62b242a5ef86af246a4adf75e050dd46b984c64ff3e0ad7d9b609cb2bc325bfe

Analysis

max time kernel
120s
max time network
94s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
21-11-2024 09:14

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

62b242a5ef86af246a4adf75e050dd46b984c64ff3e0ad7d9b609cb2bc325bfe.exe
Size

92KB
MD5

4d0ff662db3c28bdefae42d1f46e28fe
SHA1

18a0c14eac56a83564f9a2ad0fe68e759f72ac7e
SHA256

62b242a5ef86af246a4adf75e050dd46b984c64ff3e0ad7d9b609cb2bc325bfe
SHA512

b91410d864c12d09b8680f1e352bfffb47489bfa92691ef35618e27f98e60b2f50692992dc640a69998b164626ed5c196afbcbde4390fb938a4406b4c7532126
SSDEEP

768:4zW4wnebSdDlmkok6lRGXu+jKZAOWjpiRHVAGr4PzpyRAJ7IwnDoSd5:41bC4Bk6lMTOWw4PkRAPoI

Score

10^/10

discovery persistence

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 10 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

Processes:

SVCHOST.EXE62b242a5ef86af246a4adf75e050dd46b984c64ff3e0ad7d9b609cb2bc325bfe.exeEBRR.EXEmmtask.exeSVCHOST.EXE

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"C:\\Windows\\SVCHOST.EXE\""	SVCHOST.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"C:\\Windows\\system\\SVCHOST.EXE\""	62b242a5ef86af246a4adf75e050dd46b984c64ff3e0ad7d9b609cb2bc325bfe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"C:\\Windows\\SVCHOST.EXE\""	EBRR.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"C:\\Windows\\system\\SVCHOST.EXE\""	mmtask.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"C:\\Windows\\SVCHOST.EXE\""	SVCHOST.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"C:\\Windows\\system\\SVCHOST.EXE\""	SVCHOST.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"C:\\Windows\\SVCHOST.EXE\""	62b242a5ef86af246a4adf75e050dd46b984c64ff3e0ad7d9b609cb2bc325bfe.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"C:\\Windows\\system\\SVCHOST.EXE\""	EBRR.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"C:\\Windows\\SVCHOST.EXE\""	mmtask.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"C:\\Windows\\system\\SVCHOST.EXE\""	SVCHOST.EXE

Executes dropped EXE 64 IoCs

Processes:

EBRR.EXEEBRR.EXEmmtask.exeEBRR.EXEmmtask.exeSVCHOST.EXEEBRR.EXEmmtask.exeSVCHOST.EXESVCHOST.EXEEBRR.EXEmmtask.exeSVCHOST.EXESVCHOST.EXESVCHOST.EXESVCHOST.EXEEBRR.EXEEBRR.EXESVCHOST.EXEmmtask.exemmtask.exeEBRR.EXEmmtask.exeEBRR.EXESVCHOST.EXESVCHOST.EXEmmtask.exeSVCHOST.EXESVCHOST.EXESVCHOST.EXEmmtask.exeSVCHOST.EXESVCHOST.EXESVCHOST.EXESVCHOST.EXESVCHOST.EXEEBRR.EXEEBRR.EXEEBRR.EXEEBRR.EXEmmtask.exemmtask.exeEBRR.EXEmmtask.exeSVCHOST.EXEmmtask.exeSVCHOST.EXEmmtask.exeSVCHOST.EXESVCHOST.EXESVCHOST.EXESVCHOST.EXESVCHOST.EXESVCHOST.EXESVCHOST.EXESVCHOST.EXEEBRR.EXEEBRR.EXEEBRR.EXEEBRR.EXEEBRR.EXEmmtask.exemmtask.exemmtask.exe

pid	process
4928	EBRR.EXE
4912	EBRR.EXE
3024	mmtask.exe
1436	EBRR.EXE
4116	mmtask.exe
1616	SVCHOST.EXE
3532	EBRR.EXE
3680	mmtask.exe
4124	SVCHOST.EXE
3812	SVCHOST.EXE
1816	EBRR.EXE
2720	mmtask.exe
4948	SVCHOST.EXE
2380	SVCHOST.EXE
3672	SVCHOST.EXE
1192	SVCHOST.EXE
2728	EBRR.EXE
3568	EBRR.EXE
1208	SVCHOST.EXE
4512	mmtask.exe
3552	mmtask.exe
3988	EBRR.EXE
4532	mmtask.exe
2204	EBRR.EXE
4736	SVCHOST.EXE
1344	SVCHOST.EXE
3116	mmtask.exe
1440	SVCHOST.EXE
4988	SVCHOST.EXE
1916	SVCHOST.EXE
5000	mmtask.exe
4168	SVCHOST.EXE
1836	SVCHOST.EXE
1980	SVCHOST.EXE
716	SVCHOST.EXE
3916	SVCHOST.EXE
540	EBRR.EXE
2972	EBRR.EXE
4644	EBRR.EXE
220	EBRR.EXE
3012	mmtask.exe
3144	mmtask.exe
3244	EBRR.EXE
4404	mmtask.exe
3624	SVCHOST.EXE
940	mmtask.exe
3064	SVCHOST.EXE
3036	mmtask.exe
2708	SVCHOST.EXE
3260	SVCHOST.EXE
3152	SVCHOST.EXE
3372	SVCHOST.EXE
4952	SVCHOST.EXE
3008	SVCHOST.EXE
3892	SVCHOST.EXE
2320	SVCHOST.EXE
5028	EBRR.EXE
2452	EBRR.EXE
4820	EBRR.EXE
4408	EBRR.EXE
4608	EBRR.EXE
944	mmtask.exe
5036	mmtask.exe
4236	mmtask.exe

Modifies system executable filetype association 2 TTPs 5 IoCs

persistence

Modify Registry

T1112

Change Default File Association

T1546.001

Processes:

SVCHOST.EXEmmtask.exeEBRR.EXE62b242a5ef86af246a4adf75e050dd46b984c64ff3e0ad7d9b609cb2bc325bfe.exeSVCHOST.EXE

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder"	SVCHOST.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder"	mmtask.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder"	EBRR.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder"	62b242a5ef86af246a4adf75e050dd46b984c64ff3e0ad7d9b609cb2bc325bfe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder"	SVCHOST.EXE

Drops file in System32 directory 20 IoCs

Processes:

62b242a5ef86af246a4adf75e050dd46b984c64ff3e0ad7d9b609cb2bc325bfe.exeEBRR.EXEmmtask.exeSVCHOST.EXESVCHOST.EXE

description	ioc	process
File created	C:\Windows\SysWOW64\EBRR.EXE	62b242a5ef86af246a4adf75e050dd46b984c64ff3e0ad7d9b609cb2bc325bfe.exe
File created	C:\Windows\SysWOW64\mmtask.exe	EBRR.EXE
File created	C:\Windows\SysWOW64\EBRR.EXE	mmtask.exe
File created	C:\Windows\SysWOW64\EBRR.EXE	SVCHOST.EXE
File created	C:\Windows\SysWOW64\EBRR.EXE	SVCHOST.EXE
File opened for modification	C:\Windows\SysWOW64\EBRR.EXE	62b242a5ef86af246a4adf75e050dd46b984c64ff3e0ad7d9b609cb2bc325bfe.exe
File opened for modification	C:\Windows\SysWOW64\mmtask.exe	EBRR.EXE
File opened for modification	C:\Windows\SysWOW64\mmtask.exe	mmtask.exe
File opened for modification	C:\Windows\SysWOW64\mmtask.exe	62b242a5ef86af246a4adf75e050dd46b984c64ff3e0ad7d9b609cb2bc325bfe.exe
File opened for modification	C:\Windows\SysWOW64\EBRR.EXE	EBRR.EXE
File opened for modification	C:\Windows\SysWOW64\mmtask.exe	SVCHOST.EXE
File created	C:\Windows\SysWOW64\EBRR.EXE	EBRR.EXE
File opened for modification	C:\Windows\SysWOW64\EBRR.EXE	mmtask.exe
File created	C:\Windows\SysWOW64\mmtask.exe	mmtask.exe
File opened for modification	C:\Windows\SysWOW64\EBRR.EXE	SVCHOST.EXE
File created	C:\Windows\SysWOW64\mmtask.exe	SVCHOST.EXE
File opened for modification	C:\Windows\SysWOW64\mmtask.exe	SVCHOST.EXE
File opened for modification	C:\Windows\SysWOW64\EBRR.EXE	SVCHOST.EXE
File created	C:\Windows\SysWOW64\mmtask.exe	SVCHOST.EXE
File created	C:\Windows\SysWOW64\mmtask.exe	62b242a5ef86af246a4adf75e050dd46b984c64ff3e0ad7d9b609cb2bc325bfe.exe

Drops file in Windows directory 20 IoCs

Processes:

62b242a5ef86af246a4adf75e050dd46b984c64ff3e0ad7d9b609cb2bc325bfe.exeSVCHOST.EXEmmtask.exeEBRR.EXESVCHOST.EXE

description	ioc	process
File created	C:\Windows\SVCHOST.EXE	62b242a5ef86af246a4adf75e050dd46b984c64ff3e0ad7d9b609cb2bc325bfe.exe
File opened for modification	C:\Windows\SVCHOST.EXE	62b242a5ef86af246a4adf75e050dd46b984c64ff3e0ad7d9b609cb2bc325bfe.exe
File opened for modification	C:\Windows\SVCHOST.EXE	SVCHOST.EXE
File opened for modification	C:\Windows\system\SVCHOST.EXE	SVCHOST.EXE
File created	C:\Windows\system\SVCHOST.EXE	mmtask.exe
File created	C:\Windows\SVCHOST.EXE	EBRR.EXE
File created	C:\Windows\system\SVCHOST.EXE	EBRR.EXE
File opened for modification	C:\Windows\system\SVCHOST.EXE	EBRR.EXE
File created	C:\Windows\SVCHOST.EXE	SVCHOST.EXE
File created	C:\Windows\SVCHOST.EXE	SVCHOST.EXE
File created	C:\Windows\system\SVCHOST.EXE	SVCHOST.EXE
File created	C:\Windows\system\SVCHOST.EXE	SVCHOST.EXE
File opened for modification	C:\Windows\SVCHOST.EXE	EBRR.EXE
File opened for modification	C:\Windows\system\SVCHOST.EXE	SVCHOST.EXE
File opened for modification	C:\Windows\system\SVCHOST.EXE	mmtask.exe
File created	C:\Windows\system\SVCHOST.EXE	62b242a5ef86af246a4adf75e050dd46b984c64ff3e0ad7d9b609cb2bc325bfe.exe
File opened for modification	C:\Windows\system\SVCHOST.EXE	62b242a5ef86af246a4adf75e050dd46b984c64ff3e0ad7d9b609cb2bc325bfe.exe
File created	C:\Windows\SVCHOST.EXE	mmtask.exe
File opened for modification	C:\Windows\SVCHOST.EXE	mmtask.exe
File opened for modification	C:\Windows\SVCHOST.EXE	SVCHOST.EXE

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

SVCHOST.EXESVCHOST.EXESVCHOST.EXESVCHOST.EXESVCHOST.EXESVCHOST.EXEmmtask.exeEBRR.EXEEBRR.EXESVCHOST.EXESVCHOST.EXEEBRR.EXEEBRR.EXESVCHOST.EXEmmtask.exeSVCHOST.EXESVCHOST.EXESVCHOST.EXEmmtask.exeSVCHOST.EXEEBRR.EXESVCHOST.EXEmmtask.exeSVCHOST.EXEmmtask.exeSVCHOST.EXEmmtask.exeSVCHOST.EXESVCHOST.EXESVCHOST.EXESVCHOST.EXEEBRR.EXEmmtask.exeSVCHOST.EXEmmtask.exeSVCHOST.EXESVCHOST.EXEEBRR.EXESVCHOST.EXESVCHOST.EXE62b242a5ef86af246a4adf75e050dd46b984c64ff3e0ad7d9b609cb2bc325bfe.exeSVCHOST.EXEmmtask.exeSVCHOST.EXEmmtask.exeSVCHOST.EXEEBRR.EXESVCHOST.EXEEBRR.EXESVCHOST.EXESVCHOST.EXESVCHOST.EXESVCHOST.EXESVCHOST.EXESVCHOST.EXEEBRR.EXEEBRR.EXEEBRR.EXESVCHOST.EXESVCHOST.EXEEBRR.EXEmmtask.exeEBRR.EXESVCHOST.EXE

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	SVCHOST.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	SVCHOST.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	SVCHOST.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	SVCHOST.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	SVCHOST.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	SVCHOST.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mmtask.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	EBRR.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	EBRR.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	SVCHOST.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	SVCHOST.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	EBRR.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	EBRR.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	SVCHOST.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mmtask.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	SVCHOST.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	SVCHOST.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	SVCHOST.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mmtask.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	SVCHOST.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	EBRR.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	SVCHOST.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mmtask.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	SVCHOST.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mmtask.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	SVCHOST.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mmtask.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	SVCHOST.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	SVCHOST.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	SVCHOST.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	SVCHOST.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	EBRR.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mmtask.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	SVCHOST.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mmtask.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	SVCHOST.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	SVCHOST.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	EBRR.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	SVCHOST.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	SVCHOST.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	62b242a5ef86af246a4adf75e050dd46b984c64ff3e0ad7d9b609cb2bc325bfe.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	SVCHOST.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mmtask.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	SVCHOST.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mmtask.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	SVCHOST.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	EBRR.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	SVCHOST.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	EBRR.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	SVCHOST.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	SVCHOST.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	SVCHOST.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	SVCHOST.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	SVCHOST.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	SVCHOST.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	EBRR.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	EBRR.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	EBRR.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	SVCHOST.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	SVCHOST.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	EBRR.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mmtask.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	EBRR.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	SVCHOST.EXE

Modifies Internet Explorer settings 1 TTPs 4 IoCs

adware spyware

Modify Registry

T1112

Processes:

explorer.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Software\Microsoft\Internet Explorer\Toolbar	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\Locked = "1"	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\ShellBrowser	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\ShellBrowser\ITBar7Layout = 13000000000000000000000020000000100000000000000001000000010700005e01000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	explorer.exe

Modifies registry class 44 IoCs

Processes:

explorer.exeSVCHOST.EXEmmtask.exeEBRR.EXE62b242a5ef86af246a4adf75e050dd46b984c64ff3e0ad7d9b609cb2bc325bfe.exeSVCHOST.EXE

description	ioc	process
Set value (data)	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\MRUListEx = 00000000ffffffff	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\0\0 = 50003100000000004759d84b10004c6f63616c003c0009000400efbe4759e5497559c9492e00000079e10100000001000000000000000000000000000000dd804b004c006f00630061006c00000014000000	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\0\0\0\0 = ca003100000000007559c94916003632423234327e310000b20009000400efbe7559c9497559c9492e000000b93c0200000008000000000000000000000000000000d6f6f9003600320062003200340032006100350065006600380036006100660032003400360061003400610064006600370035006500300035003000640064003400360062003900380034006300360034006600660033006500300061006400370064003900620036003000390063006200320062006300330032003500620066006500000018000000	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder"	SVCHOST.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder"	mmtask.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder"	EBRR.EXE
Key created	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0 = 19002f433a5c000000000000000000000000000000000000000000	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell	explorer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0 = 14001f50e04fd020ea3a6910a2d808002b30309d0000	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\MRUListEx = 00000000ffffffff	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\0 = 56003100000000004759e54912004170704461746100400009000400efbe4759e5497559c9492e00000066e101000000010000000000000000000000000000006d2c1e004100700070004400610074006100000016000000	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\0\0\MRUListEx = 00000000ffffffff	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\0\0\0\MRUListEx = 00000000ffffffff	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\SniffedFolderType = "Generic"	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 00000000ffffffff	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\0\MRUListEx = 00000000ffffffff	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\0\0\0\0\NodeSlot = "1"	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\MRUListEx = 00000000ffffffff	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0 = 78003100000000004759e5491100557365727300640009000400efbe874f77487559c9492e000000c70500000000010000000000000000003a000000000027162a0055007300650072007300000040007300680065006c006c00330032002e0064006c006c002c002d0032003100380031003300000014000000	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\0	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\0\0\0	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder"	62b242a5ef86af246a4adf75e050dd46b984c64ff3e0ad7d9b609cb2bc325bfe.exe
Key created	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\Local Settings	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\MRUListEx = 00000000ffffffff	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\0\0\0\0\MRUListEx = ffffffff	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0 = 500031000000000047596a4f100041646d696e003c0009000400efbe4759e5497559c9492e0000005be1010000000100000000000000000000000000000037ced400410064006d0069006e00000014000000	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\0\0	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\0\0\0 = 4e003100000000007559c949100054656d7000003a0009000400efbe4759e5497559c9492e0000007ae10100000001000000000000000000000000000000d6f6f900540065006d007000000014000000	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder"	SVCHOST.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\0\0\0\0	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\SniffedFolderType = "Documents"	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots	explorer.exe

Suspicious behavior: AddClipboardFormatListener 1 IoCs

Processes:

explorer.exe

pid process

856 explorer.exe

pid	process
856	explorer.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

62b242a5ef86af246a4adf75e050dd46b984c64ff3e0ad7d9b609cb2bc325bfe.exeEBRR.EXEmmtask.exeSVCHOST.EXESVCHOST.EXE

pid	process
2364	62b242a5ef86af246a4adf75e050dd46b984c64ff3e0ad7d9b609cb2bc325bfe.exe
2364	62b242a5ef86af246a4adf75e050dd46b984c64ff3e0ad7d9b609cb2bc325bfe.exe
2364	62b242a5ef86af246a4adf75e050dd46b984c64ff3e0ad7d9b609cb2bc325bfe.exe
2364	62b242a5ef86af246a4adf75e050dd46b984c64ff3e0ad7d9b609cb2bc325bfe.exe
2364	62b242a5ef86af246a4adf75e050dd46b984c64ff3e0ad7d9b609cb2bc325bfe.exe
2364	62b242a5ef86af246a4adf75e050dd46b984c64ff3e0ad7d9b609cb2bc325bfe.exe
2364	62b242a5ef86af246a4adf75e050dd46b984c64ff3e0ad7d9b609cb2bc325bfe.exe
2364	62b242a5ef86af246a4adf75e050dd46b984c64ff3e0ad7d9b609cb2bc325bfe.exe
2364	62b242a5ef86af246a4adf75e050dd46b984c64ff3e0ad7d9b609cb2bc325bfe.exe
2364	62b242a5ef86af246a4adf75e050dd46b984c64ff3e0ad7d9b609cb2bc325bfe.exe
2364	62b242a5ef86af246a4adf75e050dd46b984c64ff3e0ad7d9b609cb2bc325bfe.exe
2364	62b242a5ef86af246a4adf75e050dd46b984c64ff3e0ad7d9b609cb2bc325bfe.exe
4928	EBRR.EXE
4928	EBRR.EXE
4928	EBRR.EXE
4928	EBRR.EXE
4928	EBRR.EXE
4928	EBRR.EXE
4928	EBRR.EXE
4928	EBRR.EXE
4928	EBRR.EXE
4928	EBRR.EXE
4928	EBRR.EXE
4928	EBRR.EXE
3024	mmtask.exe
3024	mmtask.exe
3024	mmtask.exe
3024	mmtask.exe
3024	mmtask.exe
3024	mmtask.exe
3024	mmtask.exe
3024	mmtask.exe
3024	mmtask.exe
3024	mmtask.exe
3024	mmtask.exe
3024	mmtask.exe
1616	SVCHOST.EXE
1616	SVCHOST.EXE
1616	SVCHOST.EXE
1616	SVCHOST.EXE
1616	SVCHOST.EXE
1616	SVCHOST.EXE
1616	SVCHOST.EXE
1616	SVCHOST.EXE
1616	SVCHOST.EXE
1616	SVCHOST.EXE
1616	SVCHOST.EXE
1616	SVCHOST.EXE
3812	SVCHOST.EXE
3812	SVCHOST.EXE
3812	SVCHOST.EXE
3812	SVCHOST.EXE
3812	SVCHOST.EXE
3812	SVCHOST.EXE
3812	SVCHOST.EXE
3812	SVCHOST.EXE
3812	SVCHOST.EXE
3812	SVCHOST.EXE
3812	SVCHOST.EXE
3812	SVCHOST.EXE
3812	SVCHOST.EXE
3812	SVCHOST.EXE
3812	SVCHOST.EXE
3812	SVCHOST.EXE

Suspicious use of SetWindowsHookEx 64 IoCs

Processes:

62b242a5ef86af246a4adf75e050dd46b984c64ff3e0ad7d9b609cb2bc325bfe.exeEBRR.EXEEBRR.EXEmmtask.exeEBRR.EXEmmtask.exeexplorer.exeSVCHOST.EXEEBRR.EXEmmtask.exeSVCHOST.EXESVCHOST.EXEEBRR.EXEmmtask.exeSVCHOST.EXESVCHOST.EXESVCHOST.EXESVCHOST.EXESVCHOST.EXEEBRR.EXEEBRR.EXEmmtask.exemmtask.exeSVCHOST.EXEEBRR.EXEmmtask.exeSVCHOST.EXEEBRR.EXESVCHOST.EXESVCHOST.EXESVCHOST.EXEmmtask.exemmtask.exeSVCHOST.EXESVCHOST.EXESVCHOST.EXESVCHOST.EXESVCHOST.EXEEBRR.EXEEBRR.EXEEBRR.EXEEBRR.EXEmmtask.exemmtask.exemmtask.exeEBRR.EXESVCHOST.EXESVCHOST.EXESVCHOST.EXESVCHOST.EXESVCHOST.EXEmmtask.exemmtask.exeSVCHOST.EXESVCHOST.EXESVCHOST.EXESVCHOST.EXESVCHOST.EXEEBRR.EXEEBRR.EXEEBRR.EXEEBRR.EXEEBRR.EXE

pid	process
2364	62b242a5ef86af246a4adf75e050dd46b984c64ff3e0ad7d9b609cb2bc325bfe.exe
4928	EBRR.EXE
4912	EBRR.EXE
3024	mmtask.exe
1436	EBRR.EXE
4116	mmtask.exe
856	explorer.exe
856	explorer.exe
1616	SVCHOST.EXE
3532	EBRR.EXE
3680	mmtask.exe
4124	SVCHOST.EXE
3812	SVCHOST.EXE
1816	EBRR.EXE
2720	mmtask.exe
4948	SVCHOST.EXE
2380	SVCHOST.EXE
3672	SVCHOST.EXE
1192	SVCHOST.EXE
1208	SVCHOST.EXE
2728	EBRR.EXE
3568	EBRR.EXE
4512	mmtask.exe
3552	mmtask.exe
4736	SVCHOST.EXE
2204	EBRR.EXE
4532	mmtask.exe
1344	SVCHOST.EXE
3988	EBRR.EXE
1440	SVCHOST.EXE
4988	SVCHOST.EXE
1916	SVCHOST.EXE
5000	mmtask.exe
3116	mmtask.exe
4168	SVCHOST.EXE
1980	SVCHOST.EXE
1836	SVCHOST.EXE
716	SVCHOST.EXE
3916	SVCHOST.EXE
2972	EBRR.EXE
540	EBRR.EXE
4644	EBRR.EXE
220	EBRR.EXE
3144	mmtask.exe
4404	mmtask.exe
3012	mmtask.exe
3244	EBRR.EXE
3624	SVCHOST.EXE
3064	SVCHOST.EXE
2708	SVCHOST.EXE
3260	SVCHOST.EXE
3152	SVCHOST.EXE
3036	mmtask.exe
940	mmtask.exe
3372	SVCHOST.EXE
4952	SVCHOST.EXE
3008	SVCHOST.EXE
3892	SVCHOST.EXE
2320	SVCHOST.EXE
2452	EBRR.EXE
5028	EBRR.EXE
4408	EBRR.EXE
4608	EBRR.EXE
4820	EBRR.EXE

