Analysis
-
max time kernel
120s -
max time network
95s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system -
submitted
13-11-2024 16:46
Static task
static1
Behavioral task
behavioral1
Sample
4be9e44951079360dce1b526bc1dd38830fc346b3a82fc3c94f8112dca6b1766.exe
Resource
win7-20240903-en
Behavioral task
behavioral2
Sample
4be9e44951079360dce1b526bc1dd38830fc346b3a82fc3c94f8112dca6b1766.exe
Resource
win10v2004-20241007-en
General
-
Target
4be9e44951079360dce1b526bc1dd38830fc346b3a82fc3c94f8112dca6b1766.exe
-
Size
92KB
-
MD5
4e326a2d8ba7ce07f77a16eda1694e86
-
SHA1
c28ee1cd1a10ab67adce0e41b407181c5782691c
-
SHA256
4be9e44951079360dce1b526bc1dd38830fc346b3a82fc3c94f8112dca6b1766
-
SHA512
c90d22f6d1a081249578f01e41075b4c7f9583066a165cf7cd5c1b47dd48653db886c508b889c81b79295ded0a1ccffe460b3b49121a0265247ecb7550bf7d43
-
SSDEEP
768:4zW4wnebSdDlmkok6lRGXu+jKZAOWjpiRHVAGr4PzpyRAJ7IwnDoSdA:41bC4Bk6lMTOWw4PkRAPoD
Malware Config
Signatures
-
Modifies WinLogon for persistence 2 TTPs 10 IoCs
Processes:
SVCHOST.EXEEBRR.EXEmmtask.exeSVCHOST.EXE4be9e44951079360dce1b526bc1dd38830fc346b3a82fc3c94f8112dca6b1766.exedescription ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"C:\\Windows\\SVCHOST.EXE\"" SVCHOST.EXE Set value (str) \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"C:\\Windows\\system\\SVCHOST.EXE\"" EBRR.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"C:\\Windows\\SVCHOST.EXE\"" mmtask.exe Set value (str) \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"C:\\Windows\\system\\SVCHOST.EXE\"" mmtask.exe Set value (str) \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"C:\\Windows\\system\\SVCHOST.EXE\"" SVCHOST.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"C:\\Windows\\SVCHOST.EXE\"" SVCHOST.EXE Set value (str) \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"C:\\Windows\\system\\SVCHOST.EXE\"" SVCHOST.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"C:\\Windows\\SVCHOST.EXE\"" 4be9e44951079360dce1b526bc1dd38830fc346b3a82fc3c94f8112dca6b1766.exe Set value (str) \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"C:\\Windows\\system\\SVCHOST.EXE\"" 4be9e44951079360dce1b526bc1dd38830fc346b3a82fc3c94f8112dca6b1766.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"C:\\Windows\\SVCHOST.EXE\"" EBRR.EXE -
Executes dropped EXE 64 IoCs
Processes:
EBRR.EXEEBRR.EXEmmtask.exeEBRR.EXESVCHOST.EXEmmtask.exeSVCHOST.EXEEBRR.EXESVCHOST.EXEmmtask.exemmtask.exeSVCHOST.EXEEBRR.EXEEBRR.EXESVCHOST.EXEmmtask.exeSVCHOST.EXEmmtask.exeEBRR.EXESVCHOST.EXESVCHOST.EXESVCHOST.EXESVCHOST.EXEmmtask.exeSVCHOST.EXESVCHOST.EXEEBRR.EXESVCHOST.EXESVCHOST.EXEmmtask.exeEBRR.EXEEBRR.EXEEBRR.EXEEBRR.EXEmmtask.exemmtask.exeSVCHOST.EXEmmtask.exemmtask.exeSVCHOST.EXESVCHOST.EXESVCHOST.EXESVCHOST.EXESVCHOST.EXESVCHOST.EXESVCHOST.EXESVCHOST.EXESVCHOST.EXEEBRR.EXEEBRR.EXEEBRR.EXEEBRR.EXEEBRR.EXEmmtask.exemmtask.exemmtask.exeSVCHOST.EXEmmtask.exemmtask.exeSVCHOST.EXESVCHOST.EXESVCHOST.EXESVCHOST.EXESVCHOST.EXEpid Process 5112 EBRR.EXE 2152 EBRR.EXE 2392 mmtask.exe 1224 EBRR.EXE 1564 SVCHOST.EXE 3688 mmtask.exe 2540 SVCHOST.EXE 2848 EBRR.EXE 2116 SVCHOST.EXE 4984 mmtask.exe 2732 mmtask.exe 3928 SVCHOST.EXE 3492 EBRR.EXE 764 EBRR.EXE 4520 SVCHOST.EXE 1588 mmtask.exe 536 SVCHOST.EXE 5040 mmtask.exe 1644 EBRR.EXE 1100 SVCHOST.EXE 4244 SVCHOST.EXE 4384 SVCHOST.EXE 4892 SVCHOST.EXE 1980 mmtask.exe 3508 SVCHOST.EXE 988 SVCHOST.EXE 1120 EBRR.EXE 1624 SVCHOST.EXE 3044 SVCHOST.EXE 1608 mmtask.exe 1596 EBRR.EXE 4368 EBRR.EXE 432 EBRR.EXE 1628 EBRR.EXE 2240 mmtask.exe 3444 mmtask.exe 1912 SVCHOST.EXE 3184 mmtask.exe 116 mmtask.exe 4488 SVCHOST.EXE 1508 SVCHOST.EXE 1976 SVCHOST.EXE 228 SVCHOST.EXE 4848 SVCHOST.EXE 1712 SVCHOST.EXE 2844 SVCHOST.EXE 392 SVCHOST.EXE 4712 SVCHOST.EXE 1536 EBRR.EXE 676 EBRR.EXE 112 EBRR.EXE 2200 EBRR.EXE 4536 EBRR.EXE 4984 mmtask.exe 4076 mmtask.exe 2716 mmtask.exe 408 SVCHOST.EXE 2732 mmtask.exe 4740 mmtask.exe 3076 SVCHOST.EXE 1588 SVCHOST.EXE 4328 SVCHOST.EXE 3988 SVCHOST.EXE 4628 SVCHOST.EXE -
Modifies system executable filetype association 2 TTPs 5 IoCs
Processes:
4be9e44951079360dce1b526bc1dd38830fc346b3a82fc3c94f8112dca6b1766.exeEBRR.EXEmmtask.exeSVCHOST.EXESVCHOST.EXEdescription ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder" 4be9e44951079360dce1b526bc1dd38830fc346b3a82fc3c94f8112dca6b1766.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder" EBRR.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder" mmtask.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder" SVCHOST.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder" SVCHOST.EXE -
Drops file in System32 directory 20 IoCs
Processes:
mmtask.exe4be9e44951079360dce1b526bc1dd38830fc346b3a82fc3c94f8112dca6b1766.exeSVCHOST.EXEEBRR.EXESVCHOST.EXEdescription ioc Process File opened for modification C:\Windows\SysWOW64\mmtask.exe mmtask.exe File created C:\Windows\SysWOW64\mmtask.exe 4be9e44951079360dce1b526bc1dd38830fc346b3a82fc3c94f8112dca6b1766.exe File opened for modification C:\Windows\SysWOW64\mmtask.exe SVCHOST.EXE File created C:\Windows\SysWOW64\EBRR.EXE 4be9e44951079360dce1b526bc1dd38830fc346b3a82fc3c94f8112dca6b1766.exe File opened for modification C:\Windows\SysWOW64\mmtask.exe EBRR.EXE File opened for modification C:\Windows\SysWOW64\mmtask.exe SVCHOST.EXE File opened for modification C:\Windows\SysWOW64\EBRR.EXE 4be9e44951079360dce1b526bc1dd38830fc346b3a82fc3c94f8112dca6b1766.exe File opened for modification C:\Windows\SysWOW64\EBRR.EXE mmtask.exe File opened for modification C:\Windows\SysWOW64\EBRR.EXE SVCHOST.EXE File created C:\Windows\SysWOW64\EBRR.EXE SVCHOST.EXE File created C:\Windows\SysWOW64\EBRR.EXE mmtask.exe File opened for modification C:\Windows\SysWOW64\EBRR.EXE EBRR.EXE File created C:\Windows\SysWOW64\mmtask.exe EBRR.EXE File created C:\Windows\SysWOW64\mmtask.exe mmtask.exe File created C:\Windows\SysWOW64\EBRR.EXE SVCHOST.EXE File created C:\Windows\SysWOW64\mmtask.exe SVCHOST.EXE File opened for modification C:\Windows\SysWOW64\mmtask.exe 4be9e44951079360dce1b526bc1dd38830fc346b3a82fc3c94f8112dca6b1766.exe File opened for modification C:\Windows\SysWOW64\EBRR.EXE SVCHOST.EXE File created C:\Windows\SysWOW64\EBRR.EXE EBRR.EXE File created C:\Windows\SysWOW64\mmtask.exe SVCHOST.EXE -
Drops file in Windows directory 20 IoCs
Processes:
mmtask.exe4be9e44951079360dce1b526bc1dd38830fc346b3a82fc3c94f8112dca6b1766.exeSVCHOST.EXESVCHOST.EXEEBRR.EXEdescription ioc Process File created C:\Windows\system\SVCHOST.EXE mmtask.exe File opened for modification C:\Windows\SVCHOST.EXE 4be9e44951079360dce1b526bc1dd38830fc346b3a82fc3c94f8112dca6b1766.exe File opened for modification C:\Windows\SVCHOST.EXE SVCHOST.EXE File created C:\Windows\system\SVCHOST.EXE 4be9e44951079360dce1b526bc1dd38830fc346b3a82fc3c94f8112dca6b1766.exe File created C:\Windows\system\SVCHOST.EXE SVCHOST.EXE File opened for modification C:\Windows\SVCHOST.EXE SVCHOST.EXE File opened for modification C:\Windows\SVCHOST.EXE EBRR.EXE File created C:\Windows\SVCHOST.EXE mmtask.exe File opened for modification C:\Windows\system\SVCHOST.EXE mmtask.exe File created C:\Windows\SVCHOST.EXE 4be9e44951079360dce1b526bc1dd38830fc346b3a82fc3c94f8112dca6b1766.exe File created C:\Windows\SVCHOST.EXE SVCHOST.EXE File opened for modification C:\Windows\system\SVCHOST.EXE 4be9e44951079360dce1b526bc1dd38830fc346b3a82fc3c94f8112dca6b1766.exe File created C:\Windows\SVCHOST.EXE EBRR.EXE File created C:\Windows\system\SVCHOST.EXE EBRR.EXE File opened for modification C:\Windows\system\SVCHOST.EXE SVCHOST.EXE File created C:\Windows\SVCHOST.EXE SVCHOST.EXE File created C:\Windows\system\SVCHOST.EXE SVCHOST.EXE File opened for modification C:\Windows\system\SVCHOST.EXE SVCHOST.EXE File opened for modification C:\Windows\system\SVCHOST.EXE EBRR.EXE File opened for modification C:\Windows\SVCHOST.EXE mmtask.exe -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
Processes:
mmtask.exemmtask.exemmtask.exeEBRR.EXESVCHOST.EXESVCHOST.EXEEBRR.EXEEBRR.EXEEBRR.EXESVCHOST.EXESVCHOST.EXEEBRR.EXEmmtask.exeEBRR.EXEmmtask.exeSVCHOST.EXEEBRR.EXESVCHOST.EXESVCHOST.EXEmmtask.exeSVCHOST.EXESVCHOST.EXEEBRR.EXESVCHOST.EXEEBRR.EXESVCHOST.EXESVCHOST.EXEEBRR.EXEEBRR.EXESVCHOST.EXESVCHOST.EXEEBRR.EXEmmtask.exeSVCHOST.EXE4be9e44951079360dce1b526bc1dd38830fc346b3a82fc3c94f8112dca6b1766.exemmtask.exeEBRR.EXESVCHOST.EXEEBRR.EXESVCHOST.EXEEBRR.EXEEBRR.EXEEBRR.EXEEBRR.EXESVCHOST.EXESVCHOST.EXEEBRR.EXESVCHOST.EXEEBRR.EXEmmtask.exemmtask.exeEBRR.EXEEBRR.EXESVCHOST.EXEEBRR.EXEmmtask.exeSVCHOST.EXESVCHOST.EXEEBRR.EXEmmtask.exeSVCHOST.EXEEBRR.EXEmmtask.exeSVCHOST.EXEdescription ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language mmtask.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language mmtask.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language mmtask.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language EBRR.EXE Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language SVCHOST.EXE Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language SVCHOST.EXE Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language EBRR.EXE Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language EBRR.EXE Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language EBRR.EXE Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language SVCHOST.EXE Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language SVCHOST.EXE Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language EBRR.EXE Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language mmtask.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language EBRR.EXE Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language mmtask.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language SVCHOST.EXE Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language EBRR.EXE Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language SVCHOST.EXE Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language SVCHOST.EXE Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language mmtask.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language SVCHOST.EXE Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language SVCHOST.EXE Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language EBRR.EXE Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language SVCHOST.EXE Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language EBRR.EXE Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language SVCHOST.EXE Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language SVCHOST.EXE Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language EBRR.EXE Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language EBRR.EXE Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language SVCHOST.EXE Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language SVCHOST.EXE Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language EBRR.EXE Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language mmtask.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language SVCHOST.EXE Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 4be9e44951079360dce1b526bc1dd38830fc346b3a82fc3c94f8112dca6b1766.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language mmtask.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language EBRR.EXE Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language SVCHOST.EXE Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language EBRR.EXE Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language SVCHOST.EXE Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language EBRR.EXE Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language EBRR.EXE Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language EBRR.EXE Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language EBRR.EXE Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language SVCHOST.EXE Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language SVCHOST.EXE Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language EBRR.EXE Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language SVCHOST.EXE Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language EBRR.EXE Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language mmtask.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language mmtask.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language EBRR.EXE Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language EBRR.EXE Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language SVCHOST.EXE Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language EBRR.EXE Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language mmtask.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language SVCHOST.EXE Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language SVCHOST.EXE Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language EBRR.EXE Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language mmtask.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language SVCHOST.EXE Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language EBRR.EXE Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language mmtask.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language SVCHOST.EXE -
Processes:
explorer.exedescription ioc Process Key created \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Software\Microsoft\Internet Explorer\Toolbar explorer.exe Set value (int) \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\Locked = "1" explorer.exe Key created \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\ShellBrowser explorer.exe Set value (data) \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\ShellBrowser\ITBar7Layout = 13000000000000000000000020000000100000000000000001000000010700005e01000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 explorer.exe -
Modifies registry class 44 IoCs
Processes:
