06024bec06fb17db8314ad5d506bc43d6ac6ee5ca56594aa25670e6943165025

Analysis

max time kernel
86s
max time network
121s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
23-05-2024 18:18

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

06024bec06fb17db8314ad5d506bc43d6ac6ee5ca56594aa25670e6943165025.exe
Size

41KB
MD5

00d8fb703a25b8455adbf6b33ecd0ff6
SHA1

49f2bdb6b902bbe5024792ca6da9ca33d9d6083f
SHA256

06024bec06fb17db8314ad5d506bc43d6ac6ee5ca56594aa25670e6943165025
SHA512

755a7f2cce2a9834af190ce9d2c075a63ac108f688f5773cf7263f589e753243b4f8f4090e8b35cf5fda4f6b8b7111ff8268f0c8a03de0a899d3d2a2d37ae3c5
SSDEEP

768:+iZNPp0b5BbrMVUTBv6mkZ8jA7IwnDoSdW:+WNBGBrM6Fv6mkqyoT

Score

10^/10

persistence

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 52 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

Processes:

mmtask.exeSVCHOST.EXEmmtask.exemmtask.exemmtask.exeSVCHOST.EXESVCHOST.EXESVCHOST.EXEEBRR.EXEmmtask.exeSVCHOST.EXEEBRR.EXESVCHOST.EXEmmtask.exeEBRR.EXESVCHOST.EXESVCHOST.EXEmmtask.exeSVCHOST.EXEEBRR.EXE06024bec06fb17db8314ad5d506bc43d6ac6ee5ca56594aa25670e6943165025.exemmtask.exeSVCHOST.EXE

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"\""	mmtask.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"\""	SVCHOST.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"\""	mmtask.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"\""	mmtask.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"\""	mmtask.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"\""	SVCHOST.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"\""	SVCHOST.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"\""	SVCHOST.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"C:\\Windows\\SVCHOST.EXE\""	EBRR.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"C:\\Windows\\SVCHOST.EXE\""	mmtask.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"\""
Set value (str)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"C:\\Windows\\system\\SVCHOST.EXE\""	SVCHOST.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"\""	EBRR.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"\""	SVCHOST.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"\""	mmtask.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"\""	EBRR.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"C:\\Windows\\system\\SVCHOST.EXE\""	EBRR.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"C:\\Windows\\system\\SVCHOST.EXE\""	SVCHOST.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"C:\\Windows\\SVCHOST.EXE\""	SVCHOST.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"\""	SVCHOST.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"\""	SVCHOST.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"\""	mmtask.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"\""	mmtask.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"\""	SVCHOST.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"\""
Set value (str)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"C:\\Windows\\system\\SVCHOST.EXE\""	mmtask.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"\""	EBRR.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"\""	mmtask.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"\""	mmtask.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"\""
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"C:\\Windows\\SVCHOST.EXE\""	06024bec06fb17db8314ad5d506bc43d6ac6ee5ca56594aa25670e6943165025.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"\""	SVCHOST.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"\""	SVCHOST.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"\""	SVCHOST.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"C:\\Windows\\system\\SVCHOST.EXE\""	06024bec06fb17db8314ad5d506bc43d6ac6ee5ca56594aa25670e6943165025.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"\""	mmtask.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"\""	SVCHOST.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"\""	EBRR.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"C:\\Windows\\SVCHOST.EXE\""	SVCHOST.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"\""	mmtask.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"\""
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"\""	EBRR.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"\""	SVCHOST.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"\""
Set value (str)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"\""	mmtask.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"\""	mmtask.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"\""	mmtask.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"\""	SVCHOST.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"\""	SVCHOST.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"\""	SVCHOST.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"\""	EBRR.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"\""

Executes dropped EXE 64 IoCs

Processes:

EBRR.EXEEBRR.EXEmmtask.exeEBRR.EXEmmtask.exeSVCHOST.EXEEBRR.EXEmmtask.exeSVCHOST.EXEmmtask.exeEBRR.EXEEBRR.EXEmmtask.exeSVCHOST.EXEEBRR.EXESVCHOST.EXESVCHOST.EXEmmtask.exemmtask.exeSVCHOST.EXEEBRR.EXESVCHOST.EXESVCHOST.EXESVCHOST.EXESVCHOST.EXEEBRR.EXEmmtask.exeSVCHOST.EXESVCHOST.EXEmmtask.exeSVCHOST.EXESVCHOST.EXEEBRR.EXESVCHOST.EXEEBRR.EXEEBRR.EXEmmtask.exemmtask.exemmtask.exeEBRR.EXEEBRR.EXESVCHOST.EXESVCHOST.EXEmmtask.exeSVCHOST.EXEmmtask.exeSVCHOST.EXESVCHOST.EXESVCHOST.EXESVCHOST.EXESVCHOST.EXESVCHOST.EXESVCHOST.EXESVCHOST.EXESVCHOST.EXESVCHOST.EXEEBRR.EXEEBRR.EXEEBRR.EXEmmtask.exeEBRR.EXEEBRR.EXEmmtask.exemmtask.exe

pid	process
1616	EBRR.EXE
2676	EBRR.EXE
2072	mmtask.exe
2748	EBRR.EXE
2576	mmtask.exe
2460	SVCHOST.EXE
3024	EBRR.EXE
1628	mmtask.exe
2624	SVCHOST.EXE
1996	mmtask.exe
2376	EBRR.EXE
1676	EBRR.EXE
1780	mmtask.exe
920	SVCHOST.EXE
1396	EBRR.EXE
2240	SVCHOST.EXE
1736	SVCHOST.EXE
2812	mmtask.exe
2992	mmtask.exe
2060	SVCHOST.EXE
744	EBRR.EXE
440	SVCHOST.EXE
1912	SVCHOST.EXE
1756	SVCHOST.EXE
1352	SVCHOST.EXE
1856	EBRR.EXE
2032	mmtask.exe
2328	SVCHOST.EXE
1052	SVCHOST.EXE
2264	mmtask.exe
2852	SVCHOST.EXE
1716	SVCHOST.EXE
1260	EBRR.EXE
2724	SVCHOST.EXE
1664	EBRR.EXE
1588	EBRR.EXE
1596	mmtask.exe
2876	mmtask.exe
2536	mmtask.exe
2144	EBRR.EXE
2680	EBRR.EXE
2672	SVCHOST.EXE
2512	SVCHOST.EXE
2552	mmtask.exe
2604	SVCHOST.EXE
2708	mmtask.exe
1548	SVCHOST.EXE
2520	SVCHOST.EXE
2572	SVCHOST.EXE
2904	SVCHOST.EXE
552	SVCHOST.EXE
1480	SVCHOST.EXE
1100	SVCHOST.EXE
2668	SVCHOST.EXE
2632	SVCHOST.EXE
1992	SVCHOST.EXE
1040	EBRR.EXE
2044	EBRR.EXE
1780	EBRR.EXE
604	mmtask.exe
1964	EBRR.EXE
2084	EBRR.EXE
2740	mmtask.exe
768	mmtask.exe

Loads dropped DLL 64 IoCs

Processes:

06024bec06fb17db8314ad5d506bc43d6ac6ee5ca56594aa25670e6943165025.exeEBRR.EXEmmtask.exeSVCHOST.EXESVCHOST.EXE

pid	process
2284	06024bec06fb17db8314ad5d506bc43d6ac6ee5ca56594aa25670e6943165025.exe
2284	06024bec06fb17db8314ad5d506bc43d6ac6ee5ca56594aa25670e6943165025.exe
1616	EBRR.EXE
1616	EBRR.EXE
1616	EBRR.EXE
1616	EBRR.EXE
2072	mmtask.exe
2072	mmtask.exe
2072	mmtask.exe
2072	mmtask.exe
2460	SVCHOST.EXE
2460	SVCHOST.EXE
2460	SVCHOST.EXE
2460	SVCHOST.EXE
2284	06024bec06fb17db8314ad5d506bc43d6ac6ee5ca56594aa25670e6943165025.exe
2284	06024bec06fb17db8314ad5d506bc43d6ac6ee5ca56594aa25670e6943165025.exe
2460	SVCHOST.EXE
2460	SVCHOST.EXE
2072	mmtask.exe
2072	mmtask.exe
2460	SVCHOST.EXE
2460	SVCHOST.EXE
1616	EBRR.EXE
1616	EBRR.EXE
2460	SVCHOST.EXE
2460	SVCHOST.EXE
1616	EBRR.EXE
1616	EBRR.EXE
2072	mmtask.exe
2072	mmtask.exe
1736	SVCHOST.EXE
1736	SVCHOST.EXE
2284	06024bec06fb17db8314ad5d506bc43d6ac6ee5ca56594aa25670e6943165025.exe
1616	EBRR.EXE
2460	SVCHOST.EXE
2284	06024bec06fb17db8314ad5d506bc43d6ac6ee5ca56594aa25670e6943165025.exe
2284	06024bec06fb17db8314ad5d506bc43d6ac6ee5ca56594aa25670e6943165025.exe
1736	SVCHOST.EXE
1736	SVCHOST.EXE
2072	mmtask.exe
2284	06024bec06fb17db8314ad5d506bc43d6ac6ee5ca56594aa25670e6943165025.exe
2284	06024bec06fb17db8314ad5d506bc43d6ac6ee5ca56594aa25670e6943165025.exe
2072	mmtask.exe
1736	SVCHOST.EXE
1736	SVCHOST.EXE
2284	06024bec06fb17db8314ad5d506bc43d6ac6ee5ca56594aa25670e6943165025.exe
1616	EBRR.EXE
2284	06024bec06fb17db8314ad5d506bc43d6ac6ee5ca56594aa25670e6943165025.exe
1736	SVCHOST.EXE
1736	SVCHOST.EXE
2460	SVCHOST.EXE
2460	SVCHOST.EXE
2284	06024bec06fb17db8314ad5d506bc43d6ac6ee5ca56594aa25670e6943165025.exe
2284	06024bec06fb17db8314ad5d506bc43d6ac6ee5ca56594aa25670e6943165025.exe
2460	SVCHOST.EXE
2460	SVCHOST.EXE
2072	mmtask.exe
1616	EBRR.EXE
2072	mmtask.exe
1616	EBRR.EXE
2072	mmtask.exe
2072	mmtask.exe
2284	06024bec06fb17db8314ad5d506bc43d6ac6ee5ca56594aa25670e6943165025.exe
1616	EBRR.EXE

Modifies system executable filetype association 2 TTPs 5 IoCs

persistence

Modify Registry

T1112

Change Default File Association

T1546.001

Processes:

mmtask.exeEBRR.EXESVCHOST.EXESVCHOST.EXE06024bec06fb17db8314ad5d506bc43d6ac6ee5ca56594aa25670e6943165025.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder"	mmtask.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder"	EBRR.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder"	SVCHOST.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder"	SVCHOST.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder"	06024bec06fb17db8314ad5d506bc43d6ac6ee5ca56594aa25670e6943165025.exe

Drops file in System32 directory 20 IoCs

Processes:

EBRR.EXEmmtask.exe06024bec06fb17db8314ad5d506bc43d6ac6ee5ca56594aa25670e6943165025.exeSVCHOST.EXESVCHOST.EXE

description	ioc	process
File created	C:\Windows\SysWOW64\mmtask.exe	EBRR.EXE
File opened for modification	C:\Windows\SysWOW64\mmtask.exe	EBRR.EXE
File created	C:\Windows\SysWOW64\EBRR.EXE	mmtask.exe
File opened for modification	C:\Windows\SysWOW64\EBRR.EXE	mmtask.exe
File created	C:\Windows\SysWOW64\EBRR.EXE	06024bec06fb17db8314ad5d506bc43d6ac6ee5ca56594aa25670e6943165025.exe
File opened for modification	C:\Windows\SysWOW64\EBRR.EXE	06024bec06fb17db8314ad5d506bc43d6ac6ee5ca56594aa25670e6943165025.exe
File created	C:\Windows\SysWOW64\EBRR.EXE	EBRR.EXE
File opened for modification	C:\Windows\SysWOW64\EBRR.EXE	EBRR.EXE
File created	C:\Windows\SysWOW64\mmtask.exe	SVCHOST.EXE
File opened for modification	C:\Windows\SysWOW64\mmtask.exe	SVCHOST.EXE
File opened for modification	C:\Windows\SysWOW64\mmtask.exe	06024bec06fb17db8314ad5d506bc43d6ac6ee5ca56594aa25670e6943165025.exe
File created	C:\Windows\SysWOW64\mmtask.exe	mmtask.exe
File opened for modification	C:\Windows\SysWOW64\mmtask.exe	mmtask.exe
File created	C:\Windows\SysWOW64\EBRR.EXE	SVCHOST.EXE
File created	C:\Windows\SysWOW64\mmtask.exe	06024bec06fb17db8314ad5d506bc43d6ac6ee5ca56594aa25670e6943165025.exe
File opened for modification	C:\Windows\SysWOW64\EBRR.EXE	SVCHOST.EXE
File created	C:\Windows\SysWOW64\mmtask.exe	SVCHOST.EXE
File opened for modification	C:\Windows\SysWOW64\mmtask.exe	SVCHOST.EXE
File opened for modification	C:\Windows\SysWOW64\EBRR.EXE	SVCHOST.EXE
File created	C:\Windows\SysWOW64\EBRR.EXE	SVCHOST.EXE

Drops file in Windows directory 20 IoCs

Processes:

mmtask.exeSVCHOST.EXESVCHOST.EXEEBRR.EXE06024bec06fb17db8314ad5d506bc43d6ac6ee5ca56594aa25670e6943165025.exe

description	ioc	process
File opened for modification	C:\Windows\system\SVCHOST.EXE	mmtask.exe
File opened for modification	C:\Windows\SVCHOST.EXE	SVCHOST.EXE
File opened for modification	C:\Windows\system\SVCHOST.EXE	SVCHOST.EXE
File opened for modification	C:\Windows\SVCHOST.EXE	SVCHOST.EXE
File opened for modification	C:\Windows\system\SVCHOST.EXE	SVCHOST.EXE
File opened for modification	C:\Windows\SVCHOST.EXE	EBRR.EXE
File created	C:\Windows\system\SVCHOST.EXE	SVCHOST.EXE
File created	C:\Windows\SVCHOST.EXE	mmtask.exe
File opened for modification	C:\Windows\SVCHOST.EXE	06024bec06fb17db8314ad5d506bc43d6ac6ee5ca56594aa25670e6943165025.exe
File opened for modification	C:\Windows\system\SVCHOST.EXE	06024bec06fb17db8314ad5d506bc43d6ac6ee5ca56594aa25670e6943165025.exe
File created	C:\Windows\SVCHOST.EXE	06024bec06fb17db8314ad5d506bc43d6ac6ee5ca56594aa25670e6943165025.exe
File created	C:\Windows\system\SVCHOST.EXE	EBRR.EXE
File created	C:\Windows\system\SVCHOST.EXE	mmtask.exe
File created	C:\Windows\system\SVCHOST.EXE	06024bec06fb17db8314ad5d506bc43d6ac6ee5ca56594aa25670e6943165025.exe
File created	C:\Windows\SVCHOST.EXE	EBRR.EXE
File opened for modification	C:\Windows\system\SVCHOST.EXE	EBRR.EXE
File created	C:\Windows\SVCHOST.EXE	SVCHOST.EXE
File opened for modification	C:\Windows\SVCHOST.EXE	mmtask.exe
File created	C:\Windows\SVCHOST.EXE	SVCHOST.EXE
File created	C:\Windows\system\SVCHOST.EXE	SVCHOST.EXE

Modifies Internet Explorer settings 1 TTPs 2 IoCs

adware spyware

Modify Registry

T1112

Processes:

explorer.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Toolbar	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Toolbar\Locked = "1"	explorer.exe

Modifies registry class 43 IoCs

Processes:

explorer.exeSVCHOST.EXESVCHOST.EXE06024bec06fb17db8314ad5d506bc43d6ac6ee5ca56594aa25670e6943165025.exeEBRR.EXEmmtask.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\KnownFolderDerivedFolderType = "{57807898-8C4F-4462-BB63-71042380B109}"	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder"	SVCHOST.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\0\0\0\0 = c600310000000000b758479216003036303234427e310000ae0008000400efbeb7584792b75847922a000000695c01000000270000000000000000000000000000003000360030003200340062006500630030003600660062003100370064006200380033003100340061006400350064003500300036006200630034003300640036006100630036006500650035006300610035003600350039003400610061003200350036003700300065003600390034003300310036003500300032003500000018000000	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 00000000ffffffff	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\0\0	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\0\0\0	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\0\0\0\MRUListEx = 00000000ffffffff	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\0 = 520031000000000055588276122041707044617461003c0008000400efbe55588276555882762a000000ed0100000000020000000000000000000000000000004100700070004400610074006100000016000000	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\0\0\0\0	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder"	SVCHOST.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0 = 4c003100000000005558037e100041646d696e00380008000400efbe555882765558037e2a00000030000000000004000000000000000000000000000000410064006d0069006e00000014000000	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\MRUListEx = 00000000ffffffff	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\MRUListEx = 00000000ffffffff	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\0\0 = 4c003100000000005558c87910204c6f63616c00380008000400efbe555882765558c8792a000000000200000000020000000000000000000000000000004c006f00630061006c00000014000000	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\0\0\0\0\MRUListEx = ffffffff	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\SniffedFolderType = "Generic"	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\SniffedFolderType = "Pictures"	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0 = 14001f50e04fd020ea3a6910a2d808002b30309d0000	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\MRUListEx = 00000000ffffffff	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder"	06024bec06fb17db8314ad5d506bc43d6ac6ee5ca56594aa25670e6943165025.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder"	EBRR.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\MRUListEx = 00000000ffffffff	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\0	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000_Classes\Local Settings	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0 = 7400310000000000555882761100557365727300600008000400efbeee3a851a555882762a000000e601000000000100000000000000000036000000000055007300650072007300000040007300680065006c006c00330032002e0064006c006c002c002d0032003100380031003300000014000000	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder"	mmtask.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\0\MRUListEx = 00000000ffffffff	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\0\0\MRUListEx = 00000000ffffffff	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\0\0\0 = 4a00310000000000b7584792102054656d700000360008000400efbe55588276b75847922a00000001020000000002000000000000000000000000000000540065006d007000000014000000	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\0\0\0\0\NodeSlot = "1"	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0 = 19002f433a5c000000000000000000000000000000000000000000	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0	explorer.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

06024bec06fb17db8314ad5d506bc43d6ac6ee5ca56594aa25670e6943165025.exeEBRR.EXEmmtask.exeSVCHOST.EXESVCHOST.EXE

pid	process
2284	06024bec06fb17db8314ad5d506bc43d6ac6ee5ca56594aa25670e6943165025.exe
2284	06024bec06fb17db8314ad5d506bc43d6ac6ee5ca56594aa25670e6943165025.exe
2284	06024bec06fb17db8314ad5d506bc43d6ac6ee5ca56594aa25670e6943165025.exe
2284	06024bec06fb17db8314ad5d506bc43d6ac6ee5ca56594aa25670e6943165025.exe
2284	06024bec06fb17db8314ad5d506bc43d6ac6ee5ca56594aa25670e6943165025.exe
2284	06024bec06fb17db8314ad5d506bc43d6ac6ee5ca56594aa25670e6943165025.exe
2284	06024bec06fb17db8314ad5d506bc43d6ac6ee5ca56594aa25670e6943165025.exe
2284	06024bec06fb17db8314ad5d506bc43d6ac6ee5ca56594aa25670e6943165025.exe
1616	EBRR.EXE
1616	EBRR.EXE
1616	EBRR.EXE
1616	EBRR.EXE
1616	EBRR.EXE
1616	EBRR.EXE
1616	EBRR.EXE
1616	EBRR.EXE
2072	mmtask.exe
2072	mmtask.exe
2072	mmtask.exe
2072	mmtask.exe
2072	mmtask.exe
2072	mmtask.exe
2072	mmtask.exe
2072	mmtask.exe
2460	SVCHOST.EXE
2460	SVCHOST.EXE
2460	SVCHOST.EXE
2460	SVCHOST.EXE
2460	SVCHOST.EXE
2460	SVCHOST.EXE
2460	SVCHOST.EXE
2460	SVCHOST.EXE
2460	SVCHOST.EXE
2460	SVCHOST.EXE
2460	SVCHOST.EXE
2460	SVCHOST.EXE
2460	SVCHOST.EXE
2460	SVCHOST.EXE
2460	SVCHOST.EXE
2460	SVCHOST.EXE
2460	SVCHOST.EXE
2460	SVCHOST.EXE
2072	mmtask.exe
2072	mmtask.exe
2072	mmtask.exe
2072	mmtask.exe
2072	mmtask.exe
2072	mmtask.exe
2072	mmtask.exe
2072	mmtask.exe
2072	mmtask.exe
2072	mmtask.exe
1616	EBRR.EXE
1616	EBRR.EXE
1616	EBRR.EXE
1616	EBRR.EXE
1616	EBRR.EXE
1616	EBRR.EXE
1616	EBRR.EXE
1616	EBRR.EXE
1616	EBRR.EXE
1616	EBRR.EXE
1736	SVCHOST.EXE
1736	SVCHOST.EXE

Suspicious use of SetWindowsHookEx 64 IoCs

Processes:

06024bec06fb17db8314ad5d506bc43d6ac6ee5ca56594aa25670e6943165025.exeEBRR.EXEEBRR.EXEmmtask.exeEBRR.EXEmmtask.exeSVCHOST.EXEEBRR.EXEmmtask.exeSVCHOST.EXEmmtask.exeEBRR.EXEmmtask.exeEBRR.EXESVCHOST.EXEEBRR.EXESVCHOST.EXESVCHOST.EXEmmtask.exemmtask.exeEBRR.EXESVCHOST.EXESVCHOST.EXESVCHOST.EXESVCHOST.EXESVCHOST.EXEmmtask.exeEBRR.EXESVCHOST.EXEmmtask.exeSVCHOST.EXESVCHOST.EXESVCHOST.EXEEBRR.EXESVCHOST.EXEEBRR.EXEEBRR.EXEEBRR.EXEmmtask.exemmtask.exemmtask.exeEBRR.EXESVCHOST.EXESVCHOST.EXESVCHOST.EXEmmtask.exemmtask.exeSVCHOST.EXESVCHOST.EXESVCHOST.EXESVCHOST.EXESVCHOST.EXESVCHOST.EXESVCHOST.EXESVCHOST.EXESVCHOST.EXESVCHOST.EXEEBRR.EXEEBRR.EXEmmtask.exeEBRR.EXEEBRR.EXEEBRR.EXEmmtask.exe

pid	process
2284	06024bec06fb17db8314ad5d506bc43d6ac6ee5ca56594aa25670e6943165025.exe
1616	EBRR.EXE
2676	EBRR.EXE
2072	mmtask.exe
2748	EBRR.EXE
2576	mmtask.exe
2460	SVCHOST.EXE
3024	EBRR.EXE
1628	mmtask.exe
2624	SVCHOST.EXE
1996	mmtask.exe
2376	EBRR.EXE
1780	mmtask.exe
1676	EBRR.EXE
920	SVCHOST.EXE
1396	EBRR.EXE
1736	SVCHOST.EXE
2240	SVCHOST.EXE
2812	mmtask.exe
2992	mmtask.exe
744	EBRR.EXE
2060	SVCHOST.EXE
440	SVCHOST.EXE
1912	SVCHOST.EXE
1756	SVCHOST.EXE
1352	SVCHOST.EXE
2032	mmtask.exe
1856	EBRR.EXE
2328	SVCHOST.EXE
2264	mmtask.exe
2852	SVCHOST.EXE
1052	SVCHOST.EXE
1716	SVCHOST.EXE
1260	EBRR.EXE
2724	SVCHOST.EXE
1664	EBRR.EXE
1588	EBRR.EXE
2144	EBRR.EXE
2536	mmtask.exe
1596	mmtask.exe
2876	mmtask.exe
2680	EBRR.EXE
2512	SVCHOST.EXE
2672	SVCHOST.EXE
2604	SVCHOST.EXE
2708	mmtask.exe
2552	mmtask.exe
1548	SVCHOST.EXE
2520	SVCHOST.EXE
2572	SVCHOST.EXE
2904	SVCHOST.EXE
552	SVCHOST.EXE
1480	SVCHOST.EXE
1100	SVCHOST.EXE
2668	SVCHOST.EXE
2632	SVCHOST.EXE
1992	SVCHOST.EXE
1040	EBRR.EXE
2044	EBRR.EXE
604	mmtask.exe
1780	EBRR.EXE
1964	EBRR.EXE
2084	EBRR.EXE
2740	mmtask.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

06024bec06fb17db8314ad5d506bc43d6ac6ee5ca56594aa25670e6943165025.exeEBRR.EXEmmtask.exeSVCHOST.EXE

description	pid	process	target process
PID 2284 wrote to memory of 2272	2284	06024bec06fb17db8314ad5d506bc43d6ac6ee5ca56594aa25670e6943165025.exe	explorer.exe
PID 2284 wrote to memory of 2272	2284	06024bec06fb17db8314ad5d506bc43d6ac6ee5ca56594aa25670e6943165025.exe	explorer.exe
PID 2284 wrote to memory of 2272	2284	06024bec06fb17db8314ad5d506bc43d6ac6ee5ca56594aa25670e6943165025.exe	explorer.exe
PID 2284 wrote to memory of 2272	2284	06024bec06fb17db8314ad5d506bc43d6ac6ee5ca56594aa25670e6943165025.exe	explorer.exe
PID 2284 wrote to memory of 1616	2284	06024bec06fb17db8314ad5d506bc43d6ac6ee5ca56594aa25670e6943165025.exe	EBRR.EXE
PID 2284 wrote to memory of 1616	2284	06024bec06fb17db8314ad5d506bc43d6ac6ee5ca56594aa25670e6943165025.exe	EBRR.EXE
PID 2284 wrote to memory of 1616	2284	06024bec06fb17db8314ad5d506bc43d6ac6ee5ca56594aa25670e6943165025.exe	EBRR.EXE
PID 2284 wrote to memory of 1616	2284	06024bec06fb17db8314ad5d506bc43d6ac6ee5ca56594aa25670e6943165025.exe	EBRR.EXE
PID 1616 wrote to memory of 2676	1616	EBRR.EXE	EBRR.EXE
PID 1616 wrote to memory of 2676	1616	EBRR.EXE	EBRR.EXE
PID 1616 wrote to memory of 2676	1616	EBRR.EXE	EBRR.EXE
PID 1616 wrote to memory of 2676	1616	EBRR.EXE	EBRR.EXE
PID 1616 wrote to memory of 2072	1616	EBRR.EXE	mmtask.exe
PID 1616 wrote to memory of 2072	1616	EBRR.EXE	mmtask.exe
PID 1616 wrote to memory of 2072	1616	EBRR.EXE	mmtask.exe
PID 1616 wrote to memory of 2072	1616	EBRR.EXE	mmtask.exe
PID 2072 wrote to memory of 2748	2072	mmtask.exe	EBRR.EXE
PID 2072 wrote to memory of 2748	2072	mmtask.exe	EBRR.EXE
PID 2072 wrote to memory of 2748	2072	mmtask.exe	EBRR.EXE
PID 2072 wrote to memory of 2748	2072	mmtask.exe	EBRR.EXE
PID 2072 wrote to memory of 2576	2072	mmtask.exe	mmtask.exe
PID 2072 wrote to memory of 2576	2072	mmtask.exe	mmtask.exe
PID 2072 wrote to memory of 2576	2072	mmtask.exe	mmtask.exe
PID 2072 wrote to memory of 2576	2072	mmtask.exe	mmtask.exe
PID 2072 wrote to memory of 2460	2072	mmtask.exe	SVCHOST.EXE
PID 2072 wrote to memory of 2460	2072	mmtask.exe	SVCHOST.EXE
PID 2072 wrote to memory of 2460	2072	mmtask.exe	SVCHOST.EXE
PID 2072 wrote to memory of 2460	2072	mmtask.exe	SVCHOST.EXE
PID 2460 wrote to memory of 3024	2460	SVCHOST.EXE	EBRR.EXE
PID 2460 wrote to memory of 3024	2460	SVCHOST.EXE	EBRR.EXE
PID 2460 wrote to memory of 3024	2460	SVCHOST.EXE	EBRR.EXE
PID 2460 wrote to memory of 3024	2460	SVCHOST.EXE	EBRR.EXE
PID 2460 wrote to memory of 1628	2460	SVCHOST.EXE	mmtask.exe
PID 2460 wrote to memory of 1628	2460	SVCHOST.EXE	mmtask.exe
PID 2460 wrote to memory of 1628	2460	SVCHOST.EXE	mmtask.exe
PID 2460 wrote to memory of 1628	2460	SVCHOST.EXE	mmtask.exe
PID 2460 wrote to memory of 2624	2460	SVCHOST.EXE	mmtask.exe
PID 2460 wrote to memory of 2624	2460	SVCHOST.EXE	mmtask.exe
PID 2460 wrote to memory of 2624	2460	SVCHOST.EXE	mmtask.exe
PID 2460 wrote to memory of 2624	2460	SVCHOST.EXE	mmtask.exe
PID 2284 wrote to memory of 1996	2284	06024bec06fb17db8314ad5d506bc43d6ac6ee5ca56594aa25670e6943165025.exe	mmtask.exe
PID 2284 wrote to memory of 1996	2284	06024bec06fb17db8314ad5d506bc43d6ac6ee5ca56594aa25670e6943165025.exe	mmtask.exe
PID 2284 wrote to memory of 1996	2284	06024bec06fb17db8314ad5d506bc43d6ac6ee5ca56594aa25670e6943165025.exe	mmtask.exe
PID 2284 wrote to memory of 1996	2284	06024bec06fb17db8314ad5d506bc43d6ac6ee5ca56594aa25670e6943165025.exe	mmtask.exe
PID 2460 wrote to memory of 2376	2460	SVCHOST.EXE	EBRR.EXE
PID 2460 wrote to memory of 2376	2460	SVCHOST.EXE	EBRR.EXE
PID 2460 wrote to memory of 2376	2460	SVCHOST.EXE	EBRR.EXE
PID 2460 wrote to memory of 2376	2460	SVCHOST.EXE	EBRR.EXE
PID 2072 wrote to memory of 1676	2072	mmtask.exe	SVCHOST.EXE
PID 2072 wrote to memory of 1676	2072	mmtask.exe	SVCHOST.EXE
PID 2072 wrote to memory of 1676	2072	mmtask.exe	SVCHOST.EXE
PID 2072 wrote to memory of 1676	2072	mmtask.exe	SVCHOST.EXE
PID 2460 wrote to memory of 1780	2460	SVCHOST.EXE	EBRR.EXE
PID 2460 wrote to memory of 1780	2460	SVCHOST.EXE	EBRR.EXE
PID 2460 wrote to memory of 1780	2460	SVCHOST.EXE	EBRR.EXE
PID 2460 wrote to memory of 1780	2460	SVCHOST.EXE	EBRR.EXE
PID 1616 wrote to memory of 1396	1616	EBRR.EXE	EBRR.EXE
PID 1616 wrote to memory of 1396	1616	EBRR.EXE	EBRR.EXE
PID 1616 wrote to memory of 1396	1616	EBRR.EXE	EBRR.EXE
PID 1616 wrote to memory of 1396	1616	EBRR.EXE	EBRR.EXE
PID 2460 wrote to memory of 920	2460	SVCHOST.EXE	SVCHOST.EXE
PID 2460 wrote to memory of 920	2460	SVCHOST.EXE	SVCHOST.EXE
PID 2460 wrote to memory of 920	2460	SVCHOST.EXE	SVCHOST.EXE
PID 2460 wrote to memory of 920	2460	SVCHOST.EXE	SVCHOST.EXE

C:\Users\Admin\AppData\Local\Temp\06024bec06fb17db8314ad5d506bc43d6ac6ee5ca56594aa25670e6943165025.exe
"C:\Users\Admin\AppData\Local\Temp\06024bec06fb17db8314ad5d506bc43d6ac6ee5ca56594aa25670e6943165025.exe"
1⤵
- Modifies WinLogon for persistence
- Loads dropped DLL
- Modifies system executable filetype association
- Drops file in System32 directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2284

C:\Windows\SysWOW64\explorer.exe
explorer C:\Users\Admin\AppData\Local\Temp\06024bec06fb17db8314ad5d506bc43d6ac6ee5ca56594aa25670e6943165025\
2⤵
PID:2272

C:\Windows\SysWOW64\EBRR.EXE
C:\Windows\system32\EBRR.EXE -s
2⤵
- Modifies WinLogon for persistence
- Executes dropped EXE
- Loads dropped DLL
- Modifies system executable filetype association
- Drops file in System32 directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1616

C:\Windows\SysWOW64\EBRR.EXE
C:\Windows\system32\EBRR.EXE -s
3⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:2676

C:\Windows\SysWOW64\mmtask.exe
C:\Windows\system32\mmtask.exe -s
3⤵
- Modifies WinLogon for persistence
- Executes dropped EXE
- Loads dropped DLL
- Modifies system executable filetype association
- Drops file in System32 directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2072

C:\Windows\SysWOW64\EBRR.EXE
C:\Windows\system32\EBRR.EXE -s
4⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:2748

C:\Windows\SysWOW64\mmtask.exe
C:\Windows\system32\mmtask.exe -s
4⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:2576

C:\Windows\SVCHOST.EXE
C:\Windows\SVCHOST.EXE -s
4⤵
- Modifies WinLogon for persistence
- Executes dropped EXE
- Loads dropped DLL
- Modifies system executable filetype association
- Drops file in System32 directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2460

C:\Windows\SysWOW64\EBRR.EXE
C:\Windows\system32\EBRR.EXE -s
5⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:3024

C:\Windows\SysWOW64\mmtask.exe
C:\Windows\system32\mmtask.exe -s
5⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:1628

C:\Windows\SVCHOST.EXE
C:\Windows\SVCHOST.EXE -s
5⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:2624

C:\Windows\SysWOW64\EBRR.EXE
C:\Windows\system32\EBRR.EXE -s
5⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:2376

C:\Windows\SysWOW64\mmtask.exe
C:\Windows\system32\mmtask.exe -s
5⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:1780

C:\Windows\SVCHOST.EXE
C:\Windows\SVCHOST.EXE -s
5⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:920

C:\Windows\system\SVCHOST.EXE
C:\Windows\system\SVCHOST.EXE -s
5⤵
- Modifies WinLogon for persistence
- Executes dropped EXE
- Loads dropped DLL
- Modifies system executable filetype association
- Drops file in System32 directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:1736

C:\Windows\SysWOW64\EBRR.EXE
C:\Windows\system32\EBRR.EXE -s
6⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:744

C:\Windows\SysWOW64\mmtask.exe
C:\Windows\system32\mmtask.exe -s
6⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:2032

C:\Windows\SVCHOST.EXE
C:\Windows\SVCHOST.EXE -s
6⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:1052

C:\Windows\SysWOW64\EBRR.EXE
C:\Windows\system32\EBRR.EXE -s
6⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:1260

C:\Windows\SysWOW64\mmtask.exe
C:\Windows\system32\mmtask.exe -s
6⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:1596

C:\Windows\SVCHOST.EXE
C:\Windows\SVCHOST.EXE -s
6⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:2520

C:\Windows\system\SVCHOST.EXE
C:\Windows\system\SVCHOST.EXE -s
6⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:2632

C:\Windows\system\SVCHOST.EXE
C:\Windows\system\SVCHOST.EXE -s
6⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:1992

C:\Windows\SysWOW64\EBRR.EXE
C:\Windows\system32\EBRR.EXE -s
6⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:1964

C:\Windows\SysWOW64\mmtask.exe
C:\Windows\system32\mmtask.exe -s
6⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:2740

C:\Windows\SVCHOST.EXE
C:\Windows\SVCHOST.EXE -s
6⤵
PID:2324

C:\Windows\system\SVCHOST.EXE
C:\Windows\system\SVCHOST.EXE -s
6⤵
PID:2140

C:\Windows\SysWOW64\EBRR.EXE
C:\Windows\system32\EBRR.EXE -s
6⤵
PID:744

C:\Windows\SysWOW64\mmtask.exe
C:\Windows\system32\mmtask.exe -s
6⤵
PID:2220

C:\Windows\SVCHOST.EXE
C:\Windows\SVCHOST.EXE -s
6⤵
PID:2980

C:\Windows\system\SVCHOST.EXE
C:\Windows\system\SVCHOST.EXE -s
6⤵
PID:2836

C:\Windows\SysWOW64\EBRR.EXE
C:\Windows\system32\EBRR.EXE -s
6⤵
PID:2404

C:\Windows\SysWOW64\mmtask.exe
C:\Windows\system32\mmtask.exe -s
6⤵
PID:1468

C:\Windows\SVCHOST.EXE
C:\Windows\SVCHOST.EXE -s
6⤵
PID:1812

C:\Windows\system\SVCHOST.EXE
C:\Windows\system\SVCHOST.EXE -s
6⤵
PID:2352

C:\Windows\SysWOW64\EBRR.EXE
C:\Windows\system32\EBRR.EXE -s
6⤵
PID:1768

C:\Windows\SysWOW64\mmtask.exe
C:\Windows\system32\mmtask.exe -s
6⤵
PID:924

C:\Windows\SVCHOST.EXE
C:\Windows\SVCHOST.EXE -s
6⤵
PID:1388

C:\Windows\system\SVCHOST.EXE
C:\Windows\system\SVCHOST.EXE -s
6⤵
PID:2128

C:\Windows\SysWOW64\EBRR.EXE
C:\Windows\system32\EBRR.EXE -s
6⤵
PID:1392

C:\Windows\SysWOW64\mmtask.exe
C:\Windows\system32\mmtask.exe -s
6⤵
PID:2280

C:\Windows\SVCHOST.EXE
C:\Windows\SVCHOST.EXE -s
6⤵
- Modifies WinLogon for persistence
PID:1656

C:\Windows\system\SVCHOST.EXE
C:\Windows\system\SVCHOST.EXE -s
6⤵
PID:2512

C:\Windows\SysWOW64\EBRR.EXE
C:\Windows\system32\EBRR.EXE -s
6⤵
PID:992

C:\Windows\SysWOW64\mmtask.exe
C:\Windows\system32\mmtask.exe -s
6⤵
- Modifies WinLogon for persistence
PID:1444

C:\Windows\SVCHOST.EXE
C:\Windows\SVCHOST.EXE -s
6⤵
PID:1988

C:\Windows\system\SVCHOST.EXE
C:\Windows\system\SVCHOST.EXE -s
6⤵
PID:2152

C:\Windows\SysWOW64\EBRR.EXE
C:\Windows\system32\EBRR.EXE -s
6⤵
PID:1544

C:\Windows\SysWOW64\mmtask.exe
C:\Windows\system32\mmtask.exe -s
6⤵
PID:1832

C:\Windows\SVCHOST.EXE
C:\Windows\SVCHOST.EXE -s
6⤵
PID:2892

C:\Windows\system\SVCHOST.EXE
C:\Windows\system\SVCHOST.EXE -s
6⤵
PID:2908

C:\Windows\SysWOW64\EBRR.EXE
C:\Windows\system32\EBRR.EXE -s
6⤵
PID:2000

C:\Windows\SysWOW64\mmtask.exe
C:\Windows\system32\mmtask.exe -s
6⤵
PID:2604

C:\Windows\SVCHOST.EXE
C:\Windows\SVCHOST.EXE -s
6⤵
PID:2856

C:\Windows\system\SVCHOST.EXE
C:\Windows\system\SVCHOST.EXE -s
6⤵
PID:2648

C:\Windows\SysWOW64\EBRR.EXE
C:\Windows\system32\EBRR.EXE -s
6⤵
PID:1396

C:\Windows\SysWOW64\mmtask.exe
C:\Windows\system32\mmtask.exe -s
6⤵
PID:324

C:\Windows\SVCHOST.EXE
C:\Windows\SVCHOST.EXE -s
6⤵
PID:2112

C:\Windows\system\SVCHOST.EXE
C:\Windows\system\SVCHOST.EXE -s
6⤵
PID:2808

C:\Windows\SysWOW64\EBRR.EXE
C:\Windows\system32\EBRR.EXE -s
6⤵
PID:1192

C:\Windows\SysWOW64\mmtask.exe
C:\Windows\system32\mmtask.exe -s
6⤵
PID:1936

C:\Windows\SVCHOST.EXE
C:\Windows\SVCHOST.EXE -s
6⤵
PID:2180

C:\Windows\system\SVCHOST.EXE
C:\Windows\system\SVCHOST.EXE -s
6⤵
PID:2780

C:\Windows\SysWOW64\EBRR.EXE
C:\Windows\system32\EBRR.EXE -s
6⤵
PID:2744

C:\Windows\SysWOW64\mmtask.exe
C:\Windows\system32\mmtask.exe -s
6⤵
PID:2764

C:\Windows\SVCHOST.EXE
C:\Windows\SVCHOST.EXE -s
6⤵
PID:704

C:\Windows\system\SVCHOST.EXE
C:\Windows\system\SVCHOST.EXE -s
6⤵
PID:1788

C:\Windows\SysWOW64\EBRR.EXE
C:\Windows\system32\EBRR.EXE -s
6⤵
PID:1980

C:\Windows\SysWOW64\mmtask.exe
C:\Windows\system32\mmtask.exe -s
6⤵
PID:2760

C:\Windows\SVCHOST.EXE
C:\Windows\SVCHOST.EXE -s
6⤵
PID:1808

C:\Windows\system\SVCHOST.EXE
C:\Windows\system\SVCHOST.EXE -s
6⤵
PID:2820

C:\Windows\SysWOW64\EBRR.EXE
C:\Windows\system32\EBRR.EXE -s
6⤵
PID:2816

C:\Windows\SysWOW64\mmtask.exe
C:\Windows\system32\mmtask.exe -s
6⤵
PID:1760

C:\Windows\SVCHOST.EXE
C:\Windows\SVCHOST.EXE -s
6⤵
PID:2992

C:\Windows\system\SVCHOST.EXE
C:\Windows\system\SVCHOST.EXE -s
6⤵
PID:1708

C:\Windows\SysWOW64\EBRR.EXE
C:\Windows\system32\EBRR.EXE -s
6⤵
PID:1684

C:\Windows\SysWOW64\mmtask.exe
C:\Windows\system32\mmtask.exe -s
6⤵
PID:2784

C:\Windows\SVCHOST.EXE
C:\Windows\SVCHOST.EXE -s
6⤵
PID:940

C:\Windows\system\SVCHOST.EXE
C:\Windows\system\SVCHOST.EXE -s
6⤵
PID:1932

C:\Windows\SysWOW64\EBRR.EXE
C:\Windows\system32\EBRR.EXE -s
6⤵
PID:2676

C:\Windows\SysWOW64\mmtask.exe
C:\Windows\system32\mmtask.exe -s
6⤵
PID:2732

C:\Windows\SVCHOST.EXE
C:\Windows\SVCHOST.EXE -s
6⤵
PID:3044

C:\Windows\system\SVCHOST.EXE
C:\Windows\system\SVCHOST.EXE -s
6⤵
PID:2644

C:\Windows\SysWOW64\EBRR.EXE
C:\Windows\system32\EBRR.EXE -s
6⤵
PID:2588

C:\Windows\SysWOW64\mmtask.exe
C:\Windows\system32\mmtask.exe -s
6⤵
PID:1724

C:\Windows\SVCHOST.EXE
C:\Windows\SVCHOST.EXE -s
6⤵
PID:1520

C:\Windows\system\SVCHOST.EXE
C:\Windows\system\SVCHOST.EXE -s
6⤵
PID:2596

C:\Windows\SysWOW64\EBRR.EXE
C:\Windows\system32\EBRR.EXE -s
6⤵
PID:1624

C:\Windows\SysWOW64\mmtask.exe
C:\Windows\system32\mmtask.exe -s
6⤵
PID:2628

C:\Windows\SVCHOST.EXE
C:\Windows\SVCHOST.EXE -s
6⤵
- Modifies WinLogon for persistence
PID:2540