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

62b242a5ef86af246a4adf75e050dd46b984c64ff3e0ad7d9b609cb2bc325bfe.exeEBRR.EXEmmtask.exeSVCHOST.EXESVCHOST.EXE

description	pid	process	target process
PID 2364 wrote to memory of 2092	2364	62b242a5ef86af246a4adf75e050dd46b984c64ff3e0ad7d9b609cb2bc325bfe.exe	explorer.exe
PID 2364 wrote to memory of 2092	2364	62b242a5ef86af246a4adf75e050dd46b984c64ff3e0ad7d9b609cb2bc325bfe.exe	explorer.exe
PID 2364 wrote to memory of 2092	2364	62b242a5ef86af246a4adf75e050dd46b984c64ff3e0ad7d9b609cb2bc325bfe.exe	explorer.exe
PID 2364 wrote to memory of 4928	2364	62b242a5ef86af246a4adf75e050dd46b984c64ff3e0ad7d9b609cb2bc325bfe.exe	EBRR.EXE
PID 2364 wrote to memory of 4928	2364	62b242a5ef86af246a4adf75e050dd46b984c64ff3e0ad7d9b609cb2bc325bfe.exe	EBRR.EXE
PID 2364 wrote to memory of 4928	2364	62b242a5ef86af246a4adf75e050dd46b984c64ff3e0ad7d9b609cb2bc325bfe.exe	EBRR.EXE
PID 4928 wrote to memory of 4912	4928	EBRR.EXE	EBRR.EXE
PID 4928 wrote to memory of 4912	4928	EBRR.EXE	EBRR.EXE
PID 4928 wrote to memory of 4912	4928	EBRR.EXE	EBRR.EXE
PID 4928 wrote to memory of 3024	4928	EBRR.EXE	mmtask.exe
PID 4928 wrote to memory of 3024	4928	EBRR.EXE	mmtask.exe
PID 4928 wrote to memory of 3024	4928	EBRR.EXE	mmtask.exe
PID 3024 wrote to memory of 1436	3024	mmtask.exe	EBRR.EXE
PID 3024 wrote to memory of 1436	3024	mmtask.exe	EBRR.EXE
PID 3024 wrote to memory of 1436	3024	mmtask.exe	EBRR.EXE
PID 3024 wrote to memory of 4116	3024	mmtask.exe	mmtask.exe
PID 3024 wrote to memory of 4116	3024	mmtask.exe	mmtask.exe
PID 3024 wrote to memory of 4116	3024	mmtask.exe	mmtask.exe
PID 3024 wrote to memory of 1616	3024	mmtask.exe	SVCHOST.EXE
PID 3024 wrote to memory of 1616	3024	mmtask.exe	SVCHOST.EXE
PID 3024 wrote to memory of 1616	3024	mmtask.exe	SVCHOST.EXE
PID 1616 wrote to memory of 3532	1616	SVCHOST.EXE	EBRR.EXE
PID 1616 wrote to memory of 3532	1616	SVCHOST.EXE	EBRR.EXE
PID 1616 wrote to memory of 3532	1616	SVCHOST.EXE	EBRR.EXE
PID 1616 wrote to memory of 3680	1616	SVCHOST.EXE	mmtask.exe
PID 1616 wrote to memory of 3680	1616	SVCHOST.EXE	mmtask.exe
PID 1616 wrote to memory of 3680	1616	SVCHOST.EXE	mmtask.exe
PID 1616 wrote to memory of 4124	1616	SVCHOST.EXE	SVCHOST.EXE
PID 1616 wrote to memory of 4124	1616	SVCHOST.EXE	SVCHOST.EXE
PID 1616 wrote to memory of 4124	1616	SVCHOST.EXE	SVCHOST.EXE
PID 1616 wrote to memory of 3812	1616	SVCHOST.EXE	SVCHOST.EXE
PID 1616 wrote to memory of 3812	1616	SVCHOST.EXE	SVCHOST.EXE
PID 1616 wrote to memory of 3812	1616	SVCHOST.EXE	SVCHOST.EXE
PID 3812 wrote to memory of 1816	3812	SVCHOST.EXE	EBRR.EXE
PID 3812 wrote to memory of 1816	3812	SVCHOST.EXE	EBRR.EXE
PID 3812 wrote to memory of 1816	3812	SVCHOST.EXE	EBRR.EXE
PID 3812 wrote to memory of 2720	3812	SVCHOST.EXE	mmtask.exe
PID 3812 wrote to memory of 2720	3812	SVCHOST.EXE	mmtask.exe
PID 3812 wrote to memory of 2720	3812	SVCHOST.EXE	mmtask.exe
PID 3812 wrote to memory of 4948	3812	SVCHOST.EXE	SVCHOST.EXE
PID 3812 wrote to memory of 4948	3812	SVCHOST.EXE	SVCHOST.EXE
PID 3812 wrote to memory of 4948	3812	SVCHOST.EXE	SVCHOST.EXE
PID 3812 wrote to memory of 2380	3812	SVCHOST.EXE	SVCHOST.EXE
PID 3812 wrote to memory of 2380	3812	SVCHOST.EXE	SVCHOST.EXE
PID 3812 wrote to memory of 2380	3812	SVCHOST.EXE	SVCHOST.EXE
PID 3024 wrote to memory of 3672	3024	mmtask.exe	SVCHOST.EXE
PID 3024 wrote to memory of 3672	3024	mmtask.exe	SVCHOST.EXE
PID 3024 wrote to memory of 3672	3024	mmtask.exe	SVCHOST.EXE
PID 4928 wrote to memory of 1192	4928	EBRR.EXE	SVCHOST.EXE
PID 4928 wrote to memory of 1192	4928	EBRR.EXE	SVCHOST.EXE
PID 4928 wrote to memory of 1192	4928	EBRR.EXE	SVCHOST.EXE
PID 3812 wrote to memory of 2728	3812	SVCHOST.EXE	EBRR.EXE
PID 3812 wrote to memory of 2728	3812	SVCHOST.EXE	EBRR.EXE
PID 3812 wrote to memory of 2728	3812	SVCHOST.EXE	EBRR.EXE
PID 1616 wrote to memory of 3568	1616	SVCHOST.EXE	EBRR.EXE
PID 1616 wrote to memory of 3568	1616	SVCHOST.EXE	EBRR.EXE
PID 1616 wrote to memory of 3568	1616	SVCHOST.EXE	EBRR.EXE
PID 4928 wrote to memory of 1208	4928	EBRR.EXE	SVCHOST.EXE
PID 4928 wrote to memory of 1208	4928	EBRR.EXE	SVCHOST.EXE
PID 4928 wrote to memory of 1208	4928	EBRR.EXE	SVCHOST.EXE
PID 2364 wrote to memory of 3552	2364	62b242a5ef86af246a4adf75e050dd46b984c64ff3e0ad7d9b609cb2bc325bfe.exe	mmtask.exe
PID 2364 wrote to memory of 3552	2364	62b242a5ef86af246a4adf75e050dd46b984c64ff3e0ad7d9b609cb2bc325bfe.exe	mmtask.exe
PID 2364 wrote to memory of 3552	2364	62b242a5ef86af246a4adf75e050dd46b984c64ff3e0ad7d9b609cb2bc325bfe.exe	mmtask.exe
PID 3812 wrote to memory of 4512	3812	SVCHOST.EXE	mmtask.exe

C:\Users\Admin\AppData\Local\Temp\62b242a5ef86af246a4adf75e050dd46b984c64ff3e0ad7d9b609cb2bc325bfe.exe
"C:\Users\Admin\AppData\Local\Temp\62b242a5ef86af246a4adf75e050dd46b984c64ff3e0ad7d9b609cb2bc325bfe.exe"
1⤵
- Modifies WinLogon for persistence
- Modifies system executable filetype association
- Drops file in System32 directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2364
- C:\Windows\SysWOW64\explorer.exe
  explorer C:\Users\Admin\AppData\Local\Temp\62b242a5ef86af246a4adf75e050dd46b984c64ff3e0ad7d9b609cb2bc325bfe\
  2⤵
  PID:2092
- C:\Windows\SysWOW64\EBRR.EXE
  C:\Windows\system32\EBRR.EXE -s
  2⤵
  - Modifies WinLogon for persistence
  - Executes dropped EXE
  - Modifies system executable filetype association
  - Drops file in System32 directory
  - Drops file in Windows directory
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:4928
- - C:\Windows\SysWOW64\EBRR.EXE
    C:\Windows\system32\EBRR.EXE -s
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:4912
- - C:\Windows\SysWOW64\mmtask.exe
    C:\Windows\system32\mmtask.exe -s
    3⤵
    - Modifies WinLogon for persistence
    - Executes dropped EXE
    - Modifies system executable filetype association
    - Drops file in System32 directory
    - Drops file in Windows directory
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:3024
  - - C:\Windows\SysWOW64\EBRR.EXE
      C:\Windows\system32\EBRR.EXE -s
      4⤵
      Executes dropped EXE
      Suspicious use of SetWindowsHookEx
      PID:1436
  - - C:\Windows\SysWOW64\mmtask.exe
      C:\Windows\system32\mmtask.exe -s
      4⤵
      Executes dropped EXE
      Suspicious use of SetWindowsHookEx
      PID:4116
  - - C:\Windows\SVCHOST.EXE
      C:\Windows\SVCHOST.EXE -s
      4⤵
      Modifies WinLogon for persistence
      Executes dropped EXE
      Modifies system executable filetype association
      Drops file in System32 directory
      Drops file in Windows directory
      Modifies registry class
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:1616
    - - C:\Windows\SysWOW64\EBRR.EXE
        
        C:\Windows\system32\EBRR.EXE -s
        5⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:3532
    - - C:\Windows\SysWOW64\mmtask.exe
        
        C:\Windows\system32\mmtask.exe -s
        5⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:3680
    - - C:\Windows\SVCHOST.EXE
        
        C:\Windows\SVCHOST.EXE -s
        5⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:4124
    - - C:\Windows\system\SVCHOST.EXE
        
        C:\Windows\system\SVCHOST.EXE -s
        5⤵
        Modifies WinLogon for persistence
        Executes dropped EXE
        Modifies system executable filetype association
        Drops file in System32 directory
        Drops file in Windows directory
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:3812
      - C:\Windows\SysWOW64\EBRR.EXE
        
        C:\Windows\system32\EBRR.EXE -s
        6⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1816
      - C:\Windows\SysWOW64\mmtask.exe
        
        C:\Windows\system32\mmtask.exe -s
        6⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2720
      - C:\Windows\SVCHOST.EXE
        
        C:\Windows\SVCHOST.EXE -s
        6⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:4948
      - C:\Windows\system\SVCHOST.EXE
        
        C:\Windows\system\SVCHOST.EXE -s
        6⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2380
      - C:\Windows\SysWOW64\EBRR.EXE
        
        C:\Windows\system32\EBRR.EXE -s
        6⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2728
      - C:\Windows\SysWOW64\mmtask.exe
        
        C:\Windows\system32\mmtask.exe -s
        6⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:4512
      - C:\Windows\SVCHOST.EXE
        
        C:\Windows\SVCHOST.EXE -s
        6⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1344
      - C:\Windows\system\SVCHOST.EXE
        
        C:\Windows\system\SVCHOST.EXE -s
        6⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:4988
      - C:\Windows\SysWOW64\EBRR.EXE
        
        C:\Windows\system32\EBRR.EXE -s
        6⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:4644
      - C:\Windows\SysWOW64\mmtask.exe
        
        C:\Windows\system32\mmtask.exe -s
        6⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:4404
      - C:\Windows\SVCHOST.EXE
        
        C:\Windows\SVCHOST.EXE -s
        6⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:3624
      - C:\Windows\system\SVCHOST.EXE
        
        C:\Windows\system\SVCHOST.EXE -s
        6⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:3260
      - C:\Windows\SysWOW64\EBRR.EXE
        
        C:\Windows\system32\EBRR.EXE -s
        6⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:5028
      - C:\Windows\SysWOW64\mmtask.exe
        
        C:\Windows\system32\mmtask.exe -s
        6⤵
        Executes dropped EXE
        
        PID:5036
      - C:\Windows\SVCHOST.EXE
        
        C:\Windows\SVCHOST.EXE -s
        6⤵
        
        PID:4628
      - C:\Windows\system\SVCHOST.EXE
        
        C:\Windows\system\SVCHOST.EXE -s
        6⤵
        
        PID:516
      - C:\Windows\SysWOW64\EBRR.EXE
        
        C:\Windows\system32\EBRR.EXE -s
        6⤵
        
        PID:3032
      - C:\Windows\SysWOW64\mmtask.exe
        
        C:\Windows\system32\mmtask.exe -s
        6⤵
        
        PID:3340
      - C:\Windows\SVCHOST.EXE
        
        C:\Windows\SVCHOST.EXE -s
        6⤵
        
        PID:1196
      - C:\Windows\system\SVCHOST.EXE
        
        C:\Windows\system\SVCHOST.EXE -s
        6⤵
        
        PID:1224
      - C:\Windows\SysWOW64\EBRR.EXE
        
        C:\Windows\system32\EBRR.EXE -s
        6⤵
        
        PID:4116
      - C:\Windows\SysWOW64\mmtask.exe
        
        C:\Windows\system32\mmtask.exe -s
        6⤵
        
        PID:244
      - C:\Windows\SVCHOST.EXE
        
        C:\Windows\SVCHOST.EXE -s
        6⤵
        
        PID:3400
      - C:\Windows\system\SVCHOST.EXE
        
        C:\Windows\system\SVCHOST.EXE -s
        6⤵
        
        PID:792
      - C:\Windows\SysWOW64\EBRR.EXE
        
        C:\Windows\system32\EBRR.EXE -s
        6⤵
        
        PID:3952
      - C:\Windows\SysWOW64\mmtask.exe
        
        C:\Windows\system32\mmtask.exe -s
        6⤵
        
        PID:1344
      - C:\Windows\SVCHOST.EXE
        
        C:\Windows\SVCHOST.EXE -s
        6⤵
        
        PID:1916
      - C:\Windows\system\SVCHOST.EXE
        
        C:\Windows\system\SVCHOST.EXE -s
        6⤵
        
        PID:1808
      - C:\Windows\SysWOW64\EBRR.EXE
        
        C:\Windows\system32\EBRR.EXE -s
        6⤵
        
        PID:4656
      - C:\Windows\SysWOW64\mmtask.exe
        
        C:\Windows\system32\mmtask.exe -s
        6⤵
        
        PID:3028
      - C:\Windows\SVCHOST.EXE
        
        C:\Windows\SVCHOST.EXE -s
        6⤵
        
        PID:396
      - C:\Windows\system\SVCHOST.EXE
        
        C:\Windows\system\SVCHOST.EXE -s
        6⤵
        
        PID:2124
      - C:\Windows\SysWOW64\EBRR.EXE
        
        C:\Windows\system32\EBRR.EXE -s
        6⤵
        
        PID:3568
      - C:\Windows\SysWOW64\mmtask.exe
        
        C:\Windows\system32\mmtask.exe -s
        6⤵
        
        PID:3320
      - C:\Windows\SVCHOST.EXE
        
        C:\Windows\SVCHOST.EXE -s
        6⤵
        
        PID:3392
      - C:\Windows\system\SVCHOST.EXE
        
        C:\Windows\system\SVCHOST.EXE -s
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:3936
      - C:\Windows\SysWOW64\EBRR.EXE
        