explorer.exe4be9e44951079360dce1b526bc1dd38830fc346b3a82fc3c94f8112dca6b1766.exemmtask.exeSVCHOST.EXEEBRR.EXESVCHOST.EXEdescription ioc Process Key created \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU explorer.exe Key created \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0 explorer.exe Set value (str) \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\SniffedFolderType = "Generic" explorer.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder" 4be9e44951079360dce1b526bc1dd38830fc346b3a82fc3c94f8112dca6b1766.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder" mmtask.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder" SVCHOST.EXE Key created \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000_Classes\Local Settings explorer.exe Set value (data) \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 00000000ffffffff explorer.exe Set value (data) \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\MRUListEx = 00000000ffffffff explorer.exe Set value (data) \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\0\0\0 = 4e003100000000006d59d785100054656d7000003a0009000400efbe4759f1496d59d7852e00000083e10100000001000000000000000000000000000000981b4f00540065006d007000000014000000 explorer.exe Set value (data) \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02 explorer.exe Set value (data) \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\0\0\0\MRUListEx = 00000000ffffffff explorer.exe Set value (data) \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots explorer.exe Key created \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0 explorer.exe Set value (data) \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\MRUListEx = 00000000ffffffff explorer.exe Key created \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\0 explorer.exe Set value (data) \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\0\0 = 50003100000000004759214c10004c6f63616c003c0009000400efbe4759f1496d59d7852e00000082e1010000000100000000000000000000000000000043b623014c006f00630061006c00000014000000 explorer.exe Key created \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\0\0\0 explorer.exe Set value (data) \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\0\0\MRUListEx = 00000000ffffffff explorer.exe Key created \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags explorer.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder" EBRR.EXE Key created \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0 explorer.exe Set value (data) \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\MRUListEx = 00000000ffffffff explorer.exe Key created \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\0\0 explorer.exe Key created \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\0\0\0\0 explorer.exe Set value (int) \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\0\0\0\0\NodeSlot = "1" explorer.exe Set value (data) \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\MRUListEx = 00000000ffffffff explorer.exe Set value (data) \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0 = 500031000000000047597551100041646d696e003c0009000400efbe4759f1496d59d7852e00000063e101000000010000000000000000000000000000005f184200410064006d0069006e00000014000000 explorer.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder" SVCHOST.EXE Key created \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell explorer.exe Set value (data) \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0 = 19002f433a5c000000000000000000000000000000000000000000 explorer.exe Set value (data) \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\0\0\0\0\MRUListEx = ffffffff explorer.exe Key created \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell explorer.exe Key created \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1 explorer.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\ explorer.exe Key created \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\ explorer.exe Set value (str) \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\SniffedFolderType = "Documents" explorer.exe Set value (data) \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff explorer.exe Set value (data) \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0 = 14001f50e04fd020ea3a6910a2d808002b30309d0000 explorer.exe Key created \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0 explorer.exe Set value (data) \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0 = 78003100000000004759f1491100557365727300640009000400efbe874f77486d59d7852e000000c70500000000010000000000000000003a00000000009c1a220055007300650072007300000040007300680065006c006c00330032002e0064006c006c002c002d0032003100380031003300000014000000 explorer.exe Set value (data) \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\0 = 56003100000000004759f14912004170704461746100400009000400efbe4759f1496d59d7852e0000006ee10100000001000000000000000000000000000000d06b11004100700070004400610074006100000016000000 explorer.exe Set value (data) \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\0\MRUListEx = 00000000ffffffff explorer.exe Set value (data) \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\0\0\0\0 = ca003100000000006d59d78516003442453945347e310000b20009000400efbe6d59d7856d59d7852e0000008e3b020000000b000000000000000000000000000000981b4f003400620065003900650034003400390035003100300037003900330036003000640063006500310062003500320036006200630031006400640033003800380033003000660063003300340036006200330061003800320066006300330063003900340066003800310031003200640063006100360062003100370036003600000018000000 explorer.exe -
Suspicious behavior: AddClipboardFormatListener 1 IoCs
Processes:
explorer.exepid Process 3604 explorer.exe -
Suspicious behavior: EnumeratesProcesses 64 IoCs
Processes:
4be9e44951079360dce1b526bc1dd38830fc346b3a82fc3c94f8112dca6b1766.exeEBRR.EXEmmtask.exeSVCHOST.EXESVCHOST.EXEpid Process 2264 4be9e44951079360dce1b526bc1dd38830fc346b3a82fc3c94f8112dca6b1766.exe 2264 4be9e44951079360dce1b526bc1dd38830fc346b3a82fc3c94f8112dca6b1766.exe 2264 4be9e44951079360dce1b526bc1dd38830fc346b3a82fc3c94f8112dca6b1766.exe 2264 4be9e44951079360dce1b526bc1dd38830fc346b3a82fc3c94f8112dca6b1766.exe 2264 4be9e44951079360dce1b526bc1dd38830fc346b3a82fc3c94f8112dca6b1766.exe 2264 4be9e44951079360dce1b526bc1dd38830fc346b3a82fc3c94f8112dca6b1766.exe 2264 4be9e44951079360dce1b526bc1dd38830fc346b3a82fc3c94f8112dca6b1766.exe 2264 4be9e44951079360dce1b526bc1dd38830fc346b3a82fc3c94f8112dca6b1766.exe 2264 4be9e44951079360dce1b526bc1dd38830fc346b3a82fc3c94f8112dca6b1766.exe 2264 4be9e44951079360dce1b526bc1dd38830fc346b3a82fc3c94f8112dca6b1766.exe 2264 4be9e44951079360dce1b526bc1dd38830fc346b3a82fc3c94f8112dca6b1766.exe 2264 4be9e44951079360dce1b526bc1dd38830fc346b3a82fc3c94f8112dca6b1766.exe 5112 EBRR.EXE 5112 EBRR.EXE 5112 EBRR.EXE 5112 EBRR.EXE 5112 EBRR.EXE 5112 EBRR.EXE 5112 EBRR.EXE 5112 EBRR.EXE 5112 EBRR.EXE 5112 EBRR.EXE 5112 EBRR.EXE 5112 EBRR.EXE 2392 mmtask.exe 2392 mmtask.exe 2392 mmtask.exe 2392 mmtask.exe 2392 mmtask.exe 2392 mmtask.exe 2392 mmtask.exe 2392 mmtask.exe 2392 mmtask.exe 2392 mmtask.exe 2392 mmtask.exe 2392 mmtask.exe 1564 SVCHOST.EXE 1564 SVCHOST.EXE 1564 SVCHOST.EXE 1564 SVCHOST.EXE 1564 SVCHOST.EXE 1564 SVCHOST.EXE 1564 SVCHOST.EXE 1564 SVCHOST.EXE 1564 SVCHOST.EXE 1564 SVCHOST.EXE 1564 SVCHOST.EXE 1564 SVCHOST.EXE 2540 SVCHOST.EXE 5112 EBRR.EXE 5112 EBRR.EXE 5112 EBRR.EXE 2540 SVCHOST.EXE 2540 SVCHOST.EXE 2540 SVCHOST.EXE 2540 SVCHOST.EXE 2540 SVCHOST.EXE 5112 EBRR.EXE 5112 EBRR.EXE 2540 SVCHOST.EXE 2540 SVCHOST.EXE 2540 SVCHOST.EXE 2540 SVCHOST.EXE 2540 SVCHOST.EXE -
Suspicious use of SetWindowsHookEx 64 IoCs
Processes:
4be9e44951079360dce1b526bc1dd38830fc346b3a82fc3c94f8112dca6b1766.exeEBRR.EXEEBRR.EXEmmtask.exeEBRR.EXESVCHOST.EXEexplorer.exemmtask.exeSVCHOST.EXEEBRR.EXESVCHOST.EXESVCHOST.EXEmmtask.exeEBRR.EXEmmtask.exeSVCHOST.EXEEBRR.EXEmmtask.exeSVCHOST.EXESVCHOST.EXEEBRR.EXEmmtask.exeSVCHOST.EXESVCHOST.EXESVCHOST.EXESVCHOST.EXESVCHOST.EXEmmtask.exeSVCHOST.EXEEBRR.EXESVCHOST.EXEEBRR.EXEEBRR.EXEmmtask.exeEBRR.EXEEBRR.EXESVCHOST.EXEmmtask.exemmtask.exeSVCHOST.EXEmmtask.exemmtask.exeSVCHOST.EXESVCHOST.EXESVCHOST.EXESVCHOST.EXESVCHOST.EXESVCHOST.EXESVCHOST.EXESVCHOST.EXEEBRR.EXEEBRR.EXEEBRR.EXEEBRR.EXEmmtask.exeEBRR.EXESVCHOST.EXEmmtask.exemmtask.exeSVCHOST.EXEmmtask.exemmtask.exeSVCHOST.EXEpid Process 2264 4be9e44951079360dce1b526bc1dd38830fc346b3a82fc3c94f8112dca6b1766.exe 5112 EBRR.EXE 2152 EBRR.EXE 2392 mmtask.exe 1224 EBRR.EXE 1564 SVCHOST.EXE 3604 explorer.exe 3604 explorer.exe 3688 mmtask.exe 2540 SVCHOST.EXE 2848 EBRR.EXE 2116 SVCHOST.EXE 3928 SVCHOST.EXE 4984 mmtask.exe 3492 EBRR.EXE 2732 mmtask.exe 4520 SVCHOST.EXE 764 EBRR.EXE 1588 mmtask.exe 1100 SVCHOST.EXE 536 SVCHOST.EXE 1644 EBRR.EXE 5040 mmtask.exe 4244 SVCHOST.EXE 4384 SVCHOST.EXE 4892 SVCHOST.EXE 3508 SVCHOST.EXE 988 SVCHOST.EXE 1980 mmtask.exe 1624 SVCHOST.EXE 1120 EBRR.EXE 3044 SVCHOST.EXE 4368 EBRR.EXE 1596 EBRR.EXE 1608 mmtask.exe 432 EBRR.EXE 1628 EBRR.EXE 1912 SVCHOST.EXE 116 mmtask.exe 2240 mmtask.exe 4488 SVCHOST.EXE 3184 mmtask.exe 3444 mmtask.exe 1508 SVCHOST.EXE 1976 SVCHOST.EXE 228 SVCHOST.EXE 4848 SVCHOST.EXE 1712 SVCHOST.EXE 2844 SVCHOST.EXE 4712 SVCHOST.EXE 392 SVCHOST.EXE 1536 EBRR.EXE 676 EBRR.EXE 112 EBRR.EXE 2200 EBRR.EXE 4984 mmtask.exe 4536 EBRR.EXE 408 SVCHOST.EXE 4740 mmtask.exe 2732 mmtask.exe 3076 SVCHOST.EXE 4076 mmtask.exe 2716 mmtask.exe 1588 SVCHOST.EXE -
Suspicious use of WriteProcessMemory 64 IoCs
Processes:
4be9e44951079360dce1b526bc1dd38830fc346b3a82fc3c94f8112dca6b1766.exeEBRR.EXEmmtask.exeSVCHOST.EXESVCHOST.EXEdescription pid Process procid_target PID 2264 wrote to memory of 1948 2264 4be9e44951079360dce1b526bc1dd38830fc346b3a82fc3c94f8112dca6b1766.exe 83 PID 2264 wrote to memory of 1948 2264 4be9e44951079360dce1b526bc1dd38830fc346b3a82fc3c94f8112dca6b1766.exe 83 PID 2264 wrote to memory of 1948 2264 4be9e44951079360dce1b526bc1dd38830fc346b3a82fc3c94f8112dca6b1766.exe 83 PID 2264 wrote to memory of 5112 2264 4be9e44951079360dce1b526bc1dd38830fc346b3a82fc3c94f8112dca6b1766.exe 86 PID 2264 wrote to memory of 5112 2264 4be9e44951079360dce1b526bc1dd38830fc346b3a82fc3c94f8112dca6b1766.exe 86 PID 2264 wrote to memory of 5112 2264 4be9e44951079360dce1b526bc1dd38830fc346b3a82fc3c94f8112dca6b1766.exe 86 PID 5112 wrote to memory of 2152 5112 EBRR.EXE 87 PID 5112 wrote to memory of 2152 5112 EBRR.EXE 87 PID 5112 wrote to memory of 2152 5112 EBRR.EXE 87 PID 5112 wrote to memory of 2392 5112 EBRR.EXE 89 PID 5112 wrote to memory of 2392 5112 EBRR.EXE 89 PID 5112 wrote to memory of 2392 5112 EBRR.EXE 89 PID 5112 wrote to memory of 1564 5112 EBRR.EXE 90 PID 5112 wrote to memory of 1564 5112 EBRR.EXE 90 PID 5112 wrote to memory of 1564 5112 EBRR.EXE 90 PID 2392 wrote to memory of 1224 2392 mmtask.exe 91 PID 2392 wrote to memory of 1224 2392 mmtask.exe 91 PID 2392 wrote to memory of 1224 2392 mmtask.exe 91 PID 2392 wrote to memory of 3688 2392 mmtask.exe 92 PID 2392 wrote to memory of 3688 2392 mmtask.exe 92 PID 2392 wrote to memory of 3688 2392 mmtask.exe 92 PID 5112 wrote to memory of 2540 5112 EBRR.EXE 93 PID 5112 wrote to memory of 2540 5112 EBRR.EXE 93 PID 5112 wrote to memory of 2540 5112 EBRR.EXE 93 PID 1564 wrote to memory of 2848 1564 SVCHOST.EXE 94 PID 1564 wrote to memory of 2848 1564 SVCHOST.EXE 94 PID 1564 wrote to memory of 2848 1564 SVCHOST.EXE 94 PID 2392 wrote to memory of 2116 2392 mmtask.exe 96 PID 2392 wrote to memory of 2116 2392 mmtask.exe 96 PID 2392 wrote to memory of 2116 2392 mmtask.exe 96 PID 1564 wrote to memory of 2732 1564 SVCHOST.EXE 147 PID 1564 wrote to memory of 2732 1564 SVCHOST.EXE 147 PID 1564 wrote to memory of 2732 1564 SVCHOST.EXE 147 PID 2264 wrote to memory of 4984 2264 4be9e44951079360dce1b526bc1dd38830fc346b3a82fc3c94f8112dca6b1766.exe 143 PID 2264 wrote to memory of 4984 2264 4be9e44951079360dce1b526bc1dd38830fc346b3a82fc3c94f8112dca6b1766.exe 143 PID 2264 wrote to memory of 4984 2264 4be9e44951079360dce1b526bc1dd38830fc346b3a82fc3c94f8112dca6b1766.exe 143 PID 2392 wrote to memory of 3928 2392 mmtask.exe 99 PID 2392 wrote to memory of 3928 2392 mmtask.exe 99 PID 2392 wrote to memory of 3928 2392 mmtask.exe 99 PID 2540 wrote to memory of 3492 2540 SVCHOST.EXE 100 PID 2540 wrote to memory of 3492 2540 SVCHOST.EXE 100 PID 2540 wrote to memory of 3492 2540 SVCHOST.EXE 100 PID 5112 wrote to memory of 764 5112 EBRR.EXE 101 PID 5112 wrote to memory of 764 5112 EBRR.EXE 101 PID 5112 wrote to memory of 764 5112 EBRR.EXE 101 PID 2264 wrote to memory of 4520 2264 4be9e44951079360dce1b526bc1dd38830fc346b3a82fc3c94f8112dca6b1766.exe 102 PID 2264 wrote to memory of 4520 2264 4be9e44951079360dce1b526bc1dd38830fc346b3a82fc3c94f8112dca6b1766.exe 102 PID 2264 wrote to memory of 4520 2264 4be9e44951079360dce1b526bc1dd38830fc346b3a82fc3c94f8112dca6b1766.exe 102 PID 2540 wrote to memory of 1588 2540 SVCHOST.EXE 150 PID 2540 wrote to memory of 1588 2540 SVCHOST.EXE 150 PID 2540 wrote to memory of 1588 2540 SVCHOST.EXE 150 PID 1564 wrote to memory of 1100 1564 SVCHOST.EXE 190 PID 1564 wrote to memory of 1100 1564 SVCHOST.EXE 190 PID 1564 wrote to memory of 1100 1564 SVCHOST.EXE 190 PID 2264 wrote to memory of 536 2264 4be9e44951079360dce1b526bc1dd38830fc346b3a82fc3c94f8112dca6b1766.exe 225 PID 2264 wrote to memory of 536 2264 4be9e44951079360dce1b526bc1dd38830fc346b3a82fc3c94f8112dca6b1766.exe 225 PID 2264 wrote to memory of 536 2264 4be9e44951079360dce1b526bc1dd38830fc346b3a82fc3c94f8112dca6b1766.exe 225 PID 5112 wrote to memory of 5040 5112 EBRR.EXE 106 PID 5112 wrote to memory of 5040 5112 EBRR.EXE 106 PID 5112 wrote to memory of 5040 5112 EBRR.EXE 106 PID 2392 wrote to memory of 1644 2392 mmtask.exe 107 PID 2392 wrote to memory of 1644 2392 mmtask.exe 107 PID 2392 wrote to memory of 1644 2392 mmtask.exe 107 PID 1564 wrote to memory of 4244 1564 SVCHOST.EXE 108