C:\Windows\system\SVCHOST.EXE
C:\Windows\system\SVCHOST.EXE -s
6⤵
PID:2872

C:\Windows\SysWOW64\EBRR.EXE
C:\Windows\system32\EBRR.EXE -s
6⤵
PID:2428

C:\Windows\SysWOW64\mmtask.exe
C:\Windows\system32\mmtask.exe -s
6⤵
PID:2440

C:\Windows\SVCHOST.EXE
C:\Windows\SVCHOST.EXE -s
6⤵
PID:1948

C:\Windows\system\SVCHOST.EXE
C:\Windows\system\SVCHOST.EXE -s
6⤵
PID:2200

C:\Windows\SysWOW64\EBRR.EXE
C:\Windows\system32\EBRR.EXE -s
6⤵
PID:1796

C:\Windows\SysWOW64\mmtask.exe
C:\Windows\system32\mmtask.exe -s
6⤵
PID:532

C:\Windows\SVCHOST.EXE
C:\Windows\SVCHOST.EXE -s
6⤵
PID:1852

C:\Windows\system\SVCHOST.EXE
C:\Windows\system\SVCHOST.EXE -s
6⤵
PID:1716

C:\Windows\SysWOW64\EBRR.EXE
C:\Windows\system32\EBRR.EXE -s
6⤵
PID:2180

C:\Windows\SysWOW64\mmtask.exe
C:\Windows\system32\mmtask.exe -s
6⤵
PID:2720

C:\Windows\SVCHOST.EXE
C:\Windows\SVCHOST.EXE -s
6⤵
PID:2688

C:\Windows\system\SVCHOST.EXE
C:\Windows\system\SVCHOST.EXE -s
6⤵
PID:1664

C:\Windows\SysWOW64\EBRR.EXE
C:\Windows\system32\EBRR.EXE -s
6⤵
PID:2900

C:\Windows\SysWOW64\mmtask.exe
C:\Windows\system32\mmtask.exe -s
6⤵
PID:2512

C:\Windows\SVCHOST.EXE
C:\Windows\SVCHOST.EXE -s
6⤵
PID:2788

C:\Windows\system\SVCHOST.EXE
C:\Windows\system\SVCHOST.EXE -s
6⤵
- Modifies WinLogon for persistence
PID:552

C:\Windows\SysWOW64\EBRR.EXE
C:\Windows\system32\EBRR.EXE -s
6⤵
PID:1036

C:\Windows\SysWOW64\mmtask.exe
C:\Windows\system32\mmtask.exe -s
6⤵
PID:2620

C:\Windows\SVCHOST.EXE
C:\Windows\SVCHOST.EXE -s
6⤵
PID:3048

C:\Windows\system\SVCHOST.EXE
C:\Windows\system\SVCHOST.EXE -s
6⤵
PID:1132

C:\Windows\SysWOW64\EBRR.EXE
C:\Windows\system32\EBRR.EXE -s
6⤵
PID:972

C:\Windows\SysWOW64\mmtask.exe
C:\Windows\system32\mmtask.exe -s
6⤵
PID:1764

C:\Windows\SVCHOST.EXE
C:\Windows\SVCHOST.EXE -s
6⤵
PID:932

C:\Windows\system\SVCHOST.EXE
C:\Windows\system\SVCHOST.EXE -s
6⤵
PID:2292

C:\Windows\SysWOW64\EBRR.EXE
C:\Windows\system32\EBRR.EXE -s
6⤵
PID:1012

C:\Windows\SysWOW64\mmtask.exe
C:\Windows\system32\mmtask.exe -s
6⤵
- Modifies WinLogon for persistence
PID:2128

C:\Windows\SVCHOST.EXE
C:\Windows\SVCHOST.EXE -s
6⤵
PID:2984

C:\Windows\system\SVCHOST.EXE
C:\Windows\system\SVCHOST.EXE -s
6⤵
PID:2680

C:\Windows\SysWOW64\EBRR.EXE
C:\Windows\system32\EBRR.EXE -s
6⤵
PID:2512

C:\Windows\SysWOW64\mmtask.exe
C:\Windows\system32\mmtask.exe -s
6⤵
PID:1464

C:\Windows\SVCHOST.EXE
C:\Windows\SVCHOST.EXE -s
6⤵
PID:2676

C:\Windows\system\SVCHOST.EXE
C:\Windows\system\SVCHOST.EXE -s
6⤵
PID:1860

C:\Windows\SysWOW64\EBRR.EXE
C:\Windows\system32\EBRR.EXE -s
6⤵
PID:1396

C:\Windows\SysWOW64\mmtask.exe
C:\Windows\system32\mmtask.exe -s
6⤵
PID:2740

C:\Windows\SVCHOST.EXE
C:\Windows\SVCHOST.EXE -s
6⤵
PID:2352

C:\Windows\system\SVCHOST.EXE
C:\Windows\system\SVCHOST.EXE -s
6⤵
PID:532

C:\Windows\SysWOW64\EBRR.EXE
C:\Windows\system32\EBRR.EXE -s
6⤵
PID:2252

C:\Windows\SysWOW64\mmtask.exe
C:\Windows\system32\mmtask.exe -s
6⤵
PID:884

C:\Windows\SVCHOST.EXE
C:\Windows\SVCHOST.EXE -s
6⤵
PID:2840

C:\Windows\system\SVCHOST.EXE
C:\Windows\system\SVCHOST.EXE -s
6⤵
PID:1756

C:\Windows\SysWOW64\EBRR.EXE
C:\Windows\system32\EBRR.EXE -s
6⤵
PID:2532

C:\Windows\SysWOW64\mmtask.exe
C:\Windows\system32\mmtask.exe -s
6⤵
PID:1624

C:\Windows\SVCHOST.EXE
C:\Windows\SVCHOST.EXE -s
6⤵
PID:2256

C:\Windows\system\SVCHOST.EXE
C:\Windows\system\SVCHOST.EXE -s
6⤵
PID:840

C:\Windows\SysWOW64\EBRR.EXE
C:\Windows\system32\EBRR.EXE -s
6⤵
PID:1016

C:\Windows\SysWOW64\mmtask.exe
C:\Windows\system32\mmtask.exe -s
6⤵
PID:2572

C:\Windows\SVCHOST.EXE
C:\Windows\SVCHOST.EXE -s
6⤵
PID:992

C:\Windows\system\SVCHOST.EXE
C:\Windows\system\SVCHOST.EXE -s
6⤵
PID:2844

C:\Windows\SysWOW64\EBRR.EXE
C:\Windows\system32\EBRR.EXE -s
6⤵
PID:2504

C:\Windows\SysWOW64\mmtask.exe
C:\Windows\system32\mmtask.exe -s
6⤵
PID:1796

C:\Windows\SVCHOST.EXE
C:\Windows\SVCHOST.EXE -s
6⤵
PID:2040

C:\Windows\system\SVCHOST.EXE
C:\Windows\system\SVCHOST.EXE -s
6⤵
PID:2188

C:\Windows\SysWOW64\EBRR.EXE
C:\Windows\system32\EBRR.EXE -s
6⤵
PID:1256

C:\Windows\SysWOW64\mmtask.exe
C:\Windows\system32\mmtask.exe -s
6⤵
PID:2772

C:\Windows\SVCHOST.EXE
C:\Windows\SVCHOST.EXE -s
6⤵
PID:2828

C:\Windows\system\SVCHOST.EXE
C:\Windows\system\SVCHOST.EXE -s
6⤵
PID:1568

C:\Windows\SysWOW64\EBRR.EXE
C:\Windows\system32\EBRR.EXE -s
6⤵
PID:2968

C:\Windows\SysWOW64\mmtask.exe
C:\Windows\system32\mmtask.exe -s
6⤵
PID:2680

C:\Windows\SVCHOST.EXE
C:\Windows\SVCHOST.EXE -s
6⤵
PID:1728

C:\Windows\system\SVCHOST.EXE
C:\Windows\system\SVCHOST.EXE -s
6⤵
PID:2440

C:\Windows\SysWOW64\EBRR.EXE
C:\Windows\system32\EBRR.EXE -s
6⤵
PID:1332

C:\Windows\SysWOW64\mmtask.exe
C:\Windows\system32\mmtask.exe -s
6⤵
PID:2768

C:\Windows\SVCHOST.EXE
C:\Windows\SVCHOST.EXE -s
6⤵
PID:324

C:\Windows\system\SVCHOST.EXE
C:\Windows\system\SVCHOST.EXE -s
6⤵
PID:2624

C:\Windows\SysWOW64\EBRR.EXE
C:\Windows\system32\EBRR.EXE -s
6⤵
PID:1224

C:\Windows\SysWOW64\mmtask.exe
C:\Windows\system32\mmtask.exe -s
6⤵
PID:1852

C:\Windows\SVCHOST.EXE
C:\Windows\SVCHOST.EXE -s
6⤵
PID:2908

C:\Windows\system\SVCHOST.EXE
C:\Windows\system\SVCHOST.EXE -s
6⤵
PID:2832

C:\Windows\SysWOW64\EBRR.EXE
C:\Windows\system32\EBRR.EXE -s
6⤵
PID:2144

C:\Windows\SysWOW64\mmtask.exe
C:\Windows\system32\mmtask.exe -s
6⤵
PID:1684

C:\Windows\SVCHOST.EXE
C:\Windows\SVCHOST.EXE -s
6⤵
PID:1688

C:\Windows\system\SVCHOST.EXE
C:\Windows\system\SVCHOST.EXE -s
6⤵
PID:2900

C:\Windows\SysWOW64\EBRR.EXE
C:\Windows\system32\EBRR.EXE -s
6⤵
PID:2484

C:\Windows\SysWOW64\mmtask.exe
C:\Windows\system32\mmtask.exe -s
6⤵
PID:2076

C:\Windows\SVCHOST.EXE
C:\Windows\SVCHOST.EXE -s
6⤵
PID:580

C:\Windows\system\SVCHOST.EXE
C:\Windows\system\SVCHOST.EXE -s
6⤵
PID:2200

C:\Windows\SysWOW64\EBRR.EXE
C:\Windows\system32\EBRR.EXE -s
6⤵
PID:2988

C:\Windows\SysWOW64\mmtask.exe
C:\Windows\system32\mmtask.exe -s
6⤵
PID:2588

C:\Windows\SVCHOST.EXE
C:\Windows\SVCHOST.EXE -s
6⤵
PID:2104

C:\Windows\system\SVCHOST.EXE
C:\Windows\system\SVCHOST.EXE -s
6⤵
PID:1988

C:\Windows\SysWOW64\EBRR.EXE
C:\Windows\system32\EBRR.EXE -s
6⤵
PID:1708

C:\Windows\SysWOW64\mmtask.exe
C:\Windows\system32\mmtask.exe -s
6⤵
PID:932

C:\Windows\SVCHOST.EXE
C:\Windows\SVCHOST.EXE -s
6⤵
PID:1804

C:\Windows\system\SVCHOST.EXE
C:\Windows\system\SVCHOST.EXE -s
6⤵
PID:2420

C:\Windows\SysWOW64\EBRR.EXE
C:\Windows\system32\EBRR.EXE -s
6⤵
PID:1152

C:\Windows\SysWOW64\mmtask.exe
C:\Windows\system32\mmtask.exe -s
6⤵
PID:704

C:\Windows\SVCHOST.EXE
C:\Windows\SVCHOST.EXE -s
6⤵
PID:1648

C:\Windows\system\SVCHOST.EXE
C:\Windows\system\SVCHOST.EXE -s
6⤵
PID:2484

C:\Windows\SysWOW64\EBRR.EXE
C:\Windows\system32\EBRR.EXE -s
6⤵
PID:1820

C:\Windows\SysWOW64\mmtask.exe
C:\Windows\system32\mmtask.exe -s
6⤵
PID:1332

C:\Windows\SVCHOST.EXE
C:\Windows\SVCHOST.EXE -s
6⤵
PID:1036

C:\Windows\system\SVCHOST.EXE
C:\Windows\system\SVCHOST.EXE -s
6⤵
PID:1780

C:\Windows\SysWOW64\EBRR.EXE
C:\Windows\system32\EBRR.EXE -s
6⤵
PID:2624

C:\Windows\SysWOW64\mmtask.exe
C:\Windows\system32\mmtask.exe -s
6⤵
PID:2040

C:\Windows\SVCHOST.EXE
C:\Windows\SVCHOST.EXE -s
6⤵
PID:1724

C:\Windows\system\SVCHOST.EXE
C:\Windows\system\SVCHOST.EXE -s
6⤵
PID:900

C:\Windows\SysWOW64\EBRR.EXE
C:\Windows\system32\EBRR.EXE -s
6⤵
PID:2280

C:\Windows\SysWOW64\mmtask.exe
C:\Windows\system32\mmtask.exe -s
6⤵
PID:2892

C:\Windows\SVCHOST.EXE
C:\Windows\SVCHOST.EXE -s
6⤵
PID:2848

C:\Windows\system\SVCHOST.EXE
C:\Windows\system\SVCHOST.EXE -s
6⤵
PID:1316

C:\Windows\SysWOW64\EBRR.EXE
C:\Windows\system32\EBRR.EXE -s
6⤵
PID:2140

C:\Windows\SysWOW64\mmtask.exe
C:\Windows\system32\mmtask.exe -s
6⤵
PID:1048

C:\Windows\SVCHOST.EXE
C:\Windows\SVCHOST.EXE -s
6⤵
PID:1792

C:\Windows\system\SVCHOST.EXE
C:\Windows\system\SVCHOST.EXE -s
6⤵
PID:1620

C:\Windows\SysWOW64\EBRR.EXE
C:\Windows\system32\EBRR.EXE -s
6⤵
PID:2076

C:\Windows\SysWOW64\mmtask.exe
C:\Windows\system32\mmtask.exe -s
6⤵
PID:2984

C:\Windows\SVCHOST.EXE
C:\Windows\SVCHOST.EXE -s
6⤵
PID:2668

C:\Windows\system\SVCHOST.EXE
C:\Windows\system\SVCHOST.EXE -s
6⤵
PID:2148

C:\Windows\SysWOW64\EBRR.EXE
C:\Windows\system32\EBRR.EXE -s
6⤵
PID:2812

C:\Windows\SysWOW64\mmtask.exe
C:\Windows\system32\mmtask.exe -s
6⤵
PID:2040

C:\Windows\SVCHOST.EXE
C:\Windows\SVCHOST.EXE -s
6⤵
PID:532

C:\Windows\system\SVCHOST.EXE
C:\Windows\system\SVCHOST.EXE -s
6⤵
PID:2028

C:\Windows\SysWOW64\EBRR.EXE
C:\Windows\system32\EBRR.EXE -s
6⤵
PID:2384

C:\Windows\SysWOW64\mmtask.exe
C:\Windows\system32\mmtask.exe -s
6⤵
PID:1804

C:\Windows\SVCHOST.EXE
C:\Windows\SVCHOST.EXE -s
6⤵
PID:692

C:\Windows\system\SVCHOST.EXE
C:\Windows\system\SVCHOST.EXE -s
6⤵
PID:948

C:\Windows\SysWOW64\EBRR.EXE
C:\Windows\system32\EBRR.EXE -s
6⤵
PID:2784

C:\Windows\SysWOW64\mmtask.exe
C:\Windows\system32\mmtask.exe -s
6⤵
PID:2160

C:\Windows\SVCHOST.EXE
C:\Windows\SVCHOST.EXE -s
6⤵
PID:552

C:\Windows\system\SVCHOST.EXE
C:\Windows\system\SVCHOST.EXE -s
6⤵
PID:856

C:\Windows\SysWOW64\EBRR.EXE
C:\Windows\system32\EBRR.EXE -s
6⤵
PID:2392

C:\Windows\SysWOW64\mmtask.exe
C:\Windows\system32\mmtask.exe -s
6⤵
PID:2408

C:\Windows\SVCHOST.EXE
C:\Windows\SVCHOST.EXE -s
6⤵
PID:1328

C:\Windows\system\SVCHOST.EXE
C:\Windows\system\SVCHOST.EXE -s
6⤵
PID:676

C:\Windows\SysWOW64\EBRR.EXE
C:\Windows\system32\EBRR.EXE -s
6⤵
PID:1832

C:\Windows\SysWOW64\mmtask.exe
C:\Windows\system32\mmtask.exe -s
6⤵
PID:2692

C:\Windows\SVCHOST.EXE
C:\Windows\SVCHOST.EXE -s
6⤵
PID:1516

C:\Windows\system\SVCHOST.EXE
C:\Windows\system\SVCHOST.EXE -s
6⤵
PID:2464

C:\Windows\SysWOW64\EBRR.EXE
C:\Windows\system32\EBRR.EXE -s
6⤵
PID:2716

C:\Windows\SysWOW64\mmtask.exe
C:\Windows\system32\mmtask.exe -s
6⤵
PID:1728

C:\Windows\SVCHOST.EXE
C:\Windows\SVCHOST.EXE -s
6⤵
PID:2696

C:\Windows\system\SVCHOST.EXE
C:\Windows\system\SVCHOST.EXE -s
5⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:1352

C:\Windows\SysWOW64\EBRR.EXE
C:\Windows\system32\EBRR.EXE -s
5⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:1588

C:\Windows\SysWOW64\mmtask.exe
C:\Windows\system32\mmtask.exe -s
5⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:2536

C:\Windows\SVCHOST.EXE
C:\Windows\SVCHOST.EXE -s
5⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:2672

C:\Windows\system\SVCHOST.EXE
C:\Windows\system\SVCHOST.EXE -s
5⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:1548

C:\Windows\SysWOW64\EBRR.EXE
C:\Windows\system32\EBRR.EXE -s
5⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:2044

C:\Windows\SysWOW64\mmtask.exe
C:\Windows\system32\mmtask.exe -s
5⤵
- Executes dropped EXE
PID:768