        C:\Windows\system32\EBRR.EXE -s
        6⤵
        
        PID:2360
      - C:\Windows\SysWOW64\mmtask.exe
        
        C:\Windows\system32\mmtask.exe -s
        6⤵
        
        PID:232
      - C:\Windows\SVCHOST.EXE
        
        C:\Windows\SVCHOST.EXE -s
        6⤵
        
        PID:2008
      - C:\Windows\system\SVCHOST.EXE
        
        C:\Windows\system\SVCHOST.EXE -s
        6⤵
        
        PID:3112
      - C:\Windows\SysWOW64\EBRR.EXE
        
        C:\Windows\system32\EBRR.EXE -s
        6⤵
        
        PID:3388
      - C:\Windows\SysWOW64\mmtask.exe
        
        C:\Windows\system32\mmtask.exe -s
        6⤵
        
        PID:5028
      - C:\Windows\SVCHOST.EXE
        
        C:\Windows\SVCHOST.EXE -s
        6⤵
        
        PID:852
      - C:\Windows\system\SVCHOST.EXE
        
        C:\Windows\system\SVCHOST.EXE -s
        6⤵
        
        PID:3572
      - C:\Windows\SysWOW64\EBRR.EXE
        
        C:\Windows\system32\EBRR.EXE -s
        6⤵
        
        PID:4168
      - C:\Windows\SysWOW64\mmtask.exe
        
        C:\Windows\system32\mmtask.exe -s
        6⤵
        
        PID:1836
      - C:\Windows\SVCHOST.EXE
        
        C:\Windows\SVCHOST.EXE -s
        6⤵
        
        PID:1008
      - C:\Windows\system\SVCHOST.EXE
        
        C:\Windows\system\SVCHOST.EXE -s
        6⤵
        
        PID:1880
      - C:\Windows\SysWOW64\EBRR.EXE
        
        C:\Windows\system32\EBRR.EXE -s
        6⤵
        
        PID:940
      - C:\Windows\SysWOW64\mmtask.exe
        
        C:\Windows\system32\mmtask.exe -s
        6⤵
        
        PID:2288
      - C:\Windows\SVCHOST.EXE
        
        C:\Windows\SVCHOST.EXE -s
        6⤵
        
        PID:3932
      - C:\Windows\system\SVCHOST.EXE
        
        C:\Windows\system\SVCHOST.EXE -s
        6⤵
        
        PID:3568
      - C:\Windows\SysWOW64\EBRR.EXE
        
        C:\Windows\system32\EBRR.EXE -s
        6⤵
        
        PID:2724
      - C:\Windows\SysWOW64\mmtask.exe
        
        C:\Windows\system32\mmtask.exe -s
        6⤵
        
        PID:868
      - C:\Windows\SVCHOST.EXE
        
        C:\Windows\SVCHOST.EXE -s
        6⤵
        
        PID:4784
      - C:\Windows\system\SVCHOST.EXE
        
        C:\Windows\system\SVCHOST.EXE -s
        6⤵
        
        PID:1160
      - C:\Windows\SysWOW64\EBRR.EXE
        
        C:\Windows\system32\EBRR.EXE -s
        6⤵
        
        PID:4948
      - C:\Windows\SysWOW64\mmtask.exe
        
        C:\Windows\system32\mmtask.exe -s
        6⤵
        
        PID:3996
      - C:\Windows\SVCHOST.EXE
        
        C:\Windows\SVCHOST.EXE -s
        6⤵
        
        PID:3500
      - C:\Windows\system\SVCHOST.EXE
        
        C:\Windows\system\SVCHOST.EXE -s
        6⤵
        
        PID:5028
      - C:\Windows\SysWOW64\EBRR.EXE
        
        C:\Windows\system32\EBRR.EXE -s
        6⤵
        
        PID:3464
      - C:\Windows\SysWOW64\mmtask.exe
        
        C:\Windows\system32\mmtask.exe -s
        6⤵
        
        PID:1812
      - C:\Windows\SVCHOST.EXE
        
        C:\Windows\SVCHOST.EXE -s
        6⤵
        
        PID:1408
      - C:\Windows\system\SVCHOST.EXE
        
        C:\Windows\system\SVCHOST.EXE -s
        6⤵
        
        PID:3644
      - C:\Windows\SysWOW64\EBRR.EXE
        
        C:\Windows\system32\EBRR.EXE -s
        6⤵
        
        PID:556
      - C:\Windows\SysWOW64\mmtask.exe
        
        C:\Windows\system32\mmtask.exe -s
        6⤵
        
        PID:4308
      - C:\Windows\SVCHOST.EXE
        
        C:\Windows\SVCHOST.EXE -s
        6⤵
        
        PID:2320
      - C:\Windows\system\SVCHOST.EXE
        
        C:\Windows\system\SVCHOST.EXE -s
        6⤵
        
        PID:1292
      - C:\Windows\SysWOW64\EBRR.EXE
        
        C:\Windows\system32\EBRR.EXE -s
        6⤵
        
        PID:2128
      - C:\Windows\SysWOW64\mmtask.exe
        
        C:\Windows\system32\mmtask.exe -s
        6⤵
        
        PID:1520
      - C:\Windows\SVCHOST.EXE
        
        C:\Windows\SVCHOST.EXE -s
        6⤵
        
        PID:3568
      - C:\Windows\system\SVCHOST.EXE
        
        C:\Windows\system\SVCHOST.EXE -s
        6⤵
        
        PID:3464
      - C:\Windows\SysWOW64\EBRR.EXE
        
        C:\Windows\system32\EBRR.EXE -s
        6⤵
        
        PID:1776
      - C:\Windows\SysWOW64\mmtask.exe
        
        C:\Windows\system32\mmtask.exe -s
        6⤵
        
        PID:2972
      - C:\Windows\SVCHOST.EXE
        
        C:\Windows\SVCHOST.EXE -s
        6⤵
        
        PID:4404
      - C:\Windows\system\SVCHOST.EXE
        
        C:\Windows\system\SVCHOST.EXE -s
        6⤵
        
        PID:1240
      - C:\Windows\SysWOW64\EBRR.EXE
        
        C:\Windows\system32\EBRR.EXE -s
        6⤵
        
        PID:3244
      - C:\Windows\SysWOW64\mmtask.exe
        
        C:\Windows\system32\mmtask.exe -s
        6⤵
        
        PID:2324
      - C:\Windows\SVCHOST.EXE
        
        C:\Windows\SVCHOST.EXE -s
        6⤵
        
        PID:1504
      - C:\Windows\system\SVCHOST.EXE
        
        C:\Windows\system\SVCHOST.EXE -s
        6⤵
        
        PID:5108
      - C:\Windows\SysWOW64\EBRR.EXE
        
        C:\Windows\system32\EBRR.EXE -s
        6⤵
        
        PID:4964
      - C:\Windows\SysWOW64\mmtask.exe
        
        C:\Windows\system32\mmtask.exe -s
        6⤵
        
        PID:3696
      - C:\Windows\SVCHOST.EXE
        
        C:\Windows\SVCHOST.EXE -s
        6⤵
        
        PID:4784
      - C:\Windows\system\SVCHOST.EXE
        
        C:\Windows\system\SVCHOST.EXE -s
        6⤵
        
        PID:5004
      - C:\Windows\SysWOW64\EBRR.EXE
        
        C:\Windows\system32\EBRR.EXE -s
        6⤵
        
        PID:1240
      - C:\Windows\SysWOW64\mmtask.exe
        
        C:\Windows\system32\mmtask.exe -s
        6⤵
        
        PID:5044
      - C:\Windows\SVCHOST.EXE
        
        C:\Windows\SVCHOST.EXE -s
        6⤵
        
        PID:4776
      - C:\Windows\system\SVCHOST.EXE
        
        C:\Windows\system\SVCHOST.EXE -s
        6⤵
        
        PID:2236
      - C:\Windows\SysWOW64\EBRR.EXE
        
        C:\Windows\system32\EBRR.EXE -s
        6⤵
        
        PID:1192
      - C:\Windows\SysWOW64\mmtask.exe
        
        C:\Windows\system32\mmtask.exe -s
        6⤵
        
        PID:2496
      - C:\Windows\SVCHOST.EXE
        
        C:\Windows\SVCHOST.EXE -s
        6⤵
        
        PID:1812
      - C:\Windows\system\SVCHOST.EXE
        
        C:\Windows\system\SVCHOST.EXE -s
        6⤵
        
        PID:4528
      - C:\Windows\SysWOW64\EBRR.EXE
        
        C:\Windows\system32\EBRR.EXE -s
        6⤵
        
        PID:3088
      - C:\Windows\SysWOW64\mmtask.exe
        
        C:\Windows\system32\mmtask.exe -s
        6⤵
        
        PID:3892
      - C:\Windows\SVCHOST.EXE
        
        C:\Windows\SVCHOST.EXE -s
        6⤵
        
        PID:3500
      - C:\Windows\system\SVCHOST.EXE
        
        C:\Windows\system\SVCHOST.EXE -s
        6⤵
        
        PID:4384
      - C:\Windows\SysWOW64\EBRR.EXE
        
        C:\Windows\system32\EBRR.EXE -s
        6⤵
        
        PID:4680
      - C:\Windows\SysWOW64\mmtask.exe
        
        C:\Windows\system32\mmtask.exe -s
        6⤵
        
        PID:1592
      - C:\Windows\SVCHOST.EXE
        
        C:\Windows\SVCHOST.EXE -s
        6⤵
        
        PID:2144
      - C:\Windows\system\SVCHOST.EXE
        
        C:\Windows\system\SVCHOST.EXE -s
        6⤵
        
        PID:2744
      - C:\Windows\SysWOW64\EBRR.EXE
        
        C:\Windows\system32\EBRR.EXE -s
        6⤵
        
        PID:1780
      - C:\Windows\SysWOW64\mmtask.exe
        
        C:\Windows\system32\mmtask.exe -s
        6⤵
        
        PID:3340
      - C:\Windows\SVCHOST.EXE
        
        C:\Windows\SVCHOST.EXE -s
        6⤵
        
        PID:2708
      - C:\Windows\system\SVCHOST.EXE
        
        C:\Windows\system\SVCHOST.EXE -s
        6⤵
        
        PID:2776
      - C:\Windows\SysWOW64\EBRR.EXE
        
        C:\Windows\system32\EBRR.EXE -s
        6⤵
        
        PID:3672
      - C:\Windows\SysWOW64\mmtask.exe
        
        C:\Windows\system32\mmtask.exe -s
        6⤵
        
        PID:2724
      - C:\Windows\SVCHOST.EXE
        
        C:\Windows\SVCHOST.EXE -s
        6⤵
        
        PID:3540
      - C:\Windows\system\SVCHOST.EXE
        
        C:\Windows\system\SVCHOST.EXE -s
        6⤵
        
        PID:2368
      - C:\Windows\SysWOW64\EBRR.EXE
        
        C:\Windows\system32\EBRR.EXE -s
        6⤵
        
        PID:2412
      - C:\Windows\SysWOW64\mmtask.exe
        
        C:\Windows\system32\mmtask.exe -s
        6⤵
        
        PID:1580
      - C:\Windows\SVCHOST.EXE
        
        C:\Windows\SVCHOST.EXE -s
        6⤵
        
        PID:2320
      - C:\Windows\system\SVCHOST.EXE
        
        C:\Windows\system\SVCHOST.EXE -s
        6⤵
        
        PID:4528
      - C:\Windows\SysWOW64\EBRR.EXE
        
        C:\Windows\system32\EBRR.EXE -s
        6⤵
        
        PID:4752
      - C:\Windows\SysWOW64\mmtask.exe
        
        C:\Windows\system32\mmtask.exe -s
        6⤵
        
        PID:2516
      - C:\Windows\SVCHOST.EXE
        
        C:\Windows\SVCHOST.EXE -s
        6⤵
        
        PID:3552
      - C:\Windows\system\SVCHOST.EXE
        
        C:\Windows\system\SVCHOST.EXE -s
        6⤵
        
        PID:1016
      - C:\Windows\SysWOW64\EBRR.EXE
        
        C:\Windows\system32\EBRR.EXE -s
        6⤵
        
        PID:516
      - C:\Windows\SysWOW64\mmtask.exe
        
        C:\Windows\system32\mmtask.exe -s
        6⤵
        
        PID:3936
      - C:\Windows\SVCHOST.EXE
        
        C:\Windows\SVCHOST.EXE -s
        6⤵
        
        PID:4304
      - C:\Windows\system\SVCHOST.EXE
        
        C:\Windows\system\SVCHOST.EXE -s
        6⤵
        
        PID:3048
      - C:\Windows\SysWOW64\EBRR.EXE
        
        C:\Windows\system32\EBRR.EXE -s
        6⤵
        
        PID:2720
      - C:\Windows\SysWOW64\mmtask.exe
        
        C:\Windows\system32\mmtask.exe -s
        6⤵
        
        PID:3956
      - C:\Windows\SVCHOST.EXE
        
        C:\Windows\SVCHOST.EXE -s
        6⤵
        
        PID:4780
      - C:\Windows\system\SVCHOST.EXE
        
        C:\Windows\system\SVCHOST.EXE -s
        6⤵
        
        PID:5036
      - C:\Windows\SysWOW64\EBRR.EXE
        
        C:\Windows\system32\EBRR.EXE -s
        6⤵
        
        PID:2388
      - C:\Windows\SysWOW64\mmtask.exe
        
        C:\Windows\system32\mmtask.exe -s
        6⤵
        
        PID:1660
      - C:\Windows\SVCHOST.EXE
        
        C:\Windows\SVCHOST.EXE -s
        6⤵
        
        PID:1408
      - C:\Windows\system\SVCHOST.EXE
        
        C:\Windows\system\SVCHOST.EXE -s
        6⤵
        
        PID:4960
      - C:\Windows\SysWOW64\EBRR.EXE
        
        C:\Windows\system32\EBRR.EXE -s
        6⤵
        
        PID:1008
      - C:\Windows\SysWOW64\mmtask.exe
        
        C:\Windows\system32\mmtask.exe -s
        6⤵
        
        PID:624
      - C:\Windows\SVCHOST.EXE
        
        C:\Windows\SVCHOST.EXE -s
        6⤵
        
        PID:3400
      - C:\Windows\system\SVCHOST.EXE
        
        C:\Windows\system\SVCHOST.EXE -s
        6⤵
        
        PID:3256
      - C:\Windows\SysWOW64\EBRR.EXE
        
        C:\Windows\system32\EBRR.EXE -s
        6⤵
        
        PID:5036
      - C:\Windows\SysWOW64\mmtask.exe
        
        C:\Windows\system32\mmtask.exe -s
        6⤵
        
        PID:5040
      - C:\Windows\SVCHOST.EXE
        
        C:\Windows\SVCHOST.EXE -s
        6⤵
        
        PID:2288
      - C:\Windows\system\SVCHOST.EXE
        
        C:\Windows\system\SVCHOST.EXE -s
        6⤵
        
        PID:4912
      - C:\Windows\SysWOW64\EBRR.EXE
        
        C:\Windows\system32\EBRR.EXE -s
        6⤵
        
        PID:4756
      - C:\Windows\SysWOW64\mmtask.exe
        
        C:\Windows\system32\mmtask.exe -s
        6⤵
        
        PID:2316
      - C:\Windows\SVCHOST.EXE
        
        C:\Windows\SVCHOST.EXE -s
        6⤵
        
        PID:4972
      - C:\Windows\system\SVCHOST.EXE
        
        C:\Windows\system\SVCHOST.EXE -s
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:2580
      - C:\Windows\SysWOW64\EBRR.EXE
        
        C:\Windows\system32\EBRR.EXE -s
        6⤵
        
        PID:792
      - C:\Windows\SysWOW64\mmtask.exe
        
        C:\Windows\system32\mmtask.exe -s
        6⤵
        
        PID:3992
      - C:\Windows\SVCHOST.EXE
        
        C:\Windows\SVCHOST.EXE -s
        6⤵
        
        PID:1280
      - C:\Windows\system\SVCHOST.EXE
        
        C:\Windows\system\SVCHOST.EXE -s
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:3456
      - C:\Windows\SysWOW64\EBRR.EXE
        
        C:\Windows\system32\EBRR.EXE -s
        6⤵
        
        PID:1484
      - C:\Windows\SysWOW64\mmtask.exe
        
        C:\Windows\system32\mmtask.exe -s
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:4244
      - C:\Windows\SVCHOST.EXE
        
        C:\Windows\SVCHOST.EXE -s
        6⤵
        
        PID:2992
      - C:\Windows\system\SVCHOST.EXE
        
        C:\Windows\system\SVCHOST.EXE -s
        6⤵
        
        PID:1196
      - C:\Windows\SysWOW64\EBRR.EXE
        
        C:\Windows\system32\EBRR.EXE -s
        6⤵
        
        PID:3508
      - C:\Windows\SysWOW64\mmtask.exe
        
        C:\Windows\system32\mmtask.exe -s
        6⤵
        
        PID:2720
      - C:\Windows\SVCHOST.EXE
        
        C:\Windows\SVCHOST.EXE -s
        6⤵
        
        PID:4360
      - C:\Windows\system\SVCHOST.EXE
        
        C:\Windows\system\SVCHOST.EXE -s
        6⤵
        
        PID:4236
      - C:\Windows\SysWOW64\EBRR.EXE
        
        C:\Windows\system32\EBRR.EXE -s
        6⤵
        
        PID:1148
      - C:\Windows\SysWOW64\mmtask.exe
        
        C:\Windows\system32\mmtask.exe -s
        6⤵
        
        PID:1248
      - C:\Windows\SVCHOST.EXE
        
        C:\Windows\SVCHOST.EXE -s
        6⤵
        
        PID:3144
      - C:\Windows\system\SVCHOST.EXE
        
        C:\Windows\system\SVCHOST.EXE -s
        6⤵
        
        PID:3120
      - C:\Windows\SysWOW64\EBRR.EXE
        
        C:\Windows\system32\EBRR.EXE -s
        6⤵
        
        PID:4892
      - C:\Windows\SysWOW64\mmtask.exe
        
        C:\Windows\system32\mmtask.exe -s
        6⤵
        
        PID:2708
      - C:\Windows\SVCHOST.EXE
        
        C:\Windows\SVCHOST.EXE -s
        6⤵
        
        PID:316
      - C:\Windows\system\SVCHOST.EXE
        
        C:\Windows\system\SVCHOST.EXE -s
        6⤵
        
        PID:3788
      - C:\Windows\SysWOW64\EBRR.EXE
        
        C:\Windows\system32\EBRR.EXE -s
        6⤵
        
        PID:3536
      - C:\Windows\SysWOW64\mmtask.exe
        
        C:\Windows\system32\mmtask.exe -s
        6⤵
        
        PID:4168
      - C:\Windows\SVCHOST.EXE
        
        C:\Windows\SVCHOST.EXE -s
        6⤵
        
        PID:3832
      - C:\Windows\system\SVCHOST.EXE
        
        C:\Windows\system\SVCHOST.EXE -s
        6⤵
        
        PID:3348
      - C:\Windows\SysWOW64\EBRR.EXE
        
        C:\Windows\system32\EBRR.EXE -s
        6⤵
        
        PID:2992
      - C:\Windows\SysWOW64\mmtask.exe
        
        C:\Windows\system32\mmtask.exe -s
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:1344
      - C:\Windows\SVCHOST.EXE
        
        C:\Windows\SVCHOST.EXE -s
        6⤵
        
        PID:3140
      - C:\Windows\system\SVCHOST.EXE
        
        C:\Windows\system\SVCHOST.EXE -s
        6⤵
        
        PID:2724
      - C:\Windows\SysWOW64\EBRR.EXE
        
        C:\Windows\system32\EBRR.EXE -s
        6⤵
        
        PID:3684
      - C:\Windows\SysWOW64\mmtask.exe
        
        C:\Windows\system32\mmtask.exe -s
        6⤵
        
        PID:3088
      - C:\Windows\SVCHOST.EXE
        
        C:\Windows\SVCHOST.EXE -s
        6⤵
        
        PID:3956
      - C:\Windows\system\SVCHOST.EXE
        
        C:\Windows\system\SVCHOST.EXE -s
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:4540
      - C:\Windows\SysWOW64\EBRR.EXE
        
        C:\Windows\system32\EBRR.EXE -s
        6⤵
        
        PID:3028
      - C:\Windows\SysWOW64\mmtask.exe
        
        C:\Windows\system32\mmtask.exe -s
        6⤵
        
        PID:4444
      - C:\Windows\SVCHOST.EXE
        
        C:\Windows\SVCHOST.EXE -s
        6⤵
        
        PID:4948
      - C:\Windows\system\SVCHOST.EXE
        
        C:\Windows\system\SVCHOST.EXE -s
        6⤵
        
        PID:1476
      - C:\Windows\SysWOW64\EBRR.EXE
        
        C:\Windows\system32\EBRR.EXE -s
        6⤵
        
        PID:4084
      - C:\Windows\SysWOW64\mmtask.exe
        
        C:\Windows\system32\mmtask.exe -s
        6⤵
        
        PID:2724
      - C:\Windows\SVCHOST.EXE
        
        C:\Windows\SVCHOST.EXE -s
        6⤵
        
        PID:5040
      - C:\Windows\system\SVCHOST.EXE
        
        C:\Windows\system\SVCHOST.EXE -s
        6⤵
        
        PID:3008
      - C:\Windows\SysWOW64\EBRR.EXE
        
        C:\Windows\system32\EBRR.EXE -s
        6⤵
        
        PID:1188
      - C:\Windows\SysWOW64\mmtask.exe
        
        C:\Windows\system32\mmtask.exe -s
        6⤵
        
        PID:392
      - C:\Windows\SVCHOST.EXE
        
        C:\Windows\SVCHOST.EXE -s
        6⤵
        
        PID:3928
      - C:\Windows\system\SVCHOST.EXE
        
        C:\Windows\system\SVCHOST.EXE -s
        6⤵
        
        PID:4304
      - C:\Windows\SysWOW64\EBRR.EXE
        
        C:\Windows\system32\EBRR.EXE -s
        6⤵
        
        PID:3120
      - C:\Windows\SysWOW64\mmtask.exe
        
        C:\Windows\system32\mmtask.exe -s
        6⤵
        
        PID:1044
      - C:\Windows\SVCHOST.EXE
        
        C:\Windows\SVCHOST.EXE -s
        6⤵
        
        PID:2352
      - C:\Windows\system\SVCHOST.EXE
        
        C:\Windows\system\SVCHOST.EXE -s
        6⤵
        
        PID:4576
      - C:\Windows\SysWOW64\EBRR.EXE
        
        C:\Windows\system32\EBRR.EXE -s
        6⤵
        
        PID:3932
      - C:\Windows\SysWOW64\mmtask.exe
        
        C:\Windows\system32\mmtask.exe -s
        6⤵
        
        PID:2988
      - C:\Windows\SVCHOST.EXE
        
        C:\Windows\SVCHOST.EXE -s
        6⤵
        
        PID:4004
      - C:\Windows\system\SVCHOST.EXE
        
        C:\Windows\system\SVCHOST.EXE -s
        6⤵
        
        PID:2552
      - C:\Windows\SysWOW64\EBRR.EXE
        
        C:\Windows\system32\EBRR.EXE -s
        6⤵
        
        PID:2584
      - C:\Windows\SysWOW64\mmtask.exe
        
        C:\Windows\system32\mmtask.exe -s
        6⤵
        
        PID:4336
      - C:\Windows\SVCHOST.EXE
        
        C:\Windows\SVCHOST.EXE -s
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:3576
      - C:\Windows\system\SVCHOST.EXE
        
        C:\Windows\system\SVCHOST.EXE -s
        6⤵
        
        PID:232
      - C:\Windows\SysWOW64\EBRR.EXE
        
        C:\Windows\system32\EBRR.EXE -s
        6⤵
        
        PID:4972
      - C:\Windows\SysWOW64\mmtask.exe
        
        C:\Windows\system32\mmtask.exe -s
        6⤵
        
        PID:1192
      - C:\Windows\SVCHOST.EXE
        
        C:\Windows\SVCHOST.EXE -s
        6⤵
        
        PID:3084
      - C:\Windows\system\SVCHOST.EXE
        
        C:\Windows\system\SVCHOST.EXE -s
        6⤵
        
        PID:3640
      - C:\Windows\SysWOW64\EBRR.EXE
        
        C:\Windows\system32\EBRR.EXE -s
        6⤵
        
        PID:1840
      - C:\Windows\SysWOW64\mmtask.exe
        
        C:\Windows\system32\mmtask.exe -s
        6⤵
        
        PID:2956
      - C:\Windows\SVCHOST.EXE
        
        C:\Windows\SVCHOST.EXE -s
        6⤵
        
        PID:1584
      - C:\Windows\system\SVCHOST.EXE
        
        C:\Windows\system\SVCHOST.EXE -s
        6⤵
        
        PID:2744
    - - C:\Windows\SysWOW64\EBRR.EXE
        
        C:\Windows\system32\EBRR.EXE -s
        5⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:3568
    - - C:\Windows\SysWOW64\mmtask.exe
        
        C:\Windows\system32\mmtask.exe -s
        5⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:4532
    - - C:\Windows\SVCHOST.EXE
        
        C:\Windows\SVCHOST.EXE -s
        5⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1916
    - - C:\Windows\system\SVCHOST.EXE
        
        C:\Windows\system\SVCHOST.EXE -s
        5⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:4168
    - - C:\Windows\SysWOW64\EBRR.EXE
        
        C:\Windows\system32\EBRR.EXE -s
        5⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2972
    - - C:\Windows\SysWOW64\mmtask.exe
        
        C:\Windows\system32\mmtask.exe -s
        5⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:3012
    - - C:\Windows\SVCHOST.EXE
        
        C:\Windows\SVCHOST.EXE -s
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2708
    - - C:\Windows\system\SVCHOST.EXE
        
        C:\Windows\system\SVCHOST.EXE -s
        5⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:3372
    - - C:\Windows\SysWOW64\EBRR.EXE
        
        C:\Windows\system32\EBRR.EXE -s
        5⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:4820
    - - C:\Windows\SysWOW64\mmtask.exe
        
        C:\Windows\system32\mmtask.exe -s
        5⤵
        
        PID:3872
    - - C:\Windows\SVCHOST.EXE
        
        C:\Windows\SVCHOST.EXE -s
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:4796
    - - C:\Windows\system\SVCHOST.EXE
        
        C:\Windows\system\SVCHOST.EXE -s
        5⤵
        
        PID:4448
    - - C:\Windows\SysWOW64\EBRR.EXE
        
        C:\Windows\system32\EBRR.EXE -s
        5⤵
        
        PID:3868
    - - C:\Windows\SysWOW64\mmtask.exe
        
        C:\Windows\system32\mmtask.exe -s
        5⤵
        
        PID:4740
    - - C:\Windows\SVCHOST.EXE
        
        C:\Windows\SVCHOST.EXE -s
        5⤵
        
        PID:4204
    - - C:\Windows\system\SVCHOST.EXE
        
        C:\Windows\system\SVCHOST.EXE -s
        5⤵
        
        PID:2984
    - - C:\Windows\SysWOW64\EBRR.EXE
        
        C:\Windows\system32\EBRR.EXE -s
        5⤵
        
        PID:4528
    - - C:\Windows\SysWOW64\mmtask.exe
        
        C:\Windows\system32\mmtask.exe -s
        5⤵
        
        PID:5008
    - - C:\Windows\SVCHOST.EXE
        
        C:\Windows\SVCHOST.EXE -s
        5⤵
        
        PID:868
    - - C:\Windows\system\SVCHOST.EXE
        
        C:\Windows\system\SVCHOST.EXE -s
        5⤵
        
        PID:2380
    - - C:\Windows\SysWOW64\EBRR.EXE
        
        C:\Windows\system32\EBRR.EXE -s
        5⤵
        
        PID:3956
    - - C:\Windows\SysWOW64\mmtask.exe
        
        C:\Windows\system32\mmtask.exe -s
        5⤵
        
        PID:2204
    - - C:\Windows\SVCHOST.EXE
        
        C:\Windows\SVCHOST.EXE -s
        5⤵
        
        PID:2148
    - - C:\Windows\system\SVCHOST.EXE
        
        C:\Windows\system\SVCHOST.EXE -s
        5⤵
        
        PID:3932
    - - C:\Windows\SysWOW64\EBRR.EXE
        
        C:\Windows\system32\EBRR.EXE -s
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:4496
    - - C:\Windows\SysWOW64\mmtask.exe
        