Processes
-
C:\Users\Admin\AppData\Local\Temp\4be9e44951079360dce1b526bc1dd38830fc346b3a82fc3c94f8112dca6b1766.exe"C:\Users\Admin\AppData\Local\Temp\4be9e44951079360dce1b526bc1dd38830fc346b3a82fc3c94f8112dca6b1766.exe"1⤵
- Modifies WinLogon for persistence
- Modifies system executable filetype association
- Drops file in System32 directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2264 -
C:\Windows\SysWOW64\explorer.exeexplorer C:\Users\Admin\AppData\Local\Temp\4be9e44951079360dce1b526bc1dd38830fc346b3a82fc3c94f8112dca6b1766\2⤵PID:1948
-
-
C:\Windows\SysWOW64\EBRR.EXEC:\Windows\system32\EBRR.EXE -s2⤵
- Modifies WinLogon for persistence
- Executes dropped EXE
- Modifies system executable filetype association
- Drops file in System32 directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:5112 -
C:\Windows\SysWOW64\EBRR.EXEC:\Windows\system32\EBRR.EXE -s3⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:2152
-
-
C:\Windows\SysWOW64\mmtask.exeC:\Windows\system32\mmtask.exe -s3⤵
- Modifies WinLogon for persistence
- Executes dropped EXE
- Modifies system executable filetype association
- Drops file in System32 directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2392 -
C:\Windows\SysWOW64\EBRR.EXEC:\Windows\system32\EBRR.EXE -s4⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:1224
-
-
C:\Windows\SysWOW64\mmtask.exeC:\Windows\system32\mmtask.exe -s4⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:3688
-
-
C:\Windows\SVCHOST.EXEC:\Windows\SVCHOST.EXE -s4⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:2116
-
-
C:\Windows\system\SVCHOST.EXEC:\Windows\system\SVCHOST.EXE -s4⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:3928
-
-
C:\Windows\SysWOW64\EBRR.EXEC:\Windows\system32\EBRR.EXE -s4⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:1644
-
-
C:\Windows\SysWOW64\mmtask.exeC:\Windows\system32\mmtask.exe -s4⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:1980
-
-
C:\Windows\SVCHOST.EXEC:\Windows\SVCHOST.EXE -s4⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:1624
-
-
C:\Windows\system\SVCHOST.EXEC:\Windows\system\SVCHOST.EXE -s4⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:3044
-
-
C:\Windows\SysWOW64\EBRR.EXEC:\Windows\system32\EBRR.EXE -s4⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:1628
-
-
C:\Windows\SysWOW64\mmtask.exeC:\Windows\system32\mmtask.exe -s4⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:116
-
-
C:\Windows\SVCHOST.EXEC:\Windows\SVCHOST.EXE -s4⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:1508
-
-
C:\Windows\system\SVCHOST.EXEC:\Windows\system\SVCHOST.EXE -s4⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:4848
-
-
C:\Windows\SysWOW64\EBRR.EXEC:\Windows\system32\EBRR.EXE -s4⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:112
-
-
C:\Windows\SysWOW64\mmtask.exeC:\Windows\system32\mmtask.exe -s4⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:2716
-
-
C:\Windows\SVCHOST.EXEC:\Windows\SVCHOST.EXE -s4⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:4628
-
-
C:\Windows\system\SVCHOST.EXEC:\Windows\system\SVCHOST.EXE -s4⤵PID:1476
-
-
C:\Windows\SysWOW64\EBRR.EXEC:\Windows\system32\EBRR.EXE -s4⤵PID:2752
-
-
C:\Windows\SysWOW64\mmtask.exeC:\Windows\system32\mmtask.exe -s4⤵PID:4748
-
-
C:\Windows\SVCHOST.EXEC:\Windows\SVCHOST.EXE -s4⤵PID:4652
-
-
C:\Windows\system\SVCHOST.EXEC:\Windows\system\SVCHOST.EXE -s4⤵PID:4812
-
-
C:\Windows\SysWOW64\EBRR.EXEC:\Windows\system32\EBRR.EXE -s4⤵PID:1108
-
-
C:\Windows\SysWOW64\mmtask.exeC:\Windows\system32\mmtask.exe -s4⤵PID:2836
-
-
C:\Windows\SVCHOST.EXEC:\Windows\SVCHOST.EXE -s4⤵PID:3984
-
-
C:\Windows\system\SVCHOST.EXEC:\Windows\system\SVCHOST.EXE -s4⤵PID:3024
-
-
C:\Windows\SysWOW64\EBRR.EXEC:\Windows\system32\EBRR.EXE -s4⤵PID:3132
-
-
C:\Windows\SysWOW64\mmtask.exeC:\Windows\system32\mmtask.exe -s4⤵PID:116
-
-
C:\Windows\SVCHOST.EXEC:\Windows\SVCHOST.EXE -s4⤵PID:4608
-
-
C:\Windows\system\SVCHOST.EXEC:\Windows\system\SVCHOST.EXE -s4⤵PID:2176
-
-
C:\Windows\SysWOW64\EBRR.EXEC:\Windows\system32\EBRR.EXE -s4⤵PID:4280
-
-
C:\Windows\SysWOW64\mmtask.exeC:\Windows\system32\mmtask.exe -s4⤵PID:4832
-
-
C:\Windows\SVCHOST.EXEC:\Windows\SVCHOST.EXE -s4⤵PID:2516
-
-
C:\Windows\system\SVCHOST.EXEC:\Windows\system\SVCHOST.EXE -s4⤵PID:3380
-
-
C:\Windows\SysWOW64\EBRR.EXEC:\Windows\system32\EBRR.EXE -s4⤵PID:1596
-
-
C:\Windows\SysWOW64\mmtask.exeC:\Windows\system32\mmtask.exe -s4⤵PID:1608
-
-
C:\Windows\SVCHOST.EXEC:\Windows\SVCHOST.EXE -s4⤵PID:3956
-
-
C:\Windows\system\SVCHOST.EXEC:\Windows\system\SVCHOST.EXE -s4⤵PID:928
-
-
C:\Windows\SysWOW64\EBRR.EXEC:\Windows\system32\EBRR.EXE -s4⤵
- System Location Discovery: System Language Discovery
PID:412
-
-
C:\Windows\SysWOW64\mmtask.exeC:\Windows\system32\mmtask.exe -s4⤵PID:1324
-
-
C:\Windows\SVCHOST.EXEC:\Windows\SVCHOST.EXE -s4⤵
- System Location Discovery: System Language Discovery
PID:4620
-
-
C:\Windows\system\SVCHOST.EXEC:\Windows\system\SVCHOST.EXE -s4⤵PID:2492
-
-
C:\Windows\SysWOW64\EBRR.EXEC:\Windows\system32\EBRR.EXE -s4⤵PID:3936
-
-
C:\Windows\SysWOW64\mmtask.exeC:\Windows\system32\mmtask.exe -s4⤵
- System Location Discovery: System Language Discovery
PID:4608
-
-
C:\Windows\SVCHOST.EXEC:\Windows\SVCHOST.EXE -s4⤵PID:1536
-
-
C:\Windows\system\SVCHOST.EXEC:\Windows\system\SVCHOST.EXE -s4⤵PID:3076
-
-
C:\Windows\SysWOW64\EBRR.EXEC:\Windows\system32\EBRR.EXE -s4⤵PID:776
-
-
C:\Windows\SysWOW64\mmtask.exeC:\Windows\system32\mmtask.exe -s4⤵PID:4420
-
-
C:\Windows\SVCHOST.EXEC:\Windows\SVCHOST.EXE -s4⤵PID:4620
-
-
C:\Windows\system\SVCHOST.EXEC:\Windows\system\SVCHOST.EXE -s4⤵PID:2148
-
-
C:\Windows\SysWOW64\EBRR.EXEC:\Windows\system32\EBRR.EXE -s4⤵PID:2440
-
-
C:\Windows\SysWOW64\mmtask.exeC:\Windows\system32\mmtask.exe -s4⤵PID:4640
-
-
C:\Windows\SVCHOST.EXEC:\Windows\SVCHOST.EXE -s4⤵
- System Location Discovery: System Language Discovery
PID:4188
-
-
C:\Windows\system\SVCHOST.EXEC:\Windows\system\SVCHOST.EXE -s4⤵PID:2116
-
-
C:\Windows\SysWOW64\EBRR.EXEC:\Windows\system32\EBRR.EXE -s4⤵PID:3700
-
-
C:\Windows\SysWOW64\mmtask.exeC:\Windows\system32\mmtask.exe -s4⤵PID:4508
-
-
C:\Windows\SVCHOST.EXEC:\Windows\SVCHOST.EXE -s4⤵PID:4932
-
-
C:\Windows\system\SVCHOST.EXEC:\Windows\system\SVCHOST.EXE -s4⤵PID:2852
-
-
C:\Windows\SysWOW64\EBRR.EXEC:\Windows\system32\EBRR.EXE -s4⤵
- System Location Discovery: System Language Discovery
PID:1668
-
-
C:\Windows\SysWOW64\mmtask.exeC:\Windows\system32\mmtask.exe -s4⤵PID:4832
-
-
C:\Windows\SVCHOST.EXEC:\Windows\SVCHOST.EXE -s4⤵PID:2016
-
-
C:\Windows\system\SVCHOST.EXEC:\Windows\system\SVCHOST.EXE -s4⤵PID:4216
-
-
C:\Windows\SysWOW64\EBRR.EXEC:\Windows\system32\EBRR.EXE -s4⤵PID:1504
-
-
C:\Windows\SysWOW64\mmtask.exeC:\Windows\system32\mmtask.exe -s4⤵PID:4420
-
-
C:\Windows\SVCHOST.EXEC:\Windows\SVCHOST.EXE -s4⤵PID:1496
-
-
C:\Windows\system\SVCHOST.EXEC:\Windows\system\SVCHOST.EXE -s4⤵PID:2960
-
-
C:\Windows\SysWOW64\EBRR.EXEC:\Windows\system32\EBRR.EXE -s4⤵
- System Location Discovery: System Language Discovery
PID:764
-
-
C:\Windows\SysWOW64\mmtask.exeC:\Windows\system32\mmtask.exe -s4⤵PID:2544
-
-
C:\Windows\SVCHOST.EXEC:\Windows\SVCHOST.EXE -s4⤵PID:4384
-
-
C:\Windows\system\SVCHOST.EXEC:\Windows\system\SVCHOST.EXE -s4⤵PID:2152
-
-
C:\Windows\SysWOW64\EBRR.EXEC:\Windows\system32\EBRR.EXE -s4⤵PID:4628
-
-
C:\Windows\SysWOW64\mmtask.exeC:\Windows\system32\mmtask.exe -s4⤵PID:5116
-
-
C:\Windows\SVCHOST.EXEC:\Windows\SVCHOST.EXE -s4⤵PID:4832
-
-
C:\Windows\system\SVCHOST.EXEC:\Windows\system\SVCHOST.EXE -s4⤵PID:3376
-
-
C:\Windows\SysWOW64\EBRR.EXEC:\Windows\system32\EBRR.EXE -s4⤵PID:2116
-
-
C:\Windows\SysWOW64\mmtask.exeC:\Windows\system32\mmtask.exe -s4⤵PID:1512
-
-
C:\Windows\SVCHOST.EXEC:\Windows\SVCHOST.EXE -s4⤵PID:1548
-
-
C:\Windows\system\SVCHOST.EXEC:\Windows\system\SVCHOST.EXE -s4⤵PID:4932
-
-
C:\Windows\SysWOW64\EBRR.EXEC:\Windows\system32\EBRR.EXE -s4⤵PID:1536
-
-
C:\Windows\SysWOW64\mmtask.exeC:\Windows\system32\mmtask.exe -s4⤵PID:4124
-
-
C:\Windows\SVCHOST.EXEC:\Windows\SVCHOST.EXE -s4⤵PID:3620
-
-
C:\Windows\system\SVCHOST.EXEC:\Windows\system\SVCHOST.EXE -s4⤵PID:3464
-
-
C:\Windows\SysWOW64\EBRR.EXEC:\Windows\system32\EBRR.EXE -s4⤵PID:1308
-
-
C:\Windows\SysWOW64\mmtask.exeC:\Windows\system32\mmtask.exe -s4⤵PID:2148
-
-
C:\Windows\SVCHOST.EXEC:\Windows\SVCHOST.EXE -s4⤵PID:4620
-
-
C:\Windows\system\SVCHOST.EXEC:\Windows\system\SVCHOST.EXE -s4⤵PID:4092
-
-
C:\Windows\SysWOW64\EBRR.EXEC:\Windows\system32\EBRR.EXE -s4⤵PID:3920
-
-
C:\Windows\SysWOW64\mmtask.exeC:\Windows\system32\mmtask.exe -s4⤵PID:2204
-
-
C:\Windows\SVCHOST.EXEC:\Windows\SVCHOST.EXE -s4⤵PID:2720
-
-
C:\Windows\system\SVCHOST.EXEC:\Windows\system\SVCHOST.EXE -s4⤵PID:1108
-
-
C:\Windows\SysWOW64\EBRR.EXEC:\Windows\system32\EBRR.EXE -s4⤵PID:640
-
-
C:\Windows\SysWOW64\mmtask.exeC:\Windows\system32\mmtask.exe -s4⤵PID:4576
-
-
C:\Windows\SVCHOST.EXEC:\Windows\SVCHOST.EXE -s4⤵PID:468
-
-
C:\Windows\system\SVCHOST.EXEC:\Windows\system\SVCHOST.EXE -s4⤵PID:2652
-
-
C:\Windows\SysWOW64\EBRR.EXEC:\Windows\system32\EBRR.EXE -s4⤵PID:2204
-
-
C:\Windows\SysWOW64\mmtask.exeC:\Windows\system32\mmtask.exe -s4⤵PID:2676
-
-
C:\Windows\SVCHOST.EXEC:\Windows\SVCHOST.EXE -s4⤵PID:3444
-
-
C:\Windows\system\SVCHOST.EXEC:\Windows\system\SVCHOST.EXE -s4⤵PID:3552
-
-
C:\Windows\SysWOW64\EBRR.EXEC:\Windows\system32\EBRR.EXE -s4⤵PID:3020
-
-
C:\Windows\SysWOW64\mmtask.exeC:\Windows\system32\mmtask.exe -s4⤵PID:4488
-
-
C:\Windows\SVCHOST.EXEC:\Windows\SVCHOST.EXE -s4⤵PID:5040
-
-
C:\Windows\system\SVCHOST.EXEC:\Windows\system\SVCHOST.EXE -s4⤵
- System Location Discovery: System Language Discovery
PID:1608
-
-
C:\Windows\SysWOW64\EBRR.EXEC:\Windows\system32\EBRR.EXE -s4⤵
- System Location Discovery: System Language Discovery
PID:2200
-
-
C:\Windows\SysWOW64\mmtask.exeC:\Windows\system32\mmtask.exe -s4⤵PID:1368
-
-
C:\Windows\SVCHOST.EXEC:\Windows\SVCHOST.EXE -s4⤵PID:4408
-
-
C:\Windows\system\SVCHOST.EXEC:\Windows\system\SVCHOST.EXE -s4⤵PID:4968
-
-
C:\Windows\SysWOW64\EBRR.EXEC:\Windows\system32\EBRR.EXE -s4⤵PID:2908
-
-
C:\Windows\SysWOW64\mmtask.exeC:\Windows\system32\mmtask.exe -s4⤵PID:3428
-
-
C:\Windows\SVCHOST.EXEC:\Windows\SVCHOST.EXE -s4⤵PID:4520
-
-
C:\Windows\system\SVCHOST.EXEC:\Windows\system\SVCHOST.EXE -s4⤵PID:2212
-
-
C:\Windows\SysWOW64\EBRR.EXEC:\Windows\system32\EBRR.EXE -s4⤵PID:4448
-
-
C:\Windows\SysWOW64\mmtask.exeC:\Windows\system32\mmtask.exe -s4⤵PID:2320
-
-
C:\Windows\SVCHOST.EXEC:\Windows\SVCHOST.EXE -s4⤵PID:1744
-
-
C:\Windows\system\SVCHOST.EXEC:\Windows\system\SVCHOST.EXE -s4⤵PID:3748
-
-
C:\Windows\SysWOW64\EBRR.EXEC:\Windows\system32\EBRR.EXE -s4⤵PID:4724
-
-
C:\Windows\SysWOW64\mmtask.exeC:\Windows\system32\mmtask.exe -s4⤵PID:2796
-
-
C:\Windows\SVCHOST.EXEC:\Windows\SVCHOST.EXE -s4⤵PID:2128
-
-
C:\Windows\system\SVCHOST.EXEC:\Windows\system\SVCHOST.EXE -s4⤵PID:708
-
-
C:\Windows\SysWOW64\EBRR.EXEC:\Windows\system32\EBRR.EXE -s4⤵PID:3200
-
-
C:\Windows\SysWOW64\mmtask.exeC:\Windows\system32\mmtask.exe -s4⤵PID:3636
-
-
C:\Windows\SVCHOST.EXEC:\Windows\SVCHOST.EXE -s4⤵PID:2524
-
-
C:\Windows\system\SVCHOST.EXEC:\Windows\system\SVCHOST.EXE -s4⤵PID:2320
-
-
C:\Windows\SysWOW64\EBRR.EXEC:\Windows\system32\EBRR.EXE -s4⤵PID:3748
-
-
C:\Windows\SysWOW64\mmtask.exeC:\Windows\system32\mmtask.exe -s4⤵PID:808
-
-
C:\Windows\SVCHOST.EXEC:\Windows\SVCHOST.EXE -s4⤵PID:4116
-
-
C:\Windows\system\SVCHOST.EXEC:\Windows\system\SVCHOST.EXE -s4⤵PID:4816
-
-
C:\Windows\SysWOW64\EBRR.EXEC:\Windows\system32\EBRR.EXE -s4⤵PID:2700
-
-
C:\Windows\SysWOW64\mmtask.exeC:\Windows\system32\mmtask.exe -s4⤵PID:3200
-
-
C:\Windows\SVCHOST.EXEC:\Windows\SVCHOST.EXE -s4⤵PID:1688
-
-
C:\Windows\system\SVCHOST.EXEC:\Windows\system\SVCHOST.EXE -s4⤵PID:3508
-
-
C:\Windows\SysWOW64\EBRR.EXEC:\Windows\system32\EBRR.EXE -s4⤵PID:3832
-
-
C:\Windows\SysWOW64\mmtask.exeC:\Windows\system32\mmtask.exe -s4⤵PID:3428
-
-
C:\Windows\SVCHOST.EXEC:\Windows\SVCHOST.EXE -s4⤵PID:1776
-
-
C:\Windows\system\SVCHOST.EXEC:\Windows\system\SVCHOST.EXE -s4⤵PID:4580
-
-
C:\Windows\SysWOW64\EBRR.EXEC:\Windows\system32\EBRR.EXE -s4⤵PID:3928
-
-
C:\Windows\SysWOW64\mmtask.exeC:\Windows\system32\mmtask.exe -s4⤵PID:3200
-
-
C:\Windows\SVCHOST.EXEC:\Windows\SVCHOST.EXE -s4⤵PID:4436
-
-
C:\Windows\system\SVCHOST.EXEC:\Windows\system\SVCHOST.EXE -s4⤵PID:3468
-
-
C:\Windows\SysWOW64\EBRR.EXEC:\Windows\system32\EBRR.EXE -s4⤵PID:552
-
-
C:\Windows\SysWOW64\mmtask.exeC:\Windows\system32\mmtask.exe -s4⤵PID:2148
-
-
C:\Windows\SVCHOST.EXEC:\Windows\SVCHOST.EXE -s4⤵PID:4864
-
-
C:\Windows\system\SVCHOST.EXEC:\Windows\system\SVCHOST.EXE -s4⤵PID:4628
-
-
C:\Windows\SysWOW64\EBRR.EXEC:\Windows\system32\EBRR.EXE -s4⤵PID:4248
-
-
C:\Windows\SysWOW64\mmtask.exeC:\Windows\system32\mmtask.exe -s4⤵PID:2932
-
-
C:\Windows\SVCHOST.EXEC:\Windows\SVCHOST.EXE -s4⤵PID:5092
-
-
C:\Windows\system\SVCHOST.EXEC:\Windows\system\SVCHOST.EXE -s4⤵PID:724
-
-
C:\Windows\SysWOW64\EBRR.EXEC:\Windows\system32\EBRR.EXE -s4⤵PID:2904
-
-
C:\Windows\SysWOW64\mmtask.exeC:\Windows\system32\mmtask.exe -s4⤵PID:5040
-
-
C:\Windows\SVCHOST.EXEC:\Windows\SVCHOST.EXE -s4⤵PID:2340
-
-
C:\Windows\system\SVCHOST.EXEC:\Windows\system\SVCHOST.EXE -s4⤵PID:1484
-
-
C:\Windows\SysWOW64\EBRR.EXEC:\Windows\system32\EBRR.EXE -s4⤵PID:3276
-
-
C:\Windows\SysWOW64\mmtask.exeC:\Windows\system32\mmtask.exe -s4⤵PID:4272
-
-
C:\Windows\SVCHOST.EXEC:\Windows\SVCHOST.EXE -s4⤵PID:3900
-
-
C:\Windows\system\SVCHOST.EXEC:\Windows\system\SVCHOST.EXE -s4⤵PID:4268
-
-
C:\Windows\SysWOW64\EBRR.EXEC:\Windows\system32\EBRR.EXE -s4⤵PID:3444
-
-
C:\Windows\SysWOW64\mmtask.exeC:\Windows\system32\mmtask.exe -s4⤵PID:5048
-
-
C:\Windows\SVCHOST.EXEC:\Windows\SVCHOST.EXE -s4⤵PID:5076
-
-
C:\Windows\system\SVCHOST.EXEC:\Windows\system\SVCHOST.EXE -s4⤵PID:908
-
-
C:\Windows\SysWOW64\EBRR.EXEC:\Windows\system32\EBRR.EXE -s4⤵PID:4068
-
-
