a49d6efa641852bd8bf501ee0aa414626c334af6f707ab8a04cf16b8957e13aa

Analysis

max time kernel
130s
max time network
155s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
16/03/2024, 07:53

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

cd849346a352a38feb22d8941d2068d8.exe
Size

49KB
MD5

cd849346a352a38feb22d8941d2068d8
SHA1

9eb6a524d9185af11be1189bf583abde194dd35d
SHA256

a49d6efa641852bd8bf501ee0aa414626c334af6f707ab8a04cf16b8957e13aa
SHA512

bb940cecbc923f8e691fe077bc255bbc78e2ee3142eba9e698be6f6597c37f61b395188016db1b6b38f632f9ab7b47ecd79c062a2bf14fd1ad3a2a716ea4b7be
SSDEEP

768:0kv2vcaKsl+ZcUEsOLSQ/tWZqkPoK7UZbwHZe4inoejTGt2Caou33CbFrl2xy:0kv2XslyktwZUHZknoejT9IcCbFrIY

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 64 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000\Control Panel\International\Geo\Nation	SOUNDMAN.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000\Control Panel\International\Geo\Nation	SOUNDMAN.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000\Control Panel\International\Geo\Nation	SOUNDMAN.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000\Control Panel\International\Geo\Nation	SOUNDMAN.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000\Control Panel\International\Geo\Nation	SOUNDMAN.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000\Control Panel\International\Geo\Nation	SOUNDMAN.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000\Control Panel\International\Geo\Nation	SOUNDMAN.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000\Control Panel\International\Geo\Nation	SOUNDMAN.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000\Control Panel\International\Geo\Nation	SOUNDMAN.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000\Control Panel\International\Geo\Nation	SOUNDMAN.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000\Control Panel\International\Geo\Nation	SOUNDMAN.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000\Control Panel\International\Geo\Nation	SOUNDMAN.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000\Control Panel\International\Geo\Nation	SOUNDMAN.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000\Control Panel\International\Geo\Nation	SOUNDMAN.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000\Control Panel\International\Geo\Nation	SOUNDMAN.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000\Control Panel\International\Geo\Nation	SOUNDMAN.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000\Control Panel\International\Geo\Nation	SOUNDMAN.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000\Control Panel\International\Geo\Nation	SOUNDMAN.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000\Control Panel\International\Geo\Nation	SOUNDMAN.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000\Control Panel\International\Geo\Nation	SOUNDMAN.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000\Control Panel\International\Geo\Nation	SOUNDMAN.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000\Control Panel\International\Geo\Nation	SOUNDMAN.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000\Control Panel\International\Geo\Nation	SOUNDMAN.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000\Control Panel\International\Geo\Nation	SOUNDMAN.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000\Control Panel\International\Geo\Nation	SOUNDMAN.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000\Control Panel\International\Geo\Nation	SOUNDMAN.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000\Control Panel\International\Geo\Nation	SOUNDMAN.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000\Control Panel\International\Geo\Nation	SOUNDMAN.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000\Control Panel\International\Geo\Nation	SOUNDMAN.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000\Control Panel\International\Geo\Nation	SOUNDMAN.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000\Control Panel\International\Geo\Nation	SOUNDMAN.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000\Control Panel\International\Geo\Nation	SOUNDMAN.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000\Control Panel\International\Geo\Nation	SOUNDMAN.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000\Control Panel\International\Geo\Nation	SOUNDMAN.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000\Control Panel\International\Geo\Nation	SOUNDMAN.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000\Control Panel\International\Geo\Nation	SOUNDMAN.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000\Control Panel\International\Geo\Nation	SOUNDMAN.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000\Control Panel\International\Geo\Nation	SOUNDMAN.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000\Control Panel\International\Geo\Nation	SOUNDMAN.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000\Control Panel\International\Geo\Nation	SOUNDMAN.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000\Control Panel\International\Geo\Nation	SOUNDMAN.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000\Control Panel\International\Geo\Nation	SOUNDMAN.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000\Control Panel\International\Geo\Nation	SOUNDMAN.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000\Control Panel\International\Geo\Nation	SOUNDMAN.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000\Control Panel\International\Geo\Nation	SOUNDMAN.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000\Control Panel\International\Geo\Nation	SOUNDMAN.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000\Control Panel\International\Geo\Nation	SOUNDMAN.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000\Control Panel\International\Geo\Nation	SOUNDMAN.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000\Control Panel\International\Geo\Nation	SOUNDMAN.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000\Control Panel\International\Geo\Nation	SOUNDMAN.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000\Control Panel\International\Geo\Nation	SOUNDMAN.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000\Control Panel\International\Geo\Nation	SOUNDMAN.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000\Control Panel\International\Geo\Nation	SOUNDMAN.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000\Control Panel\International\Geo\Nation	SOUNDMAN.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000\Control Panel\International\Geo\Nation	SOUNDMAN.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000\Control Panel\International\Geo\Nation	SOUNDMAN.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000\Control Panel\International\Geo\Nation	SOUNDMAN.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000\Control Panel\International\Geo\Nation	SOUNDMAN.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000\Control Panel\International\Geo\Nation	SOUNDMAN.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000\Control Panel\International\Geo\Nation	SOUNDMAN.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000\Control Panel\International\Geo\Nation	SOUNDMAN.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000\Control Panel\International\Geo\Nation	SOUNDMAN.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000\Control Panel\International\Geo\Nation	SOUNDMAN.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000\Control Panel\International\Geo\Nation	SOUNDMAN.EXE

Executes dropped EXE 64 IoCs

pid	Process
3052	SOUNDMAN.EXE
568	SOUNDMAN.EXE
220	SOUNDMAN.EXE
4272	SOUNDMAN.EXE
1212	SOUNDMAN.EXE
4596	SOUNDMAN.EXE
4196	SOUNDMAN.EXE
4612	SOUNDMAN.EXE
2308	SOUNDMAN.EXE
4268	SOUNDMAN.EXE
3156	SOUNDMAN.EXE
4732	SOUNDMAN.EXE
408	SOUNDMAN.EXE
2612	SOUNDMAN.EXE
1844	SOUNDMAN.EXE
2784	SOUNDMAN.EXE
3108	SOUNDMAN.EXE
2872	SOUNDMAN.EXE
4376	SOUNDMAN.EXE
1156	SOUNDMAN.EXE
1104	SOUNDMAN.EXE
1356	SOUNDMAN.EXE
3432	SOUNDMAN.EXE
1044	SOUNDMAN.EXE
4112	SOUNDMAN.EXE
876	SOUNDMAN.EXE
4840	SOUNDMAN.EXE
4472	SOUNDMAN.EXE
3300	SOUNDMAN.EXE
444	SOUNDMAN.EXE
1844	SOUNDMAN.EXE
2784	SOUNDMAN.EXE
1924	SOUNDMAN.EXE
220	SOUNDMAN.EXE
116	SOUNDMAN.EXE
2288	SOUNDMAN.EXE
556	SOUNDMAN.EXE
2464	SOUNDMAN.EXE
1104	SOUNDMAN.EXE
3384	SOUNDMAN.EXE
4612	SOUNDMAN.EXE
1932	SOUNDMAN.EXE
1332	SOUNDMAN.EXE
4516	SOUNDMAN.EXE
4584	SOUNDMAN.EXE
384	SOUNDMAN.EXE
5024	SOUNDMAN.EXE
4600	SOUNDMAN.EXE
448	SOUNDMAN.EXE
3704	SOUNDMAN.EXE
5072	SOUNDMAN.EXE
3108	SOUNDMAN.EXE
388	SOUNDMAN.EXE
1460	SOUNDMAN.EXE
2404	SOUNDMAN.EXE
1588	SOUNDMAN.EXE
2160	SOUNDMAN.EXE
5060	SOUNDMAN.EXE
2804	SOUNDMAN.EXE
2340	SOUNDMAN.EXE
4052	SOUNDMAN.EXE
3572	SOUNDMAN.EXE
3684	SOUNDMAN.EXE
4236	SOUNDMAN.EXE

