File name: SoundPad.4.0.9.x64.rar

Full analysis: https://app.any.run/tasks/c51bc695-e909-4d12-9900-51ef05bd4d56
Verdict: Malicious activity
Analysis date: March 23, 2025, 19:27:02
OS: Windows 10 Professional (build: 19045, 64 bit)
Tags:
arch-exec
inno
installer
delphi
smartsteamemu
Indicators:
MIME: application/x-rar
File info: RAR archive data, v5
MD5: 0AD8CEBA5CC47F33BF3E6E6AFE9B2EAD
SHA1: 91F80C1581C38DDA625362045C8546FCA40C360A
SHA256: 189331AE1FBFD9F6DB51E77DA24C6C136CC1594D3EA3530D7F984E9F8062E879
SSDEEP: 98304:Fnv4sb5ax9L+xZl8H21a7j8lPArimi63r5HmZLtgCgRyIGDQt39BP13CKaCFJHWf:PARuysXmxcuTS

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Generic archive extractor

      • WinRAR.exe (PID: 1228)
  • SUSPICIOUS

    • Reads security settings of Internet Explorer

      • Setup_cracked.tmp (PID: 7084)
      • Soundpad.exe (PID: 2384)
    • Executable content was dropped or overwritten

      • Setup_cracked.exe (PID: 6112)
      • Setup_cracked.exe (PID: 6068)
      • Setup_cracked.tmp (PID: 6944)
    • Reads the Windows owner or organization settings

      • Setup_cracked.tmp (PID: 6944)
    • SMARTSTEAMEMU mutex has been found

      • Soundpad.exe (PID: 2384)
    • Reads the date of Windows installation

      • Soundpad.exe (PID: 2384)
  • INFO

    • Create files in a temporary directory

      • Setup_cracked.exe (PID: 6112)
      • Setup_cracked.exe (PID: 6068)
      • Setup_cracked.tmp (PID: 6944)
    • Checks supported languages

      • Setup_cracked.exe (PID: 6112)
      • Setup_cracked.tmp (PID: 7084)
      • Setup_cracked.exe (PID: 6068)
      • Setup_cracked.tmp (PID: 6944)
      • Soundpad.exe (PID: 2384)
      • SoundpadService.exe (PID: 2284)
    • Manual execution by a user

      • Setup_cracked.exe (PID: 6112)
      • OpenWith.exe (PID: 6048)
      • msinfo32.exe (PID: 2564)
    • Reads the computer name

      • Setup_cracked.tmp (PID: 7084)
      • Setup_cracked.tmp (PID: 6944)
      • Soundpad.exe (PID: 2384)
    • Process checks computer location settings

      • Setup_cracked.tmp (PID: 7084)
      • Soundpad.exe (PID: 2384)
    • Compiled with Borland Delphi (YARA)

      • Setup_cracked.exe (PID: 6112)
      • Setup_cracked.tmp (PID: 7084)
      • Setup_cracked.exe (PID: 6068)
      • Setup_cracked.tmp (PID: 6944)
    • Detects InnoSetup installer (YARA)

      • Setup_cracked.tmp (PID: 7084)
      • Setup_cracked.exe (PID: 6112)
      • Setup_cracked.exe (PID: 6068)
      • Setup_cracked.tmp (PID: 6944)
    • Creates files in the program directory

      • Setup_cracked.tmp (PID: 6944)
      • Soundpad.exe (PID: 2384)
    • The sample compiled with english language support

      • Setup_cracked.tmp (PID: 6944)
    • The sample compiled with chinese language support

      • Setup_cracked.tmp (PID: 6944)
    • Creates a software uninstall entry

      • Setup_cracked.tmp (PID: 6944)
    • Reads Microsoft Office registry keys

      • OpenWith.exe (PID: 6048)
    • Reads the software policy settings

      • slui.exe (PID: 1164)
    • Reads the machine GUID from the registry

      • Soundpad.exe (PID: 2384)
    • Checks proxy server information

      • slui.exe (PID: 1164)
    • Reads Environment values

      • Soundpad.exe (PID: 2384)
    • Creates files or folders in the user directory

      • Soundpad.exe (PID: 2384)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.rar | RAR compressed archive (v5.0) (61.5)
.rar | RAR compressed archive (gen) (38.4)