C:\Windows\SysWOW64\mmtask.exeC:\Windows\system32\mmtask.exe -s4⤵PID:2552
-
-
C:\Windows\SVCHOST.EXEC:\Windows\SVCHOST.EXE -s4⤵PID:3112
-
-
C:\Windows\system\SVCHOST.EXEC:\Windows\system\SVCHOST.EXE -s4⤵PID:3348
-
-
C:\Windows\SysWOW64\EBRR.EXEC:\Windows\system32\EBRR.EXE -s4⤵PID:3520
-
-
C:\Windows\SysWOW64\mmtask.exeC:\Windows\system32\mmtask.exe -s4⤵PID:3168
-
-
C:\Windows\SVCHOST.EXEC:\Windows\SVCHOST.EXE -s4⤵PID:4716
-
-
C:\Windows\system\SVCHOST.EXEC:\Windows\system\SVCHOST.EXE -s4⤵PID:2016
-
-
C:\Windows\SysWOW64\EBRR.EXEC:\Windows\system32\EBRR.EXE -s4⤵PID:2472
-
-
C:\Windows\SysWOW64\mmtask.exeC:\Windows\system32\mmtask.exe -s4⤵PID:5116
-
-
C:\Windows\SVCHOST.EXEC:\Windows\SVCHOST.EXE -s4⤵PID:468
-
-
C:\Windows\system\SVCHOST.EXEC:\Windows\system\SVCHOST.EXE -s4⤵PID:4748
-
-
C:\Windows\SysWOW64\EBRR.EXEC:\Windows\system32\EBRR.EXE -s4⤵PID:3020
-
-
C:\Windows\SysWOW64\mmtask.exeC:\Windows\system32\mmtask.exe -s4⤵PID:2176
-
-
C:\Windows\SVCHOST.EXEC:\Windows\SVCHOST.EXE -s4⤵PID:4832
-
-
C:\Windows\system\SVCHOST.EXEC:\Windows\system\SVCHOST.EXE -s4⤵PID:1308
-
-
C:\Windows\SysWOW64\EBRR.EXEC:\Windows\system32\EBRR.EXE -s4⤵PID:2684
-
-
C:\Windows\SysWOW64\mmtask.exeC:\Windows\system32\mmtask.exe -s4⤵PID:1280
-
-
C:\Windows\SVCHOST.EXEC:\Windows\SVCHOST.EXE -s4⤵PID:4860
-
-
C:\Windows\system\SVCHOST.EXEC:\Windows\system\SVCHOST.EXE -s4⤵PID:2740
-
-
C:\Windows\SysWOW64\EBRR.EXEC:\Windows\system32\EBRR.EXE -s4⤵PID:1928
-
-
C:\Windows\SysWOW64\mmtask.exeC:\Windows\system32\mmtask.exe -s4⤵PID:4244
-
-
C:\Windows\SVCHOST.EXEC:\Windows\SVCHOST.EXE -s4⤵PID:1384
-
-
C:\Windows\system\SVCHOST.EXEC:\Windows\system\SVCHOST.EXE -s4⤵PID:612
-
-
C:\Windows\SysWOW64\EBRR.EXEC:\Windows\system32\EBRR.EXE -s4⤵PID:2904
-
-
C:\Windows\SysWOW64\mmtask.exeC:\Windows\system32\mmtask.exe -s4⤵PID:4184
-
-
C:\Windows\SVCHOST.EXEC:\Windows\SVCHOST.EXE -s4⤵PID:4116
-
-
C:\Windows\system\SVCHOST.EXEC:\Windows\system\SVCHOST.EXE -s4⤵PID:4480
-
-
C:\Windows\SysWOW64\EBRR.EXEC:\Windows\system32\EBRR.EXE -s4⤵PID:1100
-
-
C:\Windows\SysWOW64\mmtask.exeC:\Windows\system32\mmtask.exe -s4⤵PID:1776
-
-
C:\Windows\SVCHOST.EXEC:\Windows\SVCHOST.EXE -s4⤵PID:4792
-
-
C:\Windows\system\SVCHOST.EXEC:\Windows\system\SVCHOST.EXE -s4⤵PID:2716
-
-
C:\Windows\SysWOW64\EBRR.EXEC:\Windows\system32\EBRR.EXE -s4⤵PID:1552
-
-
C:\Windows\SysWOW64\mmtask.exeC:\Windows\system32\mmtask.exe -s4⤵PID:1956
-
-
C:\Windows\SVCHOST.EXEC:\Windows\SVCHOST.EXE -s4⤵PID:3780
-
-
C:\Windows\system\SVCHOST.EXEC:\Windows\system\SVCHOST.EXE -s4⤵PID:5048
-
-
C:\Windows\SysWOW64\EBRR.EXEC:\Windows\system32\EBRR.EXE -s4⤵PID:808
-
-
C:\Windows\SysWOW64\mmtask.exeC:\Windows\system32\mmtask.exe -s4⤵PID:3468
-
-
C:\Windows\SVCHOST.EXEC:\Windows\SVCHOST.EXE -s4⤵PID:4116
-
-
C:\Windows\system\SVCHOST.EXEC:\Windows\system\SVCHOST.EXE -s4⤵PID:4860
-
-
C:\Windows\SysWOW64\EBRR.EXEC:\Windows\system32\EBRR.EXE -s4⤵PID:1928
-
-
C:\Windows\SysWOW64\mmtask.exeC:\Windows\system32\mmtask.exe -s4⤵PID:4064
-
-
C:\Windows\SVCHOST.EXEC:\Windows\SVCHOST.EXE -s4⤵PID:1612
-
-
C:\Windows\system\SVCHOST.EXEC:\Windows\system\SVCHOST.EXE -s4⤵PID:1668
-
-
C:\Windows\SysWOW64\EBRR.EXEC:\Windows\system32\EBRR.EXE -s4⤵PID:404
-
-
C:\Windows\SysWOW64\mmtask.exeC:\Windows\system32\mmtask.exe -s4⤵PID:4368
-
-
C:\Windows\SVCHOST.EXEC:\Windows\SVCHOST.EXE -s4⤵PID:4608
-
-
C:\Windows\system\SVCHOST.EXEC:\Windows\system\SVCHOST.EXE -s4⤵PID:4020
-
-
C:\Windows\SysWOW64\EBRR.EXEC:\Windows\system32\EBRR.EXE -s4⤵PID:3556
-
-
C:\Windows\SysWOW64\mmtask.exeC:\Windows\system32\mmtask.exe -s4⤵PID:4336
-
-
C:\Windows\SVCHOST.EXEC:\Windows\SVCHOST.EXE -s4⤵PID:4248
-
-
-
C:\Windows\SVCHOST.EXEC:\Windows\SVCHOST.EXE -s3⤵
- Modifies WinLogon for persistence
- Executes dropped EXE
- Modifies system executable filetype association
- Drops file in System32 directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1564 -
C:\Windows\SysWOW64\EBRR.EXEC:\Windows\system32\EBRR.EXE -s4⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:2848
-
-
C:\Windows\SysWOW64\mmtask.exeC:\Windows\system32\mmtask.exe -s4⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:2732
-
-
C:\Windows\SVCHOST.EXEC:\Windows\SVCHOST.EXE -s4⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:1100
-
-
C:\Windows\system\SVCHOST.EXEC:\Windows\system\SVCHOST.EXE -s4⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:4244
-
-
C:\Windows\SysWOW64\EBRR.EXEC:\Windows\system32\EBRR.EXE -s4⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:1120
-
-
C:\Windows\SysWOW64\mmtask.exeC:\Windows\system32\mmtask.exe -s4⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:1608
-
-
C:\Windows\SVCHOST.EXEC:\Windows\SVCHOST.EXE -s4⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:1912
-
-
C:\Windows\system\SVCHOST.EXEC:\Windows\system\SVCHOST.EXE -s4⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:4488
-
-
C:\Windows\SysWOW64\EBRR.EXEC:\Windows\system32\EBRR.EXE -s4⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:1536
-
-
C:\Windows\SysWOW64\mmtask.exeC:\Windows\system32\mmtask.exe -s4⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:4984
-
-
C:\Windows\SVCHOST.EXEC:\Windows\SVCHOST.EXE -s4⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:408
-
-
C:\Windows\system\SVCHOST.EXEC:\Windows\system\SVCHOST.EXE -s4⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:3076
-
-
C:\Windows\SysWOW64\EBRR.EXEC:\Windows\system32\EBRR.EXE -s4⤵PID:3044
-
-
C:\Windows\SysWOW64\mmtask.exeC:\Windows\system32\mmtask.exe -s4⤵
- System Location Discovery: System Language Discovery
PID:1552
-
-
C:\Windows\SVCHOST.EXEC:\Windows\SVCHOST.EXE -s4⤵PID:3408
-
-
C:\Windows\system\SVCHOST.EXEC:\Windows\system\SVCHOST.EXE -s4⤵PID:2412
-
-
C:\Windows\SysWOW64\EBRR.EXEC:\Windows\system32\EBRR.EXE -s4⤵PID:4280
-
-
C:\Windows\SysWOW64\mmtask.exeC:\Windows\system32\mmtask.exe -s4⤵PID:1668
-
-
C:\Windows\SVCHOST.EXEC:\Windows\SVCHOST.EXE -s4⤵PID:4740
-
-
C:\Windows\system\SVCHOST.EXEC:\Windows\system\SVCHOST.EXE -s4⤵
- System Location Discovery: System Language Discovery
PID:1000
-
-
C:\Windows\SysWOW64\EBRR.EXEC:\Windows\system32\EBRR.EXE -s4⤵PID:3416
-
-
C:\Windows\SysWOW64\mmtask.exeC:\Windows\system32\mmtask.exe -s4⤵
- System Location Discovery: System Language Discovery
PID:2212
-
-
C:\Windows\SVCHOST.EXEC:\Windows\SVCHOST.EXE -s4⤵
- System Location Discovery: System Language Discovery
PID:3512
-
-
C:\Windows\system\SVCHOST.EXEC:\Windows\system\SVCHOST.EXE -s4⤵PID:4812
-
-
C:\Windows\SysWOW64\EBRR.EXEC:\Windows\system32\EBRR.EXE -s4⤵
- System Location Discovery: System Language Discovery
PID:4640
-
-
C:\Windows\SysWOW64\mmtask.exeC:\Windows\system32\mmtask.exe -s4⤵PID:1240
-
-
C:\Windows\SVCHOST.EXEC:\Windows\SVCHOST.EXE -s4⤵PID:736
-
-
C:\Windows\system\SVCHOST.EXEC:\Windows\system\SVCHOST.EXE -s4⤵PID:1388
-
-
C:\Windows\SysWOW64\EBRR.EXEC:\Windows\system32\EBRR.EXE -s4⤵PID:4520
-
-
C:\Windows\SysWOW64\mmtask.exeC:\Windows\system32\mmtask.exe -s4⤵PID:4792
-
-
C:\Windows\SVCHOST.EXEC:\Windows\SVCHOST.EXE -s4⤵PID:3020
-
-
C:\Windows\system\SVCHOST.EXEC:\Windows\system\SVCHOST.EXE -s4⤵PID:3408
-
-
C:\Windows\SysWOW64\EBRR.EXEC:\Windows\system32\EBRR.EXE -s4⤵PID:4280
-
-
C:\Windows\SysWOW64\mmtask.exeC:\Windows\system32\mmtask.exe -s4⤵PID:3164
-
-
C:\Windows\SVCHOST.EXEC:\Windows\SVCHOST.EXE -s4⤵PID:4092
-
-
C:\Windows\system\SVCHOST.EXEC:\Windows\system\SVCHOST.EXE -s4⤵PID:5008
-
-
C:\Windows\SysWOW64\EBRR.EXEC:\Windows\system32\EBRR.EXE -s4⤵PID:2112
-
-
C:\Windows\SysWOW64\mmtask.exeC:\Windows\system32\mmtask.exe -s4⤵PID:2684
-
-
C:\Windows\SVCHOST.EXEC:\Windows\SVCHOST.EXE -s4⤵PID:2908
-
-
C:\Windows\system\SVCHOST.EXEC:\Windows\system\SVCHOST.EXE -s4⤵PID:408
-
-
C:\Windows\SysWOW64\EBRR.EXEC:\Windows\system32\EBRR.EXE -s4⤵PID:3556
-
-
C:\Windows\SysWOW64\mmtask.exeC:\Windows\system32\mmtask.exe -s4⤵PID:3720
-
-
C:\Windows\SVCHOST.EXEC:\Windows\SVCHOST.EXE -s4⤵PID:4508
-
-
C:\Windows\system\SVCHOST.EXEC:\Windows\system\SVCHOST.EXE -s4⤵PID:2156
-
-
C:\Windows\SysWOW64\EBRR.EXEC:\Windows\system32\EBRR.EXE -s4⤵PID:3280
-
-
C:\Windows\SysWOW64\mmtask.exeC:\Windows\system32\mmtask.exe -s4⤵PID:2908
-
-
C:\Windows\SVCHOST.EXEC:\Windows\SVCHOST.EXE -s4⤵PID:3900
-
-
C:\Windows\system\SVCHOST.EXEC:\Windows\system\SVCHOST.EXE -s4⤵PID:3348
-
-
C:\Windows\SysWOW64\EBRR.EXEC:\Windows\system32\EBRR.EXE -s4⤵PID:432
-
-
C:\Windows\SysWOW64\mmtask.exeC:\Windows\system32\mmtask.exe -s4⤵PID:3720
-
-
C:\Windows\SVCHOST.EXEC:\Windows\SVCHOST.EXE -s4⤵PID:2128
-
-
C:\Windows\system\SVCHOST.EXEC:\Windows\system\SVCHOST.EXE -s4⤵
- System Location Discovery: System Language Discovery
PID:4792
-
-
C:\Windows\SysWOW64\EBRR.EXEC:\Windows\system32\EBRR.EXE -s4⤵
- System Location Discovery: System Language Discovery
PID:4820
-
-
C:\Windows\SysWOW64\mmtask.exeC:\Windows\system32\mmtask.exe -s4⤵PID:2200
-
-
C:\Windows\SVCHOST.EXEC:\Windows\SVCHOST.EXE -s4⤵PID:4056
-
-
C:\Windows\system\SVCHOST.EXEC:\Windows\system\SVCHOST.EXE -s4⤵PID:612
-
-
C:\Windows\SysWOW64\EBRR.EXEC:\Windows\system32\EBRR.EXE -s4⤵PID:4576
-
-
C:\Windows\SysWOW64\mmtask.exeC:\Windows\system32\mmtask.exe -s4⤵PID:3952
-
-
C:\Windows\SVCHOST.EXEC:\Windows\SVCHOST.EXE -s4⤵PID:2412
-
-
C:\Windows\system\SVCHOST.EXEC:\Windows\system\SVCHOST.EXE -s4⤵PID:2628
-
-
C:\Windows\SysWOW64\EBRR.EXEC:\Windows\system32\EBRR.EXE -s4⤵
- System Location Discovery: System Language Discovery
PID:512
-
-
C:\Windows\SysWOW64\mmtask.exeC:\Windows\system32\mmtask.exe -s4⤵PID:1240
-
-
C:\Windows\SVCHOST.EXEC:\Windows\SVCHOST.EXE -s4⤵PID:3168
-
-
C:\Windows\system\SVCHOST.EXEC:\Windows\system\SVCHOST.EXE -s4⤵PID:4064
-
-
C:\Windows\SysWOW64\EBRR.EXEC:\Windows\system32\EBRR.EXE -s4⤵PID:5008
-
-
C:\Windows\SysWOW64\mmtask.exeC:\Windows\system32\mmtask.exe -s4⤵PID:2440
-
-
C:\Windows\SVCHOST.EXEC:\Windows\SVCHOST.EXE -s4⤵PID:5088
-
-
C:\Windows\system\SVCHOST.EXEC:\Windows\system\SVCHOST.EXE -s4⤵PID:1908
-
-
C:\Windows\SysWOW64\EBRR.EXEC:\Windows\system32\EBRR.EXE -s4⤵PID:3984
-
-
C:\Windows\SysWOW64\mmtask.exeC:\Windows\system32\mmtask.exe -s4⤵PID:392
-
-
C:\Windows\SVCHOST.EXEC:\Windows\SVCHOST.EXE -s4⤵PID:1504
-
-
C:\Windows\system\SVCHOST.EXEC:\Windows\system\SVCHOST.EXE -s4⤵PID:3700
-
-
C:\Windows\SysWOW64\EBRR.EXEC:\Windows\system32\EBRR.EXE -s4⤵
- System Location Discovery: System Language Discovery
PID:2552
-
-
C:\Windows\SysWOW64\mmtask.exeC:\Windows\system32\mmtask.exe -s4⤵PID:400
-
-
C:\Windows\SVCHOST.EXEC:\Windows\SVCHOST.EXE -s4⤵PID:4232
-
-
C:\Windows\system\SVCHOST.EXEC:\Windows\system\SVCHOST.EXE -s4⤵
- System Location Discovery: System Language Discovery
PID:1988
-
-
C:\Windows\SysWOW64\EBRR.EXEC:\Windows\system32\EBRR.EXE -s4⤵PID:3240
-
-
C:\Windows\SysWOW64\mmtask.exeC:\Windows\system32\mmtask.exe -s4⤵
- System Location Discovery: System Language Discovery
PID:116
-
-
C:\Windows\SVCHOST.EXEC:\Windows\SVCHOST.EXE -s4⤵PID:5076
-
-
C:\Windows\system\SVCHOST.EXEC:\Windows\system\SVCHOST.EXE -s4⤵PID:2488
-
-
C:\Windows\SysWOW64\EBRR.EXEC:\Windows\system32\EBRR.EXE -s4⤵PID:4336
-
-
C:\Windows\SysWOW64\mmtask.exeC:\Windows\system32\mmtask.exe -s4⤵PID:4248
-
-
C:\Windows\SVCHOST.EXEC:\Windows\SVCHOST.EXE -s4⤵PID:4384
-
-
C:\Windows\system\SVCHOST.EXEC:\Windows\system\SVCHOST.EXE -s4⤵PID:1744
-
-
C:\Windows\SysWOW64\EBRR.EXEC:\Windows\system32\EBRR.EXE -s4⤵PID:724
-
-
C:\Windows\SysWOW64\mmtask.exeC:\Windows\system32\mmtask.exe -s4⤵PID:2624
-
-
C:\Windows\SVCHOST.EXEC:\Windows\SVCHOST.EXE -s4⤵PID:1088
-
-
C:\Windows\system\SVCHOST.EXEC:\Windows\system\SVCHOST.EXE -s4⤵PID:2212
-
-
C:\Windows\SysWOW64\EBRR.EXEC:\Windows\system32\EBRR.EXE -s4⤵PID:1668
-
-
C:\Windows\SysWOW64\mmtask.exeC:\Windows\system32\mmtask.exe -s4⤵
- System Location Discovery: System Language Discovery
PID:3636
-
-
C:\Windows\SVCHOST.EXEC:\Windows\SVCHOST.EXE -s4⤵PID:4832
-
-
C:\Windows\system\SVCHOST.EXEC:\Windows\system\SVCHOST.EXE -s4⤵PID:1956
-
-
C:\Windows\SysWOW64\EBRR.EXEC:\Windows\system32\EBRR.EXE -s4⤵PID:3184
-
-
C:\Windows\SysWOW64\mmtask.exeC:\Windows\system32\mmtask.exe -s4⤵PID:456
-
-
C:\Windows\SVCHOST.EXEC:\Windows\SVCHOST.EXE -s4⤵PID:4244
-
-
C:\Windows\system\SVCHOST.EXEC:\Windows\system\SVCHOST.EXE -s4⤵PID:3492
-
-
C:\Windows\SysWOW64\EBRR.EXEC:\Windows\system32\EBRR.EXE -s4⤵PID:2204
-
-
C:\Windows\SysWOW64\mmtask.exeC:\Windows\system32\mmtask.exe -s4⤵PID:2352
-
-
C:\Windows\SVCHOST.EXEC:\Windows\SVCHOST.EXE -s4⤵PID:2752
-
-
C:\Windows\system\SVCHOST.EXEC:\Windows\system\SVCHOST.EXE -s4⤵PID:1628
-
-
C:\Windows\SysWOW64\EBRR.EXEC:\Windows\system32\EBRR.EXE -s4⤵PID:4840
-
-
C:\Windows\SysWOW64\mmtask.exeC:\Windows\system32\mmtask.exe -s4⤵PID:1580
-
-
C:\Windows\SVCHOST.EXEC:\Windows\SVCHOST.EXE -s4⤵PID:2128
-
-
C:\Windows\system\SVCHOST.EXEC:\Windows\system\SVCHOST.EXE -s4⤵PID:1148
-
-
C:\Windows\SysWOW64\EBRR.EXEC:\Windows\system32\EBRR.EXE -s4⤵PID:4624
-
-
C:\Windows\SysWOW64\mmtask.exeC:\Windows\system32\mmtask.exe -s4⤵PID:3636
-
-
C:\Windows\SVCHOST.EXEC:\Windows\SVCHOST.EXE -s4⤵PID:3592
-
-
C:\Windows\system\SVCHOST.EXEC:\Windows\system\SVCHOST.EXE -s4⤵PID:2716
-
-
C:\Windows\SysWOW64\EBRR.EXEC:\Windows\system32\EBRR.EXE -s4⤵PID:468
-
-
C:\Windows\SysWOW64\mmtask.exeC:\Windows\system32\mmtask.exe -s4⤵PID:2124
-
-
C:\Windows\SVCHOST.EXEC:\Windows\SVCHOST.EXE -s4⤵PID:2852
-
-
C:\Windows\system\SVCHOST.EXEC:\Windows\system\SVCHOST.EXE -s4⤵PID:1484
-
-
C:\Windows\SysWOW64\EBRR.EXEC:\Windows\system32\EBRR.EXE -s4⤵PID:1608
-
-
C:\Windows\SysWOW64\mmtask.exeC:\Windows\system32\mmtask.exe -s4⤵PID:4080
-
-
C:\Windows\SVCHOST.EXEC:\Windows\SVCHOST.EXE -s4⤵PID:4564
-
-
C:\Windows\system\SVCHOST.EXEC:\Windows\system\SVCHOST.EXE -s4⤵PID:2564
-
-
C:\Windows\SysWOW64\EBRR.EXEC:\Windows\system32\EBRR.EXE -s4⤵PID:4628
-
-
C:\Windows\SysWOW64\mmtask.exeC:\Windows\system32\mmtask.exe -s4⤵PID:2960
-
-
C:\Windows\SVCHOST.EXEC:\Windows\SVCHOST.EXE -s4⤵PID:4696
-
-
C:\Windows\system\SVCHOST.EXEC:\Windows\system\SVCHOST.EXE -s4⤵PID:1524
-
-
