Analysis
max time kernel: 151s
max time network: 157s
platform: windows10-2004_x64
resource: win10v2004-20240226-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
submitted: 27-02-2024 20:26
Static task: static1
Behavioral task: behavioral1
  Sample: aa148aaca301b7273bdbdb6c1f2d581e.exe
  Resource: win7-20240221-en
Behavioral task: behavioral2
  Sample: aa148aaca301b7273bdbdb6c1f2d581e.exe
  Resource: win10v2004-20240226-en
General
Target: aa148aaca301b7273bdbdb6c1f2d581e.exe
Size: 428KB
MD5: aa148aaca301b7273bdbdb6c1f2d581e
SHA1: 7c000c6d06806d6aaeaeab56e34e8eda52b3ac13
SHA256: 69eb268d4de61fc838aa1e15b67025486e375f7a63e969bf16205021d3bc4526
SHA512: 3a15f03815c71cdfbd984d464002eebf323f0b904a7303e2636f23b11ce73c926d057a6ab16423f975cee6f030fc574259a85c40c88d444692f3ea4cef3f6913
SSDEEP: 6144:pcSj5+6EIo/rBlI/Pj5WUq4I9/Pjx5+6EIo/rBlLR:GStEI4yq4IZEI4bR
Malware Config
Signatures
Detect XtremeRAT payload 46 IoCs
Processes:
resource  yara_rule
behavioral2/memory/4936-6-0x0000000000C80000-0x0000000000C95000-memory.dmp  family_xtremerat
behavioral2/memory/4936-20-0x0000000000C80000-0x0000000000C95000-memory.dmp  family_xtremerat
behavioral2/memory/1436-28-0x0000000000C80000-0x0000000000C95000-memory.dmp  family_xtremerat
behavioral2/memory/1436-33-0x0000000000C80000-0x0000000000C95000-memory.dmp  family_xtremerat
behavioral2/memory/3024-41-0x0000000000C80000-0x0000000000C95000-memory.dmp  family_xtremerat
behavioral2/memory/3024-46-0x0000000000C80000-0x0000000000C95000-memory.dmp  family_xtremerat
behavioral2/memory/5056-54-0x0000000000C80000-0x0000000000C95000-memory.dmp  family_xtremerat
behavioral2/memory/5056-59-0x0000000000C80000-0x0000000000C95000-memory.dmp  family_xtremerat
behavioral2/memory/1676-67-0x0000000000C80000-0x0000000000C95000-memory.dmp  family_xtremerat
behavioral2/memory/1676-72-0x0000000000C80000-0x0000000000C95000-memory.dmp  family_xtremerat
behavioral2/memory/628-80-0x0000000000C80000-0x0000000000C95000-memory.dmp  family_xtremerat
behavioral2/memory/628-85-0x0000000000C80000-0x0000000000C95000-memory.dmp  family_xtremerat
behavioral2/memory/2192-97-0x0000000000C80000-0x0000000000C95000-memory.dmp  family_xtremerat
behavioral2/memory/2084-105-0x0000000000C80000-0x0000000000C95000-memory.dmp  family_xtremerat
behavioral2/memory/2084-110-0x0000000000C80000-0x0000000000C95000-memory.dmp  family_xtremerat
behavioral2/memory/3128-118-0x0000000000C80000-0x0000000000C95000-memory.dmp  family_xtremerat
behavioral2/memory/3128-123-0x0000000000C80000-0x0000000000C95000-memory.dmp  family_xtremerat
behavioral2/memory/4032-135-0x0000000000C80000-0x0000000000C95000-memory.dmp  family_xtremerat
behavioral2/memory/3964-143-0x0000000000C80000-0x0000000000C95000-memory.dmp  family_xtremerat
behavioral2/memory/3964-148-0x0000000000C80000-0x0000000000C95000-memory.dmp  family_xtremerat
behavioral2/memory/2972-156-0x0000000000C80000-0x0000000000C95000-memory.dmp  family_xtremerat
behavioral2/memory/2972-161-0x0000000000C80000-0x0000000000C95000-memory.dmp  family_xtremerat
behavioral2/memory/4944-173-0x0000000000C80000-0x0000000000C95000-memory.dmp  family_xtremerat
behavioral2/memory/316-181-0x0000000000C80000-0x0000000000C95000-memory.dmp  family_xtremerat
behavioral2/memory/316-186-0x0000000000C80000-0x0000000000C95000-memory.dmp  family_xtremerat
behavioral2/memory/4388-198-0x0000000000C80000-0x0000000000C95000-memory.dmp  family_xtremerat
behavioral2/memory/4808-206-0x0000000000C80000-0x0000000000C95000-memory.dmp  family_xtremerat
behavioral2/memory/4808-211-0x0000000000C80000-0x0000000000C95000-memory.dmp  family_xtremerat
behavioral2/memory/1480-223-0x0000000000C80000-0x0000000000C95000-memory.dmp  family_xtremerat
behavioral2/memory/4028-231-0x0000000000C80000-0x0000000000C95000-memory.dmp  family_xtremerat
behavioral2/memory/4028-236-0x0000000000C80000-0x0000000000C95000-memory.dmp  family_xtremerat
behavioral2/memory/1820-248-0x0000000000C80000-0x0000000000C95000-memory.dmp  family_xtremerat
behavioral2/memory/4228-256-0x0000000000C80000-0x0000000000C95000-memory.dmp  family_xtremerat
behavioral2/memory/4228-261-0x0000000000C80000-0x0000000000C95000-memory.dmp  family_xtremerat
behavioral2/memory/816-273-0x0000000000C80000-0x0000000000C95000-memory.dmp  family_xtremerat
behavioral2/memory/5156-281-0x0000000000C80000-0x0000000000C95000-memory.dmp  family_xtremerat
behavioral2/memory/5156-285-0x0000000000C80000-0x0000000000C95000-memory.dmp  family_xtremerat
behavioral2/memory/5376-292-0x0000000000C80000-0x0000000000C95000-memory.dmp  family_xtremerat
behavioral2/memory/5376-295-0x0000000000C80000-0x0000000000C95000-memory.dmp  family_xtremerat
behavioral2/memory/5572-304-0x0000000000C80000-0x0000000000C95000-memory.dmp  family_xtremerat
behavioral2/memory/5760-311-0x0000000000C80000-0x0000000000C95000-memory.dmp  family_xtremerat
behavioral2/memory/5760-314-0x0000000000C80000-0x0000000000C95000-memory.dmp  family_xtremerat
behavioral2/memory/6096-323-0x0000000000C80000-0x0000000000C95000-memory.dmp  family_xtremerat
behavioral2/memory/5384-330-0x0000000000C80000-0x0000000000C95000-memory.dmp  family_xtremerat
behavioral2/memory/5384-333-0x0000000000C80000-0x0000000000C95000-memory.dmp  family_xtremerat
behavioral2/memory/5792-340-0x0000000000C80000-0x0000000000C95000-memory.dmp  family_xtremerat
XtremeRAT
XtremeRAT was developed by xtremecoder, has been available since at least 2010, and is written in Delphi.
Modifies Installed Components in the registry 2 TTPs 56 IoCs
Processes: sonds.exe, aa148aaca301b7273bdbdb6c1f2d581e.exe
description  ioc  process
Key created (28 IoCs: 27 by sonds.exe, 1 by aa148aaca301b7273bdbdb6c1f2d581e.exe):
  \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}
Set value (str) (28 IoCs: 27 by sonds.exe, 1 by aa148aaca301b7273bdbdb6c1f2d581e.exe):
  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}\StubPath = "C:\\Windows\\InstallDir\\sonds.exe restart"
Checks computer location settings 2 TTPs 27 IoCs
Looks up the country code configured in the registry, likely for geofencing.
Processes: sonds.exe, aa148aaca301b7273bdbdb6c1f2d581e.exe
description  ioc  process
Key value queried (27 IoCs: 26 by sonds.exe, 1 by aa148aaca301b7273bdbdb6c1f2d581e.exe):
  \REGISTRY\USER\S-1-5-21-513485977-2495024337-1260977654-1000\Control Panel\International\Geo\Nation
Executes dropped EXE 54 IoCs
Processes:
pid  process
process: sonds.exe (all 54 pids)
pids: 960, 1436, 3984, 3024, 1992, 5056, 2988, 1676, 4588, 628, 4404, 2192, 2128, 2084, 740, 3128, 4704, 4032, 1136, 3964, 2528, 2972, 1564, 4944, 3924, 316, 4528, 4388, 1332, 4808, 1304, 1480, 3016, 4028, 1960, 1820, 2292, 4228, 2484, 816, 5124, 5156, 5348, 5376, 5544, 5572, 5728, 5760, 6068, 6096, 5340, 5384, 5748, 5792
Processes:
resource  yara_rule
behavioral2/memory/4936-2-0x0000000000C80000-0x0000000000C95000-memory.dmp  upx
behavioral2/memory/4936-4-0x0000000000C80000-0x0000000000C95000-memory.dmp  upx
behavioral2/memory/4936-6-0x0000000000C80000-0x0000000000C95000-memory.dmp  upx
behavioral2/memory/4936-20-0x0000000000C80000-0x0000000000C95000-memory.dmp  upx
behavioral2/memory/1436-28-0x0000000000C80000-0x0000000000C95000-memory.dmp  upx
behavioral2/memory/1436-33-0x0000000000C80000-0x0000000000C95000-memory.dmp  upx
behavioral2/memory/3024-41-0x0000000000C80000-0x0000000000C95000-memory.dmp  upx
behavioral2/memory/3024-46-0x0000000000C80000-0x0000000000C95000-memory.dmp  upx
behavioral2/memory/5056-54-0x0000000000C80000-0x0000000000C95000-memory.dmp  upx
behavioral2/memory/5056-59-0x0000000000C80000-0x0000000000C95000-memory.dmp  upx
behavioral2/memory/1676-67-0x0000000000C80000-0x0000000000C95000-memory.dmp  upx
behavioral2/memory/1676-72-0x0000000000C80000-0x0000000000C95000-memory.dmp  upx
behavioral2/memory/628-80-0x0000000000C80000-0x0000000000C95000-memory.dmp  upx
behavioral2/memory/628-85-0x0000000000C80000-0x0000000000C95000-memory.dmp  upx
behavioral2/memory/2192-97-0x0000000000C80000-0x0000000000C95000-memory.dmp  upx
behavioral2/memory/2084-105-0x0000000000C80000-0x0000000000C95000-memory.dmp  upx
behavioral2/memory/2084-110-0x0000000000C80000-0x0000000000C95000-memory.dmp  upx
behavioral2/memory/3128-118-0x0000000000C80000-0x0000000000C95000-memory.dmp  upx
behavioral2/memory/3128-123-0x0000000000C80000-0x0000000000C95000-memory.dmp  upx
behavioral2/memory/4032-135-0x0000000000C80000-0x0000000000C95000-memory.dmp  upx
behavioral2/memory/3964-143-0x0000000000C80000-0x0000000000C95000-memory.dmp  upx
behavioral2/memory/3964-148-0x0000000000C80000-0x0000000000C95000-memory.dmp  upx
behavioral2/memory/2972-156-0x0000000000C80000-0x0000000000C95000-memory.dmp  upx
behavioral2/memory/2972-161-0x0000000000C80000-0x0000000000C95000-memory.dmp  upx
behavioral2/memory/4944-173-0x0000000000C80000-0x0000000000C95000-memory.dmp  upx
behavioral2/memory/316-181-0x0000000000C80000-0x0000000000C95000-memory.dmp  upx
behavioral2/memory/316-186-0x0000000000C80000-0x0000000000C95000-memory.dmp  upx
behavioral2/memory/4388-198-0x0000000000C80000-0x0000000000C95000-memory.dmp  upx
behavioral2/memory/4808-206-0x0000000000C80000-0x0000000000C95000-memory.dmp  upx
behavioral2/memory/4808-211-0x0000000000C80000-0x0000000000C95000-memory.dmp  upx
behavioral2/memory/1480-223-0x0000000000C80000-0x0000000000C95000-memory.dmp  upx
behavioral2/memory/4028-231-0x0000000000C80000-0x0000000000C95000-memory.dmp  upx
behavioral2/memory/4028-236-0x0000000000C80000-0x0000000000C95000-memory.dmp  upx
behavioral2/memory/1820-248-0x0000000000C80000-0x0000000000C95000-memory.dmp  upx
behavioral2/memory/4228-256-0x0000000000C80000-0x0000000000C95000-memory.dmp  upx
behavioral2/memory/4228-261-0x0000000000C80000-0x0000000000C95000-memory.dmp  upx
behavioral2/memory/816-273-0x0000000000C80000-0x0000000000C95000-memory.dmp  upx
behavioral2/memory/5156-281-0x0000000000C80000-0x0000000000C95000-memory.dmp  upx
behavioral2/memory/5156-285-0x0000000000C80000-0x0000000000C95000-memory.dmp  upx
behavioral2/memory/5376-292-0x0000000000C80000-0x0000000000C95000-memory.dmp  upx
behavioral2/memory/5376-295-0x0000000000C80000-0x0000000000C95000-memory.dmp  upx
behavioral2/memory/5572-304-0x0000000000C80000-0x0000000000C95000-memory.dmp  upx
behavioral2/memory/5760-311-0x0000000000C80000-0x0000000000C95000-memory.dmp  upx
behavioral2/memory/5760-314-0x0000000000C80000-0x0000000000C95000-memory.dmp  upx
behavioral2/memory/6096-323-0x0000000000C80000-0x0000000000C95000-memory.dmp  upx
behavioral2/memory/5384-330-0x0000000000C80000-0x0000000000C95000-memory.dmp  upx
behavioral2/memory/5384-333-0x0000000000C80000-0x0000000000C95000-memory.dmp  upx
behavioral2/memory/5792-340-0x0000000000C80000-0x0000000000C95000-memory.dmp  upx
Adds Run key to start application 2 TTPs 56 IoCs
Processes: sonds.exe, aa148aaca301b7273bdbdb6c1f2d581e.exe
description  ioc  process
Set value (str) (28 IoCs: 27 by sonds.exe, 1 by aa148aaca301b7273bdbdb6c1f2d581e.exe):
  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\InstallDir\\sonds.exe"
Set value (str) (28 IoCs: 27 by sonds.exe, 1 by aa148aaca301b7273bdbdb6c1f2d581e.exe):
  \REGISTRY\USER\S-1-5-21-513485977-2495024337-1260977654-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\InstallDir\\sonds.exe"
Suspicious use of SetThreadContext 28 IoCs
Processes:
description pid process target process
PID 2676 set thread context of 4936 2676 aa148aaca301b7273bdbdb6c1f2d581e.exe aa148aaca301b7273bdbdb6c1f2d581e.exe
PID 960 set thread context of 1436 960 sonds.exe sonds.exe
PID 3984 set thread context of 3024 3984 sonds.exe sonds.exe
PID 1992 set thread context of 5056 1992 sonds.exe sonds.exe
PID 2988 set thread context of 1676 2988 sonds.exe sonds.exe
PID 4588 set thread context of 628 4588 sonds.exe sonds.exe
PID 4404 set thread context of 2192 4404 sonds.exe sonds.exe
PID 2128 set thread context of 2084 2128 sonds.exe sonds.exe
PID 740 set thread context of 3128 740 sonds.exe sonds.exe
PID 4704 set thread context of 4032 4704 sonds.exe sonds.exe
PID 1136 set thread context of 3964 1136 sonds.exe sonds.exe
PID 2528 set thread context of 2972 2528 sonds.exe sonds.exe
PID 1564 set thread context of 4944 1564 sonds.exe sonds.exe
PID 3924 set thread context of 316 3924 sonds.exe sonds.exe
PID 4528 set thread context of 4388 4528 sonds.exe sonds.exe
PID 1332 set thread context of 4808 1332 sonds.exe sonds.exe
PID 1304 set thread context of 1480 1304 sonds.exe sonds.exe
PID 3016 set thread context of 4028 3016 sonds.exe sonds.exe
PID 1960 set thread context of 1820 1960 sonds.exe sonds.exe
PID 2292 set thread context of 4228 2292 sonds.exe sonds.exe
PID 2484 set thread context of 816 2484 sonds.exe sonds.exe
PID 5124 set thread context of 5156 5124 sonds.exe sonds.exe
PID 5348 set thread context of 5376 5348 sonds.exe sonds.exe
PID 5544 set thread context of 5572 5544 sonds.exe sonds.exe
PID 5728 set thread context of 5760 5728 sonds.exe sonds.exe
PID 6068 set thread context of 6096 6068 sonds.exe sonds.exe
PID 5340 set thread context of 5384 5340 sonds.exe sonds.exe
PID 5748 set thread context of 5792 5748 sonds.exe sonds.exe -
Drops file in Windows directory 2 IoCs
Processes:
description ioc process
File opened for modification C:\Windows\InstallDir\sonds.exe aa148aaca301b7273bdbdb6c1f2d581e.exe
File created C:\Windows\InstallDir\sonds.exe aa148aaca301b7273bdbdb6c1f2d581e.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Suspicious use of SetWindowsHookEx 28 IoCs
Processes:
pid process
2676 aa148aaca301b7273bdbdb6c1f2d581e.exe
960 sonds.exe
3984 sonds.exe
1992 sonds.exe
2988 sonds.exe
4588 sonds.exe
4404 sonds.exe
2128 sonds.exe
740 sonds.exe
4704 sonds.exe
1136 sonds.exe
2528 sonds.exe
1564 sonds.exe
3924 sonds.exe
4528 sonds.exe
1332 sonds.exe
1304 sonds.exe
3016 sonds.exe
1960 sonds.exe
2292 sonds.exe
2484 sonds.exe
5124 sonds.exe
5348 sonds.exe
5544 sonds.exe
5728 sonds.exe
6068 sonds.exe
5340 sonds.exe
5748 sonds.exe -
Suspicious use of WriteProcessMemory 64 IoCs
Processes:
description pid process target process
PID 2676 wrote to memory of 4936 2676 aa148aaca301b7273bdbdb6c1f2d581e.exe aa148aaca301b7273bdbdb6c1f2d581e.exe
PID 2676 wrote to memory of 4936 2676 aa148aaca301b7273bdbdb6c1f2d581e.exe aa148aaca301b7273bdbdb6c1f2d581e.exe
PID 2676 wrote to memory of 4936 2676 aa148aaca301b7273bdbdb6c1f2d581e.exe aa148aaca301b7273bdbdb6c1f2d581e.exe
PID 2676 wrote to memory of 4936 2676 aa148aaca301b7273bdbdb6c1f2d581e.exe aa148aaca301b7273bdbdb6c1f2d581e.exe
PID 2676 wrote to memory of 4936 2676 aa148aaca301b7273bdbdb6c1f2d581e.exe aa148aaca301b7273bdbdb6c1f2d581e.exe
PID 2676 wrote to memory of 4936 2676 aa148aaca301b7273bdbdb6c1f2d581e.exe aa148aaca301b7273bdbdb6c1f2d581e.exe
PID 2676 wrote to memory of 4936 2676 aa148aaca301b7273bdbdb6c1f2d581e.exe aa148aaca301b7273bdbdb6c1f2d581e.exe
PID 2676 wrote to memory of 4936 2676 aa148aaca301b7273bdbdb6c1f2d581e.exe aa148aaca301b7273bdbdb6c1f2d581e.exe
PID 4936 wrote to memory of 4140 4936 aa148aaca301b7273bdbdb6c1f2d581e.exe msedge.exe
PID 4936 wrote to memory of 4140 4936 aa148aaca301b7273bdbdb6c1f2d581e.exe msedge.exe
PID 4936 wrote to memory of 4140 4936 aa148aaca301b7273bdbdb6c1f2d581e.exe msedge.exe
PID 4936 wrote to memory of 2556 4936 aa148aaca301b7273bdbdb6c1f2d581e.exe msedge.exe
PID 4936 wrote to memory of 2556 4936 aa148aaca301b7273bdbdb6c1f2d581e.exe msedge.exe
PID 4936 wrote to memory of 2556 4936 aa148aaca301b7273bdbdb6c1f2d581e.exe msedge.exe
PID 4936 wrote to memory of 2220 4936 aa148aaca301b7273bdbdb6c1f2d581e.exe msedge.exe
PID 4936 wrote to memory of 2220 4936 aa148aaca301b7273bdbdb6c1f2d581e.exe msedge.exe
PID 4936 wrote to memory of 2220 4936 aa148aaca301b7273bdbdb6c1f2d581e.exe msedge.exe
PID 4936 wrote to memory of 1984 4936 aa148aaca301b7273bdbdb6c1f2d581e.exe msedge.exe
PID 4936 wrote to memory of 1984 4936 aa148aaca301b7273bdbdb6c1f2d581e.exe msedge.exe
PID 4936 wrote to memory of 1984 4936 aa148aaca301b7273bdbdb6c1f2d581e.exe msedge.exe
PID 4936 wrote to memory of 5096 4936 aa148aaca301b7273bdbdb6c1f2d581e.exe msedge.exe
PID 4936 wrote to memory of 5096 4936 aa148aaca301b7273bdbdb6c1f2d581e.exe msedge.exe
PID 4936 wrote to memory of 5096 4936 aa148aaca301b7273bdbdb6c1f2d581e.exe msedge.exe
PID 4936 wrote to memory of 1080 4936 aa148aaca301b7273bdbdb6c1f2d581e.exe msedge.exe
PID 4936 wrote to memory of 1080 4936 aa148aaca301b7273bdbdb6c1f2d581e.exe msedge.exe
PID 4936 wrote to memory of 1080 4936 aa148aaca301b7273bdbdb6c1f2d581e.exe msedge.exe
PID 4936 wrote to memory of 2108 4936 aa148aaca301b7273bdbdb6c1f2d581e.exe msedge.exe
PID 4936 wrote to memory of 2108 4936 aa148aaca301b7273bdbdb6c1f2d581e.exe msedge.exe
PID 4936 wrote to memory of 2108 4936 aa148aaca301b7273bdbdb6c1f2d581e.exe msedge.exe
PID 4936 wrote to memory of 920 4936 aa148aaca301b7273bdbdb6c1f2d581e.exe msedge.exe
PID 4936 wrote to memory of 920 4936 aa148aaca301b7273bdbdb6c1f2d581e.exe msedge.exe
PID 4936 wrote to memory of 960 4936 aa148aaca301b7273bdbdb6c1f2d581e.exe sonds.exe
PID 4936 wrote to memory of 960 4936 aa148aaca301b7273bdbdb6c1f2d581e.exe sonds.exe
PID 4936 wrote to memory of 960 4936 aa148aaca301b7273bdbdb6c1f2d581e.exe sonds.exe
PID 960 wrote to memory of 1436 960 sonds.exe sonds.exe
PID 960 wrote to memory of 1436 960 sonds.exe sonds.exe
PID 960 wrote to memory of 1436 960 sonds.exe sonds.exe
PID 960 wrote to memory of 1436 960 sonds.exe sonds.exe
PID 960 wrote to memory of 1436 960 sonds.exe sonds.exe
PID 960 wrote to memory of 1436 960 sonds.exe sonds.exe
PID 960 wrote to memory of 1436 960 sonds.exe sonds.exe
PID 960 wrote to memory of 1436 960 sonds.exe sonds.exe
PID 1436 wrote to memory of 2432 1436 sonds.exe msedge.exe
PID 1436 wrote to memory of 2432 1436 sonds.exe msedge.exe
PID 1436 wrote to memory of 2432 1436 sonds.exe msedge.exe
PID 1436 wrote to memory of 1616 1436 sonds.exe msedge.exe
PID 1436 wrote to memory of 1616 1436 sonds.exe msedge.exe
PID 1436 wrote to memory of 1616 1436 sonds.exe msedge.exe
PID 1436 wrote to memory of 3576 1436 sonds.exe msedge.exe
PID 1436 wrote to memory of 3576 1436 sonds.exe msedge.exe
PID 1436 wrote to memory of 3576 1436 sonds.exe msedge.exe
PID 1436 wrote to memory of 1440 1436 sonds.exe msedge.exe
PID 1436 wrote to memory of 1440 1436 sonds.exe msedge.exe
PID 1436 wrote to memory of 1440 1436 sonds.exe msedge.exe
PID 1436 wrote to memory of 5104 1436 sonds.exe msedge.exe
PID 1436 wrote to memory of 5104 1436 sonds.exe msedge.exe
PID 1436 wrote to memory of 5104 1436 sonds.exe msedge.exe
PID 1436 wrote to memory of 4516 1436 sonds.exe msedge.exe
PID 1436 wrote to memory of 4516 1436 sonds.exe msedge.exe
PID 1436 wrote to memory of 4516 1436 sonds.exe msedge.exe
PID 1436 wrote to memory of 4612 1436 sonds.exe msedge.exe
PID 1436 wrote to memory of 4612 1436 sonds.exe msedge.exe
PID 1436 wrote to memory of 4612 1436 sonds.exe msedge.exe
PID 1436 wrote to memory of 1508 1436 sonds.exe msedge.exe
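Read together, the "Adds Run key", "SetThreadContext" and "WriteProcessMemory" tables above are the signal that matters: each parent writes into a freshly created copy of its own image and then rewrites that copy's thread context (the RunPE / process-hollowing sequence), the hollowed copy spawns C:\Windows\InstallDir\sonds.exe, and every generation re-writes the same two autostart values. The Python below is an added example, not part of this report or of the sandbox's tooling; it parses rows in the exact flattened format the tables above use, correlates WriteProcessMemory with SetThreadContext per parent/child pair, chains hollowed children back to the hollowed process that spawned their parent, and collapses the Run-key rows into unique persistence IoCs. The embedded rows are a constructed subset of this page's tables; the function names and the `SAMPLE_ROWS` constant are the example's own.

```python
"""Correlate sandbox behaviour rows into process-hollowing pairs and Run-key IoCs.

Added example; not the report's or any vendor's code. Row shapes follow the
flattened tables on this page ("description pid process target process").
"""
import re
from collections import defaultdict

RE_CTX = re.compile(r"PID (\d+) set thread context of (\d+) \1 (\S+) (\S+)")
RE_WPM = re.compile(r"PID (\d+) wrote to memory of (\d+) \1 (\S+) (\S+)")
RE_RUN = re.compile(r'Set value \(str\) (\S+\\Run\\(\w+)) = "([^"]+)" (\S+)')

# Constructed sample: a subset of the rows in the tables above (raw string,
# so the report's doubled backslashes in REG_SZ data are kept as written).
SAMPLE_ROWS = r"""
PID 2676 set thread context of 4936 2676 aa148aaca301b7273bdbdb6c1f2d581e.exe aa148aaca301b7273bdbdb6c1f2d581e.exe
PID 960 set thread context of 1436 960 sonds.exe sonds.exe
PID 2676 wrote to memory of 4936 2676 aa148aaca301b7273bdbdb6c1f2d581e.exe aa148aaca301b7273bdbdb6c1f2d581e.exe
PID 2676 wrote to memory of 4936 2676 aa148aaca301b7273bdbdb6c1f2d581e.exe aa148aaca301b7273bdbdb6c1f2d581e.exe
PID 4936 wrote to memory of 4140 4936 aa148aaca301b7273bdbdb6c1f2d581e.exe msedge.exe
PID 4936 wrote to memory of 960 4936 aa148aaca301b7273bdbdb6c1f2d581e.exe sonds.exe
PID 960 wrote to memory of 1436 960 sonds.exe sonds.exe
Set value (str) \REGISTRY\USER\S-1-5-21-513485977-2495024337-1260977654-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\InstallDir\\sonds.exe" sonds.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\InstallDir\\sonds.exe" aa148aaca301b7273bdbdb6c1f2d581e.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\InstallDir\\sonds.exe" sonds.exe
"""


def parse_rows(text):
    """Return (ctx, wpm, run): SetThreadContext edges, WriteProcessMemory edge
    counts, and Run-key writes as (hive, value name, data, writing process)."""
    ctx, wpm, run = set(), defaultdict(int), set()
    for line in text.splitlines():
        if m := RE_CTX.match(line):
            ctx.add((int(m[1]), int(m[2]), m[3], m[4]))
        elif m := RE_WPM.match(line):
            wpm[(int(m[1]), int(m[2]), m[3], m[4])] += 1
        elif m := RE_RUN.match(line):
            # WOW6432Node is where a 32-bit process's HKLM\...\Run write lands on x64.
            hive = "HKLM" if r"\REGISTRY\MACHINE" in m[1] else "HKCU"
            run.add((hive, m[2], m[3].replace("\\\\", "\\"), m[4]))  # undo report escaping
    return ctx, wpm, run


def hollowing_pairs(ctx, wpm):
    """Parent that both writes into a child and then sets the child's thread
    context: the hollowing sequence. SetThreadContext alone is not enough
    (debuggers do it too), so pairs without a memory write are dropped."""
    pairs = []
    for parent, child, pimg, cimg in sorted(ctx):
        writes = wpm.get((parent, child, pimg, cimg), 0)
        if writes == 0:
            continue
        pairs.append({"parent": parent, "child": child, "image": cimg, "writes": writes,
                      "kind": "self-hollowing" if pimg == cimg else "remote-injection"})
    return pairs


def hollow_lineage(pairs, wpm):
    """Map each hollowing parent to the hollowed process that spawned it (a
    hollowed payload writing into a child of a different image), or None."""
    hollowed = {p["child"] for p in pairs}
    spawned_by = {child: parent for (parent, child, pimg, cimg) in wpm
                  if parent in hollowed and pimg != cimg}
    return {p["parent"]: spawned_by.get(p["parent"]) for p in pairs}


def persistence_iocs(run):
    """Collapse per-process Run-key rows into unique autostart entries, each
    with the sorted list of processes that wrote it."""
    entries = defaultdict(set)
    for hive, name, data, writer in run:
        entries[(hive, name, data)].add(writer)
    return {k: sorted(v) for k, v in entries.items()}


if __name__ == "__main__":
    ctx, wpm, run = parse_rows(SAMPLE_ROWS)
    pairs = hollowing_pairs(ctx, wpm)
    for p in pairs:
        print(f"{p['kind']}: {p['parent']} -> {p['child']} ({p['image']}, {p['writes']} writes)")
    print("spawned by hollowed pid:", hollow_lineage(pairs, wpm))
    for (hive, name, data), writers in persistence_iocs(run).items():
        print(f"{hive}\\...\\Run\\{name} = {data}  written by {', '.join(writers)}")
```

On the sample rows this reports two self-hollowing pairs (2676 into 4936, 960 into 1436), shows that sonds.exe 960 was spawned by the hollowed payload 4936, and reduces the Run-key rows to the two entries worth hunting for on other hosts: the HKCU and HKLM (WOW6432Node) Run values named HKCU and HKLM pointing at C:\Windows\InstallDir\sonds.exe.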
Processes
-
C:\Users\Admin\AppData\Local\Temp\aa148aaca301b7273bdbdb6c1f2d581e.exe"C:\Users\Admin\AppData\Local\Temp\aa148aaca301b7273bdbdb6c1f2d581e.exe"1⤵
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2676 -
C:\Users\Admin\AppData\Local\Temp\aa148aaca301b7273bdbdb6c1f2d581e.exe"C:\Users\Admin\AppData\Local\Temp\aa148aaca301b7273bdbdb6c1f2d581e.exe"2⤵
- Modifies Installed Components in the registry
- Checks computer location settings
- Adds Run key to start application
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:4936 -
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"3⤵PID:4140
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"3⤵PID:2556
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"3⤵PID:2220
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"3⤵PID:1984
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"3⤵PID:5096
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"3⤵PID:1080
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"3⤵PID:2108
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"3⤵PID:920
-
C:\Windows\InstallDir\sonds.exe"C:\Windows\InstallDir\sonds.exe"3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:960 -
C:\Windows\InstallDir\sonds.exe"C:\Windows\InstallDir\sonds.exe"4⤵
- Modifies Installed Components in the registry
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1436 -
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"5⤵PID:2432
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"5⤵PID:1616
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"5⤵PID:3576
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"5⤵PID:1440
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"5⤵PID:5104
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"5⤵PID:4516
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"5⤵PID:4612
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"5⤵PID:1508
-
C:\Windows\InstallDir\sonds.exe"C:\Windows\InstallDir\sonds.exe"5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
PID:3984 -
C:\Windows\InstallDir\sonds.exe"C:\Windows\InstallDir\sonds.exe"6⤵
- Modifies Installed Components in the registry
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
PID:3024 -
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"7⤵PID:4312
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"7⤵PID:1880
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"7⤵PID:1552
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"7⤵PID:2080
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"7⤵PID:3624
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"7⤵PID:3416
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"7⤵PID:2392
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"7⤵PID:2016
-
C:\Windows\InstallDir\sonds.exe"C:\Windows\InstallDir\sonds.exe"7⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
PID:1992 -
C:\Windows\InstallDir\sonds.exe"C:\Windows\InstallDir\sonds.exe"8⤵
- Modifies Installed Components in the registry
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
PID:5056 -
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"9⤵PID:4864
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"9⤵PID:2804
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"9⤵PID:2468
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"9⤵PID:3636
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"9⤵PID:2524
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"9⤵PID:1076
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"9⤵PID:4968
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"9⤵PID:1336
-
C:\Windows\InstallDir\sonds.exe"C:\Windows\InstallDir\sonds.exe"9⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
PID:2988 -
C:\Windows\InstallDir\sonds.exe"C:\Windows\InstallDir\sonds.exe"10⤵
- Modifies Installed Components in the registry
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
PID:1676 -
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"11⤵PID:3228
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"11⤵PID:812
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"11⤵PID:3652
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"11⤵PID:720
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"11⤵PID:648
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"11⤵PID:2436
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"11⤵PID:3712
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"11⤵PID:1236
-
C:\Windows\InstallDir\sonds.exe"C:\Windows\InstallDir\sonds.exe"11⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
PID:4588 -
C:\Windows\InstallDir\sonds.exe"C:\Windows\InstallDir\sonds.exe"12⤵
- Modifies Installed Components in the registry
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
PID:628 -
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"13⤵PID:4740
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"13⤵PID:3596
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"13⤵PID:1312
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"13⤵PID:1524
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"13⤵PID:2176
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"13⤵PID:1520
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"13⤵PID:4708
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"13⤵PID:4204
-
C:\Windows\InstallDir\sonds.exe"C:\Windows\InstallDir\sonds.exe"13⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
PID:4404 -
C:\Windows\InstallDir\sonds.exe"C:\Windows\InstallDir\sonds.exe"14⤵
- Modifies Installed Components in the registry
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
PID:2192 -
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"15⤵PID:2924
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"15⤵PID:3716
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"15⤵PID:3860
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"15⤵PID:1408
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"15⤵PID:2916
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"15⤵PID:4620
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"15⤵PID:2628
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"15⤵PID:3172
-
C:\Windows\InstallDir\sonds.exe"C:\Windows\InstallDir\sonds.exe"15⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
PID:2128 -
C:\Windows\InstallDir\sonds.exe"C:\Windows\InstallDir\sonds.exe"16⤵
- Modifies Installed Components in the registry
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
PID:2084 -
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"17⤵PID:4124
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"17⤵PID:3188
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"17⤵PID:888
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"17⤵PID:3556
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"17⤵PID:856
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"17⤵PID:4464
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"17⤵PID:1932
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"17⤵PID:2964
-
C:\Windows\InstallDir\sonds.exe"C:\Windows\InstallDir\sonds.exe"17⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
PID:740 -
C:\Windows\InstallDir\sonds.exe"C:\Windows\InstallDir\sonds.exe"18⤵
- Modifies Installed Components in the registry
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
PID:3128 -
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"19⤵PID:4880
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"19⤵PID:4524
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"19⤵PID:1260
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"19⤵PID:1348
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"19⤵PID:3768
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"19⤵PID:460
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"19⤵PID:3848
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"19⤵PID:768
-
C:\Windows\InstallDir\sonds.exe"C:\Windows\InstallDir\sonds.exe"19⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
PID:4704 -
C:\Windows\InstallDir\sonds.exe"C:\Windows\InstallDir\sonds.exe"20⤵
- Modifies Installed Components in the registry
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
PID:4032 -
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"21⤵PID:1896
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"21⤵PID:3432
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"21⤵PID:2296
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"21⤵PID:1556
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"21⤵PID:4492
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"21⤵PID:4320
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"21⤵PID:4148
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"21⤵PID:4328
-
C:\Windows\InstallDir\sonds.exe"C:\Windows\InstallDir\sonds.exe"21⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
PID:1136 -
C:\Windows\InstallDir\sonds.exe"C:\Windows\InstallDir\sonds.exe"22⤵
- Modifies Installed Components in the registry
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
PID:3964 -
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"23⤵PID:1840
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"23⤵PID:4112
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"23⤵PID:4668
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"23⤵PID:4036
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"23⤵PID:2236
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"23⤵PID:4540
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"23⤵PID:2036
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"23⤵PID:1060
-
C:\Windows\InstallDir\sonds.exe"C:\Windows\InstallDir\sonds.exe"23⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
PID:2528 -
C:\Windows\InstallDir\sonds.exe"C:\Windows\InstallDir\sonds.exe"24⤵
- Modifies Installed Components in the registry
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
PID:2972 -
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"25⤵PID:3724
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"25⤵PID:3264
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"25⤵PID:4716
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"25⤵PID:5084
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"25⤵PID:3756
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"25⤵PID:1988
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"25⤵PID:2208
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"25⤵PID:3764
-
C:\Windows\InstallDir\sonds.exe"C:\Windows\InstallDir\sonds.exe"25⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
PID:1564 -
C:\Windows\InstallDir\sonds.exe"C:\Windows\InstallDir\sonds.exe"26⤵
- Modifies Installed Components in the registry
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
PID:4944 -
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"27⤵PID:4532
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"27⤵PID:4188
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"27⤵PID:320
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"27⤵PID:1528
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"27⤵PID:3280
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"27⤵PID:924
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"27⤵PID:3112
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"27⤵PID:3872
-
C:\Windows\InstallDir\sonds.exe"C:\Windows\InstallDir\sonds.exe"27⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
PID:3924 -
C:\Windows\InstallDir\sonds.exe"C:\Windows\InstallDir\sonds.exe"28⤵
- Modifies Installed Components in the registry
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
PID:316 -
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"29⤵PID:4368
-
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"  29⤵  PID:1468
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"  29⤵  PID:4520
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"  29⤵  PID:4972
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"  29⤵  PID:3732
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"  29⤵  PID:4372
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"  29⤵  PID:3408
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"  29⤵  PID:1944
- C:\Windows\InstallDir\sonds.exe  "C:\Windows\InstallDir\sonds.exe"  29⤵  PID:4528
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious use of SetWindowsHookEx
- C:\Windows\InstallDir\sonds.exe  "C:\Windows\InstallDir\sonds.exe"  30⤵  PID:4388
  - Modifies Installed Components in the registry
  - Checks computer location settings
  - Executes dropped EXE
  - Adds Run key to start application
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"  31⤵  PID:4576
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"  31⤵  PID:4752
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"  31⤵  PID:336
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"  31⤵  PID:1572
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"  31⤵  PID:4692
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"  31⤵  PID:3100
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"  31⤵  PID:1516
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"  31⤵  PID:4248
- C:\Windows\InstallDir\sonds.exe  "C:\Windows\InstallDir\sonds.exe"  31⤵  PID:1332
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious use of SetWindowsHookEx
- C:\Windows\InstallDir\sonds.exe  "C:\Windows\InstallDir\sonds.exe"  32⤵  PID:4808
  - Modifies Installed Components in the registry
  - Checks computer location settings
  - Executes dropped EXE
  - Adds Run key to start application
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"  33⤵  PID:4784
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"  33⤵  PID:1888
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"  33⤵  PID:3488
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"  33⤵  PID:3520
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"  33⤵  PID:4948
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"  33⤵  PID:2864
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"  33⤵  PID:420
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"  33⤵  PID:3948
- C:\Windows\InstallDir\sonds.exe  "C:\Windows\InstallDir\sonds.exe"  33⤵  PID:1304
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious use of SetWindowsHookEx
- C:\Windows\InstallDir\sonds.exe  "C:\Windows\InstallDir\sonds.exe"  34⤵  PID:1480
  - Modifies Installed Components in the registry
  - Checks computer location settings
  - Executes dropped EXE
  - Adds Run key to start application
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"  35⤵  PID:3564
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"  35⤵  PID:1624
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"  35⤵  PID:3968
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"  35⤵  PID:1352
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"  35⤵  PID:4432
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"  35⤵  PID:2892
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"  35⤵  PID:1996
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"  35⤵  PID:2580
- C:\Windows\InstallDir\sonds.exe  "C:\Windows\InstallDir\sonds.exe"  35⤵  PID:3016
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious use of SetWindowsHookEx
- C:\Windows\InstallDir\sonds.exe  "C:\Windows\InstallDir\sonds.exe"  36⤵  PID:4028
  - Modifies Installed Components in the registry
  - Checks computer location settings
  - Executes dropped EXE
  - Adds Run key to start application
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"  37⤵  PID:3236
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"  37⤵  PID:4940
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"  37⤵  PID:2712
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"  37⤵  PID:4356
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"  37⤵  PID:4904
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"  37⤵  PID:400
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"  37⤵  PID:4568
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"  37⤵  PID:4436
- C:\Windows\InstallDir\sonds.exe  "C:\Windows\InstallDir\sonds.exe"  37⤵  PID:1960
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious use of SetWindowsHookEx
- C:\Windows\InstallDir\sonds.exe  "C:\Windows\InstallDir\sonds.exe"  38⤵  PID:1820
  - Modifies Installed Components in the registry
  - Checks computer location settings
  - Executes dropped EXE
  - Adds Run key to start application
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"  39⤵  PID:4256
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"  39⤵  PID:4216
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"  39⤵  PID:1724
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"  39⤵  PID:4892
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"  39⤵  PID:4264
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"  39⤵  PID:5032
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"  39⤵  PID:1068
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"  39⤵  PID:2576
- C:\Windows\InstallDir\sonds.exe  "C:\Windows\InstallDir\sonds.exe"  39⤵  PID:2292
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious use of SetWindowsHookEx
- C:\Windows\InstallDir\sonds.exe  "C:\Windows\InstallDir\sonds.exe"  40⤵  PID:4228
  - Modifies Installed Components in the registry
  - Checks computer location settings
  - Executes dropped EXE
  - Adds Run key to start application
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"  41⤵  PID:3240
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"  41⤵  PID:2520
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"  41⤵  PID:232
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"  41⤵  PID:1672
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"  41⤵  PID:3816
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"  41⤵  PID:3580
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"  41⤵  PID:4696
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"  41⤵  PID:744
- C:\Windows\InstallDir\sonds.exe  "C:\Windows\InstallDir\sonds.exe"  41⤵  PID:2484
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious use of SetWindowsHookEx
- C:\Windows\InstallDir\sonds.exe  "C:\Windows\InstallDir\sonds.exe"  42⤵  PID:816
  - Modifies Installed Components in the registry
  - Checks computer location settings
  - Executes dropped EXE
  - Adds Run key to start application
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"  43⤵  PID:1576
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"  43⤵  PID:4052
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"  43⤵  PID:3988
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"  43⤵  PID:5076
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"  43⤵  PID:4496
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"  43⤵  PID:1088
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"  43⤵  PID:3656
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"  43⤵  PID:4476
- C:\Windows\InstallDir\sonds.exe  "C:\Windows\InstallDir\sonds.exe"  43⤵  PID:5124
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious use of SetWindowsHookEx
- C:\Windows\InstallDir\sonds.exe  "C:\Windows\InstallDir\sonds.exe"  44⤵  PID:5156
  - Modifies Installed Components in the registry
  - Checks computer location settings
  - Executes dropped EXE
  - Adds Run key to start application
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"  45⤵  PID:5216
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"  45⤵  PID:5228
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"  45⤵  PID:5236
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"  45⤵  PID:5248
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"  45⤵  PID:5256
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"  45⤵  PID:5296
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"  45⤵  PID:5312
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"  45⤵  PID:5324
- C:\Windows\InstallDir\sonds.exe  "C:\Windows\InstallDir\sonds.exe"  45⤵  PID:5348
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious use of SetWindowsHookEx
- C:\Windows\InstallDir\sonds.exe  "C:\Windows\InstallDir\sonds.exe"  46⤵  PID:5376
  - Modifies Installed Components in the registry
  - Checks computer location settings
  - Executes dropped EXE
  - Adds Run key to start application
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"  47⤵  PID:5428
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"  47⤵  PID:5444
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"  47⤵  PID:5456
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"  47⤵  PID:5472
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"  47⤵  PID:5480
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"  47⤵  PID:5492
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"  47⤵  PID:5508
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"  47⤵  PID:5520
- C:\Windows\InstallDir\sonds.exe  "C:\Windows\InstallDir\sonds.exe"  47⤵  PID:5544
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious use of SetWindowsHookEx
- C:\Windows\InstallDir\sonds.exe  "C:\Windows\InstallDir\sonds.exe"  48⤵  PID:5572
  - Modifies Installed Components in the registry
  - Checks computer location settings
  - Executes dropped EXE
  - Adds Run key to start application
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"  49⤵  PID:5624
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"  49⤵  PID:5632
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"  49⤵  PID:5644
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"  49⤵  PID:5652
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"  49⤵  PID:5664
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"  49⤵  PID:5676
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"  49⤵  PID:5696
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"  49⤵  PID:5704
- C:\Windows\InstallDir\sonds.exe  "C:\Windows\InstallDir\sonds.exe"  49⤵  PID:5728
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious use of SetWindowsHookEx
- C:\Windows\InstallDir\sonds.exe  "C:\Windows\InstallDir\sonds.exe"  50⤵  PID:5760
  - Modifies Installed Components in the registry
  - Checks computer location settings
  - Executes dropped EXE
  - Adds Run key to start application
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"  51⤵  PID:5812
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"  51⤵  PID:5820
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"  51⤵  PID:5832
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"  51⤵  PID:5992
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"  51⤵  PID:6004
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"  51⤵  PID:6012
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"  51⤵  PID:6032
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"  51⤵  PID:6040
- C:\Windows\InstallDir\sonds.exe  "C:\Windows\InstallDir\sonds.exe"  51⤵  PID:6068
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious use of SetWindowsHookEx
- C:\Windows\InstallDir\sonds.exe  "C:\Windows\InstallDir\sonds.exe"  52⤵  PID:6096
  - Modifies Installed Components in the registry
  - Checks computer location settings
  - Executes dropped EXE
  - Adds Run key to start application
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"  53⤵  PID:6140
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"  53⤵  PID:1924
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"  53⤵  PID:5164
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"  53⤵  PID:5188
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"  53⤵  PID:5212
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"  53⤵  PID:616
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"  53⤵  PID:212
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"  53⤵  PID:1916
- C:\Windows\InstallDir\sonds.exe  "C:\Windows\InstallDir\sonds.exe"  53⤵  PID:5340
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious use of SetWindowsHookEx
- C:\Windows\InstallDir\sonds.exe  "C:\Windows\InstallDir\sonds.exe"  54⤵  PID:5384
  - Modifies Installed Components in the registry
  - Checks computer location settings
  - Executes dropped EXE
  - Adds Run key to start application
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"  55⤵  PID:5416
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"  55⤵  PID:5536
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"  55⤵  PID:5564
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"  55⤵  PID:5592
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"  55⤵  PID:5616
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"  55⤵  PID:5640
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"  55⤵  PID:5684
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"  55⤵  PID:5608
- C:\Windows\InstallDir\sonds.exe  "C:\Windows\InstallDir\sonds.exe"  55⤵  PID:5748
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious use of SetWindowsHookEx
- C:\Windows\InstallDir\sonds.exe  "C:\Windows\InstallDir\sonds.exe"  56⤵  PID:5792
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Adds Run key to start application
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"  57⤵  PID:5800
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"  57⤵  PID:6056
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"  57⤵  PID:6060
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"  57⤵  PID:6088
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 1KB
  MD5: d1a921131bfeffbfffb631b7d29bd461
  SHA1: bd555f1030aea183b5fe8cb004a10869c02797ef
  SHA256: 5c5d67713455743a876d4fd9f61df70b7bcaed374e90a8d5f96f737b6ab3d4f3
  SHA512: 84f7bbd4c38dcaeaae6e36957b939c6d83c9dbc4a39c93647a1d978e21a559637bf4b7fa1deb91cc85d1707f04203a8e417576e9da7dad836d8b66d37221bf3b
- Filesize: 428KB
  MD5: aa148aaca301b7273bdbdb6c1f2d581e
  SHA1: 7c000c6d06806d6aaeaeab56e34e8eda52b3ac13
  SHA256: 69eb268d4de61fc838aa1e15b67025486e375f7a63e969bf16205021d3bc4526
  SHA512: 3a15f03815c71cdfbd984d464002eebf323f0b904a7303e2636f23b11ce73c926d057a6ab16423f975cee6f030fc574259a85c40c88d444692f3ea4cef3f6913
- Filesize: 231KB
  MD5: 5d4edad79a844f13431ac4ad9322212c
  SHA1: afcb3bde419232dbcba6bbd48313b11c438c62cc
  SHA256: 9e6e82d4919907d58723e2582cb62d83aa7f5a406abee69826dc3498731e6445
  SHA512: fc3ecb904f4c8d606d8bb6b446d530c4e9c41defb8ea0cba3a2d6ec0dbe7e013932dbf2af5f2e120bd55dcfceb7e24d61ef9f5c97d5e0db616c1a8a035d61c20