        C:\Windows\system32\mmtask.exe -s
        5⤵
        
        PID:220
    - - C:\Windows\SVCHOST.EXE
        
        C:\Windows\SVCHOST.EXE -s
        5⤵
        
        PID:3260
    - - C:\Windows\system\SVCHOST.EXE
        
        C:\Windows\system\SVCHOST.EXE -s
        5⤵
        
        PID:4152
    - - C:\Windows\SysWOW64\EBRR.EXE
        
        C:\Windows\system32\EBRR.EXE -s
        5⤵
        
        PID:1692
    - - C:\Windows\SysWOW64\mmtask.exe
        
        C:\Windows\system32\mmtask.exe -s
        5⤵
        
        PID:796
    - - C:\Windows\SVCHOST.EXE
        
        C:\Windows\SVCHOST.EXE -s
        5⤵
        
        PID:4236
    - - C:\Windows\system\SVCHOST.EXE
        
        C:\Windows\system\SVCHOST.EXE -s
        5⤵
        
        PID:1848
    - - C:\Windows\SysWOW64\EBRR.EXE
        
        C:\Windows\system32\EBRR.EXE -s
        5⤵
        
        PID:3364
    - - C:\Windows\SysWOW64\mmtask.exe
        
        C:\Windows\system32\mmtask.exe -s
        5⤵
        
        PID:4308
    - - C:\Windows\SVCHOST.EXE
        
        C:\Windows\SVCHOST.EXE -s
        5⤵
        
        PID:544
    - - C:\Windows\system\SVCHOST.EXE
        
        C:\Windows\system\SVCHOST.EXE -s
        5⤵
        
        PID:4848
    - - C:\Windows\SysWOW64\EBRR.EXE
        
        C:\Windows\system32\EBRR.EXE -s
        5⤵
        
        PID:4436
    - - C:\Windows\SysWOW64\mmtask.exe
        
        C:\Windows\system32\mmtask.exe -s
        5⤵
        
        PID:3256
    - - C:\Windows\SVCHOST.EXE
        
        C:\Windows\SVCHOST.EXE -s
        5⤵
        
        PID:4384
    - - C:\Windows\system\SVCHOST.EXE
        
        C:\Windows\system\SVCHOST.EXE -s
        5⤵
        
        PID:3644
    - - C:\Windows\SysWOW64\EBRR.EXE
        
        C:\Windows\system32\EBRR.EXE -s
        5⤵
        
        PID:3392
    - - C:\Windows\SysWOW64\mmtask.exe
        
        C:\Windows\system32\mmtask.exe -s
        5⤵
        
        PID:1808
    - - C:\Windows\SVCHOST.EXE
        
        C:\Windows\SVCHOST.EXE -s
        5⤵
        
        PID:3056
    - - C:\Windows\system\SVCHOST.EXE
        
        C:\Windows\system\SVCHOST.EXE -s
        5⤵
        
        PID:2992
    - - C:\Windows\SysWOW64\EBRR.EXE
        
        C:\Windows\system32\EBRR.EXE -s
        5⤵
        
        PID:3260
    - - C:\Windows\SysWOW64\mmtask.exe
        
        C:\Windows\system32\mmtask.exe -s
        5⤵
        
        PID:2720
    - - C:\Windows\SVCHOST.EXE
        
        C:\Windows\SVCHOST.EXE -s
        5⤵
        
        PID:1520
    - - C:\Windows\system\SVCHOST.EXE
        
        C:\Windows\system\SVCHOST.EXE -s
        5⤵
        
        PID:3256
    - - C:\Windows\SysWOW64\EBRR.EXE
        
        C:\Windows\system32\EBRR.EXE -s
        5⤵
        
        PID:2256
    - - C:\Windows\SysWOW64\mmtask.exe
        
        C:\Windows\system32\mmtask.exe -s
        5⤵
        
        PID:2744
    - - C:\Windows\SVCHOST.EXE
        
        C:\Windows\SVCHOST.EXE -s
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:5004
    - - C:\Windows\system\SVCHOST.EXE
        
        C:\Windows\system\SVCHOST.EXE -s
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:2500
    - - C:\Windows\SysWOW64\EBRR.EXE
        
        C:\Windows\system32\EBRR.EXE -s
        5⤵
        
        PID:232
    - - C:\Windows\SysWOW64\mmtask.exe
        
        C:\Windows\system32\mmtask.exe -s
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:2224
    - - C:\Windows\SVCHOST.EXE
        
        C:\Windows\SVCHOST.EXE -s
        5⤵
        
        PID:244
    - - C:\Windows\system\SVCHOST.EXE
        
        C:\Windows\system\SVCHOST.EXE -s
        5⤵
        
        PID:944
    - - C:\Windows\SysWOW64\EBRR.EXE
        
        C:\Windows\system32\EBRR.EXE -s
        5⤵
        
        PID:4780
    - - C:\Windows\SysWOW64\mmtask.exe
        
        C:\Windows\system32\mmtask.exe -s
        5⤵
        
        PID:4216
    - - C:\Windows\SVCHOST.EXE
        
        C:\Windows\SVCHOST.EXE -s
        5⤵
        
        PID:4244
    - - C:\Windows\system\SVCHOST.EXE
        
        C:\Windows\system\SVCHOST.EXE -s
        5⤵
        
        PID:5072
    - - C:\Windows\SysWOW64\EBRR.EXE
        
        C:\Windows\system32\EBRR.EXE -s
        5⤵
        
        PID:1392
    - - C:\Windows\SysWOW64\mmtask.exe
        
        C:\Windows\system32\mmtask.exe -s
        5⤵
        
        PID:3624
    - - C:\Windows\SVCHOST.EXE
        
        C:\Windows\SVCHOST.EXE -s
        5⤵
        
        PID:2088
    - - C:\Windows\system\SVCHOST.EXE
        
        C:\Windows\system\SVCHOST.EXE -s
        5⤵
        
        PID:3288
    - - C:\Windows\SysWOW64\EBRR.EXE
        
        C:\Windows\system32\EBRR.EXE -s
        5⤵
        
        PID:4436
    - - C:\Windows\SysWOW64\mmtask.exe
        
        C:\Windows\system32\mmtask.exe -s
        5⤵
        
        PID:4592
    - - C:\Windows\SVCHOST.EXE
        
        C:\Windows\SVCHOST.EXE -s
        5⤵
        
        PID:2084
    - - C:\Windows\system\SVCHOST.EXE
        
        C:\Windows\system\SVCHOST.EXE -s
        5⤵
        
        PID:3032
    - - C:\Windows\SysWOW64\EBRR.EXE
        
        C:\Windows\system32\EBRR.EXE -s
        5⤵
        
        PID:2976
    - - C:\Windows\SysWOW64\mmtask.exe
        
        C:\Windows\system32\mmtask.exe -s
        5⤵
        
        PID:5072
    - - C:\Windows\SVCHOST.EXE
        
        C:\Windows\SVCHOST.EXE -s
        5⤵
        
        PID:2604
    - - C:\Windows\system\SVCHOST.EXE
        
        C:\Windows\system\SVCHOST.EXE -s
        5⤵
        
        PID:2088
    - - C:\Windows\SysWOW64\EBRR.EXE
        
        C:\Windows\system32\EBRR.EXE -s
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:3716
    - - C:\Windows\SysWOW64\mmtask.exe
        
        C:\Windows\system32\mmtask.exe -s
        5⤵
        
        PID:4248
    - - C:\Windows\SVCHOST.EXE
        
        C:\Windows\SVCHOST.EXE -s
        5⤵
        
        PID:1384
    - - C:\Windows\system\SVCHOST.EXE
        
        C:\Windows\system\SVCHOST.EXE -s
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:744
    - - C:\Windows\SysWOW64\EBRR.EXE
        
        C:\Windows\system32\EBRR.EXE -s
        5⤵
        
        PID:2256
    - - C:\Windows\SysWOW64\mmtask.exe
        
        C:\Windows\system32\mmtask.exe -s
        5⤵
        
        PID:2844
    - - C:\Windows\SVCHOST.EXE
        
        C:\Windows\SVCHOST.EXE -s
        5⤵
        
        PID:4848
    - - C:\Windows\system\SVCHOST.EXE
        
        C:\Windows\system\SVCHOST.EXE -s
        5⤵
        
        PID:4576
    - - C:\Windows\SysWOW64\EBRR.EXE
        
        C:\Windows\system32\EBRR.EXE -s
        5⤵
        
        PID:4752
    - - C:\Windows\SysWOW64\mmtask.exe
        
        C:\Windows\system32\mmtask.exe -s
        5⤵
        
        PID:2128
    - - C:\Windows\SVCHOST.EXE
        
        C:\Windows\SVCHOST.EXE -s
        5⤵
        
        PID:2988
    - - C:\Windows\system\SVCHOST.EXE
        
        C:\Windows\system\SVCHOST.EXE -s
        5⤵
        
        PID:3952
    - - C:\Windows\SysWOW64\EBRR.EXE
        
        C:\Windows\system32\EBRR.EXE -s
        5⤵
        
        PID:2584
    - - C:\Windows\SysWOW64\mmtask.exe
        
        C:\Windows\system32\mmtask.exe -s
        5⤵
        
        PID:4828
    - - C:\Windows\SVCHOST.EXE
        
        C:\Windows\SVCHOST.EXE -s
        5⤵
        
        PID:3348
    - - C:\Windows\system\SVCHOST.EXE
        
        C:\Windows\system\SVCHOST.EXE -s
        5⤵
        
        PID:4756
    - - C:\Windows\SysWOW64\EBRR.EXE
        
        C:\Windows\system32\EBRR.EXE -s
        5⤵
        
        PID:1776
    - - C:\Windows\SysWOW64\mmtask.exe
        
        C:\Windows\system32\mmtask.exe -s
        5⤵
        
        PID:1224
    - - C:\Windows\SVCHOST.EXE
        
        C:\Windows\SVCHOST.EXE -s
        5⤵
        
        PID:5028
    - - C:\Windows\system\SVCHOST.EXE
        
        C:\Windows\system\SVCHOST.EXE -s
        5⤵
        
        PID:4084
    - - C:\Windows\SysWOW64\EBRR.EXE
        
        C:\Windows\system32\EBRR.EXE -s
        5⤵
        
        PID:2128
    - - C:\Windows\SysWOW64\mmtask.exe
        
        C:\Windows\system32\mmtask.exe -s
        5⤵
        
        PID:2380
    - - C:\Windows\SVCHOST.EXE
        
        C:\Windows\SVCHOST.EXE -s
        5⤵
        
        PID:1444
    - - C:\Windows\system\SVCHOST.EXE
        
        C:\Windows\system\SVCHOST.EXE -s
        5⤵
        
        PID:512
    - - C:\Windows\SysWOW64\EBRR.EXE
        
        C:\Windows\system32\EBRR.EXE -s
        5⤵
        
        PID:544
    - - C:\Windows\SysWOW64\mmtask.exe
        
        C:\Windows\system32\mmtask.exe -s
        5⤵
        
        PID:4056
    - - C:\Windows\SVCHOST.EXE
        
        C:\Windows\SVCHOST.EXE -s
        5⤵
        
        PID:3088
    - - C:\Windows\system\SVCHOST.EXE
        
        C:\Windows\system\SVCHOST.EXE -s
        5⤵
        
        PID:4404
    - - C:\Windows\SysWOW64\EBRR.EXE
        
        C:\Windows\system32\EBRR.EXE -s
        5⤵
        
        PID:1276
    - - C:\Windows\SysWOW64\mmtask.exe
        
        C:\Windows\system32\mmtask.exe -s
        5⤵
        
        PID:852
    - - C:\Windows\SVCHOST.EXE
        
        C:\Windows\SVCHOST.EXE -s
        5⤵
        
        PID:3660
    - - C:\Windows\system\SVCHOST.EXE
        
        C:\Windows\system\SVCHOST.EXE -s
        5⤵
        
        PID:1280
    - - C:\Windows\SysWOW64\EBRR.EXE
        
        C:\Windows\system32\EBRR.EXE -s
        5⤵
        
        PID:4552
    - - C:\Windows\SysWOW64\mmtask.exe
        
        C:\Windows\system32\mmtask.exe -s
        5⤵
        
        PID:3928
    - - C:\Windows\SVCHOST.EXE
        
        C:\Windows\SVCHOST.EXE -s
        5⤵
        
        PID:5072
    - - C:\Windows\system\SVCHOST.EXE
        
        C:\Windows\system\SVCHOST.EXE -s
        5⤵
        
        PID:4520
    - - C:\Windows\SysWOW64\EBRR.EXE
        
        C:\Windows\system32\EBRR.EXE -s
        5⤵
        
        PID:2460
    - - C:\Windows\SysWOW64\mmtask.exe
        
        C:\Windows\system32\mmtask.exe -s
        5⤵
        
        PID:3828
    - - C:\Windows\SVCHOST.EXE
        
        C:\Windows\SVCHOST.EXE -s
        5⤵
        
        PID:3260
    - - C:\Windows\system\SVCHOST.EXE
        
        C:\Windows\system\SVCHOST.EXE -s
        5⤵
        
        PID:4236
    - - C:\Windows\SysWOW64\EBRR.EXE
        
        C:\Windows\system32\EBRR.EXE -s
        5⤵
        
        PID:5112
    - - C:\Windows\SysWOW64\mmtask.exe
        
        C:\Windows\system32\mmtask.exe -s
        5⤵
        
        PID:1200
    - - C:\Windows\SVCHOST.EXE
        
        C:\Windows\SVCHOST.EXE -s
        5⤵
        
        PID:4336
    - - C:\Windows\system\SVCHOST.EXE
        
        C:\Windows\system\SVCHOST.EXE -s
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:2604
    - - C:\Windows\SysWOW64\EBRR.EXE
        
        C:\Windows\system32\EBRR.EXE -s
        5⤵
        
        PID:1240
    - - C:\Windows\SysWOW64\mmtask.exe
        
        C:\Windows\system32\mmtask.exe -s
        5⤵
        
        PID:3080
    - - C:\Windows\SVCHOST.EXE
        
        C:\Windows\SVCHOST.EXE -s
        5⤵
        
        PID:1504
    - - C:\Windows\system\SVCHOST.EXE
        
        C:\Windows\system\SVCHOST.EXE -s
        5⤵
        
        PID:5044
    - - C:\Windows\SysWOW64\EBRR.EXE
        
        C:\Windows\system32\EBRR.EXE -s
        5⤵
        
        PID:3952
    - - C:\Windows\SysWOW64\mmtask.exe
        
        C:\Windows\system32\mmtask.exe -s
        5⤵
        
        PID:3468
    - - C:\Windows\SVCHOST.EXE
        
        C:\Windows\SVCHOST.EXE -s
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:2412
    - - C:\Windows\system\SVCHOST.EXE
        
        C:\Windows\system\SVCHOST.EXE -s
        5⤵
        
        PID:3696
    - - C:\Windows\SysWOW64\EBRR.EXE
        
        C:\Windows\system32\EBRR.EXE -s
        5⤵
        
        PID:1392
    - - C:\Windows\SysWOW64\mmtask.exe
        
        C:\Windows\system32\mmtask.exe -s
        5⤵
        
        PID:3088
    - - C:\Windows\SVCHOST.EXE
        
        C:\Windows\SVCHOST.EXE -s
        5⤵
        
        PID:860
    - - C:\Windows\system\SVCHOST.EXE
        
        C:\Windows\system\SVCHOST.EXE -s
        5⤵
        
        PID:3956
    - - C:\Windows\SysWOW64\EBRR.EXE
        
        C:\Windows\system32\EBRR.EXE -s
        5⤵
        
        PID:2956
    - - C:\Windows\SysWOW64\mmtask.exe
        
        C:\Windows\system32\mmtask.exe -s
        5⤵
        
        PID:1016
    - - C:\Windows\SVCHOST.EXE
        
        C:\Windows\SVCHOST.EXE -s
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:2144
    - - C:\Windows\system\SVCHOST.EXE
        
        C:\Windows\system\SVCHOST.EXE -s
        5⤵
        
        PID:1848
    - - C:\Windows\SysWOW64\EBRR.EXE
        
        C:\Windows\system32\EBRR.EXE -s
        5⤵
        
        PID:3908
    - - C:\Windows\SysWOW64\mmtask.exe
        
        C:\Windows\system32\mmtask.exe -s
        5⤵
        
        PID:1196
    - - C:\Windows\SVCHOST.EXE
        
        C:\Windows\SVCHOST.EXE -s
        5⤵
        
        PID:3492
    - - C:\Windows\system\SVCHOST.EXE
        
        C:\Windows\system\SVCHOST.EXE -s
        5⤵
        
        PID:2664
    - - C:\Windows\SysWOW64\EBRR.EXE
        
        C:\Windows\system32\EBRR.EXE -s
        5⤵
        
        PID:2224
    - - C:\Windows\SysWOW64\mmtask.exe
        
        C:\Windows\system32\mmtask.exe -s
        5⤵
        
        PID:2392
    - - C:\Windows\SVCHOST.EXE
        
        C:\Windows\SVCHOST.EXE -s
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:3260
    - - C:\Windows\system\SVCHOST.EXE
        
        C:\Windows\system\SVCHOST.EXE -s
        5⤵
        
        PID:3268
    - - C:\Windows\SysWOW64\EBRR.EXE
        
        C:\Windows\system32\EBRR.EXE -s
        5⤵
        
        PID:4400
    - - C:\Windows\SysWOW64\mmtask.exe
        
        C:\Windows\system32\mmtask.exe -s
        5⤵
        
        PID:528
    - - C:\Windows\SVCHOST.EXE
        
        C:\Windows\SVCHOST.EXE -s
        5⤵
        
        PID:752
    - - C:\Windows\system\SVCHOST.EXE
        
        C:\Windows\system\SVCHOST.EXE -s
        5⤵
        
        PID:2628
    - - C:\Windows\SysWOW64\EBRR.EXE
        
        C:\Windows\system32\EBRR.EXE -s
        5⤵
        
        PID:2460
    - - C:\Windows\SysWOW64\mmtask.exe
        
        C:\Windows\system32\mmtask.exe -s
        5⤵
        
        PID:2224
    - - C:\Windows\SVCHOST.EXE
        
        C:\Windows\SVCHOST.EXE -s
        5⤵
        
        PID:3660
    - - C:\Windows\system\SVCHOST.EXE
        
        C:\Windows\system\SVCHOST.EXE -s
        5⤵
        
        PID:3872
    - - C:\Windows\SysWOW64\EBRR.EXE
        
        C:\Windows\system32\EBRR.EXE -s
        5⤵
        
        PID:4940
    - - C:\Windows\SysWOW64\mmtask.exe
        
        C:\Windows\system32\mmtask.exe -s
        5⤵
        
        PID:1384
    - - C:\Windows\SVCHOST.EXE
        
        C:\Windows\SVCHOST.EXE -s
        5⤵
        
        PID:2976
    - - C:\Windows\system\SVCHOST.EXE
        
        C:\Windows\system\SVCHOST.EXE -s
        5⤵
        
        PID:3908
    - - C:\Windows\SysWOW64\EBRR.EXE
        
        C:\Windows\system32\EBRR.EXE -s
        5⤵
        
        PID:3940
    - - C:\Windows\SysWOW64\mmtask.exe
        
        C:\Windows\system32\mmtask.exe -s
        5⤵
        
        PID:4972
    - - C:\Windows\SVCHOST.EXE
        
        C:\Windows\SVCHOST.EXE -s
        5⤵
        
        PID:5008
    - - C:\Windows\system\SVCHOST.EXE
        
        C:\Windows\system\SVCHOST.EXE -s
        5⤵
        
        PID:3088
    - - C:\Windows\SysWOW64\EBRR.EXE
        
        C:\Windows\system32\EBRR.EXE -s
        5⤵
        
        PID:1520
    - - C:\Windows\SysWOW64\mmtask.exe
        
        C:\Windows\system32\mmtask.exe -s
        5⤵
        
        PID:3640
    - - C:\Windows\SVCHOST.EXE
        
        C:\Windows\SVCHOST.EXE -s
        5⤵
        
        PID:3552
    - - C:\Windows\system\SVCHOST.EXE
        
        C:\Windows\system\SVCHOST.EXE -s
        5⤵
        
        PID:2540
    - - C:\Windows\SysWOW64\EBRR.EXE
        
        C:\Windows\system32\EBRR.EXE -s
        5⤵
        
        PID:3288
    - - C:\Windows\SysWOW64\mmtask.exe
        
        C:\Windows\system32\mmtask.exe -s
        5⤵
        
        PID:4952
    - - C:\Windows\SVCHOST.EXE
        
        C:\Windows\SVCHOST.EXE -s
        5⤵
        
        PID:2004
    - - C:\Windows\system\SVCHOST.EXE
        
        C:\Windows\system\SVCHOST.EXE -s
        5⤵
        
        PID:624
    - - C:\Windows\SysWOW64\EBRR.EXE
        
        C:\Windows\system32\EBRR.EXE -s
        5⤵
        
        PID:1512
    - - C:\Windows\SysWOW64\mmtask.exe
        
        C:\Windows\system32\mmtask.exe -s
        5⤵
        
        PID:744
    - - C:\Windows\SVCHOST.EXE
        
        C:\Windows\SVCHOST.EXE -s
        5⤵
        
        PID:2224
    - - C:\Windows\system\SVCHOST.EXE
        
        C:\Windows\system\SVCHOST.EXE -s
        5⤵
        
        PID:3640
    - - C:\Windows\SysWOW64\EBRR.EXE
        
        C:\Windows\system32\EBRR.EXE -s
        5⤵
        
        PID:4308
    - - C:\Windows\SysWOW64\mmtask.exe
        
        C:\Windows\system32\mmtask.exe -s
        5⤵
        
        PID:3340
    - - C:\Windows\SVCHOST.EXE
        
        C:\Windows\SVCHOST.EXE -s
        5⤵
        
        PID:1116
    - - C:\Windows\system\SVCHOST.EXE
        
        C:\Windows\system\SVCHOST.EXE -s
        5⤵
        
        PID:2352
    - - C:\Windows\SysWOW64\EBRR.EXE
        
        C:\Windows\system32\EBRR.EXE -s
        5⤵
        
        PID:2124
    - - C:\Windows\SysWOW64\mmtask.exe
        
        C:\Windows\system32\mmtask.exe -s
        5⤵
        
        PID:624
    - - C:\Windows\SVCHOST.EXE
        
        C:\Windows\SVCHOST.EXE -s
        5⤵
        
        PID:1520
    - - C:\Windows\system\SVCHOST.EXE
        
        C:\Windows\system\SVCHOST.EXE -s
        5⤵
        
        PID:4628
    - - C:\Windows\SysWOW64\EBRR.EXE
        
        C:\Windows\system32\EBRR.EXE -s
        5⤵
        
        PID:1580
    - - C:\Windows\SysWOW64\mmtask.exe
        
        C:\Windows\system32\mmtask.exe -s
        5⤵
        
        PID:3960
    - - C:\Windows\SVCHOST.EXE
        
        C:\Windows\SVCHOST.EXE -s
        5⤵
        
        PID:1548
    - - C:\Windows\system\SVCHOST.EXE
        
        C:\Windows\system\SVCHOST.EXE -s
        5⤵
        
        PID:2540
    - - C:\Windows\SysWOW64\EBRR.EXE
        
        C:\Windows\system32\EBRR.EXE -s
        5⤵
        
        PID:4784
    - - C:\Windows\SysWOW64\mmtask.exe
        
        C:\Windows\system32\mmtask.exe -s
        5⤵
        
        PID:3276
    - - C:\Windows\SVCHOST.EXE
        
        C:\Windows\SVCHOST.EXE -s
        5⤵
        
        PID:3892
    - - C:\Windows\system\SVCHOST.EXE
        
        C:\Windows\system\SVCHOST.EXE -s
        5⤵
        
        PID:2496
    - - C:\Windows\SysWOW64\EBRR.EXE
        
        C:\Windows\system32\EBRR.EXE -s
        5⤵
        
        PID:3500
    - - C:\Windows\SysWOW64\mmtask.exe
        
        C:\Windows\system32\mmtask.exe -s
        5⤵
        
        PID:4680
    - - C:\Windows\SVCHOST.EXE
        
        C:\Windows\SVCHOST.EXE -s
        5⤵
        
        PID:3992
    - - C:\Windows\system\SVCHOST.EXE
        
        C:\Windows\system\SVCHOST.EXE -s
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:3952
    - - C:\Windows\SysWOW64\EBRR.EXE
        