Drops file in System32 directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\error.dat	SOUNDMAN.EXE
File created	C:\WINDOWS\SysWOW64\SOUNDMAN.EXE	SOUNDMAN.EXE
File opened for modification	C:\WINDOWS\SysWOW64\SOUNDMAN.EXE	SOUNDMAN.EXE
File created	C:\WINDOWS\SysWOW64\SOUNDMAN.EXE	SOUNDMAN.EXE
File created	C:\WINDOWS\SysWOW64\SOUNDMAN.EXE	SOUNDMAN.EXE
File opened for modification	C:\Windows\SysWOW64\error.dat	SOUNDMAN.EXE
File opened for modification	C:\Windows\SysWOW64\error.dat	SOUNDMAN.EXE
File created	C:\WINDOWS\SysWOW64\SOUNDMAN.EXE	SOUNDMAN.EXE
File created	C:\WINDOWS\SysWOW64\SOUNDMAN.EXE	SOUNDMAN.EXE
File opened for modification	C:\WINDOWS\SysWOW64\SOUNDMAN.EXE	SOUNDMAN.EXE
File opened for modification	C:\Windows\SysWOW64\error.dat	SOUNDMAN.EXE
File opened for modification	C:\Windows\SysWOW64\error.dat	SOUNDMAN.EXE
File opened for modification	C:\WINDOWS\SysWOW64\SOUNDMAN.EXE	SOUNDMAN.EXE
File opened for modification	C:\Windows\SysWOW64\error.dat	SOUNDMAN.EXE
File opened for modification	C:\WINDOWS\SysWOW64\SOUNDMAN.EXE	SOUNDMAN.EXE
File created	C:\WINDOWS\SysWOW64\SOUNDMAN.EXE	SOUNDMAN.EXE
File opened for modification	C:\Windows\SysWOW64\error.dat	SOUNDMAN.EXE
File created	C:\WINDOWS\SysWOW64\SOUNDMAN.EXE	SOUNDMAN.EXE
File opened for modification	C:\Windows\SysWOW64\error.dat	SOUNDMAN.EXE
File opened for modification	C:\Windows\SysWOW64\error.dat	SOUNDMAN.EXE
File created	C:\WINDOWS\SysWOW64\SOUNDMAN.EXE	SOUNDMAN.EXE
File created	C:\WINDOWS\SysWOW64\SOUNDMAN.EXE	SOUNDMAN.EXE
File created	C:\WINDOWS\SysWOW64\SOUNDMAN.EXE	SOUNDMAN.EXE
File created	C:\WINDOWS\SysWOW64\SOUNDMAN.EXE	SOUNDMAN.EXE
File opened for modification	C:\Windows\SysWOW64\error.dat	SOUNDMAN.EXE
File opened for modification	C:\Windows\SysWOW64\error.dat	SOUNDMAN.EXE
File opened for modification	C:\WINDOWS\SysWOW64\SOUNDMAN.EXE	SOUNDMAN.EXE
File opened for modification	C:\WINDOWS\SysWOW64\SOUNDMAN.EXE	SOUNDMAN.EXE
File opened for modification	C:\Windows\SysWOW64\error.dat	SOUNDMAN.EXE
File opened for modification	C:\WINDOWS\SysWOW64\SOUNDMAN.EXE	SOUNDMAN.EXE
File opened for modification	C:\WINDOWS\SysWOW64\SOUNDMAN.EXE	SOUNDMAN.EXE
File opened for modification	C:\Windows\SysWOW64\error.dat	SOUNDMAN.EXE
File opened for modification	C:\WINDOWS\SysWOW64\SOUNDMAN.EXE	SOUNDMAN.EXE
File opened for modification	C:\Windows\SysWOW64\error.dat	SOUNDMAN.EXE
File opened for modification	C:\WINDOWS\SysWOW64\SOUNDMAN.EXE	SOUNDMAN.EXE
File opened for modification	C:\Windows\SysWOW64\error.dat	SOUNDMAN.EXE
File opened for modification	C:\WINDOWS\SysWOW64\SOUNDMAN.EXE	SOUNDMAN.EXE
File opened for modification	C:\Windows\SysWOW64\error.dat	SOUNDMAN.EXE
File opened for modification	C:\WINDOWS\SysWOW64\SOUNDMAN.EXE	SOUNDMAN.EXE
File opened for modification	C:\Windows\SysWOW64\error.dat	SOUNDMAN.EXE
File opened for modification	C:\WINDOWS\SysWOW64\SOUNDMAN.EXE	SOUNDMAN.EXE
File opened for modification	C:\WINDOWS\SysWOW64\SOUNDMAN.EXE	SOUNDMAN.EXE
File created	C:\WINDOWS\SysWOW64\SOUNDMAN.EXE	SOUNDMAN.EXE
File opened for modification	C:\WINDOWS\SysWOW64\SOUNDMAN.EXE	SOUNDMAN.EXE
File opened for modification	C:\Windows\SysWOW64\error.dat	SOUNDMAN.EXE
File opened for modification	C:\WINDOWS\SysWOW64\SOUNDMAN.EXE	SOUNDMAN.EXE
File opened for modification	C:\WINDOWS\SysWOW64\SOUNDMAN.EXE	SOUNDMAN.EXE
File opened for modification	C:\WINDOWS\SysWOW64\SOUNDMAN.EXE	SOUNDMAN.EXE
File opened for modification	C:\Windows\SysWOW64\error.dat	SOUNDMAN.EXE
File created	C:\WINDOWS\SysWOW64\SOUNDMAN.EXE	SOUNDMAN.EXE
File created	C:\WINDOWS\SysWOW64\SOUNDMAN.EXE	SOUNDMAN.EXE
File opened for modification	C:\WINDOWS\SysWOW64\SOUNDMAN.EXE	SOUNDMAN.EXE
File opened for modification	C:\WINDOWS\SysWOW64\SOUNDMAN.EXE	SOUNDMAN.EXE
File opened for modification	C:\Windows\SysWOW64\error.dat	SOUNDMAN.EXE
File created	C:\WINDOWS\SysWOW64\SOUNDMAN.EXE	SOUNDMAN.EXE
File opened for modification	C:\WINDOWS\SysWOW64\SOUNDMAN.EXE	SOUNDMAN.EXE
File created	C:\WINDOWS\SysWOW64\SOUNDMAN.EXE	SOUNDMAN.EXE
File opened for modification	C:\WINDOWS\SysWOW64\SOUNDMAN.EXE	SOUNDMAN.EXE
File opened for modification	C:\Windows\SysWOW64\error.dat	SOUNDMAN.EXE
File created	C:\WINDOWS\SysWOW64\SOUNDMAN.EXE	SOUNDMAN.EXE
File opened for modification	C:\Windows\SysWOW64\error.dat	SOUNDMAN.EXE
File opened for modification	C:\Windows\SysWOW64\error.dat	SOUNDMAN.EXE
File created	C:\WINDOWS\SysWOW64\SOUNDMAN.EXE	SOUNDMAN.EXE
File created	C:\WINDOWS\SysWOW64\SOUNDMAN.EXE	SOUNDMAN.EXE

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of SetWindowsHookEx 64 IoCs

pid	Process
4488	cd849346a352a38feb22d8941d2068d8.exe
3052	SOUNDMAN.EXE
568	SOUNDMAN.EXE
220	SOUNDMAN.EXE
4272	SOUNDMAN.EXE
1212	SOUNDMAN.EXE
4596	SOUNDMAN.EXE
4196	SOUNDMAN.EXE
4612	SOUNDMAN.EXE
2308	SOUNDMAN.EXE
4268	SOUNDMAN.EXE
3156	SOUNDMAN.EXE
4732	SOUNDMAN.EXE
408	SOUNDMAN.EXE
2612	SOUNDMAN.EXE
1844	SOUNDMAN.EXE
2784	SOUNDMAN.EXE
3108	SOUNDMAN.EXE
2872	SOUNDMAN.EXE
4376	SOUNDMAN.EXE
1156	SOUNDMAN.EXE
1104	SOUNDMAN.EXE
1356	SOUNDMAN.EXE
3432	SOUNDMAN.EXE
1044	SOUNDMAN.EXE
4112	SOUNDMAN.EXE
876	SOUNDMAN.EXE
4840	SOUNDMAN.EXE
4472	SOUNDMAN.EXE
3300	SOUNDMAN.EXE
444	SOUNDMAN.EXE
1844	SOUNDMAN.EXE
2784	SOUNDMAN.EXE
1924	SOUNDMAN.EXE
220	SOUNDMAN.EXE
116	SOUNDMAN.EXE
2288	SOUNDMAN.EXE
556	SOUNDMAN.EXE
2464	SOUNDMAN.EXE
1104	SOUNDMAN.EXE
3384	SOUNDMAN.EXE
4612	SOUNDMAN.EXE
1932	SOUNDMAN.EXE
1332	SOUNDMAN.EXE
4516	SOUNDMAN.EXE
4584	SOUNDMAN.EXE
384	SOUNDMAN.EXE
5024	SOUNDMAN.EXE
4600	SOUNDMAN.EXE
448	SOUNDMAN.EXE
3704	SOUNDMAN.EXE
5072	SOUNDMAN.EXE
3108	SOUNDMAN.EXE
388	SOUNDMAN.EXE
1460	SOUNDMAN.EXE
2404	SOUNDMAN.EXE
1588	SOUNDMAN.EXE
2160	SOUNDMAN.EXE
5060	SOUNDMAN.EXE
2804	SOUNDMAN.EXE
2340	SOUNDMAN.EXE
4052	SOUNDMAN.EXE
3572	SOUNDMAN.EXE
3684	SOUNDMAN.EXE