C:\Windows\SVCHOST.EXE
C:\Windows\SVCHOST.EXE -s
5⤵
PID:972

C:\Windows\system\SVCHOST.EXE
C:\Windows\system\SVCHOST.EXE -s
5⤵
PID:1832

C:\Windows\SysWOW64\EBRR.EXE
C:\Windows\system32\EBRR.EXE -s
5⤵
PID:948

C:\Windows\SysWOW64\mmtask.exe
C:\Windows\system32\mmtask.exe -s
5⤵
PID:1656

C:\Windows\SVCHOST.EXE
C:\Windows\SVCHOST.EXE -s
5⤵
PID:2828

C:\Windows\system\SVCHOST.EXE
C:\Windows\system\SVCHOST.EXE -s
5⤵
PID:2716

C:\Windows\SysWOW64\EBRR.EXE
C:\Windows\system32\EBRR.EXE -s
5⤵
PID:1548

C:\Windows\SysWOW64\mmtask.exe
C:\Windows\system32\mmtask.exe -s
5⤵
PID:2668

C:\Windows\SVCHOST.EXE
C:\Windows\SVCHOST.EXE -s
5⤵
PID:1500

C:\Windows\system\SVCHOST.EXE
C:\Windows\system\SVCHOST.EXE -s
5⤵
PID:2496

C:\Windows\SysWOW64\EBRR.EXE
C:\Windows\system32\EBRR.EXE -s
5⤵
PID:2240

C:\Windows\SysWOW64\mmtask.exe
C:\Windows\system32\mmtask.exe -s
5⤵
PID:932

C:\Windows\SVCHOST.EXE
C:\Windows\SVCHOST.EXE -s
5⤵
PID:1676

C:\Windows\system\SVCHOST.EXE
C:\Windows\system\SVCHOST.EXE -s
5⤵
PID:2140

C:\Windows\SysWOW64\EBRR.EXE
C:\Windows\system32\EBRR.EXE -s
5⤵
PID:2180

C:\Windows\SysWOW64\mmtask.exe
C:\Windows\system32\mmtask.exe -s
5⤵
PID:1532

C:\Windows\SVCHOST.EXE
C:\Windows\SVCHOST.EXE -s
5⤵
PID:2900

C:\Windows\system\SVCHOST.EXE
C:\Windows\system\SVCHOST.EXE -s
5⤵
PID:2320

C:\Windows\SysWOW64\EBRR.EXE
C:\Windows\system32\EBRR.EXE -s
5⤵
PID:1812

C:\Windows\SysWOW64\mmtask.exe
C:\Windows\system32\mmtask.exe -s
5⤵
PID:1040

C:\Windows\SVCHOST.EXE
C:\Windows\SVCHOST.EXE -s
5⤵
PID:1804

C:\Windows\system\SVCHOST.EXE
C:\Windows\system\SVCHOST.EXE -s
5⤵
PID:2112

C:\Windows\SysWOW64\EBRR.EXE
C:\Windows\system32\EBRR.EXE -s
5⤵
PID:676

C:\Windows\SysWOW64\mmtask.exe
C:\Windows\system32\mmtask.exe -s
5⤵
PID:2292

C:\Windows\SVCHOST.EXE
C:\Windows\SVCHOST.EXE -s
5⤵
PID:1692

C:\Windows\system\SVCHOST.EXE
C:\Windows\system\SVCHOST.EXE -s
5⤵
PID:1484

C:\Windows\SysWOW64\EBRR.EXE
C:\Windows\system32\EBRR.EXE -s
5⤵
PID:840

C:\Windows\SysWOW64\mmtask.exe
C:\Windows\system32\mmtask.exe -s
5⤵
PID:2464

C:\Windows\SVCHOST.EXE
C:\Windows\SVCHOST.EXE -s
5⤵
PID:2436

C:\Windows\system\SVCHOST.EXE
C:\Windows\system\SVCHOST.EXE -s
5⤵
PID:2452

C:\Windows\SysWOW64\EBRR.EXE
C:\Windows\system32\EBRR.EXE -s
5⤵
PID:856

C:\Windows\SysWOW64\mmtask.exe
C:\Windows\system32\mmtask.exe -s
5⤵
PID:1308

C:\Windows\SVCHOST.EXE
C:\Windows\SVCHOST.EXE -s
5⤵
PID:3056

C:\Windows\system\SVCHOST.EXE
C:\Windows\system\SVCHOST.EXE -s
5⤵
PID:1964

C:\Windows\SysWOW64\EBRR.EXE
C:\Windows\system32\EBRR.EXE -s
5⤵
PID:964

C:\Windows\SysWOW64\mmtask.exe
C:\Windows\system32\mmtask.exe -s
5⤵
PID:2036

C:\Windows\SVCHOST.EXE
C:\Windows\SVCHOST.EXE -s
5⤵
PID:676

C:\Windows\system\SVCHOST.EXE
C:\Windows\system\SVCHOST.EXE -s
5⤵
PID:1744

C:\Windows\SysWOW64\EBRR.EXE
C:\Windows\system32\EBRR.EXE -s
5⤵
PID:2984

C:\Windows\SysWOW64\mmtask.exe
C:\Windows\system32\mmtask.exe -s
5⤵
PID:2980

C:\Windows\SVCHOST.EXE
C:\Windows\SVCHOST.EXE -s
5⤵
PID:1588

C:\Windows\system\SVCHOST.EXE
C:\Windows\system\SVCHOST.EXE -s
5⤵
PID:2272

C:\Windows\SysWOW64\EBRR.EXE
C:\Windows\system32\EBRR.EXE -s
5⤵
PID:2408

C:\Windows\SysWOW64\mmtask.exe
C:\Windows\system32\mmtask.exe -s
5⤵
PID:648

C:\Windows\SVCHOST.EXE
C:\Windows\SVCHOST.EXE -s
5⤵
PID:2504

C:\Windows\system\SVCHOST.EXE
C:\Windows\system\SVCHOST.EXE -s
5⤵
PID:2324

C:\Windows\SysWOW64\EBRR.EXE
C:\Windows\system32\EBRR.EXE -s
5⤵
PID:1128

C:\Windows\SysWOW64\mmtask.exe
C:\Windows\system32\mmtask.exe -s
5⤵
PID:1568

C:\Windows\SVCHOST.EXE
C:\Windows\SVCHOST.EXE -s
5⤵
PID:2256

C:\Windows\system\SVCHOST.EXE
C:\Windows\system\SVCHOST.EXE -s
5⤵
PID:1524

C:\Windows\SysWOW64\EBRR.EXE
C:\Windows\system32\EBRR.EXE -s
5⤵
PID:2604

C:\Windows\SysWOW64\mmtask.exe
C:\Windows\system32\mmtask.exe -s
5⤵
PID:3024

C:\Windows\SVCHOST.EXE
C:\Windows\SVCHOST.EXE -s
5⤵
PID:1464

C:\Windows\system\SVCHOST.EXE
C:\Windows\system\SVCHOST.EXE -s
5⤵
PID:1644

C:\Windows\SysWOW64\EBRR.EXE
C:\Windows\system32\EBRR.EXE -s
5⤵
PID:2620

C:\Windows\SysWOW64\mmtask.exe
C:\Windows\system32\mmtask.exe -s
5⤵
PID:660

C:\Windows\SVCHOST.EXE
C:\Windows\SVCHOST.EXE -s
5⤵
PID:920

C:\Windows\system\SVCHOST.EXE
C:\Windows\system\SVCHOST.EXE -s
5⤵
PID:1796

C:\Windows\SysWOW64\EBRR.EXE
C:\Windows\system32\EBRR.EXE -s
5⤵
PID:3036

C:\Windows\SysWOW64\mmtask.exe
C:\Windows\system32\mmtask.exe -s
5⤵
PID:1160

C:\Windows\SVCHOST.EXE
C:\Windows\SVCHOST.EXE -s
5⤵
PID:1316

C:\Windows\system\SVCHOST.EXE
C:\Windows\system\SVCHOST.EXE -s
5⤵
PID:1756

C:\Windows\SysWOW64\EBRR.EXE
C:\Windows\system32\EBRR.EXE -s
5⤵
PID:1684

C:\Windows\SysWOW64\mmtask.exe
C:\Windows\system32\mmtask.exe -s
5⤵
PID:2532

C:\Windows\SVCHOST.EXE
C:\Windows\SVCHOST.EXE -s
5⤵
PID:1532

C:\Windows\system\SVCHOST.EXE
C:\Windows\system\SVCHOST.EXE -s
5⤵
PID:3020

C:\Windows\SysWOW64\EBRR.EXE
C:\Windows\system32\EBRR.EXE -s
5⤵
PID:2524

C:\Windows\SysWOW64\mmtask.exe
C:\Windows\system32\mmtask.exe -s
5⤵
PID:2732

C:\Windows\SVCHOST.EXE
C:\Windows\SVCHOST.EXE -s
5⤵
PID:2064

C:\Windows\system\SVCHOST.EXE
C:\Windows\system\SVCHOST.EXE -s
5⤵
PID:2152

C:\Windows\SysWOW64\EBRR.EXE
C:\Windows\system32\EBRR.EXE -s
5⤵
PID:752

C:\Windows\SysWOW64\mmtask.exe
C:\Windows\system32\mmtask.exe -s
5⤵
PID:1804

C:\Windows\SVCHOST.EXE
C:\Windows\SVCHOST.EXE -s
5⤵
PID:428

C:\Windows\system\SVCHOST.EXE
C:\Windows\system\SVCHOST.EXE -s
5⤵
PID:2896

C:\Windows\SysWOW64\EBRR.EXE
C:\Windows\system32\EBRR.EXE -s
5⤵
PID:1352

C:\Windows\SysWOW64\mmtask.exe
C:\Windows\system32\mmtask.exe -s
5⤵
PID:940

C:\Windows\SVCHOST.EXE
C:\Windows\SVCHOST.EXE -s
5⤵
PID:2416

C:\Windows\system\SVCHOST.EXE
C:\Windows\system\SVCHOST.EXE -s
5⤵
PID:2412

C:\Windows\SysWOW64\EBRR.EXE
C:\Windows\system32\EBRR.EXE -s
5⤵
PID:2956

C:\Windows\SysWOW64\mmtask.exe
C:\Windows\system32\mmtask.exe -s
5⤵
PID:1680

C:\Windows\SVCHOST.EXE
C:\Windows\SVCHOST.EXE -s
5⤵
PID:1984

C:\Windows\system\SVCHOST.EXE
C:\Windows\system\SVCHOST.EXE -s
5⤵
PID:1860

C:\Windows\SysWOW64\EBRR.EXE
C:\Windows\system32\EBRR.EXE -s
5⤵
PID:1564

C:\Windows\SysWOW64\mmtask.exe
C:\Windows\system32\mmtask.exe -s
5⤵
PID:2876

C:\Windows\SVCHOST.EXE
C:\Windows\SVCHOST.EXE -s
5⤵
PID:1512

C:\Windows\system\SVCHOST.EXE
C:\Windows\system\SVCHOST.EXE -s
5⤵
PID:1760

C:\Windows\SysWOW64\EBRR.EXE
C:\Windows\system32\EBRR.EXE -s
5⤵
PID:476

C:\Windows\SysWOW64\mmtask.exe
C:\Windows\system32\mmtask.exe -s
5⤵
PID:2520

C:\Windows\SVCHOST.EXE
C:\Windows\SVCHOST.EXE -s
5⤵
PID:1256

C:\Windows\system\SVCHOST.EXE
C:\Windows\system\SVCHOST.EXE -s
5⤵
- Modifies WinLogon for persistence
PID:2780

C:\Windows\SysWOW64\EBRR.EXE
C:\Windows\system32\EBRR.EXE -s
5⤵
PID:2412

C:\Windows\SysWOW64\mmtask.exe
C:\Windows\system32\mmtask.exe -s
5⤵
PID:2528

C:\Windows\SVCHOST.EXE
C:\Windows\SVCHOST.EXE -s
5⤵
PID:1620

C:\Windows\system\SVCHOST.EXE
C:\Windows\system\SVCHOST.EXE -s
5⤵
PID:2484

C:\Windows\SysWOW64\EBRR.EXE
C:\Windows\system32\EBRR.EXE -s
5⤵
PID:1296

C:\Windows\SysWOW64\mmtask.exe
C:\Windows\system32\mmtask.exe -s
5⤵
PID:1116

C:\Windows\SVCHOST.EXE
C:\Windows\SVCHOST.EXE -s
5⤵
PID:1780

C:\Windows\system\SVCHOST.EXE
C:\Windows\system\SVCHOST.EXE -s
5⤵
PID:2644

C:\Windows\SysWOW64\EBRR.EXE
C:\Windows\system32\EBRR.EXE -s
5⤵
PID:944

C:\Windows\SysWOW64\mmtask.exe
C:\Windows\system32\mmtask.exe -s
5⤵
PID:1708

C:\Windows\SVCHOST.EXE
C:\Windows\SVCHOST.EXE -s
5⤵
PID:1716

C:\Windows\system\SVCHOST.EXE
C:\Windows\system\SVCHOST.EXE -s
5⤵
PID:2908

C:\Windows\SysWOW64\EBRR.EXE
C:\Windows\system32\EBRR.EXE -s
5⤵
PID:1392

C:\Windows\SysWOW64\mmtask.exe
C:\Windows\system32\mmtask.exe -s
5⤵
PID:2536

C:\Windows\SVCHOST.EXE
C:\Windows\SVCHOST.EXE -s
5⤵
PID:1584

C:\Windows\system\SVCHOST.EXE
C:\Windows\system\SVCHOST.EXE -s
5⤵
PID:2424

C:\Windows\SysWOW64\EBRR.EXE
C:\Windows\system32\EBRR.EXE -s
5⤵
PID:856

C:\Windows\SysWOW64\mmtask.exe
C:\Windows\system32\mmtask.exe -s
5⤵
PID:1332

C:\Windows\SVCHOST.EXE
C:\Windows\SVCHOST.EXE -s
5⤵
PID:2208

C:\Windows\system\SVCHOST.EXE
C:\Windows\system\SVCHOST.EXE -s
5⤵
PID:1264

C:\Windows\SysWOW64\EBRR.EXE
C:\Windows\system32\EBRR.EXE -s
5⤵
- Modifies WinLogon for persistence
PID:600

C:\Windows\SysWOW64\mmtask.exe
C:\Windows\system32\mmtask.exe -s
5⤵
PID:1708

C:\Windows\SVCHOST.EXE
C:\Windows\SVCHOST.EXE -s
5⤵
PID:964

C:\Windows\system\SVCHOST.EXE
C:\Windows\system\SVCHOST.EXE -s
5⤵
PID:1520

C:\Windows\SysWOW64\EBRR.EXE
C:\Windows\system32\EBRR.EXE -s
5⤵
PID:1936

C:\Windows\SysWOW64\mmtask.exe
C:\Windows\system32\mmtask.exe -s
5⤵
PID:1584

C:\Windows\SVCHOST.EXE
C:\Windows\SVCHOST.EXE -s
5⤵
PID:1932

C:\Windows\system\SVCHOST.EXE
C:\Windows\system\SVCHOST.EXE -s
5⤵
PID:2628

C:\Windows\SysWOW64\EBRR.EXE
C:\Windows\system32\EBRR.EXE -s
5⤵
PID:1944

C:\Windows\SysWOW64\mmtask.exe
C:\Windows\system32\mmtask.exe -s
5⤵
PID:2956

C:\Windows\SVCHOST.EXE
C:\Windows\SVCHOST.EXE -s
5⤵
PID:1672

C:\Windows\system\SVCHOST.EXE
C:\Windows\system\SVCHOST.EXE -s
5⤵
PID:2452

C:\Windows\SysWOW64\EBRR.EXE
C:\Windows\system32\EBRR.EXE -s
5⤵
PID:836

C:\Windows\SysWOW64\mmtask.exe
C:\Windows\system32\mmtask.exe -s
5⤵
PID:1196

C:\Windows\SVCHOST.EXE
C:\Windows\SVCHOST.EXE -s
5⤵
PID:2740

C:\Windows\system\SVCHOST.EXE
C:\Windows\system\SVCHOST.EXE -s
5⤵
PID:2364

C:\Windows\SysWOW64\EBRR.EXE
C:\Windows\system32\EBRR.EXE -s
5⤵
PID:1608

C:\Windows\SysWOW64\mmtask.exe
C:\Windows\system32\mmtask.exe -s
5⤵
PID:1764

C:\Windows\SVCHOST.EXE
C:\Windows\SVCHOST.EXE -s
5⤵
PID:2220

C:\Windows\system\SVCHOST.EXE
C:\Windows\system\SVCHOST.EXE -s
5⤵
PID:884

C:\Windows\SysWOW64\EBRR.EXE
C:\Windows\system32\EBRR.EXE -s
5⤵
PID:2912

C:\Windows\SysWOW64\mmtask.exe
C:\Windows\system32\mmtask.exe -s
5⤵
PID:2684

C:\Windows\SVCHOST.EXE
C:\Windows\SVCHOST.EXE -s
5⤵
PID:2272

C:\Windows\system\SVCHOST.EXE
C:\Windows\system\SVCHOST.EXE -s
5⤵
PID:1048

C:\Windows\SysWOW64\EBRR.EXE
C:\Windows\system32\EBRR.EXE -s
5⤵
PID:2260

C:\Windows\SysWOW64\mmtask.exe
C:\Windows\system32\mmtask.exe -s
5⤵
PID:1996

C:\Windows\SVCHOST.EXE
C:\Windows\SVCHOST.EXE -s
5⤵
PID:2156

C:\Windows\system\SVCHOST.EXE
C:\Windows\system\SVCHOST.EXE -s
5⤵
PID:1332

C:\Windows\SysWOW64\EBRR.EXE
C:\Windows\system32\EBRR.EXE -s
5⤵
PID:2504

C:\Windows\SysWOW64\mmtask.exe
C:\Windows\system32\mmtask.exe -s
5⤵
PID:2604

C:\Windows\SVCHOST.EXE
C:\Windows\SVCHOST.EXE -s
5⤵
PID:1544

C:\Windows\system\SVCHOST.EXE
C:\Windows\system\SVCHOST.EXE -s
5⤵
PID:1160

C:\Windows\SysWOW64\EBRR.EXE
C:\Windows\system32\EBRR.EXE -s
5⤵
PID:2940

C:\Windows\SysWOW64\mmtask.exe
C:\Windows\system32\mmtask.exe -s
5⤵
PID:2692

C:\Windows\SVCHOST.EXE
C:\Windows\SVCHOST.EXE -s
5⤵
PID:968

C:\Windows\system\SVCHOST.EXE
C:\Windows\system\SVCHOST.EXE -s
5⤵
PID:1516

C:\Windows\SysWOW64\EBRR.EXE
C:\Windows\system32\EBRR.EXE -s
5⤵
PID:2716

C:\Windows\SysWOW64\mmtask.exe
C:\Windows\system32\mmtask.exe -s
5⤵
PID:2984

C:\Windows\SVCHOST.EXE
C:\Windows\SVCHOST.EXE -s
5⤵
PID:1860

C:\Windows\system\SVCHOST.EXE
C:\Windows\system\SVCHOST.EXE -s
5⤵
PID:1300

C:\Windows\SysWOW64\EBRR.EXE
C:\Windows\system32\EBRR.EXE -s
5⤵
PID:1304

C:\Windows\SysWOW64\mmtask.exe
C:\Windows\system32\mmtask.exe -s
5⤵
PID:1600

C:\Windows\SVCHOST.EXE
C:\Windows\SVCHOST.EXE -s
5⤵
PID:1964

C:\Windows\system\SVCHOST.EXE
C:\Windows\system\SVCHOST.EXE -s
5⤵
PID:2392

C:\Windows\SysWOW64\EBRR.EXE
C:\Windows\system32\EBRR.EXE -s
5⤵
PID:2180

C:\Windows\SysWOW64\mmtask.exe
C:\Windows\system32\mmtask.exe -s
5⤵
PID:1556

C:\Windows\SVCHOST.EXE
C:\Windows\SVCHOST.EXE -s
5⤵
PID:2940

C:\Windows\system\SVCHOST.EXE
C:\Windows\system\SVCHOST.EXE -s
5⤵
PID:1716

C:\Windows\SysWOW64\EBRR.EXE
C:\Windows\system32\EBRR.EXE -s
5⤵
PID:1912

C:\Windows\SysWOW64\mmtask.exe
C:\Windows\system32\mmtask.exe -s
5⤵
PID:2748

C:\Windows\SVCHOST.EXE
C:\Windows\SVCHOST.EXE -s
5⤵
PID:2664

C:\Windows\system\SVCHOST.EXE
C:\Windows\system\SVCHOST.EXE -s
5⤵
PID:2404

C:\Windows\SysWOW64\EBRR.EXE
C:\Windows\system32\EBRR.EXE -s
5⤵
PID:1996

C:\Windows\SysWOW64\mmtask.exe
C:\Windows\system32\mmtask.exe -s
5⤵
PID:2572

C:\Windows\SVCHOST.EXE
C:\Windows\SVCHOST.EXE -s
5⤵
PID:2320

C:\Windows\system\SVCHOST.EXE
C:\Windows\system\SVCHOST.EXE -s
5⤵
PID:2632

C:\Windows\SysWOW64\EBRR.EXE
C:\Windows\system32\EBRR.EXE -s
5⤵
PID:440

C:\Windows\SysWOW64\mmtask.exe
C:\Windows\system32\mmtask.exe -s
5⤵
PID:1544

C:\Windows\SVCHOST.EXE
C:\Windows\SVCHOST.EXE -s
5⤵
PID:1952

C:\Windows\system\SVCHOST.EXE
C:\Windows\system\SVCHOST.EXE -s
5⤵
PID:1604

C:\Windows\SysWOW64\EBRR.EXE
C:\Windows\system32\EBRR.EXE -s
5⤵
PID:2728

C:\Windows\SysWOW64\mmtask.exe
C:\Windows\system32\mmtask.exe -s
5⤵
PID:2980

C:\Windows\SVCHOST.EXE
C:\Windows\SVCHOST.EXE -s
5⤵
PID:2924

C:\Windows\system\SVCHOST.EXE
C:\Windows\system\SVCHOST.EXE -s
5⤵
PID:2552

C:\Windows\SysWOW64\EBRR.EXE
C:\Windows\system32\EBRR.EXE -s
5⤵
PID:2956

C:\Windows\SysWOW64\mmtask.exe
C:\Windows\system32\mmtask.exe -s
5⤵
PID:3028

C:\Windows\SVCHOST.EXE
C:\Windows\SVCHOST.EXE -s
5⤵
PID:1788

C:\Windows\system\SVCHOST.EXE
C:\Windows\system\SVCHOST.EXE -s
5⤵
PID:1648

C:\Windows\SysWOW64\EBRR.EXE
C:\Windows\system32\EBRR.EXE -s
5⤵
PID:1780

C:\Windows\SysWOW64\mmtask.exe
C:\Windows\system32\mmtask.exe -s
5⤵
PID:2316

C:\Windows\SVCHOST.EXE
C:\Windows\SVCHOST.EXE -s
5⤵
PID:1332

C:\Windows\system\SVCHOST.EXE
C:\Windows\system\SVCHOST.EXE -s
5⤵
PID:2240

C:\Windows\SysWOW64\EBRR.EXE
C:\Windows\system32\EBRR.EXE -s
5⤵
PID:2596

C:\Windows\SysWOW64\mmtask.exe
C:\Windows\system32\mmtask.exe -s
5⤵
PID:1816

C:\Windows\SVCHOST.EXE
C:\Windows\SVCHOST.EXE -s
5⤵
PID:2180

C:\Windows\system\SVCHOST.EXE
C:\Windows\system\SVCHOST.EXE -s
5⤵
PID:2720

C:\Windows\SysWOW64\EBRR.EXE
C:\Windows\system32\EBRR.EXE -s
5⤵
PID:2712

C:\Windows\SysWOW64\mmtask.exe
C:\Windows\system32\mmtask.exe -s
5⤵
PID:1048

C:\Windows\SVCHOST.EXE
C:\Windows\SVCHOST.EXE -s
5⤵
PID:1788

C:\Windows\SysWOW64\EBRR.EXE
C:\Windows\system32\EBRR.EXE -s
4⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:1676

