Analysis
max time kernel: 151s
max time network: 125s
platform: windows7_x64
resource: win7-20240221-en
resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
submitted: 27-02-2024 20:26
Static task: static1
Behavioral task: behavioral1
  Sample: aa148aaca301b7273bdbdb6c1f2d581e.exe
  Resource: win7-20240221-en
Behavioral task: behavioral2
  Sample: aa148aaca301b7273bdbdb6c1f2d581e.exe
  Resource: win10v2004-20240226-en
General
Target: aa148aaca301b7273bdbdb6c1f2d581e.exe
Size: 428KB
MD5: aa148aaca301b7273bdbdb6c1f2d581e
SHA1: 7c000c6d06806d6aaeaeab56e34e8eda52b3ac13
SHA256: 69eb268d4de61fc838aa1e15b67025486e375f7a63e969bf16205021d3bc4526
SHA512: 3a15f03815c71cdfbd984d464002eebf323f0b904a7303e2636f23b11ce73c926d057a6ab16423f975cee6f030fc574259a85c40c88d444692f3ea4cef3f6913
SSDEEP: 6144:pcSj5+6EIo/rBlI/Pj5WUq4I9/Pjx5+6EIo/rBlLR:GStEI4yq4IZEI4bR
Malware Config
Signatures
Detect XtremeRAT payload 56 IoCs
XtremeRAT
XtremeRAT was developed by xtremecoder, is written in Delphi, and has been available since at least 2010.
Modifies Installed Components in the registry 2 TTPs 60 IoCs
Executes dropped EXE 59 IoCs
Loads dropped DLL 3 IoCs
Processes:
pid  process
1676 aa148aaca301b7273bdbdb6c1f2d581e.exe
1676 aa148aaca301b7273bdbdb6c1f2d581e.exe
2684 sonds.exe
Adds Run key to start application 2 TTPs 60 IoCs
Processes:
sonds.exesonds.exesonds.exesonds.exesonds.exesonds.exesonds.exesonds.exesonds.exesonds.exesonds.exesonds.exesonds.exesonds.exesonds.exesonds.exesonds.exesonds.exesonds.exesonds.exesonds.exesonds.exesonds.exesonds.exesonds.exesonds.exesonds.exesonds.exeaa148aaca301b7273bdbdb6c1f2d581e.exesonds.exedescription ioc process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\InstallDir\\sonds.exe" sonds.exe Set value (str) \REGISTRY\USER\S-1-5-21-3787592910-3720486031-2929222812-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\InstallDir\\sonds.exe" sonds.exe Set value (str) \REGISTRY\USER\S-1-5-21-3787592910-3720486031-2929222812-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\InstallDir\\sonds.exe" sonds.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\InstallDir\\sonds.exe" sonds.exe Set value (str) \REGISTRY\USER\S-1-5-21-3787592910-3720486031-2929222812-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\InstallDir\\sonds.exe" sonds.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\InstallDir\\sonds.exe" sonds.exe Set value (str) \REGISTRY\USER\S-1-5-21-3787592910-3720486031-2929222812-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\InstallDir\\sonds.exe" sonds.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\InstallDir\\sonds.exe" sonds.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\InstallDir\\sonds.exe" sonds.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\InstallDir\\sonds.exe" sonds.exe Set value (str) 
\REGISTRY\USER\S-1-5-21-3787592910-3720486031-2929222812-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\InstallDir\\sonds.exe" sonds.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\InstallDir\\sonds.exe" sonds.exe Set value (str) \REGISTRY\USER\S-1-5-21-3787592910-3720486031-2929222812-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\InstallDir\\sonds.exe" sonds.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\InstallDir\\sonds.exe" sonds.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\InstallDir\\sonds.exe" sonds.exe Set value (str) \REGISTRY\USER\S-1-5-21-3787592910-3720486031-2929222812-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\InstallDir\\sonds.exe" sonds.exe Set value (str) \REGISTRY\USER\S-1-5-21-3787592910-3720486031-2929222812-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\InstallDir\\sonds.exe" sonds.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\InstallDir\\sonds.exe" sonds.exe Set value (str) \REGISTRY\USER\S-1-5-21-3787592910-3720486031-2929222812-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\InstallDir\\sonds.exe" sonds.exe Set value (str) \REGISTRY\USER\S-1-5-21-3787592910-3720486031-2929222812-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\InstallDir\\sonds.exe" sonds.exe Set value (str) \REGISTRY\USER\S-1-5-21-3787592910-3720486031-2929222812-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\InstallDir\\sonds.exe" sonds.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\InstallDir\\sonds.exe" sonds.exe Set value (str) 
\REGISTRY\USER\S-1-5-21-3787592910-3720486031-2929222812-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\InstallDir\\sonds.exe" sonds.exe Set value (str) \REGISTRY\USER\S-1-5-21-3787592910-3720486031-2929222812-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\InstallDir\\sonds.exe" sonds.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\InstallDir\\sonds.exe" sonds.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\InstallDir\\sonds.exe" sonds.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\InstallDir\\sonds.exe" sonds.exe Set value (str) \REGISTRY\USER\S-1-5-21-3787592910-3720486031-2929222812-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\InstallDir\\sonds.exe" sonds.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\InstallDir\\sonds.exe" sonds.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\InstallDir\\sonds.exe" sonds.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\InstallDir\\sonds.exe" sonds.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\InstallDir\\sonds.exe" sonds.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\InstallDir\\sonds.exe" sonds.exe Set value (str) \REGISTRY\USER\S-1-5-21-3787592910-3720486031-2929222812-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\InstallDir\\sonds.exe" sonds.exe Set value (str) \REGISTRY\USER\S-1-5-21-3787592910-3720486031-2929222812-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = 
"C:\\Windows\\InstallDir\\sonds.exe" sonds.exe Set value (str) \REGISTRY\USER\S-1-5-21-3787592910-3720486031-2929222812-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\InstallDir\\sonds.exe" sonds.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\InstallDir\\sonds.exe" sonds.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\InstallDir\\sonds.exe" sonds.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\InstallDir\\sonds.exe" sonds.exe Set value (str) \REGISTRY\USER\S-1-5-21-3787592910-3720486031-2929222812-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\InstallDir\\sonds.exe" sonds.exe Set value (str) \REGISTRY\USER\S-1-5-21-3787592910-3720486031-2929222812-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\InstallDir\\sonds.exe" sonds.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\InstallDir\\sonds.exe" aa148aaca301b7273bdbdb6c1f2d581e.exe Set value (str) \REGISTRY\USER\S-1-5-21-3787592910-3720486031-2929222812-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\InstallDir\\sonds.exe" aa148aaca301b7273bdbdb6c1f2d581e.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\InstallDir\\sonds.exe" sonds.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\InstallDir\\sonds.exe" sonds.exe Set value (str) \REGISTRY\USER\S-1-5-21-3787592910-3720486031-2929222812-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\InstallDir\\sonds.exe" sonds.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = 
"C:\\Windows\\InstallDir\\sonds.exe" sonds.exe Set value (str) \REGISTRY\USER\S-1-5-21-3787592910-3720486031-2929222812-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\InstallDir\\sonds.exe" sonds.exe Set value (str) \REGISTRY\USER\S-1-5-21-3787592910-3720486031-2929222812-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\InstallDir\\sonds.exe" sonds.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\InstallDir\\sonds.exe" sonds.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\InstallDir\\sonds.exe" sonds.exe Set value (str) \REGISTRY\USER\S-1-5-21-3787592910-3720486031-2929222812-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\InstallDir\\sonds.exe" sonds.exe Set value (str) \REGISTRY\USER\S-1-5-21-3787592910-3720486031-2929222812-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\InstallDir\\sonds.exe" sonds.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\InstallDir\\sonds.exe" sonds.exe Set value (str) \REGISTRY\USER\S-1-5-21-3787592910-3720486031-2929222812-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\InstallDir\\sonds.exe" sonds.exe Set value (str) \REGISTRY\USER\S-1-5-21-3787592910-3720486031-2929222812-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\InstallDir\\sonds.exe" sonds.exe Set value (str) \REGISTRY\USER\S-1-5-21-3787592910-3720486031-2929222812-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\InstallDir\\sonds.exe" sonds.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\InstallDir\\sonds.exe" sonds.exe Set value (str) 
\REGISTRY\USER\S-1-5-21-3787592910-3720486031-2929222812-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\InstallDir\\sonds.exe" sonds.exe Set value (str) \REGISTRY\USER\S-1-5-21-3787592910-3720486031-2929222812-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\InstallDir\\sonds.exe" sonds.exe -
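The Run-key rows above are the persistence that survives a reboot: the same dropped binary, C:\Windows\InstallDir\sonds.exe, is registered both in the per-user Run key and in the machine Run key (redirected to Wow6432Node because the sample is a 32-bit process on an x64 host), under value names that mimic hive names. The script below is an added example, not part of the sandbox report, that parses rows in the report's own format, flags the three traits worth alerting on, and prints the reg.exe commands that remove the entries. The rows in SAMPLE_ROWS are constructed input re-typed from the table (with one deliberate duplicate, because the report repeats a row for every process that performs the write); the trait labels and the script's structure are this example's own choices.

```python
"""Added example, not part of the sandbox report: triage the Run-key writes
listed in the report and emit the matching clean-up commands."""
from __future__ import annotations

import re
from dataclasses import dataclass

# One row of the report's registry table:
#   Set value (str) \REGISTRY\...\Run\<name> = "<data>" <process>
ROW_RE = re.compile(
    r'Set value \((?P<vtype>\w+)\) (?P<key>\\REGISTRY\\\S+)\\(?P<name>[^\\\s]+) = '
    r'"(?P<data>[^"]*)" (?P<process>\S+)'
)
RUN_KEY_RE = re.compile(r'\\CurrentVersion\\Run$', re.IGNORECASE)
# Directories under C:\Windows where a legitimate autorun binary may live.
SYSTEM_DIRS = (r"c:\windows\system32", r"c:\windows\syswow64")

# Constructed input: rows re-typed from the report (last row is a duplicate on purpose).
SAMPLE_ROWS = r"""
Set value (str) \REGISTRY\USER\S-1-5-21-3787592910-3720486031-2929222812-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\InstallDir\\sonds.exe" sonds.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\InstallDir\\sonds.exe" sonds.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\InstallDir\\sonds.exe" aa148aaca301b7273bdbdb6c1f2d581e.exe
Set value (str) \REGISTRY\USER\S-1-5-21-3787592910-3720486031-2929222812-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\InstallDir\\sonds.exe" aa148aaca301b7273bdbdb6c1f2d581e.exe
Set value (str) \REGISTRY\USER\S-1-5-21-3787592910-3720486031-2929222812-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\InstallDir\\sonds.exe" sonds.exe
"""


@dataclass(frozen=True)
class RunKeyWrite:
    key: str        # kernel object path exactly as the sandbox logs it
    name: str       # value name
    data: str       # value data, with the report's doubled backslashes collapsed
    process: str    # process that performed the write

    @property
    def hive(self) -> str:
        return "HKLM" if self.key.upper().startswith(r"\REGISTRY\MACHINE") else "HKU"

    @property
    def reg_path(self) -> str:
        """Key path as reg.exe accepts it: \\REGISTRY\\USER\\<SID>\\... becomes HKU\\<SID>\\..."""
        prefix = r"\REGISTRY\MACHINE" if self.hive == "HKLM" else r"\REGISTRY\USER"
        return self.hive + self.key[len(prefix):]


def parse_rows(text: str) -> list[RunKeyWrite]:
    """Keep only writes that land in a ...\\CurrentVersion\\Run key."""
    writes = []
    for line in text.splitlines():
        m = ROW_RE.search(line)
        if m and RUN_KEY_RE.search(m["key"]):
            writes.append(RunKeyWrite(m["key"], m["name"],
                                      m["data"].replace("\\\\", "\\"), m["process"]))
    return writes


def analyze(writes: list[RunKeyWrite]) -> dict:
    """Collapse repeated rows to distinct (key, name, data) entries and explain each."""
    distinct = sorted({(w.reg_path, w.name, w.data) for w in writes})
    hives_per_payload: dict[str, set[str]] = {}
    for w in writes:
        hives_per_payload.setdefault(w.data.lower(), set()).add(w.hive)

    findings = []
    for path, name, data in distinct:
        low = data.lower()
        reasons = []
        if low.startswith("c:\\windows\\") and not low.startswith(SYSTEM_DIRS):
            reasons.append("autorun binary under C:\\Windows but outside System32/SysWOW64")
        if name.upper() in {"HKCU", "HKLM"}:
            reasons.append("value name mimics a hive name (a long-standing XtremeRAT trait)")
        if hives_per_payload[low] >= {"HKLM", "HKU"}:
            reasons.append("same binary registered in both per-user and machine Run keys")
        findings.append({
            "path": path, "name": name, "data": data, "reasons": reasons,
            "remediation": f'reg delete "{path}" /v {name} /f',
        })
    return {
        "rows": len(writes),
        "distinct_entries": len(distinct),
        "writers": sorted({w.process for w in writes}),
        "findings": findings,
    }


if __name__ == "__main__":
    report = analyze(parse_rows(SAMPLE_ROWS))
    for f in report["findings"]:
        print(f["remediation"], "#", "; ".join(f["reasons"]))
```

Two caveats when checking a live host against these entries: HKU\<SID> is the same key as HKCU for that logged-on user, and because the machine-wide entry sits under Wow6432Node, a 64-bit shell running `reg query HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run` will not show it; query the Wow6432Node path, or add `/reg:32`.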
Suspicious use of SetThreadContext 30 IoCs
Processes:
description pid process target process
PID 2020 set thread context of 1676 2020 aa148aaca301b7273bdbdb6c1f2d581e.exe aa148aaca301b7273bdbdb6c1f2d581e.exe
PID 2684 set thread context of 2540 2684 sonds.exe sonds.exe
PID 2448 set thread context of 2860 2448 sonds.exe sonds.exe
PID 2720 set thread context of 2744 2720 sonds.exe sonds.exe
PID 1956 set thread context of 340 1956 sonds.exe sonds.exe
PID 620 set thread context of 1636 620 sonds.exe sonds.exe
PID 2012 set thread context of 2280 2012 sonds.exe sonds.exe
PID 844 set thread context of 3032 844 sonds.exe sonds.exe
PID 916 set thread context of 1524 916 sonds.exe sonds.exe
PID 876 set thread context of 2028 876 sonds.exe sonds.exe
PID 1808 set thread context of 2652 1808 sonds.exe sonds.exe
PID 2352 set thread context of 2260 2352 sonds.exe sonds.exe
PID 2380 set thread context of 2196 2380 sonds.exe sonds.exe
PID 1688 set thread context of 2100 1688 sonds.exe sonds.exe
PID 592 set thread context of 2092 592 sonds.exe sonds.exe
PID 2224 set thread context of 2896 2224 sonds.exe sonds.exe
PID 2620 set thread context of 656 2620 sonds.exe sonds.exe
PID 1536 set thread context of 1992 1536 sonds.exe sonds.exe
PID 2932 set thread context of 1348 2932 sonds.exe sonds.exe
PID 1184 set thread context of 1496 1184 sonds.exe sonds.exe
PID 2360 set thread context of 2128 2360 sonds.exe sonds.exe
PID 3108 set thread context of 3132 3108 sonds.exe sonds.exe
PID 3256 set thread context of 3284 3256 sonds.exe sonds.exe
PID 3416 set thread context of 3444 3416 sonds.exe sonds.exe
PID 3568 set thread context of 3596 3568 sonds.exe sonds.exe
PID 3724 set thread context of 3748 3724 sonds.exe sonds.exe
PID 3868 set thread context of 3892 3868 sonds.exe sonds.exe
PID 4020 set thread context of 4044 4020 sonds.exe sonds.exe
PID 3164 set thread context of 3272 3164 sonds.exe sonds.exe
PID 3504 set thread context of 3564 3504 sonds.exe sonds.exe
-
Drops file in Windows directory 2 IoCs
Processes:
description ioc process
File opened for modification C:\Windows\InstallDir\sonds.exe aa148aaca301b7273bdbdb6c1f2d581e.exe
File created C:\Windows\InstallDir\sonds.exe aa148aaca301b7273bdbdb6c1f2d581e.exe
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Suspicious use of SetWindowsHookEx 31 IoCs
Processes:
pid process
2020 aa148aaca301b7273bdbdb6c1f2d581e.exe
sonds.exe (30 processes): 2684, 2448, 2720, 1956, 620, 2012, 844, 916, 876, 1808, 2352, 2380, 1688, 592, 2224, 2620, 1536, 2932, 1184, 2360, 3108, 3256, 3416, 3568, 3724, 3868, 4020, 3164, 3504, 3740
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes:
description pid process target process (64 rows; identical rows collapsed with a count)
PID 2020 wrote to memory of 1676 2020 aa148aaca301b7273bdbdb6c1f2d581e.exe aa148aaca301b7273bdbdb6c1f2d581e.exe (9 rows)
PID 1676 wrote to memory of 2912 1676 aa148aaca301b7273bdbdb6c1f2d581e.exe iexplore.exe (5 rows)
PID 1676 wrote to memory of 2496 1676 aa148aaca301b7273bdbdb6c1f2d581e.exe iexplore.exe (5 rows)
PID 1676 wrote to memory of 3004 1676 aa148aaca301b7273bdbdb6c1f2d581e.exe iexplore.exe (5 rows)
PID 1676 wrote to memory of 2268 1676 aa148aaca301b7273bdbdb6c1f2d581e.exe iexplore.exe (5 rows)
PID 1676 wrote to memory of 1320 1676 aa148aaca301b7273bdbdb6c1f2d581e.exe iexplore.exe (5 rows)
PID 1676 wrote to memory of 2536 1676 aa148aaca301b7273bdbdb6c1f2d581e.exe iexplore.exe (5 rows)
PID 1676 wrote to memory of 2556 1676 aa148aaca301b7273bdbdb6c1f2d581e.exe iexplore.exe (5 rows)
PID 1676 wrote to memory of 2660 1676 aa148aaca301b7273bdbdb6c1f2d581e.exe iexplore.exe (4 rows)
PID 1676 wrote to memory of 2684 1676 aa148aaca301b7273bdbdb6c1f2d581e.exe sonds.exe (4 rows)
PID 2684 wrote to memory of 2540 2684 sonds.exe sonds.exe (9 rows)
PID 2540 wrote to memory of 2584 2540 sonds.exe iexplore.exe (3 rows)
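Read together, the SetThreadContext and WriteProcessMemory tables describe the loader's execution model: each loader starts a copy of its own image, writes into it, then resets that copy's thread context (the RunPE / process-hollowing pattern), and the hollowed copy is the one that writes into iexplore.exe and starts the next sonds.exe loader. The script below is an added example, not part of the sandbox report, that reconstructs this from rows in the report's own row format: it pairs write and set-thread-context events between a parent and a same-image child, separates the hollowed copies' writes into foreign images (the browser injections) from their writes into the next loader, and follows the chain of generations. SAMPLE_EVENTS is a constructed subset re-typed from the two tables; because the WriteProcessMemory table stops at 64 rows, only the first two generations can be reconstructed from the recorded rows, while the process tree below shows the same pattern repeating.

```python
"""Added example, not part of the sandbox report: reconstruct the process
hollowing chain from 'set thread context' and 'wrote to memory' rows."""
from __future__ import annotations

import re
from dataclasses import dataclass

# Row format shared by both tables:
#   PID <src> wrote to memory of <dst> <src> <src image> <dst image>
#   PID <src> set thread context of <dst> <src> <src image> <dst image>
EVENT_RE = re.compile(
    r"PID (?P<src>\d+) (?P<action>wrote to memory of|set thread context of) "
    r"(?P<dst>\d+) \d+ (?P<src_image>\S+) (?P<dst_image>\S+)"
)
ACTIONS = {"wrote to memory of": "write", "set thread context of": "setctx"}

# Constructed subset of the report's rows: the first two loader generations
# and a few of the browser processes the hollowed copies write into.
SAMPLE_EVENTS = """
PID 2020 set thread context of 1676 2020 aa148aaca301b7273bdbdb6c1f2d581e.exe aa148aaca301b7273bdbdb6c1f2d581e.exe
PID 2020 wrote to memory of 1676 2020 aa148aaca301b7273bdbdb6c1f2d581e.exe aa148aaca301b7273bdbdb6c1f2d581e.exe
PID 1676 wrote to memory of 2912 1676 aa148aaca301b7273bdbdb6c1f2d581e.exe iexplore.exe
PID 1676 wrote to memory of 2496 1676 aa148aaca301b7273bdbdb6c1f2d581e.exe iexplore.exe
PID 1676 wrote to memory of 2684 1676 aa148aaca301b7273bdbdb6c1f2d581e.exe sonds.exe
PID 2684 set thread context of 2540 2684 sonds.exe sonds.exe
PID 2684 wrote to memory of 2540 2684 sonds.exe sonds.exe
PID 2540 wrote to memory of 2584 2540 sonds.exe iexplore.exe
"""


@dataclass(frozen=True)
class Event:
    src: int
    action: str      # "write" or "setctx"
    dst: int
    src_image: str
    dst_image: str


def parse_events(text: str) -> list[Event]:
    events = []
    for line in text.splitlines():
        m = EVENT_RE.search(line)
        if m:
            events.append(Event(int(m["src"]), ACTIONS[m["action"]], int(m["dst"]),
                                m["src_image"], m["dst_image"]))
    return events


def find_hollowing(events: list[Event]) -> list[tuple[int, int]]:
    """(loader, hollowed) pairs: the loader both writes into and resets the thread
    context of a child running the loader's own image. Writes into a different
    image without a context reset are plain injection, not hollowing."""
    writes = {(e.src, e.dst) for e in events if e.action == "write"}
    setctx = {(e.src, e.dst) for e in events if e.action == "setctx"}
    image: dict[int, str] = {}
    for e in events:
        image[e.src] = e.src_image
        image[e.dst] = e.dst_image
    return sorted(p for p in writes & setctx if image[p[0]] == image[p[1]])


def injection_targets(events: list[Event], hollowed: set[int]) -> dict[int, dict[str, set[int]]]:
    """Everything a hollowed copy writes into, grouped by target image; the
    foreign-image targets (iexplore.exe here) are the RAT's own injections."""
    out: dict[int, dict[str, set[int]]] = {}
    for e in events:
        if e.action == "write" and e.src in hollowed:
            out.setdefault(e.src, {}).setdefault(e.dst_image, set()).add(e.dst)
    return out


def generation_chain(events: list[Event]) -> list[tuple[int, int]]:
    """Start at the loader nobody wrote into (the submitted sample) and follow
    hollowed copy -> next loader it writes into -> the copy that loader hollows."""
    pairs = dict(find_hollowing(events))            # loader -> hollowed copy
    written_to = {e.dst for e in events if e.action == "write"}
    roots = [p for p in pairs if p not in written_to]
    chain: list[tuple[int, int]] = []
    loader = roots[0] if roots else None
    while loader in pairs:
        hollowed = pairs[loader]
        chain.append((loader, hollowed))
        nxt = [e.dst for e in events
               if e.action == "write" and e.src == hollowed and e.dst in pairs]
        loader = nxt[0] if nxt else None
    return chain


if __name__ == "__main__":
    ev = parse_events(SAMPLE_EVENTS)
    chain = generation_chain(ev)
    targets = injection_targets(ev, {h for _, h in chain})
    for loader, hollowed in chain:
        print(f"loader {loader} hollowed {hollowed}; "
              f"{hollowed} wrote into {targets.get(hollowed, {})}")
```

In EDR or Sysmon data the same pairing is available as a process-access event from parent to a same-image child that was created suspended, followed by a thread-context change; matching on the pair rather than on either call alone keeps legitimate debuggers and crash reporters, which also call WriteProcessMemory, out of the alert.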
Processes
-
C:\Users\Admin\AppData\Local\Temp\aa148aaca301b7273bdbdb6c1f2d581e.exe"C:\Users\Admin\AppData\Local\Temp\aa148aaca301b7273bdbdb6c1f2d581e.exe"1⤵
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2020 -
C:\Users\Admin\AppData\Local\Temp\aa148aaca301b7273bdbdb6c1f2d581e.exe"C:\Users\Admin\AppData\Local\Temp\aa148aaca301b7273bdbdb6c1f2d581e.exe"2⤵
- Modifies Installed Components in the registry
- Loads dropped DLL
- Adds Run key to start application
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:1676 -
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"3⤵PID:2912
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"3⤵PID:2496
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"3⤵PID:3004
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"3⤵PID:2268
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"3⤵PID:1320
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"3⤵PID:2536
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"3⤵PID:2556
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"3⤵PID:2660
-
C:\Windows\InstallDir\sonds.exe"C:\Windows\InstallDir\sonds.exe"3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2684 -
C:\Windows\InstallDir\sonds.exe"C:\Windows\InstallDir\sonds.exe"4⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2540 -
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"5⤵PID:2584
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"5⤵PID:2428
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"5⤵PID:2180
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"5⤵PID:2676
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"5⤵PID:2404
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"5⤵PID:2400
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"5⤵PID:2424
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"5⤵PID:2940
-
C:\Windows\InstallDir\sonds.exe"C:\Windows\InstallDir\sonds.exe"5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
PID:2448 -
C:\Windows\InstallDir\sonds.exe"C:\Windows\InstallDir\sonds.exe"6⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Adds Run key to start application
PID:2860 -
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"7⤵PID:2388
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"7⤵PID:1968
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"7⤵PID:536
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"7⤵PID:2472
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"7⤵PID:2392
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"7⤵PID:2636
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"7⤵PID:2616
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"7⤵PID:2624
-
C:\Windows\InstallDir\sonds.exe"C:\Windows\InstallDir\sonds.exe"7⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
PID:2720 -
C:\Windows\InstallDir\sonds.exe"C:\Windows\InstallDir\sonds.exe"8⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Adds Run key to start application
PID:2744 -
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"9⤵PID:1796
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"9⤵PID:1712
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"9⤵PID:1780
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"9⤵PID:1264
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"9⤵PID:2220
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"9⤵PID:676
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"9⤵PID:788
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"9⤵PID:2212
-
C:\Windows\InstallDir\sonds.exe"C:\Windows\InstallDir\sonds.exe"9⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
PID:1956 -
C:\Windows\InstallDir\sonds.exe"C:\Windows\InstallDir\sonds.exe"10⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Adds Run key to start application
PID:340 -
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"11⤵PID:756
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"11⤵PID:1480
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"11⤵PID:1472
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"11⤵PID:1092
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"11⤵PID:804
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"11⤵PID:1836
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"11⤵PID:1736
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"11⤵PID:1904
-
C:\Windows\InstallDir\sonds.exe"C:\Windows\InstallDir\sonds.exe"11⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
PID:620 -
C:\Windows\InstallDir\sonds.exe"C:\Windows\InstallDir\sonds.exe"12⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Adds Run key to start application
PID:1636 -
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"13⤵PID:1608
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"13⤵PID:1744
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"13⤵PID:1512
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"13⤵PID:2228
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"13⤵PID:1728
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"13⤵PID:1548
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"13⤵PID:1272
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"13⤵PID:2240
-
C:\Windows\InstallDir\sonds.exe"C:\Windows\InstallDir\sonds.exe"13⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
PID:2012 -
C:\Windows\InstallDir\sonds.exe"C:\Windows\InstallDir\sonds.exe"14⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Adds Run key to start application
PID:2280 -
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"15⤵PID:2236
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"15⤵PID:2812
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"15⤵PID:964
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"15⤵PID:884
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"15⤵PID:1788
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"15⤵PID:2444
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"15⤵PID:1132
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"15⤵PID:2300
-
C:\Windows\InstallDir\sonds.exe"C:\Windows\InstallDir\sonds.exe"15⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
PID:844 -
C:\Windows\InstallDir\sonds.exe"C:\Windows\InstallDir\sonds.exe"16⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Adds Run key to start application
PID:3032 -
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"17⤵PID:816
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"17⤵PID:1088
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"17⤵PID:1940
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"17⤵PID:2120
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"17⤵PID:1672
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"17⤵PID:1944
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"17⤵PID:1848
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"17⤵PID:736
-
C:\Windows\InstallDir\sonds.exe"C:\Windows\InstallDir\sonds.exe"17⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
PID:916 -
C:\Windows\InstallDir\sonds.exe"C:\Windows\InstallDir\sonds.exe"18⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Adds Run key to start application
PID:1524 -
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"19⤵PID:1980
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"19⤵PID:568
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"19⤵PID:1568
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"19⤵PID:2172
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"19⤵PID:2316
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"19⤵PID:1804
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"19⤵PID:3008
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"19⤵PID:2200
-
C:\Windows\InstallDir\sonds.exe"C:\Windows\InstallDir\sonds.exe"19⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
PID:876 -
C:\Windows\InstallDir\sonds.exe"C:\Windows\InstallDir\sonds.exe"20⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Adds Run key to start application
PID:2028 -
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"21⤵PID:1580
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"21⤵PID:1680
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"21⤵PID:2024
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"21⤵PID:1188
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"21⤵PID:1152
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"21⤵PID:2176
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"21⤵PID:1616
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"21⤵PID:1328
-
C:\Windows\InstallDir\sonds.exe"C:\Windows\InstallDir\sonds.exe"21⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
PID:1808 -
C:\Windows\InstallDir\sonds.exe"C:\Windows\InstallDir\sonds.exe"22⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Adds Run key to start application
PID:2652 -
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"23⤵PID:2716
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"23⤵PID:2944
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"23⤵PID:2788
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"23⤵PID:2056
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"23⤵PID:2604
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"23⤵PID:2580
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"23⤵PID:2508
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"23⤵PID:2576
-
C:\Windows\InstallDir\sonds.exe"C:\Windows\InstallDir\sonds.exe"23⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
PID:2352 -
C:\Windows\InstallDir\sonds.exe"C:\Windows\InstallDir\sonds.exe"24⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Adds Run key to start application
PID:2260 -
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"25⤵PID:2640
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"25⤵PID:2740
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"25⤵PID:2504
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"25⤵PID:2768
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"25⤵PID:1632
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"25⤵PID:344
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"25⤵PID:1452
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"25⤵PID:1032
-
C:\Windows\InstallDir\sonds.exe"C:\Windows\InstallDir\sonds.exe"25⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
PID:2380 -
C:\Windows\InstallDir\sonds.exe"C:\Windows\InstallDir\sonds.exe"26⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Adds Run key to start application
PID:2196 -
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"27⤵PID:1016
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"27⤵PID:2000
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"27⤵PID:2188
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"27⤵PID:3060
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"27⤵PID:1692
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"27⤵PID:2232
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"27⤵PID:1516
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"27⤵PID:2376
-
C:\Windows\InstallDir\sonds.exe"C:\Windows\InstallDir\sonds.exe"27⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
PID:1688 -
C:\Windows\InstallDir\sonds.exe"C:\Windows\InstallDir\sonds.exe"28⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Adds Run key to start application
PID:2100 -
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"29⤵PID:1908
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"29⤵PID:1240
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"29⤵PID:3040
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"29⤵PID:1072
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"29⤵PID:3044
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"29⤵PID:1860
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"29⤵PID:680
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"29⤵PID:672
-
C:\Windows\InstallDir\sonds.exe"C:\Windows\InstallDir\sonds.exe"29⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
PID:592 -
C:\Windows\InstallDir\sonds.exe"C:\Windows\InstallDir\sonds.exe"30⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Adds Run key to start application
PID:2092 -
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"31⤵PID:1256
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"31⤵PID:2168
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"31⤵PID:1924
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"31⤵PID:1640
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"31⤵PID:1972
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"31⤵PID:1144
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"31⤵PID:1752
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"31⤵PID:1656
-
C:\Windows\InstallDir\sonds.exe"C:\Windows\InstallDir\sonds.exe"31⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
PID:2224 -
C:\Windows\InstallDir\sonds.exe"C:\Windows\InstallDir\sonds.exe"32⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Adds Run key to start application
PID:2896 -
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"33⤵PID:2796
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"33⤵PID:2308
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"33⤵PID:2464
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"33⤵PID:2456
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"33⤵PID:2328
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"33⤵PID:980
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"33⤵PID:2872
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"33⤵PID:792
-
C:\Windows\InstallDir\sonds.exe"C:\Windows\InstallDir\sonds.exe"33⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
PID:2620 -
C:\Windows\InstallDir\sonds.exe"C:\Windows\InstallDir\sonds.exe"34⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Adds Run key to start application
PID:656 -
Process tree excerpt, nesting depths 35 to 62. Each entry gives the depth, the image path and the PID; in every entry the command line is the image path in quotes with no arguments, so it is not repeated. Indented dashes are the sandbox signatures attributed to that process.

depth 35  C:\Program Files\Internet Explorer\iexplore.exe  (8 instances)  PIDs 1612, 2948, 2856, 1564, 2816, 3048, 1116, 2600
depth 35  C:\Windows\InstallDir\sonds.exe  PID 1536
          - Executes dropped EXE
          - Suspicious use of SetThreadContext
          - Suspicious use of SetWindowsHookEx
depth 36  C:\Windows\InstallDir\sonds.exe  PID 1992
          - Modifies Installed Components in the registry
          - Executes dropped EXE
          - Adds Run key to start application
depth 37  C:\Program Files\Internet Explorer\iexplore.exe  (8 instances)  PIDs 2064, 2880, 2052, 2344, 1476, 1700, 1696, 872
depth 37  C:\Windows\InstallDir\sonds.exe  PID 2932
          - Executes dropped EXE
          - Suspicious use of SetThreadContext
          - Suspicious use of SetWindowsHookEx
depth 38  C:\Windows\InstallDir\sonds.exe  PID 1348
          - Modifies Installed Components in the registry
          - Executes dropped EXE
          - Adds Run key to start application
depth 39  C:\Program Files\Internet Explorer\iexplore.exe  (8 instances)  PIDs 472, 1364, 268, 2748, 2088, 2032, 572, 2804
depth 39  C:\Windows\InstallDir\sonds.exe  PID 1184
          - Executes dropped EXE
          - Suspicious use of SetThreadContext
          - Suspicious use of SetWindowsHookEx
depth 40  C:\Windows\InstallDir\sonds.exe  PID 1496
          - Modifies Installed Components in the registry
          - Executes dropped EXE
          - Adds Run key to start application
depth 41  C:\Program Files\Internet Explorer\iexplore.exe  (8 instances)  PIDs 2656, 308, 2292, 2724, 2184, 1920, 2148, 2060
depth 41  C:\Windows\InstallDir\sonds.exe  PID 2360
          - Executes dropped EXE
          - Suspicious use of SetThreadContext
          - Suspicious use of SetWindowsHookEx
depth 42  C:\Windows\InstallDir\sonds.exe  PID 2128
          - Modifies Installed Components in the registry
          - Executes dropped EXE
          - Adds Run key to start application
depth 43  C:\Program Files\Internet Explorer\iexplore.exe  (8 instances)  PIDs 2692, 2256, 2672, 1268, 612, 908, 3084, 3092
depth 43  C:\Windows\InstallDir\sonds.exe  PID 3108
          - Executes dropped EXE
          - Suspicious use of SetThreadContext
          - Suspicious use of SetWindowsHookEx
depth 44  C:\Windows\InstallDir\sonds.exe  PID 3132
          - Modifies Installed Components in the registry
          - Executes dropped EXE
          - Adds Run key to start application
depth 45  C:\Program Files\Internet Explorer\iexplore.exe  (8 instances)  PIDs 3176, 3184, 3196, 3204, 3216, 3224, 3236, 3244
depth 45  C:\Windows\InstallDir\sonds.exe  PID 3256
          - Executes dropped EXE
          - Suspicious use of SetThreadContext
          - Suspicious use of SetWindowsHookEx
depth 46  C:\Windows\InstallDir\sonds.exe  PID 3284
          - Modifies Installed Components in the registry
          - Executes dropped EXE
          - Adds Run key to start application
depth 47  C:\Program Files\Internet Explorer\iexplore.exe  (8 instances)  PIDs 3336, 3344, 3356, 3364, 3376, 3384, 3396, 3404
depth 47  C:\Windows\InstallDir\sonds.exe  PID 3416
          - Executes dropped EXE
          - Suspicious use of SetThreadContext
          - Suspicious use of SetWindowsHookEx
depth 48  C:\Windows\InstallDir\sonds.exe  PID 3444
          - Modifies Installed Components in the registry
          - Executes dropped EXE
          - Adds Run key to start application
depth 49  C:\Program Files\Internet Explorer\iexplore.exe  (8 instances)  PIDs 3484, 3496, 3508, 3516, 3528, 3536, 3548, 3556
depth 49  C:\Windows\InstallDir\sonds.exe  PID 3568
          - Executes dropped EXE
          - Suspicious use of SetThreadContext
          - Suspicious use of SetWindowsHookEx
depth 50  C:\Windows\InstallDir\sonds.exe  PID 3596
          - Modifies Installed Components in the registry
          - Executes dropped EXE
          - Adds Run key to start application
depth 51  C:\Program Files\Internet Explorer\iexplore.exe  (8 instances)  PIDs 3640, 3652, 3664, 3672, 3684, 3692, 3704, 3712
depth 51  C:\Windows\InstallDir\sonds.exe  PID 3724
          - Executes dropped EXE
          - Suspicious use of SetThreadContext
          - Suspicious use of SetWindowsHookEx
depth 52  C:\Windows\InstallDir\sonds.exe  PID 3748
          - Modifies Installed Components in the registry
          - Executes dropped EXE
          - Adds Run key to start application
depth 53  C:\Program Files\Internet Explorer\iexplore.exe  (8 instances)  PIDs 3784, 3796, 3808, 3816, 3828, 3836, 3848, 3856
depth 53  C:\Windows\InstallDir\sonds.exe  PID 3868
          - Executes dropped EXE
          - Suspicious use of SetThreadContext
          - Suspicious use of SetWindowsHookEx
depth 54  C:\Windows\InstallDir\sonds.exe  PID 3892
          - Modifies Installed Components in the registry
          - Executes dropped EXE
          - Adds Run key to start application
depth 55  C:\Program Files\Internet Explorer\iexplore.exe  (8 instances)  PIDs 3932, 3944, 3956, 3968, 3980, 3988, 4000, 4008
depth 55  C:\Windows\InstallDir\sonds.exe  PID 4020
          - Executes dropped EXE
          - Suspicious use of SetThreadContext
          - Suspicious use of SetWindowsHookEx
depth 56  C:\Windows\InstallDir\sonds.exe  PID 4044
          - Modifies Installed Components in the registry
          - Executes dropped EXE
          - Adds Run key to start application
depth 57  C:\Program Files\Internet Explorer\iexplore.exe  (8 instances)  PIDs 4088, 3080, 3116, 3120, 3140, 3152, 3172, 3192
depth 57  C:\Windows\InstallDir\sonds.exe  PID 3164
          - Executes dropped EXE
          - Suspicious use of SetThreadContext
          - Suspicious use of SetWindowsHookEx
depth 58  C:\Windows\InstallDir\sonds.exe  PID 3272
          - Modifies Installed Components in the registry
          - Executes dropped EXE
          - Adds Run key to start application
depth 59  C:\Program Files\Internet Explorer\iexplore.exe  (8 instances)  PIDs 3276, 3372, 3324, 3424, 3412, 3452, 3464, 3472
depth 59  C:\Windows\InstallDir\sonds.exe  PID 3504
          - Executes dropped EXE
          - Suspicious use of SetThreadContext
          - Suspicious use of SetWindowsHookEx
depth 60  C:\Windows\InstallDir\sonds.exe  PID 3564
          - Modifies Installed Components in the registry
          - Executes dropped EXE
          - Adds Run key to start application
depth 61  C:\Program Files\Internet Explorer\iexplore.exe  (8 instances)  PIDs 3632, 3660, 3700, 1508, 3720, 3744, 3756, 3768
depth 61  C:\Windows\InstallDir\sonds.exe  PID 3740
          - Executes dropped EXE
          - Suspicious use of SetWindowsHookEx
depth 62  C:\Windows\InstallDir\sonds.exe  PID 3772
          (no signatures recorded)
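The tree above repeats one shape every two generations: a sonds.exe with the SetThreadContext signature starts a second sonds.exe that writes the Run key and an Installed Components entry, and that one starts eight argument-less iexplore.exe processes plus the next SetThreadContext copy. The following Python script is an added example, not the sandbox's own code: it parses lines in the extracted format shown on this page, recovers parent/child links from the depth number, and reports (a) non-browser parents that launch a burst of argument-less iexplore.exe instances, (b) the length of the same-image re-launch chain, and (c) the PIDs carrying the Run-key signature. The burst threshold of four, the rule that a quoted image path with nothing after it means no arguments, and the sample tree (rebuilt from the PIDs and signatures of depths 35 to 39 above) are my assumptions.

```python
"""Rebuild the sandbox process tree from its extracted text and flag the launch
pattern it shows. Added example, not the sandbox's own code. Assumed line shape,
as extracted above:  <image>"<command line>"<depth>⤵PID:<pid>  followed by
optional "- <signature>" bullets for that process, with a lone "-" as separator."""
import re
from dataclasses import dataclass, field
from typing import Iterator, Optional

PROC_RE = re.compile(r'^(?P<image>[^"]+)"(?P<cmd>[^"]*)"(?P<depth>\d+)⤵\s*(?:PID:(?P<pid>\d+))?\s*-?\s*$')
PID_RE = re.compile(r'^PID:(?P<pid>\d+)\s*-?\s*$')
IE = r"C:\Program Files\Internet Explorer\iexplore.exe"
RAT = r"C:\Windows\InstallDir\sonds.exe"        # the dropped XtremeRAT copy

@dataclass
class Proc:
    image: str
    cmd: str
    depth: int
    pid: Optional[int] = None
    signatures: list = field(default_factory=list)
    children: list = field(default_factory=list)

def parse_tree(text: str) -> list:
    """A node's parent is the nearest preceding node with a smaller depth."""
    roots, ancestors, cur = [], [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line == "-":
            continue
        if m := PROC_RE.match(line):
            cur = Proc(m["image"], m["cmd"], int(m["depth"]), int(m["pid"]) if m["pid"] else None)
            while ancestors and ancestors[-1].depth >= cur.depth:
                ancestors.pop()
            (ancestors[-1].children if ancestors else roots).append(cur)
            ancestors.append(cur)
        elif (m := PID_RE.match(line)) and cur:
            cur.pid = int(m["pid"])          # PID is printed after the signature bullets
        elif line.startswith("- ") and cur:
            cur.signatures.append(line[2:].strip())
    return roots

def walk(roots: list) -> Iterator[Proc]:
    """Pre-order traversal in the report's sibling order."""
    stack = list(reversed(roots))
    while stack:
        p = stack.pop()
        yield p
        stack.extend(reversed(p.children))

def browser_launch_bursts(roots: list, min_targets: int = 4) -> list:
    """Non-browser parents that start >= min_targets iexplore.exe processes with no
    arguments (command line == image path) that do nothing of their own: a batch
    of injection targets, not user browsing. The threshold is an assumption."""
    out = []
    for p in walk(roots):
        if p.image.lower() == IE.lower():
            continue
        targets = [c for c in p.children
                   if c.image.lower() == IE.lower() and c.cmd == c.image and not c.signatures]
        if len(targets) >= min_targets:
            out.append({"parent_pid": p.pid, "parent_signatures": list(p.signatures),
                        "target_pids": [c.pid for c in targets]})
    return out

def longest_self_spawn_chain(roots: list) -> int:
    """Longest parent->child run where each link re-executes the same image."""
    best = 0
    def visit(p: Proc, run: int) -> None:
        nonlocal best
        best = max(best, run)
        for c in p.children:
            visit(c, run + 1 if c.image.lower() == p.image.lower() else 1)
    for r in roots:
        visit(r, 1)
    return best

def proc_line(image: str, depth: int, pid: Optional[int] = None) -> str:
    """Emit one tree line in the extracted format (PID inline when given)."""
    return f'{image}"{image}"{depth}⤵' + (f"PID:{pid}" if pid else "")

# Depths 35-39 of the report's tree, rebuilt from the PIDs and signatures shown above.
HOLLOWER = ["- Executes dropped EXE", "- Suspicious use of SetThreadContext",
            "- Suspicious use of SetWindowsHookEx"]
PERSISTER = ["- Modifies Installed Components in the registry", "- Executes dropped EXE",
             "- Adds Run key to start application"]
SAMPLE = "\n".join([
    proc_line(RAT, 35), *HOLLOWER, "PID:1536 -",
    proc_line(RAT, 36), *PERSISTER, "PID:1992 -",
    *[proc_line(IE, 37, pid) for pid in (2064, 2880, 2052, 2344, 1476, 1700, 1696, 872)],
    proc_line(RAT, 37), *HOLLOWER, "PID:2932 -",
    proc_line(RAT, 38), *PERSISTER, "PID:1348 -",
    *[proc_line(IE, 39, pid) for pid in (472, 1364)],
])

def summarize(text: str = SAMPLE) -> dict:
    roots = parse_tree(text)
    return {"bursts": browser_launch_bursts(roots),
            "self_spawn_chain": longest_self_spawn_chain(roots),
            "run_key_pids": sorted(p.pid for p in walk(roots)
                                   if "Adds Run key to start application" in p.signatures)}

if __name__ == "__main__":
    import json
    print(json.dumps(summarize(), indent=2))
```

On the sample, the only burst is parent PID 1992 with its eight iexplore.exe children, the same-image chain is four deep (1536, 1992, 2932, 1348), and the Run-key signature sits on 1992 and 1348; lowering `min_targets` to 2 also reports 1348 with the two depth-39 browsers. Run against the full tree, the chain would be 28 deep and every even-depth sonds.exe would be a burst parent, which is the behaviour a process-creation rule should key on: a non-browser image spawning many browser processes with an empty command line, rather than the browser path itself.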
Network
MITRE ATT&CK Enterprise v15
Downloads

- Filesize: 1KB
  MD5: d1a921131bfeffbfffb631b7d29bd461
  SHA1: bd555f1030aea183b5fe8cb004a10869c02797ef
  SHA256: 5c5d67713455743a876d4fd9f61df70b7bcaed374e90a8d5f96f737b6ab3d4f3
  SHA512: 84f7bbd4c38dcaeaae6e36957b939c6d83c9dbc4a39c93647a1d978e21a559637bf4b7fa1deb91cc85d1707f04203a8e417576e9da7dad836d8b66d37221bf3b

- Filesize: 103KB
  MD5: d96da31dc60b5ab8b68e345db4e9b4dd
  SHA1: b0993a3e08e9b9436c2c4ee2ba115a3e01247fc7
  SHA256: 2981cdef41416b51adeb6759a0fbc7045f5c12fa686f437587c325a1435a3c96
  SHA512: 60e71087cc5fb9a21b2a43325eb9e8527115dc692ed3899f02c2d11e4ff0a9f98047f129bf0e2de850b427ea2a2febc327efa8443854b1757728d5538cf44bca

- Filesize: 428KB
  MD5: aa148aaca301b7273bdbdb6c1f2d581e
  SHA1: 7c000c6d06806d6aaeaeab56e34e8eda52b3ac13
  SHA256: 69eb268d4de61fc838aa1e15b67025486e375f7a63e969bf16205021d3bc4526
  SHA512: 3a15f03815c71cdfbd984d464002eebf323f0b904a7303e2636f23b11ce73c926d057a6ab16423f975cee6f030fc574259a85c40c88d444692f3ea4cef3f6913