C:\Windows\SysWOW64\EBRR.EXEC:\Windows\system32\EBRR.EXE -s4⤵PID:4244
-
-
C:\Windows\SysWOW64\mmtask.exeC:\Windows\system32\mmtask.exe -s4⤵PID:2676
-
-
C:\Windows\SVCHOST.EXEC:\Windows\SVCHOST.EXE -s4⤵PID:1712
-
-
C:\Windows\system\SVCHOST.EXEC:\Windows\system\SVCHOST.EXE -s4⤵PID:2716
-
-
C:\Windows\SysWOW64\EBRR.EXEC:\Windows\system32\EBRR.EXE -s4⤵PID:3184
-
-
C:\Windows\SysWOW64\mmtask.exeC:\Windows\system32\mmtask.exe -s4⤵PID:1496
-
-
C:\Windows\SVCHOST.EXEC:\Windows\SVCHOST.EXE -s4⤵PID:2852
-
-
C:\Windows\system\SVCHOST.EXEC:\Windows\system\SVCHOST.EXE -s4⤵PID:3276
-
-
C:\Windows\SysWOW64\EBRR.EXEC:\Windows\system32\EBRR.EXE -s4⤵PID:3900
-
-
C:\Windows\SysWOW64\mmtask.exeC:\Windows\system32\mmtask.exe -s4⤵PID:400
-
-
C:\Windows\SVCHOST.EXEC:\Windows\SVCHOST.EXE -s4⤵PID:3552
-
-
C:\Windows\system\SVCHOST.EXEC:\Windows\system\SVCHOST.EXE -s4⤵PID:4832
-
-
C:\Windows\SysWOW64\EBRR.EXEC:\Windows\system32\EBRR.EXE -s4⤵PID:4088
-
-
C:\Windows\SysWOW64\mmtask.exeC:\Windows\system32\mmtask.exe -s4⤵PID:4620
-
-
C:\Windows\SVCHOST.EXEC:\Windows\SVCHOST.EXE -s4⤵PID:3588
-
-
C:\Windows\system\SVCHOST.EXEC:\Windows\system\SVCHOST.EXE -s4⤵PID:228
-
-
C:\Windows\SysWOW64\EBRR.EXEC:\Windows\system32\EBRR.EXE -s4⤵PID:3112
-
-
C:\Windows\SysWOW64\mmtask.exeC:\Windows\system32\mmtask.exe -s4⤵PID:3284
-
-
C:\Windows\SVCHOST.EXEC:\Windows\SVCHOST.EXE -s4⤵PID:1956
-
-
C:\Windows\system\SVCHOST.EXEC:\Windows\system\SVCHOST.EXE -s4⤵PID:1628
-
-
C:\Windows\SysWOW64\EBRR.EXEC:\Windows\system32\EBRR.EXE -s4⤵PID:5084
-
-
C:\Windows\SysWOW64\mmtask.exeC:\Windows\system32\mmtask.exe -s4⤵PID:2924
-
-
C:\Windows\SVCHOST.EXEC:\Windows\SVCHOST.EXE -s4⤵PID:4184
-
-
C:\Windows\system\SVCHOST.EXEC:\Windows\system\SVCHOST.EXE -s4⤵PID:4500
-
-
C:\Windows\SysWOW64\EBRR.EXEC:\Windows\system32\EBRR.EXE -s4⤵PID:228
-
-
C:\Windows\SysWOW64\mmtask.exeC:\Windows\system32\mmtask.exe -s4⤵PID:3120
-
-
C:\Windows\SVCHOST.EXEC:\Windows\SVCHOST.EXE -s4⤵PID:4672
-
-
C:\Windows\system\SVCHOST.EXEC:\Windows\system\SVCHOST.EXE -s4⤵PID:732
-
-
C:\Windows\SysWOW64\EBRR.EXEC:\Windows\system32\EBRR.EXE -s4⤵PID:1628
-
-
C:\Windows\SysWOW64\mmtask.exeC:\Windows\system32\mmtask.exe -s4⤵PID:1308
-
-
C:\Windows\SVCHOST.EXEC:\Windows\SVCHOST.EXE -s4⤵PID:2724
-
-
C:\Windows\system\SVCHOST.EXEC:\Windows\system\SVCHOST.EXE -s4⤵PID:1380
-
-
C:\Windows\SysWOW64\EBRR.EXEC:\Windows\system32\EBRR.EXE -s4⤵PID:4860
-
-
C:\Windows\SysWOW64\mmtask.exeC:\Windows\system32\mmtask.exe -s4⤵PID:4384
-
-
C:\Windows\SVCHOST.EXEC:\Windows\SVCHOST.EXE -s4⤵PID:3284
-
-
C:\Windows\system\SVCHOST.EXEC:\Windows\system\SVCHOST.EXE -s4⤵PID:3636
-
-
C:\Windows\SysWOW64\EBRR.EXEC:\Windows\system32\EBRR.EXE -s4⤵PID:4188
-
-
C:\Windows\SysWOW64\mmtask.exeC:\Windows\system32\mmtask.exe -s4⤵PID:3036
-
-
C:\Windows\SVCHOST.EXEC:\Windows\SVCHOST.EXE -s4⤵PID:412
-
-
C:\Windows\system\SVCHOST.EXEC:\Windows\system\SVCHOST.EXE -s4⤵PID:1536
-
-
C:\Windows\SysWOW64\EBRR.EXEC:\Windows\system32\EBRR.EXE -s4⤵PID:5088
-
-
C:\Windows\SysWOW64\mmtask.exeC:\Windows\system32\mmtask.exe -s4⤵PID:5104
-
-
C:\Windows\SVCHOST.EXEC:\Windows\SVCHOST.EXE -s4⤵PID:3928
-
-
C:\Windows\system\SVCHOST.EXEC:\Windows\system\SVCHOST.EXE -s4⤵PID:2128
-
-
C:\Windows\SysWOW64\EBRR.EXEC:\Windows\system32\EBRR.EXE -s4⤵PID:3508
-
-
C:\Windows\SysWOW64\mmtask.exeC:\Windows\system32\mmtask.exe -s4⤵PID:2112
-
-
C:\Windows\SVCHOST.EXEC:\Windows\SVCHOST.EXE -s4⤵PID:1164
-
-
C:\Windows\system\SVCHOST.EXEC:\Windows\system\SVCHOST.EXE -s4⤵PID:4020
-
-
C:\Windows\SysWOW64\EBRR.EXEC:\Windows\system32\EBRR.EXE -s4⤵PID:3088
-
-
C:\Windows\SysWOW64\mmtask.exeC:\Windows\system32\mmtask.exe -s4⤵PID:632
-
-
C:\Windows\SVCHOST.EXEC:\Windows\SVCHOST.EXE -s4⤵PID:4336
-
-
C:\Windows\system\SVCHOST.EXEC:\Windows\system\SVCHOST.EXE -s4⤵PID:2204
-
-
C:\Windows\SysWOW64\EBRR.EXEC:\Windows\system32\EBRR.EXE -s4⤵PID:4672
-
-
C:\Windows\SysWOW64\mmtask.exeC:\Windows\system32\mmtask.exe -s4⤵PID:2164
-
-
C:\Windows\SVCHOST.EXEC:\Windows\SVCHOST.EXE -s4⤵PID:3780
-
-
C:\Windows\system\SVCHOST.EXEC:\Windows\system\SVCHOST.EXE -s4⤵PID:2492
-
-
C:\Windows\SysWOW64\EBRR.EXEC:\Windows\system32\EBRR.EXE -s4⤵PID:2352
-
-
C:\Windows\SysWOW64\mmtask.exeC:\Windows\system32\mmtask.exe -s4⤵PID:2068
-
-
C:\Windows\system\SVCHOST.EXEC:\Windows\system\SVCHOST.EXE -s4⤵PID:3832
-
-
C:\Windows\SysWOW64\EBRR.EXEC:\Windows\system32\EBRR.EXE -s4⤵PID:4400
-
-
C:\Windows\SysWOW64\mmtask.exeC:\Windows\system32\mmtask.exe -s4⤵PID:2552
-
-
C:\Windows\SVCHOST.EXEC:\Windows\SVCHOST.EXE -s4⤵PID:2284
-
-
C:\Windows\system\SVCHOST.EXEC:\Windows\system\SVCHOST.EXE -s4⤵PID:3128
-
-
C:\Windows\SysWOW64\EBRR.EXEC:\Windows\system32\EBRR.EXE -s4⤵PID:4268
-
-
C:\Windows\SysWOW64\mmtask.exeC:\Windows\system32\mmtask.exe -s4⤵PID:2112
-
-
C:\Windows\SVCHOST.EXEC:\Windows\SVCHOST.EXE -s4⤵PID:4276
-
-
C:\Windows\system\SVCHOST.EXEC:\Windows\system\SVCHOST.EXE -s4⤵PID:2960
-
-
C:\Windows\SysWOW64\EBRR.EXEC:\Windows\system32\EBRR.EXE -s4⤵PID:1580
-
-
C:\Windows\SysWOW64\mmtask.exeC:\Windows\system32\mmtask.exe -s4⤵PID:3936
-
-
C:\Windows\SVCHOST.EXEC:\Windows\SVCHOST.EXE -s4⤵PID:2340
-
-
C:\Windows\system\SVCHOST.EXEC:\Windows\system\SVCHOST.EXE -s4⤵PID:1996
-
-
C:\Windows\SysWOW64\EBRR.EXEC:\Windows\system32\EBRR.EXE -s4⤵PID:4448
-
-
C:\Windows\SysWOW64\mmtask.exeC:\Windows\system32\mmtask.exe -s4⤵PID:1376
-
-
C:\Windows\SVCHOST.EXEC:\Windows\SVCHOST.EXE -s4⤵PID:1204
-
-
C:\Windows\system\SVCHOST.EXEC:\Windows\system\SVCHOST.EXE -s4⤵PID:1628
-
-
C:\Windows\SysWOW64\EBRR.EXEC:\Windows\system32\EBRR.EXE -s4⤵PID:2208
-
-
C:\Windows\SysWOW64\mmtask.exeC:\Windows\system32\mmtask.exe -s4⤵PID:552
-
-
C:\Windows\SVCHOST.EXEC:\Windows\SVCHOST.EXE -s4⤵PID:2112
-
-
C:\Windows\system\SVCHOST.EXEC:\Windows\system\SVCHOST.EXE -s4⤵PID:4716
-
-
C:\Windows\SysWOW64\EBRR.EXEC:\Windows\system32\EBRR.EXE -s4⤵PID:3000
-
-
C:\Windows\SysWOW64\mmtask.exeC:\Windows\system32\mmtask.exe -s4⤵PID:4016
-
-
-
C:\Windows\system\SVCHOST.EXEC:\Windows\system\SVCHOST.EXE -s3⤵
- Modifies WinLogon for persistence
- Executes dropped EXE
- Modifies system executable filetype association
- Drops file in System32 directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2540 -
C:\Windows\SysWOW64\EBRR.EXEC:\Windows\system32\EBRR.EXE -s4⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:3492
-
-
C:\Windows\SysWOW64\mmtask.exeC:\Windows\system32\mmtask.exe -s4⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:1588
-
-
C:\Windows\SVCHOST.EXEC:\Windows\SVCHOST.EXE -s4⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:4384
-
-
C:\Windows\system\SVCHOST.EXEC:\Windows\system\SVCHOST.EXE -s4⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:4892
-
-
C:\Windows\SysWOW64\EBRR.EXEC:\Windows\system32\EBRR.EXE -s4⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:432
-
-
C:\Windows\SysWOW64\mmtask.exeC:\Windows\system32\mmtask.exe -s4⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:3184
-
-
C:\Windows\SVCHOST.EXEC:\Windows\SVCHOST.EXE -s4⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:228
-
-
C:\Windows\system\SVCHOST.EXEC:\Windows\system\SVCHOST.EXE -s4⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:392
-
-
C:\Windows\SysWOW64\EBRR.EXEC:\Windows\system32\EBRR.EXE -s4⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:4536
-
-
C:\Windows\SysWOW64\mmtask.exeC:\Windows\system32\mmtask.exe -s4⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:2732
-
-
C:\Windows\SVCHOST.EXEC:\Windows\SVCHOST.EXE -s4⤵
- Executes dropped EXE
PID:3988
-
-
C:\Windows\system\SVCHOST.EXEC:\Windows\system\SVCHOST.EXE -s4⤵PID:5008
-
-
C:\Windows\SysWOW64\EBRR.EXEC:\Windows\system32\EBRR.EXE -s4⤵PID:1996
-
-
C:\Windows\SysWOW64\mmtask.exeC:\Windows\system32\mmtask.exe -s4⤵PID:1596
-
-
C:\Windows\SVCHOST.EXEC:\Windows\SVCHOST.EXE -s4⤵PID:3512
-
-
C:\Windows\system\SVCHOST.EXEC:\Windows\system\SVCHOST.EXE -s4⤵PID:2924
-
-
C:\Windows\SysWOW64\EBRR.EXEC:\Windows\system32\EBRR.EXE -s4⤵PID:392
-
-
C:\Windows\SysWOW64\mmtask.exeC:\Windows\system32\mmtask.exe -s4⤵PID:4832
-
-
C:\Windows\SVCHOST.EXEC:\Windows\SVCHOST.EXE -s4⤵PID:2932
-
-
C:\Windows\system\SVCHOST.EXEC:\Windows\system\SVCHOST.EXE -s4⤵PID:3108
-
-
C:\Windows\SysWOW64\EBRR.EXEC:\Windows\system32\EBRR.EXE -s4⤵PID:3836
-
-
C:\Windows\SysWOW64\mmtask.exeC:\Windows\system32\mmtask.exe -s4⤵PID:1280
-
-
C:\Windows\SVCHOST.EXEC:\Windows\SVCHOST.EXE -s4⤵PID:1504
-
-
C:\Windows\system\SVCHOST.EXEC:\Windows\system\SVCHOST.EXE -s4⤵PID:2420
-
-
C:\Windows\SysWOW64\EBRR.EXEC:\Windows\system32\EBRR.EXE -s4⤵
- System Location Discovery: System Language Discovery
PID:4336
-
-
C:\Windows\SysWOW64\mmtask.exeC:\Windows\system32\mmtask.exe -s4⤵PID:1692
-
-
C:\Windows\SVCHOST.EXEC:\Windows\SVCHOST.EXE -s4⤵PID:4628
-
-
C:\Windows\system\SVCHOST.EXEC:\Windows\system\SVCHOST.EXE -s4⤵PID:612
-
-
C:\Windows\SysWOW64\EBRR.EXEC:\Windows\system32\EBRR.EXE -s4⤵PID:1996
-
-
C:\Windows\SysWOW64\mmtask.exeC:\Windows\system32\mmtask.exe -s4⤵PID:4888
-
-
C:\Windows\SVCHOST.EXEC:\Windows\SVCHOST.EXE -s4⤵PID:3112
-
-
C:\Windows\system\SVCHOST.EXEC:\Windows\system\SVCHOST.EXE -s4⤵PID:1008
-
-
C:\Windows\SysWOW64\EBRR.EXEC:\Windows\system32\EBRR.EXE -s4⤵PID:4860
-
-
C:\Windows\SysWOW64\mmtask.exeC:\Windows\system32\mmtask.exe -s4⤵PID:4076
-
-
C:\Windows\SVCHOST.EXEC:\Windows\SVCHOST.EXE -s4⤵PID:2524
-
-
C:\Windows\system\SVCHOST.EXEC:\Windows\system\SVCHOST.EXE -s4⤵PID:552
-
-
C:\Windows\SysWOW64\EBRR.EXEC:\Windows\system32\EBRR.EXE -s4⤵
- System Location Discovery: System Language Discovery
PID:1280
-
-
C:\Windows\SysWOW64\mmtask.exeC:\Windows\system32\mmtask.exe -s4⤵PID:2676
-
-
C:\Windows\SVCHOST.EXEC:\Windows\SVCHOST.EXE -s4⤵PID:4812
-
-
C:\Windows\system\SVCHOST.EXEC:\Windows\system\SVCHOST.EXE -s4⤵PID:2288
-
-
C:\Windows\SysWOW64\EBRR.EXEC:\Windows\system32\EBRR.EXE -s4⤵PID:4436
-
-
C:\Windows\SysWOW64\mmtask.exeC:\Windows\system32\mmtask.exe -s4⤵PID:2716
-
-
C:\Windows\SVCHOST.EXEC:\Windows\SVCHOST.EXE -s4⤵PID:1760
-
-
C:\Windows\system\SVCHOST.EXEC:\Windows\system\SVCHOST.EXE -s4⤵PID:2412
-
-
C:\Windows\SysWOW64\EBRR.EXEC:\Windows\system32\EBRR.EXE -s4⤵PID:5036
-
-
C:\Windows\SysWOW64\mmtask.exeC:\Windows\system32\mmtask.exe -s4⤵PID:4248
-
-
C:\Windows\SVCHOST.EXEC:\Windows\SVCHOST.EXE -s4⤵PID:2016
-
-
C:\Windows\system\SVCHOST.EXEC:\Windows\system\SVCHOST.EXE -s4⤵PID:2932
-
-
C:\Windows\SysWOW64\EBRR.EXEC:\Windows\system32\EBRR.EXE -s4⤵PID:612
-
-
C:\Windows\SysWOW64\mmtask.exeC:\Windows\system32\mmtask.exe -s4⤵PID:4912
-
-
C:\Windows\SVCHOST.EXEC:\Windows\SVCHOST.EXE -s4⤵PID:116
-
-
C:\Windows\system\SVCHOST.EXEC:\Windows\system\SVCHOST.EXE -s4⤵PID:2796
-
-
C:\Windows\SysWOW64\EBRR.EXEC:\Windows\system32\EBRR.EXE -s4⤵
- System Location Discovery: System Language Discovery
PID:652
-
-
C:\Windows\SysWOW64\mmtask.exeC:\Windows\system32\mmtask.exe -s4⤵PID:1164
-
-
C:\Windows\SVCHOST.EXEC:\Windows\SVCHOST.EXE -s4⤵PID:1644
-
-
C:\Windows\system\SVCHOST.EXEC:\Windows\system\SVCHOST.EXE -s4⤵PID:2132
-
-
C:\Windows\SysWOW64\EBRR.EXEC:\Windows\system32\EBRR.EXE -s4⤵PID:1552
-
-
C:\Windows\SysWOW64\mmtask.exeC:\Windows\system32\mmtask.exe -s4⤵PID:3468
-
-
C:\Windows\SVCHOST.EXEC:\Windows\SVCHOST.EXE -s4⤵PID:3112
-
-
C:\Windows\system\SVCHOST.EXEC:\Windows\system\SVCHOST.EXE -s4⤵PID:4124
-
-
C:\Windows\SysWOW64\EBRR.EXEC:\Windows\system32\EBRR.EXE -s4⤵PID:4860
-
-
C:\Windows\SysWOW64\mmtask.exeC:\Windows\system32\mmtask.exe -s4⤵PID:2524
-
-
C:\Windows\SVCHOST.EXEC:\Windows\SVCHOST.EXE -s4⤵PID:2836
-
-
C:\Windows\system\SVCHOST.EXEC:\Windows\system\SVCHOST.EXE -s4⤵PID:5076
-
-
C:\Windows\SysWOW64\EBRR.EXEC:\Windows\system32\EBRR.EXE -s4⤵PID:3512
-
-
C:\Windows\SysWOW64\mmtask.exeC:\Windows\system32\mmtask.exe -s4⤵PID:2432
-
-
C:\Windows\SVCHOST.EXEC:\Windows\SVCHOST.EXE -s4⤵PID:3164
-
-
C:\Windows\system\SVCHOST.EXEC:\Windows\system\SVCHOST.EXE -s4⤵PID:3076
-
-
C:\Windows\SysWOW64\EBRR.EXEC:\Windows\system32\EBRR.EXE -s4⤵PID:5096
-
-
C:\Windows\SysWOW64\mmtask.exeC:\Windows\system32\mmtask.exe -s4⤵PID:5040
-
-
C:\Windows\SVCHOST.EXEC:\Windows\SVCHOST.EXE -s4⤵
- System Location Discovery: System Language Discovery
PID:3832
-
-
C:\Windows\system\SVCHOST.EXEC:\Windows\system\SVCHOST.EXE -s4⤵PID:4508
-
-
C:\Windows\SysWOW64\EBRR.EXEC:\Windows\system32\EBRR.EXE -s4⤵PID:4608
-
-
C:\Windows\SysWOW64\mmtask.exeC:\Windows\system32\mmtask.exe -s4⤵PID:4568
-
-
C:\Windows\SVCHOST.EXEC:\Windows\SVCHOST.EXE -s4⤵PID:1908
-
-
C:\Windows\system\SVCHOST.EXEC:\Windows\system\SVCHOST.EXE -s4⤵PID:4440
-
-
C:\Windows\SysWOW64\EBRR.EXEC:\Windows\system32\EBRR.EXE -s4⤵PID:3128
-
-
C:\Windows\SysWOW64\mmtask.exeC:\Windows\system32\mmtask.exe -s4⤵PID:2652
-
-
C:\Windows\SVCHOST.EXEC:\Windows\SVCHOST.EXE -s4⤵PID:2904
-
-
C:\Windows\system\SVCHOST.EXEC:\Windows\system\SVCHOST.EXE -s4⤵PID:2960
-
-
C:\Windows\SysWOW64\EBRR.EXEC:\Windows\system32\EBRR.EXE -s4⤵
- System Location Discovery: System Language Discovery
PID:928
-
-
C:\Windows\SysWOW64\mmtask.exeC:\Windows\system32\mmtask.exe -s4⤵PID:400
-
-
C:\Windows\SVCHOST.EXEC:\Windows\SVCHOST.EXE -s4⤵PID:5052
-
-
C:\Windows\system\SVCHOST.EXEC:\Windows\system\SVCHOST.EXE -s4⤵
- System Location Discovery: System Language Discovery
PID:876
-
-
C:\Windows\SysWOW64\EBRR.EXEC:\Windows\system32\EBRR.EXE -s4⤵PID:4488
-
-
C:\Windows\SysWOW64\mmtask.exeC:\Windows\system32\mmtask.exe -s4⤵PID:1996
-
-
C:\Windows\SVCHOST.EXEC:\Windows\SVCHOST.EXE -s4⤵PID:1608
-
-
C:\Windows\system\SVCHOST.EXEC:\Windows\system\SVCHOST.EXE -s4⤵PID:1352
-
-
C:\Windows\SysWOW64\EBRR.EXEC:\Windows\system32\EBRR.EXE -s4⤵PID:4016
-
-
C:\Windows\SysWOW64\mmtask.exeC:\Windows\system32\mmtask.exe -s4⤵PID:4328
-
-
C:\Windows\SVCHOST.EXEC:\Windows\SVCHOST.EXE -s4⤵PID:3076
-
-
C:\Windows\system\SVCHOST.EXEC:\Windows\system\SVCHOST.EXE -s4⤵
- System Location Discovery: System Language Discovery
PID:5096
-
-
C:\Windows\SysWOW64\EBRR.EXEC:\Windows\system32\EBRR.EXE -s4⤵PID:2132
-
-
C:\Windows\SysWOW64\mmtask.exeC:\Windows\system32\mmtask.exe -s4⤵PID:2796