        C:\Windows\system32\EBRR.EXE -s
        5⤵
        
        PID:392
    - - C:\Windows\SysWOW64\mmtask.exe
        
        C:\Windows\system32\mmtask.exe -s
        5⤵
        
        PID:1932
    - - C:\Windows\SVCHOST.EXE
        
        C:\Windows\SVCHOST.EXE -s
        5⤵
        
        PID:3056
    - - C:\Windows\system\SVCHOST.EXE
        
        C:\Windows\system\SVCHOST.EXE -s
        5⤵
        
        PID:4948
    - - C:\Windows\SysWOW64\EBRR.EXE
        
        C:\Windows\system32\EBRR.EXE -s
        5⤵
        
        PID:4756
    - - C:\Windows\SysWOW64\mmtask.exe
        
        C:\Windows\system32\mmtask.exe -s
        5⤵
        
        PID:4084
    - - C:\Windows\SVCHOST.EXE
        
        C:\Windows\SVCHOST.EXE -s
        5⤵
        
        PID:3644
    - - C:\Windows\system\SVCHOST.EXE
        
        C:\Windows\system\SVCHOST.EXE -s
        5⤵
        
        PID:4532
    - - C:\Windows\SysWOW64\EBRR.EXE
        
        C:\Windows\system32\EBRR.EXE -s
        5⤵
        
        PID:2356
    - - C:\Windows\SysWOW64\mmtask.exe
        
        C:\Windows\system32\mmtask.exe -s
        5⤵
        
        PID:1660
    - - C:\Windows\SVCHOST.EXE
        
        C:\Windows\SVCHOST.EXE -s
        5⤵
        
        PID:4960
    - - C:\Windows\system\SVCHOST.EXE
        
        C:\Windows\system\SVCHOST.EXE -s
        5⤵
        
        PID:1292
  - - C:\Windows\system\SVCHOST.EXE
      C:\Windows\system\SVCHOST.EXE -s
      4⤵
      Executes dropped EXE
      Suspicious use of SetWindowsHookEx
      PID:3672
  - - C:\Windows\SysWOW64\EBRR.EXE
      C:\Windows\system32\EBRR.EXE -s
      4⤵
      Executes dropped EXE
      Suspicious use of SetWindowsHookEx
      PID:2204
  - - C:\Windows\SysWOW64\mmtask.exe
      C:\Windows\system32\mmtask.exe -s
      4⤵
      Executes dropped EXE
      Suspicious use of SetWindowsHookEx
      PID:3116
  - - C:\Windows\SVCHOST.EXE
      C:\Windows\SVCHOST.EXE -s
      4⤵
      Executes dropped EXE
      Suspicious use of SetWindowsHookEx
      PID:1980
  - - C:\Windows\system\SVCHOST.EXE
      C:\Windows\system\SVCHOST.EXE -s
      4⤵
      Executes dropped EXE
      Suspicious use of SetWindowsHookEx
      PID:716
  - - C:\Windows\SysWOW64\EBRR.EXE
      C:\Windows\system32\EBRR.EXE -s
      4⤵
      Executes dropped EXE
      Suspicious use of SetWindowsHookEx
      PID:220
  - - C:\Windows\SysWOW64\mmtask.exe
      C:\Windows\system32\mmtask.exe -s
      4⤵
      Executes dropped EXE
      Suspicious use of SetWindowsHookEx
      PID:940
  - - C:\Windows\SVCHOST.EXE
      C:\Windows\SVCHOST.EXE -s
      4⤵
      Executes dropped EXE
      Suspicious use of SetWindowsHookEx
      PID:3008
  - - C:\Windows\system\SVCHOST.EXE
      C:\Windows\system\SVCHOST.EXE -s
      4⤵
      Executes dropped EXE
      Suspicious use of SetWindowsHookEx
      PID:2320
  - - C:\Windows\SysWOW64\EBRR.EXE
      C:\Windows\system32\EBRR.EXE -s
      4⤵
      Executes dropped EXE
      Suspicious use of SetWindowsHookEx
      PID:4408
  - - C:\Windows\SysWOW64\mmtask.exe
      C:\Windows\system32\mmtask.exe -s
      4⤵
      Executes dropped EXE
      PID:4236
  - - C:\Windows\SVCHOST.EXE
      C:\Windows\SVCHOST.EXE -s
      4⤵
      PID:2224
  - - C:\Windows\system\SVCHOST.EXE
      C:\Windows\system\SVCHOST.EXE -s
      4⤵
      PID:4680
  - - C:\Windows\SysWOW64\EBRR.EXE
      C:\Windows\system32\EBRR.EXE -s
      4⤵
      PID:1016
  - - C:\Windows\SysWOW64\mmtask.exe
      C:\Windows\system32\mmtask.exe -s
      4⤵
      PID:3652
  - - C:\Windows\SVCHOST.EXE
      C:\Windows\SVCHOST.EXE -s
      4⤵
      PID:2228
  - - C:\Windows\system\SVCHOST.EXE
      C:\Windows\system\SVCHOST.EXE -s
      4⤵
      PID:220
  - - C:\Windows\SysWOW64\EBRR.EXE
      C:\Windows\system32\EBRR.EXE -s
      4⤵
      PID:2736
  - - C:\Windows\SysWOW64\mmtask.exe
      C:\Windows\system32\mmtask.exe -s
      4⤵
      PID:3516
  - - C:\Windows\SVCHOST.EXE
      C:\Windows\SVCHOST.EXE -s
      4⤵
      PID:1692
  - - C:\Windows\system\SVCHOST.EXE
      C:\Windows\system\SVCHOST.EXE -s
      4⤵
      PID:2440
  - - C:\Windows\SysWOW64\EBRR.EXE
      C:\Windows\system32\EBRR.EXE -s
      4⤵
      PID:3464
  - - C:\Windows\SysWOW64\mmtask.exe
      C:\Windows\system32\mmtask.exe -s
      4⤵
      System Location Discovery: System Language Discovery
      PID:2844
  - - C:\Windows\SVCHOST.EXE
      C:\Windows\SVCHOST.EXE -s
      4⤵
      PID:1580
  - - C:\Windows\system\SVCHOST.EXE
      C:\Windows\system\SVCHOST.EXE -s
      4⤵
      PID:716
  - - C:\Windows\SysWOW64\EBRR.EXE
      C:\Windows\system32\EBRR.EXE -s
      4⤵
      PID:1224
  - - C:\Windows\SysWOW64\mmtask.exe
      C:\Windows\system32\mmtask.exe -s
      4⤵
      PID:2736
  - - C:\Windows\SVCHOST.EXE
      C:\Windows\SVCHOST.EXE -s
      4⤵
      PID:2720
  - - C:\Windows\system\SVCHOST.EXE
      C:\Windows\system\SVCHOST.EXE -s
      4⤵
      PID:2356
  - - C:\Windows\SysWOW64\EBRR.EXE
      C:\Windows\system32\EBRR.EXE -s
      4⤵
      PID:2676
  - - C:\Windows\SysWOW64\mmtask.exe
      C:\Windows\system32\mmtask.exe -s
      4⤵
      PID:2216
  - - C:\Windows\SVCHOST.EXE
      C:\Windows\SVCHOST.EXE -s
      4⤵
      PID:3116
  - - C:\Windows\system\SVCHOST.EXE
      C:\Windows\system\SVCHOST.EXE -s
      4⤵
      PID:3788
  - - C:\Windows\SysWOW64\EBRR.EXE
      C:\Windows\system32\EBRR.EXE -s
      4⤵
      PID:1684
  - - C:\Windows\SysWOW64\mmtask.exe
      C:\Windows\system32\mmtask.exe -s
      4⤵
      PID:2088
  - - C:\Windows\SVCHOST.EXE
      C:\Windows\SVCHOST.EXE -s
      4⤵
      PID:2708
  - - C:\Windows\system\SVCHOST.EXE
      C:\Windows\system\SVCHOST.EXE -s
      4⤵
      PID:2120
  - - C:\Windows\SysWOW64\EBRR.EXE
      C:\Windows\system32\EBRR.EXE -s
      4⤵
      PID:2128
  - - C:\Windows\SysWOW64\mmtask.exe
      C:\Windows\system32\mmtask.exe -s
      4⤵
      PID:1692
  - - C:\Windows\SVCHOST.EXE
      C:\Windows\SVCHOST.EXE -s
      4⤵
      PID:3952
  - - C:\Windows\system\SVCHOST.EXE
      C:\Windows\system\SVCHOST.EXE -s
      4⤵
      PID:1776
  - - C:\Windows\SysWOW64\EBRR.EXE
      C:\Windows\system32\EBRR.EXE -s
      4⤵
      PID:440
  - - C:\Windows\SysWOW64\mmtask.exe
      C:\Windows\system32\mmtask.exe -s
      4⤵
      PID:3908
  - - C:\Windows\SVCHOST.EXE
      C:\Windows\SVCHOST.EXE -s
      4⤵
      PID:4656
  - - C:\Windows\system\SVCHOST.EXE
      C:\Windows\system\SVCHOST.EXE -s
      4⤵
      PID:4912
  - - C:\Windows\SysWOW64\EBRR.EXE
      C:\Windows\system32\EBRR.EXE -s
      4⤵
      PID:2708
  - - C:\Windows\SysWOW64\mmtask.exe
      C:\Windows\system32\mmtask.exe -s
      4⤵
      System Location Discovery: System Language Discovery
      PID:2212
  - - C:\Windows\SVCHOST.EXE
      C:\Windows\SVCHOST.EXE -s
      4⤵
      PID:792
  - - C:\Windows\system\SVCHOST.EXE
      C:\Windows\system\SVCHOST.EXE -s
      4⤵
      PID:796
  - - C:\Windows\SysWOW64\EBRR.EXE
      C:\Windows\system32\EBRR.EXE -s
      4⤵
      PID:2584
  - - C:\Windows\SysWOW64\mmtask.exe
      C:\Windows\system32\mmtask.exe -s
      4⤵
      PID:3644
  - - C:\Windows\SVCHOST.EXE
      C:\Windows\SVCHOST.EXE -s
      4⤵
      PID:752
  - - C:\Windows\system\SVCHOST.EXE
      C:\Windows\system\SVCHOST.EXE -s
      4⤵
      PID:3340
  - - C:\Windows\SysWOW64\EBRR.EXE
      C:\Windows\system32\EBRR.EXE -s
      4⤵
      PID:220
  - - C:\Windows\SysWOW64\mmtask.exe
      C:\Windows\system32\mmtask.exe -s
      4⤵
      PID:1196
  - - C:\Windows\SVCHOST.EXE
      C:\Windows\SVCHOST.EXE -s
      4⤵
      PID:1276
  - - C:\Windows\system\SVCHOST.EXE
      C:\Windows\system\SVCHOST.EXE -s
      4⤵
      PID:2004
  - - C:\Windows\SysWOW64\EBRR.EXE
      C:\Windows\system32\EBRR.EXE -s
      4⤵
      PID:3932
  - - C:\Windows\SysWOW64\mmtask.exe
      C:\Windows\system32\mmtask.exe -s
      4⤵
      PID:2380
  - - C:\Windows\SVCHOST.EXE
      C:\Windows\SVCHOST.EXE -s
      4⤵
      PID:3456
  - - C:\Windows\system\SVCHOST.EXE
      C:\Windows\system\SVCHOST.EXE -s
      4⤵
      PID:3696
  - - C:\Windows\SysWOW64\EBRR.EXE
      C:\Windows\system32\EBRR.EXE -s
      4⤵
      PID:4420
  - - C:\Windows\SysWOW64\mmtask.exe
      C:\Windows\system32\mmtask.exe -s
      4⤵
      PID:396
  - - C:\Windows\SVCHOST.EXE
      C:\Windows\SVCHOST.EXE -s
      4⤵
      PID:4588
  - - C:\Windows\system\SVCHOST.EXE
      C:\Windows\system\SVCHOST.EXE -s
      4⤵
      PID:2324
  - - C:\Windows\SysWOW64\EBRR.EXE
      C:\Windows\system32\EBRR.EXE -s
      4⤵
      PID:4540
  - - C:\Windows\SysWOW64\mmtask.exe
      C:\Windows\system32\mmtask.exe -s
      4⤵
      PID:1840
  - - C:\Windows\SVCHOST.EXE
      C:\Windows\SVCHOST.EXE -s
      4⤵
      PID:4964
  - - C:\Windows\system\SVCHOST.EXE
      C:\Windows\system\SVCHOST.EXE -s
      4⤵
      System Location Discovery: System Language Discovery
      PID:3456
  - - C:\Windows\SysWOW64\EBRR.EXE
      C:\Windows\system32\EBRR.EXE -s
      4⤵
      System Location Discovery: System Language Discovery
      PID:2980
  - - C:\Windows\SysWOW64\mmtask.exe
      C:\Windows\system32\mmtask.exe -s
      4⤵
      PID:3012
  - - C:\Windows\SVCHOST.EXE
      C:\Windows\SVCHOST.EXE -s
      4⤵
      PID:1224
  - - C:\Windows\system\SVCHOST.EXE
      C:\Windows\system\SVCHOST.EXE -s
      4⤵
      PID:3388
  - - C:\Windows\SysWOW64\EBRR.EXE
      C:\Windows\system32\EBRR.EXE -s
      4⤵
      PID:5068
  - - C:\Windows\SysWOW64\mmtask.exe
      C:\Windows\system32\mmtask.exe -s
      4⤵
      PID:1592
  - - C:\Windows\SVCHOST.EXE
      C:\Windows\SVCHOST.EXE -s
      4⤵
      PID:1444
  - - C:\Windows\system\SVCHOST.EXE
      C:\Windows\system\SVCHOST.EXE -s
      4⤵
      PID:3392
  - - C:\Windows\SysWOW64\EBRR.EXE
      C:\Windows\system32\EBRR.EXE -s
      4⤵
      PID:3364
  - - C:\Windows\SysWOW64\mmtask.exe
      C:\Windows\system32\mmtask.exe -s
      4⤵
      System Location Discovery: System Language Discovery
      PID:1312
  - - C:\Windows\SVCHOST.EXE
      C:\Windows\SVCHOST.EXE -s
      4⤵
      PID:716
  - - C:\Windows\system\SVCHOST.EXE
      C:\Windows\system\SVCHOST.EXE -s
      4⤵
      PID:3684
  - - C:\Windows\SysWOW64\EBRR.EXE
      C:\Windows\system32\EBRR.EXE -s
      4⤵
      PID:1244
  - - C:\Windows\SysWOW64\mmtask.exe
      C:\Windows\system32\mmtask.exe -s
      4⤵
      PID:3056
  - - C:\Windows\SVCHOST.EXE
      C:\Windows\SVCHOST.EXE -s
      4⤵
      PID:3080
  - - C:\Windows\system\SVCHOST.EXE
      C:\Windows\system\SVCHOST.EXE -s
      4⤵
      PID:768
  - - C:\Windows\SysWOW64\EBRR.EXE
      C:\Windows\system32\EBRR.EXE -s
      4⤵
      System Location Discovery: System Language Discovery
      PID:1200
  - - C:\Windows\SysWOW64\mmtask.exe
      C:\Windows\system32\mmtask.exe -s
      4⤵
      PID:1836
  - - C:\Windows\SVCHOST.EXE
      C:\Windows\SVCHOST.EXE -s
      4⤵
      System Location Discovery: System Language Discovery
      PID:544
  - - C:\Windows\system\SVCHOST.EXE
      C:\Windows\system\SVCHOST.EXE -s
      4⤵
      PID:4580
  - - C:\Windows\SysWOW64\EBRR.EXE
      C:\Windows\system32\EBRR.EXE -s
      4⤵
      PID:232
  - - C:\Windows\SysWOW64\mmtask.exe
      C:\Windows\system32\mmtask.exe -s
      4⤵
      PID:3112
  - - C:\Windows\SVCHOST.EXE
      C:\Windows\SVCHOST.EXE -s
      4⤵
      PID:4640
  - - C:\Windows\system\SVCHOST.EXE
      C:\Windows\system\SVCHOST.EXE -s
      4⤵
      PID:1804
  - - C:\Windows\SysWOW64\EBRR.EXE
      C:\Windows\system32\EBRR.EXE -s
      4⤵
      System Location Discovery: System Language Discovery
      PID:5108
  - - C:\Windows\SysWOW64\mmtask.exe
      C:\Windows\system32\mmtask.exe -s
      4⤵
      PID:4944
  - - C:\Windows\SVCHOST.EXE
      C:\Windows\SVCHOST.EXE -s
      4⤵
      PID:744
  - - C:\Windows\system\SVCHOST.EXE
      C:\Windows\system\SVCHOST.EXE -s
      4⤵
      PID:864
  - - C:\Windows\SysWOW64\EBRR.EXE
      C:\Windows\system32\EBRR.EXE -s
      4⤵
      PID:1932
  - - C:\Windows\SysWOW64\mmtask.exe
      C:\Windows\system32\mmtask.exe -s
      4⤵
      PID:5004
  - - C:\Windows\SVCHOST.EXE
      C:\Windows\SVCHOST.EXE -s
      4⤵
      PID:1160
  - - C:\Windows\system\SVCHOST.EXE
      C:\Windows\system\SVCHOST.EXE -s
      4⤵
      PID:4752
  - - C:\Windows\SysWOW64\EBRR.EXE
      C:\Windows\system32\EBRR.EXE -s
      4⤵
      PID:2440
  - - C:\Windows\SysWOW64\mmtask.exe
      C:\Windows\system32\mmtask.exe -s
      4⤵
      System Location Discovery: System Language Discovery
      PID:3952
  - - C:\Windows\SVCHOST.EXE
      C:\Windows\SVCHOST.EXE -s
      4⤵
      PID:2984
  - - C:\Windows\system\SVCHOST.EXE
      C:\Windows\system\SVCHOST.EXE -s
      4⤵
      PID:4940
  - - C:\Windows\SysWOW64\EBRR.EXE
      C:\Windows\system32\EBRR.EXE -s
      4⤵
      PID:4428
  - - C:\Windows\SysWOW64\mmtask.exe
      C:\Windows\system32\mmtask.exe -s
      4⤵
      PID:1836
  - - C:\Windows\SVCHOST.EXE
      C:\Windows\SVCHOST.EXE -s
      4⤵
      PID:4576
  - - C:\Windows\system\SVCHOST.EXE
      C:\Windows\system\SVCHOST.EXE -s
      4⤵
      PID:1120
  - - C:\Windows\SysWOW64\EBRR.EXE
      C:\Windows\system32\EBRR.EXE -s
      4⤵
      PID:548
  - - C:\Windows\SysWOW64\mmtask.exe
      C:\Windows\system32\mmtask.exe -s
      4⤵
      PID:2004
  - - C:\Windows\SVCHOST.EXE
      C:\Windows\SVCHOST.EXE -s
      4⤵
      PID:3268
  - - C:\Windows\system\SVCHOST.EXE
      C:\Windows\system\SVCHOST.EXE -s
      4⤵
      PID:3540
  - - C:\Windows\SysWOW64\EBRR.EXE
      C:\Windows\system32\EBRR.EXE -s
      4⤵
      PID:1188
  - - C:\Windows\SysWOW64\mmtask.exe
      C:\Windows\system32\mmtask.exe -s
      4⤵
      PID:2256
  - - C:\Windows\SVCHOST.EXE
      C:\Windows\SVCHOST.EXE -s
      4⤵
      PID:3144
  - - C:\Windows\system\SVCHOST.EXE
      C:\Windows\system\SVCHOST.EXE -s
      4⤵
      PID:3644
  - - C:\Windows\SysWOW64\EBRR.EXE
      C:\Windows\system32\EBRR.EXE -s
      4⤵
      PID:3940
  - - C:\Windows\SysWOW64\mmtask.exe
      C:\Windows\system32\mmtask.exe -s
      4⤵
      PID:1060
  - - C:\Windows\SVCHOST.EXE
      C:\Windows\SVCHOST.EXE -s
      4⤵
      PID:1476
  - - C:\Windows\system\SVCHOST.EXE
      C:\Windows\system\SVCHOST.EXE -s
      4⤵
      PID:1940
  - - C:\Windows\SysWOW64\EBRR.EXE
      C:\Windows\system32\EBRR.EXE -s
      4⤵
      PID:548
  - - C:\Windows\SysWOW64\mmtask.exe
      C:\Windows\system32\mmtask.exe -s
      4⤵
      PID:4628
  - - C:\Windows\SVCHOST.EXE
      C:\Windows\SVCHOST.EXE -s
      4⤵
      PID:4944
  - - C:\Windows\system\SVCHOST.EXE
      C:\Windows\system\SVCHOST.EXE -s
      4⤵
      PID:2196
  - - C:\Windows\SysWOW64\EBRR.EXE
      C:\Windows\system32\EBRR.EXE -s
      4⤵
      PID:440
  - - C:\Windows\SysWOW64\mmtask.exe
      C:\Windows\system32\mmtask.exe -s
      4⤵
      PID:4492
  - - C:\Windows\SVCHOST.EXE
      C:\Windows\SVCHOST.EXE -s
      4⤵
      PID:3144
  - - C:\Windows\system\SVCHOST.EXE
      C:\Windows\system\SVCHOST.EXE -s
      4⤵
      System Location Discovery: System Language Discovery
      PID:4304
  - - C:\Windows\SysWOW64\EBRR.EXE
      C:\Windows\system32\EBRR.EXE -s
      4⤵
      PID:1160
  - - C:\Windows\SysWOW64\mmtask.exe
      C:\Windows\system32\mmtask.exe -s
      4⤵
      PID:5004
  - - C:\Windows\SVCHOST.EXE
      C:\Windows\SVCHOST.EXE -s
      4⤵
      PID:1716
  - - C:\Windows\system\SVCHOST.EXE
      C:\Windows\system\SVCHOST.EXE -s
      4⤵
      PID:3788
  - - C:\Windows\SysWOW64\EBRR.EXE
      C:\Windows\system32\EBRR.EXE -s
      4⤵
      PID:3916
  - - C:\Windows\SysWOW64\mmtask.exe
      C:\Windows\system32\mmtask.exe -s
      4⤵
      PID:3276
  - - C:\Windows\SVCHOST.EXE
      C:\Windows\SVCHOST.EXE -s
      4⤵
      PID:5108
  - - C:\Windows\system\SVCHOST.EXE
      C:\Windows\system\SVCHOST.EXE -s
      4⤵
      PID:2584
  - - C:\Windows\SysWOW64\EBRR.EXE
      C:\Windows\system32\EBRR.EXE -s
      4⤵
      PID:2844
  - - C:\Windows\SysWOW64\mmtask.exe
      C:\Windows\system32\mmtask.exe -s
      4⤵
      PID:4580
  - - C:\Windows\SVCHOST.EXE
      C:\Windows\SVCHOST.EXE -s
      4⤵
      PID:4128
  - - C:\Windows\system\SVCHOST.EXE
      C:\Windows\system\SVCHOST.EXE -s
      4⤵
      PID:4892
  - - C:\Windows\SysWOW64\EBRR.EXE
      C:\Windows\system32\EBRR.EXE -s
      4⤵
      PID:860
  - - C:\Windows\SysWOW64\mmtask.exe
      C:\Windows\system32\mmtask.exe -s
      4⤵
      PID:3956
  - - C:\Windows\SVCHOST.EXE
      C:\Windows\SVCHOST.EXE -s
      4⤵
      PID:3676
  - - C:\Windows\system\SVCHOST.EXE
      C:\Windows\system\SVCHOST.EXE -s
      4⤵
      PID:1660
  - - C:\Windows\SysWOW64\EBRR.EXE
      C:\Windows\system32\EBRR.EXE -s
      4⤵
      PID:4948
  - - C:\Windows\SysWOW64\mmtask.exe
      C:\Windows\system32\mmtask.exe -s
      4⤵
      PID:4596
  - - C:\Windows\SVCHOST.EXE
      C:\Windows\SVCHOST.EXE -s
      4⤵
      PID:4264
  - - C:\Windows\system\SVCHOST.EXE
      C:\Windows\system\SVCHOST.EXE -s
      4⤵
      PID:3400
  - - C:\Windows\SysWOW64\EBRR.EXE
      C:\Windows\system32\EBRR.EXE -s
      4⤵
      PID:4752
  - - C:\Windows\SysWOW64\mmtask.exe
      C:\Windows\system32\mmtask.exe -s
      4⤵
      PID:4680
  - - C:\Windows\SVCHOST.EXE
      C:\Windows\SVCHOST.EXE -s
      4⤵
      PID:5036
  - - C:\Windows\system\SVCHOST.EXE
      C:\Windows\system\SVCHOST.EXE -s
      4⤵
      PID:2516
  - - C:\Windows\SysWOW64\EBRR.EXE
      C:\Windows\system32\EBRR.EXE -s
      4⤵
      PID:2368
  - - C:\Windows\SysWOW64\mmtask.exe
      C:\Windows\system32\mmtask.exe -s
      4⤵
      PID:224
  - - C:\Windows\SVCHOST.EXE
      C:\Windows\SVCHOST.EXE -s
      4⤵
      PID:2352
  - - C:\Windows\system\SVCHOST.EXE
      C:\Windows\system\SVCHOST.EXE -s
      4⤵
      PID:1900
  - - C:\Windows\SysWOW64\EBRR.EXE
      C:\Windows\system32\EBRR.EXE -s
      4⤵
      PID:5056
  - - C:\Windows\SysWOW64\mmtask.exe
      C:\Windows\system32\mmtask.exe -s
      4⤵
      PID:2316
  - - C:\Windows\SVCHOST.EXE
      C:\Windows\SVCHOST.EXE -s
      4⤵
      PID:4608
  - - C:\Windows\system\SVCHOST.EXE
      C:\Windows\system\SVCHOST.EXE -s
      4⤵
      PID:1512
  - - C:\Windows\SysWOW64\EBRR.EXE
      C:\Windows\system32\EBRR.EXE -s
      4⤵
      PID:1268
  - - C:\Windows\SysWOW64\mmtask.exe
      C:\Windows\system32\mmtask.exe -s
      4⤵
      PID:3116
  - - C:\Windows\SVCHOST.EXE
      C:\Windows\SVCHOST.EXE -s
      4⤵
      System Location Discovery: System Language Discovery
      PID:1148
  - - C:\Windows\system\SVCHOST.EXE
      C:\Windows\system\SVCHOST.EXE -s
      4⤵
      System Location Discovery: System Language Discovery
      PID:2584
  - - C:\Windows\SysWOW64\EBRR.EXE
      C:\Windows\system32\EBRR.EXE -s
      4⤵
      PID:4784
  - - C:\Windows\SysWOW64\mmtask.exe
      C:\Windows\system32\mmtask.exe -s
      4⤵
      PID:544
  - - C:\Windows\SVCHOST.EXE
      C:\Windows\SVCHOST.EXE -s
      4⤵
      PID:3324
  - - C:\Windows\system\SVCHOST.EXE
      C:\Windows\system\SVCHOST.EXE -s
      4⤵
      PID:116
  - - C:\Windows\SysWOW64\EBRR.EXE
      C:\Windows\system32\EBRR.EXE -s
      4⤵
      PID:3188
  - - C:\Windows\SysWOW64\mmtask.exe
      C:\Windows\system32\mmtask.exe -s
      4⤵
      PID:3872
  - - C:\Windows\SVCHOST.EXE
      C:\Windows\SVCHOST.EXE -s
      4⤵
      PID:3624
  - - C:\Windows\system\SVCHOST.EXE
      C:\Windows\system\SVCHOST.EXE -s