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4488 wrote to memory of 3052	4488	cd849346a352a38feb22d8941d2068d8.exe	89
PID 4488 wrote to memory of 3052	4488	cd849346a352a38feb22d8941d2068d8.exe	89
PID 4488 wrote to memory of 3052	4488	cd849346a352a38feb22d8941d2068d8.exe	89
PID 3052 wrote to memory of 568	3052	SOUNDMAN.EXE	90
PID 3052 wrote to memory of 568	3052	SOUNDMAN.EXE	90
PID 3052 wrote to memory of 568	3052	SOUNDMAN.EXE	90
PID 568 wrote to memory of 220	568	SOUNDMAN.EXE	91
PID 568 wrote to memory of 220	568	SOUNDMAN.EXE	91
PID 568 wrote to memory of 220	568	SOUNDMAN.EXE	91
PID 220 wrote to memory of 4272	220	SOUNDMAN.EXE	94
PID 220 wrote to memory of 4272	220	SOUNDMAN.EXE	94
PID 220 wrote to memory of 4272	220	SOUNDMAN.EXE	94
PID 4272 wrote to memory of 1212	4272	SOUNDMAN.EXE	95
PID 4272 wrote to memory of 1212	4272	SOUNDMAN.EXE	95
PID 4272 wrote to memory of 1212	4272	SOUNDMAN.EXE	95
PID 1212 wrote to memory of 4596	1212	SOUNDMAN.EXE	99
PID 1212 wrote to memory of 4596	1212	SOUNDMAN.EXE	99
PID 1212 wrote to memory of 4596	1212	SOUNDMAN.EXE	99
PID 4596 wrote to memory of 4196	4596	SOUNDMAN.EXE	100
PID 4596 wrote to memory of 4196	4596	SOUNDMAN.EXE	100
PID 4596 wrote to memory of 4196	4596	SOUNDMAN.EXE	100
PID 4196 wrote to memory of 4612	4196	SOUNDMAN.EXE	101
PID 4196 wrote to memory of 4612	4196	SOUNDMAN.EXE	101
PID 4196 wrote to memory of 4612	4196	SOUNDMAN.EXE	101
PID 4612 wrote to memory of 2308	4612	SOUNDMAN.EXE	102
PID 4612 wrote to memory of 2308	4612	SOUNDMAN.EXE	102
PID 4612 wrote to memory of 2308	4612	SOUNDMAN.EXE	102
PID 2308 wrote to memory of 4268	2308	SOUNDMAN.EXE	105
PID 2308 wrote to memory of 4268	2308	SOUNDMAN.EXE	105
PID 2308 wrote to memory of 4268	2308	SOUNDMAN.EXE	105
PID 4268 wrote to memory of 3156	4268	SOUNDMAN.EXE	106
PID 4268 wrote to memory of 3156	4268	SOUNDMAN.EXE	106
PID 4268 wrote to memory of 3156	4268	SOUNDMAN.EXE	106
PID 3156 wrote to memory of 4732	3156	SOUNDMAN.EXE	107
PID 3156 wrote to memory of 4732	3156	SOUNDMAN.EXE	107
PID 3156 wrote to memory of 4732	3156	SOUNDMAN.EXE	107
PID 4732 wrote to memory of 408	4732	SOUNDMAN.EXE	108
PID 4732 wrote to memory of 408	4732	SOUNDMAN.EXE	108
PID 4732 wrote to memory of 408	4732	SOUNDMAN.EXE	108
PID 408 wrote to memory of 2612	408	SOUNDMAN.EXE	109
PID 408 wrote to memory of 2612	408	SOUNDMAN.EXE	109
PID 408 wrote to memory of 2612	408	SOUNDMAN.EXE	109
PID 2612 wrote to memory of 1844	2612	SOUNDMAN.EXE	111
PID 2612 wrote to memory of 1844	2612	SOUNDMAN.EXE	111
PID 2612 wrote to memory of 1844	2612	SOUNDMAN.EXE	111
PID 1844 wrote to memory of 2784	1844	SOUNDMAN.EXE	112
PID 1844 wrote to memory of 2784	1844	SOUNDMAN.EXE	112
PID 1844 wrote to memory of 2784	1844	SOUNDMAN.EXE	112
PID 2784 wrote to memory of 3108	2784	SOUNDMAN.EXE	113
PID 2784 wrote to memory of 3108	2784	SOUNDMAN.EXE	113
PID 2784 wrote to memory of 3108	2784	SOUNDMAN.EXE	113
PID 3108 wrote to memory of 2872	3108	SOUNDMAN.EXE	114
PID 3108 wrote to memory of 2872	3108	SOUNDMAN.EXE	114
PID 3108 wrote to memory of 2872	3108	SOUNDMAN.EXE	114
PID 2872 wrote to memory of 4376	2872	SOUNDMAN.EXE	115
PID 2872 wrote to memory of 4376	2872	SOUNDMAN.EXE	115
PID 2872 wrote to memory of 4376	2872	SOUNDMAN.EXE	115
PID 4376 wrote to memory of 1156	4376	SOUNDMAN.EXE	116
PID 4376 wrote to memory of 1156	4376	SOUNDMAN.EXE	116
PID 4376 wrote to memory of 1156	4376	SOUNDMAN.EXE	116
PID 1156 wrote to memory of 1104	1156	SOUNDMAN.EXE	117
PID 1156 wrote to memory of 1104	1156	SOUNDMAN.EXE	117
PID 1156 wrote to memory of 1104	1156	SOUNDMAN.EXE	117
PID 1104 wrote to memory of 1356	1104	SOUNDMAN.EXE	119

C:\Users\Admin\AppData\Local\Temp\cd849346a352a38feb22d8941d2068d8.exe
"C:\Users\Admin\AppData\Local\Temp\cd849346a352a38feb22d8941d2068d8.exe"
1⤵
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4488
- C:\WINDOWS\SysWOW64\SOUNDMAN.EXE
  "C:\WINDOWS\SYSTEM32\SOUNDMAN.EXE"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:3052
- - C:\WINDOWS\SysWOW64\SOUNDMAN.EXE
    "C:\WINDOWS\SYSTEM32\SOUNDMAN.EXE"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Drops file in System32 directory
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:568
  - - C:\WINDOWS\SysWOW64\SOUNDMAN.EXE
      "C:\WINDOWS\SYSTEM32\SOUNDMAN.EXE"
      4⤵
      Checks computer location settings
      Executes dropped EXE
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:220
    - - C:\WINDOWS\SysWOW64\SOUNDMAN.EXE
        
        "C:\WINDOWS\SYSTEM32\SOUNDMAN.EXE"
        5⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:4272
      - C:\WINDOWS\SysWOW64\SOUNDMAN.EXE
        
        "C:\WINDOWS\SYSTEM32\SOUNDMAN.EXE"
        6⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:1212
        
        C:\WINDOWS\SysWOW64\SOUNDMAN.EXE
        
        "C:\WINDOWS\SYSTEM32\SOUNDMAN.EXE"
        7⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:4596
        
        C:\WINDOWS\SysWOW64\SOUNDMAN.EXE
        
        "C:\WINDOWS\SYSTEM32\SOUNDMAN.EXE"
        8⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:4196
        
        C:\WINDOWS\SysWOW64\SOUNDMAN.EXE
        
        "C:\WINDOWS\SYSTEM32\SOUNDMAN.EXE"
        9⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:4612
        
        C:\WINDOWS\SysWOW64\SOUNDMAN.EXE
        
        "C:\WINDOWS\SYSTEM32\SOUNDMAN.EXE"
        10⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:2308
        
        C:\WINDOWS\SysWOW64\SOUNDMAN.EXE
        
        "C:\WINDOWS\SYSTEM32\SOUNDMAN.EXE"
        11⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:4268
        
        C:\WINDOWS\SysWOW64\SOUNDMAN.EXE
        
        "C:\WINDOWS\SYSTEM32\SOUNDMAN.EXE"
        12⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:3156
        
        C:\WINDOWS\SysWOW64\SOUNDMAN.EXE
        
        "C:\WINDOWS\SYSTEM32\SOUNDMAN.EXE"
        13⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:4732
        
        C:\WINDOWS\SysWOW64\SOUNDMAN.EXE
        
        "C:\WINDOWS\SYSTEM32\SOUNDMAN.EXE"
        14⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:408
        
        C:\WINDOWS\SysWOW64\SOUNDMAN.EXE
        
        "C:\WINDOWS\SYSTEM32\SOUNDMAN.EXE"
        15⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:2612
        
        C:\WINDOWS\SysWOW64\SOUNDMAN.EXE
        
        "C:\WINDOWS\SYSTEM32\SOUNDMAN.EXE"
        16⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:1844
        
        C:\WINDOWS\SysWOW64\SOUNDMAN.EXE
        
        "C:\WINDOWS\SYSTEM32\SOUNDMAN.EXE"
        17⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:2784
        
        C:\WINDOWS\SysWOW64\SOUNDMAN.EXE
        
        "C:\WINDOWS\SYSTEM32\SOUNDMAN.EXE"
        18⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:3108
        
        C:\WINDOWS\SysWOW64\SOUNDMAN.EXE
        
        "C:\WINDOWS\SYSTEM32\SOUNDMAN.EXE"
        19⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:2872
        
        C:\WINDOWS\SysWOW64\SOUNDMAN.EXE
        
        "C:\WINDOWS\SYSTEM32\SOUNDMAN.EXE"
        20⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:4376
        
        C:\WINDOWS\SysWOW64\SOUNDMAN.EXE
        
        "C:\WINDOWS\SYSTEM32\SOUNDMAN.EXE"
        21⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:1156
        
        C:\WINDOWS\SysWOW64\SOUNDMAN.EXE
        
        "C:\WINDOWS\SYSTEM32\SOUNDMAN.EXE"
        22⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:1104
        
        C:\WINDOWS\SysWOW64\SOUNDMAN.EXE
        
        "C:\WINDOWS\SYSTEM32\SOUNDMAN.EXE"
        23⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of SetWindowsHookEx
        
        PID:1356
        
        C:\WINDOWS\SysWOW64\SOUNDMAN.EXE
        
        "C:\WINDOWS\SYSTEM32\SOUNDMAN.EXE"
        24⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:3432
        
        C:\WINDOWS\SysWOW64\SOUNDMAN.EXE
        
        "C:\WINDOWS\SYSTEM32\SOUNDMAN.EXE"
        25⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1044
        
        C:\WINDOWS\SysWOW64\SOUNDMAN.EXE
        
        "C:\WINDOWS\SYSTEM32\SOUNDMAN.EXE"
        26⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:4112
        
        C:\WINDOWS\SysWOW64\SOUNDMAN.EXE
        
        "C:\WINDOWS\SYSTEM32\SOUNDMAN.EXE"
        27⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:876
        
        C:\WINDOWS\SysWOW64\SOUNDMAN.EXE
        
        "C:\WINDOWS\SYSTEM32\SOUNDMAN.EXE"
        28⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of SetWindowsHookEx
        
        PID:4840
        
        C:\WINDOWS\SysWOW64\SOUNDMAN.EXE
        
        "C:\WINDOWS\SYSTEM32\SOUNDMAN.EXE"
        29⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:4472
        