C:\Windows\SysWOW64\mmtask.exe
C:\Windows\system32\mmtask.exe -s
4⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:2992

C:\Windows\SVCHOST.EXE
C:\Windows\SVCHOST.EXE -s
4⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:1912

C:\Windows\system\SVCHOST.EXE
C:\Windows\system\SVCHOST.EXE -s
4⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:2328

C:\Windows\system\SVCHOST.EXE
C:\Windows\system\SVCHOST.EXE -s
4⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:2852

C:\Windows\SysWOW64\EBRR.EXE
C:\Windows\system32\EBRR.EXE -s
4⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:2144

C:\Windows\SysWOW64\mmtask.exe
C:\Windows\system32\mmtask.exe -s
4⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:2552

C:\Windows\SVCHOST.EXE
C:\Windows\SVCHOST.EXE -s
4⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:552

C:\Windows\system\SVCHOST.EXE
C:\Windows\system\SVCHOST.EXE -s
4⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:1480

C:\Windows\SysWOW64\EBRR.EXE
C:\Windows\system32\EBRR.EXE -s
4⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:1780

C:\Windows\SysWOW64\mmtask.exe
C:\Windows\system32\mmtask.exe -s
4⤵
PID:1276

C:\Windows\SVCHOST.EXE
C:\Windows\SVCHOST.EXE -s
4⤵
PID:1952

C:\Windows\system\SVCHOST.EXE
C:\Windows\system\SVCHOST.EXE -s
4⤵
PID:2060

C:\Windows\SysWOW64\EBRR.EXE
C:\Windows\system32\EBRR.EXE -s
4⤵
PID:2032

C:\Windows\SysWOW64\mmtask.exe
C:\Windows\system32\mmtask.exe -s
4⤵
- Modifies WinLogon for persistence
PID:692

C:\Windows\SVCHOST.EXE
C:\Windows\SVCHOST.EXE -s
4⤵
PID:1588

C:\Windows\system\SVCHOST.EXE
C:\Windows\system\SVCHOST.EXE -s
4⤵
PID:2436

C:\Windows\SysWOW64\EBRR.EXE
C:\Windows\system32\EBRR.EXE -s
4⤵
PID:2700

C:\Windows\SysWOW64\mmtask.exe
C:\Windows\system32\mmtask.exe -s
4⤵
PID:2624

C:\Windows\SVCHOST.EXE
C:\Windows\SVCHOST.EXE -s
4⤵
PID:1860

C:\Windows\system\SVCHOST.EXE
C:\Windows\system\SVCHOST.EXE -s
4⤵
PID:1820

C:\Windows\SysWOW64\EBRR.EXE
C:\Windows\system32\EBRR.EXE -s
4⤵
PID:968

C:\Windows\SysWOW64\mmtask.exe
C:\Windows\system32\mmtask.exe -s
4⤵
PID:1128

C:\Windows\SVCHOST.EXE
C:\Windows\SVCHOST.EXE -s
4⤵
PID:1692

C:\Windows\system\SVCHOST.EXE
C:\Windows\system\SVCHOST.EXE -s
4⤵
PID:2880

C:\Windows\SysWOW64\EBRR.EXE
C:\Windows\system32\EBRR.EXE -s
4⤵
PID:1524

C:\Windows\SysWOW64\mmtask.exe
C:\Windows\system32\mmtask.exe -s
4⤵
- Modifies WinLogon for persistence
PID:2272

C:\Windows\SVCHOST.EXE
C:\Windows\SVCHOST.EXE -s
4⤵
PID:2748

C:\Windows\system\SVCHOST.EXE
C:\Windows\system\SVCHOST.EXE -s
4⤵
PID:1664

C:\Windows\SysWOW64\EBRR.EXE
C:\Windows\system32\EBRR.EXE -s
4⤵
PID:1792

C:\Windows\SysWOW64\mmtask.exe
C:\Windows\system32\mmtask.exe -s
4⤵
PID:2616

C:\Windows\SVCHOST.EXE
C:\Windows\SVCHOST.EXE -s
4⤵
PID:1648

C:\Windows\system\SVCHOST.EXE
C:\Windows\system\SVCHOST.EXE -s
4⤵
PID:1304

C:\Windows\SysWOW64\EBRR.EXE
C:\Windows\system32\EBRR.EXE -s
4⤵
PID:3064

C:\Windows\SysWOW64\mmtask.exe
C:\Windows\system32\mmtask.exe -s
4⤵
PID:600

C:\Windows\SVCHOST.EXE
C:\Windows\SVCHOST.EXE -s
4⤵
- Modifies WinLogon for persistence
PID:972

C:\Windows\system\SVCHOST.EXE
C:\Windows\system\SVCHOST.EXE -s
4⤵
PID:2384

C:\Windows\SysWOW64\EBRR.EXE
C:\Windows\system32\EBRR.EXE -s
4⤵
PID:1524

C:\Windows\SysWOW64\mmtask.exe
C:\Windows\system32\mmtask.exe -s
4⤵
PID:2984

C:\Windows\SVCHOST.EXE
C:\Windows\SVCHOST.EXE -s
4⤵
PID:2912

C:\Windows\system\SVCHOST.EXE
C:\Windows\system\SVCHOST.EXE -s
4⤵
PID:1260

C:\Windows\SysWOW64\EBRR.EXE
C:\Windows\system32\EBRR.EXE -s
4⤵
PID:836

C:\Windows\SysWOW64\mmtask.exe
C:\Windows\system32\mmtask.exe -s
4⤵
PID:2408

C:\Windows\SVCHOST.EXE
C:\Windows\SVCHOST.EXE -s
4⤵
PID:2340

C:\Windows\system\SVCHOST.EXE
C:\Windows\system\SVCHOST.EXE -s
4⤵
PID:2504

C:\Windows\SysWOW64\EBRR.EXE
C:\Windows\system32\EBRR.EXE -s
4⤵
- Modifies WinLogon for persistence
PID:1556

C:\Windows\SysWOW64\mmtask.exe
C:\Windows\system32\mmtask.exe -s
4⤵
PID:2256

C:\Windows\SVCHOST.EXE
C:\Windows\SVCHOST.EXE -s
4⤵
PID:1488

C:\Windows\system\SVCHOST.EXE
C:\Windows\system\SVCHOST.EXE -s
4⤵
PID:1524

C:\Windows\SysWOW64\EBRR.EXE
C:\Windows\system32\EBRR.EXE -s
4⤵
PID:2440

C:\Windows\SysWOW64\mmtask.exe
C:\Windows\system32\mmtask.exe -s
4⤵
PID:1048

C:\Windows\SVCHOST.EXE
C:\Windows\SVCHOST.EXE -s
4⤵
PID:580

C:\Windows\system\SVCHOST.EXE
C:\Windows\system\SVCHOST.EXE -s
4⤵
PID:2732

C:\Windows\SysWOW64\EBRR.EXE
C:\Windows\system32\EBRR.EXE -s
4⤵
PID:3048

C:\Windows\SysWOW64\mmtask.exe
C:\Windows\system32\mmtask.exe -s
4⤵
PID:1132

C:\Windows\SVCHOST.EXE
C:\Windows\SVCHOST.EXE -s
4⤵
PID:324

C:\Windows\system\SVCHOST.EXE
C:\Windows\system\SVCHOST.EXE -s
4⤵
PID:752

C:\Windows\SysWOW64\EBRR.EXE
C:\Windows\system32\EBRR.EXE -s
4⤵
PID:972

C:\Windows\SysWOW64\mmtask.exe
C:\Windows\system32\mmtask.exe -s
4⤵
PID:1316

C:\Windows\SVCHOST.EXE
C:\Windows\SVCHOST.EXE -s
4⤵
PID:1516

C:\Windows\system\SVCHOST.EXE
C:\Windows\system\SVCHOST.EXE -s
4⤵
PID:2852

C:\Windows\SysWOW64\EBRR.EXE
C:\Windows\system32\EBRR.EXE -s
4⤵
PID:2980

C:\Windows\SysWOW64\mmtask.exe
C:\Windows\system32\mmtask.exe -s
4⤵
PID:2260

C:\Windows\SVCHOST.EXE
C:\Windows\SVCHOST.EXE -s
4⤵
PID:2348

C:\Windows\system\SVCHOST.EXE
C:\Windows\system\SVCHOST.EXE -s
4⤵
PID:2744

C:\Windows\SysWOW64\EBRR.EXE
C:\Windows\system32\EBRR.EXE -s
4⤵
PID:1984

C:\Windows\SysWOW64\mmtask.exe
C:\Windows\system32\mmtask.exe -s
4⤵
PID:2116

C:\Windows\SVCHOST.EXE
C:\Windows\SVCHOST.EXE -s
4⤵
PID:1116

C:\Windows\system\SVCHOST.EXE
C:\Windows\system\SVCHOST.EXE -s
4⤵
PID:2700

C:\Windows\SysWOW64\EBRR.EXE
C:\Windows\system32\EBRR.EXE -s
4⤵
PID:1852

C:\Windows\SysWOW64\mmtask.exe
C:\Windows\system32\mmtask.exe -s
4⤵
PID:440

C:\Windows\SVCHOST.EXE
C:\Windows\SVCHOST.EXE -s
4⤵
PID:2584

C:\Windows\system\SVCHOST.EXE
C:\Windows\system\SVCHOST.EXE -s
4⤵
PID:768

C:\Windows\SysWOW64\EBRR.EXE
C:\Windows\system32\EBRR.EXE -s
4⤵
PID:2756

C:\Windows\SysWOW64\mmtask.exe
C:\Windows\system32\mmtask.exe -s
4⤵
PID:2748

C:\Windows\SVCHOST.EXE
C:\Windows\SVCHOST.EXE -s
4⤵
PID:2672

C:\Windows\system\SVCHOST.EXE
C:\Windows\system\SVCHOST.EXE -s
4⤵
PID:2268

C:\Windows\SysWOW64\EBRR.EXE
C:\Windows\system32\EBRR.EXE -s
4⤵
PID:2668

C:\Windows\SysWOW64\mmtask.exe
C:\Windows\system32\mmtask.exe -s
4⤵
PID:1628

C:\Windows\SVCHOST.EXE
C:\Windows\SVCHOST.EXE -s
4⤵
PID:2752

C:\Windows\system\SVCHOST.EXE
C:\Windows\system\SVCHOST.EXE -s
4⤵
PID:1772

C:\Windows\SysWOW64\EBRR.EXE
C:\Windows\system32\EBRR.EXE -s
4⤵
PID:1964

C:\Windows\SysWOW64\mmtask.exe
C:\Windows\system32\mmtask.exe -s
4⤵
PID:2252

C:\Windows\SVCHOST.EXE
C:\Windows\SVCHOST.EXE -s
4⤵
PID:900

C:\Windows\system\SVCHOST.EXE
C:\Windows\system\SVCHOST.EXE -s
4⤵
PID:2028

C:\Windows\SysWOW64\EBRR.EXE
C:\Windows\system32\EBRR.EXE -s
4⤵
PID:964

C:\Windows\SysWOW64\mmtask.exe
C:\Windows\system32\mmtask.exe -s
4⤵
PID:2128

C:\Windows\SVCHOST.EXE
C:\Windows\SVCHOST.EXE -s
4⤵
PID:1584

C:\Windows\system\SVCHOST.EXE
C:\Windows\system\SVCHOST.EXE -s
4⤵
PID:1568

C:\Windows\SysWOW64\EBRR.EXE
C:\Windows\system32\EBRR.EXE -s
4⤵
PID:2904

C:\Windows\SysWOW64\mmtask.exe
C:\Windows\system32\mmtask.exe -s
4⤵
PID:2748

C:\Windows\SVCHOST.EXE
C:\Windows\SVCHOST.EXE -s
4⤵
PID:2776

C:\Windows\system\SVCHOST.EXE
C:\Windows\system\SVCHOST.EXE -s
4⤵
PID:1500

C:\Windows\SysWOW64\EBRR.EXE
C:\Windows\system32\EBRR.EXE -s
4⤵
PID:2380

C:\Windows\SysWOW64\mmtask.exe
C:\Windows\system32\mmtask.exe -s
4⤵
PID:660

C:\Windows\SVCHOST.EXE
C:\Windows\SVCHOST.EXE -s
4⤵
PID:2352

C:\Windows\system\SVCHOST.EXE
C:\Windows\system\SVCHOST.EXE -s
4⤵
PID:1856

C:\Windows\SysWOW64\EBRR.EXE
C:\Windows\system32\EBRR.EXE -s
4⤵
PID:2112

C:\Windows\SysWOW64\mmtask.exe
C:\Windows\system32\mmtask.exe -s
4⤵
- Modifies WinLogon for persistence
PID:1052