      4⤵
      System Location Discovery: System Language Discovery
      PID:556
  - - C:\Windows\SysWOW64\EBRR.EXE
      C:\Windows\system32\EBRR.EXE -s
      4⤵
      PID:2216
  - - C:\Windows\SysWOW64\mmtask.exe
      C:\Windows\system32\mmtask.exe -s
      4⤵
      PID:2256
  - - C:\Windows\SVCHOST.EXE
      C:\Windows\SVCHOST.EXE -s
      4⤵
      PID:3144
  - - C:\Windows\system\SVCHOST.EXE
      C:\Windows\system\SVCHOST.EXE -s
      4⤵
      PID:1200
  - - C:\Windows\SysWOW64\EBRR.EXE
      C:\Windows\system32\EBRR.EXE -s
      4⤵
      PID:4600
  - - C:\Windows\SysWOW64\mmtask.exe
      C:\Windows\system32\mmtask.exe -s
      4⤵
      PID:5028
  - - C:\Windows\SVCHOST.EXE
      C:\Windows\SVCHOST.EXE -s
      4⤵
      PID:4820
  - - C:\Windows\system\SVCHOST.EXE
      C:\Windows\system\SVCHOST.EXE -s
      4⤵
      PID:864
  - - C:\Windows\SysWOW64\EBRR.EXE
      C:\Windows\system32\EBRR.EXE -s
      4⤵
      PID:3992
  - - C:\Windows\SysWOW64\mmtask.exe
      C:\Windows\system32\mmtask.exe -s
      4⤵
      PID:2288
  - - C:\Windows\SVCHOST.EXE
      C:\Windows\SVCHOST.EXE -s
      4⤵
      PID:2680
  - - C:\Windows\system\SVCHOST.EXE
      C:\Windows\system\SVCHOST.EXE -s
      4⤵
      PID:4400
  - - C:\Windows\SysWOW64\EBRR.EXE
      C:\Windows\system32\EBRR.EXE -s
      4⤵
      PID:2844
  - - C:\Windows\SysWOW64\mmtask.exe
      C:\Windows\system32\mmtask.exe -s
      4⤵
      PID:1720
  - - C:\Windows\SVCHOST.EXE
      C:\Windows\SVCHOST.EXE -s
      4⤵
      PID:4952
  - - C:\Windows\system\SVCHOST.EXE
      C:\Windows\system\SVCHOST.EXE -s
      4⤵
      PID:1312
  - - C:\Windows\SysWOW64\EBRR.EXE
      C:\Windows\system32\EBRR.EXE -s
      4⤵
      PID:3084
  - - C:\Windows\SysWOW64\mmtask.exe
      C:\Windows\system32\mmtask.exe -s
      4⤵
      PID:1716
  - - C:\Windows\SVCHOST.EXE
      C:\Windows\SVCHOST.EXE -s
      4⤵
      PID:224
  - - C:\Windows\system\SVCHOST.EXE
      C:\Windows\system\SVCHOST.EXE -s
      4⤵
      System Location Discovery: System Language Discovery
      PID:1984
  - - C:\Windows\SysWOW64\EBRR.EXE
      C:\Windows\system32\EBRR.EXE -s
      4⤵
      PID:2216
  - - C:\Windows\SysWOW64\mmtask.exe
      C:\Windows\system32\mmtask.exe -s
      4⤵
      PID:512
  - - C:\Windows\SVCHOST.EXE
      C:\Windows\SVCHOST.EXE -s
      4⤵
      PID:2976
  - - C:\Windows\system\SVCHOST.EXE
      C:\Windows\system\SVCHOST.EXE -s
      4⤵
      System Location Discovery: System Language Discovery
      PID:2992
  - - C:\Windows\SysWOW64\EBRR.EXE
      C:\Windows\system32\EBRR.EXE -s
      4⤵
      PID:632
  - - C:\Windows\SysWOW64\mmtask.exe
      C:\Windows\system32\mmtask.exe -s
      4⤵
      PID:1588
  - - C:\Windows\SVCHOST.EXE
      C:\Windows\SVCHOST.EXE -s
      4⤵
      PID:2392
  - - C:\Windows\system\SVCHOST.EXE
      C:\Windows\system\SVCHOST.EXE -s
      4⤵
      PID:3568
  - - C:\Windows\SysWOW64\EBRR.EXE
      C:\Windows\system32\EBRR.EXE -s
      4⤵
      PID:4100
  - - C:\Windows\SysWOW64\mmtask.exe
      C:\Windows\system32\mmtask.exe -s
      4⤵
      PID:4028
  - - C:\Windows\SVCHOST.EXE
      C:\Windows\SVCHOST.EXE -s
      4⤵
      PID:2552
  - - C:\Windows\system\SVCHOST.EXE
      C:\Windows\system\SVCHOST.EXE -s
      4⤵
      PID:3028
- - C:\Windows\SVCHOST.EXE
    C:\Windows\SVCHOST.EXE -s
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:1192
- - C:\Windows\system\SVCHOST.EXE
    C:\Windows\system\SVCHOST.EXE -s
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:1208
- - C:\Windows\SysWOW64\EBRR.EXE
    C:\Windows\system32\EBRR.EXE -s
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:3988
- - C:\Windows\SysWOW64\mmtask.exe
    C:\Windows\system32\mmtask.exe -s
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:5000
- - C:\Windows\SVCHOST.EXE
    C:\Windows\SVCHOST.EXE -s
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:1836
- - C:\Windows\system\SVCHOST.EXE
    C:\Windows\system\SVCHOST.EXE -s
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:3916
- - C:\Windows\SysWOW64\EBRR.EXE
    C:\Windows\system32\EBRR.EXE -s
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:3244
- - C:\Windows\SysWOW64\mmtask.exe
    C:\Windows\system32\mmtask.exe -s
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:3036
- - C:\Windows\SVCHOST.EXE
    C:\Windows\SVCHOST.EXE -s
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:4952
- - C:\Windows\system\SVCHOST.EXE
    C:\Windows\system\SVCHOST.EXE -s
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:3892
- - C:\Windows\SysWOW64\EBRR.EXE
    C:\Windows\system32\EBRR.EXE -s
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:4608
- - C:\Windows\SysWOW64\mmtask.exe
    C:\Windows\system32\mmtask.exe -s
    3⤵
    PID:3188
- - C:\Windows\SVCHOST.EXE
    C:\Windows\SVCHOST.EXE -s
    3⤵
    PID:3048
- - C:\Windows\system\SVCHOST.EXE
    C:\Windows\system\SVCHOST.EXE -s
    3⤵
    PID:2204
- - C:\Windows\SysWOW64\EBRR.EXE
    C:\Windows\system32\EBRR.EXE -s
    3⤵
    PID:2588
- - C:\Windows\SysWOW64\mmtask.exe
    C:\Windows\system32\mmtask.exe -s
    3⤵
    PID:1116
- - C:\Windows\SVCHOST.EXE
    C:\Windows\SVCHOST.EXE -s
    3⤵
    PID:4492
- - C:\Windows\system\SVCHOST.EXE
    C:\Windows\system\SVCHOST.EXE -s
    3⤵
    PID:4596
- - C:\Windows\SysWOW64\EBRR.EXE
    C:\Windows\system32\EBRR.EXE -s
    3⤵
    PID:4892
- - C:\Windows\SysWOW64\mmtask.exe
    C:\Windows\system32\mmtask.exe -s
    3⤵
    PID:3036
- - C:\Windows\SVCHOST.EXE
    C:\Windows\SVCHOST.EXE -s
    3⤵
    PID:3984
- - C:\Windows\system\SVCHOST.EXE
    C:\Windows\system\SVCHOST.EXE -s
    3⤵
    PID:4084
- - C:\Windows\SysWOW64\EBRR.EXE
    C:\Windows\system32\EBRR.EXE -s
    3⤵
    PID:2224
- - C:\Windows\SysWOW64\mmtask.exe
    C:\Windows\system32\mmtask.exe -s
    3⤵
    PID:3108
- - C:\Windows\SVCHOST.EXE
    C:\Windows\SVCHOST.EXE -s
    3⤵
    PID:1612
- - C:\Windows\system\SVCHOST.EXE
    C:\Windows\system\SVCHOST.EXE -s
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1484
- - C:\Windows\SysWOW64\EBRR.EXE
    C:\Windows\system32\EBRR.EXE -s
    3⤵
    PID:232
- - C:\Windows\SysWOW64\mmtask.exe
    C:\Windows\system32\mmtask.exe -s
    3⤵
    PID:3928
- - C:\Windows\SVCHOST.EXE
    C:\Windows\SVCHOST.EXE -s
    3⤵
    PID:3112
- - C:\Windows\system\SVCHOST.EXE
    C:\Windows\system\SVCHOST.EXE -s
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2116
- - C:\Windows\SysWOW64\EBRR.EXE
    C:\Windows\system32\EBRR.EXE -s
    3⤵
    PID:4752
- - C:\Windows\SysWOW64\mmtask.exe
    C:\Windows\system32\mmtask.exe -s
    3⤵
    PID:3456
- - C:\Windows\SVCHOST.EXE
    C:\Windows\SVCHOST.EXE -s
    3⤵
    PID:1312
- - C:\Windows\system\SVCHOST.EXE
    C:\Windows\system\SVCHOST.EXE -s
    3⤵
    PID:3696
- - C:\Windows\SysWOW64\EBRR.EXE
    C:\Windows\system32\EBRR.EXE -s
    3⤵
    PID:1612
- - C:\Windows\SysWOW64\mmtask.exe
    C:\Windows\system32\mmtask.exe -s
    3⤵
    PID:672
- - C:\Windows\SVCHOST.EXE
    C:\Windows\SVCHOST.EXE -s
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4596
- - C:\Windows\system\SVCHOST.EXE
    C:\Windows\system\SVCHOST.EXE -s
    3⤵
    PID:2452
- - C:\Windows\SysWOW64\EBRR.EXE
    C:\Windows\system32\EBRR.EXE -s
    3⤵
    PID:4152
- - C:\Windows\SysWOW64\mmtask.exe
    C:\Windows\system32\mmtask.exe -s
    3⤵
    PID:316
- - C:\Windows\SVCHOST.EXE
    C:\Windows\SVCHOST.EXE -s
    3⤵
    PID:3828
- - C:\Windows\system\SVCHOST.EXE
    C:\Windows\system\SVCHOST.EXE -s
    3⤵
    PID:2216
- - C:\Windows\SysWOW64\EBRR.EXE
    C:\Windows\system32\EBRR.EXE -s
    3⤵
    PID:2588
- - C:\Windows\SysWOW64\mmtask.exe
    C:\Windows\system32\mmtask.exe -s
    3⤵
    PID:1484
- - C:\Windows\SVCHOST.EXE
    C:\Windows\SVCHOST.EXE -s
    3⤵
    PID:3960
- - C:\Windows\system\SVCHOST.EXE
    C:\Windows\system\SVCHOST.EXE -s
    3⤵
    PID:1196
- - C:\Windows\SysWOW64\EBRR.EXE
    C:\Windows\system32\EBRR.EXE -s
    3⤵
    PID:2008
- - C:\Windows\SysWOW64\mmtask.exe
    C:\Windows\system32\mmtask.exe -s
    3⤵
    PID:5044
- - C:\Windows\SVCHOST.EXE
    C:\Windows\SVCHOST.EXE -s
    3⤵
    PID:1244
- - C:\Windows\system\SVCHOST.EXE
    C:\Windows\system\SVCHOST.EXE -s
    3⤵
    PID:2716
- - C:\Windows\SysWOW64\EBRR.EXE
    C:\Windows\system32\EBRR.EXE -s
    3⤵
    PID:1840
- - C:\Windows\SysWOW64\mmtask.exe
    C:\Windows\system32\mmtask.exe -s
    3⤵
    PID:4216
- - C:\Windows\SVCHOST.EXE
    C:\Windows\SVCHOST.EXE -s
    3⤵
    PID:3872
- - C:\Windows\system\SVCHOST.EXE
    C:\Windows\system\SVCHOST.EXE -s
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4552
- - C:\Windows\SysWOW64\EBRR.EXE
    C:\Windows\system32\EBRR.EXE -s
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3056
- - C:\Windows\SysWOW64\mmtask.exe
    C:\Windows\system32\mmtask.exe -s
    3⤵
    PID:1292
- - C:\Windows\SVCHOST.EXE
    C:\Windows\SVCHOST.EXE -s
    3⤵
    PID:3892
- - C:\Windows\system\SVCHOST.EXE
    C:\Windows\system\SVCHOST.EXE -s
    3⤵
    PID:3080
- - C:\Windows\SysWOW64\EBRR.EXE
    C:\Windows\system32\EBRR.EXE -s
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4592
- - C:\Windows\SysWOW64\mmtask.exe
    C:\Windows\system32\mmtask.exe -s
    3⤵
    PID:4236
- - C:\Windows\SVCHOST.EXE
    C:\Windows\SVCHOST.EXE -s
    3⤵
    PID:2144
- - C:\Windows\system\SVCHOST.EXE
    C:\Windows\system\SVCHOST.EXE -s
    3⤵
    PID:4064
- - C:\Windows\SysWOW64\EBRR.EXE
    C:\Windows\system32\EBRR.EXE -s
    3⤵
    PID:5004
- - C:\Windows\SysWOW64\mmtask.exe
    C:\Windows\system32\mmtask.exe -s
    3⤵
    PID:4004
- - C:\Windows\SVCHOST.EXE
    C:\Windows\SVCHOST.EXE -s
    3⤵
    PID:940
- - C:\Windows\system\SVCHOST.EXE
    C:\Windows\system\SVCHOST.EXE -s
    3⤵
    PID:3332
- - C:\Windows\SysWOW64\EBRR.EXE
    C:\Windows\system32\EBRR.EXE -s
    3⤵
    PID:2716
- - C:\Windows\SysWOW64\mmtask.exe
    C:\Windows\system32\mmtask.exe -s
    3⤵
    PID:1444
- - C:\Windows\SVCHOST.EXE
    C:\Windows\SVCHOST.EXE -s
    3⤵
    PID:1800
- - C:\Windows\system\SVCHOST.EXE
    C:\Windows\system\SVCHOST.EXE -s
    3⤵
    PID:1548
- - C:\Windows\SysWOW64\EBRR.EXE
    C:\Windows\system32\EBRR.EXE -s
    3⤵
    PID:1116
- - C:\Windows\SysWOW64\mmtask.exe
    C:\Windows\system32\mmtask.exe -s
    3⤵
    PID:2580
- - C:\Windows\SVCHOST.EXE
    C:\Windows\SVCHOST.EXE -s
    3⤵
    PID:2836
- - C:\Windows\system\SVCHOST.EXE
    C:\Windows\system\SVCHOST.EXE -s
    3⤵
    PID:216
- - C:\Windows\SysWOW64\EBRR.EXE
    C:\Windows\system32\EBRR.EXE -s
    3⤵
    PID:768
- - C:\Windows\SysWOW64\mmtask.exe
    C:\Windows\system32\mmtask.exe -s
    3⤵
    PID:2004
- - C:\Windows\SVCHOST.EXE
    C:\Windows\SVCHOST.EXE -s
    3⤵
    PID:4944
- - C:\Windows\system\SVCHOST.EXE
    C:\Windows\system\SVCHOST.EXE -s
    3⤵
    PID:2516
- - C:\Windows\SysWOW64\EBRR.EXE
    C:\Windows\system32\EBRR.EXE -s
    3⤵
    PID:1916
- - C:\Windows\SysWOW64\mmtask.exe
    C:\Windows\system32\mmtask.exe -s
    3⤵
    PID:1408
- - C:\Windows\SVCHOST.EXE
    C:\Windows\SVCHOST.EXE -s
    3⤵
    PID:3644
- - C:\Windows\system\SVCHOST.EXE
    C:\Windows\system\SVCHOST.EXE -s
    3⤵
    PID:3624
- - C:\Windows\SysWOW64\EBRR.EXE
    C:\Windows\system32\EBRR.EXE -s
    3⤵
    PID:1848
- - C:\Windows\SysWOW64\mmtask.exe
    C:\Windows\system32\mmtask.exe -s
    3⤵
    PID:2728
- - C:\Windows\SVCHOST.EXE
    C:\Windows\SVCHOST.EXE -s
    3⤵
    - System Location Discovery: System Language Discovery
    PID:944
- - C:\Windows\system\SVCHOST.EXE
    C:\Windows\system\SVCHOST.EXE -s
    3⤵
    PID:3660
- - C:\Windows\SysWOW64\EBRR.EXE
    C:\Windows\system32\EBRR.EXE -s
    3⤵
    PID:1660
- - C:\Windows\SysWOW64\mmtask.exe
    C:\Windows\system32\mmtask.exe -s
    3⤵
    PID:1268
- - C:\Windows\SVCHOST.EXE
    C:\Windows\SVCHOST.EXE -s
    3⤵
    PID:1408
- - C:\Windows\system\SVCHOST.EXE
    C:\Windows\system\SVCHOST.EXE -s
    3⤵
    PID:1484
- - C:\Windows\SysWOW64\EBRR.EXE
    C:\Windows\system32\EBRR.EXE -s
    3⤵
    PID:2972
- - C:\Windows\SysWOW64\mmtask.exe
    C:\Windows\system32\mmtask.exe -s
    3⤵
    PID:3492
- - C:\Windows\SVCHOST.EXE
    C:\Windows\SVCHOST.EXE -s
    3⤵
    PID:2224
- - C:\Windows\system\SVCHOST.EXE
    C:\Windows\system\SVCHOST.EXE -s
    3⤵
    PID:3388
- - C:\Windows\SysWOW64\EBRR.EXE
    C:\Windows\system32\EBRR.EXE -s
    3⤵
    PID:3996
- - C:\Windows\SysWOW64\mmtask.exe
    C:\Windows\system32\mmtask.exe -s
    3⤵
    PID:4248
- - C:\Windows\SVCHOST.EXE
    C:\Windows\SVCHOST.EXE -s
    3⤵
    PID:2584
- - C:\Windows\system\SVCHOST.EXE
    C:\Windows\system\SVCHOST.EXE -s
    3⤵
    PID:4216
- - C:\Windows\SysWOW64\EBRR.EXE
    C:\Windows\system32\EBRR.EXE -s
    3⤵
    PID:1116
- - C:\Windows\SysWOW64\mmtask.exe
    C:\Windows\system32\mmtask.exe -s
    3⤵
    PID:3684
- - C:\Windows\SVCHOST.EXE
    C:\Windows\SVCHOST.EXE -s
    3⤵
    PID:1244
- - C:\Windows\system\SVCHOST.EXE
    C:\Windows\system\SVCHOST.EXE -s
    3⤵
    PID:2664
- - C:\Windows\SysWOW64\EBRR.EXE
    C:\Windows\system32\EBRR.EXE -s
    3⤵
    PID:3500
- - C:\Windows\SysWOW64\mmtask.exe
    C:\Windows\system32\mmtask.exe -s
    3⤵
    PID:5068
- - C:\Windows\SVCHOST.EXE
    C:\Windows\SVCHOST.EXE -s
    3⤵
    PID:1856
- - C:\Windows\system\SVCHOST.EXE
    C:\Windows\system\SVCHOST.EXE -s
    3⤵
    PID:1444
- - C:\Windows\SysWOW64\EBRR.EXE
    C:\Windows\system32\EBRR.EXE -s
    3⤵
    PID:2744
- - C:\Windows\SysWOW64\mmtask.exe
    C:\Windows\system32\mmtask.exe -s
    3⤵
    PID:1780
- - C:\Windows\SVCHOST.EXE
    C:\Windows\SVCHOST.EXE -s
    3⤵
    PID:2708
- - C:\Windows\system\SVCHOST.EXE
    C:\Windows\system\SVCHOST.EXE -s
    3⤵
    - System Location Discovery: System Language Discovery
    PID:220
- - C:\Windows\SysWOW64\EBRR.EXE
    C:\Windows\system32\EBRR.EXE -s
    3⤵
    PID:2116
- - C:\Windows\SysWOW64\mmtask.exe
    C:\Windows\system32\mmtask.exe -s
    3⤵
    PID:2224
- - C:\Windows\SVCHOST.EXE
    C:\Windows\SVCHOST.EXE -s
    3⤵
    PID:4464
- - C:\Windows\system\SVCHOST.EXE
    C:\Windows\system\SVCHOST.EXE -s
    3⤵
    PID:4944
- - C:\Windows\SysWOW64\EBRR.EXE
    C:\Windows\system32\EBRR.EXE -s
    3⤵
    PID:5108
- - C:\Windows\SysWOW64\mmtask.exe
    C:\Windows\system32\mmtask.exe -s
    3⤵
    PID:2576
- - C:\Windows\SVCHOST.EXE
    C:\Windows\SVCHOST.EXE -s
    3⤵
    PID:4828
- - C:\Windows\system\SVCHOST.EXE
    C:\Windows\system\SVCHOST.EXE -s
    3⤵
    PID:1044
- - C:\Windows\SysWOW64\EBRR.EXE
    C:\Windows\system32\EBRR.EXE -s
    3⤵
    PID:2316
- - C:\Windows\SysWOW64\mmtask.exe
    C:\Windows\system32\mmtask.exe -s
    3⤵
    PID:3248
- - C:\Windows\SVCHOST.EXE
    C:\Windows\SVCHOST.EXE -s
    3⤵
    PID:3056
- - C:\Windows\system\SVCHOST.EXE
    C:\Windows\system\SVCHOST.EXE -s
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1804
- - C:\Windows\SysWOW64\EBRR.EXE
    C:\Windows\system32\EBRR.EXE -s
    3⤵
    PID:1840
- - C:\Windows\SysWOW64\mmtask.exe
    C:\Windows\system32\mmtask.exe -s
    3⤵
    PID:2584
- - C:\Windows\SVCHOST.EXE
    C:\Windows\SVCHOST.EXE -s
    3⤵
    PID:2256
- - C:\Windows\system\SVCHOST.EXE
    C:\Windows\system\SVCHOST.EXE -s
    3⤵
    PID:4784
- - C:\Windows\SysWOW64\EBRR.EXE
    C:\Windows\system32\EBRR.EXE -s
    3⤵
    PID:4608
- - C:\Windows\SysWOW64\mmtask.exe
    C:\Windows\system32\mmtask.exe -s
    3⤵
    PID:2776
- - C:\Windows\SVCHOST.EXE
    C:\Windows\SVCHOST.EXE -s
    3⤵
    PID:628
- - C:\Windows\system\SVCHOST.EXE
    C:\Windows\system\SVCHOST.EXE -s
    3⤵
    PID:2116
- - C:\Windows\SysWOW64\EBRR.EXE
    C:\Windows\system32\EBRR.EXE -s
    3⤵
    PID:2516
- - C:\Windows\SysWOW64\mmtask.exe
    C:\Windows\system32\mmtask.exe -s
    3⤵
    PID:2388
- - C:\Windows\SVCHOST.EXE
    C:\Windows\SVCHOST.EXE -s
    3⤵
    PID:2984
- - C:\Windows\system\SVCHOST.EXE
    C:\Windows\system\SVCHOST.EXE -s
    3⤵
    PID:4428
- - C:\Windows\SysWOW64\EBRR.EXE
    C:\Windows\system32\EBRR.EXE -s
    3⤵
    PID:3012
- - C:\Windows\SysWOW64\mmtask.exe
    C:\Windows\system32\mmtask.exe -s
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3940
- - C:\Windows\SVCHOST.EXE
    C:\Windows\SVCHOST.EXE -s
    3⤵
    PID:1476
- - C:\Windows\system\SVCHOST.EXE
    C:\Windows\system\SVCHOST.EXE -s
    3⤵
    PID:1416
- - C:\Windows\SysWOW64\EBRR.EXE
    C:\Windows\system32\EBRR.EXE -s
    3⤵
    PID:3388
- - C:\Windows\SysWOW64\mmtask.exe
    C:\Windows\system32\mmtask.exe -s
    3⤵
    PID:1244
- - C:\Windows\SVCHOST.EXE
    C:\Windows\SVCHOST.EXE -s
    3⤵
    PID:5036
- - C:\Windows\system\SVCHOST.EXE
    C:\Windows\system\SVCHOST.EXE -s
    3⤵
    PID:3552
- - C:\Windows\SysWOW64\EBRR.EXE
    C:\Windows\system32\EBRR.EXE -s
    3⤵
    PID:1812
- - C:\Windows\SysWOW64\mmtask.exe
    C:\Windows\system32\mmtask.exe -s
    3⤵
    PID:2680
- - C:\Windows\SVCHOST.EXE
    C:\Windows\SVCHOST.EXE -s
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1116
- - C:\Windows\system\SVCHOST.EXE
    C:\Windows\system\SVCHOST.EXE -s
    3⤵
    PID:4444
- - C:\Windows\SysWOW64\EBRR.EXE
    C:\Windows\system32\EBRR.EXE -s
    3⤵
    PID:1780
- - C:\Windows\SysWOW64\mmtask.exe
    C:\Windows\system32\mmtask.exe -s
    3⤵
    PID:2336
- - C:\Windows\SVCHOST.EXE
    C:\Windows\SVCHOST.EXE -s
    3⤵
    PID:1716
- - C:\Windows\system\SVCHOST.EXE
    C:\Windows\system\SVCHOST.EXE -s
    3⤵
    PID:716
- - C:\Windows\SysWOW64\EBRR.EXE
    C:\Windows\system32\EBRR.EXE -s
    3⤵
    PID:4432
- - C:\Windows\SysWOW64\mmtask.exe
    C:\Windows\system32\mmtask.exe -s
    3⤵
    PID:2200
- - C:\Windows\SVCHOST.EXE
    C:\Windows\SVCHOST.EXE -s
    3⤵
    PID:5108
- - C:\Windows\system\SVCHOST.EXE
    C:\Windows\system\SVCHOST.EXE -s
    3⤵
    PID:2972
- - C:\Windows\SysWOW64\EBRR.EXE
    C:\Windows\system32\EBRR.EXE -s
    3⤵
    PID:3368
- - C:\Windows\SysWOW64\mmtask.exe
    C:\Windows\system32\mmtask.exe -s
    3⤵
    PID:2776
- - C:\Windows\SVCHOST.EXE
    C:\Windows\SVCHOST.EXE -s
    3⤵
    PID:744
- - C:\Windows\system\SVCHOST.EXE
    C:\Windows\system\SVCHOST.EXE -s
    3⤵
    PID:2496
- - C:\Windows\SysWOW64\EBRR.EXE
    C:\Windows\system32\EBRR.EXE -s
    3⤵
    PID:2196
- - C:\Windows\SysWOW64\mmtask.exe
    C:\Windows\system32\mmtask.exe -s
    3⤵
    PID:4956
- - C:\Windows\SVCHOST.EXE
    C:\Windows\SVCHOST.EXE -s
    3⤵
    PID:4064
- - C:\Windows\system\SVCHOST.EXE
    C:\Windows\system\SVCHOST.EXE -s
    3⤵
    PID:1484
- - C:\Windows\SysWOW64\EBRR.EXE
    C:\Windows\system32\EBRR.EXE -s
    3⤵
    PID:1248
- - C:\Windows\SysWOW64\mmtask.exe
    C:\Windows\system32\mmtask.exe -s
    3⤵
    PID:2352
- - C:\Windows\SVCHOST.EXE
    C:\Windows\SVCHOST.EXE -s
    3⤵
    PID:1208
- - C:\Windows\system\SVCHOST.EXE
    C:\Windows\system\SVCHOST.EXE -s
    3⤵
    PID:3688
- - C:\Windows\SysWOW64\EBRR.EXE
    C:\Windows\system32\EBRR.EXE -s
    3⤵
    PID:4520
- - C:\Windows\SysWOW64\mmtask.exe
    C:\Windows\system32\mmtask.exe -s
    3⤵
    PID:5048
- - C:\Windows\SVCHOST.EXE
    C:\Windows\SVCHOST.EXE -s
    3⤵
    PID:3320
- - C:\Windows\system\SVCHOST.EXE
    C:\Windows\system\SVCHOST.EXE -s
    3⤵
    PID:4828
- - C:\Windows\SysWOW64\EBRR.EXE
    C:\Windows\system32\EBRR.EXE -s
    3⤵
    PID:1836
- - C:\Windows\SysWOW64\mmtask.exe
    C:\Windows\system32\mmtask.exe -s
    3⤵
    PID:3652
- - C:\Windows\SVCHOST.EXE
    C:\Windows\SVCHOST.EXE -s
    3⤵
    PID:5072
- - C:\Windows\system\SVCHOST.EXE