EXIF

ZIP

FileVersion: RAR v5
No data.
All screenshots are available in the full report
Total processes: 136
Monitored processes: 11
Malicious processes: 0
Suspicious processes: 3

Behavior graph

start winrar.exe no specs setup_cracked.exe setup_cracked.tmp no specs setup_cracked.exe openwith.exe no specs setup_cracked.tmp msinfo32.exe no specs THREAT soundpad.exe no specs soundpadservice.exe no specs soundpadservice.exe slui.exe

Process information

PID
CMD
Path
Indicators
Parent process
PID: 1164
CMD: C:\WINDOWS\System32\slui.exe -Embedding
Path: C:\Windows\System32\slui.exe
Parent process: svchost.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows Activation Client
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\slui.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\user32.dll
PID: 1228
CMD: "C:\Program Files\WinRAR\WinRAR.exe" C:\Users\admin\Desktop\SoundPad.4.0.9.x64.rar
Path: C:\Program Files\WinRAR\WinRAR.exe
Parent process: explorer.exe
User: admin
Company: Alexander Roshal
Integrity Level: MEDIUM
Description: WinRAR archiver
Version: 5.91.0
Modules
Images
c:\program files\winrar\winrar.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\gdi32full.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
PID: 2284
CMD: "C:\Program Files (x86)\Leppsoft SoundPad\SoundpadService.exe"
Path: C:\Program Files (x86)\Leppsoft SoundPad\SoundpadService.exe
Parent process: Soundpad.exe
User: admin
Company: Leppsoft
Integrity Level: HIGH
Description: Soundpad Service
Version: 4.0.9
Modules
Images
c:\program files (x86)\leppsoft soundpad\soundpadservice.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\gdi32full.dll
c:\windows\system32\msvcp_win.dll
PID: 2384
CMD: "C:\Program Files (x86)\Leppsoft SoundPad\Soundpad.exe"
Path: C:\Program Files (x86)\Leppsoft SoundPad\Soundpad.exe
Parent process: Setup_cracked.tmp
User: admin
Company: Leppsoft
Integrity Level: MEDIUM
Description: Soundpad
Version: 4.0.9
Modules
Images
c:\program files (x86)\leppsoft soundpad\soundpad.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\user32.dll
c:\windows\system32\usp10.dll
c:\windows\system32\dwmapi.dll
PID: 2564
CMD: "C:\WINDOWS\system32\msinfo32.exe" C:\Users\admin\Desktop\FEELiNNERS.nfo
Path: C:\Windows\System32\msinfo32.exe
Parent process: explorer.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: System Information
Version: 10.0.19041.3636 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\msinfo32.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\gdi32.dll
PID: 2984
CMD: "C:\Program Files (x86)\Leppsoft SoundPad\SoundpadService.exe"
Path: C:\Program Files (x86)\Leppsoft SoundPad\SoundpadService.exe
Parent process: Soundpad.exe
User: admin
Company: Leppsoft
Integrity Level: MEDIUM
Description: Soundpad Service
Exit code: 3221226540
Version: 4.0.9
Modules
Images
c:\program files (x86)\leppsoft soundpad\soundpadservice.exe
c:\windows\system32\ntdll.dll
PID: 6048
CMD: "C:\WINDOWS\System32\OpenWith.exe" C:\Users\admin\Desktop\FiLE_iD.DIZ
Path: C:\Windows\System32\OpenWith.exe
Parent process: explorer.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Pick an app
Exit code: 2147943623
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\openwith.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\gdi32full.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
PID: 6068
CMD: "C:\Users\admin\Desktop\Setup_cracked.exe" /SPAWNWND=$902C6 /NOTIFYWND=$5026A
Path: C:\Users\admin\Desktop\Setup_cracked.exe
Parent process: Setup_cracked.tmp
User: admin
Company:
Integrity Level: HIGH
Description: Leppsoft SoundPad Setup
Exit code: 0
Version:
Modules
Images
c:\users\admin\desktop\setup_cracked.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\comctl32.dll
PID: 6112
CMD: "C:\Users\admin\Desktop\Setup_cracked.exe"
Path: C:\Users\admin\Desktop\Setup_cracked.exe
Parent process: explorer.exe
User: admin
Company:
Integrity Level: MEDIUM
Description: Leppsoft SoundPad Setup
Exit code: 0
Version:
Modules
Images
c:\users\admin\desktop\setup_cracked.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\comctl32.dll
PID: 6944
CMD: "C:\Users\admin\AppData\Local\Temp\is-PQMQQ.tmp\Setup_cracked.tmp" /SL5="$60294,8134020,832512,C:\Users\admin\Desktop\Setup_cracked.exe" /SPAWNWND=$902C6 /NOTIFYWND=$5026A
Path: C:\Users\admin\AppData\Local\Temp\is-PQMQQ.tmp\Setup_cracked.tmp
Parent process: Setup_cracked.exe
User: admin
Company:
Integrity Level: HIGH
Description: Setup/Uninstall
Exit code: 0
Version: 51.1052.0.0
Modules
Images
c:\users\admin\appdata\local\temp\is-pqmqq.tmp\setup_cracked.tmp
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\comdlg32.dll
Total events: 7 867
Read events: 7 639
Write events: 228
Delete events: 0