        C:\WINDOWS\SysWOW64\SOUNDMAN.EXE
        
        "C:\WINDOWS\SYSTEM32\SOUNDMAN.EXE"
        30⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:3300
        
        C:\WINDOWS\SysWOW64\SOUNDMAN.EXE
        
        "C:\WINDOWS\SYSTEM32\SOUNDMAN.EXE"
        31⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:444
        
        C:\WINDOWS\SysWOW64\SOUNDMAN.EXE
        
        "C:\WINDOWS\SYSTEM32\SOUNDMAN.EXE"
        32⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of SetWindowsHookEx
        
        PID:1844
        
        C:\WINDOWS\SysWOW64\SOUNDMAN.EXE
        
        "C:\WINDOWS\SYSTEM32\SOUNDMAN.EXE"
        33⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2784
        
        C:\WINDOWS\SysWOW64\SOUNDMAN.EXE
        
        "C:\WINDOWS\SYSTEM32\SOUNDMAN.EXE"
        34⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of SetWindowsHookEx
        
        PID:1924
        
        C:\WINDOWS\SysWOW64\SOUNDMAN.EXE
        
        "C:\WINDOWS\SYSTEM32\SOUNDMAN.EXE"
        35⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:220
        
        C:\WINDOWS\SysWOW64\SOUNDMAN.EXE
        
        "C:\WINDOWS\SYSTEM32\SOUNDMAN.EXE"
        36⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of SetWindowsHookEx
        
        PID:116
        
        C:\WINDOWS\SysWOW64\SOUNDMAN.EXE
        
        "C:\WINDOWS\SYSTEM32\SOUNDMAN.EXE"
        37⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2288
        
        C:\WINDOWS\SysWOW64\SOUNDMAN.EXE
        
        "C:\WINDOWS\SYSTEM32\SOUNDMAN.EXE"
        38⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:556
        
        C:\WINDOWS\SysWOW64\SOUNDMAN.EXE
        
        "C:\WINDOWS\SYSTEM32\SOUNDMAN.EXE"
        39⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2464
        
        C:\WINDOWS\SysWOW64\SOUNDMAN.EXE
        
        "C:\WINDOWS\SYSTEM32\SOUNDMAN.EXE"
        40⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1104
        
        C:\WINDOWS\SysWOW64\SOUNDMAN.EXE
        
        "C:\WINDOWS\SYSTEM32\SOUNDMAN.EXE"
        41⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:3384
        
        C:\WINDOWS\SysWOW64\SOUNDMAN.EXE
        
        "C:\WINDOWS\SYSTEM32\SOUNDMAN.EXE"
        42⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:4612
        
        C:\WINDOWS\SysWOW64\SOUNDMAN.EXE
        
        "C:\WINDOWS\SYSTEM32\SOUNDMAN.EXE"
        43⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of SetWindowsHookEx
        
        PID:1932
        
        C:\WINDOWS\SysWOW64\SOUNDMAN.EXE
        
        "C:\WINDOWS\SYSTEM32\SOUNDMAN.EXE"
        44⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1332
        
        C:\WINDOWS\SysWOW64\SOUNDMAN.EXE
        
        "C:\WINDOWS\SYSTEM32\SOUNDMAN.EXE"
        45⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of SetWindowsHookEx
        
        PID:4516
        
        C:\WINDOWS\SysWOW64\SOUNDMAN.EXE
        
        "C:\WINDOWS\SYSTEM32\SOUNDMAN.EXE"
        46⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of SetWindowsHookEx
        
        PID:4584
        
        C:\WINDOWS\SysWOW64\SOUNDMAN.EXE
        
        "C:\WINDOWS\SYSTEM32\SOUNDMAN.EXE"
        47⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:384
        
        C:\WINDOWS\SysWOW64\SOUNDMAN.EXE
        
        "C:\WINDOWS\SYSTEM32\SOUNDMAN.EXE"
        48⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:5024
        
        C:\WINDOWS\SysWOW64\SOUNDMAN.EXE
        
        "C:\WINDOWS\SYSTEM32\SOUNDMAN.EXE"
        49⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:4600
        
        C:\WINDOWS\SysWOW64\SOUNDMAN.EXE
        
        "C:\WINDOWS\SYSTEM32\SOUNDMAN.EXE"
        50⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of SetWindowsHookEx
        
        PID:448
        
        C:\WINDOWS\SysWOW64\SOUNDMAN.EXE
        
        "C:\WINDOWS\SYSTEM32\SOUNDMAN.EXE"
        51⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of SetWindowsHookEx
        
        PID:3704
        
        C:\WINDOWS\SysWOW64\SOUNDMAN.EXE
        
        "C:\WINDOWS\SYSTEM32\SOUNDMAN.EXE"
        52⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of SetWindowsHookEx
        
        PID:5072
        
        C:\WINDOWS\SysWOW64\SOUNDMAN.EXE
        
        "C:\WINDOWS\SYSTEM32\SOUNDMAN.EXE"
        53⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:3108
        
        C:\WINDOWS\SysWOW64\SOUNDMAN.EXE
        
        "C:\WINDOWS\SYSTEM32\SOUNDMAN.EXE"
        54⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of SetWindowsHookEx
        
        PID:388
        
        C:\WINDOWS\SysWOW64\SOUNDMAN.EXE
        
        "C:\WINDOWS\SYSTEM32\SOUNDMAN.EXE"
        55⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1460
        
        C:\WINDOWS\SysWOW64\SOUNDMAN.EXE
        
        "C:\WINDOWS\SYSTEM32\SOUNDMAN.EXE"
        56⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2404
        
        C:\WINDOWS\SysWOW64\SOUNDMAN.EXE
        
        "C:\WINDOWS\SYSTEM32\SOUNDMAN.EXE"
        57⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1588
        
        C:\WINDOWS\SysWOW64\SOUNDMAN.EXE
        
        "C:\WINDOWS\SYSTEM32\SOUNDMAN.EXE"
        58⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2160
        
        C:\WINDOWS\SysWOW64\SOUNDMAN.EXE
        
        "C:\WINDOWS\SYSTEM32\SOUNDMAN.EXE"
        59⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:5060
        
        C:\WINDOWS\SysWOW64\SOUNDMAN.EXE
        
        "C:\WINDOWS\SYSTEM32\SOUNDMAN.EXE"
        60⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of SetWindowsHookEx
        
        PID:2804
        
        C:\WINDOWS\SysWOW64\SOUNDMAN.EXE
        
        "C:\WINDOWS\SYSTEM32\SOUNDMAN.EXE"
        61⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2340
        
        C:\WINDOWS\SysWOW64\SOUNDMAN.EXE
        
        "C:\WINDOWS\SYSTEM32\SOUNDMAN.EXE"
        62⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:4052
        
        C:\WINDOWS\SysWOW64\SOUNDMAN.EXE
        
        "C:\WINDOWS\SYSTEM32\SOUNDMAN.EXE"
        63⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:3572
        
        C:\WINDOWS\SysWOW64\SOUNDMAN.EXE
        
        "C:\WINDOWS\SYSTEM32\SOUNDMAN.EXE"
        64⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:3684
        
        C:\WINDOWS\SysWOW64\SOUNDMAN.EXE
        
        "C:\WINDOWS\SYSTEM32\SOUNDMAN.EXE"
        65⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:4236
        
        C:\WINDOWS\SysWOW64\SOUNDMAN.EXE
        
        "C:\WINDOWS\SYSTEM32\SOUNDMAN.EXE"
        66⤵
        
        PID:2624
        
        C:\WINDOWS\SysWOW64\SOUNDMAN.EXE
        
        "C:\WINDOWS\SYSTEM32\SOUNDMAN.EXE"
        67⤵
        Drops file in System32 directory
        
        PID:4584
        
        C:\WINDOWS\SysWOW64\SOUNDMAN.EXE
        
        "C:\WINDOWS\SYSTEM32\SOUNDMAN.EXE"
        68⤵
        
        PID:384
        
        C:\WINDOWS\SysWOW64\SOUNDMAN.EXE
        
        "C:\WINDOWS\SYSTEM32\SOUNDMAN.EXE"
        69⤵
        Checks computer location settings
        
        PID:5024
        
        C:\WINDOWS\SysWOW64\SOUNDMAN.EXE
        
        "C:\WINDOWS\SYSTEM32\SOUNDMAN.EXE"
        70⤵
        
        PID:4468
        
        C:\WINDOWS\SysWOW64\SOUNDMAN.EXE
        
        "C:\WINDOWS\SYSTEM32\SOUNDMAN.EXE"
        71⤵
        Checks computer location settings
        Drops file in System32 directory
        
        PID:448
        
        C:\WINDOWS\SysWOW64\SOUNDMAN.EXE
        
        "C:\WINDOWS\SYSTEM32\SOUNDMAN.EXE"
        72⤵
        
        PID:3704
        
        C:\WINDOWS\SysWOW64\SOUNDMAN.EXE
        
        "C:\WINDOWS\SYSTEM32\SOUNDMAN.EXE"
        73⤵
        
        PID:4376
        
        C:\WINDOWS\SysWOW64\SOUNDMAN.EXE
        
        "C:\WINDOWS\SYSTEM32\SOUNDMAN.EXE"
        74⤵
        Checks computer location settings
        
        PID:4064
        
        C:\WINDOWS\SysWOW64\SOUNDMAN.EXE
        
        "C:\WINDOWS\SYSTEM32\SOUNDMAN.EXE"
        75⤵
        Checks computer location settings
        Drops file in System32 directory
        