-
-
C:\Windows\SVCHOST.EXEC:\Windows\SVCHOST.EXE -s4⤵PID:5104
-
-
C:\Windows\system\SVCHOST.EXEC:\Windows\system\SVCHOST.EXE -s4⤵PID:4812
-
-
C:\Windows\SysWOW64\EBRR.EXEC:\Windows\system32\EBRR.EXE -s4⤵PID:1752
-
-
C:\Windows\SysWOW64\mmtask.exeC:\Windows\system32\mmtask.exe -s4⤵PID:4644
-
-
C:\Windows\SVCHOST.EXEC:\Windows\SVCHOST.EXE -s4⤵PID:3076
-
-
C:\Windows\system\SVCHOST.EXEC:\Windows\system\SVCHOST.EXE -s4⤵
- System Location Discovery: System Language Discovery
PID:1000
-
-
C:\Windows\SysWOW64\EBRR.EXEC:\Windows\system32\EBRR.EXE -s4⤵PID:4456
-
-
C:\Windows\SysWOW64\mmtask.exeC:\Windows\system32\mmtask.exe -s4⤵PID:2488
-
-
C:\Windows\SVCHOST.EXEC:\Windows\SVCHOST.EXE -s4⤵PID:5088
-
-
C:\Windows\system\SVCHOST.EXEC:\Windows\system\SVCHOST.EXE -s4⤵PID:1352
-
-
C:\Windows\SysWOW64\EBRR.EXEC:\Windows\system32\EBRR.EXE -s4⤵PID:1688
-
-
C:\Windows\SysWOW64\mmtask.exeC:\Windows\system32\mmtask.exe -s4⤵PID:1600
-
-
C:\Windows\SVCHOST.EXEC:\Windows\SVCHOST.EXE -s4⤵PID:1976
-
-
C:\Windows\system\SVCHOST.EXEC:\Windows\system\SVCHOST.EXE -s4⤵PID:1548
-
-
C:\Windows\SysWOW64\EBRR.EXEC:\Windows\system32\EBRR.EXE -s4⤵PID:4576
-
-
C:\Windows\SysWOW64\mmtask.exeC:\Windows\system32\mmtask.exe -s4⤵PID:2652
-
-
C:\Windows\SVCHOST.EXEC:\Windows\SVCHOST.EXE -s4⤵PID:4520
-
-
C:\Windows\system\SVCHOST.EXEC:\Windows\system\SVCHOST.EXE -s4⤵PID:4552
-
-
C:\Windows\SysWOW64\EBRR.EXEC:\Windows\system32\EBRR.EXE -s4⤵PID:1204
-
-
C:\Windows\SysWOW64\mmtask.exeC:\Windows\system32\mmtask.exe -s4⤵PID:3060
-
-
C:\Windows\SVCHOST.EXEC:\Windows\SVCHOST.EXE -s4⤵PID:4792
-
-
C:\Windows\system\SVCHOST.EXEC:\Windows\system\SVCHOST.EXE -s4⤵PID:4088
-
-
C:\Windows\SysWOW64\EBRR.EXEC:\Windows\system32\EBRR.EXE -s4⤵PID:4456
-
-
C:\Windows\SysWOW64\mmtask.exeC:\Windows\system32\mmtask.exe -s4⤵PID:3556
-
-
C:\Windows\SVCHOST.EXEC:\Windows\SVCHOST.EXE -s4⤵PID:632
-
-
C:\Windows\system\SVCHOST.EXEC:\Windows\system\SVCHOST.EXE -s4⤵PID:4640
-
-
C:\Windows\SysWOW64\EBRR.EXEC:\Windows\system32\EBRR.EXE -s4⤵PID:4812
-
-
C:\Windows\SysWOW64\mmtask.exeC:\Windows\system32\mmtask.exe -s4⤵PID:4880
-
-
C:\Windows\SVCHOST.EXEC:\Windows\SVCHOST.EXE -s4⤵PID:3464
-
-
C:\Windows\system\SVCHOST.EXEC:\Windows\system\SVCHOST.EXE -s4⤵PID:3468
-
-
C:\Windows\SysWOW64\EBRR.EXEC:\Windows\system32\EBRR.EXE -s4⤵PID:2176
-
-
C:\Windows\SysWOW64\mmtask.exeC:\Windows\system32\mmtask.exe -s4⤵PID:3748
-
-
C:\Windows\SVCHOST.EXEC:\Windows\SVCHOST.EXE -s4⤵PID:4664
-
-
C:\Windows\system\SVCHOST.EXEC:\Windows\system\SVCHOST.EXE -s4⤵PID:652
-
-
C:\Windows\SysWOW64\EBRR.EXEC:\Windows\system32\EBRR.EXE -s4⤵PID:4472
-
-
C:\Windows\SysWOW64\mmtask.exeC:\Windows\system32\mmtask.exe -s4⤵PID:4268
-
-
C:\Windows\SVCHOST.EXEC:\Windows\SVCHOST.EXE -s4⤵PID:1628
-
-
C:\Windows\system\SVCHOST.EXEC:\Windows\system\SVCHOST.EXE -s4⤵PID:3060
-
-
C:\Windows\SysWOW64\EBRR.EXEC:\Windows\system32\EBRR.EXE -s4⤵PID:1976
-
-
C:\Windows\SysWOW64\mmtask.exeC:\Windows\system32\mmtask.exe -s4⤵PID:3176
-
-
C:\Windows\SVCHOST.EXEC:\Windows\SVCHOST.EXE -s4⤵PID:2960
-
-
C:\Windows\system\SVCHOST.EXEC:\Windows\system\SVCHOST.EXE -s4⤵PID:2552
-
-
C:\Windows\SysWOW64\EBRR.EXEC:\Windows\system32\EBRR.EXE -s4⤵PID:764
-
-
C:\Windows\SysWOW64\mmtask.exeC:\Windows\system32\mmtask.exe -s4⤵PID:864
-
-
C:\Windows\SVCHOST.EXEC:\Windows\SVCHOST.EXE -s4⤵PID:2700
-
-
C:\Windows\system\SVCHOST.EXEC:\Windows\system\SVCHOST.EXE -s4⤵PID:3020
-
-
C:\Windows\SysWOW64\EBRR.EXEC:\Windows\system32\EBRR.EXE -s4⤵PID:552
-
-
C:\Windows\SysWOW64\mmtask.exeC:\Windows\system32\mmtask.exe -s4⤵PID:2520
-
-
C:\Windows\SVCHOST.EXEC:\Windows\SVCHOST.EXE -s4⤵PID:4724
-
-
C:\Windows\system\SVCHOST.EXEC:\Windows\system\SVCHOST.EXE -s4⤵PID:2652
-
-
C:\Windows\SysWOW64\EBRR.EXEC:\Windows\system32\EBRR.EXE -s4⤵PID:776
-
-
C:\Windows\SysWOW64\mmtask.exeC:\Windows\system32\mmtask.exe -s4⤵PID:4888
-
-
C:\Windows\SVCHOST.EXEC:\Windows\SVCHOST.EXE -s4⤵PID:3020
-
-
C:\Windows\system\SVCHOST.EXEC:\Windows\system\SVCHOST.EXE -s4⤵PID:1204
-
-
C:\Windows\SysWOW64\EBRR.EXEC:\Windows\system32\EBRR.EXE -s4⤵PID:1644
-
-
C:\Windows\SysWOW64\mmtask.exeC:\Windows\system32\mmtask.exe -s4⤵PID:1000
-
-
C:\Windows\SVCHOST.EXEC:\Windows\SVCHOST.EXE -s4⤵PID:3184
-
-
C:\Windows\system\SVCHOST.EXEC:\Windows\system\SVCHOST.EXE -s4⤵PID:4124
-
-
C:\Windows\SysWOW64\EBRR.EXEC:\Windows\system32\EBRR.EXE -s4⤵PID:3268
-
-
C:\Windows\SysWOW64\mmtask.exeC:\Windows\system32\mmtask.exe -s4⤵PID:988
-
-
C:\Windows\SVCHOST.EXEC:\Windows\SVCHOST.EXE -s4⤵PID:1552
-
-
C:\Windows\system\SVCHOST.EXEC:\Windows\system\SVCHOST.EXE -s4⤵PID:4284
-
-
C:\Windows\SysWOW64\EBRR.EXEC:\Windows\system32\EBRR.EXE -s4⤵PID:1148
-
-
C:\Windows\SysWOW64\mmtask.exeC:\Windows\system32\mmtask.exe -s4⤵PID:4456
-
-
C:\Windows\SVCHOST.EXEC:\Windows\SVCHOST.EXE -s4⤵PID:3280
-
-
C:\Windows\system\SVCHOST.EXEC:\Windows\system\SVCHOST.EXE -s4⤵PID:2408
-
-
C:\Windows\SysWOW64\EBRR.EXEC:\Windows\system32\EBRR.EXE -s4⤵PID:3000
-
-
C:\Windows\SysWOW64\mmtask.exeC:\Windows\system32\mmtask.exe -s4⤵PID:4624
-
-
C:\Windows\SVCHOST.EXEC:\Windows\SVCHOST.EXE -s4⤵PID:4844
-
-
C:\Windows\system\SVCHOST.EXEC:\Windows\system\SVCHOST.EXE -s4⤵PID:2872
-
-
C:\Windows\SysWOW64\EBRR.EXEC:\Windows\system32\EBRR.EXE -s4⤵PID:2200
-
-
C:\Windows\SysWOW64\mmtask.exeC:\Windows\system32\mmtask.exe -s4⤵PID:1368
-
-
C:\Windows\SVCHOST.EXEC:\Windows\SVCHOST.EXE -s4⤵PID:2296
-
-
C:\Windows\system\SVCHOST.EXEC:\Windows\system\SVCHOST.EXE -s4⤵PID:5076
-
-
C:\Windows\SysWOW64\EBRR.EXEC:\Windows\system32\EBRR.EXE -s4⤵PID:2860
-
-
C:\Windows\SysWOW64\mmtask.exeC:\Windows\system32\mmtask.exe -s4⤵PID:4864
-
-
C:\Windows\SVCHOST.EXEC:\Windows\SVCHOST.EXE -s4⤵PID:4820
-
-
C:\Windows\system\SVCHOST.EXEC:\Windows\system\SVCHOST.EXE -s4⤵PID:1996
-
-
C:\Windows\SysWOW64\EBRR.EXEC:\Windows\system32\EBRR.EXE -s4⤵PID:2872
-
-
C:\Windows\SysWOW64\mmtask.exeC:\Windows\system32\mmtask.exe -s4⤵PID:3636
-
-
C:\Windows\SVCHOST.EXEC:\Windows\SVCHOST.EXE -s4⤵PID:1652
-
-
C:\Windows\system\SVCHOST.EXEC:\Windows\system\SVCHOST.EXE -s4⤵PID:3620
-
-
C:\Windows\SysWOW64\EBRR.EXEC:\Windows\system32\EBRR.EXE -s4⤵PID:3168
-
-
C:\Windows\SysWOW64\mmtask.exeC:\Windows\system32\mmtask.exe -s4⤵PID:2132
-
-
C:\Windows\SVCHOST.EXEC:\Windows\SVCHOST.EXE -s4⤵PID:2408
-
-
C:\Windows\system\SVCHOST.EXEC:\Windows\system\SVCHOST.EXE -s4⤵PID:1224
-
-
C:\Windows\SysWOW64\EBRR.EXEC:\Windows\system32\EBRR.EXE -s4⤵PID:1996
-
-
C:\Windows\SysWOW64\mmtask.exeC:\Windows\system32\mmtask.exe -s4⤵PID:4356
-
-
C:\Windows\SVCHOST.EXEC:\Windows\SVCHOST.EXE -s4⤵PID:2524
-
-
C:\Windows\system\SVCHOST.EXEC:\Windows\system\SVCHOST.EXE -s4⤵PID:2156
-
-
C:\Windows\SysWOW64\EBRR.EXEC:\Windows\system32\EBRR.EXE -s4⤵PID:3704
-
-
C:\Windows\SysWOW64\mmtask.exeC:\Windows\system32\mmtask.exe -s4⤵PID:3896
-
-
C:\Windows\SVCHOST.EXEC:\Windows\SVCHOST.EXE -s4⤵PID:552
-
-
C:\Windows\system\SVCHOST.EXEC:\Windows\system\SVCHOST.EXE -s4⤵PID:732
-
-
C:\Windows\SysWOW64\EBRR.EXEC:\Windows\system32\EBRR.EXE -s4⤵PID:4084
-
-
C:\Windows\SysWOW64\mmtask.exeC:\Windows\system32\mmtask.exe -s4⤵PID:652
-
-
C:\Windows\SVCHOST.EXEC:\Windows\SVCHOST.EXE -s4⤵PID:4056
-
-
C:\Windows\system\SVCHOST.EXEC:\Windows\system\SVCHOST.EXE -s4⤵PID:4292
-
-
C:\Windows\SysWOW64\EBRR.EXEC:\Windows\system32\EBRR.EXE -s4⤵PID:1480
-
-
C:\Windows\SysWOW64\mmtask.exeC:\Windows\system32\mmtask.exe -s4⤵PID:3900
-
-
C:\Windows\SVCHOST.EXEC:\Windows\SVCHOST.EXE -s4⤵PID:4508
-
-
C:\Windows\system\SVCHOST.EXEC:\Windows\system\SVCHOST.EXE -s4⤵PID:4556
-
-
C:\Windows\SysWOW64\EBRR.EXEC:\Windows\system32\EBRR.EXE -s4⤵PID:5076
-
-
C:\Windows\SysWOW64\mmtask.exeC:\Windows\system32\mmtask.exe -s4⤵PID:4232
-
-
C:\Windows\SVCHOST.EXEC:\Windows\SVCHOST.EXE -s4⤵PID:1496
-
-
C:\Windows\system\SVCHOST.EXEC:\Windows\system\SVCHOST.EXE -s4⤵PID:392
-
-
C:\Windows\SysWOW64\EBRR.EXEC:\Windows\system32\EBRR.EXE -s4⤵PID:1112
-
-
C:\Windows\SysWOW64\mmtask.exeC:\Windows\system32\mmtask.exe -s4⤵PID:1932
-
-
-
C:\Windows\SysWOW64\EBRR.EXEC:\Windows\system32\EBRR.EXE -s3⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:764
-
-
C:\Windows\SysWOW64\mmtask.exeC:\Windows\system32\mmtask.exe -s3⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:5040
-
-
C:\Windows\SVCHOST.EXEC:\Windows\SVCHOST.EXE -s3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:3508
-
-
C:\Windows\system\SVCHOST.EXEC:\Windows\system\SVCHOST.EXE -s3⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:988
-
-
C:\Windows\SysWOW64\EBRR.EXEC:\Windows\system32\EBRR.EXE -s3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:4368
-
-
C:\Windows\SysWOW64\mmtask.exeC:\Windows\system32\mmtask.exe -s3⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:2240
-
-
C:\Windows\SVCHOST.EXEC:\Windows\SVCHOST.EXE -s3⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:1976
-
-
C:\Windows\system\SVCHOST.EXEC:\Windows\system\SVCHOST.EXE -s3⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:1712
-
-
C:\Windows\SysWOW64\EBRR.EXEC:\Windows\system32\EBRR.EXE -s3⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:676
-
-
C:\Windows\SysWOW64\mmtask.exeC:\Windows\system32\mmtask.exe -s3⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:4076
-
-
C:\Windows\SVCHOST.EXEC:\Windows\SVCHOST.EXE -s3⤵
- Executes dropped EXE
PID:4328
-
-
C:\Windows\system\SVCHOST.EXEC:\Windows\system\SVCHOST.EXE -s3⤵PID:552
-
-
C:\Windows\SysWOW64\EBRR.EXEC:\Windows\system32\EBRR.EXE -s3⤵PID:2564
-
-
C:\Windows\SysWOW64\mmtask.exeC:\Windows\system32\mmtask.exe -s3⤵PID:1504
-
-
C:\Windows\SVCHOST.EXEC:\Windows\SVCHOST.EXE -s3⤵PID:2676
-
-
C:\Windows\system\SVCHOST.EXEC:\Windows\system\SVCHOST.EXE -s3⤵PID:2124
-
-
C:\Windows\SysWOW64\EBRR.EXEC:\Windows\system32\EBRR.EXE -s3⤵PID:5088
-
-
C:\Windows\SysWOW64\mmtask.exeC:\Windows\system32\mmtask.exe -s3⤵
- System Location Discovery: System Language Discovery
PID:2524
-
-
C:\Windows\SVCHOST.EXEC:\Windows\SVCHOST.EXE -s3⤵PID:876
-
-
C:\Windows\system\SVCHOST.EXEC:\Windows\system\SVCHOST.EXE -s3⤵PID:4628
-
-
C:\Windows\SysWOW64\EBRR.EXEC:\Windows\system32\EBRR.EXE -s3⤵PID:2624
-
-
C:\Windows\SysWOW64\mmtask.exeC:\Windows\system32\mmtask.exe -s3⤵PID:732
-
-
C:\Windows\SVCHOST.EXEC:\Windows\SVCHOST.EXE -s3⤵PID:3232
-
-
C:\Windows\system\SVCHOST.EXEC:\Windows\system\SVCHOST.EXE -s3⤵PID:1908
-
-
C:\Windows\SysWOW64\EBRR.EXEC:\Windows\system32\EBRR.EXE -s3⤵
- System Location Discovery: System Language Discovery
PID:536
-
-
C:\Windows\SysWOW64\mmtask.exeC:\Windows\system32\mmtask.exe -s3⤵PID:4440
-
-
C:\Windows\SVCHOST.EXEC:\Windows\SVCHOST.EXE -s3⤵
- System Location Discovery: System Language Discovery
PID:2196
-
-
C:\Windows\system\SVCHOST.EXEC:\Windows\system\SVCHOST.EXE -s3⤵PID:1776
-
-
C:\Windows\SysWOW64\EBRR.EXEC:\Windows\system32\EBRR.EXE -s3⤵PID:4156
-
-
C:\Windows\SysWOW64\mmtask.exeC:\Windows\system32\mmtask.exe -s3⤵PID:2852
-
-
C:\Windows\SVCHOST.EXEC:\Windows\SVCHOST.EXE -s3⤵PID:4664
-
-
C:\Windows\system\SVCHOST.EXEC:\Windows\system\SVCHOST.EXE -s3⤵
- System Location Discovery: System Language Discovery
PID:2116
-
-
C:\Windows\SysWOW64\EBRR.EXEC:\Windows\system32\EBRR.EXE -s3⤵PID:3240
-
-
C:\Windows\SysWOW64\mmtask.exeC:\Windows\system32\mmtask.exe -s3⤵PID:4420
-
-
C:\Windows\SVCHOST.EXEC:\Windows\SVCHOST.EXE -s3⤵PID:4056
-
-
C:\Windows\system\SVCHOST.EXEC:\Windows\system\SVCHOST.EXE -s3⤵PID:1760
-
-
C:\Windows\SysWOW64\EBRR.EXEC:\Windows\system32\EBRR.EXE -s3⤵PID:4556
-
-
C:\Windows\SysWOW64\mmtask.exeC:\Windows\system32\mmtask.exe -s3⤵
- System Location Discovery: System Language Discovery
PID:3560
-
-
C:\Windows\SVCHOST.EXEC:\Windows\SVCHOST.EXE -s3⤵PID:4652
-
-
C:\Windows\system\SVCHOST.EXEC:\Windows\system\SVCHOST.EXE -s3⤵PID:4820
-
-
C:\Windows\SysWOW64\EBRR.EXEC:\Windows\system32\EBRR.EXE -s3⤵PID:436
-
-
C:\Windows\SysWOW64\mmtask.exeC:\Windows\system32\mmtask.exe -s3⤵PID:4628
-
-
C:\Windows\SVCHOST.EXEC:\Windows\SVCHOST.EXE -s3⤵PID:2492
-
-
C:\Windows\system\SVCHOST.EXEC:\Windows\system\SVCHOST.EXE -s3⤵PID:3444
-
-
C:\Windows\SysWOW64\EBRR.EXEC:\Windows\system32\EBRR.EXE -s3⤵PID:2684
-
-
C:\Windows\SysWOW64\mmtask.exeC:\Windows\system32\mmtask.exe -s3⤵PID:1644
-
-
C:\Windows\SVCHOST.EXEC:\Windows\SVCHOST.EXE -s3⤵PID:1100
-
-
C:\Windows\system\SVCHOST.EXEC:\Windows\system\SVCHOST.EXE -s3⤵PID:4880
-
-
C:\Windows\SysWOW64\EBRR.EXEC:\Windows\system32\EBRR.EXE -s3⤵
- System Location Discovery: System Language Discovery
PID:4948
-
-
C:\Windows\SysWOW64\mmtask.exeC:\Windows\system32\mmtask.exe -s3⤵PID:2716
-
-
C:\Windows\SVCHOST.EXEC:\Windows\SVCHOST.EXE -s3⤵PID:3928
-
-
C:\Windows\system\SVCHOST.EXEC:\Windows\system\SVCHOST.EXE -s3⤵PID:5116
-
-
C:\Windows\SysWOW64\EBRR.EXEC:\Windows\system32\EBRR.EXE -s3⤵PID:3636
-
-
C:\Windows\SysWOW64\mmtask.exeC:\Windows\system32\mmtask.exe -s3⤵PID:1776
-
-
C:\Windows\SVCHOST.EXEC:\Windows\SVCHOST.EXE -s3⤵PID:1752
-
-
C:\Windows\system\SVCHOST.EXEC:\Windows\system\SVCHOST.EXE -s3⤵PID:1680
-
-
C:\Windows\SysWOW64\EBRR.EXEC:\Windows\system32\EBRR.EXE -s3⤵
- System Location Discovery: System Language Discovery
PID:5008
-
-
C:\Windows\SysWOW64\mmtask.exeC:\Windows\system32\mmtask.exe -s3⤵PID:3088
-
-
C:\Windows\SVCHOST.EXEC:\Windows\SVCHOST.EXE -s3⤵PID:2732
-
-
C:\Windows\system\SVCHOST.EXEC:\Windows\system\SVCHOST.EXE -s3⤵
- System Location Discovery: System Language Discovery
PID:1612
-
-
C:\Windows\SysWOW64\EBRR.EXEC:\Windows\system32\EBRR.EXE -s3⤵PID:2872
-
-
C:\Windows\SysWOW64\mmtask.exeC:\Windows\system32\mmtask.exe -s3⤵PID:4076
-
-
C:\Windows\SVCHOST.EXEC:\Windows\SVCHOST.EXE -s3⤵PID:1680
-
-
C:\Windows\system\SVCHOST.EXEC:\Windows\system\SVCHOST.EXE -s3⤵PID:732
-
-
C:\Windows\SysWOW64\EBRR.EXEC:\Windows\system32\EBRR.EXE -s3⤵
- System Location Discovery: System Language Discovery
PID:2112
-
-
C:\Windows\SysWOW64\mmtask.exeC:\Windows\system32\mmtask.exe -s3⤵PID:4500
-
-
C:\Windows\SVCHOST.EXEC:\Windows\SVCHOST.EXE -s3⤵PID:2720
-
-
C:\Windows\system\SVCHOST.EXEC:\Windows\system\SVCHOST.EXE -s3⤵PID:1668