C:\Windows\SVCHOST.EXE
C:\Windows\SVCHOST.EXE -s
4⤵
PID:2600

C:\Windows\system\SVCHOST.EXE
C:\Windows\system\SVCHOST.EXE -s
4⤵
PID:2688

C:\Windows\SysWOW64\EBRR.EXE
C:\Windows\system32\EBRR.EXE -s
4⤵
PID:840

C:\Windows\SysWOW64\mmtask.exe
C:\Windows\system32\mmtask.exe -s
4⤵
PID:2548

C:\Windows\SVCHOST.EXE
C:\Windows\SVCHOST.EXE -s
4⤵
PID:2452

C:\Windows\system\SVCHOST.EXE
C:\Windows\system\SVCHOST.EXE -s
4⤵
PID:1548

C:\Windows\SysWOW64\EBRR.EXE
C:\Windows\system32\EBRR.EXE -s
4⤵
PID:2496

C:\Windows\SysWOW64\mmtask.exe
C:\Windows\system32\mmtask.exe -s
4⤵
PID:2316

C:\Windows\SVCHOST.EXE
C:\Windows\SVCHOST.EXE -s
4⤵
PID:2376

C:\Windows\system\SVCHOST.EXE
C:\Windows\system\SVCHOST.EXE -s
4⤵
PID:2368

C:\Windows\SysWOW64\EBRR.EXE
C:\Windows\system32\EBRR.EXE -s
4⤵
PID:1480

C:\Windows\SysWOW64\mmtask.exe
C:\Windows\system32\mmtask.exe -s
4⤵
PID:948

C:\Windows\SVCHOST.EXE
C:\Windows\SVCHOST.EXE -s
4⤵
PID:1592

C:\Windows\system\SVCHOST.EXE
C:\Windows\system\SVCHOST.EXE -s
4⤵
PID:2848

C:\Windows\SysWOW64\EBRR.EXE
C:\Windows\system32\EBRR.EXE -s
4⤵
PID:1664

C:\Windows\SysWOW64\mmtask.exe
C:\Windows\system32\mmtask.exe -s
4⤵
PID:928

C:\Windows\SVCHOST.EXE
C:\Windows\SVCHOST.EXE -s
4⤵
PID:2548

C:\Windows\system\SVCHOST.EXE
C:\Windows\system\SVCHOST.EXE -s
4⤵
PID:2268

C:\Windows\SysWOW64\EBRR.EXE
C:\Windows\system32\EBRR.EXE -s
4⤵
PID:1984

C:\Windows\SysWOW64\mmtask.exe
C:\Windows\system32\mmtask.exe -s
4⤵
PID:2012

C:\Windows\SVCHOST.EXE
C:\Windows\SVCHOST.EXE -s
4⤵
PID:2700

C:\Windows\system\SVCHOST.EXE
C:\Windows\system\SVCHOST.EXE -s
4⤵
PID:1964

C:\Windows\SysWOW64\EBRR.EXE
C:\Windows\system32\EBRR.EXE -s
4⤵
PID:1044

C:\Windows\SysWOW64\mmtask.exe
C:\Windows\system32\mmtask.exe -s
4⤵
PID:748

C:\Windows\SVCHOST.EXE
C:\Windows\SVCHOST.EXE -s
4⤵
PID:2584

C:\Windows\system\SVCHOST.EXE
C:\Windows\system\SVCHOST.EXE -s
4⤵
PID:1816

C:\Windows\SysWOW64\EBRR.EXE
C:\Windows\system32\EBRR.EXE -s
4⤵
PID:2128

C:\Windows\SysWOW64\mmtask.exe
C:\Windows\system32\mmtask.exe -s
4⤵
PID:2416

C:\Windows\SVCHOST.EXE
C:\Windows\SVCHOST.EXE -s
4⤵
PID:2672

C:\Windows\system\SVCHOST.EXE
C:\Windows\system\SVCHOST.EXE -s
4⤵
PID:2428

C:\Windows\SysWOW64\EBRR.EXE
C:\Windows\system32\EBRR.EXE -s
4⤵
PID:2572

C:\Windows\SysWOW64\mmtask.exe
C:\Windows\system32\mmtask.exe -s
4⤵
PID:1700

C:\Windows\SVCHOST.EXE
C:\Windows\SVCHOST.EXE -s
4⤵
PID:1768

C:\Windows\system\SVCHOST.EXE
C:\Windows\system\SVCHOST.EXE -s
4⤵
PID:2320

C:\Windows\SysWOW64\EBRR.EXE
C:\Windows\system32\EBRR.EXE -s
4⤵
PID:2376

C:\Windows\SysWOW64\mmtask.exe
C:\Windows\system32\mmtask.exe -s
4⤵
PID:648

C:\Windows\SVCHOST.EXE
C:\Windows\SVCHOST.EXE -s
4⤵
PID:2824

C:\Windows\system\SVCHOST.EXE
C:\Windows\system\SVCHOST.EXE -s
4⤵
PID:2164

C:\Windows\SysWOW64\EBRR.EXE
C:\Windows\system32\EBRR.EXE -s
4⤵
PID:1520

C:\Windows\SysWOW64\mmtask.exe
C:\Windows\system32\mmtask.exe -s
4⤵
PID:2952

C:\Windows\SVCHOST.EXE
C:\Windows\SVCHOST.EXE -s
4⤵
PID:2500

C:\Windows\system\SVCHOST.EXE
C:\Windows\system\SVCHOST.EXE -s
4⤵
PID:2000

C:\Windows\SysWOW64\EBRR.EXE
C:\Windows\system32\EBRR.EXE -s
4⤵
PID:2680

C:\Windows\SysWOW64\mmtask.exe
C:\Windows\system32\mmtask.exe -s
4⤵
PID:3024

C:\Windows\SVCHOST.EXE
C:\Windows\SVCHOST.EXE -s
4⤵
PID:1696

C:\Windows\system\SVCHOST.EXE
C:\Windows\system\SVCHOST.EXE -s
4⤵
PID:2580

C:\Windows\SysWOW64\EBRR.EXE
C:\Windows\system32\EBRR.EXE -s
4⤵
PID:1564

C:\Windows\SysWOW64\mmtask.exe
C:\Windows\system32\mmtask.exe -s
4⤵
PID:660

C:\Windows\SVCHOST.EXE
C:\Windows\SVCHOST.EXE -s
4⤵
PID:1304

C:\Windows\system\SVCHOST.EXE
C:\Windows\system\SVCHOST.EXE -s
4⤵
PID:1396

C:\Windows\SysWOW64\EBRR.EXE
C:\Windows\system32\EBRR.EXE -s
4⤵
PID:1328

C:\Windows\SysWOW64\mmtask.exe
C:\Windows\system32\mmtask.exe -s
4⤵
PID:3032

C:\Windows\SVCHOST.EXE
C:\Windows\SVCHOST.EXE -s
4⤵
PID:1224

C:\Windows\system\SVCHOST.EXE
C:\Windows\system\SVCHOST.EXE -s
4⤵
PID:476

C:\Windows\SysWOW64\EBRR.EXE
C:\Windows\system32\EBRR.EXE -s
4⤵
PID:948

C:\Windows\SysWOW64\mmtask.exe
C:\Windows\system32\mmtask.exe -s
4⤵
PID:1936

C:\Windows\SVCHOST.EXE
C:\Windows\SVCHOST.EXE -s
4⤵
PID:2628

C:\Windows\system\SVCHOST.EXE
C:\Windows\system\SVCHOST.EXE -s
4⤵
PID:2608

C:\Windows\SysWOW64\EBRR.EXE
C:\Windows\system32\EBRR.EXE -s
4⤵
PID:1980

C:\Windows\SysWOW64\mmtask.exe
C:\Windows\system32\mmtask.exe -s
4⤵
PID:1788

C:\Windows\SVCHOST.EXE
C:\Windows\SVCHOST.EXE -s
4⤵
PID:1732

C:\Windows\system\SVCHOST.EXE
C:\Windows\system\SVCHOST.EXE -s
4⤵
PID:1996

C:\Windows\SysWOW64\EBRR.EXE
C:\Windows\system32\EBRR.EXE -s
4⤵
PID:2236

C:\Windows\SysWOW64\mmtask.exe
C:\Windows\system32\mmtask.exe -s
4⤵
PID:944

C:\Windows\SVCHOST.EXE
C:\Windows\SVCHOST.EXE -s
4⤵
PID:2188

C:\Windows\system\SVCHOST.EXE
C:\Windows\system\SVCHOST.EXE -s
4⤵
PID:2252

C:\Windows\SysWOW64\EBRR.EXE
C:\Windows\system32\EBRR.EXE -s
4⤵
PID:1568

C:\Windows\SysWOW64\mmtask.exe
C:\Windows\system32\mmtask.exe -s
4⤵
PID:872

C:\Windows\SVCHOST.EXE
C:\Windows\SVCHOST.EXE -s
4⤵
PID:2348

C:\Windows\system\SVCHOST.EXE
C:\Windows\system\SVCHOST.EXE -s
4⤵
PID:1476

C:\Windows\SysWOW64\EBRR.EXE
C:\Windows\system32\EBRR.EXE -s
4⤵
PID:2708

C:\Windows\SysWOW64\mmtask.exe
C:\Windows\system32\mmtask.exe -s
4⤵
PID:2696

C:\Windows\SVCHOST.EXE
C:\Windows\SVCHOST.EXE -s
4⤵
PID:1648

C:\Windows\system\SVCHOST.EXE
C:\Windows\system\SVCHOST.EXE -s
4⤵
PID:1808

C:\Windows\SysWOW64\EBRR.EXE
C:\Windows\system32\EBRR.EXE -s
4⤵
PID:1468

C:\Windows\SysWOW64\mmtask.exe
C:\Windows\system32\mmtask.exe -s
4⤵
PID:836

C:\Windows\SVCHOST.EXE
C:\Windows\SVCHOST.EXE -s
4⤵
PID:2740

C:\Windows\system\SVCHOST.EXE
C:\Windows\system\SVCHOST.EXE -s
4⤵
PID:1336

C:\Windows\SysWOW64\EBRR.EXE
C:\Windows\system32\EBRR.EXE -s
4⤵
PID:2020

C:\Windows\SysWOW64\mmtask.exe
C:\Windows\system32\mmtask.exe -s
4⤵
PID:2896

C:\Windows\SVCHOST.EXE
C:\Windows\SVCHOST.EXE -s
4⤵
PID:2816

C:\Windows\system\SVCHOST.EXE
C:\Windows\system\SVCHOST.EXE -s
4⤵
PID:2720

C:\Windows\SysWOW64\EBRR.EXE
C:\Windows\system32\EBRR.EXE -s
4⤵
PID:2464

C:\Windows\SysWOW64\mmtask.exe
C:\Windows\system32\mmtask.exe -s
4⤵
PID:2412

C:\Windows\SVCHOST.EXE
C:\Windows\SVCHOST.EXE -s
4⤵
PID:2500

C:\Windows\system\SVCHOST.EXE
C:\Windows\system\SVCHOST.EXE -s
4⤵
PID:2788

C:\Windows\SysWOW64\EBRR.EXE
C:\Windows\system32\EBRR.EXE -s
4⤵
PID:1792

C:\Windows\SysWOW64\mmtask.exe
C:\Windows\system32\mmtask.exe -s
4⤵
PID:1812

C:\Windows\SVCHOST.EXE
C:\Windows\SVCHOST.EXE -s
4⤵
PID:3044

C:\Windows\system\SVCHOST.EXE
C:\Windows\system\SVCHOST.EXE -s
4⤵
PID:1116

C:\Windows\SysWOW64\EBRR.EXE
C:\Windows\system32\EBRR.EXE -s
4⤵
PID:2984

C:\Windows\SysWOW64\mmtask.exe
C:\Windows\system32\mmtask.exe -s
4⤵
PID:2340

C:\Windows\SVCHOST.EXE
C:\Windows\SVCHOST.EXE -s
4⤵
PID:2504

C:\Windows\system\SVCHOST.EXE
C:\Windows\system\SVCHOST.EXE -s
4⤵
PID:1856

C:\Windows\SysWOW64\EBRR.EXE
C:\Windows\system32\EBRR.EXE -s
4⤵
PID:1556

C:\Windows\SysWOW64\mmtask.exe
C:\Windows\system32\mmtask.exe -s
4⤵
PID:1852

C:\Windows\SVCHOST.EXE
C:\Windows\SVCHOST.EXE -s
4⤵
PID:2220

C:\Windows\system\SVCHOST.EXE
C:\Windows\system\SVCHOST.EXE -s
4⤵
PID:1588

C:\Windows\SysWOW64\EBRR.EXE
C:\Windows\system32\EBRR.EXE -s
4⤵
PID:372

C:\Windows\SysWOW64\mmtask.exe
C:\Windows\system32\mmtask.exe -s
4⤵
PID:2924

C:\Windows\SVCHOST.EXE
C:\Windows\SVCHOST.EXE -s
4⤵
PID:928

C:\Windows\system\SVCHOST.EXE
C:\Windows\system\SVCHOST.EXE -s
4⤵
PID:2952

C:\Windows\SysWOW64\EBRR.EXE
C:\Windows\system32\EBRR.EXE -s
3⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:1396

C:\Windows\SysWOW64\mmtask.exe
C:\Windows\system32\mmtask.exe -s
3⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:2812

C:\Windows\SVCHOST.EXE
C:\Windows\SVCHOST.EXE -s
3⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:440

C:\Windows\system\SVCHOST.EXE
C:\Windows\system\SVCHOST.EXE -s
3⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:1756

C:\Windows\SVCHOST.EXE
C:\Windows\SVCHOST.EXE -s
3⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:1716

C:\Windows\system\SVCHOST.EXE
C:\Windows\system\SVCHOST.EXE -s
3⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:2724

C:\Windows\SysWOW64\EBRR.EXE
C:\Windows\system32\EBRR.EXE -s
3⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:2680

C:\Windows\SysWOW64\mmtask.exe
C:\Windows\system32\mmtask.exe -s
3⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:2708

C:\Windows\SVCHOST.EXE
C:\Windows\SVCHOST.EXE -s
3⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:1100

C:\Windows\system\SVCHOST.EXE
C:\Windows\system\SVCHOST.EXE -s
3⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:2668

C:\Windows\SysWOW64\EBRR.EXE
C:\Windows\system32\EBRR.EXE -s
3⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:2084

C:\Windows\SysWOW64\mmtask.exe
C:\Windows\system32\mmtask.exe -s
3⤵
PID:2088

C:\Windows\SVCHOST.EXE
C:\Windows\SVCHOST.EXE -s
3⤵
PID:1676

C:\Windows\system\SVCHOST.EXE
C:\Windows\system\SVCHOST.EXE -s
3⤵
PID:1128

C:\Windows\SysWOW64\EBRR.EXE
C:\Windows\system32\EBRR.EXE -s
3⤵
PID:1524

C:\Windows\SysWOW64\mmtask.exe
C:\Windows\system32\mmtask.exe -s
3⤵
PID:2852

C:\Windows\SVCHOST.EXE
C:\Windows\SVCHOST.EXE -s
3⤵
PID:1592

C:\Windows\system\SVCHOST.EXE
C:\Windows\system\SVCHOST.EXE -s
3⤵
PID:2548

C:\Windows\SysWOW64\EBRR.EXE
C:\Windows\system32\EBRR.EXE -s
3⤵
PID:2680

C:\Windows\SysWOW64\mmtask.exe
C:\Windows\system32\mmtask.exe -s
3⤵
PID:1596

C:\Windows\SVCHOST.EXE
C:\Windows\SVCHOST.EXE -s
3⤵
PID:2876

C:\Windows\system\SVCHOST.EXE
C:\Windows\system\SVCHOST.EXE -s
3⤵
PID:552

C:\Windows\SysWOW64\EBRR.EXE
C:\Windows\system32\EBRR.EXE -s
3⤵
PID:2808

C:\Windows\SysWOW64\mmtask.exe
C:\Windows\system32\mmtask.exe -s
3⤵
PID:1724

C:\Windows\SVCHOST.EXE
C:\Windows\SVCHOST.EXE -s
3⤵
PID:1720

C:\Windows\system\SVCHOST.EXE
C:\Windows\system\SVCHOST.EXE -s
3⤵
PID:1816

C:\Windows\SysWOW64\EBRR.EXE
C:\Windows\system32\EBRR.EXE -s
3⤵
- Modifies WinLogon for persistence
PID:2780

C:\Windows\SysWOW64\mmtask.exe
C:\Windows\system32\mmtask.exe -s
3⤵
PID:2828

C:\Windows\SVCHOST.EXE
C:\Windows\SVCHOST.EXE -s
3⤵
PID:2704

C:\Windows\system\SVCHOST.EXE
C:\Windows\system\SVCHOST.EXE -s
3⤵
PID:1260

C:\Windows\SysWOW64\EBRR.EXE
C:\Windows\system32\EBRR.EXE -s
3⤵
PID:2676

C:\Windows\SysWOW64\mmtask.exe
C:\Windows\system32\mmtask.exe -s
3⤵
PID:2228

C:\Windows\SVCHOST.EXE
C:\Windows\SVCHOST.EXE -s
3⤵
PID:1960

C:\Windows\system\SVCHOST.EXE
C:\Windows\system\SVCHOST.EXE -s
3⤵
- Modifies WinLogon for persistence
PID:2644

C:\Windows\SysWOW64\EBRR.EXE
C:\Windows\system32\EBRR.EXE -s
3⤵
PID:2740

C:\Windows\SysWOW64\mmtask.exe
C:\Windows\system32\mmtask.exe -s
3⤵
PID:3036

C:\Windows\SVCHOST.EXE
C:\Windows\SVCHOST.EXE -s
3⤵
PID:1276

C:\Windows\system\SVCHOST.EXE
C:\Windows\system\SVCHOST.EXE -s
3⤵
PID:1640

C:\Windows\SysWOW64\EBRR.EXE
C:\Windows\system32\EBRR.EXE -s
3⤵
PID:1932

C:\Windows\SysWOW64\mmtask.exe
C:\Windows\system32\mmtask.exe -s
3⤵
PID:2748

C:\Windows\SVCHOST.EXE
C:\Windows\SVCHOST.EXE -s
3⤵
PID:2680

C:\Windows\system\SVCHOST.EXE
C:\Windows\system\SVCHOST.EXE -s
3⤵
PID:2904

C:\Windows\SysWOW64\EBRR.EXE
C:\Windows\system32\EBRR.EXE -s
3⤵
PID:2768

C:\Windows\SysWOW64\mmtask.exe
C:\Windows\system32\mmtask.exe -s
3⤵
PID:2644

C:\Windows\SVCHOST.EXE
C:\Windows\SVCHOST.EXE -s
3⤵
PID:1040

C:\Windows\system\SVCHOST.EXE
C:\Windows\system\SVCHOST.EXE -s
3⤵
PID:924

C:\Windows\SysWOW64\EBRR.EXE
C:\Windows\system32\EBRR.EXE -s
3⤵
PID:968

C:\Windows\SysWOW64\mmtask.exe
C:\Windows\system32\mmtask.exe -s
3⤵
PID:1816

C:\Windows\SVCHOST.EXE
C:\Windows\SVCHOST.EXE -s
3⤵
PID:1352

C:\Windows\system\SVCHOST.EXE
C:\Windows\system\SVCHOST.EXE -s
3⤵
PID:2832

C:\Windows\SysWOW64\EBRR.EXE
C:\Windows\system32\EBRR.EXE -s
3⤵
PID:1260

C:\Windows\SysWOW64\mmtask.exe
C:\Windows\system32\mmtask.exe -s
3⤵
PID:2428

C:\Windows\SVCHOST.EXE
C:\Windows\SVCHOST.EXE -s
3⤵
PID:2524

C:\Windows\system\SVCHOST.EXE
C:\Windows\system\SVCHOST.EXE -s
3⤵
PID:1960

C:\Windows\SysWOW64\EBRR.EXE
C:\Windows\system32\EBRR.EXE -s
3⤵
PID:1308

C:\Windows\SysWOW64\mmtask.exe
C:\Windows\system32\mmtask.exe -s
3⤵
PID:1512

C:\Windows\SVCHOST.EXE
C:\Windows\SVCHOST.EXE -s
3⤵
PID:2112

C:\Windows\system\SVCHOST.EXE
C:\Windows\system\SVCHOST.EXE -s
3⤵
PID:924

C:\Windows\SysWOW64\EBRR.EXE
C:\Windows\system32\EBRR.EXE -s
3⤵
PID:476

C:\Windows\SysWOW64\mmtask.exe
C:\Windows\system32\mmtask.exe -s
3⤵
PID:1584

C:\Windows\SVCHOST.EXE
C:\Windows\SVCHOST.EXE -s
3⤵
PID:1488

C:\Windows\system\SVCHOST.EXE
C:\Windows\system\SVCHOST.EXE -s
3⤵
PID:1624

C:\Windows\SysWOW64\EBRR.EXE
C:\Windows\system32\EBRR.EXE -s
3⤵
PID:1792

C:\Windows\SysWOW64\mmtask.exe
C:\Windows\system32\mmtask.exe -s
3⤵
PID:2440

C:\Windows\SVCHOST.EXE
C:\Windows\SVCHOST.EXE -s
3⤵
PID:1680

C:\Windows\system\SVCHOST.EXE
C:\Windows\system\SVCHOST.EXE -s
3⤵
PID:2480

C:\Windows\SysWOW64\EBRR.EXE
C:\Windows\system32\EBRR.EXE -s
3⤵
PID:1040

C:\Windows\SysWOW64\mmtask.exe
C:\Windows\system32\mmtask.exe -s
3⤵
PID:2504

C:\Windows\SVCHOST.EXE
C:\Windows\SVCHOST.EXE -s
3⤵
PID:2244

C:\Windows\system\SVCHOST.EXE
C:\Windows\system\SVCHOST.EXE -s
3⤵
PID:428

C:\Windows\SysWOW64\EBRR.EXE
C:\Windows\system32\EBRR.EXE -s
3⤵
PID:1816

C:\Windows\SysWOW64\mmtask.exe
C:\Windows\system32\mmtask.exe -s
3⤵
PID:1904

C:\Windows\SVCHOST.EXE
C:\Windows\SVCHOST.EXE -s
3⤵
PID:2568

C:\Windows\system\SVCHOST.EXE
C:\Windows\system\SVCHOST.EXE -s
3⤵
PID:2536

C:\Windows\SysWOW64\EBRR.EXE
C:\Windows\system32\EBRR.EXE -s
3⤵
PID:2716

C:\Windows\SysWOW64\mmtask.exe
C:\Windows\system32\mmtask.exe -s
3⤵
PID:2436

C:\Windows\SVCHOST.EXE
C:\Windows\SVCHOST.EXE -s
3⤵
PID:2512

C:\Windows\system\SVCHOST.EXE
C:\Windows\system\SVCHOST.EXE -s
3⤵
PID:1976

C:\Windows\SysWOW64\EBRR.EXE
C:\Windows\system32\EBRR.EXE -s
3⤵
PID:836

C:\Windows\SysWOW64\mmtask.exe
C:\Windows\system32\mmtask.exe -s
3⤵
PID:2368

C:\Windows\SVCHOST.EXE
C:\Windows\SVCHOST.EXE -s
3⤵
PID:2116

C:\Windows\system\SVCHOST.EXE
C:\Windows\system\SVCHOST.EXE -s
3⤵
PID:2768

C:\Windows\SysWOW64\EBRR.EXE
C:\Windows\system32\EBRR.EXE -s
3⤵
PID:920

C:\Windows\SysWOW64\mmtask.exe
C:\Windows\system32\mmtask.exe -s
3⤵
PID:1040

C:\Windows\SVCHOST.EXE
C:\Windows\SVCHOST.EXE -s
3⤵
PID:3032

C:\Windows\system\SVCHOST.EXE
C:\Windows\system\SVCHOST.EXE -s
3⤵
PID:2824

C:\Windows\SysWOW64\EBRR.EXE
C:\Windows\system32\EBRR.EXE -s
3⤵
PID:2924

C:\Windows\SysWOW64\mmtask.exe
C:\Windows\system32\mmtask.exe -s
3⤵
PID:1684

C:\Windows\SVCHOST.EXE
C:\Windows\SVCHOST.EXE -s
3⤵
PID:1588

C:\Windows\system\SVCHOST.EXE
C:\Windows\system\SVCHOST.EXE -s
3⤵
PID:2548

C:\Windows\SysWOW64\EBRR.EXE
C:\Windows\system32\EBRR.EXE -s
3⤵
PID:1596

C:\Windows\SysWOW64\mmtask.exe
C:\Windows\system32\mmtask.exe -s
3⤵
PID:2208

C:\Windows\SVCHOST.EXE
C:\Windows\SVCHOST.EXE -s
3⤵
PID:2496

C:\Windows\system\SVCHOST.EXE
C:\Windows\system\SVCHOST.EXE -s
3⤵
PID:2704

C:\Windows\SysWOW64\EBRR.EXE
C:\Windows\system32\EBRR.EXE -s
3⤵
PID:2644

C:\Windows\SysWOW64\mmtask.exe
C:\Windows\system32\mmtask.exe -s
3⤵
PID:2248

C:\Windows\SVCHOST.EXE
C:\Windows\SVCHOST.EXE -s
3⤵
PID:892

C:\Windows\system\SVCHOST.EXE
C:\Windows\system\SVCHOST.EXE -s
3⤵
PID:1740

C:\Windows\SysWOW64\EBRR.EXE
C:\Windows\system32\EBRR.EXE -s
3⤵
PID:1804

C:\Windows\SysWOW64\mmtask.exe
C:\Windows\system32\mmtask.exe -s
3⤵
PID:2444

C:\Windows\SVCHOST.EXE
C:\Windows\SVCHOST.EXE -s
3⤵
PID:1584

C:\Windows\system\SVCHOST.EXE
C:\Windows\system\SVCHOST.EXE -s
3⤵
PID:1624

C:\Windows\SysWOW64\EBRR.EXE
C:\Windows\system32\EBRR.EXE -s
3⤵
PID:2744

C:\Windows\SysWOW64\mmtask.exe
C:\Windows\system32\mmtask.exe -s
3⤵
PID:2436

C:\Windows\SVCHOST.EXE
C:\Windows\SVCHOST.EXE -s
3⤵
PID:1792

C:\Windows\system\SVCHOST.EXE
C:\Windows\system\SVCHOST.EXE -s
3⤵
PID:2440

C:\Windows\SysWOW64\EBRR.EXE
C:\Windows\system32\EBRR.EXE -s
3⤵
PID:2208

C:\Windows\SysWOW64\mmtask.exe
C:\Windows\system32\mmtask.exe -s
3⤵
- Modifies WinLogon for persistence
PID:2668