        PID:2124
        
        C:\WINDOWS\SysWOW64\SOUNDMAN.EXE
        
        "C:\WINDOWS\SYSTEM32\SOUNDMAN.EXE"
        76⤵
        
        PID:3136
        
        C:\WINDOWS\SysWOW64\SOUNDMAN.EXE
        
        "C:\WINDOWS\SYSTEM32\SOUNDMAN.EXE"
        77⤵
        
        PID:3804
        
        C:\WINDOWS\SysWOW64\SOUNDMAN.EXE
        
        "C:\WINDOWS\SYSTEM32\SOUNDMAN.EXE"
        78⤵
        
        PID:2240
        
        C:\WINDOWS\SysWOW64\SOUNDMAN.EXE
        
        "C:\WINDOWS\SYSTEM32\SOUNDMAN.EXE"
        79⤵
        
        PID:4692
        
        C:\WINDOWS\SysWOW64\SOUNDMAN.EXE
        
        "C:\WINDOWS\SYSTEM32\SOUNDMAN.EXE"
        80⤵
        Checks computer location settings
        Drops file in System32 directory
        
        PID:956
        
        C:\WINDOWS\SysWOW64\SOUNDMAN.EXE
        
        "C:\WINDOWS\SYSTEM32\SOUNDMAN.EXE"
        81⤵
        Drops file in System32 directory
        
        PID:1932
        
        C:\WINDOWS\SysWOW64\SOUNDMAN.EXE
        
        "C:\WINDOWS\SYSTEM32\SOUNDMAN.EXE"
        82⤵
        Drops file in System32 directory
        
        PID:4236
        
        C:\WINDOWS\SysWOW64\SOUNDMAN.EXE
        
        "C:\WINDOWS\SYSTEM32\SOUNDMAN.EXE"
        83⤵
        Checks computer location settings
        
        PID:4456
        
        C:\WINDOWS\SysWOW64\SOUNDMAN.EXE
        
        "C:\WINDOWS\SYSTEM32\SOUNDMAN.EXE"
        84⤵
        
        PID:3276
        
        C:\WINDOWS\SysWOW64\SOUNDMAN.EXE
        
        "C:\WINDOWS\SYSTEM32\SOUNDMAN.EXE"
        85⤵
        
        PID:444
        
        C:\WINDOWS\SysWOW64\SOUNDMAN.EXE
        
        "C:\WINDOWS\SYSTEM32\SOUNDMAN.EXE"
        86⤵
        
        PID:4356
        
        C:\WINDOWS\SysWOW64\SOUNDMAN.EXE
        
        "C:\WINDOWS\SYSTEM32\SOUNDMAN.EXE"
        87⤵
        
        PID:1708
        
        C:\WINDOWS\SysWOW64\SOUNDMAN.EXE
        
        "C:\WINDOWS\SYSTEM32\SOUNDMAN.EXE"
        88⤵
        
        PID:2444
        
        C:\WINDOWS\SysWOW64\SOUNDMAN.EXE
        
        "C:\WINDOWS\SYSTEM32\SOUNDMAN.EXE"
        89⤵
        
        PID:4656
        
        C:\WINDOWS\SysWOW64\SOUNDMAN.EXE
        
        "C:\WINDOWS\SYSTEM32\SOUNDMAN.EXE"
        90⤵
        
        PID:1460
        
        C:\WINDOWS\SysWOW64\SOUNDMAN.EXE
        
        "C:\WINDOWS\SYSTEM32\SOUNDMAN.EXE"
        91⤵
        Checks computer location settings
        Drops file in System32 directory
        
        PID:4296
        
        C:\WINDOWS\SysWOW64\SOUNDMAN.EXE
        
        "C:\WINDOWS\SYSTEM32\SOUNDMAN.EXE"
        92⤵
        
        PID:1152
        
        C:\WINDOWS\SysWOW64\SOUNDMAN.EXE
        
        "C:\WINDOWS\SYSTEM32\SOUNDMAN.EXE"
        93⤵
        
        PID:392
        
        C:\WINDOWS\SysWOW64\SOUNDMAN.EXE
        
        "C:\WINDOWS\SYSTEM32\SOUNDMAN.EXE"
        94⤵
        
        PID:2644
        
        C:\WINDOWS\SysWOW64\SOUNDMAN.EXE
        
        "C:\WINDOWS\SYSTEM32\SOUNDMAN.EXE"
        95⤵
        
        PID:2308
        
        C:\WINDOWS\SysWOW64\SOUNDMAN.EXE
        
        "C:\WINDOWS\SYSTEM32\SOUNDMAN.EXE"
        96⤵
        
        PID:4616
        
        C:\WINDOWS\SysWOW64\SOUNDMAN.EXE
        
        "C:\WINDOWS\SYSTEM32\SOUNDMAN.EXE"
        97⤵
        Drops file in System32 directory
        
        PID:4748
        
        C:\WINDOWS\SysWOW64\SOUNDMAN.EXE
        
        "C:\WINDOWS\SYSTEM32\SOUNDMAN.EXE"
        98⤵
        
        PID:3644
        
        C:\WINDOWS\SysWOW64\SOUNDMAN.EXE
        
        "C:\WINDOWS\SYSTEM32\SOUNDMAN.EXE"
        99⤵
        
        PID:4032
        
        C:\WINDOWS\SysWOW64\SOUNDMAN.EXE
        
        "C:\WINDOWS\SYSTEM32\SOUNDMAN.EXE"
        100⤵
        Drops file in System32 directory
        
        PID:4256
        
        C:\WINDOWS\SysWOW64\SOUNDMAN.EXE
        
        "C:\WINDOWS\SYSTEM32\SOUNDMAN.EXE"
        101⤵
        Checks computer location settings
        Drops file in System32 directory
        
        PID:1552
        
        C:\WINDOWS\SysWOW64\SOUNDMAN.EXE
        
        "C:\WINDOWS\SYSTEM32\SOUNDMAN.EXE"
        102⤵
        Drops file in System32 directory
        
        PID:1532
        
        C:\WINDOWS\SysWOW64\SOUNDMAN.EXE
        
        "C:\WINDOWS\SYSTEM32\SOUNDMAN.EXE"
        103⤵
        
        PID:628
        
        C:\WINDOWS\SysWOW64\SOUNDMAN.EXE
        
        "C:\WINDOWS\SYSTEM32\SOUNDMAN.EXE"
        104⤵
        Checks computer location settings
        
        PID:3272
        
        C:\WINDOWS\SysWOW64\SOUNDMAN.EXE
        
        "C:\WINDOWS\SYSTEM32\SOUNDMAN.EXE"
        105⤵
        Checks computer location settings
        
        PID:1212
        
        C:\WINDOWS\SysWOW64\SOUNDMAN.EXE
        
        "C:\WINDOWS\SYSTEM32\SOUNDMAN.EXE"
        106⤵
        
        PID:2708
        
        C:\WINDOWS\SysWOW64\SOUNDMAN.EXE
        
        "C:\WINDOWS\SYSTEM32\SOUNDMAN.EXE"
        107⤵
        Drops file in System32 directory
        
        PID:3856
        
        C:\WINDOWS\SysWOW64\SOUNDMAN.EXE
        
        "C:\WINDOWS\SYSTEM32\SOUNDMAN.EXE"
        108⤵
        
        PID:3176
        
        C:\WINDOWS\SysWOW64\SOUNDMAN.EXE
        
        "C:\WINDOWS\SYSTEM32\SOUNDMAN.EXE"
        109⤵
        Drops file in System32 directory
        
        PID:824
        
        C:\WINDOWS\SysWOW64\SOUNDMAN.EXE
        
        "C:\WINDOWS\SYSTEM32\SOUNDMAN.EXE"
        110⤵
        Checks computer location settings
        Drops file in System32 directory
        
        PID:4180
        
        C:\WINDOWS\SysWOW64\SOUNDMAN.EXE
        
        "C:\WINDOWS\SYSTEM32\SOUNDMAN.EXE"
        111⤵
        Checks computer location settings
        Drops file in System32 directory
        
        PID:4188
        
        C:\WINDOWS\SysWOW64\SOUNDMAN.EXE
        
        "C:\WINDOWS\SYSTEM32\SOUNDMAN.EXE"
        112⤵
        
        PID:8
        
        C:\WINDOWS\SysWOW64\SOUNDMAN.EXE
        
        "C:\WINDOWS\SYSTEM32\SOUNDMAN.EXE"
        113⤵
        Drops file in System32 directory
        
        PID:1948
        
        C:\WINDOWS\SysWOW64\SOUNDMAN.EXE
        
        "C:\WINDOWS\SYSTEM32\SOUNDMAN.EXE"
        114⤵
        Checks computer location settings
        
        PID:2780
        
        C:\WINDOWS\SysWOW64\SOUNDMAN.EXE
        
        "C:\WINDOWS\SYSTEM32\SOUNDMAN.EXE"
        115⤵
        Checks computer location settings
        
        PID:1332
        
        C:\WINDOWS\SysWOW64\SOUNDMAN.EXE
        
        "C:\WINDOWS\SYSTEM32\SOUNDMAN.EXE"
        116⤵
        Drops file in System32 directory
        
        PID:2020
        
        C:\WINDOWS\SysWOW64\SOUNDMAN.EXE
        
        "C:\WINDOWS\SYSTEM32\SOUNDMAN.EXE"
        117⤵
        
        PID:632
        
        C:\WINDOWS\SysWOW64\SOUNDMAN.EXE
        
        "C:\WINDOWS\SYSTEM32\SOUNDMAN.EXE"
        118⤵
        
        PID:3108
        
        C:\WINDOWS\SysWOW64\SOUNDMAN.EXE
        
        "C:\WINDOWS\SYSTEM32\SOUNDMAN.EXE"
        119⤵
        
        PID:1924
        
        C:\WINDOWS\SysWOW64\SOUNDMAN.EXE
        
        "C:\WINDOWS\SYSTEM32\SOUNDMAN.EXE"
        120⤵
        Drops file in System32 directory
        