-
-
C:\Windows\SysWOW64\EBRR.EXEC:\Windows\system32\EBRR.EXE -s3⤵PID:2544
-
-
C:\Windows\SysWOW64\mmtask.exeC:\Windows\system32\mmtask.exe -s3⤵PID:2660
-
-
C:\Windows\SVCHOST.EXEC:\Windows\SVCHOST.EXE -s3⤵
- System Location Discovery: System Language Discovery
PID:3184
-
-
C:\Windows\system\SVCHOST.EXEC:\Windows\system\SVCHOST.EXE -s3⤵
- System Location Discovery: System Language Discovery
PID:4664
-
-
C:\Windows\SysWOW64\EBRR.EXEC:\Windows\system32\EBRR.EXE -s3⤵PID:3928
-
-
C:\Windows\SysWOW64\mmtask.exeC:\Windows\system32\mmtask.exe -s3⤵
- System Location Discovery: System Language Discovery
PID:2720
-
-
C:\Windows\SVCHOST.EXEC:\Windows\SVCHOST.EXE -s3⤵PID:412
-
-
C:\Windows\system\SVCHOST.EXEC:\Windows\system\SVCHOST.EXE -s3⤵PID:3984
-
-
C:\Windows\SysWOW64\EBRR.EXEC:\Windows\system32\EBRR.EXE -s3⤵PID:4088
-
-
C:\Windows\SysWOW64\mmtask.exeC:\Windows\system32\mmtask.exe -s3⤵PID:3168
-
-
C:\Windows\SVCHOST.EXEC:\Windows\SVCHOST.EXE -s3⤵PID:612
-
-
C:\Windows\system\SVCHOST.EXEC:\Windows\system\SVCHOST.EXE -s3⤵PID:5100
-
-
C:\Windows\SysWOW64\EBRR.EXEC:\Windows\system32\EBRR.EXE -s3⤵PID:3560
-
-
C:\Windows\SysWOW64\mmtask.exeC:\Windows\system32\mmtask.exe -s3⤵PID:4472
-
-
C:\Windows\SVCHOST.EXEC:\Windows\SVCHOST.EXE -s3⤵
- System Location Discovery: System Language Discovery
PID:2140
-
-
C:\Windows\system\SVCHOST.EXEC:\Windows\system\SVCHOST.EXE -s3⤵PID:1240
-
-
C:\Windows\SysWOW64\EBRR.EXEC:\Windows\system32\EBRR.EXE -s3⤵PID:1600
-
-
C:\Windows\SysWOW64\mmtask.exeC:\Windows\system32\mmtask.exe -s3⤵PID:5076
-
-
C:\Windows\SVCHOST.EXEC:\Windows\SVCHOST.EXE -s3⤵PID:4608
-
-
C:\Windows\system\SVCHOST.EXEC:\Windows\system\SVCHOST.EXE -s3⤵PID:4500
-
-
C:\Windows\SysWOW64\EBRR.EXEC:\Windows\system32\EBRR.EXE -s3⤵PID:2412
-
-
C:\Windows\SysWOW64\mmtask.exeC:\Windows\system32\mmtask.exe -s3⤵PID:1692
-
-
C:\Windows\SVCHOST.EXEC:\Windows\SVCHOST.EXE -s3⤵PID:2564
-
-
C:\Windows\system\SVCHOST.EXEC:\Windows\system\SVCHOST.EXE -s3⤵PID:2112
-
-
C:\Windows\SysWOW64\EBRR.EXEC:\Windows\system32\EBRR.EXE -s3⤵PID:1496
-
-
C:\Windows\SysWOW64\mmtask.exeC:\Windows\system32\mmtask.exe -s3⤵PID:1996
-
-
C:\Windows\SVCHOST.EXEC:\Windows\SVCHOST.EXE -s3⤵
- System Location Discovery: System Language Discovery
PID:3276
-
-
C:\Windows\system\SVCHOST.EXEC:\Windows\system\SVCHOST.EXE -s3⤵PID:4624
-
-
C:\Windows\SysWOW64\EBRR.EXEC:\Windows\system32\EBRR.EXE -s3⤵PID:2412
-
-
C:\Windows\SysWOW64\mmtask.exeC:\Windows\system32\mmtask.exe -s3⤵
- System Location Discovery: System Language Discovery
PID:2116
-
-
C:\Windows\SVCHOST.EXEC:\Windows\SVCHOST.EXE -s3⤵
- System Location Discovery: System Language Discovery
PID:808
-
-
C:\Windows\system\SVCHOST.EXEC:\Windows\system\SVCHOST.EXE -s3⤵PID:3748
-
-
C:\Windows\SysWOW64\EBRR.EXEC:\Windows\system32\EBRR.EXE -s3⤵PID:4064
-
-
C:\Windows\SysWOW64\mmtask.exeC:\Windows\system32\mmtask.exe -s3⤵PID:3556
-
-
C:\Windows\SVCHOST.EXEC:\Windows\SVCHOST.EXE -s3⤵PID:2016
-
-
C:\Windows\system\SVCHOST.EXEC:\Windows\system\SVCHOST.EXE -s3⤵PID:4500
-
-
C:\Windows\SysWOW64\EBRR.EXEC:\Windows\system32\EBRR.EXE -s3⤵PID:3900
-
-
C:\Windows\SysWOW64\mmtask.exeC:\Windows\system32\mmtask.exe -s3⤵PID:1908
-
-
C:\Windows\SVCHOST.EXEC:\Windows\SVCHOST.EXE -s3⤵PID:5092
-
-
C:\Windows\system\SVCHOST.EXEC:\Windows\system\SVCHOST.EXE -s3⤵PID:2136
-
-
C:\Windows\SysWOW64\EBRR.EXEC:\Windows\system32\EBRR.EXE -s3⤵PID:4556
-
-
C:\Windows\SysWOW64\mmtask.exeC:\Windows\system32\mmtask.exe -s3⤵PID:1912
-
-
C:\Windows\SVCHOST.EXEC:\Windows\SVCHOST.EXE -s3⤵PID:228
-
-
C:\Windows\system\SVCHOST.EXEC:\Windows\system\SVCHOST.EXE -s3⤵PID:4640
-
-
C:\Windows\SysWOW64\EBRR.EXEC:\Windows\system32\EBRR.EXE -s3⤵PID:4880
-
-
C:\Windows\SysWOW64\mmtask.exeC:\Windows\system32\mmtask.exe -s3⤵PID:3464
-
-
C:\Windows\SVCHOST.EXEC:\Windows\SVCHOST.EXE -s3⤵PID:612
-
-
C:\Windows\system\SVCHOST.EXEC:\Windows\system\SVCHOST.EXE -s3⤵PID:3552
-
-
C:\Windows\SysWOW64\EBRR.EXEC:\Windows\system32\EBRR.EXE -s3⤵PID:4716
-
-
C:\Windows\SysWOW64\mmtask.exeC:\Windows\system32\mmtask.exe -s3⤵PID:4664
-
-
C:\Windows\SVCHOST.EXEC:\Windows\SVCHOST.EXE -s3⤵PID:4724
-
-
C:\Windows\system\SVCHOST.EXEC:\Windows\system\SVCHOST.EXE -s3⤵PID:3276
-
-
C:\Windows\SysWOW64\EBRR.EXEC:\Windows\system32\EBRR.EXE -s3⤵PID:4568
-
-
C:\Windows\SysWOW64\mmtask.exeC:\Windows\system32\mmtask.exe -s3⤵PID:2284
-
-
C:\Windows\SVCHOST.EXEC:\Windows\SVCHOST.EXE -s3⤵PID:876
-
-
C:\Windows\system\SVCHOST.EXEC:\Windows\system\SVCHOST.EXE -s3⤵PID:3700
-
-
C:\Windows\SysWOW64\EBRR.EXEC:\Windows\system32\EBRR.EXE -s3⤵PID:3168
-
-
C:\Windows\SysWOW64\mmtask.exeC:\Windows\system32\mmtask.exe -s3⤵PID:4716
-
-
C:\Windows\SVCHOST.EXEC:\Windows\SVCHOST.EXE -s3⤵PID:1164
-
-
C:\Windows\system\SVCHOST.EXEC:\Windows\system\SVCHOST.EXE -s3⤵PID:3972
-
-
C:\Windows\SysWOW64\EBRR.EXEC:\Windows\system32\EBRR.EXE -s3⤵PID:436
-
-
C:\Windows\SysWOW64\mmtask.exeC:\Windows\system32\mmtask.exe -s3⤵PID:3348
-
-
C:\Windows\SVCHOST.EXEC:\Windows\SVCHOST.EXE -s3⤵PID:1808
-
-
C:\Windows\system\SVCHOST.EXEC:\Windows\system\SVCHOST.EXE -s3⤵PID:1368
-
-
C:\Windows\SysWOW64\EBRR.EXEC:\Windows\system32\EBRR.EXE -s3⤵PID:2684
-
-
C:\Windows\SysWOW64\mmtask.exeC:\Windows\system32\mmtask.exe -s3⤵PID:1380
-
-
C:\Windows\SVCHOST.EXEC:\Windows\SVCHOST.EXE -s3⤵PID:1484
-
-
C:\Windows\system\SVCHOST.EXEC:\Windows\system\SVCHOST.EXE -s3⤵PID:1580
-
-
C:\Windows\SysWOW64\EBRR.EXEC:\Windows\system32\EBRR.EXE -s3⤵PID:2128
-
-
C:\Windows\SysWOW64\mmtask.exeC:\Windows\system32\mmtask.exe -s3⤵PID:1100
-
-
C:\Windows\SVCHOST.EXEC:\Windows\SVCHOST.EXE -s3⤵PID:4552
-
-
C:\Windows\system\SVCHOST.EXEC:\Windows\system\SVCHOST.EXE -s3⤵PID:4408
-
-
C:\Windows\SysWOW64\EBRR.EXEC:\Windows\system32\EBRR.EXE -s3⤵PID:4912
-
-
C:\Windows\SysWOW64\mmtask.exeC:\Windows\system32\mmtask.exe -s3⤵PID:4080
-
-
C:\Windows\SVCHOST.EXEC:\Windows\SVCHOST.EXE -s3⤵PID:4020
-
-
C:\Windows\system\SVCHOST.EXEC:\Windows\system\SVCHOST.EXE -s3⤵PID:1976
-
-
C:\Windows\SysWOW64\EBRR.EXEC:\Windows\system32\EBRR.EXE -s3⤵PID:4568
-
-
C:\Windows\SysWOW64\mmtask.exeC:\Windows\system32\mmtask.exe -s3⤵PID:1928
-
-
C:\Windows\SVCHOST.EXEC:\Windows\SVCHOST.EXE -s3⤵PID:4284
-
-
C:\Windows\system\SVCHOST.EXEC:\Windows\system\SVCHOST.EXE -s3⤵PID:1712
-
-
C:\Windows\SysWOW64\EBRR.EXEC:\Windows\system32\EBRR.EXE -s3⤵PID:4832
-
-
C:\Windows\SysWOW64\mmtask.exeC:\Windows\system32\mmtask.exe -s3⤵PID:552
-
-
C:\Windows\SVCHOST.EXEC:\Windows\SVCHOST.EXE -s3⤵PID:3088
-
-
C:\Windows\system\SVCHOST.EXEC:\Windows\system\SVCHOST.EXE -s3⤵PID:2472
-
-
C:\Windows\SysWOW64\EBRR.EXEC:\Windows\system32\EBRR.EXE -s3⤵PID:4500
-
-
C:\Windows\SysWOW64\mmtask.exeC:\Windows\system32\mmtask.exe -s3⤵PID:4440
-
-
C:\Windows\SVCHOST.EXEC:\Windows\SVCHOST.EXE -s3⤵PID:1524
-
-
C:\Windows\system\SVCHOST.EXEC:\Windows\system\SVCHOST.EXE -s3⤵PID:864
-
-
C:\Windows\SysWOW64\EBRR.EXEC:\Windows\system32\EBRR.EXE -s3⤵PID:4508
-
-
C:\Windows\SysWOW64\mmtask.exeC:\Windows\system32\mmtask.exe -s3⤵PID:2208
-
-
C:\Windows\SVCHOST.EXEC:\Windows\SVCHOST.EXE -s3⤵PID:1988
-
-
C:\Windows\system\SVCHOST.EXEC:\Windows\system\SVCHOST.EXE -s3⤵PID:4864
-
-
C:\Windows\SysWOW64\EBRR.EXEC:\Windows\system32\EBRR.EXE -s3⤵PID:3588
-
-
C:\Windows\SysWOW64\mmtask.exeC:\Windows\system32\mmtask.exe -s3⤵PID:3592
-
-
C:\Windows\SVCHOST.EXEC:\Windows\SVCHOST.EXE -s3⤵PID:1612
-
-
C:\Windows\system\SVCHOST.EXEC:\Windows\system\SVCHOST.EXE -s3⤵PID:2676
-
-
C:\Windows\SysWOW64\EBRR.EXEC:\Windows\system32\EBRR.EXE -s3⤵PID:1712
-
-
C:\Windows\SysWOW64\mmtask.exeC:\Windows\system32\mmtask.exe -s3⤵PID:4436
-
-
C:\Windows\SVCHOST.EXEC:\Windows\SVCHOST.EXE -s3⤵PID:3576
-
-
C:\Windows\system\SVCHOST.EXEC:\Windows\system\SVCHOST.EXE -s3⤵PID:3464
-
-
C:\Windows\SysWOW64\EBRR.EXEC:\Windows\system32\EBRR.EXE -s3⤵PID:2488
-
-
C:\Windows\SysWOW64\mmtask.exeC:\Windows\system32\mmtask.exe -s3⤵PID:4016
-
-
C:\Windows\SVCHOST.EXEC:\Windows\SVCHOST.EXE -s3⤵PID:1352
-
-
C:\Windows\system\SVCHOST.EXEC:\Windows\system\SVCHOST.EXE -s3⤵PID:228
-
-
C:\Windows\SysWOW64\EBRR.EXEC:\Windows\system32\EBRR.EXE -s3⤵PID:1088
-
-
C:\Windows\SysWOW64\mmtask.exeC:\Windows\system32\mmtask.exe -s3⤵PID:1552
-
-
C:\Windows\SVCHOST.EXEC:\Windows\SVCHOST.EXE -s3⤵PID:3828
-
-
C:\Windows\system\SVCHOST.EXEC:\Windows\system\SVCHOST.EXE -s3⤵PID:4408
-
-
C:\Windows\SysWOW64\EBRR.EXEC:\Windows\system32\EBRR.EXE -s3⤵PID:456
-
-
C:\Windows\SysWOW64\mmtask.exeC:\Windows\system32\mmtask.exe -s3⤵PID:2184
-
-
C:\Windows\SVCHOST.EXEC:\Windows\SVCHOST.EXE -s3⤵PID:808
-
-
C:\Windows\system\SVCHOST.EXEC:\Windows\system\SVCHOST.EXE -s3⤵PID:1548
-
-
C:\Windows\SysWOW64\EBRR.EXEC:\Windows\system32\EBRR.EXE -s3⤵PID:1280
-
-
C:\Windows\SysWOW64\mmtask.exeC:\Windows\system32\mmtask.exe -s3⤵PID:1152
-
-
C:\Windows\SVCHOST.EXEC:\Windows\SVCHOST.EXE -s3⤵PID:4324
-
-
C:\Windows\system\SVCHOST.EXEC:\Windows\system\SVCHOST.EXE -s3⤵PID:2872
-
-
C:\Windows\SysWOW64\EBRR.EXEC:\Windows\system32\EBRR.EXE -s3⤵PID:4044
-
-
C:\Windows\SysWOW64\mmtask.exeC:\Windows\system32\mmtask.exe -s3⤵PID:724
-
-
C:\Windows\SVCHOST.EXEC:\Windows\SVCHOST.EXE -s3⤵PID:1368
-
-
C:\Windows\system\SVCHOST.EXEC:\Windows\system\SVCHOST.EXE -s3⤵PID:4832
-
-
C:\Windows\SysWOW64\EBRR.EXEC:\Windows\system32\EBRR.EXE -s3⤵PID:4020
-
-
C:\Windows\SysWOW64\mmtask.exeC:\Windows\system32\mmtask.exe -s3⤵PID:4624
-
-
C:\Windows\SVCHOST.EXEC:\Windows\SVCHOST.EXE -s3⤵PID:708
-
-
C:\Windows\system\SVCHOST.EXEC:\Windows\system\SVCHOST.EXE -s3⤵PID:4248
-
-
C:\Windows\SysWOW64\EBRR.EXEC:\Windows\system32\EBRR.EXE -s3⤵PID:1108
-
-
C:\Windows\SysWOW64\mmtask.exeC:\Windows\system32\mmtask.exe -s3⤵PID:4748
-
-
C:\Windows\SVCHOST.EXEC:\Windows\SVCHOST.EXE -s3⤵PID:1744
-
-
C:\Windows\system\SVCHOST.EXEC:\Windows\system\SVCHOST.EXE -s3⤵PID:2200
-
-
C:\Windows\SysWOW64\EBRR.EXEC:\Windows\system32\EBRR.EXE -s3⤵PID:2492
-
-
C:\Windows\SysWOW64\mmtask.exeC:\Windows\system32\mmtask.exe -s3⤵PID:4676
-
-
C:\Windows\SVCHOST.EXEC:\Windows\SVCHOST.EXE -s3⤵PID:116
-
-
C:\Windows\system\SVCHOST.EXEC:\Windows\system\SVCHOST.EXE -s3⤵PID:4520
-
-
C:\Windows\SysWOW64\EBRR.EXEC:\Windows\system32\EBRR.EXE -s3⤵PID:1820
-
-
C:\Windows\SysWOW64\mmtask.exeC:\Windows\system32\mmtask.exe -s3⤵PID:4292
-
-
-
C:\Windows\SysWOW64\mmtask.exeC:\Windows\system32\mmtask.exe -s2⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:4984
-
-
C:\Windows\SVCHOST.EXEC:\Windows\SVCHOST.EXE -s2⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:4520
-
-
C:\Windows\system\SVCHOST.EXEC:\Windows\system\SVCHOST.EXE -s2⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:536
-
-
C:\Windows\SysWOW64\EBRR.EXEC:\Windows\system32\EBRR.EXE -s2⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:1596
-
-
C:\Windows\SysWOW64\mmtask.exeC:\Windows\system32\mmtask.exe -s2⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:3444
-
-
C:\Windows\SVCHOST.EXEC:\Windows\SVCHOST.EXE -s2⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:2844
-
-
C:\Windows\system\SVCHOST.EXEC:\Windows\system\SVCHOST.EXE -s2⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:4712
-
-
C:\Windows\SysWOW64\EBRR.EXEC:\Windows\system32\EBRR.EXE -s2⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:2200
-
-
C:\Windows\SysWOW64\mmtask.exeC:\Windows\system32\mmtask.exe -s2⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:4740
-
-
C:\Windows\SVCHOST.EXEC:\Windows\SVCHOST.EXE -s2⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:1588
-
-
C:\Windows\system\SVCHOST.EXEC:\Windows\system\SVCHOST.EXE -s2⤵PID:4092
-
-
C:\Windows\SysWOW64\EBRR.EXEC:\Windows\system32\EBRR.EXE -s2⤵PID:4156
-
-
C:\Windows\SysWOW64\mmtask.exeC:\Windows\system32\mmtask.exe -s2⤵PID:4456
-
-
C:\Windows\SVCHOST.EXEC:\Windows\SVCHOST.EXE -s2⤵PID:1600
-
-
C:\Windows\system\SVCHOST.EXEC:\Windows\system\SVCHOST.EXE -s2⤵PID:2148
-
-
C:\Windows\SysWOW64\EBRR.EXEC:\Windows\system32\EBRR.EXE -s2⤵
- System Location Discovery: System Language Discovery
PID:3060
-
-
C:\Windows\SysWOW64\mmtask.exeC:\Windows\system32\mmtask.exe -s2⤵
- System Location Discovery: System Language Discovery
PID:1100
-
-
C:\Windows\SVCHOST.EXEC:\Windows\SVCHOST.EXE -s2⤵PID:652
-
-
C:\Windows\system\SVCHOST.EXEC:\Windows\system\SVCHOST.EXE -s2⤵
- System Location Discovery: System Language Discovery
PID:1204
-
-
C:\Windows\SysWOW64\EBRR.EXEC:\Windows\system32\EBRR.EXE -s2⤵PID:3468
-
-
C:\Windows\SysWOW64\mmtask.exeC:\Windows\system32\mmtask.exe -s2⤵PID:1956
-
-
C:\Windows\SVCHOST.EXEC:\Windows\SVCHOST.EXE -s2⤵PID:1600
-
-
C:\Windows\system\SVCHOST.EXEC:\Windows\system\SVCHOST.EXE -s2⤵PID:2544
-
-
C:\Windows\SysWOW64\EBRR.EXEC:\Windows\system32\EBRR.EXE -s2⤵PID:1108
-
-
C:\Windows\SysWOW64\mmtask.exeC:\Windows\system32\mmtask.exe -s2⤵PID:1376
-
-
C:\Windows\SVCHOST.EXEC:\Windows\SVCHOST.EXE -s2⤵PID:2040
-
-
C:\Windows\system\SVCHOST.EXEC:\Windows\system\SVCHOST.EXE -s2⤵
- System Location Discovery: System Language Discovery
PID:3024
-
-
C:\Windows\SysWOW64\EBRR.EXEC:\Windows\system32\EBRR.EXE -s2⤵PID:4616
-
-
C:\Windows\SysWOW64\mmtask.exeC:\Windows\system32\mmtask.exe -s2⤵PID:3468
-
-
C:\Windows\SVCHOST.EXEC:\Windows\SVCHOST.EXE -s2⤵PID:1712
-
-
C:\Windows\system\SVCHOST.EXEC:\Windows\system\SVCHOST.EXE -s2⤵PID:2412
-
-
C:\Windows\SysWOW64\EBRR.EXEC:\Windows\system32\EBRR.EXE -s2⤵
- System Location Discovery: System Language Discovery
PID:436
-
-
C:\Windows\SysWOW64\mmtask.exeC:\Windows\system32\mmtask.exe -s2⤵PID:748
-
-
C:\Windows\SVCHOST.EXEC:\Windows\SVCHOST.EXE -s2⤵PID:432
-
-
C:\Windows\system\SVCHOST.EXEC:\Windows\system\SVCHOST.EXE -s2⤵PID:2128
-
-
C:\Windows\SysWOW64\EBRR.EXEC:\Windows\system32\EBRR.EXE -s2⤵PID:4156
-
-
C:\Windows\SysWOW64\mmtask.exeC:\Windows\system32\mmtask.exe -s2⤵PID:2960
-
-
C:\Windows\SVCHOST.EXEC:\Windows\SVCHOST.EXE -s2⤵PID:844
-
-
C:\Windows\system\SVCHOST.EXEC:\Windows\system\SVCHOST.EXE -s2⤵PID:4248
-
-
C:\Windows\SysWOW64\EBRR.EXEC:\Windows\system32\EBRR.EXE -s2⤵PID:3984
-
-