Modification events

PID: 1228 | Process: WinRAR.exe | Key: HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory | Operation: write | Name: 3 | Value: C:\Users\admin\Desktop\preferences.zip
PID: 1228 | Process: WinRAR.exe | Key: HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory | Operation: write | Name: 2 | Value: C:\Users\admin\Desktop\chromium_ext.zip
PID: 1228 | Process: WinRAR.exe | Key: HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory | Operation: write | Name: 1 | Value: C:\Users\admin\Desktop\omni_23_10_2024_.zip
PID: 1228 | Process: WinRAR.exe | Key: HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory | Operation: write | Name: 0 | Value: C:\Users\admin\Desktop\SoundPad.4.0.9.x64.rar
PID: 1228 | Process: WinRAR.exe | Key: HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths | Operation: write | Name: name | Value: 120
PID: 1228 | Process: WinRAR.exe | Key: HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths | Operation: write | Name: size | Value: 80
PID: 1228 | Process: WinRAR.exe | Key: HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths | Operation: write | Name: type | Value: 120
PID: 1228 | Process: WinRAR.exe | Key: HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths | Operation: write | Name: mtime | Value: 100
PID: 1228 | Process: WinRAR.exe | Key: HKEY_CURRENT_USER\SOFTWARE\WinRAR\Interface\Comment | Operation: write | Name: LeftBorder | Value: 472
PID: 1228 | Process: WinRAR.exe | Key: HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\ArcColumnWidths | Operation: write | Name: name | Value: 256
Executable files: 16
Suspicious files: 129
Text files: 6
Unknown types: 0