        PID:3500
        
        C:\WINDOWS\SysWOW64\SOUNDMAN.EXE
        
        "C:\WINDOWS\SYSTEM32\SOUNDMAN.EXE"
        121⤵
        
        PID:2152
        
        C:\WINDOWS\SysWOW64\SOUNDMAN.EXE
        
        "C:\WINDOWS\SYSTEM32\SOUNDMAN.EXE"
        122⤵
        
        PID:3548
        
        C:\WINDOWS\SysWOW64\SOUNDMAN.EXE
        
        "C:\WINDOWS\SYSTEM32\SOUNDMAN.EXE"
        123⤵
        
        PID:3468
        
        C:\WINDOWS\SysWOW64\SOUNDMAN.EXE
        
        "C:\WINDOWS\SYSTEM32\SOUNDMAN.EXE"
        124⤵
        Drops file in System32 directory
        
        PID:4880
        
        C:\WINDOWS\SysWOW64\SOUNDMAN.EXE
        
        "C:\WINDOWS\SYSTEM32\SOUNDMAN.EXE"
        125⤵
        
        PID:2784
        
        C:\WINDOWS\SysWOW64\SOUNDMAN.EXE
        
        "C:\WINDOWS\SYSTEM32\SOUNDMAN.EXE"
        126⤵
        
        PID:3460
        
        C:\WINDOWS\SysWOW64\SOUNDMAN.EXE
        
        "C:\WINDOWS\SYSTEM32\SOUNDMAN.EXE"
        127⤵
        Checks computer location settings
        
        PID:1032
        
        C:\WINDOWS\SysWOW64\SOUNDMAN.EXE
        
        "C:\WINDOWS\SYSTEM32\SOUNDMAN.EXE"
        128⤵
        
        PID:1680
        
        C:\WINDOWS\SysWOW64\SOUNDMAN.EXE
        
        "C:\WINDOWS\SYSTEM32\SOUNDMAN.EXE"
        129⤵
        
        PID:2860
        
        C:\WINDOWS\SysWOW64\SOUNDMAN.EXE
        
        "C:\WINDOWS\SYSTEM32\SOUNDMAN.EXE"
        130⤵
        
        PID:4376
        
        C:\WINDOWS\SysWOW64\SOUNDMAN.EXE
        
        "C:\WINDOWS\SYSTEM32\SOUNDMAN.EXE"
        131⤵
        
        PID:1868
        
        C:\WINDOWS\SysWOW64\SOUNDMAN.EXE
        
        "C:\WINDOWS\SYSTEM32\SOUNDMAN.EXE"
        132⤵
        
        PID:3888
        
        C:\WINDOWS\SysWOW64\SOUNDMAN.EXE
        
        "C:\WINDOWS\SYSTEM32\SOUNDMAN.EXE"
        133⤵
        Checks computer location settings
        
        PID:3136
        
        C:\WINDOWS\SysWOW64\SOUNDMAN.EXE
        
        "C:\WINDOWS\SYSTEM32\SOUNDMAN.EXE"
        134⤵
        
        PID:3788
        
        C:\WINDOWS\SysWOW64\SOUNDMAN.EXE
        
        "C:\WINDOWS\SYSTEM32\SOUNDMAN.EXE"
        135⤵
        
        PID:4036
        
        C:\WINDOWS\SysWOW64\SOUNDMAN.EXE
        
        "C:\WINDOWS\SYSTEM32\SOUNDMAN.EXE"
        136⤵
        
        PID:2584
        
        C:\WINDOWS\SysWOW64\SOUNDMAN.EXE
        
        "C:\WINDOWS\SYSTEM32\SOUNDMAN.EXE"
        137⤵
        Drops file in System32 directory
        
        PID:3812
        
        C:\WINDOWS\SysWOW64\SOUNDMAN.EXE
        
        "C:\WINDOWS\SYSTEM32\SOUNDMAN.EXE"
        138⤵
        Drops file in System32 directory
        
        PID:4696
        
        C:\WINDOWS\SysWOW64\SOUNDMAN.EXE
        
        "C:\WINDOWS\SYSTEM32\SOUNDMAN.EXE"
        139⤵
        
        PID:1932
        
        C:\WINDOWS\SysWOW64\SOUNDMAN.EXE
        
        "C:\WINDOWS\SYSTEM32\SOUNDMAN.EXE"
        140⤵
        
        PID:1312
        
        C:\WINDOWS\SysWOW64\SOUNDMAN.EXE
        
        "C:\WINDOWS\SYSTEM32\SOUNDMAN.EXE"
        141⤵
        Drops file in System32 directory
        
        PID:2308
        
        C:\WINDOWS\SysWOW64\SOUNDMAN.EXE
        
        "C:\WINDOWS\SYSTEM32\SOUNDMAN.EXE"
        142⤵
        
        PID:4236
        
        C:\WINDOWS\SysWOW64\SOUNDMAN.EXE
        
        "C:\WINDOWS\SYSTEM32\SOUNDMAN.EXE"
        143⤵
        Checks computer location settings
        Drops file in System32 directory
        
        PID:384
        
        C:\WINDOWS\SysWOW64\SOUNDMAN.EXE
        
        "C:\WINDOWS\SYSTEM32\SOUNDMAN.EXE"
        144⤵
        
        PID:1516
        
        C:\WINDOWS\SysWOW64\SOUNDMAN.EXE
        
        "C:\WINDOWS\SYSTEM32\SOUNDMAN.EXE"
        145⤵
        
        PID:3600
        
        C:\WINDOWS\SysWOW64\SOUNDMAN.EXE
        
        "C:\WINDOWS\SYSTEM32\SOUNDMAN.EXE"
        146⤵
        
        PID:4120
        
        C:\WINDOWS\SysWOW64\SOUNDMAN.EXE
        
        "C:\WINDOWS\SYSTEM32\SOUNDMAN.EXE"
        147⤵
        
        PID:5088
        
        C:\WINDOWS\SysWOW64\SOUNDMAN.EXE
        
        "C:\WINDOWS\SYSTEM32\SOUNDMAN.EXE"
        148⤵
        Drops file in System32 directory
        
        PID:2128
        
        C:\WINDOWS\SysWOW64\SOUNDMAN.EXE
        
        "C:\WINDOWS\SYSTEM32\SOUNDMAN.EXE"
        149⤵
        Drops file in System32 directory
        
        PID:4016
        
        C:\WINDOWS\SysWOW64\SOUNDMAN.EXE
        
        "C:\WINDOWS\SYSTEM32\SOUNDMAN.EXE"
        150⤵
        Checks computer location settings
        
        PID:3440
        
        C:\WINDOWS\SysWOW64\SOUNDMAN.EXE
        
        "C:\WINDOWS\SYSTEM32\SOUNDMAN.EXE"
        151⤵
        
        PID:4768
        
        C:\WINDOWS\SysWOW64\SOUNDMAN.EXE
        
        "C:\WINDOWS\SYSTEM32\SOUNDMAN.EXE"
        152⤵
        
        PID:1444
        
        C:\WINDOWS\SysWOW64\SOUNDMAN.EXE
        
        "C:\WINDOWS\SYSTEM32\SOUNDMAN.EXE"
        153⤵
        Checks computer location settings
        
        PID:1652
        
        C:\WINDOWS\SysWOW64\SOUNDMAN.EXE
        
        "C:\WINDOWS\SYSTEM32\SOUNDMAN.EXE"
        154⤵
        
        PID:2092
        
        C:\WINDOWS\SysWOW64\SOUNDMAN.EXE
        
        "C:\WINDOWS\SYSTEM32\SOUNDMAN.EXE"
        155⤵
        
        PID:2620
        
        C:\WINDOWS\SysWOW64\SOUNDMAN.EXE
        
        "C:\WINDOWS\SYSTEM32\SOUNDMAN.EXE"
        156⤵
        Checks computer location settings
        Drops file in System32 directory
        
        PID:1868
        
        C:\WINDOWS\SysWOW64\SOUNDMAN.EXE
        
        "C:\WINDOWS\SYSTEM32\SOUNDMAN.EXE"
        157⤵
        
        PID:3432
        
        C:\WINDOWS\SysWOW64\SOUNDMAN.EXE
        
        "C:\WINDOWS\SYSTEM32\SOUNDMAN.EXE"
        158⤵
        Checks computer location settings
        
        PID:1388
        
        C:\WINDOWS\SysWOW64\SOUNDMAN.EXE
        
        "C:\WINDOWS\SYSTEM32\SOUNDMAN.EXE"
        159⤵
        Checks computer location settings
        
        PID:1152
        
        C:\WINDOWS\SysWOW64\SOUNDMAN.EXE
        
        "C:\WINDOWS\SYSTEM32\SOUNDMAN.EXE"
        160⤵
        Checks computer location settings
        Drops file in System32 directory
        
        PID:4536
        
        C:\WINDOWS\SysWOW64\SOUNDMAN.EXE
        
        "C:\WINDOWS\SYSTEM32\SOUNDMAN.EXE"
        161⤵
        
        PID:4268
        
        C:\WINDOWS\SysWOW64\SOUNDMAN.EXE
        
        "C:\WINDOWS\SYSTEM32\SOUNDMAN.EXE"
        162⤵
        
        PID:1740
        
        C:\WINDOWS\SysWOW64\SOUNDMAN.EXE
        
        "C:\WINDOWS\SYSTEM32\SOUNDMAN.EXE"
        163⤵
        Checks computer location settings
        