    C:\Windows\system\SVCHOST.EXE -s
    3⤵
    PID:1240
- - C:\Windows\SysWOW64\EBRR.EXE
    C:\Windows\system32\EBRR.EXE -s
    3⤵
    PID:5056
- - C:\Windows\SysWOW64\mmtask.exe
    C:\Windows\system32\mmtask.exe -s
    3⤵
    PID:1364
- - C:\Windows\SVCHOST.EXE
    C:\Windows\SVCHOST.EXE -s
    3⤵
    PID:2460
- - C:\Windows\system\SVCHOST.EXE
    C:\Windows\system\SVCHOST.EXE -s
    3⤵
    PID:3084
- - C:\Windows\SysWOW64\EBRR.EXE
    C:\Windows\system32\EBRR.EXE -s
    3⤵
    PID:4828
- - C:\Windows\SysWOW64\mmtask.exe
    C:\Windows\system32\mmtask.exe -s
    3⤵
    PID:5036
- - C:\Windows\SVCHOST.EXE
    C:\Windows\SVCHOST.EXE -s
    3⤵
    PID:2120
- - C:\Windows\system\SVCHOST.EXE
    C:\Windows\system\SVCHOST.EXE -s
    3⤵
    PID:3364
- - C:\Windows\SysWOW64\EBRR.EXE
    C:\Windows\system32\EBRR.EXE -s
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4244
- - C:\Windows\SysWOW64\mmtask.exe
    C:\Windows\system32\mmtask.exe -s
    3⤵
    PID:2380
- - C:\Windows\SVCHOST.EXE
    C:\Windows\SVCHOST.EXE -s
    3⤵
    PID:2124
- - C:\Windows\system\SVCHOST.EXE
    C:\Windows\system\SVCHOST.EXE -s
    3⤵
    PID:860
- - C:\Windows\SysWOW64\EBRR.EXE
    C:\Windows\system32\EBRR.EXE -s
    3⤵
    PID:2720
- - C:\Windows\SysWOW64\mmtask.exe
    C:\Windows\system32\mmtask.exe -s
    3⤵
    PID:4592
- - C:\Windows\system\SVCHOST.EXE
    C:\Windows\system\SVCHOST.EXE -s
    3⤵
    PID:3536
- - C:\Windows\SysWOW64\EBRR.EXE
    C:\Windows\system32\EBRR.EXE -s
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4588
- - C:\Windows\SysWOW64\mmtask.exe
    C:\Windows\system32\mmtask.exe -s
    3⤵
    PID:2120
- - C:\Windows\SVCHOST.EXE
    C:\Windows\SVCHOST.EXE -s
    3⤵
    PID:4152
- - C:\Windows\system\SVCHOST.EXE
    C:\Windows\system\SVCHOST.EXE -s
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1240
- - C:\Windows\SysWOW64\EBRR.EXE
    C:\Windows\system32\EBRR.EXE -s
    3⤵
    PID:1224
- - C:\Windows\SysWOW64\mmtask.exe
    C:\Windows\system32\mmtask.exe -s
    3⤵
    PID:4892
- - C:\Windows\SVCHOST.EXE
    C:\Windows\SVCHOST.EXE -s
    3⤵
    PID:5040
- - C:\Windows\system\SVCHOST.EXE
    C:\Windows\system\SVCHOST.EXE -s
    3⤵
    PID:1716
- - C:\Windows\SysWOW64\EBRR.EXE
    C:\Windows\system32\EBRR.EXE -s
    3⤵
    PID:3148
- - C:\Windows\SysWOW64\mmtask.exe
    C:\Windows\system32\mmtask.exe -s
    3⤵
    PID:2388
- - C:\Windows\SVCHOST.EXE
    C:\Windows\SVCHOST.EXE -s
    3⤵
    PID:4216
- - C:\Windows\system\SVCHOST.EXE
    C:\Windows\system\SVCHOST.EXE -s
    3⤵
    PID:5048
- C:\Windows\SysWOW64\mmtask.exe
  C:\Windows\system32\mmtask.exe -s
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:3552
- C:\Windows\SVCHOST.EXE
  C:\Windows\SVCHOST.EXE -s
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:4736
- C:\Windows\system\SVCHOST.EXE
  C:\Windows\system\SVCHOST.EXE -s
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:1440
- C:\Windows\SysWOW64\EBRR.EXE
  C:\Windows\system32\EBRR.EXE -s
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:540
- C:\Windows\SysWOW64\mmtask.exe
  C:\Windows\system32\mmtask.exe -s
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:3144
- C:\Windows\SVCHOST.EXE
  C:\Windows\SVCHOST.EXE -s
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:3064
- C:\Windows\system\SVCHOST.EXE
  C:\Windows\system\SVCHOST.EXE -s
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:3152
- C:\Windows\SysWOW64\EBRR.EXE
  C:\Windows\system32\EBRR.EXE -s
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:2452
- C:\Windows\SysWOW64\mmtask.exe
  C:\Windows\system32\mmtask.exe -s
  2⤵
  - Executes dropped EXE
  PID:944
- C:\Windows\SVCHOST.EXE
  C:\Windows\SVCHOST.EXE -s
  2⤵
  PID:4384
- C:\Windows\system\SVCHOST.EXE
  C:\Windows\system\SVCHOST.EXE -s
  2⤵
  PID:3520
- C:\Windows\SysWOW64\EBRR.EXE
  C:\Windows\system32\EBRR.EXE -s
  2⤵
  PID:4732
- C:\Windows\SysWOW64\mmtask.exe
  C:\Windows\system32\mmtask.exe -s
  2⤵
  PID:1660
- C:\Windows\SVCHOST.EXE
  C:\Windows\SVCHOST.EXE -s
  2⤵
  PID:1936
- C:\Windows\system\SVCHOST.EXE
  C:\Windows\system\SVCHOST.EXE -s
  2⤵
  PID:4644
- C:\Windows\SysWOW64\EBRR.EXE
  C:\Windows\system32\EBRR.EXE -s
  2⤵
  PID:1428
- C:\Windows\SysWOW64\mmtask.exe
  C:\Windows\system32\mmtask.exe -s
  2⤵
  PID:1520
- C:\Windows\SVCHOST.EXE
  C:\Windows\SVCHOST.EXE -s
  2⤵
  - System Location Discovery: System Language Discovery
  PID:4436
- C:\Windows\system\SVCHOST.EXE
  C:\Windows\system\SVCHOST.EXE -s
  2⤵
  PID:1476
- C:\Windows\SysWOW64\EBRR.EXE
  C:\Windows\system32\EBRR.EXE -s
  2⤵
  PID:1812
- C:\Windows\SysWOW64\mmtask.exe
  C:\Windows\system32\mmtask.exe -s
  2⤵
  PID:4532
- C:\Windows\SVCHOST.EXE
  C:\Windows\SVCHOST.EXE -s
  2⤵
  PID:4308
- C:\Windows\system\SVCHOST.EXE
  C:\Windows\system\SVCHOST.EXE -s
  2⤵
  PID:2088
- C:\Windows\SysWOW64\EBRR.EXE
  C:\Windows\system32\EBRR.EXE -s
  2⤵
  - System Location Discovery: System Language Discovery
  PID:4004
- C:\Windows\SysWOW64\mmtask.exe
  C:\Windows\system32\mmtask.exe -s
  2⤵
  PID:4776
- C:\Windows\SVCHOST.EXE
  C:\Windows\SVCHOST.EXE -s
  2⤵
  PID:2128
- C:\Windows\system\SVCHOST.EXE
  C:\Windows\system\SVCHOST.EXE -s
  2⤵
  - System Location Discovery: System Language Discovery
  PID:3516
- C:\Windows\SysWOW64\EBRR.EXE
  C:\Windows\system32\EBRR.EXE -s
  2⤵
  PID:4384
- C:\Windows\SysWOW64\mmtask.exe
  C:\Windows\system32\mmtask.exe -s
  2⤵
  PID:3872
- C:\Windows\SVCHOST.EXE
  C:\Windows\SVCHOST.EXE -s
  2⤵
  PID:4532
- C:\Windows\system\SVCHOST.EXE
  C:\Windows\system\SVCHOST.EXE -s
  2⤵
  PID:1188
- C:\Windows\SysWOW64\EBRR.EXE
  C:\Windows\system32\EBRR.EXE -s
  2⤵
  PID:716
- C:\Windows\SysWOW64\mmtask.exe
  C:\Windows\system32\mmtask.exe -s
  2⤵
  PID:1172
- C:\Windows\SVCHOST.EXE
  C:\Windows\SVCHOST.EXE -s
  2⤵
  PID:4056
- C:\Windows\system\SVCHOST.EXE
  C:\Windows\system\SVCHOST.EXE -s
  2⤵
  PID:864
- C:\Windows\SysWOW64\EBRR.EXE
  C:\Windows\system32\EBRR.EXE -s
  2⤵
  PID:1428
- C:\Windows\SysWOW64\mmtask.exe
  C:\Windows\system32\mmtask.exe -s
  2⤵
  PID:3716
- C:\Windows\SVCHOST.EXE
  C:\Windows\SVCHOST.EXE -s
  2⤵
  PID:2516
- C:\Windows\system\SVCHOST.EXE
  C:\Windows\system\SVCHOST.EXE -s
  2⤵
  PID:1548
- C:\Windows\SysWOW64\EBRR.EXE
  C:\Windows\system32\EBRR.EXE -s
  2⤵
  - System Location Discovery: System Language Discovery
  PID:3696
- C:\Windows\SysWOW64\mmtask.exe
  C:\Windows\system32\mmtask.exe -s
  2⤵
  PID:2420
- C:\Windows\SVCHOST.EXE
  C:\Windows\SVCHOST.EXE -s
  2⤵
  PID:4244
- C:\Windows\system\SVCHOST.EXE
  C:\Windows\system\SVCHOST.EXE -s
  2⤵
  PID:640
- C:\Windows\SysWOW64\EBRR.EXE
  C:\Windows\system32\EBRR.EXE -s
  2⤵
  PID:1060
- C:\Windows\SysWOW64\mmtask.exe
  C:\Windows\system32\mmtask.exe -s
  2⤵
  PID:4576
- C:\Windows\SVCHOST.EXE
  C:\Windows\SVCHOST.EXE -s
  2⤵
  PID:4588
- C:\Windows\system\SVCHOST.EXE
  C:\Windows\system\SVCHOST.EXE -s
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2128
- C:\Windows\SysWOW64\EBRR.EXE
  C:\Windows\system32\EBRR.EXE -s
  2⤵
  PID:1200
- C:\Windows\SysWOW64\mmtask.exe
  C:\Windows\system32\mmtask.exe -s
  2⤵
  PID:744
- C:\Windows\SVCHOST.EXE
  C:\Windows\SVCHOST.EXE -s
  2⤵
  PID:4532
- C:\Windows\system\SVCHOST.EXE
  C:\Windows\system\SVCHOST.EXE -s
  2⤵
  PID:2588
- C:\Windows\SysWOW64\EBRR.EXE
  C:\Windows\system32\EBRR.EXE -s
  2⤵
  PID:4004
- C:\Windows\SysWOW64\mmtask.exe
  C:\Windows\system32\mmtask.exe -s
  2⤵
  PID:2680
- C:\Windows\SVCHOST.EXE
  C:\Windows\SVCHOST.EXE -s
  2⤵
  PID:2628
- C:\Windows\system\SVCHOST.EXE
  C:\Windows\system\SVCHOST.EXE -s
  2⤵
  PID:3400
- C:\Windows\SysWOW64\EBRR.EXE
  C:\Windows\system32\EBRR.EXE -s
  2⤵
  PID:1512
- C:\Windows\SysWOW64\mmtask.exe
  C:\Windows\system32\mmtask.exe -s
  2⤵
  PID:2676
- C:\Windows\SVCHOST.EXE
  C:\Windows\SVCHOST.EXE -s
  2⤵
  PID:5112
- C:\Windows\system\SVCHOST.EXE
  C:\Windows\system\SVCHOST.EXE -s
  2⤵
  PID:2552
- C:\Windows\SysWOW64\EBRR.EXE
  C:\Windows\system32\EBRR.EXE -s
  2⤵
  PID:2776
- C:\Windows\SysWOW64\mmtask.exe
  C:\Windows\system32\mmtask.exe -s
  2⤵
  PID:3056
- C:\Windows\SVCHOST.EXE
  C:\Windows\SVCHOST.EXE -s
  2⤵
  PID:3008
- C:\Windows\system\SVCHOST.EXE
  C:\Windows\system\SVCHOST.EXE -s
  2⤵
  PID:1804
- C:\Windows\SysWOW64\EBRR.EXE
  C:\Windows\system32\EBRR.EXE -s
  2⤵
  - System Location Discovery: System Language Discovery
  PID:3672
- C:\Windows\SysWOW64\mmtask.exe
  C:\Windows\system32\mmtask.exe -s
  2⤵
  PID:516
- C:\Windows\SVCHOST.EXE
  C:\Windows\SVCHOST.EXE -s
  2⤵
  PID:1344
- C:\Windows\system\SVCHOST.EXE
  C:\Windows\system\SVCHOST.EXE -s
  2⤵
  PID:2940
- C:\Windows\SysWOW64\EBRR.EXE
  C:\Windows\system32\EBRR.EXE -s
  2⤵
  PID:3696
- C:\Windows\SysWOW64\mmtask.exe
  C:\Windows\system32\mmtask.exe -s
  2⤵
  PID:1932
- C:\Windows\SVCHOST.EXE
  C:\Windows\SVCHOST.EXE -s
  2⤵
  PID:4888
- C:\Windows\system\SVCHOST.EXE
  C:\Windows\system\SVCHOST.EXE -s
  2⤵
  PID:1160
- C:\Windows\SysWOW64\EBRR.EXE
  C:\Windows\system32\EBRR.EXE -s
  2⤵
  PID:2628
- C:\Windows\SysWOW64\mmtask.exe
  C:\Windows\system32\mmtask.exe -s
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2452
- C:\Windows\SVCHOST.EXE
  C:\Windows\SVCHOST.EXE -s
  2⤵
  PID:2716
- C:\Windows\system\SVCHOST.EXE
  C:\Windows\system\SVCHOST.EXE -s
  2⤵
  PID:4820
- C:\Windows\SysWOW64\EBRR.EXE
  C:\Windows\system32\EBRR.EXE -s
  2⤵
  PID:4592
- C:\Windows\SysWOW64\mmtask.exe
  C:\Windows\system32\mmtask.exe -s
  2⤵
  PID:868
- C:\Windows\SVCHOST.EXE
  C:\Windows\SVCHOST.EXE -s
  2⤵
  PID:2420
- C:\Windows\system\SVCHOST.EXE
  C:\Windows\system\SVCHOST.EXE -s
  2⤵
  - System Location Discovery: System Language Discovery
  PID:224
- C:\Windows\SysWOW64\EBRR.EXE
  C:\Windows\system32\EBRR.EXE -s
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2224
- C:\Windows\SysWOW64\mmtask.exe
  C:\Windows\system32\mmtask.exe -s
  2⤵
  PID:5056
- C:\Windows\SVCHOST.EXE
  C:\Windows\SVCHOST.EXE -s
  2⤵
  PID:3996
- C:\Windows\system\SVCHOST.EXE
  C:\Windows\system\SVCHOST.EXE -s
  2⤵
  PID:4540
- C:\Windows\SysWOW64\EBRR.EXE
  C:\Windows\system32\EBRR.EXE -s
  2⤵
  PID:2380
- C:\Windows\SysWOW64\mmtask.exe
  C:\Windows\system32\mmtask.exe -s
  2⤵
  PID:4236
- C:\Windows\SVCHOST.EXE
  C:\Windows\SVCHOST.EXE -s
  2⤵
  PID:2148
- C:\Windows\system\SVCHOST.EXE
  C:\Windows\system\SVCHOST.EXE -s
  2⤵
  PID:3936
- C:\Windows\SysWOW64\EBRR.EXE
  C:\Windows\system32\EBRR.EXE -s
  2⤵
  PID:5004
- C:\Windows\SysWOW64\mmtask.exe
  C:\Windows\system32\mmtask.exe -s
  2⤵
  PID:4848
- C:\Windows\SVCHOST.EXE
  C:\Windows\SVCHOST.EXE -s
  2⤵
  PID:1292
- C:\Windows\system\SVCHOST.EXE
  C:\Windows\system\SVCHOST.EXE -s
  2⤵
  PID:2460
- C:\Windows\SysWOW64\EBRR.EXE
  C:\Windows\system32\EBRR.EXE -s
  2⤵
  PID:4204
- C:\Windows\SysWOW64\mmtask.exe
  C:\Windows\system32\mmtask.exe -s
  2⤵
  PID:3464
- C:\Windows\SVCHOST.EXE
  C:\Windows\SVCHOST.EXE -s
  2⤵
  PID:3536
- C:\Windows\system\SVCHOST.EXE
  C:\Windows\system\SVCHOST.EXE -s
  2⤵
  PID:1548
- C:\Windows\SysWOW64\EBRR.EXE
  C:\Windows\system32\EBRR.EXE -s
  2⤵
  PID:1312
- C:\Windows\SysWOW64\mmtask.exe
  C:\Windows\system32\mmtask.exe -s
  2⤵
  PID:716
- C:\Windows\SVCHOST.EXE
  C:\Windows\SVCHOST.EXE -s
  2⤵
  PID:752
- C:\Windows\system\SVCHOST.EXE
  C:\Windows\system\SVCHOST.EXE -s
  2⤵
  PID:244
- C:\Windows\SysWOW64\EBRR.EXE
  C:\Windows\system32\EBRR.EXE -s
  2⤵
  PID:3892
- C:\Windows\SysWOW64\mmtask.exe
  C:\Windows\system32\mmtask.exe -s
  2⤵
  PID:2324
- C:\Windows\SVCHOST.EXE
  C:\Windows\SVCHOST.EXE -s
  2⤵
  PID:2544
- C:\Windows\system\SVCHOST.EXE
  C:\Windows\system\SVCHOST.EXE -s
  2⤵
  PID:4820
- C:\Windows\SysWOW64\EBRR.EXE
  C:\Windows\system32\EBRR.EXE -s
  2⤵
  - System Location Discovery: System Language Discovery
  PID:5052
- C:\Windows\SysWOW64\mmtask.exe
  C:\Windows\system32\mmtask.exe -s
  2⤵
  PID:3140
- C:\Windows\SVCHOST.EXE
  C:\Windows\SVCHOST.EXE -s
  2⤵
  - System Location Discovery: System Language Discovery
  PID:3048
- C:\Windows\system\SVCHOST.EXE
  C:\Windows\system\SVCHOST.EXE -s
  2⤵
  PID:5004
- C:\Windows\SysWOW64\EBRR.EXE
  C:\Windows\system32\EBRR.EXE -s
  2⤵
  PID:1476
- C:\Windows\SysWOW64\mmtask.exe
  C:\Windows\system32\mmtask.exe -s
  2⤵
  PID:3244
- C:\Windows\SVCHOST.EXE
  C:\Windows\SVCHOST.EXE -s
  2⤵
  PID:2784
- C:\Windows\system\SVCHOST.EXE
  C:\Windows\system\SVCHOST.EXE -s
  2⤵
  PID:3716
- C:\Windows\SysWOW64\EBRR.EXE
  C:\Windows\system32\EBRR.EXE -s
  2⤵
  PID:4912
- C:\Windows\SysWOW64\mmtask.exe
  C:\Windows\system32\mmtask.exe -s
  2⤵
  PID:4216
- C:\Windows\SVCHOST.EXE
  C:\Windows\SVCHOST.EXE -s
  2⤵
  PID:1312
- C:\Windows\system\SVCHOST.EXE
  C:\Windows\system\SVCHOST.EXE -s
  2⤵
  PID:1392
- C:\Windows\SysWOW64\EBRR.EXE
  C:\Windows\system32\EBRR.EXE -s
  2⤵
  PID:1984
- C:\Windows\SysWOW64\mmtask.exe
  C:\Windows\system32\mmtask.exe -s
  2⤵
  PID:3368
- C:\Windows\SVCHOST.EXE
  C:\Windows\SVCHOST.EXE -s
  2⤵
  PID:4736
- C:\Windows\system\SVCHOST.EXE
  C:\Windows\system\SVCHOST.EXE -s
  2⤵
  PID:768
- C:\Windows\SysWOW64\EBRR.EXE
  C:\Windows\system32\EBRR.EXE -s
  2⤵
  PID:3276
- C:\Windows\SysWOW64\mmtask.exe
  C:\Windows\system32\mmtask.exe -s
  2⤵
  PID:4400
- C:\Windows\SVCHOST.EXE
  C:\Windows\SVCHOST.EXE -s
  2⤵
  PID:2540
- C:\Windows\system\SVCHOST.EXE
  C:\Windows\system\SVCHOST.EXE -s
  2⤵
  PID:4336
- C:\Windows\SysWOW64\EBRR.EXE
  C:\Windows\system32\EBRR.EXE -s
  2⤵
  PID:1816
- C:\Windows\SysWOW64\mmtask.exe
  C:\Windows\system32\mmtask.exe -s
  2⤵
  PID:4576
- C:\Windows\SVCHOST.EXE
  C:\Windows\SVCHOST.EXE -s
  2⤵
  PID:3932
- C:\Windows\system\SVCHOST.EXE
  C:\Windows\system\SVCHOST.EXE -s
  2⤵
  PID:2496
- C:\Windows\SysWOW64\EBRR.EXE
  C:\Windows\system32\EBRR.EXE -s
  2⤵
  PID:1344
- C:\Windows\SysWOW64\mmtask.exe
  C:\Windows\system32\mmtask.exe -s
  2⤵
  PID:2588
- C:\Windows\SVCHOST.EXE
  C:\Windows\SVCHOST.EXE -s
  2⤵
  PID:3064
- C:\Windows\system\SVCHOST.EXE
  C:\Windows\system\SVCHOST.EXE -s
  2⤵
  PID:672
- C:\Windows\SysWOW64\EBRR.EXE
  C:\Windows\system32\EBRR.EXE -s
  2⤵
  PID:4608
- C:\Windows\SysWOW64\mmtask.exe
  C:\Windows\system32\mmtask.exe -s
  2⤵
  PID:2460
- C:\Windows\SVCHOST.EXE
  C:\Windows\SVCHOST.EXE -s
  2⤵
  PID:716
- C:\Windows\system\SVCHOST.EXE
  C:\Windows\system\SVCHOST.EXE -s
  2⤵
  PID:4420
- C:\Windows\SysWOW64\EBRR.EXE
  C:\Windows\system32\EBRR.EXE -s
  2⤵
  PID:2552
- C:\Windows\SysWOW64\mmtask.exe
  C:\Windows\system32\mmtask.exe -s
  2⤵
  PID:4028
- C:\Windows\SVCHOST.EXE
  C:\Windows\SVCHOST.EXE -s
  2⤵
  PID:4540
- C:\Windows\system\SVCHOST.EXE
  C:\Windows\system\SVCHOST.EXE -s
  2⤵
  PID:3952
- C:\Windows\SysWOW64\EBRR.EXE
  C:\Windows\system32\EBRR.EXE -s
  2⤵
  PID:3364
- C:\Windows\SysWOW64\mmtask.exe
  C:\Windows\system32\mmtask.exe -s
  2⤵
  PID:1704
- C:\Windows\SVCHOST.EXE
  C:\Windows\SVCHOST.EXE -s
  2⤵
  PID:1224
- C:\Windows\system\SVCHOST.EXE
  C:\Windows\system\SVCHOST.EXE -s
  2⤵
  PID:3688
- C:\Windows\SysWOW64\EBRR.EXE
  C:\Windows\system32\EBRR.EXE -s
  2⤵
  PID:1416
- C:\Windows\SysWOW64\mmtask.exe
  C:\Windows\system32\mmtask.exe -s
  2⤵
  - System Location Discovery: System Language Discovery
  PID:3308
- C:\Windows\SVCHOST.EXE
  C:\Windows\SVCHOST.EXE -s
  2⤵
  PID:4164
- C:\Windows\system\SVCHOST.EXE
  C:\Windows\system\SVCHOST.EXE -s
  2⤵
  PID:3116
- C:\Windows\SysWOW64\EBRR.EXE
  C:\Windows\system32\EBRR.EXE -s
  2⤵
  PID:3832
- C:\Windows\SysWOW64\mmtask.exe
  C:\Windows\system32\mmtask.exe -s
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1548
- C:\Windows\SVCHOST.EXE
  C:\Windows\SVCHOST.EXE -s
  2⤵
  PID:4216
- C:\Windows\system\SVCHOST.EXE
  C:\Windows\system\SVCHOST.EXE -s
  2⤵
  PID:544
- C:\Windows\SysWOW64\EBRR.EXE
  C:\Windows\system32\EBRR.EXE -s
  2⤵
  PID:1224
- C:\Windows\SysWOW64\mmtask.exe
  C:\Windows\system32\mmtask.exe -s
  2⤵
  PID:3644
- C:\Windows\SVCHOST.EXE
  C:\Windows\SVCHOST.EXE -s
  2⤵
  PID:3188
- C:\Windows\system\SVCHOST.EXE
  C:\Windows\system\SVCHOST.EXE -s
  2⤵
  PID:3828
- C:\Windows\SysWOW64\EBRR.EXE
  C:\Windows\system32\EBRR.EXE -s
  2⤵
  PID:792
- C:\Windows\SysWOW64\mmtask.exe
  C:\Windows\system32\mmtask.exe -s
  2⤵
  PID:1444
- C:\Windows\SVCHOST.EXE
  C:\Windows\SVCHOST.EXE -s
  2⤵
  PID:2120
- C:\Windows\system\SVCHOST.EXE
  C:\Windows\system\SVCHOST.EXE -s
  2⤵
  PID:1932
- C:\Windows\SysWOW64\EBRR.EXE
  C:\Windows\system32\EBRR.EXE -s
  2⤵
  PID:1776
- C:\Windows\SysWOW64\mmtask.exe
  C:\Windows\system32\mmtask.exe -s
  2⤵
  PID:728
- C:\Windows\SVCHOST.EXE
  C:\Windows\SVCHOST.EXE -s
  2⤵
  PID:232
- C:\Windows\system\SVCHOST.EXE
  C:\Windows\system\SVCHOST.EXE -s
  2⤵
  PID:5004
- C:\Windows\SysWOW64\EBRR.EXE
  C:\Windows\system32\EBRR.EXE -s
  2⤵
  PID:3008
- C:\Windows\SysWOW64\mmtask.exe
  C:\Windows\system32\mmtask.exe -s
  2⤵
  PID:3540
- C:\Windows\SVCHOST.EXE
  C:\Windows\SVCHOST.EXE -s
  2⤵
  PID:3392
- C:\Windows\system\SVCHOST.EXE
  C:\Windows\system\SVCHOST.EXE -s
  2⤵
  PID:4956
- C:\Windows\SysWOW64\EBRR.EXE
  C:\Windows\system32\EBRR.EXE -s
  2⤵
  PID:2540
- C:\Windows\SysWOW64\mmtask.exe
  C:\Windows\system32\mmtask.exe -s
  2⤵
  PID:1776
- C:\Windows\SVCHOST.EXE
  C:\Windows\SVCHOST.EXE -s
  2⤵
  PID:4216
- C:\Windows\system\SVCHOST.EXE
  C:\Windows\system\SVCHOST.EXE -s
  2⤵
  PID:1588
- C:\Windows\SysWOW64\EBRR.EXE
  C:\Windows\system32\EBRR.EXE -s
  2⤵
  PID:3140
- C:\Windows\SysWOW64\mmtask.exe
  C:\Windows\system32\mmtask.exe -s
  2⤵
  PID:3256
- C:\Windows\SVCHOST.EXE
  C:\Windows\SVCHOST.EXE -s
  2⤵
  PID:2312
- C:\Windows\system\SVCHOST.EXE
  C:\Windows\system\SVCHOST.EXE -s
  2⤵
  PID:4164
- C:\Windows\SysWOW64\EBRR.EXE
  C:\Windows\system32\EBRR.EXE -s
  2⤵
  PID:4028
- C:\Windows\SysWOW64\mmtask.exe
  C:\Windows\system32\mmtask.exe -s
  2⤵
  PID:4912
- C:\Windows\SVCHOST.EXE
  C:\Windows\SVCHOST.EXE -s
  2⤵
  PID:4528
- C:\Windows\system\SVCHOST.EXE
  C:\Windows\system\SVCHOST.EXE -s
  2⤵
  PID:528
- C:\Windows\SysWOW64\EBRR.EXE
  C:\Windows\system32\EBRR.EXE -s
  2⤵
  PID:2136
- C:\Windows\SysWOW64\mmtask.exe
  C:\Windows\system32\mmtask.exe -s
  2⤵
  PID:3940
- C:\Windows\SVCHOST.EXE
  C:\Windows\SVCHOST.EXE -s
  2⤵
  PID:4160
- C:\Windows\system\SVCHOST.EXE
  C:\Windows\system\SVCHOST.EXE -s
  2⤵
  PID:2460
- C:\Windows\SysWOW64\EBRR.EXE
  C:\Windows\system32\EBRR.EXE -s
  2⤵
  PID:4752
- C:\Windows\SysWOW64\mmtask.exe
  C:\Windows\system32\mmtask.exe -s
  2⤵
  PID:2324
- C:\Windows\system\SVCHOST.EXE
  C:\Windows\system\SVCHOST.EXE -s
  2⤵
  PID:4204
- C:\Windows\SysWOW64\EBRR.EXE
  C:\Windows\system32\EBRR.EXE -s
  2⤵
  PID:672
- C:\Windows\SysWOW64\mmtask.exe
  C:\Windows\system32\mmtask.exe -s
  2⤵
  PID:2200
- C:\Windows\SVCHOST.EXE
  C:\Windows\SVCHOST.EXE -s
  2⤵
  PID:3064
- C:\Windows\system\SVCHOST.EXE
  C:\Windows\system\SVCHOST.EXE -s
  2⤵
  PID:2144
- C:\Windows\SysWOW64\EBRR.EXE
  C:\Windows\system32\EBRR.EXE -s
  2⤵
  PID:216
- C:\Windows\SysWOW64\mmtask.exe
  C:\Windows\system32\mmtask.exe -s
  2⤵
  PID:116
- C:\Windows\SVCHOST.EXE
  C:\Windows\SVCHOST.EXE -s
  2⤵
  PID:3604
- C:\Windows\system\SVCHOST.EXE
  C:\Windows\system\SVCHOST.EXE -s
  2⤵
  PID:4236
- C:\Windows\SysWOW64\EBRR.EXE
  C:\Windows\system32\EBRR.EXE -s
  2⤵
  PID:1580
- C:\Windows\SysWOW64\mmtask.exe
  C:\Windows\system32\mmtask.exe -s
  2⤵
  PID:2368
- C:\Windows\SVCHOST.EXE
  C:\Windows\SVCHOST.EXE -s
  2⤵
  PID:1916
- C:\Windows\system\SVCHOST.EXE
  C:\Windows\system\SVCHOST.EXE -s
  2⤵
  PID:4404