Dropped files

PID | Process | Filename | Type
6112 | Setup_cracked.exe | C:\Users\admin\AppData\Local\Temp\is-7HKBO.tmp\Setup_cracked.tmp | executable
  MD5: 3268F5488A7A5D619E843DA659617822
  SHA256: 6FF4528F355E3532BC4F1552C345DB2AD25D4D5CA9FFB4B07D4C478BB8C276EF
6944 | Setup_cracked.tmp | C:\Program Files (x86)\Leppsoft SoundPad\is-68G21.tmp | executable
  MD5: C830C0BEC2B3E128FB12FF6529853009
  SHA256: 544958647DC10F4EE92800AC99BA04700DA337AD426D106A387A57383DC5DD82
6944 | Setup_cracked.tmp | C:\Program Files (x86)\Leppsoft SoundPad\SoundpadService.exe | executable
  MD5: C830C0BEC2B3E128FB12FF6529853009
  SHA256: 544958647DC10F4EE92800AC99BA04700DA337AD426D106A387A57383DC5DD82
6944 | Setup_cracked.tmp | C:\Program Files (x86)\Leppsoft SoundPad\is-V29CS.tmp | executable
  MD5: C68F3F2622C4B536EEC4DA473C294190
  SHA256: 17E162EAE3204595E6E0806599FBB9E12F721AEA16597307DCA0EE9C25204D39
6944 | Setup_cracked.tmp | C:\Program Files (x86)\Leppsoft SoundPad\TTS.dll | executable
  MD5: 8F1B8DC26A9531F76D3057C7A9F0B5DA
  SHA256: A6BAEE91F8392FE62A0A9071082E86B9B42237682280BBDA0F3887B12A9CE1FF
6944 | Setup_cracked.tmp | C:\Program Files (x86)\Leppsoft SoundPad\unins000.exe | executable
  MD5: 1E3ED997FF4EAEB69019D416401D34F7
  SHA256: 5993A5B1852BEE40ACC1AE2A3C5D365C7F140E1CECAF81664EED085F7ED70046
6068 | Setup_cracked.exe | C:\Users\admin\AppData\Local\Temp\is-PQMQQ.tmp\Setup_cracked.tmp | executable
  MD5: 3268F5488A7A5D619E843DA659617822
  SHA256: 6FF4528F355E3532BC4F1552C345DB2AD25D4D5CA9FFB4B07D4C478BB8C276EF
6944 | Setup_cracked.tmp | C:\Program Files (x86)\Leppsoft SoundPad\is-V2EVU.tmp | executable
  MD5: C68F3F2622C4B536EEC4DA473C294190
  SHA256: 17E162EAE3204595E6E0806599FBB9E12F721AEA16597307DCA0EE9C25204D39
6944 | Setup_cracked.tmp | C:\Program Files (x86)\Leppsoft SoundPad\is-I2UPS.tmp | text
  MD5: 8FB99E6A51B370954779F04E730CE20E
  SHA256: 69661C0AD3FDC0A0C09AD36F9C2B1B583780D7E961E63F144121A5E52FD6270A
6944 | Setup_cracked.tmp | C:\Program Files (x86)\Leppsoft SoundPad\steamconfig.ini | text
  MD5: 207E293DE83AF7C2529107FB086F2EC5
  SHA256: BB8D065118EEE9DF2C138AD8E0296A62D3BFF222CB0B897AC26381B39315F3B2
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests: 2
TCP/UDP connections: 18
DNS requests: 4
Threats: 0

HTTP requests

PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation
 | | POST | 500 | 20.83.72.98:443 | https://activation-v2.sls.microsoft.com/SLActivateProduct/SLActivateProduct.asmx?configextension=Retail | unknown | xml | 512 b | whitelisted
 | | POST | 500 | 40.91.76.224:443 | https://activation-v2.sls.microsoft.com/SLActivateProduct/SLActivateProduct.asmx?configextension=Retail | unknown | xml | 512 b | whitelisted

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
4 | System | 192.168.100.255:138 | | | | unknown
 | | 40.127.240.158:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | unknown
4 | System | 192.168.100.255:137 | | | | unknown
896 | slui.exe | 40.91.76.224:443 | activation-v2.sls.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | US | unknown
1164 | slui.exe | 40.91.76.224:443 | activation-v2.sls.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | US | unknown

DNS requests

Domain | IP | Reputation
settings-win.data.microsoft.com | 40.127.240.158 | unknown
google.com | 216.58.206.78 | unknown
activation-v2.sls.microsoft.com | 40.91.76.224 | unknown

Threats

No threats detected
No debug info