        PID:2952
        
        C:\WINDOWS\SysWOW64\SOUNDMAN.EXE
        
        "C:\WINDOWS\SYSTEM32\SOUNDMAN.EXE"
        164⤵
        Drops file in System32 directory
        
        PID:4608
        
        C:\WINDOWS\SysWOW64\SOUNDMAN.EXE
        
        "C:\WINDOWS\SYSTEM32\SOUNDMAN.EXE"
        165⤵
        Checks computer location settings
        
        PID:5020
        
        C:\WINDOWS\SysWOW64\SOUNDMAN.EXE
        
        "C:\WINDOWS\SYSTEM32\SOUNDMAN.EXE"
        166⤵
        
        PID:1876
        
        C:\WINDOWS\SysWOW64\SOUNDMAN.EXE
        
        "C:\WINDOWS\SYSTEM32\SOUNDMAN.EXE"
        167⤵
        Checks computer location settings
        
        PID:1240
        
        C:\WINDOWS\SysWOW64\SOUNDMAN.EXE
        
        "C:\WINDOWS\SYSTEM32\SOUNDMAN.EXE"
        168⤵
        Checks computer location settings
        
        PID:3056
        
        C:\WINDOWS\SysWOW64\SOUNDMAN.EXE
        
        "C:\WINDOWS\SYSTEM32\SOUNDMAN.EXE"
        169⤵
        
        PID:4884
        
        C:\WINDOWS\SysWOW64\SOUNDMAN.EXE
        
        "C:\WINDOWS\SYSTEM32\SOUNDMAN.EXE"
        170⤵
        Drops file in System32 directory
        
        PID:4512
        
        C:\WINDOWS\SysWOW64\SOUNDMAN.EXE
        
        "C:\WINDOWS\SYSTEM32\SOUNDMAN.EXE"
        171⤵
        
        PID:2124
        
        C:\WINDOWS\SysWOW64\SOUNDMAN.EXE
        
        "C:\WINDOWS\SYSTEM32\SOUNDMAN.EXE"
        172⤵
        
        PID:4340
        
        C:\WINDOWS\SysWOW64\SOUNDMAN.EXE
        
        "C:\WINDOWS\SYSTEM32\SOUNDMAN.EXE"
        173⤵
        Drops file in System32 directory
        
        PID:2104
        
        C:\WINDOWS\SysWOW64\SOUNDMAN.EXE
        
        "C:\WINDOWS\SYSTEM32\SOUNDMAN.EXE"
        174⤵
        Checks computer location settings
        
        PID:2984
        
        C:\WINDOWS\SysWOW64\SOUNDMAN.EXE
        
        "C:\WINDOWS\SYSTEM32\SOUNDMAN.EXE"
        175⤵
        Checks computer location settings
        
        PID:4248
        
        C:\WINDOWS\SysWOW64\SOUNDMAN.EXE
        
        "C:\WINDOWS\SYSTEM32\SOUNDMAN.EXE"
        176⤵
        
        PID:3844
        
        C:\WINDOWS\SysWOW64\SOUNDMAN.EXE
        
        "C:\WINDOWS\SYSTEM32\SOUNDMAN.EXE"
        177⤵
        Checks computer location settings
        
        PID:2444
        
        C:\WINDOWS\SysWOW64\SOUNDMAN.EXE
        
        "C:\WINDOWS\SYSTEM32\SOUNDMAN.EXE"
        178⤵
        
        PID:116
        
        C:\WINDOWS\SysWOW64\SOUNDMAN.EXE
        
        "C:\WINDOWS\SYSTEM32\SOUNDMAN.EXE"
        179⤵
        Drops file in System32 directory
        
        PID:3288
        
        C:\WINDOWS\SysWOW64\SOUNDMAN.EXE
        
        "C:\WINDOWS\SYSTEM32\SOUNDMAN.EXE"
        180⤵
        Checks computer location settings
        
        PID:4744
        
        C:\WINDOWS\SysWOW64\SOUNDMAN.EXE
        
        "C:\WINDOWS\SYSTEM32\SOUNDMAN.EXE"
        181⤵
        
        PID:3384
        
        C:\WINDOWS\SysWOW64\SOUNDMAN.EXE
        
        "C:\WINDOWS\SYSTEM32\SOUNDMAN.EXE"
        182⤵
        Checks computer location settings
        
        PID:1624
        
        C:\WINDOWS\SysWOW64\SOUNDMAN.EXE
        
        "C:\WINDOWS\SYSTEM32\SOUNDMAN.EXE"
        183⤵
        
        PID:2268
        
        C:\WINDOWS\SysWOW64\SOUNDMAN.EXE
        
        "C:\WINDOWS\SYSTEM32\SOUNDMAN.EXE"
        184⤵
        
        PID:2272
        
        C:\WINDOWS\SysWOW64\SOUNDMAN.EXE
        
        "C:\WINDOWS\SYSTEM32\SOUNDMAN.EXE"
        185⤵
        Checks computer location settings
        
        PID:3920
        
        C:\WINDOWS\SysWOW64\SOUNDMAN.EXE
        
        "C:\WINDOWS\SYSTEM32\SOUNDMAN.EXE"
        186⤵
        Drops file in System32 directory
        
        PID:3900
        
        C:\WINDOWS\SysWOW64\SOUNDMAN.EXE
        
        "C:\WINDOWS\SYSTEM32\SOUNDMAN.EXE"
        187⤵
        Drops file in System32 directory
        
        PID:1152
        
        C:\WINDOWS\SysWOW64\SOUNDMAN.EXE
        
        "C:\WINDOWS\SYSTEM32\SOUNDMAN.EXE"
        188⤵
        Checks computer location settings
        Drops file in System32 directory
        
        PID:4536
        
        C:\WINDOWS\SysWOW64\SOUNDMAN.EXE
        
        "C:\WINDOWS\SYSTEM32\SOUNDMAN.EXE"
        189⤵
        Checks computer location settings
        
        PID:4268
        
        C:\WINDOWS\SysWOW64\SOUNDMAN.EXE
        
        "C:\WINDOWS\SYSTEM32\SOUNDMAN.EXE"
        190⤵
        Drops file in System32 directory
        
        PID:392
        
        C:\WINDOWS\SysWOW64\SOUNDMAN.EXE
        
        "C:\WINDOWS\SYSTEM32\SOUNDMAN.EXE"
        191⤵
        
        PID:1628
        
        C:\WINDOWS\SysWOW64\SOUNDMAN.EXE
        
        "C:\WINDOWS\SYSTEM32\SOUNDMAN.EXE"
        192⤵
        Checks computer location settings
        
        PID:452
        
        C:\WINDOWS\SysWOW64\SOUNDMAN.EXE
        
        "C:\WINDOWS\SYSTEM32\SOUNDMAN.EXE"
        193⤵
        Drops file in System32 directory
        
        PID:1248
        
        C:\WINDOWS\SysWOW64\SOUNDMAN.EXE
        
        "C:\WINDOWS\SYSTEM32\SOUNDMAN.EXE"
        194⤵
        Checks computer location settings
        Drops file in System32 directory
        
        PID:2656
        
        C:\WINDOWS\SysWOW64\SOUNDMAN.EXE
        
        "C:\WINDOWS\SYSTEM32\SOUNDMAN.EXE"
        195⤵
        Checks computer location settings
        
        PID:1420
        
        C:\WINDOWS\SysWOW64\SOUNDMAN.EXE
        
        "C:\WINDOWS\SYSTEM32\SOUNDMAN.EXE"
        196⤵
        
        PID:2992
        
        C:\WINDOWS\SysWOW64\SOUNDMAN.EXE
        
        "C:\WINDOWS\SYSTEM32\SOUNDMAN.EXE"
        197⤵
        
        PID:856
        
        C:\WINDOWS\SysWOW64\SOUNDMAN.EXE
        
        "C:\WINDOWS\SYSTEM32\SOUNDMAN.EXE"
        198⤵
        Checks computer location settings
        
        PID:3576
        
        C:\WINDOWS\SysWOW64\SOUNDMAN.EXE
        
        "C:\WINDOWS\SYSTEM32\SOUNDMAN.EXE"
        199⤵
        
        PID:3600
        
        C:\WINDOWS\SysWOW64\SOUNDMAN.EXE
        
        "C:\WINDOWS\SYSTEM32\SOUNDMAN.EXE"
        200⤵
        Checks computer location settings
        Drops file in System32 directory
        
        PID:2328
        
        C:\WINDOWS\SysWOW64\SOUNDMAN.EXE
        
        "C:\WINDOWS\SYSTEM32\SOUNDMAN.EXE"
        201⤵
        Checks computer location settings
        
        PID:4204
        
        C:\WINDOWS\SysWOW64\SOUNDMAN.EXE
        
        "C:\WINDOWS\SYSTEM32\SOUNDMAN.EXE"
        202⤵
        
        PID:5104
        
        C:\WINDOWS\SysWOW64\SOUNDMAN.EXE
        
        "C:\WINDOWS\SYSTEM32\SOUNDMAN.EXE"
        203⤵
        Drops file in System32 directory
        
        PID:1668
        
        C:\WINDOWS\SysWOW64\SOUNDMAN.EXE
        
        "C:\WINDOWS\SYSTEM32\SOUNDMAN.EXE"
        204⤵
        
        PID:5024
        
        C:\WINDOWS\SysWOW64\SOUNDMAN.EXE
        
        "C:\WINDOWS\SYSTEM32\SOUNDMAN.EXE"
        205⤵
        Drops file in System32 directory
        