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:856

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:3388

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s UsoSvc
1⤵
PID:3108

C:\Windows\System32\sihclient.exe
C:\Windows\System32\sihclient.exe /cv 87wVTN006U+g1hPJds21JQ.0.2
1⤵
PID:944

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Winlogon Helper DLL

T1547.004

Event Triggered Execution

T1546

Change Default File Association

T1546.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Winlogon Helper DLL

T1547.004

Event Triggered Execution

T1546

Change Default File Association

T1546.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SVCHOST.EXE

Filesize
92KB

MD5
0aa5cfd0b2757043e3d835b1f864f89b

SHA1
ccb98f254b5074c75b9868c204bb565deeb3c8e8

SHA256
985c40a23a0eee3e84161d3533b2f699e9bb8655834656004f9d46583a3aa61f

SHA512
26bbb04afd984f66eac2cb557fc0735684dab824abf900579fc26f277d306b9ff83f839fb2459a0e6d049124b37e64c618982dc929e23666f8f39cc41eb063ba

Download Submit
C:\Windows\SysWOW64\EBRR.EXE

Filesize
92KB

MD5
2e2c028c4a11e36f03131402369fd25b

SHA1
9b04e744d9a7020e0011a8edc959410856e6a0b5

SHA256
e017dceb8010e81c53e7e603c98f58c59959535434fb6fc5c1c3f30f50fbb107

SHA512
bd751aaf5b3999eeb94cc89772717e40b6aa416f7cbeb6dcfc421f3ad0f820b1da7bff83f34a14e5e80206ff797c9062d19c8153bf45eccd510bd735d3045495

Download Submit
C:\Windows\SysWOW64\mmtask.exe

Filesize
92KB

MD5
db266776b0f09cbd843d9ffd5fd4248f

SHA1
52bce2843cb460551421c617a92f984639a4997d

SHA256
2d511ff19988e1a1b364b83c4023835ad1c43a3bc3a50dd75dba033e4274273f

SHA512
df3d3c47468cb36849724676b7ec179ee37aaffe5097ff7dff64f8aeed349e1c7477709b866798b662a3c8379026694aed7e4d79104b602699c7ea02c0759da1

Download Submit
C:\Windows\system\SVCHOST.EXE

Filesize
92KB

MD5
c0ee0f8f0bad21d38ab55d84b32e4feb

SHA1
813ff5234fa67cdef2a6d48d21fa240c3f0e2142

SHA256
968a0cf88b3e2a6dba598d9400da033d8a86d6b7c595964b33f6e7b8df35363f

SHA512
518b59d2a385bdd03dd6c261ba28e66aebb372144deacaa319a1091e711717bab49f7365c7d68f28fe9eb039f75c44e03aa2c8268acab747888ef297279a2200

Download Submit
memory/220-213-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/516-318-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/540-194-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/716-178-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/940-246-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/944-283-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1016-343-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1192-99-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1208-101-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1208-107-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1344-147-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1436-31-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1440-153-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1616-93-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1660-341-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1816-71-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1836-177-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1836-167-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1916-159-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1916-146-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1980-166-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2204-134-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2204-323-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2204-319-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2224-321-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2320-259-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2364-0-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2364-64-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2380-84-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2452-277-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2708-235-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2720-76-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2728-100-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2728-106-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2972-192-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2984-367-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/3008-257-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/3012-219-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/3024-1847-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/3024-75-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/3032-347-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/3036-250-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/3048-304-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/3064-220-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/3116-169-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/3144-224-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/3152-248-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/3188-308-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/3244-216-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/3260-240-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/3260-228-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/3340-363-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/3372-245-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/3532-48-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/3552-126-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/3568-115-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/3624-229-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/3652-364-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/3672-92-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/3680-52-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/3812-113-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/3868-330-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/3872-305-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/3892-260-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/3916-179-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/3988-149-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/4116-39-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/4124-60-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/4168-170-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/4204-348-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/4236-307-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/4384-298-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/4404-218-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/4408-279-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/4448-317-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/4448-322-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/4512-130-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/4532-148-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/4608-278-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/4644-196-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/4680-324-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/4680-320-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/4732-329-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/4736-122-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/4736-144-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/4740-350-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/4796-303-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/4820-280-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/4912-23-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/4912-14-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/4928-67-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/4948-81-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/4952-252-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/4988-150-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/4988-145-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/5000-168-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/5036-306-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download