919000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                      Reputation:moderate
                                      Has exited:true

                                      Target ID:18
                                      Start time:07:09:35
                                      Start date:14/04/2024
                                      Path:C:\Windows\SysWOW64\explorer.exe
                                      Wow64 process (32bit):true
                                      Commandline:C:\Windows\SysWOW64\explorer.exe
                                      Imagebase:0x40000
                                      File size:4'514'184 bytes
                                      MD5 hash:DD6597597673F72E10C9DE7901FBA0A8
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Yara matches:
                                      • Rule: JoeSecurity_UACBypassusingCMSTP, Description: Yara detected UAC Bypass using CMSTP, Source: 00000012.00000002.2478523985.0000000004CA2000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                      • Rule: JoeSecurity_Amadey_2, Description: Yara detected Amadey's stealer DLL, Source: 00000012.00000002.2477851015.0000000002C41000.00000020.00000001.01000000.00000000.sdmp, Author: Joe Security
                                      Reputation:moderate
                                      Has exited:true

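The process records above carry two facts worth reading together: the same SoundTune.exe (identical path and MD5) is started once without elevated privileges (Target ID 5) and, one second later, with them (Target ID 6), and the Amadey stealer-DLL Yara hit inside the 32-bit explorer.exe processes sits in a dump whose name encodes an executable image region, not a heap buffer. The following Python script is an added example (not part of the Joe Sandbox report or its tooling) that parses records in this layout and makes both checks. The sample records are copied from this report and trimmed to the fields used; the interpretation of the dump-name fields (target ID in hex, then phase, dump id, base address, page protection, an unlabelled field, memory type, and a trailing field) is an assumption inferred from the values seen here, not from Joe Sandbox documentation, so only the target ID, base address, protection and type are decoded.

```python
"""Parse Joe Sandbox process records and the Yara memory-dump names they cite."""
import re
from dataclasses import dataclass, field

# Win32 memory constants. ASSUMPTION: the 5th and 7th fields of a dump name hold
# raw PAGE_* and MEM_* values (inferred from the observed 0x04/0x20 and 0x20000/0x1000000).
PAGE_PROTECT = {0x02: "PAGE_READONLY", 0x04: "PAGE_READWRITE", 0x08: "PAGE_WRITECOPY",
                0x20: "PAGE_EXECUTE_READ", 0x40: "PAGE_EXECUTE_READWRITE"}
MEM_TYPE = {0x20000: "MEM_PRIVATE", 0x40000: "MEM_MAPPED", 0x1000000: "MEM_IMAGE"}

# Constructed sample: three records from the report (Target IDs 5, 6 and 16), trimmed.
SAMPLE = r"""
Target ID:5
Path:C:\Users\user\AppData\Roaming\updatefa\SoundTune.exe
Wow64 process (32bit):false
Has elevated privileges:false
Yara matches:
• Rule: JoeSecurity_UACBypassusingCMSTP, Description: Yara detected UAC Bypass using CMSTP, Source: 00000005.00000002.2243163643.00000278AB600000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security

Target ID:6
Path:C:\Users\user\AppData\Roaming\updatefa\SoundTune.exe
Wow64 process (32bit):false
Has elevated privileges:true
Yara matches:
• Rule: JoeSecurity_UACBypassusingCMSTP, Description: Yara detected UAC Bypass using CMSTP, Source: 00000006.00000002.2201257984.000002A37F99F000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security

Target ID:16
Path:C:\Windows\SysWOW64\explorer.exe
Wow64 process (32bit):true
Has elevated privileges:true
Yara matches:
• Rule: JoeSecurity_UACBypassusingCMSTP, Description: Yara detected UAC Bypass using CMSTP, Source: 00000010.00000002.2330168207.00000000047A9000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_Amadey_2, Description: Yara detected Amadey's stealer DLL, Source: 00000010.00000002.2329605585.0000000002591000.00000020.00000001.01000000.00000000.sdmp, Author: Joe Security
"""

@dataclass
class DumpSource:
    target_id: int   # field 1 (hex): the report's Target ID
    base: int        # field 4: region base address
    protect: str     # field 5: page protection (assumed PAGE_* value)
    mem_type: str    # field 7: memory type (assumed MEM_* value)
    raw: str

def parse_dump_source(name):
    """Split 'TID.PHASE.DUMPID.BASE.PROT.F6.TYPE.F8.sdmp' into its fields (layout assumed)."""
    parts = name.removesuffix(".sdmp").split(".")
    if len(parts) != 8:
        raise ValueError(f"unrecognised dump name: {name}")
    tid, _phase, _dump_id, base, protect, _f6, mtype, _f8 = parts
    p, t = int(protect, 16), int(mtype, 16)
    return DumpSource(int(tid, 16), int(base, 16),
                      PAGE_PROTECT.get(p, f"0x{p:x}"), MEM_TYPE.get(t, f"0x{t:x}"), name)

@dataclass
class Proc:
    target_id: int
    path: str = ""
    wow64: bool = False
    elevated: bool = False
    yara: list = field(default_factory=list)   # (rule name, DumpSource) pairs

YARA_RE = re.compile(r"Rule: (\S+), Description: .*?, Source: (\S+\.sdmp), Author")

def parse_processes(text):
    """Turn the report's 'Target ID:' blocks into Proc objects."""
    procs, cur = [], None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("Target ID:"):
            cur = Proc(int(line.split(":", 1)[1]))
            procs.append(cur)
        elif cur is None:
            continue
        elif line.startswith("Path:"):
            cur.path = line.split(":", 1)[1]
        elif line.startswith("Wow64 process"):
            cur.wow64 = line.endswith("true")
        elif line.startswith("Has elevated privileges:"):
            cur.elevated = line.endswith("true")
        elif line.startswith("•"):
            m = YARA_RE.search(line)
            if m:
                cur.yara.append((m.group(1), parse_dump_source(m.group(2))))
    return procs

def findings(procs):
    """Cross-checks an analyst would make while reading the process list."""
    out, by_path = [], {}
    for p in procs:
        by_path.setdefault(p.path, []).append(p)
    # The same binary relaunched non-elevated then elevated, as a UAC bypass produces.
    for same in by_path.values():
        same.sort(key=lambda p: p.target_id)
        for a, b in zip(same, same[1:]):
            if not a.elevated and b.elevated:
                out.append(f"elevation: target {a.target_id} -> target {b.target_id} ({b.path})")
    for p in procs:
        for rule, d in p.yara:
            if d.target_id != p.target_id:   # the dump name must agree with the record it sits in
                out.append(f"mismatch: {d.raw} listed under target {p.target_id}")
            # A stealer match in an executable image region of explorer.exe is the injected module.
            if "Amadey" in rule and d.mem_type == "MEM_IMAGE" and "EXECUTE" in d.protect:
                out.append(f"injected image: {rule} at 0x{d.base:x} ({d.protect}) in target {p.target_id} {p.path}")
    return out

if __name__ == "__main__":
    for line in findings(parse_processes(SAMPLE)):
        print(line)
```

Run against the sample it reports the target 5 to target 6 elevation of SoundTune.exe and places the JoeSecurity_Amadey_2 hit at 0x2591000 in a PAGE_EXECUTE_READ, MEM_IMAGE region of the WOW64 explorer.exe; the CMSTP hit in the same process is in PAGE_READWRITE private memory and is not flagged. To use it on a full report, paste all of the Target ID blocks into SAMPLE or read them from a file; records that cite a dump whose target ID does not match the record are reported as a mismatch rather than silently accepted.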
                                        APIs
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.2054106831.00007FF77A351000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF77A350000, based on PE: true
                                        • Associated: 00000000.00000002.2054084454.00007FF77A350000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2054568199.00007FF77A8E9000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2054789704.00007FF77AB2C000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2054821048.00007FF77AB33000.00000008.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2054853341.00007FF77AB46000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2054853341.00007FF77AB52000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2054853341.00007FF77AB74000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2054939920.00007FF77AB9C000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_7ff77a350000_SoundTune.jbxd
                                        Similarity
                                        • API ID: CurrentTime$CounterFilePerformanceProcessQuerySystemThread
                                        • String ID:
                                        • API String ID: 2933794660-0
                                        • Opcode ID: d24632a9d7cbfeac47ec91ea4afc9551f528e4bafdd956463c956835574216d6
                                        • Instruction ID: 114739ecf774822932b71b029816236804458216cc47fe4a0f76f695fe55340b
                                        • Opcode Fuzzy Hash: d24632a9d7cbfeac47ec91ea4afc9551f528e4bafdd956463c956835574216d6
                                        • Instruction Fuzzy Hash: CF111C23B28F0189FB009B64E8542A8B3A4FB59758F840E31EA6D46BA4DF7CD1648350
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000005.00000002.2238113527.00000278A82D4000.00000004.00000020.00020000.00000000.sdmp, Offset: 00000278A82D4000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_5_2_278a82d4000_SoundTune.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID: F$F
                                        • API String ID: 0-3842059619
                                        • Opcode ID: 4ee8cd6e0099949ee7e3de4809a1d67a6e3a3d3dda47f7623f4c4ef407459fc0
                                        • Instruction ID: 592b6115601777a03f9d273a82e1a71b97f3c3b6cad5b717c0e81dc2abf4408d
                                        • Opcode Fuzzy Hash: 4ee8cd6e0099949ee7e3de4809a1d67a6e3a3d3dda47f7623f4c4ef407459fc0
                                        • Instruction Fuzzy Hash: D4B2917159CA498FE762DB68C88E3A67AE1FBA5300F54412BD04AC72E1EF34C485CB95
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000005.00000002.2238113527.00000278A82D4000.00000004.00000020.00020000.00000000.sdmp, Offset: 00000278A82D4000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_5_2_278a82d4000_SoundTune.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID: N$N
                                        • API String ID: 0-3855217897
                                        • Opcode ID: ee48e87e63c0dfedfa4d5318cedfa5ca47cce991329359ddbdce0cfcca9fc923
                                        • Instruction ID: 03ce9f71c9ccc9281112035d30aba12ea52bd376e54005c1ce44076d0eca6d19
                                        • Opcode Fuzzy Hash: ee48e87e63c0dfedfa4d5318cedfa5ca47cce991329359ddbdce0cfcca9fc923
                                        • Instruction Fuzzy Hash: DAB29F3159CA498FE762EB28C84E7B67AE1FBA5300F54412BD04DC72E1EF748981CB95
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000005.00000002.2238113527.00000278A82D4000.00000004.00000020.00020000.00000000.sdmp, Offset: 00000278A82D4000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_5_2_278a82d4000_SoundTune.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID: A$A
                                        • API String ID: 0-2116726341
                                        • Opcode ID: cc709553d37fb9f742f60e05f6f9532686fe4be471f2e81f3f8d64585817493e
                                        • Instruction ID: c149c9b0eaac1d0d0e3fbaf0c91b4eb6ff9cb1604c60ceebf0dd35a6e77258ad
                                        • Opcode Fuzzy Hash: cc709553d37fb9f742f60e05f6f9532686fe4be471f2e81f3f8d64585817493e
                                        • Instruction Fuzzy Hash: 70B2923159CA498FE762DB28C88A7AA7BE0FBA5300F54416BD04EC71E1FF748485CB95
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000005.00000002.2238113527.00000278A82D4000.00000004.00000020.00020000.00000000.sdmp, Offset: 00000278A82D4000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_5_2_278a82d4000_SoundTune.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID: I$I
                                        • API String ID: 0-2128771023
                                        • Opcode ID: 9d629832e2347b0e85e4e90e9fab74ea1ae34d6c0a7c66158f31fbb2b7efbab1
                                        • Instruction ID: 1973aa326f15ea990c9fb9c01b6db2bbfb4ed590b0d2a69b469cab640f3edbd8
                                        • Opcode Fuzzy Hash: 9d629832e2347b0e85e4e90e9fab74ea1ae34d6c0a7c66158f31fbb2b7efbab1
                                        • Instruction Fuzzy Hash: 14B293315A8A498FE762DB68C84E3BA7BE0FBA5301F54412BD049C71E1FF748885CB95
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000005.00000002.2238113527.00000278A82D4000.00000004.00000020.00020000.00000000.sdmp, Offset: 00000278A82D4000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_5_2_278a82d4000_SoundTune.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID: A$A
                                        • API String ID: 0-2116726341
                                        • Opcode ID: 13a9e0c9c5d3a4d7b9cdafbb92186155365882b569e8a2d2909a03f4d75ef840
                                        • Instruction ID: 151353e295102e71f58c0d1962f32d528601eb6f2c2a77ed32f17685a72dea8d
                                        • Opcode Fuzzy Hash: 13a9e0c9c5d3a4d7b9cdafbb92186155365882b569e8a2d2909a03f4d75ef840
                                        • Instruction Fuzzy Hash: F1B2B375558A488FE772EB28D84E3BA7AE1FB91300F54412BD04AC71E2FF748885CB95
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000005.00000002.2244717993.00000278AE3D1000.00000004.00000020.00020000.00000000.sdmp, Offset: 00000278AE3D1000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_5_2_278ae3d1000_SoundTune.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID:
                                        • String ID: ?$G$Mb=L$r
                                        • API String ID: 0-3654495462
                                        • Opcode ID: 8f6580deefc9ef82fb16fd9907306da5e85ba4bdcd4373a521f3b78b7fee00db
                                        • Instruction ID: 5200eec9a41f271ece7d1a0248862c9533e83b4da8447af816d3b56546e3ef42
                                        • Opcode Fuzzy Hash: 8f6580deefc9ef82fb16fd9907306da5e85ba4bdcd4373a521f3b78b7fee00db
                                        • Instruction Fuzzy Hash: BD420D3111CB888FE7A4EB18C499B9AB7E5FBA9300F50496EE0CDC72A1DB74D545CB42
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000005.00000002.2244717993.00000278AE3D1000.00000004.00000020.00020000.00000000.sdmp, Offset: 00000278AE3D1000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_5_2_278ae3d1000_SoundTune.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID:
                                        • String ID: ?$G$Mb=L$r
                                        • API String ID: 0-3654495462
                                        • Opcode ID: 48b1b01cc0f6f2c6672f808714e99a76ab20513145e0672fad2e55d988f32716
                                        • Instruction ID: 02dcc4be7a684770d8607017d65c800caebc07fa26edc63a65a13d842ffe4c2a
                                        • Opcode Fuzzy Hash: 48b1b01cc0f6f2c6672f808714e99a76ab20513145e0672fad2e55d988f32716
                                        • Instruction Fuzzy Hash: E9326D75E04208DFDB04CFA8C585BEEBBB5FF89300F208559E559AB391D735AA42CB90
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Memory Dump Source
                                        • Source File: 00000005.00000002.2243163643.00000278AB600000.00000004.00000020.00020000.00000000.sdmp, Offset: 00000278AB600000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_5_2_278ab600000_SoundTune.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 74e99f7be9754a4167ea69dca9a5031b767fcc4f5de38cfc64e6778bbb43c050
                                        • Instruction ID: 137570d70a1223c4c837720bade577927c1d9a7dcfa7c96a0d99f39a62d9d390
                                        • Opcode Fuzzy Hash: 74e99f7be9754a4167ea69dca9a5031b767fcc4f5de38cfc64e6778bbb43c050
                                        • Instruction Fuzzy Hash: 80C1A974268A489FDBC4EF5CD498F66BBE1FFA9300F941499F04DCB2A1DA25E801DB11
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Memory Dump Source
                                        • Source File: 00000005.00000002.2238113527.00000278A82D4000.00000004.00000020.00020000.00000000.sdmp, Offset: 00000278A82D4000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_5_2_278a82d4000_SoundTune.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: e4dfddccc88188192dd0ef26447d97251ced8e11b36c8ed9b66b0a98952fcd64
                                        • Instruction ID: 041ac4dba5c495d116231748777083bd7e0600013c03cace135737deeaf30009
                                        • Opcode Fuzzy Hash: e4dfddccc88188192dd0ef26447d97251ced8e11b36c8ed9b66b0a98952fcd64
                                        • Instruction Fuzzy Hash: 93A19F8288E3D01FEB4387B848BD6913FB09F17154B1E45DBC4C98F4B3DA48595AD762
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Memory Dump Source
                                        • Source File: 00000005.00000002.2244717993.00000278AE3D1000.00000004.00000020.00020000.00000000.sdmp, Offset: 00000278AE3D1000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_5_2_278ae3d1000_SoundTune.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 0584256760886f1c0de052bda9cb983dfa805c86c380863e95e061973f17d90d
                                        • Instruction ID: 40f66af078e4c565d7c67893b19362f168eca241db5d0816073b20d2520f6409
                                        • Opcode Fuzzy Hash: 0584256760886f1c0de052bda9cb983dfa805c86c380863e95e061973f17d90d