C:\Windows\SysWOW64\mmtask.exeC:\Windows\system32\mmtask.exe -s2⤵PID:2196
-
-
C:\Windows\SVCHOST.EXEC:\Windows\SVCHOST.EXE -s2⤵PID:3132
-
-
C:\Windows\system\SVCHOST.EXEC:\Windows\system\SVCHOST.EXE -s2⤵
- System Location Discovery: System Language Discovery
PID:4044
-
-
C:\Windows\SysWOW64\EBRR.EXEC:\Windows\system32\EBRR.EXE -s2⤵PID:1484
-
-
C:\Windows\SysWOW64\mmtask.exeC:\Windows\system32\mmtask.exe -s2⤵PID:2432
-
-
C:\Windows\SVCHOST.EXEC:\Windows\SVCHOST.EXE -s2⤵PID:4232
-
-
C:\Windows\system\SVCHOST.EXEC:\Windows\system\SVCHOST.EXE -s2⤵PID:4812
-
-
C:\Windows\SysWOW64\EBRR.EXEC:\Windows\system32\EBRR.EXE -s2⤵PID:4276
-
-
C:\Windows\SysWOW64\mmtask.exeC:\Windows\system32\mmtask.exe -s2⤵PID:4616
-
-
C:\Windows\SVCHOST.EXEC:\Windows\SVCHOST.EXE -s2⤵PID:1224
-
-
C:\Windows\system\SVCHOST.EXEC:\Windows\system\SVCHOST.EXE -s2⤵PID:1612
-
-
C:\Windows\SysWOW64\EBRR.EXEC:\Windows\system32\EBRR.EXE -s2⤵PID:4816
-
-
C:\Windows\SysWOW64\mmtask.exeC:\Windows\system32\mmtask.exe -s2⤵
- System Location Discovery: System Language Discovery
PID:1240
-
-
C:\Windows\SVCHOST.EXEC:\Windows\SVCHOST.EXE -s2⤵PID:1100
-
-
C:\Windows\system\SVCHOST.EXEC:\Windows\system\SVCHOST.EXE -s2⤵PID:4872
-
-
C:\Windows\SysWOW64\EBRR.EXEC:\Windows\system32\EBRR.EXE -s2⤵PID:2624
-
-
C:\Windows\SysWOW64\mmtask.exeC:\Windows\system32\mmtask.exe -s2⤵PID:2716
-
-
C:\Windows\SVCHOST.EXEC:\Windows\SVCHOST.EXE -s2⤵PID:5088
-
-
C:\Windows\system\SVCHOST.EXEC:\Windows\system\SVCHOST.EXE -s2⤵
- System Location Discovery: System Language Discovery
PID:2700
-
-
C:\Windows\SysWOW64\EBRR.EXEC:\Windows\system32\EBRR.EXE -s2⤵
- System Location Discovery: System Language Discovery
PID:4812
-
-
C:\Windows\SysWOW64\mmtask.exeC:\Windows\system32\mmtask.exe -s2⤵PID:2908
-
-
C:\Windows\SVCHOST.EXEC:\Windows\SVCHOST.EXE -s2⤵PID:1928
-
-
C:\Windows\system\SVCHOST.EXEC:\Windows\system\SVCHOST.EXE -s2⤵PID:2492
-
-
C:\Windows\SysWOW64\EBRR.EXEC:\Windows\system32\EBRR.EXE -s2⤵
- System Location Discovery: System Language Discovery
PID:4912
-
-
C:\Windows\SysWOW64\mmtask.exeC:\Windows\system32\mmtask.exe -s2⤵PID:908
-
-
C:\Windows\SVCHOST.EXEC:\Windows\SVCHOST.EXE -s2⤵PID:400
-
-
C:\Windows\system\SVCHOST.EXEC:\Windows\system\SVCHOST.EXE -s2⤵PID:3112
-
-
C:\Windows\SysWOW64\EBRR.EXEC:\Windows\system32\EBRR.EXE -s2⤵PID:4088
-
-
C:\Windows\SysWOW64\mmtask.exeC:\Windows\system32\mmtask.exe -s2⤵PID:2524
-
-
C:\Windows\SVCHOST.EXEC:\Windows\SVCHOST.EXE -s2⤵PID:3956
-
-
C:\Windows\system\SVCHOST.EXEC:\Windows\system\SVCHOST.EXE -s2⤵PID:3936
-
-
C:\Windows\SysWOW64\EBRR.EXEC:\Windows\system32\EBRR.EXE -s2⤵PID:2212
-
-
C:\Windows\SysWOW64\mmtask.exeC:\Windows\system32\mmtask.exe -s2⤵PID:4472
-
-
C:\Windows\SVCHOST.EXEC:\Windows\SVCHOST.EXE -s2⤵PID:4736
-
-
C:\Windows\system\SVCHOST.EXEC:\Windows\system\SVCHOST.EXE -s2⤵PID:2732
-
-
C:\Windows\SysWOW64\EBRR.EXEC:\Windows\system32\EBRR.EXE -s2⤵
- System Location Discovery: System Language Discovery
PID:640
-
-
C:\Windows\SysWOW64\mmtask.exeC:\Windows\system32\mmtask.exe -s2⤵PID:3508
-
-
C:\Windows\SVCHOST.EXEC:\Windows\SVCHOST.EXE -s2⤵PID:864
-
-
C:\Windows\system\SVCHOST.EXEC:\Windows\system\SVCHOST.EXE -s2⤵PID:2796
-
-
C:\Windows\SysWOW64\EBRR.EXEC:\Windows\system32\EBRR.EXE -s2⤵PID:1204
-
-
C:\Windows\SysWOW64\mmtask.exeC:\Windows\system32\mmtask.exe -s2⤵
- System Location Discovery: System Language Discovery
PID:1952
-
-
C:\Windows\SVCHOST.EXEC:\Windows\SVCHOST.EXE -s2⤵PID:4436
-
-
C:\Windows\system\SVCHOST.EXEC:\Windows\system\SVCHOST.EXE -s2⤵PID:4748
-
-
C:\Windows\SysWOW64\EBRR.EXEC:\Windows\system32\EBRR.EXE -s2⤵PID:4064
-
-
C:\Windows\SysWOW64\mmtask.exeC:\Windows\system32\mmtask.exe -s2⤵PID:3936
-
-
C:\Windows\SVCHOST.EXEC:\Windows\SVCHOST.EXE -s2⤵PID:4244
-
-
C:\Windows\system\SVCHOST.EXEC:\Windows\system\SVCHOST.EXE -s2⤵PID:4816
-
-
C:\Windows\SysWOW64\EBRR.EXEC:\Windows\system32\EBRR.EXE -s2⤵PID:3348
-
-
C:\Windows\SysWOW64\mmtask.exeC:\Windows\system32\mmtask.exe -s2⤵PID:2200
-
-
C:\Windows\SVCHOST.EXEC:\Windows\SVCHOST.EXE -s2⤵PID:2544
-
-
C:\Windows\system\SVCHOST.EXEC:\Windows\system\SVCHOST.EXE -s2⤵PID:2136
-
-
C:\Windows\SysWOW64\EBRR.EXEC:\Windows\system32\EBRR.EXE -s2⤵PID:5100
-
-
C:\Windows\SysWOW64\mmtask.exeC:\Windows\system32\mmtask.exe -s2⤵PID:2128
-
-
C:\Windows\SVCHOST.EXEC:\Windows\SVCHOST.EXE -s2⤵PID:4272
-
-
C:\Windows\system\SVCHOST.EXEC:\Windows\system\SVCHOST.EXE -s2⤵PID:4880
-
-
C:\Windows\SysWOW64\EBRR.EXEC:\Windows\system32\EBRR.EXE -s2⤵PID:2932
-
-
C:\Windows\SysWOW64\mmtask.exeC:\Windows\system32\mmtask.exe -s2⤵PID:3240
-
-
C:\Windows\SVCHOST.EXEC:\Windows\SVCHOST.EXE -s2⤵PID:4484
-
-
C:\Windows\system\SVCHOST.EXEC:\Windows\system\SVCHOST.EXE -s2⤵PID:4848
-
-
C:\Windows\SysWOW64\EBRR.EXEC:\Windows\system32\EBRR.EXE -s2⤵PID:1776
-
-
C:\Windows\SysWOW64\mmtask.exeC:\Windows\system32\mmtask.exe -s2⤵PID:4184
-
-
C:\Windows\SVCHOST.EXEC:\Windows\SVCHOST.EXE -s2⤵PID:1112
-
-
C:\Windows\system\SVCHOST.EXEC:\Windows\system\SVCHOST.EXE -s2⤵PID:1608
-
-
C:\Windows\SysWOW64\EBRR.EXEC:\Windows\system32\EBRR.EXE -s2⤵PID:5080
-
-
C:\Windows\SysWOW64\mmtask.exeC:\Windows\system32\mmtask.exe -s2⤵PID:4832
-
-
C:\Windows\SVCHOST.EXEC:\Windows\SVCHOST.EXE -s2⤵PID:2564
-
-
C:\Windows\system\SVCHOST.EXEC:\Windows\system\SVCHOST.EXE -s2⤵PID:3168
-
-
C:\Windows\SysWOW64\EBRR.EXEC:\Windows\system32\EBRR.EXE -s2⤵PID:4064
-
-
C:\Windows\SysWOW64\mmtask.exeC:\Windows\system32\mmtask.exe -s2⤵PID:4932
-
-
C:\Windows\SVCHOST.EXEC:\Windows\SVCHOST.EXE -s2⤵PID:776
-
-
C:\Windows\system\SVCHOST.EXEC:\Windows\system\SVCHOST.EXE -s2⤵PID:4016
-
-
C:\Windows\SysWOW64\EBRR.EXEC:\Windows\system32\EBRR.EXE -s2⤵PID:3284
-
-
C:\Windows\SysWOW64\mmtask.exeC:\Windows\system32\mmtask.exe -s2⤵PID:8
-
-
C:\Windows\SVCHOST.EXEC:\Windows\SVCHOST.EXE -s2⤵PID:2296
-
-
C:\Windows\system\SVCHOST.EXEC:\Windows\system\SVCHOST.EXE -s2⤵PID:1976
-
-
C:\Windows\SysWOW64\EBRR.EXEC:\Windows\system32\EBRR.EXE -s2⤵PID:3088
-
-
C:\Windows\SysWOW64\mmtask.exeC:\Windows\system32\mmtask.exe -s2⤵PID:4184
-
-
C:\Windows\SVCHOST.EXEC:\Windows\SVCHOST.EXE -s2⤵PID:988
-
-
C:\Windows\system\SVCHOST.EXEC:\Windows\system\SVCHOST.EXE -s2⤵PID:3920
-
-
C:\Windows\SysWOW64\EBRR.EXEC:\Windows\system32\EBRR.EXE -s2⤵PID:1680
-
-
C:\Windows\SysWOW64\mmtask.exeC:\Windows\system32\mmtask.exe -s2⤵PID:1752
-
-
C:\Windows\SVCHOST.EXEC:\Windows\SVCHOST.EXE -s2⤵PID:612
-
-
C:\Windows\system\SVCHOST.EXEC:\Windows\system\SVCHOST.EXE -s2⤵PID:552
-
-
C:\Windows\SysWOW64\EBRR.EXEC:\Windows\system32\EBRR.EXE -s2⤵PID:2492
-
-
C:\Windows\SysWOW64\mmtask.exeC:\Windows\system32\mmtask.exe -s2⤵PID:4368
-
-
C:\Windows\SVCHOST.EXEC:\Windows\SVCHOST.EXE -s2⤵PID:2724
-
-
C:\Windows\system\SVCHOST.EXEC:\Windows\system\SVCHOST.EXE -s2⤵PID:4696
-
-
C:\Windows\SysWOW64\EBRR.EXEC:\Windows\system32\EBRR.EXE -s2⤵PID:4484
-
-
C:\Windows\SysWOW64\mmtask.exeC:\Windows\system32\mmtask.exe -s2⤵PID:2700
-
-
C:\Windows\SVCHOST.EXEC:\Windows\SVCHOST.EXE -s2⤵PID:2720
-
-
C:\Windows\system\SVCHOST.EXEC:\Windows\system\SVCHOST.EXE -s2⤵PID:1956
-
-
C:\Windows\SysWOW64\EBRR.EXEC:\Windows\system32\EBRR.EXE -s2⤵PID:116
-
-
C:\Windows\SysWOW64\mmtask.exeC:\Windows\system32\mmtask.exe -s2⤵PID:4868
-
-
C:\Windows\SVCHOST.EXEC:\Windows\SVCHOST.EXE -s2⤵PID:4560
-
-
C:\Windows\system\SVCHOST.EXEC:\Windows\system\SVCHOST.EXE -s2⤵PID:5104
-
-
C:\Windows\SysWOW64\EBRR.EXEC:\Windows\system32\EBRR.EXE -s2⤵PID:1696
-
-
C:\Windows\SysWOW64\mmtask.exeC:\Windows\system32\mmtask.exe -s2⤵PID:4472
-
-
C:\Windows\SVCHOST.EXEC:\Windows\SVCHOST.EXE -s2⤵PID:3508
-
-
C:\Windows\system\SVCHOST.EXEC:\Windows\system\SVCHOST.EXE -s2⤵PID:3444
-
-
C:\Windows\SysWOW64\EBRR.EXEC:\Windows\system32\EBRR.EXE -s2⤵PID:2624
-
-
C:\Windows\SysWOW64\mmtask.exeC:\Windows\system32\mmtask.exe -s2⤵PID:4088
-
-
C:\Windows\SVCHOST.EXEC:\Windows\SVCHOST.EXE -s2⤵PID:4092
-
-
C:\Windows\system\SVCHOST.EXEC:\Windows\system\SVCHOST.EXE -s2⤵PID:4628
-
-
C:\Windows\SysWOW64\EBRR.EXEC:\Windows\system32\EBRR.EXE -s2⤵PID:4844
-
-
C:\Windows\SysWOW64\mmtask.exeC:\Windows\system32\mmtask.exe -s2⤵PID:988
-
-
C:\Windows\SVCHOST.EXEC:\Windows\SVCHOST.EXE -s2⤵PID:5116
-
-
C:\Windows\system\SVCHOST.EXEC:\Windows\system\SVCHOST.EXE -s2⤵PID:2284
-
-
C:\Windows\SysWOW64\EBRR.EXEC:\Windows\system32\EBRR.EXE -s2⤵PID:1692
-
-
C:\Windows\SysWOW64\mmtask.exeC:\Windows\system32\mmtask.exe -s2⤵PID:1512
-
-
C:\Windows\SVCHOST.EXEC:\Windows\SVCHOST.EXE -s2⤵PID:5040
-
-
C:\Windows\system\SVCHOST.EXEC:\Windows\system\SVCHOST.EXE -s2⤵PID:1224
-
-
C:\Windows\SysWOW64\EBRR.EXEC:\Windows\system32\EBRR.EXE -s2⤵PID:2652
-
-
C:\Windows\SysWOW64\mmtask.exeC:\Windows\system32\mmtask.exe -s2⤵PID:1912
-
-
C:\Windows\SVCHOST.EXEC:\Windows\SVCHOST.EXE -s2⤵PID:4568
-
-
C:\Windows\system\SVCHOST.EXEC:\Windows\system\SVCHOST.EXE -s2⤵PID:2740
-
-
C:\Windows\SysWOW64\EBRR.EXEC:\Windows\system32\EBRR.EXE -s2⤵PID:408
-
-
C:\Windows\SysWOW64\mmtask.exeC:\Windows\system32\mmtask.exe -s2⤵PID:1204
-
-
C:\Windows\SVCHOST.EXEC:\Windows\SVCHOST.EXE -s2⤵PID:3700
-
-
C:\Windows\system\SVCHOST.EXEC:\Windows\system\SVCHOST.EXE -s2⤵PID:1976
-
-
C:\Windows\SysWOW64\EBRR.EXEC:\Windows\system32\EBRR.EXE -s2⤵PID:2340
-
-
C:\Windows\SysWOW64\mmtask.exeC:\Windows\system32\mmtask.exe -s2⤵PID:5036
-
-
C:\Windows\SVCHOST.EXEC:\Windows\SVCHOST.EXE -s2⤵PID:1376
-
-
C:\Windows\system\SVCHOST.EXEC:\Windows\system\SVCHOST.EXE -s2⤵PID:5008
-
-
C:\Windows\SysWOW64\EBRR.EXEC:\Windows\system32\EBRR.EXE -s2⤵PID:1552
-
-
C:\Windows\SysWOW64\mmtask.exeC:\Windows\system32\mmtask.exe -s2⤵PID:2976
-
-
C:\Windows\SVCHOST.EXEC:\Windows\SVCHOST.EXE -s2⤵PID:1744
-
-
C:\Windows\system\SVCHOST.EXEC:\Windows\system\SVCHOST.EXE -s2⤵PID:3240
-
-
C:\Windows\SysWOW64\EBRR.EXEC:\Windows\system32\EBRR.EXE -s2⤵PID:4116
-
-
C:\Windows\SysWOW64\mmtask.exeC:\Windows\system32\mmtask.exe -s2⤵PID:3000
-
-
C:\Windows\SVCHOST.EXEC:\Windows\SVCHOST.EXE -s2⤵PID:1100
-
-
C:\Windows\system\SVCHOST.EXEC:\Windows\system\SVCHOST.EXE -s2⤵PID:640
-
-
C:\Windows\SysWOW64\EBRR.EXEC:\Windows\system32\EBRR.EXE -s2⤵PID:3348
-
-
C:\Windows\SysWOW64\mmtask.exeC:\Windows\system32\mmtask.exe -s2⤵PID:4284
-
-
C:\Windows\SVCHOST.EXEC:\Windows\SVCHOST.EXE -s2⤵PID:4048
-
-
C:\Windows\system\SVCHOST.EXEC:\Windows\system\SVCHOST.EXE -s2⤵PID:4436
-
-
C:\Windows\SysWOW64\EBRR.EXEC:\Windows\system32\EBRR.EXE -s2⤵PID:5040
-
-
C:\Windows\SysWOW64\mmtask.exeC:\Windows\system32\mmtask.exe -s2⤵PID:4500
-
-
C:\Windows\SVCHOST.EXEC:\Windows\SVCHOST.EXE -s2⤵PID:3532
-
-
C:\Windows\system\SVCHOST.EXEC:\Windows\system\SVCHOST.EXE -s2⤵PID:1380
-
-
C:\Windows\SysWOW64\EBRR.EXEC:\Windows\system32\EBRR.EXE -s2⤵PID:4580
-
-
C:\Windows\SysWOW64\mmtask.exeC:\Windows\system32\mmtask.exe -s2⤵PID:3956
-
-
C:\Windows\SVCHOST.EXEC:\Windows\SVCHOST.EXE -s2⤵PID:3300
-
-
C:\Windows\system\SVCHOST.EXEC:\Windows\system\SVCHOST.EXE -s2⤵PID:3112
-
-
C:\Windows\SysWOW64\EBRR.EXEC:\Windows\system32\EBRR.EXE -s2⤵PID:1744
-
-
C:\Windows\SysWOW64\mmtask.exeC:\Windows\system32\mmtask.exe -s2⤵PID:1600
-
-
C:\Windows\SVCHOST.EXEC:\Windows\SVCHOST.EXE -s2⤵PID:2032
-
-
C:\Windows\system\SVCHOST.EXEC:\Windows\system\SVCHOST.EXE -s2⤵PID:3732
-
-
C:\Windows\SysWOW64\EBRR.EXEC:\Windows\system32\EBRR.EXE -s2⤵PID:3428
-
-
C:\Windows\SysWOW64\mmtask.exeC:\Windows\system32\mmtask.exe -s2⤵PID:3088
-
-
C:\Windows\SVCHOST.EXEC:\Windows\SVCHOST.EXE -s2⤵PID:4604
-
-
C:\Windows\system\SVCHOST.EXEC:\Windows\system\SVCHOST.EXE -s2⤵PID:4888
-
-
C:\Windows\SysWOW64\EBRR.EXEC:\Windows\system32\EBRR.EXE -s2⤵PID:1528
-
-
C:\Windows\SysWOW64\mmtask.exeC:\Windows\system32\mmtask.exe -s2⤵PID:408
-
-
C:\Windows\SVCHOST.EXEC:\Windows\SVCHOST.EXE -s2⤵PID:2476
-
-
C:\Windows\system\SVCHOST.EXEC:\Windows\system\SVCHOST.EXE -s2⤵PID:2720
-
-
C:\Windows\SysWOW64\EBRR.EXEC:\Windows\system32\EBRR.EXE -s2⤵PID:1600
-
-
C:\Windows\SysWOW64\mmtask.exeC:\Windows\system32\mmtask.exe -s2⤵PID:2184
-
-
C:\Windows\SVCHOST.EXEC:\Windows\SVCHOST.EXE -s2⤵PID:4664
-
-
C:\Windows\system\SVCHOST.EXEC:\Windows\system\SVCHOST.EXE -s2⤵PID:1952
-
-
C:\Windows\SysWOW64\EBRR.EXEC:\Windows\system32\EBRR.EXE -s2⤵PID:1476
-
-
C:\Windows\SysWOW64\mmtask.exeC:\Windows\system32\mmtask.exe -s2⤵PID:5080
-
-
C:\Windows\SVCHOST.EXEC:\Windows\SVCHOST.EXE -s2⤵PID:5116
-
-
C:\Windows\explorer.exeC:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding1⤵
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:3604
-
C:\Windows\System32\rundll32.exeC:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding1⤵PID:4272
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s UsoSvc1⤵PID:4740
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
1Winlogon Helper DLL
1Event Triggered Execution
1Change Default File Association
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
92KB
MD5dd97fb0c312cf11cfc5ac8d2ad1e912f
SHA1f3c5ec283314560af0e0f9b33dbc986410ad9a2f
SHA256cda0cabc5d9ca0392cceaee478276a9369987235531d1c481548ba1c2061ed32
SHA512f3b27cf84b74d54153c1b81b503a6fc50722412d849800e13ac16b8723aea0b4f8981a1bd19dd53a2af8884ae38a9b57f22737e46d6f55f56a8afa451b4073e0
-
Filesize
92KB
MD544658050d1e91f1ee5eec624440481b0
SHA1342b5ebebb6c89d9f882041272795fd7bad5bbf4
SHA256988b97c7bcf357fa8a88f9225df3422ee5b1c16ab16a886b7fad8f71bc6f8ee7
SHA51233f647764e8f8023361c14a9743e373012fd6354b3806e2ae55bee2a0b8174e7794699488a28893fd5a516c7774ced563de7b00fab37a34418f63847676c076f
-
Filesize
92KB
MD50d1040223a5ce6946177db23aeb1e523
SHA1e7b332f4308ad8b7c0e878625e70e5aec6547144
SHA25627611892aab036a474d0208361cd251d8c752db138e715f4bd72939d27bf045f
SHA512de95dd7754845e7a4f51f96a6b06d92a4004e5801145e1a5f8203a77c199ef785106e93275b74bf2fa3c99fe9daa273d4d9cba894654eb8d532f58166654c287
-
Filesize
92KB
MD511054e12a6031e9820c5b3a9dff78f58
SHA1d1c251095ab73ba5b17bee208b1d8f820ec14aaa
SHA256a20e3398103980e1dcbc11ff027d2ce5ed3a94da345091a1cdd45b18c60f6214
SHA512062119bc6a5b545940598361791d763ee2e5b474b6e1bc019ba6cb783841bbe018734b4c6c53686df5f54f42a1690d90e2b837fa41d174bdc69732af571d67ee