C:\Windows\SVCHOST.EXE
C:\Windows\SVCHOST.EXE -s
3⤵
PID:2364

C:\Windows\system\SVCHOST.EXE
C:\Windows\system\SVCHOST.EXE -s
3⤵
PID:440

C:\Windows\SysWOW64\EBRR.EXE
C:\Windows\system32\EBRR.EXE -s
3⤵
PID:1952

C:\Windows\SysWOW64\mmtask.exe
C:\Windows\system32\mmtask.exe -s
3⤵
PID:932

C:\Windows\SVCHOST.EXE
C:\Windows\SVCHOST.EXE -s
3⤵
PID:2280

C:\Windows\system\SVCHOST.EXE
C:\Windows\system\SVCHOST.EXE -s
3⤵
PID:1804

C:\Windows\SysWOW64\EBRR.EXE
C:\Windows\system32\EBRR.EXE -s
3⤵
PID:2464

C:\Windows\SysWOW64\mmtask.exe
C:\Windows\system32\mmtask.exe -s
3⤵
PID:2688

C:\Windows\SVCHOST.EXE
C:\Windows\SVCHOST.EXE -s
3⤵
PID:2540

C:\Windows\system\SVCHOST.EXE
C:\Windows\system\SVCHOST.EXE -s
3⤵
PID:2708

C:\Windows\SysWOW64\EBRR.EXE
C:\Windows\system32\EBRR.EXE -s
3⤵
PID:2228

C:\Windows\SysWOW64\mmtask.exe
C:\Windows\system32\mmtask.exe -s
3⤵
PID:1812

C:\Windows\SVCHOST.EXE
C:\Windows\SVCHOST.EXE -s
3⤵
PID:1784

C:\Windows\system\SVCHOST.EXE
C:\Windows\system\SVCHOST.EXE -s
3⤵
PID:324

C:\Windows\SysWOW64\EBRR.EXE
C:\Windows\system32\EBRR.EXE -s
3⤵
PID:2240

C:\Windows\SysWOW64\mmtask.exe
C:\Windows\system32\mmtask.exe -s
3⤵
PID:2812

C:\Windows\SVCHOST.EXE
C:\Windows\SVCHOST.EXE -s
3⤵
PID:440

C:\Windows\system\SVCHOST.EXE
C:\Windows\system\SVCHOST.EXE -s
3⤵
PID:3048

C:\Windows\SysWOW64\EBRR.EXE
C:\Windows\system32\EBRR.EXE -s
3⤵
PID:3052

C:\Windows\SysWOW64\mmtask.exe
C:\Windows\system32\mmtask.exe -s
3⤵
PID:2692

C:\Windows\SVCHOST.EXE
C:\Windows\SVCHOST.EXE -s
3⤵
PID:2728

C:\Windows\system\SVCHOST.EXE
C:\Windows\system\SVCHOST.EXE -s
3⤵
PID:2500

C:\Windows\SysWOW64\EBRR.EXE
C:\Windows\system32\EBRR.EXE -s
3⤵
PID:2608

C:\Windows\SysWOW64\mmtask.exe
C:\Windows\system32\mmtask.exe -s
3⤵
PID:2664

C:\Windows\SVCHOST.EXE
C:\Windows\SVCHOST.EXE -s
3⤵
PID:2964

C:\Windows\system\SVCHOST.EXE
C:\Windows\system\SVCHOST.EXE -s
3⤵
PID:1468

C:\Windows\SysWOW64\EBRR.EXE
C:\Windows\system32\EBRR.EXE -s
3⤵
PID:1136

C:\Windows\SysWOW64\mmtask.exe
C:\Windows\system32\mmtask.exe -s
3⤵
PID:1784

C:\Windows\SVCHOST.EXE
C:\Windows\SVCHOST.EXE -s
3⤵
PID:2148

C:\Windows\system\SVCHOST.EXE
C:\Windows\system\SVCHOST.EXE -s
3⤵
PID:2248

C:\Windows\SysWOW64\EBRR.EXE
C:\Windows\system32\EBRR.EXE -s
3⤵
PID:2020

C:\Windows\SysWOW64\mmtask.exe
C:\Windows\system32\mmtask.exe -s
3⤵
PID:3048

C:\Windows\SVCHOST.EXE
C:\Windows\SVCHOST.EXE -s
3⤵
PID:428

C:\Windows\system\SVCHOST.EXE
C:\Windows\system\SVCHOST.EXE -s
3⤵
PID:2292

C:\Windows\SysWOW64\EBRR.EXE
C:\Windows\system32\EBRR.EXE -s
3⤵
PID:2784

C:\Windows\SysWOW64\mmtask.exe
C:\Windows\system32\mmtask.exe -s
3⤵
PID:1152

C:\Windows\SVCHOST.EXE
C:\Windows\SVCHOST.EXE -s
3⤵
PID:1664

C:\Windows\system\SVCHOST.EXE
C:\Windows\system\SVCHOST.EXE -s
3⤵
PID:704

C:\Windows\SysWOW64\EBRR.EXE
C:\Windows\system32\EBRR.EXE -s
3⤵
PID:992

C:\Windows\SysWOW64\mmtask.exe
C:\Windows\system32\mmtask.exe -s
3⤵
PID:1984

C:\Windows\SVCHOST.EXE
C:\Windows\SVCHOST.EXE -s
3⤵
PID:2752

C:\Windows\system\SVCHOST.EXE
C:\Windows\system\SVCHOST.EXE -s
3⤵
PID:2380

C:\Windows\SysWOW64\EBRR.EXE
C:\Windows\system32\EBRR.EXE -s
3⤵
PID:1740

C:\Windows\SysWOW64\mmtask.exe
C:\Windows\system32\mmtask.exe -s
3⤵
PID:2164

C:\Windows\SVCHOST.EXE
C:\Windows\SVCHOST.EXE -s
3⤵
PID:1364

C:\Windows\system\SVCHOST.EXE
C:\Windows\system\SVCHOST.EXE -s
3⤵
PID:924

C:\Windows\SysWOW64\EBRR.EXE
C:\Windows\system32\EBRR.EXE -s
3⤵
PID:2916

C:\Windows\SysWOW64\mmtask.exe
C:\Windows\system32\mmtask.exe -s
3⤵
PID:2140

C:\Windows\SVCHOST.EXE
C:\Windows\SVCHOST.EXE -s
3⤵
PID:2952

C:\Windows\system\SVCHOST.EXE
C:\Windows\system\SVCHOST.EXE -s
3⤵
PID:2144

C:\Windows\SysWOW64\EBRR.EXE
C:\Windows\system32\EBRR.EXE -s
3⤵
PID:1048

C:\Windows\SysWOW64\mmtask.exe
C:\Windows\system32\mmtask.exe -s
3⤵
PID:2256

C:\Windows\SVCHOST.EXE
C:\Windows\SVCHOST.EXE -s
3⤵
PID:1620

C:\Windows\system\SVCHOST.EXE
C:\Windows\system\SVCHOST.EXE -s
3⤵
PID:2512

C:\Windows\SysWOW64\EBRR.EXE
C:\Windows\system32\EBRR.EXE -s
3⤵
PID:1248

C:\Windows\SysWOW64\mmtask.exe
C:\Windows\system32\mmtask.exe -s
3⤵
PID:1116

C:\Windows\SVCHOST.EXE
C:\Windows\SVCHOST.EXE -s
3⤵
PID:2700

C:\Windows\system\SVCHOST.EXE
C:\Windows\system\SVCHOST.EXE -s
3⤵
PID:2632

C:\Windows\SysWOW64\EBRR.EXE
C:\Windows\system32\EBRR.EXE -s
3⤵
PID:1596

C:\Windows\SysWOW64\mmtask.exe
C:\Windows\system32\mmtask.exe -s
3⤵
PID:3036

C:\Windows\SVCHOST.EXE
C:\Windows\SVCHOST.EXE -s
3⤵
PID:1364

C:\Windows\system\SVCHOST.EXE
C:\Windows\system\SVCHOST.EXE -s
3⤵
PID:2112

C:\Windows\SysWOW64\EBRR.EXE
C:\Windows\system32\EBRR.EXE -s
3⤵
PID:2712

C:\Windows\SysWOW64\mmtask.exe
C:\Windows\system32\mmtask.exe -s
3⤵
PID:2968

C:\Windows\SVCHOST.EXE
C:\Windows\SVCHOST.EXE -s
3⤵
PID:1976

C:\Windows\system\SVCHOST.EXE
C:\Windows\system\SVCHOST.EXE -s
3⤵
PID:1152

C:\Windows\SysWOW64\EBRR.EXE
C:\Windows\system32\EBRR.EXE -s
3⤵
PID:1768

C:\Windows\SysWOW64\mmtask.exe
C:\Windows\system32\mmtask.exe -s
3⤵
PID:2200

C:\Windows\SVCHOST.EXE
C:\Windows\SVCHOST.EXE -s
3⤵
PID:1644

C:\Windows\system\SVCHOST.EXE
C:\Windows\system\SVCHOST.EXE -s
3⤵
PID:2792

C:\Windows\SysWOW64\EBRR.EXE
C:\Windows\system32\EBRR.EXE -s
3⤵
PID:676

C:\Windows\SysWOW64\mmtask.exe
C:\Windows\system32\mmtask.exe -s
3⤵
PID:2112

C:\Windows\SVCHOST.EXE
C:\Windows\SVCHOST.EXE -s
3⤵
PID:1052

C:\Windows\system\SVCHOST.EXE
C:\Windows\system\SVCHOST.EXE -s
3⤵
PID:2692

C:\Windows\SysWOW64\EBRR.EXE
C:\Windows\system32\EBRR.EXE -s
3⤵
PID:2348

C:\Windows\SysWOW64\mmtask.exe
C:\Windows\system32\mmtask.exe -s
3⤵
PID:2716

C:\Windows\SVCHOST.EXE
C:\Windows\SVCHOST.EXE -s
3⤵
PID:2268

C:\Windows\system\SVCHOST.EXE
C:\Windows\system\SVCHOST.EXE -s
3⤵
PID:2528

C:\Windows\SysWOW64\EBRR.EXE
C:\Windows\system32\EBRR.EXE -s
3⤵
PID:2484

C:\Windows\SysWOW64\mmtask.exe
C:\Windows\system32\mmtask.exe -s
3⤵
PID:1300

C:\Windows\SVCHOST.EXE
C:\Windows\SVCHOST.EXE -s
3⤵
PID:1464

C:\Windows\system\SVCHOST.EXE
C:\Windows\system\SVCHOST.EXE -s
3⤵
PID:1772

C:\Windows\SysWOW64\EBRR.EXE
C:\Windows\system32\EBRR.EXE -s
3⤵
PID:3040

C:\Windows\SysWOW64\mmtask.exe
C:\Windows\system32\mmtask.exe -s
3⤵
PID:1784

C:\Windows\SVCHOST.EXE
C:\Windows\SVCHOST.EXE -s
3⤵
PID:2644

C:\Windows\system\SVCHOST.EXE
C:\Windows\system\SVCHOST.EXE -s
3⤵
PID:1480

C:\Windows\SysWOW64\EBRR.EXE
C:\Windows\system32\EBRR.EXE -s
3⤵
PID:1484

C:\Windows\SysWOW64\mmtask.exe
C:\Windows\system32\mmtask.exe -s
3⤵
PID:1796

C:\Windows\SVCHOST.EXE
C:\Windows\SVCHOST.EXE -s
3⤵
PID:1532

C:\Windows\system\SVCHOST.EXE
C:\Windows\system\SVCHOST.EXE -s
3⤵
PID:948

C:\Windows\SysWOW64\EBRR.EXE
C:\Windows\system32\EBRR.EXE -s
3⤵
PID:1976

C:\Windows\SysWOW64\mmtask.exe
C:\Windows\system32\mmtask.exe -s
3⤵
PID:1664

C:\Windows\SysWOW64\mmtask.exe
C:\Windows\system32\mmtask.exe -s
2⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:1996

C:\Windows\SVCHOST.EXE
C:\Windows\SVCHOST.EXE -s
2⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:2240

C:\Windows\system\SVCHOST.EXE
C:\Windows\system\SVCHOST.EXE -s
2⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:2060

C:\Windows\SysWOW64\EBRR.EXE
C:\Windows\system32\EBRR.EXE -s
2⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:1856

C:\Windows\SysWOW64\mmtask.exe
C:\Windows\system32\mmtask.exe -s
2⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:2264

C:\Windows\SysWOW64\EBRR.EXE
C:\Windows\system32\EBRR.EXE -s
2⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:1664

C:\Windows\SysWOW64\mmtask.exe
C:\Windows\system32\mmtask.exe -s
2⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:2876

C:\Windows\SVCHOST.EXE
C:\Windows\SVCHOST.EXE -s
2⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:2512

C:\Windows\system\SVCHOST.EXE
C:\Windows\system\SVCHOST.EXE -s
2⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:2604

C:\Windows\SVCHOST.EXE
C:\Windows\SVCHOST.EXE -s
2⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:2572

C:\Windows\system\SVCHOST.EXE
C:\Windows\system\SVCHOST.EXE -s
2⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:2904

C:\Windows\SysWOW64\EBRR.EXE
C:\Windows\system32\EBRR.EXE -s
2⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:1040

C:\Windows\SysWOW64\mmtask.exe
C:\Windows\system32\mmtask.exe -s
2⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:604

C:\Windows\SVCHOST.EXE
C:\Windows\SVCHOST.EXE -s
2⤵
PID:1600

C:\Windows\system\SVCHOST.EXE
C:\Windows\system\SVCHOST.EXE -s
2⤵
PID:428

C:\Windows\SysWOW64\EBRR.EXE
C:\Windows\system32\EBRR.EXE -s
2⤵
PID:2584

C:\Windows\SysWOW64\mmtask.exe
C:\Windows\system32\mmtask.exe -s
2⤵
PID:1364

C:\Windows\SVCHOST.EXE
C:\Windows\SVCHOST.EXE -s
2⤵
- Modifies WinLogon for persistence
PID:2300

C:\Windows\system\SVCHOST.EXE
C:\Windows\system\SVCHOST.EXE -s
2⤵
PID:2952

C:\Windows\SysWOW64\EBRR.EXE
C:\Windows\system32\EBRR.EXE -s
2⤵
PID:2424

C:\Windows\SysWOW64\mmtask.exe
C:\Windows\system32\mmtask.exe -s
2⤵
PID:2572

C:\Windows\SVCHOST.EXE
C:\Windows\SVCHOST.EXE -s
2⤵
PID:2524

C:\Windows\system\SVCHOST.EXE
C:\Windows\system\SVCHOST.EXE -s
2⤵
PID:2408

C:\Windows\SysWOW64\EBRR.EXE
C:\Windows\system32\EBRR.EXE -s
2⤵
PID:1964

C:\Windows\SysWOW64\mmtask.exe
C:\Windows\system32\mmtask.exe -s
2⤵
PID:2084

C:\Windows\SVCHOST.EXE
C:\Windows\SVCHOST.EXE -s
2⤵
PID:1512

C:\Windows\system\SVCHOST.EXE
C:\Windows\system\SVCHOST.EXE -s
2⤵
PID:532

C:\Windows\SysWOW64\EBRR.EXE
C:\Windows\system32\EBRR.EXE -s
2⤵
PID:872

C:\Windows\SysWOW64\mmtask.exe
C:\Windows\system32\mmtask.exe -s
2⤵
PID:2912

C:\Windows\SVCHOST.EXE
C:\Windows\SVCHOST.EXE -s
2⤵
PID:2608

C:\Windows\system\SVCHOST.EXE
C:\Windows\system\SVCHOST.EXE -s
2⤵
PID:2412

C:\Windows\SysWOW64\EBRR.EXE
C:\Windows\system32\EBRR.EXE -s
2⤵
PID:2480

C:\Windows\SysWOW64\mmtask.exe
C:\Windows\system32\mmtask.exe -s
2⤵
PID:3056

C:\Windows\SVCHOST.EXE
C:\Windows\SVCHOST.EXE -s
2⤵
PID:2352

C:\Windows\system\SVCHOST.EXE
C:\Windows\system\SVCHOST.EXE -s
2⤵
PID:2044

C:\Windows\SysWOW64\EBRR.EXE
C:\Windows\system32\EBRR.EXE -s
2⤵
PID:1852

C:\Windows\SysWOW64\mmtask.exe
C:\Windows\system32\mmtask.exe -s
2⤵
PID:1328

C:\Windows\SVCHOST.EXE
C:\Windows\SVCHOST.EXE -s
2⤵
PID:1604

C:\Windows\system\SVCHOST.EXE
C:\Windows\system\SVCHOST.EXE -s
2⤵
PID:1912

C:\Windows\SysWOW64\EBRR.EXE
C:\Windows\system32\EBRR.EXE -s
2⤵
PID:1756

C:\Windows\SysWOW64\mmtask.exe
C:\Windows\system32\mmtask.exe -s
2⤵
PID:2852

C:\Windows\SVCHOST.EXE
C:\Windows\SVCHOST.EXE -s
2⤵
PID:2688

C:\Windows\system\SVCHOST.EXE
C:\Windows\system\SVCHOST.EXE -s
2⤵
PID:2220

C:\Windows\SysWOW64\EBRR.EXE
C:\Windows\system32\EBRR.EXE -s
2⤵
PID:1492

C:\Windows\SysWOW64\mmtask.exe
C:\Windows\system32\mmtask.exe -s
2⤵
PID:580

C:\Windows\SVCHOST.EXE
C:\Windows\SVCHOST.EXE -s
2⤵
PID:2732

C:\Windows\system\SVCHOST.EXE
C:\Windows\system\SVCHOST.EXE -s
2⤵
PID:1644

C:\Windows\SysWOW64\EBRR.EXE
C:\Windows\system32\EBRR.EXE -s
2⤵
PID:2624

C:\Windows\SysWOW64\mmtask.exe
C:\Windows\system32\mmtask.exe -s
2⤵
PID:2352

C:\Windows\SVCHOST.EXE
C:\Windows\SVCHOST.EXE -s
2⤵
PID:2816

C:\Windows\system\SVCHOST.EXE
C:\Windows\system\SVCHOST.EXE -s
2⤵
PID:2812

C:\Windows\SysWOW64\EBRR.EXE
C:\Windows\system32\EBRR.EXE -s
2⤵
PID:1544

C:\Windows\SysWOW64\mmtask.exe
C:\Windows\system32\mmtask.exe -s
2⤵
PID:2016

C:\Windows\SVCHOST.EXE
C:\Windows\SVCHOST.EXE -s
2⤵
PID:1684

C:\Windows\system\SVCHOST.EXE
C:\Windows\system\SVCHOST.EXE -s
2⤵
PID:2892

C:\Windows\SysWOW64\EBRR.EXE
C:\Windows\system32\EBRR.EXE -s
2⤵
PID:2540

C:\Windows\SysWOW64\mmtask.exe
C:\Windows\system32\mmtask.exe -s
2⤵
PID:2300

C:\Windows\SVCHOST.EXE
C:\Windows\SVCHOST.EXE -s
2⤵
PID:2676

C:\Windows\system\SVCHOST.EXE
C:\Windows\system\SVCHOST.EXE -s
2⤵
PID:2452

C:\Windows\SysWOW64\EBRR.EXE
C:\Windows\system32\EBRR.EXE -s
2⤵
PID:1628

C:\Windows\SysWOW64\mmtask.exe
C:\Windows\system32\mmtask.exe -s
2⤵
PID:2064

C:\Windows\SVCHOST.EXE
C:\Windows\SVCHOST.EXE -s
2⤵
PID:2156

C:\Windows\system\SVCHOST.EXE
C:\Windows\system\SVCHOST.EXE -s
2⤵
PID:1032

C:\Windows\SysWOW64\EBRR.EXE
C:\Windows\system32\EBRR.EXE -s
2⤵
PID:768

C:\Windows\SysWOW64\mmtask.exe
C:\Windows\system32\mmtask.exe -s
2⤵
PID:1668

C:\Windows\SVCHOST.EXE
C:\Windows\SVCHOST.EXE -s
2⤵
PID:1520

C:\Windows\system\SVCHOST.EXE
C:\Windows\system\SVCHOST.EXE -s
2⤵
PID:1504

C:\Windows\SysWOW64\EBRR.EXE
C:\Windows\system32\EBRR.EXE -s
2⤵
PID:2900

C:\Windows\SysWOW64\mmtask.exe
C:\Windows\system32\mmtask.exe -s
2⤵
PID:1976

C:\Windows\SVCHOST.EXE
C:\Windows\SVCHOST.EXE -s
2⤵
PID:2572

C:\Windows\system\SVCHOST.EXE
C:\Windows\system\SVCHOST.EXE -s
2⤵
PID:1696

C:\Windows\SysWOW64\EBRR.EXE
C:\Windows\system32\EBRR.EXE -s
2⤵
PID:2408

C:\Windows\SysWOW64\mmtask.exe
C:\Windows\system32\mmtask.exe -s
2⤵
PID:1136

C:\Windows\SVCHOST.EXE
C:\Windows\SVCHOST.EXE -s
2⤵
PID:1512

C:\Windows\system\SVCHOST.EXE
C:\Windows\system\SVCHOST.EXE -s
2⤵
PID:600

C:\Windows\SysWOW64\EBRR.EXE
C:\Windows\system32\EBRR.EXE -s
2⤵
PID:2132

C:\Windows\SysWOW64\mmtask.exe
C:\Windows\system32\mmtask.exe -s
2⤵
PID:2848

C:\Windows\SVCHOST.EXE
C:\Windows\SVCHOST.EXE -s
2⤵
PID:1352

C:\Windows\system\SVCHOST.EXE
C:\Windows\system\SVCHOST.EXE -s
2⤵
PID:1912

C:\Windows\SysWOW64\EBRR.EXE
C:\Windows\system32\EBRR.EXE -s
2⤵
PID:2256

C:\Windows\SysWOW64\mmtask.exe
C:\Windows\system32\mmtask.exe -s
2⤵
PID:2836

C:\Windows\SVCHOST.EXE
C:\Windows\SVCHOST.EXE -s
2⤵
PID:2572

C:\Windows\system\SVCHOST.EXE
C:\Windows\system\SVCHOST.EXE -s
2⤵
PID:2208

C:\Windows\SysWOW64\EBRR.EXE
C:\Windows\system32\EBRR.EXE -s
2⤵
PID:2604

C:\Windows\SysWOW64\mmtask.exe
C:\Windows\system32\mmtask.exe -s
2⤵
PID:2480

C:\Windows\SVCHOST.EXE
C:\Windows\SVCHOST.EXE -s
2⤵
PID:2044

C:\Windows\system\SVCHOST.EXE
C:\Windows\system\SVCHOST.EXE -s
2⤵
PID:3048

C:\Windows\SysWOW64\EBRR.EXE
C:\Windows\system32\EBRR.EXE -s
2⤵
PID:1740

C:\Windows\SysWOW64\mmtask.exe
C:\Windows\system32\mmtask.exe -s
2⤵
PID:2244

C:\Windows\SVCHOST.EXE
C:\Windows\SVCHOST.EXE -s
2⤵
PID:1604

C:\Windows\system\SVCHOST.EXE
C:\Windows\system\SVCHOST.EXE -s
2⤵
PID:1364

C:\Windows\SysWOW64\EBRR.EXE
C:\Windows\system32\EBRR.EXE -s
2⤵
PID:1592

C:\Windows\SysWOW64\mmtask.exe
C:\Windows\system32\mmtask.exe -s
2⤵
PID:2500

C:\Windows\SVCHOST.EXE
C:\Windows\SVCHOST.EXE -s
2⤵
PID:2532

C:\Windows\system\SVCHOST.EXE
C:\Windows\system\SVCHOST.EXE -s
2⤵
PID:2628

C:\Windows\SysWOW64\EBRR.EXE
C:\Windows\system32\EBRR.EXE -s
2⤵
PID:2872

C:\Windows\SysWOW64\mmtask.exe
C:\Windows\system32\mmtask.exe -s
2⤵
PID:2572

C:\Windows\SVCHOST.EXE
C:\Windows\SVCHOST.EXE -s
2⤵
PID:2760

C:\Windows\system\SVCHOST.EXE
C:\Windows\system\SVCHOST.EXE -s
2⤵
PID:1808

C:\Windows\SysWOW64\EBRR.EXE
C:\Windows\system32\EBRR.EXE -s
2⤵
PID:1444

C:\Windows\SysWOW64\mmtask.exe
C:\Windows\system32\mmtask.exe -s
2⤵
PID:2480

C:\Windows\SVCHOST.EXE
C:\Windows\SVCHOST.EXE -s
2⤵
PID:2084

C:\Windows\system\SVCHOST.EXE
C:\Windows\system\SVCHOST.EXE -s
2⤵
PID:752

C:\Windows\SysWOW64\EBRR.EXE
C:\Windows\system32\EBRR.EXE -s
2⤵
PID:968

C:\Windows\SysWOW64\mmtask.exe
C:\Windows\system32\mmtask.exe -s
2⤵
- Modifies WinLogon for persistence
PID:1516