        PID:4780
        
        C:\WINDOWS\SysWOW64\SOUNDMAN.EXE
        
        "C:\WINDOWS\SYSTEM32\SOUNDMAN.EXE"
        206⤵
        
        PID:628
        
        C:\WINDOWS\SysWOW64\SOUNDMAN.EXE
        
        "C:\WINDOWS\SYSTEM32\SOUNDMAN.EXE"
        207⤵
        Drops file in System32 directory
        
        PID:4320
        
        C:\WINDOWS\SysWOW64\SOUNDMAN.EXE
        
        "C:\WINDOWS\SYSTEM32\SOUNDMAN.EXE"
        208⤵
        
        PID:4664
        
        C:\WINDOWS\SysWOW64\SOUNDMAN.EXE
        
        "C:\WINDOWS\SYSTEM32\SOUNDMAN.EXE"
        209⤵
        
        PID:2136
        
        C:\WINDOWS\SysWOW64\SOUNDMAN.EXE
        
        "C:\WINDOWS\SYSTEM32\SOUNDMAN.EXE"
        210⤵
        
        PID:3740
        
        C:\WINDOWS\SysWOW64\SOUNDMAN.EXE
        
        "C:\WINDOWS\SYSTEM32\SOUNDMAN.EXE"
        211⤵
        
        PID:3068
        
        C:\WINDOWS\SysWOW64\SOUNDMAN.EXE
        
        "C:\WINDOWS\SYSTEM32\SOUNDMAN.EXE"
        212⤵
        
        PID:3648
        
        C:\WINDOWS\SysWOW64\SOUNDMAN.EXE
        
        "C:\WINDOWS\SYSTEM32\SOUNDMAN.EXE"
        213⤵
        
        PID:3804
        
        C:\WINDOWS\SysWOW64\SOUNDMAN.EXE
        
        "C:\WINDOWS\SYSTEM32\SOUNDMAN.EXE"
        214⤵
        
        PID:4180
        
        C:\WINDOWS\SysWOW64\SOUNDMAN.EXE
        
        "C:\WINDOWS\SYSTEM32\SOUNDMAN.EXE"
        215⤵
        
        PID:8
        
        C:\WINDOWS\SysWOW64\SOUNDMAN.EXE
        
        "C:\WINDOWS\SYSTEM32\SOUNDMAN.EXE"
        216⤵
        
        PID:2372
        
        C:\WINDOWS\SysWOW64\SOUNDMAN.EXE
        
        "C:\WINDOWS\SYSTEM32\SOUNDMAN.EXE"
        217⤵
        
        PID:3632
        
        C:\WINDOWS\SysWOW64\SOUNDMAN.EXE
        
        "C:\WINDOWS\SYSTEM32\SOUNDMAN.EXE"
        218⤵
        
        PID:4952
        
        C:\WINDOWS\SysWOW64\SOUNDMAN.EXE
        
        "C:\WINDOWS\SYSTEM32\SOUNDMAN.EXE"
        219⤵
        
        PID:1116
        
        C:\WINDOWS\SysWOW64\SOUNDMAN.EXE
        
        "C:\WINDOWS\SYSTEM32\SOUNDMAN.EXE"
        220⤵
        
        PID:1588
        
        C:\WINDOWS\SysWOW64\SOUNDMAN.EXE
        
        "C:\WINDOWS\SYSTEM32\SOUNDMAN.EXE"
        221⤵
        
        PID:4840
        
        C:\WINDOWS\SysWOW64\SOUNDMAN.EXE
        
        "C:\WINDOWS\SYSTEM32\SOUNDMAN.EXE"
        222⤵
        
        PID:1312
        
        C:\WINDOWS\SysWOW64\SOUNDMAN.EXE
        
        "C:\WINDOWS\SYSTEM32\SOUNDMAN.EXE"
        223⤵
        
        PID:2988
        
        C:\WINDOWS\SysWOW64\SOUNDMAN.EXE
        
        "C:\WINDOWS\SYSTEM32\SOUNDMAN.EXE"
        224⤵
        
        PID:1204
        
        C:\WINDOWS\SysWOW64\SOUNDMAN.EXE
        
        "C:\WINDOWS\SYSTEM32\SOUNDMAN.EXE"
        225⤵
        
        PID:2992
        
        C:\WINDOWS\SysWOW64\SOUNDMAN.EXE
        
        "C:\WINDOWS\SYSTEM32\SOUNDMAN.EXE"
        226⤵
        
        PID:4884
        
        C:\WINDOWS\SysWOW64\SOUNDMAN.EXE
        
        "C:\WINDOWS\SYSTEM32\SOUNDMAN.EXE"
        227⤵
        
        PID:2120
        
        C:\WINDOWS\SysWOW64\SOUNDMAN.EXE
        
        "C:\WINDOWS\SYSTEM32\SOUNDMAN.EXE"
        228⤵
        
        PID:2152
        
        C:\WINDOWS\SysWOW64\SOUNDMAN.EXE
        
        "C:\WINDOWS\SYSTEM32\SOUNDMAN.EXE"
        229⤵
        
        PID:3192
        
        C:\WINDOWS\SysWOW64\SOUNDMAN.EXE
        
        "C:\WINDOWS\SYSTEM32\SOUNDMAN.EXE"
        230⤵
        
        PID:4356
        
        C:\WINDOWS\SysWOW64\SOUNDMAN.EXE
        
        "C:\WINDOWS\SYSTEM32\SOUNDMAN.EXE"
        231⤵
        
        PID:2028
        
        C:\WINDOWS\SysWOW64\SOUNDMAN.EXE
        
        "C:\WINDOWS\SYSTEM32\SOUNDMAN.EXE"
        232⤵
        
        PID:3468
        
        C:\WINDOWS\SysWOW64\SOUNDMAN.EXE
        
        "C:\WINDOWS\SYSTEM32\SOUNDMAN.EXE"
        233⤵
        
        PID:3724
        
        C:\WINDOWS\SysWOW64\SOUNDMAN.EXE
        
        "C:\WINDOWS\SYSTEM32\SOUNDMAN.EXE"
        234⤵
        
        PID:3544
        
        C:\WINDOWS\SysWOW64\SOUNDMAN.EXE
        
        "C:\WINDOWS\SYSTEM32\SOUNDMAN.EXE"
        235⤵
        
        PID:628
        
        C:\WINDOWS\SysWOW64\SOUNDMAN.EXE
        
        "C:\WINDOWS\SYSTEM32\SOUNDMAN.EXE"
        236⤵
        
        PID:2348
        
        C:\WINDOWS\SysWOW64\SOUNDMAN.EXE
        
        "C:\WINDOWS\SYSTEM32\SOUNDMAN.EXE"
        237⤵
        
        PID:4664
        
        C:\WINDOWS\SysWOW64\SOUNDMAN.EXE
        
        "C:\WINDOWS\SYSTEM32\SOUNDMAN.EXE"
        238⤵
        
        PID:2136
        
        C:\WINDOWS\SysWOW64\SOUNDMAN.EXE
        
        "C:\WINDOWS\SYSTEM32\SOUNDMAN.EXE"
        239⤵
        
        PID:1300
        
        C:\WINDOWS\SysWOW64\SOUNDMAN.EXE
        
        "C:\WINDOWS\SYSTEM32\SOUNDMAN.EXE"
        240⤵
        
        PID:344

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\SOUNDMAN.EXE

Filesize
49KB

MD5
cd849346a352a38feb22d8941d2068d8

SHA1
9eb6a524d9185af11be1189bf583abde194dd35d

SHA256
a49d6efa641852bd8bf501ee0aa414626c334af6f707ab8a04cf16b8957e13aa

SHA512
bb940cecbc923f8e691fe077bc255bbc78e2ee3142eba9e698be6f6597c37f61b395188016db1b6b38f632f9ab7b47ecd79c062a2bf14fd1ad3a2a716ea4b7be

Download Submit
C:\Windows\SysWOW64\error.dat

Filesize
32B

MD5
ae4b937b548b506f15a64cdbd41b0b31

SHA1
be51a89a50261df977ad7a55d228ac40a9ba55d6

SHA256
cfe7fa7605656869b5ed9f33f567f2509e5fd241801c81b9d59fdad054221fac

SHA512
53d8c364ec8ba0a15f2dcd031228686abd92a9c431be8df3d423c81a5c8b98829e4cf358e3f8c627b7524cfd1130f41e44992edcf744c7f5d32c916169edcd61

Download Submit
memory/116-160-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/220-26-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/220-158-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/384-184-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/408-74-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/408-70-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/444-145-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/444-147-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/556-164-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/568-22-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/876-130-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/1044-121-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/1104-108-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/1104-167-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/1104-169-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/1156-104-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/1156-102-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/1212-34-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/1212-36-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/1332-177-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/1332-178-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/1356-115-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/1356-109-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/1844-151-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/1844-85-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/1924-155-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/1924-156-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/1932-175-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/2288-162-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/2308-50-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/2308-55-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/2464-166-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/2612-78-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/2784-82-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/2784-87-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/2784-153-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/2872-95-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/3052-20-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/3108-91-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/3156-64-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/3156-62-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/3300-142-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/3384-171-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/3432-117-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/4112-126-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/4112-124-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/4196-43-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/4196-45-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/4268-59-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/4272-29-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/4272-31-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/4376-99-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/4472-138-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/4488-0-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/4488-16-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/4516-180-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/4584-182-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/4596-40-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/4612-173-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/4612-51-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/4612-46-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/4732-69-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/4732-65-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/4840-134-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download