C:\Windows\SVCHOST.EXE
C:\Windows\SVCHOST.EXE -s
2⤵
- Modifies WinLogon for persistence
PID:2536

C:\Windows\system\SVCHOST.EXE
C:\Windows\system\SVCHOST.EXE -s
2⤵
PID:2384

C:\Windows\SysWOW64\EBRR.EXE
C:\Windows\system32\EBRR.EXE -s
2⤵
PID:2856

C:\Windows\SysWOW64\mmtask.exe
C:\Windows\system32\mmtask.exe -s
2⤵
PID:2580

C:\Windows\SVCHOST.EXE
C:\Windows\SVCHOST.EXE -s
2⤵
PID:1996

C:\Windows\system\SVCHOST.EXE
C:\Windows\system\SVCHOST.EXE -s
2⤵
PID:2760

C:\Windows\SysWOW64\EBRR.EXE
C:\Windows\system32\EBRR.EXE -s
2⤵
PID:2868

C:\Windows\SysWOW64\mmtask.exe
C:\Windows\system32\mmtask.exe -s
2⤵
PID:2408

C:\Windows\SVCHOST.EXE
C:\Windows\SVCHOST.EXE -s
2⤵
PID:1132

C:\Windows\system\SVCHOST.EXE
C:\Windows\system\SVCHOST.EXE -s
2⤵
PID:892

C:\Windows\SysWOW64\EBRR.EXE
C:\Windows\system32\EBRR.EXE -s
2⤵
PID:2584

C:\Windows\SysWOW64\mmtask.exe
C:\Windows\system32\mmtask.exe -s
2⤵
PID:1852

C:\Windows\SVCHOST.EXE
C:\Windows\SVCHOST.EXE -s
2⤵
PID:1832

C:\Windows\system\SVCHOST.EXE
C:\Windows\system\SVCHOST.EXE -s
2⤵
PID:1012

C:\Windows\SysWOW64\EBRR.EXE
C:\Windows\system32\EBRR.EXE -s
2⤵
PID:2716

C:\Windows\SysWOW64\mmtask.exe
C:\Windows\system32\mmtask.exe -s
2⤵
PID:1728

C:\Windows\SVCHOST.EXE
C:\Windows\SVCHOST.EXE -s
2⤵
PID:1788

C:\Windows\system\SVCHOST.EXE
C:\Windows\system\SVCHOST.EXE -s
2⤵
PID:2904

C:\Windows\SysWOW64\EBRR.EXE
C:\Windows\system32\EBRR.EXE -s
2⤵
PID:836

C:\Windows\SysWOW64\mmtask.exe
C:\Windows\system32\mmtask.exe -s
2⤵
PID:1304

C:\Windows\SVCHOST.EXE
C:\Windows\SVCHOST.EXE -s
2⤵
PID:1992

C:\Windows\system\SVCHOST.EXE
C:\Windows\system\SVCHOST.EXE -s
2⤵
PID:2376

C:\Windows\SysWOW64\EBRR.EXE
C:\Windows\system32\EBRR.EXE -s
2⤵
PID:2340

C:\Windows\SysWOW64\mmtask.exe
C:\Windows\system32\mmtask.exe -s
2⤵
PID:532

C:\Windows\SVCHOST.EXE
C:\Windows\SVCHOST.EXE -s
2⤵
PID:972

C:\Windows\system\SVCHOST.EXE
C:\Windows\system\SVCHOST.EXE -s
2⤵
PID:2292

C:\Windows\SysWOW64\EBRR.EXE
C:\Windows\system32\EBRR.EXE -s
2⤵
PID:920

C:\Windows\SysWOW64\mmtask.exe
C:\Windows\system32\mmtask.exe -s
2⤵
PID:2384

C:\Windows\SVCHOST.EXE
C:\Windows\SVCHOST.EXE -s
2⤵
PID:692

C:\Windows\system\SVCHOST.EXE
C:\Windows\system\SVCHOST.EXE -s
2⤵
PID:2420

C:\Windows\SysWOW64\EBRR.EXE
C:\Windows\system32\EBRR.EXE -s
2⤵
PID:840

C:\Windows\SysWOW64\mmtask.exe
C:\Windows\system32\mmtask.exe -s
2⤵
PID:2528

C:\Windows\SVCHOST.EXE
C:\Windows\SVCHOST.EXE -s
2⤵
PID:2580

C:\Windows\system\SVCHOST.EXE
C:\Windows\system\SVCHOST.EXE -s
2⤵
PID:1860

C:\Windows\SysWOW64\EBRR.EXE
C:\Windows\system32\EBRR.EXE -s
2⤵
PID:2820

C:\Windows\SysWOW64\mmtask.exe
C:\Windows\system32\mmtask.exe -s
2⤵
PID:2408

C:\Windows\SVCHOST.EXE
C:\Windows\SVCHOST.EXE -s
2⤵
PID:892

C:\Windows\system\SVCHOST.EXE
C:\Windows\system\SVCHOST.EXE -s
2⤵
PID:2060

C:\Windows\SysWOW64\EBRR.EXE
C:\Windows\system32\EBRR.EXE -s
2⤵
PID:1708

C:\Windows\SysWOW64\mmtask.exe
C:\Windows\system32\mmtask.exe -s
2⤵
PID:2444

C:\Windows\SVCHOST.EXE
C:\Windows\SVCHOST.EXE -s
2⤵
PID:1592

C:\Windows\system\SVCHOST.EXE
C:\Windows\system\SVCHOST.EXE -s
2⤵
PID:1488

C:\Windows\SysWOW64\EBRR.EXE
C:\Windows\system32\EBRR.EXE -s
2⤵
PID:2436

C:\Windows\SysWOW64\mmtask.exe
C:\Windows\system32\mmtask.exe -s
2⤵
PID:1788

C:\Windows\SVCHOST.EXE
C:\Windows\SVCHOST.EXE -s
2⤵
PID:1792

C:\Windows\system\SVCHOST.EXE
C:\Windows\system\SVCHOST.EXE -s
2⤵
PID:2548

C:\Windows\SysWOW64\EBRR.EXE
C:\Windows\system32\EBRR.EXE -s
2⤵
PID:2868

C:\Windows\SysWOW64\mmtask.exe
C:\Windows\system32\mmtask.exe -s
2⤵
PID:2236

C:\Windows\SVCHOST.EXE
C:\Windows\SVCHOST.EXE -s
2⤵
PID:2644

C:\Windows\system\SVCHOST.EXE
C:\Windows\system\SVCHOST.EXE -s
2⤵
PID:2084

C:\Windows\SysWOW64\EBRR.EXE
C:\Windows\system32\EBRR.EXE -s
2⤵
PID:2292

C:\Windows\SysWOW64\mmtask.exe
C:\Windows\system32\mmtask.exe -s
2⤵
PID:1504

C:\Windows\SVCHOST.EXE
C:\Windows\SVCHOST.EXE -s
2⤵
PID:2924

C:\Windows\system\SVCHOST.EXE
C:\Windows\system\SVCHOST.EXE -s
2⤵
PID:2744

C:\Windows\SysWOW64\EBRR.EXE
C:\Windows\system32\EBRR.EXE -s
2⤵
PID:2428

C:\Windows\SysWOW64\mmtask.exe
C:\Windows\system32\mmtask.exe -s
2⤵
PID:2904

C:\Windows\SVCHOST.EXE
C:\Windows\SVCHOST.EXE -s
2⤵
PID:2440

C:\Windows\system\SVCHOST.EXE
C:\Windows\system\SVCHOST.EXE -s
2⤵
PID:552

C:\Windows\SysWOW64\EBRR.EXE
C:\Windows\system32\EBRR.EXE -s
2⤵
PID:3056

C:\Windows\SysWOW64\mmtask.exe
C:\Windows\system32\mmtask.exe -s
2⤵
PID:2616

C:\Windows\SVCHOST.EXE
C:\Windows\SVCHOST.EXE -s
2⤵
PID:648

C:\Windows\system\SVCHOST.EXE
C:\Windows\system\SVCHOST.EXE -s
2⤵
PID:1480

C:\Windows\SysWOW64\EBRR.EXE
C:\Windows\system32\EBRR.EXE -s
2⤵
PID:2852

C:\Windows\SysWOW64\mmtask.exe
C:\Windows\system32\mmtask.exe -s
2⤵
PID:2728

C:\Windows\SVCHOST.EXE
C:\Windows\SVCHOST.EXE -s
2⤵
PID:1392

C:\Windows\system\SVCHOST.EXE
C:\Windows\system\SVCHOST.EXE -s
2⤵
PID:948

C:\Windows\SysWOW64\EBRR.EXE
C:\Windows\system32\EBRR.EXE -s
2⤵
PID:1656

C:\Windows\SysWOW64\mmtask.exe
C:\Windows\system32\mmtask.exe -s
2⤵
PID:2784

C:\Windows\SVCHOST.EXE
C:\Windows\SVCHOST.EXE -s
2⤵
PID:2436

C:\Windows\system\SVCHOST.EXE
C:\Windows\system\SVCHOST.EXE -s
2⤵
PID:2872

C:\Windows\SysWOW64\EBRR.EXE
C:\Windows\system32\EBRR.EXE -s
2⤵
PID:1464

C:\Windows\SysWOW64\mmtask.exe
C:\Windows\system32\mmtask.exe -s
2⤵
PID:2208

C:\Windows\SVCHOST.EXE
C:\Windows\SVCHOST.EXE -s
2⤵
PID:2316

C:\Windows\system\SVCHOST.EXE
C:\Windows\system\SVCHOST.EXE -s
2⤵
PID:2876

C:\Windows\SysWOW64\EBRR.EXE
C:\Windows\system32\EBRR.EXE -s
2⤵
PID:2244

C:\Windows\SysWOW64\mmtask.exe
C:\Windows\system32\mmtask.exe -s
2⤵
PID:1160

C:\Windows\SVCHOST.EXE
C:\Windows\SVCHOST.EXE -s
2⤵
PID:2180

C:\Windows\system\SVCHOST.EXE
C:\Windows\system\SVCHOST.EXE -s
2⤵
PID:2292

C:\Windows\SysWOW64\EBRR.EXE
C:\Windows\system32\EBRR.EXE -s
2⤵
PID:2532

C:\Windows\SysWOW64\mmtask.exe
C:\Windows\system32\mmtask.exe -s
2⤵
PID:2628

C:\Windows\SVCHOST.EXE
C:\Windows\SVCHOST.EXE -s
2⤵
PID:1976

C:\Windows\system\SVCHOST.EXE
C:\Windows\system\SVCHOST.EXE -s
2⤵
PID:840

C:\Windows\SysWOW64\EBRR.EXE
C:\Windows\system32\EBRR.EXE -s
2⤵
PID:2452

C:\Windows\SysWOW64\mmtask.exe
C:\Windows\system32\mmtask.exe -s
2⤵
PID:2760

C:\Windows\SVCHOST.EXE
C:\Windows\SVCHOST.EXE -s
2⤵
PID:1684

C:\Windows\system\SVCHOST.EXE
C:\Windows\system\SVCHOST.EXE -s
2⤵
PID:2044

C:\Windows\SysWOW64\EBRR.EXE
C:\Windows\system32\EBRR.EXE -s
2⤵
PID:1564

C:\Windows\SysWOW64\mmtask.exe
C:\Windows\system32\mmtask.exe -s
2⤵
PID:440

C:\Windows\SVCHOST.EXE
C:\Windows\SVCHOST.EXE -s
2⤵
PID:3036

C:\Windows\system\SVCHOST.EXE
C:\Windows\system\SVCHOST.EXE -s
2⤵
PID:768

C:\Windows\SysWOW64\EBRR.EXE
C:\Windows\system32\EBRR.EXE -s
2⤵
PID:2024

C:\Windows\SysWOW64\mmtask.exe
C:\Windows\system32\mmtask.exe -s
2⤵
PID:1568

C:\Windows\SVCHOST.EXE
C:\Windows\SVCHOST.EXE -s
2⤵
PID:2128

C:\Windows\system\SVCHOST.EXE
C:\Windows\system\SVCHOST.EXE -s
2⤵
PID:2272

C:\Windows\SysWOW64\EBRR.EXE
C:\Windows\system32\EBRR.EXE -s
2⤵
PID:2884

C:\Windows\SysWOW64\mmtask.exe
C:\Windows\system32\mmtask.exe -s
2⤵
PID:2260

C:\Windows\SVCHOST.EXE
C:\Windows\SVCHOST.EXE -s
2⤵
PID:2704

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
- Modifies Internet Explorer settings
- Modifies registry class
PID:1612

C:\Windows\system32\wbem\WMIADAP.EXE
wmiadap.exe /F /T /R
1⤵
PID:1668

C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\wbem\wmiprvse.exe -Embedding
1⤵
PID:2016

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Winlogon Helper DLL

T1547.004

Event Triggered Execution

T1546

Change Default File Association

T1546.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Winlogon Helper DLL

T1547.004

Event Triggered Execution

T1546

Change Default File Association

T1546.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\06024bec06fb17db8314ad5d506bc43d6ac6ee5ca56594aa25670e6943165025\Cantik.bmp
Filesize
64KB

MD5
7ab9246655e40e5d922e1f92560128f5

SHA1
a989d0611485d2429f5b33a4124126415b02390f

SHA256
3ed10a9452b56114f9f6fb3f65f02e8d6b906897271793e4b410c08e3bde9772

SHA512
3fe741419bc727d23f18b0979dbadeaa69d418a7f290c816afaf2c4eabd1475ff4f7b543ea699e93f0dce96592e058a55e7a9f0aa3094c200a863df40c4b2c50

Download Submit
C:\Windows\SVCHOST.EXE
Filesize
41KB

MD5
3a2bbb4f7b5e7faa7abc2d8810375671

SHA1
a19f20a0955659aa8eaf422777cfe43e0f26d355

SHA256
81c70d8bc0092359dc65b5f91a0a26fc9dbcb564926ba0459e6fec195f4d086e

SHA512
7e4ca5b492e8b0d3a88372ac93115c68551a4f1086f8ccebd55f508dae9fa24ec50952dfe9c0757f17fd6fc20e2f5ba8de74479a270445f2984a8031599dec64

Download Submit
C:\Windows\system\SVCHOST.EXE
Filesize
41KB

MD5
aa4f0f36c01d51563e2dd6a5c71b4b3f

SHA1
7d295bd385eb3d7838ae72f8bff211002c05c7c3

SHA256
ee9be84c5296cd34d0104160d84da6d5def968ee6f579e6d83840c9d90f9fe7f

SHA512
d6f1f0a3d573164cddb65e2997c5242a33686685d7bf641d13c254ad6234bdd4fad32440f32b79824c0f0c1744a1816ef86e79febd70feca7a6f527751e776f9

Download Submit
\Windows\SysWOW64\EBRR.EXE
Filesize
41KB

MD5
d1efab81b3301962d38ef28cbdf01210

SHA1
70d89f60c7d3eb3c917c6be501fd0ea36b0ec8b7

SHA256
d0a43a3d41be3f4301af5420370941a988649631e09b9e451e428cfef81f024d

SHA512
08dcd4067b6f2b6222d75001d4a1493dac92392d85b8ea47a79e198a5cd55c606451a0edd73d92e95db5afdc0783cfa85a4d89daced518994e7ccb6ac41af8dd

Download Submit
\Windows\SysWOW64\mmtask.exe
Filesize
41KB

MD5
e08226bef157d7fad23b4d21e23f9b22

SHA1
ac740851a60318d077446664d013f369a07acecf

SHA256
1c6c176a9e5cfbb9e8416322f6bc49e0aebccaa43006bc8f72431b262de1ea46

SHA512
fc17468eab132e95ca41b7f1aed398d5b061635cf6a110a7a75c94471dfccf28dcabae1758650e2d97d1584710580977ecf3f3d1bf20a5accffb05aea4b55204

Download Submit
memory/440-225-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/920-148-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/920-142-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/1052-267-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/1352-239-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/1396-149-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/1396-167-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/1588-293-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/1596-310-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/1596-286-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/1612-59-0x0000000003780000-0x0000000003790000-memory.dmp

Filesize
64KB

Download
memory/1616-224-0x00000000002A0000-0x00000000002BE000-memory.dmp

Filesize
120KB

Download
memory/1616-217-0x00000000002A0000-0x00000000002BE000-memory.dmp

Filesize
120KB

Download
memory/1616-17-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/1616-40-0x00000000002A0000-0x00000000002BE000-memory.dmp

Filesize
120KB

Download
memory/1616-276-0x00000000002A0000-0x00000000002BE000-memory.dmp

Filesize
120KB

Download
memory/1616-260-0x00000000002A0000-0x00000000002BE000-memory.dmp

Filesize
120KB

Download
memory/1616-24-0x00000000002A0000-0x00000000002BE000-memory.dmp

Filesize
120KB

Download
memory/1616-214-0x00000000002A0000-0x00000000002BE000-memory.dmp

Filesize
120KB

Download
memory/1616-83-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/1616-41-0x00000000002A0000-0x00000000002BE000-memory.dmp

Filesize
120KB

Download
memory/1616-91-0x00000000002A0000-0x00000000002BE000-memory.dmp

Filesize
120KB

Download
memory/1616-90-0x00000000002A0000-0x00000000002BE000-memory.dmp

Filesize
120KB

Download
memory/1616-245-0x00000000002A0000-0x00000000002BE000-memory.dmp

Filesize
120KB

Download
memory/1616-100-0x00000000002A0000-0x00000000002BE000-memory.dmp

Filesize
120KB

Download
memory/1628-98-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/1676-139-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/1676-198-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/1716-261-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/1716-270-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/1736-284-0x0000000000260000-0x000000000027E000-memory.dmp

Filesize
120KB

Download
memory/1736-216-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/1736-169-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/1756-215-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/1756-256-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/1756-246-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/1780-140-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/1780-128-0x00000000001B0000-0x00000000001C0000-memory.dmp

Filesize
64KB

Download
memory/1780-127-0x00000000001B0000-0x00000000001C0000-memory.dmp

Filesize
64KB

Download
memory/1856-241-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/1912-231-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/1996-151-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/1996-120-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/2032-243-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/2060-223-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/2060-189-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/2072-73-0x0000000000320000-0x000000000033E000-memory.dmp

Filesize
120KB

Download
memory/2072-205-0x0000000000320000-0x000000000033E000-memory.dmp

Filesize
120KB

Download
memory/2072-308-0x0000000000320000-0x000000000033E000-memory.dmp

Filesize
120KB

Download
memory/2072-138-0x0000000000320000-0x000000000033E000-memory.dmp

Filesize
120KB

Download
memory/2072-178-0x0000000000320000-0x000000000033E000-memory.dmp

Filesize
120KB

Download
memory/2072-244-0x0000000000320000-0x000000000033E000-memory.dmp

Filesize
120KB

Download
memory/2072-110-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/2072-307-0x0000000000320000-0x000000000033E000-memory.dmp

Filesize
120KB

Download
memory/2072-206-0x0000000000320000-0x000000000033E000-memory.dmp

Filesize
120KB

Download
memory/2072-136-0x0000000000320000-0x000000000033E000-memory.dmp

Filesize
120KB

Download
memory/2072-204-0x0000000000320000-0x000000000033E000-memory.dmp

Filesize
120KB

Download
memory/2072-251-0x0000000000320000-0x000000000033E000-memory.dmp

Filesize
120KB

Download
memory/2072-219-0x0000000000320000-0x000000000033E000-memory.dmp

Filesize
120KB

Download
memory/2072-43-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/2240-201-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/2240-168-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/2264-274-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/2284-188-0x00000000003C0000-0x00000000003DE000-memory.dmp

Filesize
120KB

Download
memory/2284-268-0x00000000003C0000-0x00000000003DE000-memory.dmp

Filesize
120KB

Download
memory/2284-218-0x00000000003C0000-0x00000000003DE000-memory.dmp

Filesize
120KB

Download
memory/2284-289-0x00000000003C0000-0x00000000003DE000-memory.dmp

Filesize
120KB

Download
memory/2284-0-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/2284-72-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/2284-81-0x00000000003C0000-0x00000000003DE000-memory.dmp

Filesize
120KB

Download
memory/2284-80-0x00000000003C0000-0x00000000003DE000-memory.dmp

Filesize
120KB

Download
memory/2284-14-0x00000000003C0000-0x00000000003DE000-memory.dmp

Filesize
120KB

Download
memory/2284-15-0x00000000003C0000-0x00000000003DE000-memory.dmp

Filesize
120KB

Download
memory/2328-250-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/2376-124-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/2376-135-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/2460-314-0x0000000000260000-0x000000000027E000-memory.dmp

Filesize
120KB

Download
memory/2460-92-0x0000000000260000-0x000000000027E000-memory.dmp

Filesize
120KB

Download
memory/2460-74-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/2460-172-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/2460-247-0x0000000000260000-0x000000000027E000-memory.dmp

Filesize
120KB

Download
memory/2460-285-0x0000000000260000-0x000000000027E000-memory.dmp

Filesize
120KB

Download
memory/2520-370-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/2536-312-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/2552-309-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/2576-62-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/2576-58-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/2624-109-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/2624-101-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/2676-33-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/2676-25-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/2724-277-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/2724-278-0x0000000000220000-0x0000000000230000-memory.dmp

Filesize
64KB

Download
memory/2724-280-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/2740-438-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/2748-54-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/2748-52-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/2812-192-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/2852-265-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/2852-252-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/2876-313-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/2992-220-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/3024-84-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/3024-96-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads