62b242a5ef86af246a4adf75e050dd46b984c64ff3e0ad7d9b609cb2bc325bfe

Analysis

max time kernel
150s
max time network
119s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
21-11-2024 09:18

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

62b242a5ef86af246a4adf75e050dd46b984c64ff3e0ad7d9b609cb2bc325bfe.exe
Size

92KB
MD5

4d0ff662db3c28bdefae42d1f46e28fe
SHA1

18a0c14eac56a83564f9a2ad0fe68e759f72ac7e
SHA256

62b242a5ef86af246a4adf75e050dd46b984c64ff3e0ad7d9b609cb2bc325bfe
SHA512

b91410d864c12d09b8680f1e352bfffb47489bfa92691ef35618e27f98e60b2f50692992dc640a69998b164626ed5c196afbcbde4390fb938a4406b4c7532126
SSDEEP

768:4zW4wnebSdDlmkok6lRGXu+jKZAOWjpiRHVAGr4PzpyRAJ7IwnDoSd5:41bC4Bk6lMTOWw4PkRAPoI

Score

10^/10

discovery persistence

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 10 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

Processes:

mmtask.exeSVCHOST.EXESVCHOST.EXE62b242a5ef86af246a4adf75e050dd46b984c64ff3e0ad7d9b609cb2bc325bfe.exeEBRR.EXE

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"C:\\Windows\\SVCHOST.EXE\""	mmtask.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"C:\\Windows\\system\\SVCHOST.EXE\""	SVCHOST.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"C:\\Windows\\SVCHOST.EXE\""	SVCHOST.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"C:\\Windows\\SVCHOST.EXE\""	62b242a5ef86af246a4adf75e050dd46b984c64ff3e0ad7d9b609cb2bc325bfe.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"C:\\Windows\\system\\SVCHOST.EXE\""	62b242a5ef86af246a4adf75e050dd46b984c64ff3e0ad7d9b609cb2bc325bfe.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"C:\\Windows\\system\\SVCHOST.EXE\""	mmtask.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"C:\\Windows\\SVCHOST.EXE\""	SVCHOST.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"C:\\Windows\\system\\SVCHOST.EXE\""	SVCHOST.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"C:\\Windows\\SVCHOST.EXE\""	EBRR.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"C:\\Windows\\system\\SVCHOST.EXE\""	EBRR.EXE

Executes dropped EXE 64 IoCs

Processes:

EBRR.EXEEBRR.EXEmmtask.exeEBRR.EXEmmtask.exeSVCHOST.EXEEBRR.EXEmmtask.exeSVCHOST.EXESVCHOST.EXEEBRR.EXEmmtask.exeSVCHOST.EXESVCHOST.EXESVCHOST.EXEEBRR.EXESVCHOST.EXEEBRR.EXESVCHOST.EXEmmtask.exeSVCHOST.EXEmmtask.exemmtask.exeEBRR.EXESVCHOST.EXEmmtask.exeSVCHOST.EXESVCHOST.EXESVCHOST.EXESVCHOST.EXESVCHOST.EXESVCHOST.EXEEBRR.EXEEBRR.EXEEBRR.EXEEBRR.EXEEBRR.EXEmmtask.exemmtask.exemmtask.exemmtask.exeSVCHOST.EXESVCHOST.EXESVCHOST.EXEmmtask.exeSVCHOST.EXESVCHOST.EXESVCHOST.EXESVCHOST.EXESVCHOST.EXESVCHOST.EXESVCHOST.EXEEBRR.EXEEBRR.EXEEBRR.EXEmmtask.exemmtask.exeEBRR.EXESVCHOST.EXEmmtask.exeSVCHOST.EXESVCHOST.EXEmmtask.exeSVCHOST.EXE

pid	process
1984	EBRR.EXE
2360	EBRR.EXE
2792	mmtask.exe
2720	EBRR.EXE
2440	mmtask.exe
2624	SVCHOST.EXE
2856	EBRR.EXE
2628	mmtask.exe
3036	SVCHOST.EXE
636	SVCHOST.EXE
1864	EBRR.EXE
860	mmtask.exe
1312	SVCHOST.EXE
1620	SVCHOST.EXE
3020	SVCHOST.EXE
2036	EBRR.EXE
1764	SVCHOST.EXE
2636	EBRR.EXE
2248	SVCHOST.EXE
3056	mmtask.exe
1872	SVCHOST.EXE
2280	mmtask.exe
1476	mmtask.exe
1600	EBRR.EXE
1128	SVCHOST.EXE
2284	mmtask.exe
920	SVCHOST.EXE
1636	SVCHOST.EXE
1532	SVCHOST.EXE
320	SVCHOST.EXE
1952	SVCHOST.EXE
2228	SVCHOST.EXE
2172	EBRR.EXE
1732	EBRR.EXE
2344	EBRR.EXE
1744	EBRR.EXE
1728	EBRR.EXE
884	mmtask.exe
2492	mmtask.exe
2244	mmtask.exe
2264	mmtask.exe
2808	SVCHOST.EXE
2276	SVCHOST.EXE
2736	SVCHOST.EXE
788	mmtask.exe
576	SVCHOST.EXE
2932	SVCHOST.EXE
2820	SVCHOST.EXE
2604	SVCHOST.EXE
2740	SVCHOST.EXE
2848	SVCHOST.EXE
2908	SVCHOST.EXE
2844	EBRR.EXE
2764	EBRR.EXE
2856	EBRR.EXE
2592	mmtask.exe
2652	mmtask.exe
2608	EBRR.EXE
1036	SVCHOST.EXE
644	mmtask.exe
2996	SVCHOST.EXE
3040	SVCHOST.EXE
2468	mmtask.exe
1756	SVCHOST.EXE

Loads dropped DLL 64 IoCs

Processes:

62b242a5ef86af246a4adf75e050dd46b984c64ff3e0ad7d9b609cb2bc325bfe.exeEBRR.EXEmmtask.exeSVCHOST.EXESVCHOST.EXE

pid	process
3008	62b242a5ef86af246a4adf75e050dd46b984c64ff3e0ad7d9b609cb2bc325bfe.exe
3008	62b242a5ef86af246a4adf75e050dd46b984c64ff3e0ad7d9b609cb2bc325bfe.exe
1984	EBRR.EXE
1984	EBRR.EXE
1984	EBRR.EXE
1984	EBRR.EXE
2792	mmtask.exe
2792	mmtask.exe
2792	mmtask.exe
2792	mmtask.exe
2624	SVCHOST.EXE
2624	SVCHOST.EXE
2624	SVCHOST.EXE
2624	SVCHOST.EXE
2624	SVCHOST.EXE
2624	SVCHOST.EXE
636	SVCHOST.EXE
636	SVCHOST.EXE
636	SVCHOST.EXE
636	SVCHOST.EXE
636	SVCHOST.EXE
2792	mmtask.exe
2624	SVCHOST.EXE
2792	mmtask.exe
2624	SVCHOST.EXE
636	SVCHOST.EXE
2624	SVCHOST.EXE
636	SVCHOST.EXE
2624	SVCHOST.EXE
1984	EBRR.EXE
1984	EBRR.EXE
636	SVCHOST.EXE
636	SVCHOST.EXE
3008	62b242a5ef86af246a4adf75e050dd46b984c64ff3e0ad7d9b609cb2bc325bfe.exe
2624	SVCHOST.EXE
3008	62b242a5ef86af246a4adf75e050dd46b984c64ff3e0ad7d9b609cb2bc325bfe.exe
2624	SVCHOST.EXE
1984	EBRR.EXE
1984	EBRR.EXE
1984	EBRR.EXE
1984	EBRR.EXE
3008	62b242a5ef86af246a4adf75e050dd46b984c64ff3e0ad7d9b609cb2bc325bfe.exe
1984	EBRR.EXE
2624	SVCHOST.EXE
2792	mmtask.exe
2624	SVCHOST.EXE
2792	mmtask.exe
1984	EBRR.EXE
1984	EBRR.EXE
3008	62b242a5ef86af246a4adf75e050dd46b984c64ff3e0ad7d9b609cb2bc325bfe.exe
3008	62b242a5ef86af246a4adf75e050dd46b984c64ff3e0ad7d9b609cb2bc325bfe.exe
1984	EBRR.EXE
1984	EBRR.EXE
2624	SVCHOST.EXE
636	SVCHOST.EXE
636	SVCHOST.EXE
2624	SVCHOST.EXE
3008	62b242a5ef86af246a4adf75e050dd46b984c64ff3e0ad7d9b609cb2bc325bfe.exe
3008	62b242a5ef86af246a4adf75e050dd46b984c64ff3e0ad7d9b609cb2bc325bfe.exe
2792	mmtask.exe
2792	mmtask.exe
636	SVCHOST.EXE
636	SVCHOST.EXE
1984	EBRR.EXE

Modifies system executable filetype association 2 TTPs 5 IoCs

persistence

Modify Registry

T1112

Change Default File Association

T1546.001

Processes:

SVCHOST.EXESVCHOST.EXE62b242a5ef86af246a4adf75e050dd46b984c64ff3e0ad7d9b609cb2bc325bfe.exemmtask.exeEBRR.EXE

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder"	SVCHOST.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder"	SVCHOST.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder"	62b242a5ef86af246a4adf75e050dd46b984c64ff3e0ad7d9b609cb2bc325bfe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder"	mmtask.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder"	EBRR.EXE

Drops file in System32 directory 20 IoCs

Processes:

SVCHOST.EXEEBRR.EXEmmtask.exeSVCHOST.EXE62b242a5ef86af246a4adf75e050dd46b984c64ff3e0ad7d9b609cb2bc325bfe.exe

description	ioc	process
File opened for modification	C:\Windows\SysWOW64\EBRR.EXE	SVCHOST.EXE
File created	C:\Windows\SysWOW64\mmtask.exe	SVCHOST.EXE
File opened for modification	C:\Windows\SysWOW64\EBRR.EXE	EBRR.EXE
File opened for modification	C:\Windows\SysWOW64\mmtask.exe	EBRR.EXE
File created	C:\Windows\SysWOW64\EBRR.EXE	mmtask.exe
File opened for modification	C:\Windows\SysWOW64\EBRR.EXE	mmtask.exe
File created	C:\Windows\SysWOW64\EBRR.EXE	SVCHOST.EXE
File created	C:\Windows\SysWOW64\mmtask.exe	mmtask.exe
File opened for modification	C:\Windows\SysWOW64\mmtask.exe	SVCHOST.EXE
File opened for modification	C:\Windows\SysWOW64\EBRR.EXE	SVCHOST.EXE
File created	C:\Windows\SysWOW64\mmtask.exe	62b242a5ef86af246a4adf75e050dd46b984c64ff3e0ad7d9b609cb2bc325bfe.exe
File created	C:\Windows\SysWOW64\mmtask.exe	EBRR.EXE
File created	C:\Windows\SysWOW64\EBRR.EXE	SVCHOST.EXE
File created	C:\Windows\SysWOW64\mmtask.exe	SVCHOST.EXE
File opened for modification	C:\Windows\SysWOW64\mmtask.exe	62b242a5ef86af246a4adf75e050dd46b984c64ff3e0ad7d9b609cb2bc325bfe.exe
File created	C:\Windows\SysWOW64\EBRR.EXE	62b242a5ef86af246a4adf75e050dd46b984c64ff3e0ad7d9b609cb2bc325bfe.exe
File opened for modification	C:\Windows\SysWOW64\EBRR.EXE	62b242a5ef86af246a4adf75e050dd46b984c64ff3e0ad7d9b609cb2bc325bfe.exe
File created	C:\Windows\SysWOW64\EBRR.EXE	EBRR.EXE
File opened for modification	C:\Windows\SysWOW64\mmtask.exe	mmtask.exe
File opened for modification	C:\Windows\SysWOW64\mmtask.exe	SVCHOST.EXE

Drops file in Windows directory 20 IoCs

Processes:

SVCHOST.EXEEBRR.EXEmmtask.exeSVCHOST.EXE62b242a5ef86af246a4adf75e050dd46b984c64ff3e0ad7d9b609cb2bc325bfe.exe

description	ioc	process
File created	C:\Windows\system\SVCHOST.EXE	SVCHOST.EXE
File opened for modification	C:\Windows\system\SVCHOST.EXE	EBRR.EXE
File opened for modification	C:\Windows\SVCHOST.EXE	SVCHOST.EXE
File created	C:\Windows\system\SVCHOST.EXE	mmtask.exe
File created	C:\Windows\SVCHOST.EXE	EBRR.EXE
File created	C:\Windows\system\SVCHOST.EXE	EBRR.EXE
File created	C:\Windows\SVCHOST.EXE	SVCHOST.EXE
File created	C:\Windows\SVCHOST.EXE	SVCHOST.EXE
File opened for modification	C:\Windows\SVCHOST.EXE	SVCHOST.EXE
File opened for modification	C:\Windows\system\SVCHOST.EXE	mmtask.exe
File opened for modification	C:\Windows\system\SVCHOST.EXE	SVCHOST.EXE
File opened for modification	C:\Windows\SVCHOST.EXE	EBRR.EXE
File created	C:\Windows\SVCHOST.EXE	62b242a5ef86af246a4adf75e050dd46b984c64ff3e0ad7d9b609cb2bc325bfe.exe
File opened for modification	C:\Windows\SVCHOST.EXE	62b242a5ef86af246a4adf75e050dd46b984c64ff3e0ad7d9b609cb2bc325bfe.exe
File created	C:\Windows\SVCHOST.EXE	mmtask.exe
File opened for modification	C:\Windows\SVCHOST.EXE	mmtask.exe
File opened for modification	C:\Windows\system\SVCHOST.EXE	SVCHOST.EXE
File created	C:\Windows\system\SVCHOST.EXE	SVCHOST.EXE
File created	C:\Windows\system\SVCHOST.EXE	62b242a5ef86af246a4adf75e050dd46b984c64ff3e0ad7d9b609cb2bc325bfe.exe
File opened for modification	C:\Windows\system\SVCHOST.EXE	62b242a5ef86af246a4adf75e050dd46b984c64ff3e0ad7d9b609cb2bc325bfe.exe

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

EBRR.EXESVCHOST.EXESVCHOST.EXESVCHOST.EXEmmtask.exemmtask.exemmtask.exeSVCHOST.EXEmmtask.exeEBRR.EXEmmtask.exeEBRR.EXEEBRR.EXEmmtask.exeSVCHOST.EXEEBRR.EXEmmtask.exeSVCHOST.EXEEBRR.EXEmmtask.exeSVCHOST.EXEmmtask.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	EBRR.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	SVCHOST.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	SVCHOST.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	SVCHOST.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mmtask.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mmtask.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mmtask.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	SVCHOST.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mmtask.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	EBRR.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mmtask.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	EBRR.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	EBRR.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mmtask.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	SVCHOST.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	EBRR.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mmtask.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	SVCHOST.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	EBRR.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mmtask.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	SVCHOST.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mmtask.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language

Modifies Internet Explorer settings 1 TTPs 2 IoCs

adware spyware

Modify Registry

T1112

Processes:

explorer.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Toolbar	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Toolbar\Locked = "1"	explorer.exe

Modifies registry class 43 IoCs

Processes:

explorer.exeSVCHOST.EXEmmtask.exe62b242a5ef86af246a4adf75e050dd46b984c64ff3e0ad7d9b609cb2bc325bfe.exeEBRR.EXESVCHOST.EXE

description	ioc	process
Set value (data)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0 = 19002f433a5c000000000000000000000000000000000000000000	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\0\0\0\0 = c6003100000000007559514a16003632423234327e310000ae0008000400efbe7559514a7559514a2a000000b96a01000000080000000000000000000000000000003600320062003200340032006100350065006600380036006100660032003400360061003400610064006600370035006500300035003000640064003400360062003900380034006300360034006600660033006500300061006400370064003900620036003000390063006200320062006300330032003500620066006500000018000000	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\0 = 52003100000000002359a529122041707044617461003c0008000400efbe2359a5292359a5292a000000eb0100000000020000000000000000000000000000004100700070004400610074006100000016000000	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\0\0 = 4c003100000000002359cd2a10204c6f63616c00380008000400efbe2359a5292359cd2a2a000000fe0100000000020000000000000000000000000000004c006f00630061006c00000014000000	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\0\0\0 = 4a003100000000007559514a102054656d700000360008000400efbe2359a5297559514a2a000000ff010000000002000000000000000000000000000000540065006d007000000014000000	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\0\0\0\0\NodeSlot = "1"	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder"	SVCHOST.EXE
Key created	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0 = 74003100000000002359a5291100557365727300600008000400efbeee3a851a2359a5292a000000e601000000000100000000000000000036000000000055007300650072007300000040007300680065006c006c00330032002e0064006c006c002c002d0032003100380031003300000014000000	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0 = 4c0031000000000023598830100041646d696e00380008000400efbe2359a529235988302a00000030000000000004000000000000000000000000000000410064006d0069006e00000014000000	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\0\0\MRUListEx = 00000000ffffffff	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder"	mmtask.exe
Key created	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 00000000ffffffff	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\MRUListEx = 00000000ffffffff	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\0	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\0\MRUListEx = 00000000ffffffff	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\KnownFolderDerivedFolderType = "{57807898-8C4F-4462-BB63-71042380B109}"	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder"	62b242a5ef86af246a4adf75e050dd46b984c64ff3e0ad7d9b609cb2bc325bfe.exe
Key created	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0 = 14001f50e04fd020ea3a6910a2d808002b30309d0000	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\0\0\0\0	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\MRUListEx = 00000000ffffffff	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\0\0\0	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\0\0\0\MRUListEx = 00000000ffffffff	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder"	EBRR.EXE
Key created	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000_Classes\Local Settings	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\0\0	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\0\0\0\0\MRUListEx = ffffffff	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder"	SVCHOST.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\MRUListEx = 00000000ffffffff	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\MRUListEx = 00000000ffffffff	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\SniffedFolderType = "Generic"	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\SniffedFolderType = "Documents"	explorer.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

62b242a5ef86af246a4adf75e050dd46b984c64ff3e0ad7d9b609cb2bc325bfe.exeEBRR.EXEmmtask.exeSVCHOST.EXESVCHOST.EXE

pid	process
3008	62b242a5ef86af246a4adf75e050dd46b984c64ff3e0ad7d9b609cb2bc325bfe.exe
3008	62b242a5ef86af246a4adf75e050dd46b984c64ff3e0ad7d9b609cb2bc325bfe.exe
3008	62b242a5ef86af246a4adf75e050dd46b984c64ff3e0ad7d9b609cb2bc325bfe.exe
3008	62b242a5ef86af246a4adf75e050dd46b984c64ff3e0ad7d9b609cb2bc325bfe.exe
3008	62b242a5ef86af246a4adf75e050dd46b984c64ff3e0ad7d9b609cb2bc325bfe.exe
3008	62b242a5ef86af246a4adf75e050dd46b984c64ff3e0ad7d9b609cb2bc325bfe.exe
3008	62b242a5ef86af246a4adf75e050dd46b984c64ff3e0ad7d9b609cb2bc325bfe.exe
3008	62b242a5ef86af246a4adf75e050dd46b984c64ff3e0ad7d9b609cb2bc325bfe.exe
1984	EBRR.EXE
1984	EBRR.EXE
1984	EBRR.EXE
1984	EBRR.EXE
1984	EBRR.EXE
1984	EBRR.EXE
1984	EBRR.EXE
1984	EBRR.EXE
1984	EBRR.EXE
1984	EBRR.EXE
2792	mmtask.exe
2792	mmtask.exe
2792	mmtask.exe
2792	mmtask.exe
2792	mmtask.exe
2792	mmtask.exe
2792	mmtask.exe
2792	mmtask.exe
2792	mmtask.exe
2792	mmtask.exe
2624	SVCHOST.EXE
2624	SVCHOST.EXE
2624	SVCHOST.EXE
2624	SVCHOST.EXE
2624	SVCHOST.EXE
2624	SVCHOST.EXE
2624	SVCHOST.EXE
2624	SVCHOST.EXE
2624	SVCHOST.EXE
2624	SVCHOST.EXE
636	SVCHOST.EXE
636	SVCHOST.EXE
636	SVCHOST.EXE
636	SVCHOST.EXE
636	SVCHOST.EXE
636	SVCHOST.EXE
636	SVCHOST.EXE
636	SVCHOST.EXE
636	SVCHOST.EXE
636	SVCHOST.EXE
2624	SVCHOST.EXE
2624	SVCHOST.EXE
2624	SVCHOST.EXE
2624	SVCHOST.EXE
2624	SVCHOST.EXE
2624	SVCHOST.EXE
2624	SVCHOST.EXE
2624	SVCHOST.EXE
2624	SVCHOST.EXE
2624	SVCHOST.EXE
636	SVCHOST.EXE
636	SVCHOST.EXE
636	SVCHOST.EXE
636	SVCHOST.EXE
636	SVCHOST.EXE
636	SVCHOST.EXE

Suspicious use of SetWindowsHookEx 64 IoCs

Processes:

62b242a5ef86af246a4adf75e050dd46b984c64ff3e0ad7d9b609cb2bc325bfe.exeEBRR.EXEEBRR.EXEmmtask.exeEBRR.EXEmmtask.exeSVCHOST.EXEEBRR.EXEmmtask.exeSVCHOST.EXESVCHOST.EXEEBRR.EXEmmtask.exeSVCHOST.EXESVCHOST.EXESVCHOST.EXEEBRR.EXESVCHOST.EXESVCHOST.EXEmmtask.exeEBRR.EXESVCHOST.EXEEBRR.EXESVCHOST.EXEmmtask.exemmtask.exeSVCHOST.EXEmmtask.exeSVCHOST.EXESVCHOST.EXESVCHOST.EXESVCHOST.EXESVCHOST.EXEEBRR.EXEEBRR.EXEEBRR.EXEEBRR.EXEmmtask.exemmtask.exemmtask.exemmtask.exeEBRR.EXESVCHOST.EXESVCHOST.EXESVCHOST.EXESVCHOST.EXESVCHOST.EXEmmtask.exeSVCHOST.EXESVCHOST.EXESVCHOST.EXESVCHOST.EXESVCHOST.EXEEBRR.EXEEBRR.EXEmmtask.exemmtask.exeEBRR.EXESVCHOST.EXEEBRR.EXESVCHOST.EXESVCHOST.EXEmmtask.exemmtask.exe

pid	process
3008	62b242a5ef86af246a4adf75e050dd46b984c64ff3e0ad7d9b609cb2bc325bfe.exe
1984	EBRR.EXE
2360	EBRR.EXE
2792	mmtask.exe
2720	EBRR.EXE
2440	mmtask.exe
2624	SVCHOST.EXE
2856	EBRR.EXE
2628	mmtask.exe
3036	SVCHOST.EXE
636	SVCHOST.EXE
1864	EBRR.EXE
860	mmtask.exe
1312	SVCHOST.EXE
1620	SVCHOST.EXE
3020	SVCHOST.EXE
2036	EBRR.EXE
1764	SVCHOST.EXE
2248	SVCHOST.EXE
3056	mmtask.exe
2636	EBRR.EXE
1872	SVCHOST.EXE
1600	EBRR.EXE
1128	SVCHOST.EXE
1476	mmtask.exe
2280	mmtask.exe
920	SVCHOST.EXE
2284	mmtask.exe
1532	SVCHOST.EXE
1636	SVCHOST.EXE
320	SVCHOST.EXE
1952	SVCHOST.EXE
2228	SVCHOST.EXE
1732	EBRR.EXE
2172	EBRR.EXE
2344	EBRR.EXE
1744	EBRR.EXE
884	mmtask.exe
2244	mmtask.exe
2264	mmtask.exe
2492	mmtask.exe
1728	EBRR.EXE
2808	SVCHOST.EXE
2276	SVCHOST.EXE
2736	SVCHOST.EXE
576	SVCHOST.EXE
2820	SVCHOST.EXE
788	mmtask.exe
2932	SVCHOST.EXE
2604	SVCHOST.EXE
2740	SVCHOST.EXE
2848	SVCHOST.EXE
2908	SVCHOST.EXE
2844	EBRR.EXE
2764	EBRR.EXE
2592	mmtask.exe
2652	mmtask.exe
2856	EBRR.EXE
1036	SVCHOST.EXE
2608	EBRR.EXE
2996	SVCHOST.EXE
3040	SVCHOST.EXE
644	mmtask.exe
2468	mmtask.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

62b242a5ef86af246a4adf75e050dd46b984c64ff3e0ad7d9b609cb2bc325bfe.exeEBRR.EXEmmtask.exeSVCHOST.EXESVCHOST.EXE

description	pid	process	target process
PID 3008 wrote to memory of 2112	3008	62b242a5ef86af246a4adf75e050dd46b984c64ff3e0ad7d9b609cb2bc325bfe.exe	explorer.exe
PID 3008 wrote to memory of 2112	3008	62b242a5ef86af246a4adf75e050dd46b984c64ff3e0ad7d9b609cb2bc325bfe.exe	explorer.exe
PID 3008 wrote to memory of 2112	3008	62b242a5ef86af246a4adf75e050dd46b984c64ff3e0ad7d9b609cb2bc325bfe.exe	explorer.exe
PID 3008 wrote to memory of 2112	3008	62b242a5ef86af246a4adf75e050dd46b984c64ff3e0ad7d9b609cb2bc325bfe.exe	explorer.exe
PID 3008 wrote to memory of 1984	3008	62b242a5ef86af246a4adf75e050dd46b984c64ff3e0ad7d9b609cb2bc325bfe.exe	EBRR.EXE
PID 3008 wrote to memory of 1984	3008	62b242a5ef86af246a4adf75e050dd46b984c64ff3e0ad7d9b609cb2bc325bfe.exe	EBRR.EXE
PID 3008 wrote to memory of 1984	3008	62b242a5ef86af246a4adf75e050dd46b984c64ff3e0ad7d9b609cb2bc325bfe.exe	EBRR.EXE
PID 3008 wrote to memory of 1984	3008	62b242a5ef86af246a4adf75e050dd46b984c64ff3e0ad7d9b609cb2bc325bfe.exe	EBRR.EXE
PID 1984 wrote to memory of 2360	1984	EBRR.EXE	EBRR.EXE
PID 1984 wrote to memory of 2360	1984	EBRR.EXE	EBRR.EXE
PID 1984 wrote to memory of 2360	1984	EBRR.EXE	EBRR.EXE
PID 1984 wrote to memory of 2360	1984	EBRR.EXE	EBRR.EXE
PID 1984 wrote to memory of 2792	1984	EBRR.EXE	mmtask.exe
PID 1984 wrote to memory of 2792	1984	EBRR.EXE	mmtask.exe
PID 1984 wrote to memory of 2792	1984	EBRR.EXE	mmtask.exe
PID 1984 wrote to memory of 2792	1984	EBRR.EXE	mmtask.exe
PID 2792 wrote to memory of 2720	2792	mmtask.exe	EBRR.EXE
PID 2792 wrote to memory of 2720	2792	mmtask.exe	EBRR.EXE
PID 2792 wrote to memory of 2720	2792	mmtask.exe	EBRR.EXE
PID 2792 wrote to memory of 2720	2792	mmtask.exe	EBRR.EXE
PID 2792 wrote to memory of 2440	2792	mmtask.exe	mmtask.exe
PID 2792 wrote to memory of 2440	2792	mmtask.exe	mmtask.exe
PID 2792 wrote to memory of 2440	2792	mmtask.exe	mmtask.exe
PID 2792 wrote to memory of 2440	2792	mmtask.exe	mmtask.exe
PID 2792 wrote to memory of 2624	2792	mmtask.exe	SVCHOST.EXE
PID 2792 wrote to memory of 2624	2792	mmtask.exe	SVCHOST.EXE
PID 2792 wrote to memory of 2624	2792	mmtask.exe	SVCHOST.EXE
PID 2792 wrote to memory of 2624	2792	mmtask.exe	SVCHOST.EXE
PID 2624 wrote to memory of 2856	2624	SVCHOST.EXE	EBRR.EXE
PID 2624 wrote to memory of 2856	2624	SVCHOST.EXE	EBRR.EXE
PID 2624 wrote to memory of 2856	2624	SVCHOST.EXE	EBRR.EXE
PID 2624 wrote to memory of 2856	2624	SVCHOST.EXE	EBRR.EXE
PID 2624 wrote to memory of 2628	2624	SVCHOST.EXE	mmtask.exe
PID 2624 wrote to memory of 2628	2624	SVCHOST.EXE	mmtask.exe
PID 2624 wrote to memory of 2628	2624	SVCHOST.EXE	mmtask.exe
PID 2624 wrote to memory of 2628	2624	SVCHOST.EXE	mmtask.exe
PID 2624 wrote to memory of 3036	2624	SVCHOST.EXE	SVCHOST.EXE
PID 2624 wrote to memory of 3036	2624	SVCHOST.EXE	SVCHOST.EXE
PID 2624 wrote to memory of 3036	2624	SVCHOST.EXE	SVCHOST.EXE
PID 2624 wrote to memory of 3036	2624	SVCHOST.EXE	SVCHOST.EXE
PID 2624 wrote to memory of 636	2624	SVCHOST.EXE	SVCHOST.EXE
PID 2624 wrote to memory of 636	2624	SVCHOST.EXE	SVCHOST.EXE
PID 2624 wrote to memory of 636	2624	SVCHOST.EXE	SVCHOST.EXE
PID 2624 wrote to memory of 636	2624	SVCHOST.EXE	SVCHOST.EXE
PID 636 wrote to memory of 1864	636	SVCHOST.EXE	mmtask.exe
PID 636 wrote to memory of 1864	636	SVCHOST.EXE	mmtask.exe
PID 636 wrote to memory of 1864	636	SVCHOST.EXE	mmtask.exe
PID 636 wrote to memory of 1864	636	SVCHOST.EXE	mmtask.exe
PID 636 wrote to memory of 860	636	SVCHOST.EXE	mmtask.exe
PID 636 wrote to memory of 860	636	SVCHOST.EXE	mmtask.exe
PID 636 wrote to memory of 860	636	SVCHOST.EXE	mmtask.exe
PID 636 wrote to memory of 860	636	SVCHOST.EXE	mmtask.exe
PID 636 wrote to memory of 1312	636	SVCHOST.EXE	SVCHOST.EXE
PID 636 wrote to memory of 1312	636	SVCHOST.EXE	SVCHOST.EXE
PID 636 wrote to memory of 1312	636	SVCHOST.EXE	SVCHOST.EXE
PID 636 wrote to memory of 1312	636	SVCHOST.EXE	SVCHOST.EXE
PID 636 wrote to memory of 1620	636	SVCHOST.EXE	SVCHOST.EXE
PID 636 wrote to memory of 1620	636	SVCHOST.EXE	SVCHOST.EXE
PID 636 wrote to memory of 1620	636	SVCHOST.EXE	SVCHOST.EXE
PID 636 wrote to memory of 1620	636	SVCHOST.EXE	SVCHOST.EXE
PID 2792 wrote to memory of 3020	2792	mmtask.exe	SVCHOST.EXE
PID 2792 wrote to memory of 3020	2792	mmtask.exe	SVCHOST.EXE
PID 2792 wrote to memory of 3020	2792	mmtask.exe	SVCHOST.EXE
PID 2792 wrote to memory of 3020	2792	mmtask.exe	SVCHOST.EXE

C:\Users\Admin\AppData\Local\Temp\62b242a5ef86af246a4adf75e050dd46b984c64ff3e0ad7d9b609cb2bc325bfe.exe
"C:\Users\Admin\AppData\Local\Temp\62b242a5ef86af246a4adf75e050dd46b984c64ff3e0ad7d9b609cb2bc325bfe.exe"
1⤵
- Modifies WinLogon for persistence
- Loads dropped DLL
- Modifies system executable filetype association
- Drops file in System32 directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3008
- C:\Windows\SysWOW64\explorer.exe
  explorer C:\Users\Admin\AppData\Local\Temp\62b242a5ef86af246a4adf75e050dd46b984c64ff3e0ad7d9b609cb2bc325bfe\
  2⤵
  PID:2112
- C:\Windows\SysWOW64\EBRR.EXE
  C:\Windows\system32\EBRR.EXE -s
  2⤵
  - Modifies WinLogon for persistence
  - Executes dropped EXE
  - Loads dropped DLL
  - Modifies system executable filetype association
  - Drops file in System32 directory
  - Drops file in Windows directory
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:1984
- - C:\Windows\SysWOW64\EBRR.EXE
    C:\Windows\system32\EBRR.EXE -s
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:2360
- - C:\Windows\SysWOW64\mmtask.exe
    C:\Windows\system32\mmtask.exe -s
    3⤵
    - Modifies WinLogon for persistence
    - Executes dropped EXE
    - Loads dropped DLL
    - Modifies system executable filetype association
    - Drops file in System32 directory
    - Drops file in Windows directory
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2792
  - - C:\Windows\SysWOW64\EBRR.EXE
      C:\Windows\system32\EBRR.EXE -s
      4⤵
      Executes dropped EXE
      Suspicious use of SetWindowsHookEx
      PID:2720
  - - C:\Windows\SysWOW64\mmtask.exe
      C:\Windows\system32\mmtask.exe -s
      4⤵
      Executes dropped EXE
      Suspicious use of SetWindowsHookEx
      PID:2440
  - - C:\Windows\SVCHOST.EXE
      C:\Windows\SVCHOST.EXE -s
      4⤵
      Modifies WinLogon for persistence
      Executes dropped EXE
      Loads dropped DLL
      Modifies system executable filetype association
      Drops file in System32 directory
      Drops file in Windows directory
      Modifies registry class
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:2624
    - - C:\Windows\SysWOW64\EBRR.EXE
        
        C:\Windows\system32\EBRR.EXE -s
        5⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2856
    - - C:\Windows\SysWOW64\mmtask.exe
        
        C:\Windows\system32\mmtask.exe -s
        5⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2628
    - - C:\Windows\SVCHOST.EXE
        
        C:\Windows\SVCHOST.EXE -s
        5⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:3036
    - - C:\Windows\system\SVCHOST.EXE
        
        C:\Windows\system\SVCHOST.EXE -s
        5⤵
        Modifies WinLogon for persistence
        Executes dropped EXE
        Loads dropped DLL
        Modifies system executable filetype association
        Drops file in System32 directory
        Drops file in Windows directory
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:636
      - C:\Windows\SysWOW64\EBRR.EXE
        
        C:\Windows\system32\EBRR.EXE -s
        6⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1864
      - C:\Windows\SysWOW64\mmtask.exe
        
        C:\Windows\system32\mmtask.exe -s
        6⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:860
      - C:\Windows\SVCHOST.EXE
        
        C:\Windows\SVCHOST.EXE -s
        6⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1312
      - C:\Windows\system\SVCHOST.EXE
        
        C:\Windows\system\SVCHOST.EXE -s
        6⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1620
      - C:\Windows\SysWOW64\EBRR.EXE
        
        C:\Windows\system32\EBRR.EXE -s
        6⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2636
      - C:\Windows\SysWOW64\mmtask.exe
        
        C:\Windows\system32\mmtask.exe -s
        6⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2280
      - C:\Windows\SVCHOST.EXE
        
        C:\Windows\SVCHOST.EXE -s
        6⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1636
      - C:\Windows\system\SVCHOST.EXE
        
        C:\Windows\system\SVCHOST.EXE -s
        6⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2228
      - C:\Windows\SysWOW64\EBRR.EXE
        
        C:\Windows\system32\EBRR.EXE -s
        6⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1728
      - C:\Windows\SysWOW64\mmtask.exe
        
        C:\Windows\system32\mmtask.exe -s
        6⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:788
      - C:\Windows\SVCHOST.EXE
        
        C:\Windows\SVCHOST.EXE -s
        6⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2848
      - C:\Windows\system\SVCHOST.EXE
        
        C:\Windows\system\SVCHOST.EXE -s
        6⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2908
      - C:\Windows\SysWOW64\EBRR.EXE
        
        C:\Windows\system32\EBRR.EXE -s
        6⤵
        
        PID:3068
      - C:\Windows\SysWOW64\mmtask.exe
        
        C:\Windows\system32\mmtask.exe -s
        6⤵
        
        PID:924
      - C:\Windows\SVCHOST.EXE
        
        C:\Windows\SVCHOST.EXE -s
        6⤵
        
        PID:968
      - C:\Windows\system\SVCHOST.EXE
        
        C:\Windows\system\SVCHOST.EXE -s
        6⤵
        
        PID:1636
      - C:\Windows\SysWOW64\EBRR.EXE
        
        C:\Windows\system32\EBRR.EXE -s
        6⤵
        
        PID:2364
      - C:\Windows\SysWOW64\mmtask.exe
        
        C:\Windows\system32\mmtask.exe -s
        6⤵
        
        PID:332
      - C:\Windows\SVCHOST.EXE
        
        C:\Windows\SVCHOST.EXE -s
        6⤵
        
        PID:2752
      - C:\Windows\system\SVCHOST.EXE
        
        C:\Windows\system\SVCHOST.EXE -s
        6⤵
        
        PID:1364
      - C:\Windows\SysWOW64\EBRR.EXE
        
        C:\Windows\system32\EBRR.EXE -s
        6⤵
        
        PID:2860
      - C:\Windows\SysWOW64\mmtask.exe
        
        C:\Windows\system32\mmtask.exe -s
        6⤵
        
        PID:1864
      - C:\Windows\SVCHOST.EXE
        
        C:\Windows\SVCHOST.EXE -s
        6⤵
        
        PID:840
      - C:\Windows\system\SVCHOST.EXE
        
        C:\Windows\system\SVCHOST.EXE -s
        6⤵
        
        PID:540
      - C:\Windows\SysWOW64\EBRR.EXE
        
        C:\Windows\system32\EBRR.EXE -s
        6⤵
        
        PID:2052
      - C:\Windows\SysWOW64\mmtask.exe
        
        C:\Windows\system32\mmtask.exe -s
        6⤵
        
        PID:1540
      - C:\Windows\SVCHOST.EXE
        
        C:\Windows\SVCHOST.EXE -s
        6⤵
        
        PID:1048
      - C:\Windows\system\SVCHOST.EXE
        
        C:\Windows\system\SVCHOST.EXE -s
        6⤵
        
        PID:2172
      - C:\Windows\SysWOW64\EBRR.EXE
        
        C:\Windows\system32\EBRR.EXE -s
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:2548
      - C:\Windows\SysWOW64\mmtask.exe
        
        C:\Windows\system32\mmtask.exe -s
        6⤵
        
        PID:1728
      - C:\Windows\SVCHOST.EXE
        
        C:\Windows\SVCHOST.EXE -s
        6⤵
        
        PID:2940
      - C:\Windows\system\SVCHOST.EXE
        
        C:\Windows\system\SVCHOST.EXE -s
        6⤵
        
        PID:2840
      - C:\Windows\SysWOW64\EBRR.EXE
        
        C:\Windows\system32\EBRR.EXE -s
        6⤵
        
        PID:1848
      - C:\Windows\SysWOW64\mmtask.exe
        
        C:\Windows\system32\mmtask.exe -s
        6⤵
        
        PID:2920
      - C:\Windows\SVCHOST.EXE
        
        C:\Windows\SVCHOST.EXE -s
        6⤵
        
        PID:2844
      - C:\Windows\system\SVCHOST.EXE
        
        C:\Windows\system\SVCHOST.EXE -s
        6⤵
        
        PID:2448
      - C:\Windows\SysWOW64\EBRR.EXE
        
        C:\Windows\system32\EBRR.EXE -s
        6⤵
        
        PID:1692
      - C:\Windows\SysWOW64\mmtask.exe
        
        C:\Windows\system32\mmtask.exe -s
        6⤵
        
        PID:2496
      - C:\Windows\SVCHOST.EXE
        
        C:\Windows\SVCHOST.EXE -s
        6⤵
        
        PID:1952
      - C:\Windows\system\SVCHOST.EXE
        
        C:\Windows\system\SVCHOST.EXE -s
        6⤵
        
        PID:956
      - C:\Windows\SysWOW64\EBRR.EXE
        
        C:\Windows\system32\EBRR.EXE -s
        6⤵
        
        PID:2184
      - C:\Windows\SysWOW64\mmtask.exe
        
        C:\Windows\system32\mmtask.exe -s
        6⤵
        
        PID:2864
      - C:\Windows\SVCHOST.EXE
        
        C:\Windows\SVCHOST.EXE -s
        6⤵
        
        PID:2796
      - C:\Windows\system\SVCHOST.EXE
        
        C:\Windows\system\SVCHOST.EXE -s
        6⤵
        
        PID:2632
      - C:\Windows\SysWOW64\EBRR.EXE
        
        C:\Windows\system32\EBRR.EXE -s
        6⤵
        
        PID:2820
      - C:\Windows\SysWOW64\mmtask.exe
        
        C:\Windows\system32\mmtask.exe -s
        6⤵
        
        PID:1700
      - C:\Windows\SVCHOST.EXE
        
        C:\Windows\SVCHOST.EXE -s
        6⤵
        
        PID:1608
      - C:\Windows\system\SVCHOST.EXE
        
        C:\Windows\system\SVCHOST.EXE -s
        6⤵
        
        PID:3012
      - C:\Windows\SysWOW64\EBRR.EXE
        
        C:\Windows\system32\EBRR.EXE -s
        6⤵
        
        PID:1796
      - C:\Windows\SysWOW64\mmtask.exe
        
        C:\Windows\system32\mmtask.exe -s
        6⤵
        
        PID:1476
      - C:\Windows\SVCHOST.EXE
        
        C:\Windows\SVCHOST.EXE -s
        6⤵
        
        PID:3064
      - C:\Windows\system\SVCHOST.EXE
        
        C:\Windows\system\SVCHOST.EXE -s
        6⤵
        
        PID:1660
      - C:\Windows\SysWOW64\EBRR.EXE
        
        C:\Windows\system32\EBRR.EXE -s
        6⤵
        
        PID:1564
      - C:\Windows\SysWOW64\mmtask.exe
        
        C:\Windows\system32\mmtask.exe -s
        6⤵
        
        PID:968
      - C:\Windows\SVCHOST.EXE
        
        C:\Windows\SVCHOST.EXE -s
        6⤵
        
        PID:2224
      - C:\Windows\system\SVCHOST.EXE
        
        C:\Windows\system\SVCHOST.EXE -s
        6⤵
        
        PID:2724
      - C:\Windows\SysWOW64\EBRR.EXE
        
        C:\Windows\system32\EBRR.EXE -s
        6⤵
        
        PID:2864
      - C:\Windows\SysWOW64\mmtask.exe
        
        C:\Windows\system32\mmtask.exe -s
        6⤵
        
        PID:2752
      - C:\Windows\SVCHOST.EXE
        
        C:\Windows\SVCHOST.EXE -s
        6⤵
        
        PID:2708
      - C:\Windows\system\SVCHOST.EXE
        
        C:\Windows\system\SVCHOST.EXE -s
        6⤵
        
        PID:2924
      - C:\Windows\SysWOW64\EBRR.EXE
        
        C:\Windows\system32\EBRR.EXE -s
        6⤵
        
        PID:2388
      - C:\Windows\SysWOW64\mmtask.exe
        
        C:\Windows\system32\mmtask.exe -s
        6⤵
        
        PID:1304
      - C:\Windows\SVCHOST.EXE
        
        C:\Windows\SVCHOST.EXE -s
        6⤵
        
        PID:2556
      - C:\Windows\system\SVCHOST.EXE
        
        C:\Windows\system\SVCHOST.EXE -s
        6⤵
        
        PID:2016
      - C:\Windows\SysWOW64\EBRR.EXE
        
        C:\Windows\system32\EBRR.EXE -s
        6⤵
        
        PID:1372
      - C:\Windows\SysWOW64\mmtask.exe
        
        C:\Windows\system32\mmtask.exe -s
        6⤵
        
        PID:2412
      - C:\Windows\SVCHOST.EXE
        
        C:\Windows\SVCHOST.EXE -s
        6⤵
        
        PID:2500
      - C:\Windows\system\SVCHOST.EXE
        
        C:\Windows\system\SVCHOST.EXE -s
        6⤵
        
        PID:1484
      - C:\Windows\SysWOW64\EBRR.EXE
        
        C:\Windows\system32\EBRR.EXE -s
        6⤵
        
        PID:2720
      - C:\Windows\SysWOW64\mmtask.exe
        
        C:\Windows\system32\mmtask.exe -s
        6⤵
        
        PID:2712
      - C:\Windows\SVCHOST.EXE
        
        C:\Windows\SVCHOST.EXE -s
        6⤵
        
        PID:2752
      - C:\Windows\system\SVCHOST.EXE
        
        C:\Windows\system\SVCHOST.EXE -s
        6⤵
        
        PID:1720
      - C:\Windows\SysWOW64\EBRR.EXE
        
        C:\Windows\system32\EBRR.EXE -s
        6⤵
        
        PID:2760
      - C:\Windows\SysWOW64\mmtask.exe
        
        C:\Windows\system32\mmtask.exe -s
        6⤵
        
        PID:2996
      - C:\Windows\SVCHOST.EXE
        
        C:\Windows\SVCHOST.EXE -s
        6⤵
        
        PID:1604
      - C:\Windows\system\SVCHOST.EXE
        
        C:\Windows\system\SVCHOST.EXE -s
        6⤵
        
        PID:2600
      - C:\Windows\SysWOW64\EBRR.EXE
        
        C:\Windows\system32\EBRR.EXE -s
        6⤵
        
        PID:2396
      - C:\Windows\SysWOW64\mmtask.exe
        
        C:\Windows\system32\mmtask.exe -s
        6⤵
        
        PID:2904
      - C:\Windows\SVCHOST.EXE
        
        C:\Windows\SVCHOST.EXE -s
        6⤵
        
        PID:2144
      - C:\Windows\system\SVCHOST.EXE
        
        C:\Windows\system\SVCHOST.EXE -s
        6⤵
        
        PID:2460
      - C:\Windows\SysWOW64\EBRR.EXE
        
        C:\Windows\system32\EBRR.EXE -s
        6⤵
        
        PID:1660
      - C:\Windows\SysWOW64\mmtask.exe
        
        C:\Windows\system32\mmtask.exe -s
        6⤵
        
        PID:2024
      - C:\Windows\SVCHOST.EXE
        
        C:\Windows\SVCHOST.EXE -s
        6⤵
        
        PID:2280
      - C:\Windows\system\SVCHOST.EXE
        
        C:\Windows\system\SVCHOST.EXE -s
        6⤵
        
        PID:2360
      - C:\Windows\SysWOW64\EBRR.EXE
        
        C:\Windows\system32\EBRR.EXE -s
        6⤵
        
        PID:2748
      - C:\Windows\SysWOW64\mmtask.exe
        
        C:\Windows\system32\mmtask.exe -s
        6⤵
        
        PID:2344
      - C:\Windows\SVCHOST.EXE
        
        C:\Windows\SVCHOST.EXE -s
        6⤵
        
        PID:2492
      - C:\Windows\system\SVCHOST.EXE
        
        C:\Windows\system\SVCHOST.EXE -s
        6⤵
        
        PID:3052
      - C:\Windows\SysWOW64\EBRR.EXE
        
        C:\Windows\system32\EBRR.EXE -s
        6⤵
        
        PID:2900
      - C:\Windows\SysWOW64\mmtask.exe
        
        C:\Windows\system32\mmtask.exe -s
        6⤵
        
        PID:1700
      - C:\Windows\SVCHOST.EXE
        
        C:\Windows\SVCHOST.EXE -s
        6⤵
        
        PID:1956
      - C:\Windows\system\SVCHOST.EXE
        
        C:\Windows\system\SVCHOST.EXE -s
        6⤵
        
        PID:2696
      - C:\Windows\SysWOW64\EBRR.EXE
        
        C:\Windows\system32\EBRR.EXE -s
        6⤵
        
        PID:2116
      - C:\Windows\SysWOW64\mmtask.exe
        
        C:\Windows\system32\mmtask.exe -s
        6⤵
        
        PID:3068
      - C:\Windows\SVCHOST.EXE
        
        C:\Windows\SVCHOST.EXE -s
        6⤵
        
        PID:2124
      - C:\Windows\system\SVCHOST.EXE
        
        C:\Windows\system\SVCHOST.EXE -s
        6⤵
        
        PID:1676
      - C:\Windows\SysWOW64\EBRR.EXE
        
        C:\Windows\system32\EBRR.EXE -s
        6⤵
        
        PID:2960
      - C:\Windows\SysWOW64\mmtask.exe
        
        C:\Windows\system32\mmtask.exe -s
        6⤵
        
        PID:2544
      - C:\Windows\SVCHOST.EXE
        
        C:\Windows\SVCHOST.EXE -s
        6⤵
        
        PID:2280
      - C:\Windows\system\SVCHOST.EXE
        
        C:\Windows\system\SVCHOST.EXE -s
        6⤵
        
        PID:2024
      - C:\Windows\SysWOW64\EBRR.EXE
        
        C:\Windows\system32\EBRR.EXE -s
        6⤵
        
        PID:2912
      - C:\Windows\SysWOW64\mmtask.exe
        
        C:\Windows\system32\mmtask.exe -s
        6⤵
        
        PID:3016
      - C:\Windows\SVCHOST.EXE
        
        C:\Windows\SVCHOST.EXE -s
        6⤵
        
        PID:2832
      - C:\Windows\system\SVCHOST.EXE
        
        C:\Windows\system\SVCHOST.EXE -s
        6⤵
        
        PID:2548
      - C:\Windows\SysWOW64\EBRR.EXE
        
        C:\Windows\system32\EBRR.EXE -s
        6⤵
        
        PID:2012
      - C:\Windows\SysWOW64\mmtask.exe
        
        C:\Windows\system32\mmtask.exe -s
        6⤵
        
        PID:1112
      - C:\Windows\SVCHOST.EXE
        
        C:\Windows\SVCHOST.EXE -s
        6⤵
        
        PID:2924
      - C:\Windows\system\SVCHOST.EXE
        
        C:\Windows\system\SVCHOST.EXE -s
        6⤵
        
        PID:1312
      - C:\Windows\SysWOW64\EBRR.EXE
        
        C:\Windows\system32\EBRR.EXE -s
        6⤵
        
        PID:1700
      - C:\Windows\SysWOW64\mmtask.exe
        
        C:\Windows\system32\mmtask.exe -s
        6⤵
        
        PID:2396
      - C:\Windows\SVCHOST.EXE
        
        C:\Windows\SVCHOST.EXE -s
        6⤵
        
        PID:2552
      - C:\Windows\system\SVCHOST.EXE
        
        C:\Windows\system\SVCHOST.EXE -s
        6⤵
        
        PID:2116
      - C:\Windows\SysWOW64\EBRR.EXE
        
        C:\Windows\system32\EBRR.EXE -s
        6⤵
        
        PID:1968
      - C:\Windows\SysWOW64\mmtask.exe
        
        C:\Windows\system32\mmtask.exe -s
        6⤵
        
        PID:1704
      - C:\Windows\SVCHOST.EXE
        
        C:\Windows\SVCHOST.EXE -s
        6⤵
        
        PID:2056
      - C:\Windows\system\SVCHOST.EXE
        
        C:\Windows\system\SVCHOST.EXE -s
        6⤵
        
        PID:316
      - C:\Windows\SysWOW64\EBRR.EXE
        
        C:\Windows\system32\EBRR.EXE -s
        6⤵
        
        PID:1632
      - C:\Windows\SysWOW64\mmtask.exe
        
        C:\Windows\system32\mmtask.exe -s
        6⤵
        
        PID:2932
      - C:\Windows\SVCHOST.EXE
        
        C:\Windows\SVCHOST.EXE -s
        6⤵
        
        PID:596
      - C:\Windows\system\SVCHOST.EXE
        
        C:\Windows\system\SVCHOST.EXE -s
        6⤵
        
        PID:1064
      - C:\Windows\SysWOW64\EBRR.EXE
        
        C:\Windows\system32\EBRR.EXE -s
        6⤵
        
        PID:2688
      - C:\Windows\SysWOW64\mmtask.exe
        
        C:\Windows\system32\mmtask.exe -s
        6⤵
        
        PID:2788
      - C:\Windows\SVCHOST.EXE
        
        C:\Windows\SVCHOST.EXE -s
        6⤵
        
        PID:2740
      - C:\Windows\system\SVCHOST.EXE
        
        C:\Windows\system\SVCHOST.EXE -s
        6⤵
        
        PID:2608
      - C:\Windows\SysWOW64\EBRR.EXE
        
        C:\Windows\system32\EBRR.EXE -s
        6⤵
        
        PID:2468
      - C:\Windows\SysWOW64\mmtask.exe
        
        C:\Windows\system32\mmtask.exe -s
        6⤵
        
        PID:1432
      - C:\Windows\SVCHOST.EXE
        
        C:\Windows\SVCHOST.EXE -s
        6⤵
        
        PID:2476
      - C:\Windows\system\SVCHOST.EXE
        
        C:\Windows\system\SVCHOST.EXE -s
        6⤵
        
        PID:1288
      - C:\Windows\SysWOW64\EBRR.EXE
        
        C:\Windows\system32\EBRR.EXE -s
        6⤵
        
        PID:2396
      - C:\Windows\SysWOW64\mmtask.exe
        
        C:\Windows\system32\mmtask.exe -s
        6⤵
        
        PID:2116
      - C:\Windows\SVCHOST.EXE
        
        C:\Windows\SVCHOST.EXE -s
        6⤵
        
        PID:2016
      - C:\Windows\system\SVCHOST.EXE
        
        C:\Windows\system\SVCHOST.EXE -s
        6⤵
        
        PID:1600
      - C:\Windows\SysWOW64\EBRR.EXE
        
        C:\Windows\system32\EBRR.EXE -s
        6⤵
        
        PID:2632
      - C:\Windows\SysWOW64\mmtask.exe
        
        C:\Windows\system32\mmtask.exe -s
        6⤵
        
        PID:1992
      - C:\Windows\SVCHOST.EXE
        
        C:\Windows\SVCHOST.EXE -s
        6⤵
        
        PID:2276
      - C:\Windows\system\SVCHOST.EXE
        
        C:\Windows\system\SVCHOST.EXE -s
        6⤵
        
        PID:2344
      - C:\Windows\SysWOW64\EBRR.EXE
        
        C:\Windows\system32\EBRR.EXE -s
        6⤵
        
        PID:2852
      - C:\Windows\SysWOW64\mmtask.exe
        
        C:\Windows\system32\mmtask.exe -s
        6⤵
        
        PID:2764
      - C:\Windows\SVCHOST.EXE
        
        C:\Windows\SVCHOST.EXE -s
        6⤵
        
        PID:2888
      - C:\Windows\system\SVCHOST.EXE
        
        C:\Windows\system\SVCHOST.EXE -s
        6⤵
        
        PID:2752
      - C:\Windows\SysWOW64\EBRR.EXE
        
        C:\Windows\system32\EBRR.EXE -s
        6⤵
        
        PID:2776
      - C:\Windows\SysWOW64\mmtask.exe
        
        C:\Windows\system32\mmtask.exe -s
        6⤵
        
        PID:2880
      - C:\Windows\SVCHOST.EXE
        
        C:\Windows\SVCHOST.EXE -s
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:2652
      - C:\Windows\system\SVCHOST.EXE
        
        C:\Windows\system\SVCHOST.EXE -s
        6⤵
        
        PID:2152
      - C:\Windows\SysWOW64\EBRR.EXE
        
        C:\Windows\system32\EBRR.EXE -s
        6⤵
        
        PID:2396
      - C:\Windows\SysWOW64\mmtask.exe
        
        C:\Windows\system32\mmtask.exe -s
        6⤵
        
        PID:1356
      - C:\Windows\SVCHOST.EXE
        
        C:\Windows\SVCHOST.EXE -s
        6⤵
        
        PID:2252
      - C:\Windows\system\SVCHOST.EXE
        
        C:\Windows\system\SVCHOST.EXE -s
        6⤵
        
        PID:1780
      - C:\Windows\SysWOW64\EBRR.EXE
        
        C:\Windows\system32\EBRR.EXE -s
        6⤵
        
        PID:2240
      - C:\Windows\SysWOW64\mmtask.exe
        
        C:\Windows\system32\mmtask.exe -s
        6⤵
        
        PID:968
      - C:\Windows\SVCHOST.EXE
        
        C:\Windows\SVCHOST.EXE -s
        6⤵
        
        PID:2172
      - C:\Windows\system\SVCHOST.EXE
        
        C:\Windows\system\SVCHOST.EXE -s
        6⤵
        
        PID:816
      - C:\Windows\SysWOW64\EBRR.EXE
        
        C:\Windows\system32\EBRR.EXE -s
        6⤵
        
        PID:2812
      - C:\Windows\SysWOW64\mmtask.exe
        
        C:\Windows\system32\mmtask.exe -s
        6⤵
        
        PID:2788
      - C:\Windows\SVCHOST.EXE
        
        C:\Windows\SVCHOST.EXE -s
        6⤵
        
        PID:2888
      - C:\Windows\system\SVCHOST.EXE
        
        C:\Windows\system\SVCHOST.EXE -s
        6⤵
        
        PID:2708
      - C:\Windows\SysWOW64\EBRR.EXE
        
        C:\Windows\system32\EBRR.EXE -s
        6⤵
        
        PID:2924
      - C:\Windows\SysWOW64\mmtask.exe
        
        C:\Windows\system32\mmtask.exe -s
        6⤵
        
        PID:1432
      - C:\Windows\SVCHOST.EXE
        
        C:\Windows\SVCHOST.EXE -s
        6⤵
        
        PID:840
      - C:\Windows\system\SVCHOST.EXE
        
        C:\Windows\system\SVCHOST.EXE -s
        6⤵
        
        PID:1612
      - C:\Windows\SysWOW64\EBRR.EXE
        
        C:\Windows\system32\EBRR.EXE -s
        6⤵
        
        PID:2124
      - C:\Windows\SysWOW64\mmtask.exe
        
        C:\Windows\system32\mmtask.exe -s
        6⤵
        
        PID:1924
      - C:\Windows\SVCHOST.EXE
        
        C:\Windows\SVCHOST.EXE -s
        6⤵
        
        PID:1740
      - C:\Windows\system\SVCHOST.EXE
        
        C:\Windows\system\SVCHOST.EXE -s
        6⤵
        
        PID:1748
      - C:\Windows\SysWOW64\EBRR.EXE
        
        C:\Windows\system32\EBRR.EXE -s
        6⤵
        
        PID:2240
      - C:\Windows\SysWOW64\mmtask.exe
        
        C:\Windows\system32\mmtask.exe -s
        6⤵
        
        PID:956
      - C:\Windows\SVCHOST.EXE
        
        C:\Windows\SVCHOST.EXE -s
        6⤵
        
        PID:1636
      - C:\Windows\system\SVCHOST.EXE
        
        C:\Windows\system\SVCHOST.EXE -s
        6⤵
        
        PID:2020
      - C:\Windows\SysWOW64\EBRR.EXE
        
        C:\Windows\system32\EBRR.EXE -s
        6⤵
        
        PID:2816
      - C:\Windows\SysWOW64\mmtask.exe
        
        C:\Windows\system32\mmtask.exe -s
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:2720
      - C:\Windows\SVCHOST.EXE
        
        C:\Windows\SVCHOST.EXE -s
        6⤵
        
        PID:3044
      - C:\Windows\system\SVCHOST.EXE
        
        C:\Windows\system\SVCHOST.EXE -s
        6⤵
        
        PID:1688
      - C:\Windows\SysWOW64\EBRR.EXE
        
        C:\Windows\system32\EBRR.EXE -s
        6⤵
        
        PID:2112
      - C:\Windows\SysWOW64\mmtask.exe
        
        C:\Windows\system32\mmtask.exe -s
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:2848
      - C:\Windows\SVCHOST.EXE
        
        C:\Windows\SVCHOST.EXE -s
        6⤵
        
        PID:2636
      - C:\Windows\system\SVCHOST.EXE
        
        C:\Windows\system\SVCHOST.EXE -s
        6⤵
        
        PID:2716
      - C:\Windows\SysWOW64\EBRR.EXE
        
        C:\Windows\system32\EBRR.EXE -s
        6⤵
        
        PID:3060
      - C:\Windows\SysWOW64\mmtask.exe
        
        C:\Windows\system32\mmtask.exe -s
        6⤵
        
        PID:2448
      - C:\Windows\SVCHOST.EXE
        
        C:\Windows\SVCHOST.EXE -s
        6⤵
        
        PID:292
      - C:\Windows\system\SVCHOST.EXE
        
        C:\Windows\system\SVCHOST.EXE -s
        6⤵
        
        PID:2552
      - C:\Windows\SysWOW64\EBRR.EXE
        
        C:\Windows\system32\EBRR.EXE -s
        6⤵
        
        PID:2532
      - C:\Windows\SysWOW64\mmtask.exe
        
        C:\Windows\system32\mmtask.exe -s
        6⤵
        
        PID:1960
      - C:\Windows\SVCHOST.EXE
        
        C:\Windows\SVCHOST.EXE -s
        6⤵
        
        PID:1016
      - C:\Windows\system\SVCHOST.EXE
        
        C:\Windows\system\SVCHOST.EXE -s
        6⤵
        
        PID:2424
      - C:\Windows\SysWOW64\EBRR.EXE
        
        C:\Windows\system32\EBRR.EXE -s
        6⤵
        
        PID:2472
      - C:\Windows\SysWOW64\mmtask.exe
        
        C:\Windows\system32\mmtask.exe -s
        6⤵
        
        PID:2140
      - C:\Windows\SVCHOST.EXE
        
        C:\Windows\SVCHOST.EXE -s
        6⤵
        
        PID:2956
      - C:\Windows\system\SVCHOST.EXE
        
        C:\Windows\system\SVCHOST.EXE -s
        6⤵
        
        PID:2460
      - C:\Windows\SysWOW64\EBRR.EXE
        
        C:\Windows\system32\EBRR.EXE -s
        6⤵
        
        PID:2112
      - C:\Windows\SysWOW64\mmtask.exe
        
        C:\Windows\system32\mmtask.exe -s
        6⤵
        
        PID:1252
      - C:\Windows\SVCHOST.EXE
        
        C:\Windows\SVCHOST.EXE -s
        6⤵
        
        PID:1956
      - C:\Windows\system\SVCHOST.EXE
        
        C:\Windows\system\SVCHOST.EXE -s
        6⤵
        
        PID:840
      - C:\Windows\SysWOW64\EBRR.EXE
        
        C:\Windows\system32\EBRR.EXE -s
        6⤵
        
        PID:1604
      - C:\Windows\SysWOW64\mmtask.exe
        
        C:\Windows\system32\mmtask.exe -s
        6⤵
        
        PID:2552
      - C:\Windows\SVCHOST.EXE
        
        C:\Windows\SVCHOST.EXE -s
        6⤵
        
        PID:1588
      - C:\Windows\system\SVCHOST.EXE
        
        C:\Windows\system\SVCHOST.EXE -s
        6⤵
        
        PID:2560
      - C:\Windows\SysWOW64\EBRR.EXE
        
        C:\Windows\system32\EBRR.EXE -s
        6⤵
        
        PID:2296
      - C:\Windows\SysWOW64\mmtask.exe
        
        C:\Windows\system32\mmtask.exe -s
        6⤵
        
        PID:2172
      - C:\Windows\SVCHOST.EXE
        
        C:\Windows\SVCHOST.EXE -s
        6⤵
        
        PID:2372
      - C:\Windows\system\SVCHOST.EXE
        
        C:\Windows\system\SVCHOST.EXE -s
        6⤵
        
        PID:2864
      - C:\Windows\SysWOW64\EBRR.EXE
        
        C:\Windows\system32\EBRR.EXE -s
        6⤵
        
        PID:2736
      - C:\Windows\SysWOW64\mmtask.exe
        
        C:\Windows\system32\mmtask.exe -s
        6⤵
        
        PID:2756
      - C:\Windows\SVCHOST.EXE
        
        C:\Windows\SVCHOST.EXE -s
        6⤵
        
        PID:2688
      - C:\Windows\system\SVCHOST.EXE
        
        C:\Windows\system\SVCHOST.EXE -s
        6⤵
        
        PID:2440
      - C:\Windows\SysWOW64\EBRR.EXE
        
        C:\Windows\system32\EBRR.EXE -s
        6⤵
        
        PID:2128
      - C:\Windows\SysWOW64\mmtask.exe
        
        C:\Windows\system32\mmtask.exe -s
        6⤵
        
        PID:1712
    - - C:\Windows\SysWOW64\EBRR.EXE
        
        C:\Windows\system32\EBRR.EXE -s
        5⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2036
    - - C:\Windows\SysWOW64\mmtask.exe
        
        C:\Windows\system32\mmtask.exe -s
        5⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:3056
    - - C:\Windows\SVCHOST.EXE
        
        C:\Windows\SVCHOST.EXE -s
        5⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1872
    - - C:\Windows\system\SVCHOST.EXE
        
        C:\Windows\system\SVCHOST.EXE -s
        5⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1128
    - - C:\Windows\SysWOW64\EBRR.EXE
        
        C:\Windows\system32\EBRR.EXE -s
        5⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2172
    - - C:\Windows\SysWOW64\mmtask.exe
        
        C:\Windows\system32\mmtask.exe -s
        5⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2492
    - - C:\Windows\SVCHOST.EXE
        
        C:\Windows\SVCHOST.EXE -s
        5⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:576
    - - C:\Windows\system\SVCHOST.EXE
        
        C:\Windows\system\SVCHOST.EXE -s
        5⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2740
    - - C:\Windows\SysWOW64\EBRR.EXE
        
        C:\Windows\system32\EBRR.EXE -s
        5⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2856
    - - C:\Windows\SysWOW64\mmtask.exe
        
        C:\Windows\system32\mmtask.exe -s
        5⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:644
    - - C:\Windows\SVCHOST.EXE
        
        C:\Windows\SVCHOST.EXE -s
        5⤵
        
        PID:1916
    - - C:\Windows\system\SVCHOST.EXE
        
        C:\Windows\system\SVCHOST.EXE -s
        5⤵
        
        PID:2916
    - - C:\Windows\SysWOW64\EBRR.EXE
        
        C:\Windows\system32\EBRR.EXE -s
        5⤵
        
        PID:2212
    - - C:\Windows\SysWOW64\mmtask.exe
        
        C:\Windows\system32\mmtask.exe -s
        5⤵
        
        PID:1536
    - - C:\Windows\SVCHOST.EXE
        
        C:\Windows\SVCHOST.EXE -s
        5⤵
        
        PID:1800
    - - C:\Windows\system\SVCHOST.EXE
        
        C:\Windows\system\SVCHOST.EXE -s
        5⤵
        
        PID:704
    - - C:\Windows\SysWOW64\EBRR.EXE
        
        C:\Windows\system32\EBRR.EXE -s
        5⤵
        
        PID:2196
    - - C:\Windows\SysWOW64\mmtask.exe
        
        C:\Windows\system32\mmtask.exe -s
        5⤵
        
        PID:2688
    - - C:\Windows\SVCHOST.EXE
        
        C:\Windows\SVCHOST.EXE -s
        5⤵
        
        PID:2740
    - - C:\Windows\system\SVCHOST.EXE
        
        C:\Windows\system\SVCHOST.EXE -s
        5⤵
        
        PID:2604
    - - C:\Windows\SysWOW64\EBRR.EXE
        
        C:\Windows\system32\EBRR.EXE -s
        5⤵
        
        PID:2856
    - - C:\Windows\SysWOW64\mmtask.exe
        
        C:\Windows\system32\mmtask.exe -s
        5⤵
        
        PID:2608
    - - C:\Windows\SVCHOST.EXE
        
        C:\Windows\SVCHOST.EXE -s
        5⤵
        
        PID:1252
    - - C:\Windows\system\SVCHOST.EXE
        
        C:\Windows\system\SVCHOST.EXE -s
        5⤵
        
        PID:1304
    - - C:\Windows\SysWOW64\EBRR.EXE
        
        C:\Windows\system32\EBRR.EXE -s
        5⤵
        
        PID:2208
    - - C:\Windows\SysWOW64\mmtask.exe
        
        C:\Windows\system32\mmtask.exe -s
        5⤵
        
        PID:2068
    - - C:\Windows\SVCHOST.EXE
        
        C:\Windows\SVCHOST.EXE -s
        5⤵
        
        PID:2240
    - - C:\Windows\system\SVCHOST.EXE
        
        C:\Windows\system\SVCHOST.EXE -s
        5⤵
        
        PID:1372
    - - C:\Windows\SysWOW64\EBRR.EXE
        
        C:\Windows\system32\EBRR.EXE -s
        5⤵
        
        PID:2512
    - - C:\Windows\SysWOW64\mmtask.exe
        
        C:\Windows\system32\mmtask.exe -s
        5⤵
        
        PID:884
    - - C:\Windows\SVCHOST.EXE
        
        C:\Windows\SVCHOST.EXE -s
        5⤵
        
        PID:2408
    - - C:\Windows\system\SVCHOST.EXE
        
        C:\Windows\system\SVCHOST.EXE -s
        5⤵
        
        PID:2112
    - - C:\Windows\SysWOW64\EBRR.EXE
        
        C:\Windows\system32\EBRR.EXE -s
        5⤵
        
        PID:2392
    - - C:\Windows\SysWOW64\mmtask.exe
        
        C:\Windows\system32\mmtask.exe -s
        5⤵
        
        PID:2600
    - - C:\Windows\SVCHOST.EXE
        
        C:\Windows\SVCHOST.EXE -s
        5⤵
        
        PID:1756
    - - C:\Windows\system\SVCHOST.EXE
        
        C:\Windows\system\SVCHOST.EXE -s
        5⤵
        
        PID:820
    - - C:\Windows\SysWOW64\EBRR.EXE
        
        C:\Windows\system32\EBRR.EXE -s
        5⤵
        
        PID:2220
    - - C:\Windows\SysWOW64\mmtask.exe
        
        C:\Windows\system32\mmtask.exe -s
        5⤵
        
        PID:1276
    - - C:\Windows\SVCHOST.EXE
        
        C:\Windows\SVCHOST.EXE -s
        5⤵
        
        PID:2324
    - - C:\Windows\system\SVCHOST.EXE
        
        C:\Windows\system\SVCHOST.EXE -s
        5⤵
        
        PID:1380
    - - C:\Windows\SysWOW64\EBRR.EXE
        
        C:\Windows\system32\EBRR.EXE -s
        5⤵
        
        PID:2500
    - - C:\Windows\SysWOW64\mmtask.exe
        
        C:\Windows\system32\mmtask.exe -s
        5⤵
        
        PID:1688
    - - C:\Windows\SVCHOST.EXE
        
        C:\Windows\SVCHOST.EXE -s
        5⤵
        
        PID:2824
    - - C:\Windows\system\SVCHOST.EXE
        
        C:\Windows\system\SVCHOST.EXE -s
        5⤵
        
        PID:2828
    - - C:\Windows\SysWOW64\EBRR.EXE
        
        C:\Windows\system32\EBRR.EXE -s
        5⤵
        
        PID:2652
    - - C:\Windows\SysWOW64\mmtask.exe
        
        C:\Windows\system32\mmtask.exe -s
        5⤵
        
        PID:1312
    - - C:\Windows\SVCHOST.EXE
        
        C:\Windows\SVCHOST.EXE -s
        5⤵
        
        PID:1168
    - - C:\Windows\system\SVCHOST.EXE
        
        C:\Windows\system\SVCHOST.EXE -s
        5⤵
        
        PID:2904
    - - C:\Windows\SysWOW64\EBRR.EXE
        
        C:\Windows\system32\EBRR.EXE -s
        5⤵
        
        PID:2220
    - - C:\Windows\SysWOW64\mmtask.exe
        
        C:\Windows\system32\mmtask.exe -s
        5⤵
        
        PID:1276
    - - C:\Windows\SVCHOST.EXE
        
        C:\Windows\SVCHOST.EXE -s
        5⤵
        
        PID:2200
    - - C:\Windows\system\SVCHOST.EXE
        
        C:\Windows\system\SVCHOST.EXE -s
        5⤵
        
        PID:1800
    - - C:\Windows\SysWOW64\EBRR.EXE
        
        C:\Windows\system32\EBRR.EXE -s
        5⤵
        
        PID:1668
    - - C:\Windows\SysWOW64\mmtask.exe
        
        C:\Windows\system32\mmtask.exe -s
        5⤵
        
        PID:2244
    - - C:\Windows\SVCHOST.EXE
        
        C:\Windows\SVCHOST.EXE -s
        5⤵
        
        PID:2788
    - - C:\Windows\system\SVCHOST.EXE
        
        C:\Windows\system\SVCHOST.EXE -s
        5⤵
        
        PID:2736
    - - C:\Windows\SysWOW64\EBRR.EXE
        
        C:\Windows\system32\EBRR.EXE -s
        5⤵
        
        PID:2668
    - - C:\Windows\SysWOW64\mmtask.exe
        
        C:\Windows\system32\mmtask.exe -s
        5⤵
        
        PID:3036
    - - C:\Windows\SVCHOST.EXE
        
        C:\Windows\SVCHOST.EXE -s
        5⤵
        
        PID:1620
    - - C:\Windows\system\SVCHOST.EXE
        
        C:\Windows\system\SVCHOST.EXE -s
        5⤵
        
        PID:2584
    - - C:\Windows\SysWOW64\EBRR.EXE
        
        C:\Windows\system32\EBRR.EXE -s
        5⤵
        
        PID:2120
    - - C:\Windows\SysWOW64\mmtask.exe
        
        C:\Windows\system32\mmtask.exe -s
        5⤵
        
        PID:2124
    - - C:\Windows\SVCHOST.EXE
        
        C:\Windows\SVCHOST.EXE -s
        5⤵
        
        PID:1960
    - - C:\Windows\system\SVCHOST.EXE
        
        C:\Windows\system\SVCHOST.EXE -s
        5⤵
        
        PID:2540
    - - C:\Windows\SysWOW64\EBRR.EXE
        
        C:\Windows\system32\EBRR.EXE -s
        5⤵
        
        PID:912
    - - C:\Windows\SysWOW64\mmtask.exe
        
        C:\Windows\system32\mmtask.exe -s
        5⤵
        
        PID:2184
    - - C:\Windows\SVCHOST.EXE
        
        C:\Windows\SVCHOST.EXE -s
        5⤵
        
        PID:2808
    - - C:\Windows\system\SVCHOST.EXE
        
        C:\Windows\system\SVCHOST.EXE -s
        5⤵
        
        PID:2700
    - - C:\Windows\SysWOW64\EBRR.EXE
        
        C:\Windows\system32\EBRR.EXE -s
        5⤵
        
        PID:2688
    - - C:\Windows\SysWOW64\mmtask.exe
        
        C:\Windows\system32\mmtask.exe -s
        5⤵
        
        PID:2112
    - - C:\Windows\SVCHOST.EXE
        
        C:\Windows\SVCHOST.EXE -s
        5⤵
        
        PID:644
    - - C:\Windows\system\SVCHOST.EXE
        
        C:\Windows\system\SVCHOST.EXE -s
        5⤵
        
        PID:2608
    - - C:\Windows\SysWOW64\EBRR.EXE
        
        C:\Windows\system32\EBRR.EXE -s
        5⤵
        
        PID:2592
    - - C:\Windows\SysWOW64\mmtask.exe
        
        C:\Windows\system32\mmtask.exe -s
        5⤵
        
        PID:2584
    - - C:\Windows\SVCHOST.EXE
        
        C:\Windows\SVCHOST.EXE -s
        5⤵
        
        PID:3028
    - - C:\Windows\system\SVCHOST.EXE
        
        C:\Windows\system\SVCHOST.EXE -s
        5⤵
        
        PID:2192
    - - C:\Windows\SysWOW64\EBRR.EXE
        
        C:\Windows\system32\EBRR.EXE -s
        5⤵
        
        PID:1676
    - - C:\Windows\SysWOW64\mmtask.exe
        
        C:\Windows\system32\mmtask.exe -s
        5⤵
        
        PID:888
    - - C:\Windows\SVCHOST.EXE
        
        C:\Windows\SVCHOST.EXE -s
        5⤵
        
        PID:1276
    - - C:\Windows\system\SVCHOST.EXE
        
        C:\Windows\system\SVCHOST.EXE -s
        5⤵
        
        PID:2240
    - - C:\Windows\SysWOW64\EBRR.EXE
        
        C:\Windows\system32\EBRR.EXE -s
        5⤵
        
        PID:1372
    - - C:\Windows\SysWOW64\mmtask.exe
        
        C:\Windows\system32\mmtask.exe -s
        5⤵
        
        PID:1064
    - - C:\Windows\SVCHOST.EXE
        
        C:\Windows\SVCHOST.EXE -s
        5⤵
        
        PID:2364
    - - C:\Windows\system\SVCHOST.EXE
        
        C:\Windows\system\SVCHOST.EXE -s
        5⤵
        
        PID:2784
    - - C:\Windows\SysWOW64\EBRR.EXE
        
        C:\Windows\system32\EBRR.EXE -s
        5⤵
        
        PID:2812
    - - C:\Windows\SysWOW64\mmtask.exe
        
        C:\Windows\system32\mmtask.exe -s
        5⤵
        
        PID:3048
    - - C:\Windows\SVCHOST.EXE
        
        C:\Windows\SVCHOST.EXE -s
        5⤵
        
        PID:2312
    - - C:\Windows\system\SVCHOST.EXE
        
        C:\Windows\system\SVCHOST.EXE -s
        5⤵
        
        PID:644
    - - C:\Windows\SysWOW64\EBRR.EXE
        
        C:\Windows\system32\EBRR.EXE -s
        5⤵
        
        PID:1612
    - - C:\Windows\SysWOW64\mmtask.exe
        
        C:\Windows\system32\mmtask.exe -s
        5⤵
        
        PID:3036
    - - C:\Windows\SVCHOST.EXE
        
        C:\Windows\SVCHOST.EXE -s
        5⤵
        
        PID:2188
    - - C:\Windows\system\SVCHOST.EXE
        
        C:\Windows\system\SVCHOST.EXE -s
        5⤵
        
        PID:2448
    - - C:\Windows\SysWOW64\EBRR.EXE
        
        C:\Windows\system32\EBRR.EXE -s
        5⤵
        
        PID:2252
    - - C:\Windows\SysWOW64\mmtask.exe
        
        C:\Windows\system32\mmtask.exe -s
        5⤵
        
        PID:1780
    - - C:\Windows\SVCHOST.EXE
        
        C:\Windows\SVCHOST.EXE -s
        5⤵
        
        PID:2532
    - - C:\Windows\system\SVCHOST.EXE
        
        C:\Windows\system\SVCHOST.EXE -s
        5⤵
        
        PID:592
    - - C:\Windows\SysWOW64\EBRR.EXE
        
        C:\Windows\system32\EBRR.EXE -s
        5⤵
        
        PID:2472
    - - C:\Windows\SysWOW64\mmtask.exe
        
        C:\Windows\system32\mmtask.exe -s
        5⤵
        
        PID:884
    - - C:\Windows\SVCHOST.EXE
        
        C:\Windows\SVCHOST.EXE -s
        5⤵
        
        PID:788
    - - C:\Windows\system\SVCHOST.EXE
        
        C:\Windows\system\SVCHOST.EXE -s
        5⤵
        
        PID:2492
    - - C:\Windows\SysWOW64\EBRR.EXE
        
        C:\Windows\system32\EBRR.EXE -s
        5⤵
        
        PID:876
    - - C:\Windows\SysWOW64\mmtask.exe
        
        C:\Windows\system32\mmtask.exe -s
        5⤵
        
        PID:2112
    - - C:\Windows\SVCHOST.EXE
        
        C:\Windows\SVCHOST.EXE -s
        5⤵
        
        PID:2644
    - - C:\Windows\system\SVCHOST.EXE
        
        C:\Windows\system\SVCHOST.EXE -s
        5⤵
        
        PID:3012
    - - C:\Windows\SysWOW64\EBRR.EXE
        
        C:\Windows\system32\EBRR.EXE -s
        5⤵
        
        PID:868
    - - C:\Windows\SysWOW64\mmtask.exe
        
        C:\Windows\system32\mmtask.exe -s
        5⤵
        
        PID:2192
    - - C:\Windows\SVCHOST.EXE
        
        C:\Windows\SVCHOST.EXE -s
        5⤵
        
        PID:2856
    - - C:\Windows\system\SVCHOST.EXE
        
        C:\Windows\system\SVCHOST.EXE -s
        5⤵
        
        PID:3068
    - - C:\Windows\SysWOW64\EBRR.EXE
        
        C:\Windows\system32\EBRR.EXE -s
        5⤵
        
        PID:1748
    - - C:\Windows\SysWOW64\mmtask.exe
        
        C:\Windows\system32\mmtask.exe -s
        5⤵
        
        PID:1648
    - - C:\Windows\SVCHOST.EXE
        
        C:\Windows\SVCHOST.EXE -s
        5⤵
        
        PID:1016
    - - C:\Windows\system\SVCHOST.EXE
        
        C:\Windows\system\SVCHOST.EXE -s
        5⤵
        
        PID:1800
    - - C:\Windows\SysWOW64\EBRR.EXE
        
        C:\Windows\system32\EBRR.EXE -s
        5⤵
        
        PID:2364
    - - C:\Windows\SysWOW64\mmtask.exe
        
        C:\Windows\system32\mmtask.exe -s
        5⤵
        
        PID:2680
    - - C:\Windows\SVCHOST.EXE
        
        C:\Windows\SVCHOST.EXE -s
        5⤵
        
        PID:2308
    - - C:\Windows\system\SVCHOST.EXE
        
        C:\Windows\system\SVCHOST.EXE -s
        5⤵
        
        PID:2816
    - - C:\Windows\SysWOW64\EBRR.EXE
        
        C:\Windows\system32\EBRR.EXE -s
        5⤵
        
        PID:2196
    - - C:\Windows\SysWOW64\mmtask.exe
        
        C:\Windows\system32\mmtask.exe -s
        5⤵
        
        PID:3032
    - - C:\Windows\SVCHOST.EXE
        
        C:\Windows\SVCHOST.EXE -s
        5⤵
        
        PID:1804
    - - C:\Windows\system\SVCHOST.EXE
        
        C:\Windows\system\SVCHOST.EXE -s
        5⤵
        
        PID:1420
    - - C:\Windows\SysWOW64\EBRR.EXE
        
        C:\Windows\system32\EBRR.EXE -s
        5⤵
        
        PID:2152
    - - C:\Windows\SysWOW64\mmtask.exe
        
        C:\Windows\system32\mmtask.exe -s
        5⤵
        
        PID:540
    - - C:\Windows\SVCHOST.EXE
        
        C:\Windows\SVCHOST.EXE -s
        5⤵
        
        PID:2664
    - - C:\Windows\system\SVCHOST.EXE
        
        C:\Windows\system\SVCHOST.EXE -s
        5⤵
        
        PID:1604
    - - C:\Windows\SysWOW64\EBRR.EXE
        
        C:\Windows\system32\EBRR.EXE -s
        5⤵
        
        PID:1968
    - - C:\Windows\SysWOW64\mmtask.exe
        
        C:\Windows\system32\mmtask.exe -s
        5⤵
        
        PID:1784
    - - C:\Windows\SVCHOST.EXE
        
        C:\Windows\SVCHOST.EXE -s
        5⤵
        
        PID:1660
    - - C:\Windows\system\SVCHOST.EXE
        
        C:\Windows\system\SVCHOST.EXE -s
        5⤵
        
        PID:1776
    - - C:\Windows\SysWOW64\EBRR.EXE
        
        C:\Windows\system32\EBRR.EXE -s
        5⤵
        
        PID:2412
    - - C:\Windows\SysWOW64\mmtask.exe
        
        C:\Windows\system32\mmtask.exe -s
        5⤵
        
        PID:2756
    - - C:\Windows\SVCHOST.EXE
        
        C:\Windows\SVCHOST.EXE -s
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:3016
    - - C:\Windows\system\SVCHOST.EXE
        
        C:\Windows\system\SVCHOST.EXE -s
        5⤵
        
        PID:2492
    - - C:\Windows\SysWOW64\EBRR.EXE
        
        C:\Windows\system32\EBRR.EXE -s
        5⤵
        
        PID:2920
    - - C:\Windows\SysWOW64\mmtask.exe
        
        C:\Windows\system32\mmtask.exe -s
        5⤵
        
        PID:2460
    - - C:\Windows\SVCHOST.EXE
        
        C:\Windows\SVCHOST.EXE -s
        5⤵
        
        PID:2820
    - - C:\Windows\system\SVCHOST.EXE
        
        C:\Windows\system\SVCHOST.EXE -s
        5⤵
        
        PID:2876
    - - C:\Windows\SysWOW64\EBRR.EXE
        
        C:\Windows\system32\EBRR.EXE -s
        5⤵
        
        PID:3012
    - - C:\Windows\SysWOW64\mmtask.exe
        
        C:\Windows\system32\mmtask.exe -s
        5⤵
        
        PID:2844
    - - C:\Windows\SVCHOST.EXE
        
        C:\Windows\SVCHOST.EXE -s
        5⤵
        
        PID:2236
    - - C:\Windows\system\SVCHOST.EXE
        
        C:\Windows\system\SVCHOST.EXE -s
        5⤵
        
        PID:3036
    - - C:\Windows\SysWOW64\EBRR.EXE
        
        C:\Windows\system32\EBRR.EXE -s
        5⤵
        
        PID:2216
    - - C:\Windows\SysWOW64\mmtask.exe
        
        C:\Windows\system32\mmtask.exe -s
        5⤵
        
        PID:1528
    - - C:\Windows\SVCHOST.EXE
        
        C:\Windows\SVCHOST.EXE -s
        5⤵
        
        PID:2932
    - - C:\Windows\system\SVCHOST.EXE
        
        C:\Windows\system\SVCHOST.EXE -s
        5⤵
        
        PID:2020
    - - C:\Windows\SysWOW64\EBRR.EXE
        
        C:\Windows\system32\EBRR.EXE -s
        5⤵
        
        PID:2432
    - - C:\Windows\SysWOW64\mmtask.exe
        
        C:\Windows\system32\mmtask.exe -s
        5⤵
        
        PID:320
    - - C:\Windows\SVCHOST.EXE
        
        C:\Windows\SVCHOST.EXE -s
        5⤵
        
        PID:1364
    - - C:\Windows\system\SVCHOST.EXE
        
        C:\Windows\system\SVCHOST.EXE -s
        5⤵
        
        PID:2440
    - - C:\Windows\SysWOW64\EBRR.EXE
        
        C:\Windows\system32\EBRR.EXE -s
        5⤵
        
        PID:584
    - - C:\Windows\SysWOW64\mmtask.exe
        
        C:\Windows\system32\mmtask.exe -s
        5⤵
        
        PID:2616
    - - C:\Windows\SVCHOST.EXE
        
        C:\Windows\SVCHOST.EXE -s
        5⤵
        
        PID:860
    - - C:\Windows\system\SVCHOST.EXE
        
        C:\Windows\system\SVCHOST.EXE -s
        5⤵
        
        PID:2612
    - - C:\Windows\SysWOW64\EBRR.EXE
        
        C:\Windows\system32\EBRR.EXE -s
        5⤵
        
        PID:1596
    - - C:\Windows\SysWOW64\mmtask.exe
        
        C:\Windows\system32\mmtask.exe -s
        5⤵
        
        PID:2652
    - - C:\Windows\SVCHOST.EXE
        
        C:\Windows\SVCHOST.EXE -s
        5⤵
        
        PID:2248
    - - C:\Windows\system\SVCHOST.EXE
        
        C:\Windows\system\SVCHOST.EXE -s
        5⤵
        
        PID:292
    - - C:\Windows\SysWOW64\EBRR.EXE
        
        C:\Windows\system32\EBRR.EXE -s
        5⤵
        
        PID:1536
    - - C:\Windows\SysWOW64\mmtask.exe
        
        C:\Windows\system32\mmtask.exe -s
        5⤵
        
        PID:1868
    - - C:\Windows\SVCHOST.EXE
        
        C:\Windows\SVCHOST.EXE -s
        5⤵
        
        PID:592
    - - C:\Windows\system\SVCHOST.EXE
        
        C:\Windows\system\SVCHOST.EXE -s
        5⤵
        
        PID:2056
    - - C:\Windows\SysWOW64\EBRR.EXE
        
        C:\Windows\system32\EBRR.EXE -s
        5⤵
        
        PID:2632
    - - C:\Windows\SysWOW64\mmtask.exe
        
        C:\Windows\system32\mmtask.exe -s
        5⤵
        
        PID:2216
    - - C:\Windows\SVCHOST.EXE
        
        C:\Windows\SVCHOST.EXE -s
        5⤵
        
        PID:2576
    - - C:\Windows\system\SVCHOST.EXE
        
        C:\Windows\system\SVCHOST.EXE -s
        5⤵
        
        PID:2512
    - - C:\Windows\SysWOW64\EBRR.EXE
        
        C:\Windows\system32\EBRR.EXE -s
        5⤵
        
        PID:2956
    - - C:\Windows\SysWOW64\mmtask.exe
        
        C:\Windows\system32\mmtask.exe -s
        5⤵
        
        PID:2712
    - - C:\Windows\SVCHOST.EXE
        
        C:\Windows\SVCHOST.EXE -s
        5⤵
        
        PID:1856
    - - C:\Windows\system\SVCHOST.EXE
        
        C:\Windows\system\SVCHOST.EXE -s
        5⤵
        
        PID:2708
    - - C:\Windows\SysWOW64\EBRR.EXE
        
        C:\Windows\system32\EBRR.EXE -s
        5⤵
        
        PID:1036
    - - C:\Windows\SysWOW64\mmtask.exe
        
        C:\Windows\system32\mmtask.exe -s
        5⤵
        
        PID:1596
    - - C:\Windows\SVCHOST.EXE
        
        C:\Windows\SVCHOST.EXE -s
        5⤵
        
        PID:1964
    - - C:\Windows\system\SVCHOST.EXE
        
        C:\Windows\system\SVCHOST.EXE -s
        5⤵
        
        PID:2248
    - - C:\Windows\SysWOW64\EBRR.EXE
        
        C:\Windows\system32\EBRR.EXE -s
        5⤵
        
        PID:1476
    - - C:\Windows\SysWOW64\mmtask.exe
        
        C:\Windows\system32\mmtask.exe -s
        5⤵
        
        PID:592
    - - C:\Windows\SVCHOST.EXE
        
        C:\Windows\SVCHOST.EXE -s
        5⤵
        
        PID:1124
    - - C:\Windows\system\SVCHOST.EXE
        
        C:\Windows\system\SVCHOST.EXE -s
        5⤵
        
        PID:2412
    - - C:\Windows\SysWOW64\EBRR.EXE
        
        C:\Windows\system32\EBRR.EXE -s
        5⤵
        
        PID:2824
    - - C:\Windows\SysWOW64\mmtask.exe
        
        C:\Windows\system32\mmtask.exe -s
        5⤵
        
        PID:1364
    - - C:\Windows\SVCHOST.EXE
        
        C:\Windows\SVCHOST.EXE -s
        5⤵
        
        PID:1728
    - - C:\Windows\system\SVCHOST.EXE
        
        C:\Windows\system\SVCHOST.EXE -s
        5⤵
        
        PID:1744
    - - C:\Windows\SysWOW64\EBRR.EXE
        
        C:\Windows\system32\EBRR.EXE -s
        5⤵
        
        PID:2848
    - - C:\Windows\SysWOW64\mmtask.exe
        
        C:\Windows\system32\mmtask.exe -s
        5⤵
        
        PID:2644
    - - C:\Windows\SVCHOST.EXE
        
        C:\Windows\SVCHOST.EXE -s
        5⤵
        
        PID:1036
    - - C:\Windows\system\SVCHOST.EXE
        
        C:\Windows\system\SVCHOST.EXE -s
        5⤵
        
        PID:2652
    - - C:\Windows\SysWOW64\EBRR.EXE
        
        C:\Windows\system32\EBRR.EXE -s
        5⤵
        
        PID:1964
    - - C:\Windows\SysWOW64\mmtask.exe
        
        C:\Windows\system32\mmtask.exe -s
        5⤵
        
        PID:2192
    - - C:\Windows\SVCHOST.EXE
        
        C:\Windows\SVCHOST.EXE -s
        5⤵
        
        PID:1532
    - - C:\Windows\system\SVCHOST.EXE
        
        C:\Windows\system\SVCHOST.EXE -s
        5⤵
        
        PID:2396
    - - C:\Windows\SysWOW64\EBRR.EXE
        
        C:\Windows\system32\EBRR.EXE -s
        5⤵
        
        PID:1704
    - - C:\Windows\SysWOW64\mmtask.exe
        
        C:\Windows\system32\mmtask.exe -s
        5⤵
        
        PID:1776
    - - C:\Windows\SVCHOST.EXE
        
        C:\Windows\SVCHOST.EXE -s
        5⤵
        
        PID:1800
    - - C:\Windows\system\SVCHOST.EXE
        
        C:\Windows\system\SVCHOST.EXE -s
        5⤵
        
        PID:2576
    - - C:\Windows\SysWOW64\EBRR.EXE
        
        C:\Windows\system32\EBRR.EXE -s
        5⤵
        
        PID:2816
    - - C:\Windows\SysWOW64\mmtask.exe
        
        C:\Windows\system32\mmtask.exe -s
        5⤵
        
        PID:2796
    - - C:\Windows\SVCHOST.EXE
        
        C:\Windows\SVCHOST.EXE -s
        5⤵
        
        PID:2740
    - - C:\Windows\system\SVCHOST.EXE
        
        C:\Windows\system\SVCHOST.EXE -s
        5⤵
        
        PID:1720
    - - C:\Windows\SysWOW64\EBRR.EXE
        
        C:\Windows\system32\EBRR.EXE -s
        5⤵
        
        PID:3048
    - - C:\Windows\SysWOW64\mmtask.exe
        
        C:\Windows\system32\mmtask.exe -s
        5⤵
        
        PID:2916
  - - C:\Windows\system\SVCHOST.EXE
      C:\Windows\system\SVCHOST.EXE -s
      4⤵
      Executes dropped EXE
      Suspicious use of SetWindowsHookEx
      PID:3020
  - - C:\Windows\SysWOW64\EBRR.EXE
      C:\Windows\system32\EBRR.EXE -s
      4⤵
      Executes dropped EXE
      Suspicious use of SetWindowsHookEx
      PID:2344
  - - C:\Windows\SysWOW64\mmtask.exe
      C:\Windows\system32\mmtask.exe -s
      4⤵
      Executes dropped EXE
      Suspicious use of SetWindowsHookEx
      PID:2264
  - - C:\Windows\SVCHOST.EXE
      C:\Windows\SVCHOST.EXE -s
      4⤵
      Executes dropped EXE
      Suspicious use of SetWindowsHookEx
      PID:2808
  - - C:\Windows\system\SVCHOST.EXE
      C:\Windows\system\SVCHOST.EXE -s
      4⤵
      Executes dropped EXE
      Suspicious use of SetWindowsHookEx
      PID:2820
  - - C:\Windows\SysWOW64\EBRR.EXE
      C:\Windows\system32\EBRR.EXE -s
      4⤵
      Executes dropped EXE
      Suspicious use of SetWindowsHookEx
      PID:2608
  - - C:\Windows\SysWOW64\mmtask.exe
      C:\Windows\system32\mmtask.exe -s
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious use of SetWindowsHookEx
      PID:2468
  - - C:\Windows\SVCHOST.EXE
      C:\Windows\SVCHOST.EXE -s
      4⤵
      PID:1936
  - - C:\Windows\system\SVCHOST.EXE
      C:\Windows\system\SVCHOST.EXE -s
      4⤵
      PID:820
  - - C:\Windows\SysWOW64\EBRR.EXE
      C:\Windows\system32\EBRR.EXE -s
      4⤵
      PID:2132
  - - C:\Windows\SysWOW64\mmtask.exe
      C:\Windows\system32\mmtask.exe -s
      4⤵
      PID:1660
  - - C:\Windows\SVCHOST.EXE
      C:\Windows\SVCHOST.EXE -s
      4⤵
      PID:1048
  - - C:\Windows\system\SVCHOST.EXE
      C:\Windows\system\SVCHOST.EXE -s
      4⤵
      PID:320
  - - C:\Windows\SysWOW64\EBRR.EXE
      C:\Windows\system32\EBRR.EXE -s
      4⤵
      PID:2428
  - - C:\Windows\SysWOW64\mmtask.exe
      C:\Windows\system32\mmtask.exe -s
      4⤵
      PID:2268
  - - C:\Windows\SVCHOST.EXE
      C:\Windows\SVCHOST.EXE -s
      4⤵
      PID:3016
  - - C:\Windows\system\SVCHOST.EXE
      C:\Windows\system\SVCHOST.EXE -s
      4⤵
      PID:2956
  - - C:\Windows\SysWOW64\EBRR.EXE
      C:\Windows\system32\EBRR.EXE -s
      4⤵
      System Location Discovery: System Language Discovery
      PID:2924
  - - C:\Windows\SysWOW64\mmtask.exe
      C:\Windows\system32\mmtask.exe -s
      4⤵
      PID:868
  - - C:\Windows\SVCHOST.EXE
      C:\Windows\SVCHOST.EXE -s
      4⤵
      PID:1168
  - - C:\Windows\system\SVCHOST.EXE
      C:\Windows\system\SVCHOST.EXE -s
      4⤵
      PID:2904
  - - C:\Windows\SysWOW64\EBRR.EXE
      C:\Windows\system32\EBRR.EXE -s
      4⤵
      PID:1796
  - - C:\Windows\SysWOW64\mmtask.exe
      C:\Windows\system32\mmtask.exe -s
      4⤵
      PID:2556
  - - C:\Windows\SVCHOST.EXE
      C:\Windows\SVCHOST.EXE -s
      4⤵
      PID:1924
  - - C:\Windows\system\SVCHOST.EXE
      C:\Windows\system\SVCHOST.EXE -s
      4⤵
      PID:924
  - - C:\Windows\SysWOW64\EBRR.EXE
      C:\Windows\system32\EBRR.EXE -s
      4⤵
      PID:2344
  - - C:\Windows\SysWOW64\mmtask.exe
      C:\Windows\system32\mmtask.exe -s
      4⤵
      PID:816
  - - C:\Windows\SVCHOST.EXE
      C:\Windows\SVCHOST.EXE -s
      4⤵
      PID:2824
  - - C:\Windows\system\SVCHOST.EXE
      C:\Windows\system\SVCHOST.EXE -s
      4⤵
      PID:2492
  - - C:\Windows\SysWOW64\EBRR.EXE
      C:\Windows\system32\EBRR.EXE -s
      4⤵
      PID:2924
  - - C:\Windows\SysWOW64\mmtask.exe
      C:\Windows\system32\mmtask.exe -s
      4⤵
      PID:1956
  - - C:\Windows\SVCHOST.EXE
      C:\Windows\SVCHOST.EXE -s
      4⤵
      PID:2036
  - - C:\Windows\system\SVCHOST.EXE
      C:\Windows\system\SVCHOST.EXE -s
      4⤵
      PID:1596
  - - C:\Windows\SysWOW64\EBRR.EXE
      C:\Windows\system32\EBRR.EXE -s
      4⤵
      PID:1820
  - - C:\Windows\SysWOW64\mmtask.exe
      C:\Windows\system32\mmtask.exe -s
      4⤵
      PID:2144
  - - C:\Windows\SVCHOST.EXE
      C:\Windows\SVCHOST.EXE -s
      4⤵
      PID:1520
  - - C:\Windows\system\SVCHOST.EXE
      C:\Windows\system\SVCHOST.EXE -s
      4⤵
      PID:1780
  - - C:\Windows\SysWOW64\EBRR.EXE
      C:\Windows\system32\EBRR.EXE -s
      4⤵
      PID:1372
  - - C:\Windows\SysWOW64\mmtask.exe
      C:\Windows\system32\mmtask.exe -s
      4⤵
      PID:1248
  - - C:\Windows\SVCHOST.EXE
      C:\Windows\SVCHOST.EXE -s
      4⤵
      PID:2056
  - - C:\Windows\system\SVCHOST.EXE
      C:\Windows\system\SVCHOST.EXE -s
      4⤵
      PID:2296
  - - C:\Windows\SysWOW64\EBRR.EXE
      C:\Windows\system32\EBRR.EXE -s
      4⤵
      PID:2760
  - - C:\Windows\SysWOW64\mmtask.exe
      C:\Windows\system32\mmtask.exe -s
      4⤵
      PID:2060
  - - C:\Windows\SVCHOST.EXE
      C:\Windows\SVCHOST.EXE -s
      4⤵
      PID:2876
  - - C:\Windows\system\SVCHOST.EXE
      C:\Windows\system\SVCHOST.EXE -s
      4⤵
      PID:2716
  - - C:\Windows\SysWOW64\EBRR.EXE
      C:\Windows\system32\EBRR.EXE -s
      4⤵
      PID:1552
  - - C:\Windows\SysWOW64\mmtask.exe
      C:\Windows\system32\mmtask.exe -s
      4⤵
      PID:2572
  - - C:\Windows\SVCHOST.EXE
      C:\Windows\SVCHOST.EXE -s
      4⤵
      PID:564
  - - C:\Windows\system\SVCHOST.EXE
      C:\Windows\system\SVCHOST.EXE -s
      4⤵
      PID:2960
  - - C:\Windows\SysWOW64\EBRR.EXE
      C:\Windows\system32\EBRR.EXE -s
      4⤵
      PID:1636
  - - C:\Windows\SysWOW64\mmtask.exe
      C:\Windows\system32\mmtask.exe -s
      4⤵
      PID:1752
  - - C:\Windows\SVCHOST.EXE
      C:\Windows\SVCHOST.EXE -s
      4⤵
      PID:2020
  - - C:\Windows\system\SVCHOST.EXE
      C:\Windows\system\SVCHOST.EXE -s
      4⤵
      PID:2140
  - - C:\Windows\SysWOW64\EBRR.EXE
      C:\Windows\system32\EBRR.EXE -s
      4⤵
      System Location Discovery: System Language Discovery
      PID:576
  - - C:\Windows\SysWOW64\mmtask.exe
      C:\Windows\system32\mmtask.exe -s
      4⤵
      PID:2628
  - - C:\Windows\SVCHOST.EXE
      C:\Windows\SVCHOST.EXE -s
      4⤵
      PID:2392
  - - C:\Windows\system\SVCHOST.EXE
      C:\Windows\system\SVCHOST.EXE -s
      4⤵
      PID:1956
  - - C:\Windows\SysWOW64\EBRR.EXE
      C:\Windows\system32\EBRR.EXE -s
      4⤵
      PID:2856
  - - C:\Windows\SysWOW64\mmtask.exe
      C:\Windows\system32\mmtask.exe -s
      4⤵
      PID:2904
  - - C:\Windows\SVCHOST.EXE
      C:\Windows\SVCHOST.EXE -s
      4⤵
      PID:2400
  - - C:\Windows\system\SVCHOST.EXE
      C:\Windows\system\SVCHOST.EXE -s
      4⤵
      PID:1676
  - - C:\Windows\SysWOW64\EBRR.EXE
      C:\Windows\system32\EBRR.EXE -s
      4⤵
      PID:1660
  - - C:\Windows\SysWOW64\mmtask.exe
      C:\Windows\system32\mmtask.exe -s
      4⤵
      PID:2068
  - - C:\Windows\SVCHOST.EXE
      C:\Windows\SVCHOST.EXE -s
      4⤵
      PID:1800
  - - C:\Windows\system\SVCHOST.EXE
      C:\Windows\system\SVCHOST.EXE -s
      4⤵
      PID:2280
  - - C:\Windows\SysWOW64\EBRR.EXE
      C:\Windows\system32\EBRR.EXE -s
      4⤵
      PID:2364
  - - C:\Windows\SysWOW64\mmtask.exe
      C:\Windows\system32\mmtask.exe -s
      4⤵
      PID:2428
  - - C:\Windows\SVCHOST.EXE
      C:\Windows\SVCHOST.EXE -s
      4⤵
      PID:884
  - - C:\Windows\system\SVCHOST.EXE
      C:\Windows\system\SVCHOST.EXE -s
      4⤵
      PID:1752
  - - C:\Windows\SysWOW64\EBRR.EXE
      C:\Windows\system32\EBRR.EXE -s
      4⤵
      PID:2440
  - - C:\Windows\SysWOW64\mmtask.exe
      C:\Windows\system32\mmtask.exe -s
      4⤵
      PID:584
  - - C:\Windows\SVCHOST.EXE
      C:\Windows\SVCHOST.EXE -s
      4⤵
      PID:1920
  - - C:\Windows\system\SVCHOST.EXE
      C:\Windows\system\SVCHOST.EXE -s
      4⤵
      PID:1856
  - - C:\Windows\SysWOW64\EBRR.EXE
      C:\Windows\system32\EBRR.EXE -s
      4⤵
      PID:2860
  - - C:\Windows\SysWOW64\mmtask.exe
      C:\Windows\system32\mmtask.exe -s
      4⤵
      PID:868
  - - C:\Windows\SVCHOST.EXE
      C:\Windows\SVCHOST.EXE -s
      4⤵
      PID:1252
  - - C:\Windows\system\SVCHOST.EXE
      C:\Windows\system\SVCHOST.EXE -s
      4⤵
      PID:1596
  - - C:\Windows\SysWOW64\EBRR.EXE
      C:\Windows\system32\EBRR.EXE -s
      4⤵
      PID:1796
  - - C:\Windows\SysWOW64\mmtask.exe
      C:\Windows\system32\mmtask.exe -s
      4⤵
      PID:1520
  - - C:\Windows\SVCHOST.EXE
      C:\Windows\SVCHOST.EXE -s
      4⤵
      PID:2120
  - - C:\Windows\system\SVCHOST.EXE
      C:\Windows\system\SVCHOST.EXE -s
      4⤵
      PID:1160
  - - C:\Windows\SysWOW64\EBRR.EXE
      C:\Windows\system32\EBRR.EXE -s
      4⤵
      PID:2200
  - - C:\Windows\SysWOW64\mmtask.exe
      C:\Windows\system32\mmtask.exe -s
      4⤵
      PID:2420
  - - C:\Windows\SVCHOST.EXE
      C:\Windows\SVCHOST.EXE -s
      4⤵
      PID:1540
  - - C:\Windows\system\SVCHOST.EXE
      C:\Windows\system\SVCHOST.EXE -s
      4⤵
      System Location Discovery: System Language Discovery
      PID:2496
  - - C:\Windows\SysWOW64\EBRR.EXE
      C:\Windows\system32\EBRR.EXE -s
      4⤵
      PID:2408
  - - C:\Windows\SysWOW64\mmtask.exe
      C:\Windows\system32\mmtask.exe -s
      4⤵
      PID:2140
  - - C:\Windows\SVCHOST.EXE
      C:\Windows\SVCHOST.EXE -s
      4⤵
      PID:2956
  - - C:\Windows\system\SVCHOST.EXE
      C:\Windows\system\SVCHOST.EXE -s
      4⤵
      PID:2764
  - - C:\Windows\SysWOW64\EBRR.EXE
      C:\Windows\system32\EBRR.EXE -s
      4⤵
      PID:2644
  - - C:\Windows\SysWOW64\mmtask.exe
      C:\Windows\system32\mmtask.exe -s
      4⤵
      PID:2880
  - - C:\Windows\SVCHOST.EXE
      C:\Windows\SVCHOST.EXE -s
      4⤵
      PID:1168
  - - C:\Windows\system\SVCHOST.EXE
      C:\Windows\system\SVCHOST.EXE -s
      4⤵
      PID:920
  - - C:\Windows\SysWOW64\EBRR.EXE
      C:\Windows\system32\EBRR.EXE -s
      4⤵
      PID:1260
  - - C:\Windows\SysWOW64\mmtask.exe
      C:\Windows\system32\mmtask.exe -s
      4⤵
      PID:2516
  - - C:\Windows\SVCHOST.EXE
      C:\Windows\SVCHOST.EXE -s
      4⤵
      PID:2356
  - - C:\Windows\system\SVCHOST.EXE
      C:\Windows\system\SVCHOST.EXE -s
      4⤵
      PID:1772
  - - C:\Windows\SysWOW64\EBRR.EXE
      C:\Windows\system32\EBRR.EXE -s
      4⤵
      PID:2348
  - - C:\Windows\SysWOW64\mmtask.exe
      C:\Windows\system32\mmtask.exe -s
      4⤵
      PID:912
  - - C:\Windows\SVCHOST.EXE
      C:\Windows\SVCHOST.EXE -s
      4⤵
      PID:2808
  - - C:\Windows\system\SVCHOST.EXE
      C:\Windows\system\SVCHOST.EXE -s
      4⤵
      PID:2408
  - - C:\Windows\SysWOW64\EBRR.EXE
      C:\Windows\system32\EBRR.EXE -s
      4⤵
      PID:2060
  - - C:\Windows\SysWOW64\mmtask.exe
      C:\Windows\system32\mmtask.exe -s
      4⤵
      PID:3048
  - - C:\Windows\SVCHOST.EXE
      C:\Windows\SVCHOST.EXE -s
      4⤵
      PID:1420
  - - C:\Windows\system\SVCHOST.EXE
      C:\Windows\system\SVCHOST.EXE -s
      4⤵
      PID:1684
  - - C:\Windows\SysWOW64\EBRR.EXE
      C:\Windows\system32\EBRR.EXE -s
      4⤵
      PID:1288
  - - C:\Windows\SysWOW64\mmtask.exe
      C:\Windows\system32\mmtask.exe -s
      4⤵
      PID:1820
  - - C:\Windows\SVCHOST.EXE
      C:\Windows\SVCHOST.EXE -s
      4⤵
      PID:2388
  - - C:\Windows\system\SVCHOST.EXE
      C:\Windows\system\SVCHOST.EXE -s
      4⤵
      PID:1872
  - - C:\Windows\SysWOW64\EBRR.EXE
      C:\Windows\system32\EBRR.EXE -s
      4⤵
      PID:1536
  - - C:\Windows\SysWOW64\mmtask.exe
      C:\Windows\system32\mmtask.exe -s
      4⤵
      PID:1380
  - - C:\Windows\SVCHOST.EXE
      C:\Windows\SVCHOST.EXE -s
      4⤵
      PID:1476
  - - C:\Windows\system\SVCHOST.EXE
      C:\Windows\system\SVCHOST.EXE -s
      4⤵
      PID:1776
  - - C:\Windows\SysWOW64\EBRR.EXE
      C:\Windows\system32\EBRR.EXE -s
      4⤵
      PID:1540
  - - C:\Windows\SysWOW64\mmtask.exe
      C:\Windows\system32\mmtask.exe -s
      4⤵
      PID:2096
  - - C:\Windows\SVCHOST.EXE
      C:\Windows\SVCHOST.EXE -s
      4⤵
      PID:1744
  - - C:\Windows\system\SVCHOST.EXE
      C:\Windows\system\SVCHOST.EXE -s
      4⤵
      PID:3044
  - - C:\Windows\SysWOW64\EBRR.EXE
      C:\Windows\system32\EBRR.EXE -s
      4⤵
      PID:2440
  - - C:\Windows\SysWOW64\mmtask.exe
      C:\Windows\system32\mmtask.exe -s
      4⤵
      PID:2884
  - - C:\Windows\SVCHOST.EXE
      C:\Windows\SVCHOST.EXE -s
      4⤵
      System Location Discovery: System Language Discovery
      PID:2708
  - - C:\Windows\system\SVCHOST.EXE
      C:\Windows\system\SVCHOST.EXE -s
      4⤵
      System Location Discovery: System Language Discovery
      PID:1920
  - - C:\Windows\SysWOW64\EBRR.EXE
      C:\Windows\system32\EBRR.EXE -s
      4⤵
      System Location Discovery: System Language Discovery
      PID:868
  - - C:\Windows\SysWOW64\mmtask.exe
      C:\Windows\system32\mmtask.exe -s
      4⤵
      PID:2124
  - - C:\Windows\SVCHOST.EXE
      C:\Windows\SVCHOST.EXE -s
      4⤵
      PID:2540
  - - C:\Windows\system\SVCHOST.EXE
      C:\Windows\system\SVCHOST.EXE -s
      4⤵
      PID:2660
  - - C:\Windows\SysWOW64\EBRR.EXE
      C:\Windows\system32\EBRR.EXE -s
      4⤵
      PID:1124
  - - C:\Windows\SysWOW64\mmtask.exe
      C:\Windows\system32\mmtask.exe -s
      4⤵
      PID:2564
  - - C:\Windows\SVCHOST.EXE
      C:\Windows\SVCHOST.EXE -s
      4⤵
      PID:1636
  - - C:\Windows\system\SVCHOST.EXE
      C:\Windows\system\SVCHOST.EXE -s
      4⤵
      PID:2496
  - - C:\Windows\SysWOW64\EBRR.EXE
      C:\Windows\system32\EBRR.EXE -s
      4⤵
      PID:2372
  - - C:\Windows\SysWOW64\mmtask.exe
      C:\Windows\system32\mmtask.exe -s
      4⤵
      PID:1744
  - - C:\Windows\SVCHOST.EXE
      C:\Windows\SVCHOST.EXE -s
      4⤵
      PID:2928
  - - C:\Windows\system\SVCHOST.EXE
      C:\Windows\system\SVCHOST.EXE -s
      4⤵
      PID:2688
  - - C:\Windows\SysWOW64\EBRR.EXE
      C:\Windows\system32\EBRR.EXE -s
      4⤵
      PID:2628
  - - C:\Windows\SysWOW64\mmtask.exe
      C:\Windows\system32\mmtask.exe -s
      4⤵
      PID:1420
  - - C:\Windows\SVCHOST.EXE
      C:\Windows\SVCHOST.EXE -s
      4⤵
      PID:920
  - - C:\Windows\system\SVCHOST.EXE
      C:\Windows\system\SVCHOST.EXE -s
      4⤵
      PID:1344
  - - C:\Windows\SysWOW64\EBRR.EXE
      C:\Windows\system32\EBRR.EXE -s
      4⤵
      PID:3068
  - - C:\Windows\SysWOW64\mmtask.exe
      C:\Windows\system32\mmtask.exe -s
      4⤵
      PID:1868
  - - C:\Windows\SVCHOST.EXE
      C:\Windows\SVCHOST.EXE -s
      4⤵
      PID:2220
  - - C:\Windows\system\SVCHOST.EXE
      C:\Windows\system\SVCHOST.EXE -s
      4⤵
      PID:2516
  - - C:\Windows\SysWOW64\EBRR.EXE
      C:\Windows\system32\EBRR.EXE -s
      4⤵
      PID:1648
  - - C:\Windows\SysWOW64\mmtask.exe
      C:\Windows\system32\mmtask.exe -s
      4⤵
      PID:344
  - - C:\Windows\SVCHOST.EXE
      C:\Windows\SVCHOST.EXE -s
      4⤵
      PID:1372
  - - C:\Windows\system\SVCHOST.EXE
      C:\Windows\system\SVCHOST.EXE -s
      4⤵
      PID:2380
  - - C:\Windows\SysWOW64\EBRR.EXE
      C:\Windows\system32\EBRR.EXE -s
      4⤵
      PID:2700
  - - C:\Windows\SysWOW64\mmtask.exe
      C:\Windows\system32\mmtask.exe -s
      4⤵
      PID:2344
  - - C:\Windows\SVCHOST.EXE
      C:\Windows\SVCHOST.EXE -s
      4⤵
      PID:2748
  - - C:\Windows\system\SVCHOST.EXE
      C:\Windows\system\SVCHOST.EXE -s
      4⤵
      System Location Discovery: System Language Discovery
      PID:1856
  - - C:\Windows\SysWOW64\EBRR.EXE
      C:\Windows\system32\EBRR.EXE -s
      4⤵
      PID:2312
  - - C:\Windows\SysWOW64\mmtask.exe
      C:\Windows\system32\mmtask.exe -s
      4⤵
      System Location Discovery: System Language Discovery
      PID:2392
  - - C:\Windows\SVCHOST.EXE
      C:\Windows\SVCHOST.EXE -s
      4⤵
      PID:3032
  - - C:\Windows\system\SVCHOST.EXE
      C:\Windows\system\SVCHOST.EXE -s
      4⤵
      PID:3048
  - - C:\Windows\SysWOW64\EBRR.EXE
      C:\Windows\system32\EBRR.EXE -s
      4⤵
      PID:1964
  - - C:\Windows\SysWOW64\mmtask.exe
      C:\Windows\system32\mmtask.exe -s
      4⤵
      PID:1100
  - - C:\Windows\SVCHOST.EXE
      C:\Windows\SVCHOST.EXE -s
      4⤵
      PID:1796
  - - C:\Windows\system\SVCHOST.EXE
      C:\Windows\system\SVCHOST.EXE -s
      4⤵
      PID:2052
  - - C:\Windows\SysWOW64\EBRR.EXE
      C:\Windows\system32\EBRR.EXE -s
      4⤵
      PID:1968
  - - C:\Windows\SysWOW64\mmtask.exe
      C:\Windows\system32\mmtask.exe -s
      4⤵
      PID:1800
  - - C:\Windows\SVCHOST.EXE
      C:\Windows\SVCHOST.EXE -s
      4⤵
      PID:1016
  - - C:\Windows\system\SVCHOST.EXE
      C:\Windows\system\SVCHOST.EXE -s
      4⤵
      PID:3000
  - - C:\Windows\SysWOW64\EBRR.EXE
      C:\Windows\system32\EBRR.EXE -s
      4⤵
      PID:2824
  - - C:\Windows\SysWOW64\mmtask.exe
      C:\Windows\system32\mmtask.exe -s
      4⤵
      PID:2732
  - - C:\Windows\SVCHOST.EXE
      C:\Windows\SVCHOST.EXE -s
      4⤵
      PID:2224
  - - C:\Windows\system\SVCHOST.EXE
      C:\Windows\system\SVCHOST.EXE -s
      4⤵
      PID:2852
  - - C:\Windows\SysWOW64\EBRR.EXE
      C:\Windows\system32\EBRR.EXE -s
      4⤵
      PID:1920
  - - C:\Windows\SysWOW64\mmtask.exe
      C:\Windows\system32\mmtask.exe -s
      4⤵
      PID:2876
  - - C:\Windows\SVCHOST.EXE
      C:\Windows\SVCHOST.EXE -s
      4⤵
      PID:2656
  - - C:\Windows\system\SVCHOST.EXE
      C:\Windows\system\SVCHOST.EXE -s
      4⤵
      PID:2880
  - - C:\Windows\SysWOW64\EBRR.EXE
      C:\Windows\system32\EBRR.EXE -s
      4⤵
      PID:2584
  - - C:\Windows\SysWOW64\mmtask.exe
      C:\Windows\system32\mmtask.exe -s
      4⤵
      PID:2856
  - - C:\Windows\SVCHOST.EXE
      C:\Windows\SVCHOST.EXE -s
      4⤵
      PID:1532
  - - C:\Windows\system\SVCHOST.EXE
      C:\Windows\system\SVCHOST.EXE -s
      4⤵
      PID:868
  - - C:\Windows\SysWOW64\EBRR.EXE
      C:\Windows\system32\EBRR.EXE -s
      4⤵
      PID:2520
  - - C:\Windows\SysWOW64\mmtask.exe
      C:\Windows\system32\mmtask.exe -s
      4⤵
      PID:888
  - - C:\Windows\SVCHOST.EXE
      C:\Windows\SVCHOST.EXE -s
      4⤵
      PID:2056
  - - C:\Windows\system\SVCHOST.EXE
      C:\Windows\system\SVCHOST.EXE -s
      4⤵
      PID:2992
  - - C:\Windows\SysWOW64\EBRR.EXE
      C:\Windows\system32\EBRR.EXE -s
      4⤵
      PID:2500
  - - C:\Windows\SysWOW64\mmtask.exe
      C:\Windows\system32\mmtask.exe -s
      4⤵
      PID:2276
  - - C:\Windows\SVCHOST.EXE
      C:\Windows\SVCHOST.EXE -s
      4⤵
      PID:1540
  - - C:\Windows\system\SVCHOST.EXE
      C:\Windows\system\SVCHOST.EXE -s
      4⤵
      PID:576
  - - C:\Windows\SysWOW64\EBRR.EXE
      C:\Windows\system32\EBRR.EXE -s
      4⤵
      PID:2148
  - - C:\Windows\SysWOW64\mmtask.exe
      C:\Windows\system32\mmtask.exe -s
      4⤵
      PID:2224
  - - C:\Windows\SVCHOST.EXE
      C:\Windows\SVCHOST.EXE -s
      4⤵
      PID:644
  - - C:\Windows\system\SVCHOST.EXE
      C:\Windows\system\SVCHOST.EXE -s
      4⤵
      PID:2760
  - - C:\Windows\SysWOW64\EBRR.EXE
      C:\Windows\system32\EBRR.EXE -s
      4⤵
      PID:1684
  - - C:\Windows\SysWOW64\mmtask.exe
      C:\Windows\system32\mmtask.exe -s
      4⤵
      PID:2000
  - - C:\Windows\SVCHOST.EXE
      C:\Windows\SVCHOST.EXE -s
      4⤵
      PID:2260
  - - C:\Windows\system\SVCHOST.EXE
      C:\Windows\system\SVCHOST.EXE -s
      4⤵
      PID:2468
  - - C:\Windows\SysWOW64\EBRR.EXE
      C:\Windows\system32\EBRR.EXE -s
      4⤵
      PID:3028
  - - C:\Windows\SysWOW64\mmtask.exe
      C:\Windows\system32\mmtask.exe -s
      4⤵
      PID:3036
  - - C:\Windows\SVCHOST.EXE
      C:\Windows\SVCHOST.EXE -s
      4⤵
      PID:2692
  - - C:\Windows\system\SVCHOST.EXE
      C:\Windows\system\SVCHOST.EXE -s
      4⤵
      PID:2544
  - - C:\Windows\SysWOW64\EBRR.EXE
      C:\Windows\system32\EBRR.EXE -s
      4⤵
      PID:2280
  - - C:\Windows\SysWOW64\mmtask.exe
      C:\Windows\system32\mmtask.exe -s
      4⤵
      PID:1992
  - - C:\Windows\SVCHOST.EXE
      C:\Windows\SVCHOST.EXE -s
      4⤵
      PID:1528
  - - C:\Windows\system\SVCHOST.EXE
      C:\Windows\system\SVCHOST.EXE -s
      4⤵
      PID:2264
  - - C:\Windows\SysWOW64\EBRR.EXE
      C:\Windows\system32\EBRR.EXE -s
      4⤵
      PID:2732
  - - C:\Windows\SysWOW64\mmtask.exe
      C:\Windows\system32\mmtask.exe -s
      4⤵
      PID:2140
  - - C:\Windows\SVCHOST.EXE
      C:\Windows\SVCHOST.EXE -s
      4⤵
      PID:2708
  - - C:\Windows\system\SVCHOST.EXE
      C:\Windows\system\SVCHOST.EXE -s
      4⤵
      PID:1744
  - - C:\Windows\SysWOW64\EBRR.EXE
      C:\Windows\system32\EBRR.EXE -s
      4⤵
      PID:1432
  - - C:\Windows\SysWOW64\mmtask.exe
      C:\Windows\system32\mmtask.exe -s
      4⤵
      PID:3040
  - - C:\Windows\SVCHOST.EXE
      C:\Windows\SVCHOST.EXE -s
      4⤵
      PID:2468
  - - C:\Windows\system\SVCHOST.EXE
      C:\Windows\system\SVCHOST.EXE -s
      4⤵
      PID:1036
- - C:\Windows\SVCHOST.EXE
    C:\Windows\SVCHOST.EXE -s
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:1764
- - C:\Windows\system\SVCHOST.EXE
    C:\Windows\system\SVCHOST.EXE -s
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:2248
- - C:\Windows\SysWOW64\EBRR.EXE
    C:\Windows\system32\EBRR.EXE -s
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:1600
- - C:\Windows\SysWOW64\mmtask.exe
    C:\Windows\system32\mmtask.exe -s
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:2284
- - C:\Windows\SVCHOST.EXE
    C:\Windows\SVCHOST.EXE -s
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:1532
- - C:\Windows\system\SVCHOST.EXE
    C:\Windows\system\SVCHOST.EXE -s
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:1952
- - C:\Windows\SysWOW64\EBRR.EXE
    C:\Windows\system32\EBRR.EXE -s
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:1732
- - C:\Windows\SysWOW64\mmtask.exe
    C:\Windows\system32\mmtask.exe -s
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:884
- - C:\Windows\SVCHOST.EXE
    C:\Windows\SVCHOST.EXE -s
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:2276
- - C:\Windows\system\SVCHOST.EXE
    C:\Windows\system\SVCHOST.EXE -s
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:2932
- - C:\Windows\SysWOW64\EBRR.EXE
    C:\Windows\system32\EBRR.EXE -s
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:2844
- - C:\Windows\SysWOW64\mmtask.exe
    C:\Windows\system32\mmtask.exe -s
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:2592
- - C:\Windows\SVCHOST.EXE
    C:\Windows\SVCHOST.EXE -s
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:1036
- - C:\Windows\system\SVCHOST.EXE
    C:\Windows\system\SVCHOST.EXE -s
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:2996
- - C:\Windows\SysWOW64\EBRR.EXE
    C:\Windows\system32\EBRR.EXE -s
    3⤵
    PID:2692
- - C:\Windows\SysWOW64\mmtask.exe
    C:\Windows\system32\mmtask.exe -s
    3⤵
    PID:1100
- - C:\Windows\SVCHOST.EXE
    C:\Windows\SVCHOST.EXE -s
    3⤵
    PID:1124
- - C:\Windows\system\SVCHOST.EXE
    C:\Windows\system\SVCHOST.EXE -s
    3⤵
    PID:1528
- - C:\Windows\SysWOW64\EBRR.EXE
    C:\Windows\system32\EBRR.EXE -s
    3⤵
    PID:1752
- - C:\Windows\SysWOW64\mmtask.exe
    C:\Windows\system32\mmtask.exe -s
    3⤵
    PID:2100
- - C:\Windows\SVCHOST.EXE
    C:\Windows\SVCHOST.EXE -s
    3⤵
    PID:2724
- - C:\Windows\system\SVCHOST.EXE
    C:\Windows\system\SVCHOST.EXE -s
    3⤵
    PID:2380
- - C:\Windows\SysWOW64\EBRR.EXE
    C:\Windows\system32\EBRR.EXE -s
    3⤵
    PID:1804
- - C:\Windows\SysWOW64\mmtask.exe
    C:\Windows\system32\mmtask.exe -s
    3⤵
    PID:2304
- - C:\Windows\SVCHOST.EXE
    C:\Windows\SVCHOST.EXE -s
    3⤵
    PID:2392
- - C:\Windows\system\SVCHOST.EXE
    C:\Windows\system\SVCHOST.EXE -s
    3⤵
    PID:2464
- - C:\Windows\SysWOW64\EBRR.EXE
    C:\Windows\system32\EBRR.EXE -s
    3⤵
    PID:3064
- - C:\Windows\SysWOW64\mmtask.exe
    C:\Windows\system32\mmtask.exe -s
    3⤵
    PID:556
- - C:\Windows\SVCHOST.EXE
    C:\Windows\SVCHOST.EXE -s
    3⤵
    PID:956
- - C:\Windows\system\SVCHOST.EXE
    C:\Windows\system\SVCHOST.EXE -s
    3⤵
    PID:2424
- - C:\Windows\SysWOW64\EBRR.EXE
    C:\Windows\system32\EBRR.EXE -s
    3⤵
    PID:2532
- - C:\Windows\SysWOW64\mmtask.exe
    C:\Windows\system32\mmtask.exe -s
    3⤵
    PID:2676
- - C:\Windows\SVCHOST.EXE
    C:\Windows\SVCHOST.EXE -s
    3⤵
    PID:2096
- - C:\Windows\system\SVCHOST.EXE
    C:\Windows\system\SVCHOST.EXE -s
    3⤵
    PID:2436
- - C:\Windows\SysWOW64\EBRR.EXE
    C:\Windows\system32\EBRR.EXE -s
    3⤵
    PID:940
- - C:\Windows\SysWOW64\mmtask.exe
    C:\Windows\system32\mmtask.exe -s
    3⤵
    PID:3052
- - C:\Windows\SVCHOST.EXE
    C:\Windows\SVCHOST.EXE -s
    3⤵
    PID:1920
- - C:\Windows\system\SVCHOST.EXE
    C:\Windows\system\SVCHOST.EXE -s
    3⤵
    PID:1700
- - C:\Windows\SysWOW64\EBRR.EXE
    C:\Windows\system32\EBRR.EXE -s
    3⤵
    PID:2456
- - C:\Windows\SysWOW64\mmtask.exe
    C:\Windows\system32\mmtask.exe -s
    3⤵
    PID:1872
- - C:\Windows\SVCHOST.EXE
    C:\Windows\SVCHOST.EXE -s
    3⤵
    PID:1960
- - C:\Windows\system\SVCHOST.EXE
    C:\Windows\system\SVCHOST.EXE -s
    3⤵
    PID:696
- - C:\Windows\SysWOW64\EBRR.EXE
    C:\Windows\system32\EBRR.EXE -s
    3⤵
    PID:1772
- - C:\Windows\SysWOW64\mmtask.exe
    C:\Windows\system32\mmtask.exe -s
    3⤵
    PID:1484
- - C:\Windows\SVCHOST.EXE
    C:\Windows\SVCHOST.EXE -s
    3⤵
    PID:2756
- - C:\Windows\system\SVCHOST.EXE
    C:\Windows\system\SVCHOST.EXE -s
    3⤵
    PID:2752
- - C:\Windows\SysWOW64\EBRR.EXE
    C:\Windows\system32\EBRR.EXE -s
    3⤵
    PID:1804
- - C:\Windows\SysWOW64\mmtask.exe
    C:\Windows\system32\mmtask.exe -s
    3⤵
    PID:1720
- - C:\Windows\SVCHOST.EXE
    C:\Windows\SVCHOST.EXE -s
    3⤵
    PID:3036
- - C:\Windows\system\SVCHOST.EXE
    C:\Windows\system\SVCHOST.EXE -s
    3⤵
    PID:3024
- - C:\Windows\SysWOW64\EBRR.EXE
    C:\Windows\system32\EBRR.EXE -s
    3⤵
    PID:840
- - C:\Windows\SysWOW64\mmtask.exe
    C:\Windows\system32\mmtask.exe -s
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1052
- - C:\Windows\SVCHOST.EXE
    C:\Windows\SVCHOST.EXE -s
    3⤵
    PID:1820
- - C:\Windows\system\SVCHOST.EXE
    C:\Windows\system\SVCHOST.EXE -s
    3⤵
    PID:2456
- - C:\Windows\SysWOW64\EBRR.EXE
    C:\Windows\system32\EBRR.EXE -s
    3⤵
    PID:1124
- - C:\Windows\SysWOW64\mmtask.exe
    C:\Windows\system32\mmtask.exe -s
    3⤵
    PID:2496
- - C:\Windows\SVCHOST.EXE
    C:\Windows\SVCHOST.EXE -s
    3⤵
    PID:2560
- - C:\Windows\system\SVCHOST.EXE
    C:\Windows\system\SVCHOST.EXE -s
    3⤵
    PID:2216
- - C:\Windows\SysWOW64\EBRR.EXE
    C:\Windows\system32\EBRR.EXE -s
    3⤵
    PID:2632
- - C:\Windows\SysWOW64\mmtask.exe
    C:\Windows\system32\mmtask.exe -s
    3⤵
    PID:2836
- - C:\Windows\SVCHOST.EXE
    C:\Windows\SVCHOST.EXE -s
    3⤵
    PID:2900
- - C:\Windows\system\SVCHOST.EXE
    C:\Windows\system\SVCHOST.EXE -s
    3⤵
    PID:1916
- - C:\Windows\SysWOW64\EBRR.EXE
    C:\Windows\system32\EBRR.EXE -s
    3⤵
    PID:1764
- - C:\Windows\SysWOW64\mmtask.exe
    C:\Windows\system32\mmtask.exe -s
    3⤵
    PID:1168
- - C:\Windows\SVCHOST.EXE
    C:\Windows\SVCHOST.EXE -s
    3⤵
    PID:3028
- - C:\Windows\system\SVCHOST.EXE
    C:\Windows\system\SVCHOST.EXE -s
    3⤵
    PID:2844
- - C:\Windows\SysWOW64\EBRR.EXE
    C:\Windows\system32\EBRR.EXE -s
    3⤵
    PID:1952
- - C:\Windows\SysWOW64\mmtask.exe
    C:\Windows\system32\mmtask.exe -s
    3⤵
    PID:2676
- - C:\Windows\SVCHOST.EXE
    C:\Windows\SVCHOST.EXE -s
    3⤵
    PID:2472
- - C:\Windows\system\SVCHOST.EXE
    C:\Windows\system\SVCHOST.EXE -s
    3⤵
    PID:968
- - C:\Windows\SysWOW64\EBRR.EXE
    C:\Windows\system32\EBRR.EXE -s
    3⤵
    PID:2140
- - C:\Windows\SysWOW64\mmtask.exe
    C:\Windows\system32\mmtask.exe -s
    3⤵
    PID:2852
- - C:\Windows\SVCHOST.EXE
    C:\Windows\SVCHOST.EXE -s
    3⤵
    PID:2848
- - C:\Windows\system\SVCHOST.EXE
    C:\Windows\system\SVCHOST.EXE -s
    3⤵
    PID:2304
- - C:\Windows\SysWOW64\EBRR.EXE
    C:\Windows\system32\EBRR.EXE -s
    3⤵
    PID:1804
- - C:\Windows\SysWOW64\mmtask.exe
    C:\Windows\system32\mmtask.exe -s
    3⤵
    PID:2616
- - C:\Windows\SVCHOST.EXE
    C:\Windows\SVCHOST.EXE -s
    3⤵
    PID:3036
- - C:\Windows\system\SVCHOST.EXE
    C:\Windows\system\SVCHOST.EXE -s
    3⤵
    PID:1936
- - C:\Windows\SysWOW64\EBRR.EXE
    C:\Windows\system32\EBRR.EXE -s
    3⤵
    PID:1304
- - C:\Windows\SysWOW64\mmtask.exe
    C:\Windows\system32\mmtask.exe -s
    3⤵
    PID:1960
- - C:\Windows\SVCHOST.EXE
    C:\Windows\SVCHOST.EXE -s
    3⤵
    PID:1144
- - C:\Windows\system\SVCHOST.EXE
    C:\Windows\system\SVCHOST.EXE -s
    3⤵
    PID:2424
- - C:\Windows\SysWOW64\EBRR.EXE
    C:\Windows\system32\EBRR.EXE -s
    3⤵
    PID:1992
- - C:\Windows\SysWOW64\mmtask.exe
    C:\Windows\system32\mmtask.exe -s
    3⤵
    PID:1632
- - C:\Windows\SVCHOST.EXE
    C:\Windows\SVCHOST.EXE -s
    3⤵
    PID:2264
- - C:\Windows\system\SVCHOST.EXE
    C:\Windows\system\SVCHOST.EXE -s
    3⤵
    PID:2808
- - C:\Windows\SysWOW64\EBRR.EXE
    C:\Windows\system32\EBRR.EXE -s
    3⤵
    PID:2740
- - C:\Windows\SysWOW64\mmtask.exe
    C:\Windows\system32\mmtask.exe -s
    3⤵
    PID:2604
- - C:\Windows\SVCHOST.EXE
    C:\Windows\SVCHOST.EXE -s
    3⤵
    PID:2752
- - C:\Windows\system\SVCHOST.EXE
    C:\Windows\system\SVCHOST.EXE -s
    3⤵
    PID:2708
- - C:\Windows\SysWOW64\EBRR.EXE
    C:\Windows\system32\EBRR.EXE -s
    3⤵
    PID:2628
- - C:\Windows\SysWOW64\mmtask.exe
    C:\Windows\system32\mmtask.exe -s
    3⤵
    PID:2612
- - C:\Windows\SVCHOST.EXE
    C:\Windows\SVCHOST.EXE -s
    3⤵
    PID:1604
- - C:\Windows\system\SVCHOST.EXE
    C:\Windows\system\SVCHOST.EXE -s
    3⤵
    PID:3028
- - C:\Windows\SysWOW64\EBRR.EXE
    C:\Windows\system32\EBRR.EXE -s
    3⤵
    PID:2904
- - C:\Windows\SysWOW64\mmtask.exe
    C:\Windows\system32\mmtask.exe -s
    3⤵
    PID:2400
- - C:\Windows\SVCHOST.EXE
    C:\Windows\SVCHOST.EXE -s
    3⤵
    PID:2520
- - C:\Windows\system\SVCHOST.EXE
    C:\Windows\system\SVCHOST.EXE -s
    3⤵
    PID:1308
- - C:\Windows\SysWOW64\EBRR.EXE
    C:\Windows\system32\EBRR.EXE -s
    3⤵
    PID:756
- - C:\Windows\SysWOW64\mmtask.exe
    C:\Windows\system32\mmtask.exe -s
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1952
- - C:\Windows\SVCHOST.EXE
    C:\Windows\SVCHOST.EXE -s
    3⤵
    PID:956
- - C:\Windows\system\SVCHOST.EXE
    C:\Windows\system\SVCHOST.EXE -s
    3⤵
    PID:2412
- - C:\Windows\SysWOW64\EBRR.EXE
    C:\Windows\system32\EBRR.EXE -s
    3⤵
    PID:2436
- - C:\Windows\SysWOW64\mmtask.exe
    C:\Windows\system32\mmtask.exe -s
    3⤵
    PID:2680
- - C:\Windows\SVCHOST.EXE
    C:\Windows\SVCHOST.EXE -s
    3⤵
    PID:1584
- - C:\Windows\system\SVCHOST.EXE
    C:\Windows\system\SVCHOST.EXE -s
    3⤵
    PID:2788
- - C:\Windows\SysWOW64\EBRR.EXE
    C:\Windows\system32\EBRR.EXE -s
    3⤵
    PID:2764
- - C:\Windows\SysWOW64\mmtask.exe
    C:\Windows\system32\mmtask.exe -s
    3⤵
    PID:1728
- - C:\Windows\SVCHOST.EXE
    C:\Windows\SVCHOST.EXE -s
    3⤵
    PID:2640
- - C:\Windows\system\SVCHOST.EXE
    C:\Windows\system\SVCHOST.EXE -s
    3⤵
    PID:2656
- - C:\Windows\SysWOW64\EBRR.EXE
    C:\Windows\system32\EBRR.EXE -s
    3⤵
    PID:3024
- - C:\Windows\SysWOW64\mmtask.exe
    C:\Windows\system32\mmtask.exe -s
    3⤵
    PID:2556
- - C:\Windows\SVCHOST.EXE
    C:\Windows\SVCHOST.EXE -s
    3⤵
    PID:888
- - C:\Windows\system\SVCHOST.EXE
    C:\Windows\system\SVCHOST.EXE -s
    3⤵
    PID:2520
- - C:\Windows\SysWOW64\EBRR.EXE
    C:\Windows\system32\EBRR.EXE -s
    3⤵
    PID:924
- - C:\Windows\SysWOW64\mmtask.exe
    C:\Windows\system32\mmtask.exe -s
    3⤵
    PID:2560
- - C:\Windows\SVCHOST.EXE
    C:\Windows\SVCHOST.EXE -s
    3⤵
    PID:2380
- - C:\Windows\system\SVCHOST.EXE
    C:\Windows\system\SVCHOST.EXE -s
    3⤵
    PID:2268
- - C:\Windows\SysWOW64\EBRR.EXE
    C:\Windows\system32\EBRR.EXE -s
    3⤵
    PID:788
- - C:\Windows\SysWOW64\mmtask.exe
    C:\Windows\system32\mmtask.exe -s
    3⤵
    PID:2848
- - C:\Windows\SVCHOST.EXE
    C:\Windows\SVCHOST.EXE -s
    3⤵
    PID:2000
- - C:\Windows\system\SVCHOST.EXE
    C:\Windows\system\SVCHOST.EXE -s
    3⤵
    PID:1864
- - C:\Windows\SysWOW64\EBRR.EXE
    C:\Windows\system32\EBRR.EXE -s
    3⤵
    PID:3060
- - C:\Windows\SysWOW64\mmtask.exe
    C:\Windows\system32\mmtask.exe -s
    3⤵
    PID:1964
- - C:\Windows\SVCHOST.EXE
    C:\Windows\SVCHOST.EXE -s
    3⤵
    PID:2208
- - C:\Windows\system\SVCHOST.EXE
    C:\Windows\system\SVCHOST.EXE -s
    3⤵
    PID:2584
- - C:\Windows\SysWOW64\EBRR.EXE
    C:\Windows\system32\EBRR.EXE -s
    3⤵
    PID:1960
- - C:\Windows\SysWOW64\mmtask.exe
    C:\Windows\system32\mmtask.exe -s
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2284
- - C:\Windows\SVCHOST.EXE
    C:\Windows\SVCHOST.EXE -s
    3⤵
    PID:892
- - C:\Windows\system\SVCHOST.EXE
    C:\Windows\system\SVCHOST.EXE -s
    3⤵
    PID:1952
- - C:\Windows\SysWOW64\EBRR.EXE
    C:\Windows\system32\EBRR.EXE -s
    3⤵
    PID:2172
- - C:\Windows\SysWOW64\mmtask.exe
    C:\Windows\system32\mmtask.exe -s
    3⤵
    PID:2720
- - C:\Windows\SVCHOST.EXE
    C:\Windows\SVCHOST.EXE -s
    3⤵
    PID:2408
- - C:\Windows\system\SVCHOST.EXE
    C:\Windows\system\SVCHOST.EXE -s
    3⤵
    PID:884
- - C:\Windows\SysWOW64\EBRR.EXE
    C:\Windows\system32\EBRR.EXE -s
    3⤵
    PID:2000
- - C:\Windows\SysWOW64\mmtask.exe
    C:\Windows\system32\mmtask.exe -s
    3⤵
    PID:1712
- - C:\Windows\SVCHOST.EXE
    C:\Windows\SVCHOST.EXE -s
    3⤵
    PID:1036
- - C:\Windows\system\SVCHOST.EXE
    C:\Windows\system\SVCHOST.EXE -s
    3⤵
    PID:1848
- - C:\Windows\SysWOW64\EBRR.EXE
    C:\Windows\system32\EBRR.EXE -s
    3⤵
    PID:3028
- - C:\Windows\SysWOW64\mmtask.exe
    C:\Windows\system32\mmtask.exe -s
    3⤵
    PID:2192
- - C:\Windows\SVCHOST.EXE
    C:\Windows\SVCHOST.EXE -s
    3⤵
    PID:2052
- - C:\Windows\system\SVCHOST.EXE
    C:\Windows\system\SVCHOST.EXE -s
    3⤵
    PID:1872
- - C:\Windows\SysWOW64\EBRR.EXE
    C:\Windows\system32\EBRR.EXE -s
    3⤵
    PID:2068
- - C:\Windows\SysWOW64\mmtask.exe
    C:\Windows\system32\mmtask.exe -s
    3⤵
    PID:1784
- - C:\Windows\SVCHOST.EXE
    C:\Windows\SVCHOST.EXE -s
    3⤵
    PID:1636
- - C:\Windows\system\SVCHOST.EXE
    C:\Windows\system\SVCHOST.EXE -s
    3⤵
    PID:2576
- - C:\Windows\SysWOW64\EBRR.EXE
    C:\Windows\system32\EBRR.EXE -s
    3⤵
    PID:2428
- - C:\Windows\SysWOW64\mmtask.exe
    C:\Windows\system32\mmtask.exe -s
    3⤵
    PID:2764
- - C:\Windows\SVCHOST.EXE
    C:\Windows\SVCHOST.EXE -s
    3⤵
    PID:2260
- - C:\Windows\system\SVCHOST.EXE
    C:\Windows\system\SVCHOST.EXE -s
    3⤵
    PID:2860
- - C:\Windows\SysWOW64\EBRR.EXE
    C:\Windows\system32\EBRR.EXE -s
    3⤵
    PID:2188
- - C:\Windows\SysWOW64\mmtask.exe
    C:\Windows\system32\mmtask.exe -s
    3⤵
    PID:2584
- - C:\Windows\SVCHOST.EXE
    C:\Windows\SVCHOST.EXE -s
    3⤵
    PID:1288
- - C:\Windows\system\SVCHOST.EXE
    C:\Windows\system\SVCHOST.EXE -s
    3⤵
    PID:1168
- - C:\Windows\SysWOW64\EBRR.EXE
    C:\Windows\system32\EBRR.EXE -s
    3⤵
    PID:696
- - C:\Windows\SysWOW64\mmtask.exe
    C:\Windows\system32\mmtask.exe -s
    3⤵
    PID:2324
- - C:\Windows\SVCHOST.EXE
    C:\Windows\SVCHOST.EXE -s
    3⤵
    PID:1704
- - C:\Windows\system\SVCHOST.EXE
    C:\Windows\system\SVCHOST.EXE -s
    3⤵
    PID:1952
- - C:\Windows\SysWOW64\EBRR.EXE
    C:\Windows\system32\EBRR.EXE -s
    3⤵
    PID:1784
- - C:\Windows\SysWOW64\mmtask.exe
    C:\Windows\system32\mmtask.exe -s
    3⤵
    PID:2268
- - C:\Windows\SVCHOST.EXE
    C:\Windows\SVCHOST.EXE -s
    3⤵
    PID:2148
- - C:\Windows\system\SVCHOST.EXE
    C:\Windows\system\SVCHOST.EXE -s
    3⤵
    PID:2292
- - C:\Windows\SysWOW64\EBRR.EXE
    C:\Windows\system32\EBRR.EXE -s
    3⤵
    PID:2304
- - C:\Windows\SysWOW64\mmtask.exe
    C:\Windows\system32\mmtask.exe -s
    3⤵
    PID:2260
- - C:\Windows\SVCHOST.EXE
    C:\Windows\SVCHOST.EXE -s
    3⤵
    PID:1144
- - C:\Windows\system\SVCHOST.EXE
    C:\Windows\system\SVCHOST.EXE -s
    3⤵
    PID:1608
- - C:\Windows\SysWOW64\EBRR.EXE
    C:\Windows\system32\EBRR.EXE -s
    3⤵
    PID:840
- - C:\Windows\SysWOW64\mmtask.exe
    C:\Windows\system32\mmtask.exe -s
    3⤵
    PID:1680
- - C:\Windows\SVCHOST.EXE
    C:\Windows\SVCHOST.EXE -s
    3⤵
    PID:1308
- - C:\Windows\system\SVCHOST.EXE
    C:\Windows\system\SVCHOST.EXE -s
    3⤵
    PID:1676
- - C:\Windows\SysWOW64\EBRR.EXE
    C:\Windows\system32\EBRR.EXE -s
    3⤵
    PID:2396
- - C:\Windows\SysWOW64\mmtask.exe
    C:\Windows\system32\mmtask.exe -s
    3⤵
    PID:2540
- - C:\Windows\SVCHOST.EXE
    C:\Windows\SVCHOST.EXE -s
    3⤵
    PID:2324
- - C:\Windows\system\SVCHOST.EXE
    C:\Windows\system\SVCHOST.EXE -s
    3⤵
    PID:2564
- - C:\Windows\SysWOW64\EBRR.EXE
    C:\Windows\system32\EBRR.EXE -s
    3⤵
    PID:2932
- - C:\Windows\SysWOW64\mmtask.exe
    C:\Windows\system32\mmtask.exe -s
    3⤵
    PID:1808
- - C:\Windows\SVCHOST.EXE
    C:\Windows\SVCHOST.EXE -s
    3⤵
    PID:2724
- - C:\Windows\system\SVCHOST.EXE
    C:\Windows\system\SVCHOST.EXE -s
    3⤵
    PID:2268
- - C:\Windows\SysWOW64\EBRR.EXE
    C:\Windows\system32\EBRR.EXE -s
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2344
- - C:\Windows\SysWOW64\mmtask.exe
    C:\Windows\system32\mmtask.exe -s
    3⤵
    PID:3044
- - C:\Windows\SVCHOST.EXE
    C:\Windows\SVCHOST.EXE -s
    3⤵
    PID:2920
- - C:\Windows\system\SVCHOST.EXE
    C:\Windows\system\SVCHOST.EXE -s
    3⤵
    PID:788
- - C:\Windows\SysWOW64\EBRR.EXE
    C:\Windows\system32\EBRR.EXE -s
    3⤵
    PID:2924
- - C:\Windows\SysWOW64\mmtask.exe
    C:\Windows\system32\mmtask.exe -s
    3⤵
    PID:1916
- - C:\Windows\SVCHOST.EXE
    C:\Windows\SVCHOST.EXE -s
    3⤵
    PID:1612
- - C:\Windows\system\SVCHOST.EXE
    C:\Windows\system\SVCHOST.EXE -s
    3⤵
    PID:1288
- - C:\Windows\SysWOW64\EBRR.EXE
    C:\Windows\system32\EBRR.EXE -s
    3⤵
    PID:2572
- - C:\Windows\SysWOW64\mmtask.exe
    C:\Windows\system32\mmtask.exe -s
    3⤵
    PID:2236
- - C:\Windows\SVCHOST.EXE
    C:\Windows\SVCHOST.EXE -s
    3⤵
    PID:2068
- - C:\Windows\system\SVCHOST.EXE
    C:\Windows\system\SVCHOST.EXE -s
    3⤵
    PID:2120
- - C:\Windows\SysWOW64\EBRR.EXE
    C:\Windows\system32\EBRR.EXE -s
    3⤵
    PID:2660
- - C:\Windows\SysWOW64\mmtask.exe
    C:\Windows\system32\mmtask.exe -s
    3⤵
    PID:2340
- - C:\Windows\SVCHOST.EXE
    C:\Windows\SVCHOST.EXE -s
    3⤵
    PID:2200
- - C:\Windows\system\SVCHOST.EXE
    C:\Windows\system\SVCHOST.EXE -s
    3⤵
    PID:2424
- - C:\Windows\SysWOW64\EBRR.EXE
    C:\Windows\system32\EBRR.EXE -s
    3⤵
    PID:1668
- - C:\Windows\SysWOW64\mmtask.exe
    C:\Windows\system32\mmtask.exe -s
    3⤵
    PID:2348
- - C:\Windows\SVCHOST.EXE
    C:\Windows\SVCHOST.EXE -s
    3⤵
    PID:1248
- - C:\Windows\system\SVCHOST.EXE
    C:\Windows\system\SVCHOST.EXE -s
    3⤵
    PID:2824
- - C:\Windows\SysWOW64\EBRR.EXE
    C:\Windows\system32\EBRR.EXE -s
    3⤵
    PID:1688
- - C:\Windows\SysWOW64\mmtask.exe
    C:\Windows\system32\mmtask.exe -s
    3⤵
    PID:1144
- - C:\Windows\SVCHOST.EXE
    C:\Windows\SVCHOST.EXE -s
    3⤵
    PID:2764
- - C:\Windows\system\SVCHOST.EXE
    C:\Windows\system\SVCHOST.EXE -s
    3⤵
    PID:2820
- - C:\Windows\SysWOW64\EBRR.EXE
    C:\Windows\system32\EBRR.EXE -s
    3⤵
    PID:2188
- C:\Windows\SysWOW64\mmtask.exe
  C:\Windows\system32\mmtask.exe -s
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:1476
- C:\Windows\SVCHOST.EXE
  C:\Windows\SVCHOST.EXE -s
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:920
- C:\Windows\system\SVCHOST.EXE
  C:\Windows\system\SVCHOST.EXE -s
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:320
- C:\Windows\SysWOW64\EBRR.EXE
  C:\Windows\system32\EBRR.EXE -s
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:1744
- C:\Windows\SysWOW64\mmtask.exe
  C:\Windows\system32\mmtask.exe -s
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:2244
- C:\Windows\SVCHOST.EXE
  C:\Windows\SVCHOST.EXE -s
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:2736
- C:\Windows\system\SVCHOST.EXE
  C:\Windows\system\SVCHOST.EXE -s
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:2604
- C:\Windows\SysWOW64\EBRR.EXE
  C:\Windows\system32\EBRR.EXE -s
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:2764
- C:\Windows\SysWOW64\mmtask.exe
  C:\Windows\system32\mmtask.exe -s
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:2652
- C:\Windows\SVCHOST.EXE
  C:\Windows\SVCHOST.EXE -s
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:3040
- C:\Windows\system\SVCHOST.EXE
  C:\Windows\system\SVCHOST.EXE -s
  2⤵
  - Executes dropped EXE
  PID:1756
- C:\Windows\SysWOW64\EBRR.EXE
  C:\Windows\system32\EBRR.EXE -s
  2⤵
  PID:1820
- C:\Windows\SysWOW64\mmtask.exe
  C:\Windows\system32\mmtask.exe -s
  2⤵
  PID:1052
- C:\Windows\SVCHOST.EXE
  C:\Windows\SVCHOST.EXE -s
  2⤵
  PID:2236
- C:\Windows\system\SVCHOST.EXE
  C:\Windows\system\SVCHOST.EXE -s
  2⤵
  PID:1924
- C:\Windows\SysWOW64\EBRR.EXE
  C:\Windows\system32\EBRR.EXE -s
  2⤵
  PID:912
- C:\Windows\SysWOW64\mmtask.exe
  C:\Windows\system32\mmtask.exe -s
  2⤵
  PID:2216
- C:\Windows\SVCHOST.EXE
  C:\Windows\SVCHOST.EXE -s
  2⤵
  PID:2512
- C:\Windows\system\SVCHOST.EXE
  C:\Windows\system\SVCHOST.EXE -s
  2⤵
  PID:1992
- C:\Windows\SysWOW64\EBRR.EXE
  C:\Windows\system32\EBRR.EXE -s
  2⤵
  PID:2848
- C:\Windows\SysWOW64\mmtask.exe
  C:\Windows\system32\mmtask.exe -s
  2⤵
  PID:2844
- C:\Windows\SVCHOST.EXE
  C:\Windows\SVCHOST.EXE -s
  2⤵
  PID:2312
- C:\Windows\system\SVCHOST.EXE
  C:\Windows\system\SVCHOST.EXE -s
  2⤵
  PID:1936
- C:\Windows\SysWOW64\EBRR.EXE
  C:\Windows\system32\EBRR.EXE -s
  2⤵
  PID:2152
- C:\Windows\SysWOW64\mmtask.exe
  C:\Windows\system32\mmtask.exe -s
  2⤵
  PID:1748
- C:\Windows\SVCHOST.EXE
  C:\Windows\SVCHOST.EXE -s
  2⤵
  PID:2544
- C:\Windows\system\SVCHOST.EXE
  C:\Windows\system\SVCHOST.EXE -s
  2⤵
  PID:1772
- C:\Windows\SysWOW64\EBRR.EXE
  C:\Windows\system32\EBRR.EXE -s
  2⤵
  PID:912
- C:\Windows\SysWOW64\mmtask.exe
  C:\Windows\system32\mmtask.exe -s
  2⤵
  PID:2508
- C:\Windows\SVCHOST.EXE
  C:\Windows\SVCHOST.EXE -s
  2⤵
  PID:2784
- C:\Windows\system\SVCHOST.EXE
  C:\Windows\system\SVCHOST.EXE -s
  2⤵
  PID:2432
- C:\Windows\SysWOW64\EBRR.EXE
  C:\Windows\system32\EBRR.EXE -s
  2⤵
  PID:2012
- C:\Windows\SysWOW64\mmtask.exe
  C:\Windows\system32\mmtask.exe -s
  2⤵
  PID:2708
- C:\Windows\SVCHOST.EXE
  C:\Windows\SVCHOST.EXE -s
  2⤵
  PID:3032
- C:\Windows\system\SVCHOST.EXE
  C:\Windows\system\SVCHOST.EXE -s
  2⤵
  PID:2764
- C:\Windows\SysWOW64\EBRR.EXE
  C:\Windows\system32\EBRR.EXE -s
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1308
- C:\Windows\SysWOW64\mmtask.exe
  C:\Windows\system32\mmtask.exe -s
  2⤵
  PID:2252
- C:\Windows\SVCHOST.EXE
  C:\Windows\SVCHOST.EXE -s
  2⤵
  PID:2068
- C:\Windows\system\SVCHOST.EXE
  C:\Windows\system\SVCHOST.EXE -s
  2⤵
  PID:1732
- C:\Windows\SysWOW64\EBRR.EXE
  C:\Windows\system32\EBRR.EXE -s
  2⤵
  PID:320
- C:\Windows\SysWOW64\mmtask.exe
  C:\Windows\system32\mmtask.exe -s
  2⤵
  PID:2020
- C:\Windows\SVCHOST.EXE
  C:\Windows\SVCHOST.EXE -s
  2⤵
  PID:2548
- C:\Windows\system\SVCHOST.EXE
  C:\Windows\system\SVCHOST.EXE -s
  2⤵
  PID:576
- C:\Windows\SysWOW64\EBRR.EXE
  C:\Windows\system32\EBRR.EXE -s
  2⤵
  PID:2956
- C:\Windows\SysWOW64\mmtask.exe
  C:\Windows\system32\mmtask.exe -s
  2⤵
  PID:1112
- C:\Windows\SVCHOST.EXE
  C:\Windows\SVCHOST.EXE -s
  2⤵
  PID:2468
- C:\Windows\system\SVCHOST.EXE
  C:\Windows\system\SVCHOST.EXE -s
  2⤵
  PID:1432
- C:\Windows\SysWOW64\EBRR.EXE
  C:\Windows\system32\EBRR.EXE -s
  2⤵
  PID:1288
- C:\Windows\SysWOW64\mmtask.exe
  C:\Windows\system32\mmtask.exe -s
  2⤵
  PID:2248
- C:\Windows\SVCHOST.EXE
  C:\Windows\SVCHOST.EXE -s
  2⤵
  PID:1748
- C:\Windows\system\SVCHOST.EXE
  C:\Windows\system\SVCHOST.EXE -s
  2⤵
  PID:1872
- C:\Windows\SysWOW64\EBRR.EXE
  C:\Windows\system32\EBRR.EXE -s
  2⤵
  PID:956
- C:\Windows\SysWOW64\mmtask.exe
  C:\Windows\system32\mmtask.exe -s
  2⤵
  PID:2348
- C:\Windows\SVCHOST.EXE
  C:\Windows\SVCHOST.EXE -s
  2⤵
  PID:2720
- C:\Windows\system\SVCHOST.EXE
  C:\Windows\system\SVCHOST.EXE -s
  2⤵
  PID:1584
- C:\Windows\SysWOW64\EBRR.EXE
  C:\Windows\system32\EBRR.EXE -s
  2⤵
  PID:2828
- C:\Windows\SysWOW64\mmtask.exe
  C:\Windows\system32\mmtask.exe -s
  2⤵
  PID:1036
- C:\Windows\SVCHOST.EXE
  C:\Windows\SVCHOST.EXE -s
  2⤵
  PID:1864
- C:\Windows\system\SVCHOST.EXE
  C:\Windows\system\SVCHOST.EXE -s
  2⤵
  PID:2876
- C:\Windows\SysWOW64\EBRR.EXE
  C:\Windows\system32\EBRR.EXE -s
  2⤵
  PID:2552
- C:\Windows\SysWOW64\mmtask.exe
  C:\Windows\system32\mmtask.exe -s
  2⤵
  PID:1596
- C:\Windows\SVCHOST.EXE
  C:\Windows\SVCHOST.EXE -s
  2⤵
  PID:1820
- C:\Windows\system\SVCHOST.EXE
  C:\Windows\system\SVCHOST.EXE -s
  2⤵
  PID:1356
- C:\Windows\SysWOW64\EBRR.EXE
  C:\Windows\system32\EBRR.EXE -s
  2⤵
  PID:1536
- C:\Windows\SysWOW64\mmtask.exe
  C:\Windows\system32\mmtask.exe -s
  2⤵
  PID:1968
- C:\Windows\SVCHOST.EXE
  C:\Windows\SVCHOST.EXE -s
  2⤵
  PID:2544
- C:\Windows\system\SVCHOST.EXE
  C:\Windows\system\SVCHOST.EXE -s
  2⤵
  PID:2496
- C:\Windows\SysWOW64\EBRR.EXE
  C:\Windows\system32\EBRR.EXE -s
  2⤵
  PID:1668
- C:\Windows\SysWOW64\mmtask.exe
  C:\Windows\system32\mmtask.exe -s
  2⤵
  PID:2432
- C:\Windows\SVCHOST.EXE
  C:\Windows\SVCHOST.EXE -s
  2⤵
  PID:876
- C:\Windows\system\SVCHOST.EXE
  C:\Windows\system\SVCHOST.EXE -s
  2⤵
  PID:576
- C:\Windows\SysWOW64\EBRR.EXE
  C:\Windows\system32\EBRR.EXE -s
  2⤵
  PID:3040
- C:\Windows\SysWOW64\mmtask.exe
  C:\Windows\system32\mmtask.exe -s
  2⤵
  PID:2696
- C:\Windows\SVCHOST.EXE
  C:\Windows\SVCHOST.EXE -s
  2⤵
  PID:2636
- C:\Windows\system\SVCHOST.EXE
  C:\Windows\system\SVCHOST.EXE -s
  2⤵
  PID:1628
- C:\Windows\SysWOW64\EBRR.EXE
  C:\Windows\system32\EBRR.EXE -s
  2⤵
  PID:1356
- C:\Windows\SysWOW64\mmtask.exe
  C:\Windows\system32\mmtask.exe -s
  2⤵
  PID:564
- C:\Windows\SVCHOST.EXE
  C:\Windows\SVCHOST.EXE -s
  2⤵
  PID:1292
- C:\Windows\system\SVCHOST.EXE
  C:\Windows\system\SVCHOST.EXE -s
  2⤵
  PID:2284
- C:\Windows\SysWOW64\EBRR.EXE
  C:\Windows\system32\EBRR.EXE -s
  2⤵
  PID:2172
- C:\Windows\SysWOW64\mmtask.exe
  C:\Windows\system32\mmtask.exe -s
  2⤵
  PID:1484
- C:\Windows\SVCHOST.EXE
  C:\Windows\SVCHOST.EXE -s
  2⤵
  PID:2244
- C:\Windows\system\SVCHOST.EXE
  C:\Windows\system\SVCHOST.EXE -s
  2⤵
  PID:1752
- C:\Windows\SysWOW64\EBRR.EXE
  C:\Windows\system32\EBRR.EXE -s
  2⤵
  PID:2796
- C:\Windows\SysWOW64\mmtask.exe
  C:\Windows\system32\mmtask.exe -s
  2⤵
  PID:2640
- C:\Windows\SVCHOST.EXE
  C:\Windows\SVCHOST.EXE -s
  2⤵
  PID:584
- C:\Windows\system\SVCHOST.EXE
  C:\Windows\system\SVCHOST.EXE -s
  2⤵
  PID:1908
- C:\Windows\SysWOW64\EBRR.EXE
  C:\Windows\system32\EBRR.EXE -s
  2⤵
  PID:3040
- C:\Windows\SysWOW64\mmtask.exe
  C:\Windows\system32\mmtask.exe -s
  2⤵
  PID:2916
- C:\Windows\SVCHOST.EXE
  C:\Windows\SVCHOST.EXE -s
  2⤵
  PID:2388
- C:\Windows\system\SVCHOST.EXE
  C:\Windows\system\SVCHOST.EXE -s
  2⤵
  PID:2584
- C:\Windows\SysWOW64\EBRR.EXE
  C:\Windows\system32\EBRR.EXE -s
  2⤵
  PID:1748
- C:\Windows\SysWOW64\mmtask.exe
  C:\Windows\system32\mmtask.exe -s
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2220
- C:\Windows\SVCHOST.EXE
  C:\Windows\SVCHOST.EXE -s
  2⤵
  PID:2564
- C:\Windows\system\SVCHOST.EXE
  C:\Windows\system\SVCHOST.EXE -s
  2⤵
  PID:1528
- C:\Windows\SysWOW64\EBRR.EXE
  C:\Windows\system32\EBRR.EXE -s
  2⤵
  PID:1248
- C:\Windows\SysWOW64\mmtask.exe
  C:\Windows\system32\mmtask.exe -s
  2⤵
  PID:2184
- C:\Windows\SVCHOST.EXE
  C:\Windows\SVCHOST.EXE -s
  2⤵
  PID:1488
- C:\Windows\system\SVCHOST.EXE
  C:\Windows\system\SVCHOST.EXE -s
  2⤵
  PID:2508
- C:\Windows\SysWOW64\EBRR.EXE
  C:\Windows\system32\EBRR.EXE -s
  2⤵
  PID:1720
- C:\Windows\SysWOW64\mmtask.exe
  C:\Windows\system32\mmtask.exe -s
  2⤵
  PID:1804
- C:\Windows\SVCHOST.EXE
  C:\Windows\SVCHOST.EXE -s
  2⤵
  PID:2716
- C:\Windows\system\SVCHOST.EXE
  C:\Windows\system\SVCHOST.EXE -s
  2⤵
  PID:3060
- C:\Windows\SysWOW64\EBRR.EXE
  C:\Windows\system32\EBRR.EXE -s
  2⤵
  PID:1344
- C:\Windows\SysWOW64\mmtask.exe
  C:\Windows\system32\mmtask.exe -s
  2⤵
  PID:1680
- C:\Windows\SVCHOST.EXE
  C:\Windows\SVCHOST.EXE -s
  2⤵
  PID:2904
- C:\Windows\system\SVCHOST.EXE
  C:\Windows\system\SVCHOST.EXE -s
  2⤵
  PID:1304
- C:\Windows\SysWOW64\EBRR.EXE
  C:\Windows\system32\EBRR.EXE -s
  2⤵
  PID:2068
- C:\Windows\SysWOW64\mmtask.exe
  C:\Windows\system32\mmtask.exe -s
  2⤵
  PID:2632
- C:\Windows\SVCHOST.EXE
  C:\Windows\SVCHOST.EXE -s
  2⤵
  PID:2352
- C:\Windows\system\SVCHOST.EXE
  C:\Windows\system\SVCHOST.EXE -s
  2⤵
  PID:1592
- C:\Windows\SysWOW64\EBRR.EXE
  C:\Windows\system32\EBRR.EXE -s
  2⤵
  PID:2512
- C:\Windows\SysWOW64\mmtask.exe
  C:\Windows\system32\mmtask.exe -s
  2⤵
  PID:2824
- C:\Windows\SVCHOST.EXE
  C:\Windows\SVCHOST.EXE -s
  2⤵
  PID:2940
- C:\Windows\system\SVCHOST.EXE
  C:\Windows\system\SVCHOST.EXE -s
  2⤵
  PID:2224
- C:\Windows\SysWOW64\EBRR.EXE
  C:\Windows\system32\EBRR.EXE -s
  2⤵
  PID:2820
- C:\Windows\SysWOW64\mmtask.exe
  C:\Windows\system32\mmtask.exe -s
  2⤵
  PID:860
- C:\Windows\SVCHOST.EXE
  C:\Windows\SVCHOST.EXE -s
  2⤵
  PID:1720
- C:\Windows\system\SVCHOST.EXE
  C:\Windows\system\SVCHOST.EXE -s
  2⤵
  PID:1036
- C:\Windows\SysWOW64\EBRR.EXE
  C:\Windows\system32\EBRR.EXE -s
  2⤵
  PID:3056
- C:\Windows\SysWOW64\mmtask.exe
  C:\Windows\system32\mmtask.exe -s
  2⤵
  PID:2212
- C:\Windows\SVCHOST.EXE
  C:\Windows\SVCHOST.EXE -s
  2⤵
  PID:2856
- C:\Windows\system\SVCHOST.EXE
  C:\Windows\system\SVCHOST.EXE -s
  2⤵
  PID:1872
- C:\Windows\SysWOW64\EBRR.EXE
  C:\Windows\system32\EBRR.EXE -s
  2⤵
  PID:1732
- C:\Windows\SysWOW64\mmtask.exe
  C:\Windows\system32\mmtask.exe -s
  2⤵
  PID:1692
- C:\Windows\SVCHOST.EXE
  C:\Windows\SVCHOST.EXE -s
  2⤵
  PID:1292
- C:\Windows\system\SVCHOST.EXE
  C:\Windows\system\SVCHOST.EXE -s
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2420
- C:\Windows\SysWOW64\EBRR.EXE
  C:\Windows\system32\EBRR.EXE -s
  2⤵
  PID:2200
- C:\Windows\SysWOW64\mmtask.exe
  C:\Windows\system32\mmtask.exe -s
  2⤵
  PID:2020
- C:\Windows\SVCHOST.EXE
  C:\Windows\SVCHOST.EXE -s
  2⤵
  PID:1668
- C:\Windows\system\SVCHOST.EXE
  C:\Windows\system\SVCHOST.EXE -s
  2⤵
  PID:2940
- C:\Windows\SysWOW64\EBRR.EXE
  C:\Windows\system32\EBRR.EXE -s
  2⤵
  PID:2440
- C:\Windows\SysWOW64\mmtask.exe
  C:\Windows\system32\mmtask.exe -s
  2⤵
  PID:1728
- C:\Windows\SVCHOST.EXE
  C:\Windows\SVCHOST.EXE -s
  2⤵
  PID:2740
- C:\Windows\system\SVCHOST.EXE
  C:\Windows\system\SVCHOST.EXE -s
  2⤵
  PID:1112
- C:\Windows\SysWOW64\EBRR.EXE
  C:\Windows\system32\EBRR.EXE -s
  2⤵
  PID:940
- C:\Windows\SysWOW64\mmtask.exe
  C:\Windows\system32\mmtask.exe -s
  2⤵
  PID:1864
- C:\Windows\SVCHOST.EXE
  C:\Windows\SVCHOST.EXE -s
  2⤵
  PID:1612
- C:\Windows\system\SVCHOST.EXE
  C:\Windows\system\SVCHOST.EXE -s
  2⤵
  PID:1288
- C:\Windows\SysWOW64\EBRR.EXE
  C:\Windows\system32\EBRR.EXE -s
  2⤵
  PID:808
- C:\Windows\SysWOW64\mmtask.exe
  C:\Windows\system32\mmtask.exe -s
  2⤵
  PID:1532
- C:\Windows\SVCHOST.EXE
  C:\Windows\SVCHOST.EXE -s
  2⤵
  PID:2692
- C:\Windows\system\SVCHOST.EXE
  C:\Windows\system\SVCHOST.EXE -s
  2⤵
  PID:888
- C:\Windows\SysWOW64\EBRR.EXE
  C:\Windows\system32\EBRR.EXE -s
  2⤵
  PID:2360
- C:\Windows\SysWOW64\mmtask.exe
  C:\Windows\system32\mmtask.exe -s
  2⤵
  PID:1660
- C:\Windows\SVCHOST.EXE
  C:\Windows\SVCHOST.EXE -s
  2⤵
  PID:1748
- C:\Windows\system\SVCHOST.EXE
  C:\Windows\system\SVCHOST.EXE -s
  2⤵
  PID:316
- C:\Windows\SysWOW64\EBRR.EXE
  C:\Windows\system32\EBRR.EXE -s
  2⤵
  PID:2372
- C:\Windows\SysWOW64\mmtask.exe
  C:\Windows\system32\mmtask.exe -s
  2⤵
  PID:2244
- C:\Windows\SVCHOST.EXE
  C:\Windows\SVCHOST.EXE -s
  2⤵
  PID:1488
- C:\Windows\system\SVCHOST.EXE
  C:\Windows\system\SVCHOST.EXE -s
  2⤵
  PID:1744
- C:\Windows\SysWOW64\EBRR.EXE
  C:\Windows\system32\EBRR.EXE -s
  2⤵
  PID:2476
- C:\Windows\SysWOW64\mmtask.exe
  C:\Windows\system32\mmtask.exe -s
  2⤵
  PID:2320
- C:\Windows\SVCHOST.EXE
  C:\Windows\SVCHOST.EXE -s
  2⤵
  PID:2448
- C:\Windows\system\SVCHOST.EXE
  C:\Windows\system\SVCHOST.EXE -s
  2⤵
  PID:780
- C:\Windows\SysWOW64\EBRR.EXE
  C:\Windows\system32\EBRR.EXE -s
  2⤵
  PID:1872
- C:\Windows\SysWOW64\mmtask.exe
  C:\Windows\system32\mmtask.exe -s
  2⤵
  PID:2116
- C:\Windows\SVCHOST.EXE
  C:\Windows\SVCHOST.EXE -s
  2⤵
  PID:2660
- C:\Windows\system\SVCHOST.EXE
  C:\Windows\system\SVCHOST.EXE -s
  2⤵
  PID:704
- C:\Windows\SysWOW64\EBRR.EXE
  C:\Windows\system32\EBRR.EXE -s
  2⤵
  PID:912
- C:\Windows\SysWOW64\mmtask.exe
  C:\Windows\system32\mmtask.exe -s
  2⤵
  PID:2380
- C:\Windows\SVCHOST.EXE
  C:\Windows\SVCHOST.EXE -s
  2⤵
  PID:1668
- C:\Windows\system\SVCHOST.EXE
  C:\Windows\system\SVCHOST.EXE -s
  2⤵
  PID:2680
- C:\Windows\SysWOW64\EBRR.EXE
  C:\Windows\system32\EBRR.EXE -s
  2⤵
  PID:2900
- C:\Windows\SysWOW64\mmtask.exe
  C:\Windows\system32\mmtask.exe -s
  2⤵
  PID:2764
- C:\Windows\SVCHOST.EXE
  C:\Windows\SVCHOST.EXE -s
  2⤵
  PID:2312
- C:\Windows\system\SVCHOST.EXE
  C:\Windows\system\SVCHOST.EXE -s
  2⤵
  PID:2468
- C:\Windows\SysWOW64\EBRR.EXE
  C:\Windows\system32\EBRR.EXE -s
  2⤵
  PID:1252
- C:\Windows\SysWOW64\mmtask.exe
  C:\Windows\system32\mmtask.exe -s
  2⤵
  PID:1700
- C:\Windows\SVCHOST.EXE
  C:\Windows\SVCHOST.EXE -s
  2⤵
  PID:2320
- C:\Windows\system\SVCHOST.EXE
  C:\Windows\system\SVCHOST.EXE -s
  2⤵
  PID:2152
- C:\Windows\SysWOW64\EBRR.EXE
  C:\Windows\system32\EBRR.EXE -s
  2⤵
  PID:2692
- C:\Windows\SysWOW64\mmtask.exe
  C:\Windows\system32\mmtask.exe -s
  2⤵
  PID:1356
- C:\Windows\SVCHOST.EXE
  C:\Windows\SVCHOST.EXE -s
  2⤵
  PID:2420
- C:\Windows\system\SVCHOST.EXE
  C:\Windows\system\SVCHOST.EXE -s
  2⤵
  PID:1592
- C:\Windows\SysWOW64\EBRR.EXE
  C:\Windows\system32\EBRR.EXE -s
  2⤵
  PID:1248
- C:\Windows\SysWOW64\mmtask.exe
  C:\Windows\system32\mmtask.exe -s
  2⤵
  PID:2508
- C:\Windows\SVCHOST.EXE
  C:\Windows\SVCHOST.EXE -s
  2⤵
  PID:2704
- C:\Windows\system\SVCHOST.EXE
  C:\Windows\system\SVCHOST.EXE -s
  2⤵
  PID:2408
- C:\Windows\SysWOW64\EBRR.EXE
  C:\Windows\system32\EBRR.EXE -s
  2⤵
  PID:1312
- C:\Windows\SysWOW64\mmtask.exe
  C:\Windows\system32\mmtask.exe -s
  2⤵
  PID:1608
- C:\Windows\SVCHOST.EXE
  C:\Windows\SVCHOST.EXE -s
  2⤵
  PID:2128
- C:\Windows\system\SVCHOST.EXE
  C:\Windows\system\SVCHOST.EXE -s
  2⤵
  PID:2916
- C:\Windows\SysWOW64\EBRR.EXE
  C:\Windows\system32\EBRR.EXE -s
  2⤵
  PID:2320
- C:\Windows\SysWOW64\mmtask.exe
  C:\Windows\system32\mmtask.exe -s
  2⤵
  - System Location Discovery: System Language Discovery
  PID:780
- C:\Windows\SVCHOST.EXE
  C:\Windows\SVCHOST.EXE -s
  2⤵
  PID:1308
- C:\Windows\system\SVCHOST.EXE
  C:\Windows\system\SVCHOST.EXE -s
  2⤵
  PID:2676
- C:\Windows\SysWOW64\EBRR.EXE
  C:\Windows\system32\EBRR.EXE -s
  2⤵
  PID:756
- C:\Windows\SysWOW64\mmtask.exe
  C:\Windows\system32\mmtask.exe -s
  2⤵
  PID:2356
- C:\Windows\SVCHOST.EXE
  C:\Windows\SVCHOST.EXE -s
  2⤵
  PID:592
- C:\Windows\system\SVCHOST.EXE
  C:\Windows\system\SVCHOST.EXE -s
  2⤵
  PID:1372
- C:\Windows\SysWOW64\EBRR.EXE
  C:\Windows\system32\EBRR.EXE -s
  2⤵
  PID:2268
- C:\Windows\SysWOW64\mmtask.exe
  C:\Windows\system32\mmtask.exe -s
  2⤵
  PID:2508
- C:\Windows\SVCHOST.EXE
  C:\Windows\SVCHOST.EXE -s
  2⤵
  PID:2828
- C:\Windows\system\SVCHOST.EXE
  C:\Windows\system\SVCHOST.EXE -s
  2⤵
  PID:2788
- C:\Windows\SysWOW64\EBRR.EXE
  C:\Windows\system32\EBRR.EXE -s
  2⤵
  PID:2132
- C:\Windows\SysWOW64\mmtask.exe
  C:\Windows\system32\mmtask.exe -s
  2⤵
  PID:1820
- C:\Windows\SVCHOST.EXE
  C:\Windows\SVCHOST.EXE -s
  2⤵
  PID:2064
- C:\Windows\system\SVCHOST.EXE
  C:\Windows\system\SVCHOST.EXE -s
  2⤵
  PID:2600

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
- Modifies Internet Explorer settings
- Modifies registry class
PID:2176

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Winlogon Helper DLL

T1547.004

Event Triggered Execution

T1546

Change Default File Association

T1546.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Winlogon Helper DLL

T1547.004

Event Triggered Execution

T1546

Change Default File Association

T1546.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\62b242a5ef86af246a4adf75e050dd46b984c64ff3e0ad7d9b609cb2bc325bfe\Naskah.rtf

Filesize
188B

MD5
853035ec9d6fbf7cf9243c5cd2ed52c9

SHA1
65db1419ad274aface533f87b958b7b21e5f32b7

SHA256
f6e97c8120a4039043a8b132da995cccab7ed38a842251927577bd2f3cb5c1bb

SHA512
f53d97de0a1462ad580e98de40f8629dd282dcd7cf1bdad060064cba4718cdbbfb86e151de1c8e9352083ae61d11bc392dd11cf538513d8fb99f1f469e2c6b79

Download Submit
C:\Windows\SVCHOST.EXE

Filesize
92KB

MD5
e6680da722334c6516b7e9b7068726e3

SHA1
cdece0551b96f103736102c010d30459c60b3683

SHA256
ef713350d8ce7db70793a542c60322299cd2e02d2434414ebc52d0a993a7bbcf

SHA512
740167bb671feac861a63d6ae88c59e6d88247dd8bcb0e65c55e59ac597a792ad22edf50dfaac6c76d2205eb5445c9ca90df7bd121cae4d52f07dab58e810e5b

Download Submit
\Windows\SysWOW64\EBRR.EXE

Filesize
92KB

MD5
4c479b3b8273ace1f882dc9ce3e1e8e8

SHA1
a95b5f1c7a5adcceb15e9c82da9bdd5ab48588e0

SHA256
5f1bf29d9642cc4d490a330b6411ef9a8b0bce44b4a8641c0c2ca2eb7ae032de

SHA512
61f3fa78caf0a0e5514ea8d955a87f090c033efa3a622a8a0173f685619ffa7b29932ad55d495fa3dd641ae33f179bf4f9db749441783f938bdbde7eb24441b8

Download Submit
\Windows\SysWOW64\mmtask.exe

Filesize
92KB

MD5
7d4b2e15094f580c8649a22010f34506

SHA1
3a6d4b534e7ed9aafbca6b4c82f80ae75c03f16a

SHA256
f1bd5ab1b484bae42712c7ca5d585a98609c011e8389b8840368dbe7b6ebb93a

SHA512
6d4c3eadbc7f683e41110a1997f5a1bfa94f3e7e62edebe098ac93370398dd0b45fe7f30a6a626b49a67506db7c56b32d5484a4538f39abb944623d5ed9be09c

Download Submit
\Windows\system\SVCHOST.EXE

Filesize
92KB

MD5
03ffa652533a8e3c49d4b04b820e8b69

SHA1
2e78dbc62d21b92af431b52eb563de11299a1754

SHA256
7643fb3d28497787a9e3f8673f3304ef76b52a824f68d211ab3c98b25dcab3ed

SHA512
9dd74747282b27b39c7b24ac2cd7aeea8881f84806a7beefe6fd50bc8923008e070eae775c82b287a500ca9e727004bc1444216184b52a2dbe9c0f5de5923218

Download Submit
memory/596-1711-0x0000000000220000-0x0000000000230000-memory.dmp

Filesize
64KB

Download
memory/636-130-0x0000000000330000-0x000000000034F000-memory.dmp

Filesize
124KB

Download
memory/636-129-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/636-119-0x0000000000330000-0x000000000034F000-memory.dmp

Filesize
124KB

Download
memory/636-162-0x0000000000330000-0x000000000034F000-memory.dmp

Filesize
124KB

Download
memory/636-114-0x0000000000330000-0x000000000034F000-memory.dmp

Filesize
124KB

Download
memory/636-178-0x0000000000330000-0x000000000034F000-memory.dmp

Filesize
124KB

Download
memory/636-120-0x0000000000330000-0x000000000034F000-memory.dmp

Filesize
124KB

Download
memory/636-233-0x0000000000330000-0x000000000034F000-memory.dmp

Filesize
124KB

Download
memory/636-266-0x0000000000330000-0x000000000034F000-memory.dmp

Filesize
124KB

Download
memory/704-2611-0x0000000000220000-0x0000000000230000-memory.dmp

Filesize
64KB

Download
memory/704-2612-0x0000000000220000-0x0000000000230000-memory.dmp

Filesize
64KB

Download
memory/860-126-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/884-268-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/912-2175-0x0000000000220000-0x0000000000230000-memory.dmp

Filesize
64KB

Download
memory/912-2173-0x0000000000220000-0x0000000000230000-memory.dmp

Filesize
64KB

Download
memory/956-2171-0x0000000000220000-0x0000000000230000-memory.dmp

Filesize
64KB

Download
memory/956-2172-0x0000000000220000-0x0000000000230000-memory.dmp

Filesize
64KB

Download
memory/1052-967-0x0000000000240000-0x0000000000250000-memory.dmp

Filesize
64KB

Download
memory/1112-2695-0x0000000000220000-0x0000000000230000-memory.dmp

Filesize
64KB

Download
memory/1112-2696-0x0000000000220000-0x0000000000230000-memory.dmp

Filesize
64KB

Download
memory/1128-225-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1128-215-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1276-2610-0x0000000000220000-0x0000000000230000-memory.dmp

Filesize
64KB

Download
memory/1312-125-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1312-127-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1476-205-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1532-222-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1584-1573-0x0000000000220000-0x0000000000230000-memory.dmp

Filesize
64KB

Download
memory/1596-1151-0x0000000000220000-0x0000000000230000-memory.dmp

Filesize
64KB

Download
memory/1600-2759-0x0000000000230000-0x0000000000240000-memory.dmp

Filesize
64KB

Download
memory/1620-134-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1636-229-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1700-2737-0x00000000001B0000-0x00000000001C0000-memory.dmp

Filesize
64KB

Download
memory/1728-267-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1728-281-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1732-246-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1744-253-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1756-347-0x00000000001B0000-0x00000000001C0000-memory.dmp

Filesize
64KB

Download
memory/1756-345-0x00000000001B0000-0x00000000001C0000-memory.dmp

Filesize
64KB

Download
memory/1764-157-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1804-510-0x0000000000220000-0x0000000000230000-memory.dmp

Filesize
64KB

Download
memory/1864-115-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1872-175-0x0000000000220000-0x0000000000230000-memory.dmp

Filesize
64KB

Download
memory/1872-177-0x0000000000220000-0x0000000000230000-memory.dmp

Filesize
64KB

Download
memory/1872-183-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1924-2626-0x0000000000220000-0x0000000000230000-memory.dmp

Filesize
64KB

Download
memory/1952-226-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1984-248-0x00000000002E0000-0x00000000002FF000-memory.dmp

Filesize
124KB

Download
memory/1984-213-0x00000000002E0000-0x00000000002FF000-memory.dmp

Filesize
124KB

Download
memory/1984-55-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1984-197-0x00000000002E0000-0x00000000002FF000-memory.dmp

Filesize
124KB

Download
memory/1984-239-0x00000000002E0000-0x00000000002FF000-memory.dmp

Filesize
124KB

Download
memory/1984-16-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1984-254-0x00000000002E0000-0x00000000002FF000-memory.dmp

Filesize
124KB

Download
memory/1984-220-0x00000000002E0000-0x00000000002FF000-memory.dmp

Filesize
124KB

Download
memory/1984-22-0x00000000002E0000-0x00000000002FF000-memory.dmp

Filesize
124KB

Download
memory/1984-221-0x00000000002E0000-0x00000000002FF000-memory.dmp

Filesize
124KB

Download
memory/1984-23-0x00000000002E0000-0x00000000002FF000-memory.dmp

Filesize
124KB

Download
memory/1984-235-0x00000000002E0000-0x00000000002FF000-memory.dmp

Filesize
124KB

Download
memory/1984-214-0x00000000002E0000-0x00000000002FF000-memory.dmp

Filesize
124KB

Download
memory/1984-247-0x00000000002E0000-0x00000000002FF000-memory.dmp

Filesize
124KB

Download
memory/1984-212-0x00000000002E0000-0x00000000002FF000-memory.dmp

Filesize
124KB

Download
memory/1984-236-0x00000000002E0000-0x00000000002FF000-memory.dmp

Filesize
124KB

Download
memory/2036-159-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2140-1071-0x00000000001C0000-0x00000000001D0000-memory.dmp

Filesize
64KB

Download
memory/2152-2274-0x0000000000220000-0x0000000000230000-memory.dmp

Filesize
64KB

Download
memory/2152-2273-0x0000000000220000-0x0000000000230000-memory.dmp

Filesize
64KB

Download
memory/2172-2026-0x0000000000220000-0x0000000000230000-memory.dmp

Filesize
64KB

Download
memory/2172-245-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2172-2025-0x0000000000220000-0x0000000000230000-memory.dmp

Filesize
64KB

Download
memory/2176-48-0x0000000003A10000-0x0000000003A20000-memory.dmp

Filesize
64KB

Download
memory/2224-2204-0x0000000000230000-0x0000000000240000-memory.dmp

Filesize
64KB

Download
memory/2224-2203-0x0000000000230000-0x0000000000240000-memory.dmp

Filesize
64KB

Download
memory/2228-230-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2248-187-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2264-272-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2276-282-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2280-199-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2280-206-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2284-209-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2344-255-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2360-31-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2380-2832-0x00000000001B0000-0x00000000001C0000-memory.dmp

Filesize
64KB

Download
memory/2396-2300-0x0000000000240000-0x0000000000250000-memory.dmp

Filesize
64KB

Download
memory/2396-2298-0x0000000000240000-0x0000000000250000-memory.dmp

Filesize
64KB

Download
memory/2440-58-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2440-1897-0x0000000000270000-0x0000000000280000-memory.dmp

Filesize
64KB

Download
memory/2440-1898-0x0000000000270000-0x0000000000280000-memory.dmp

Filesize
64KB

Download
memory/2472-2672-0x00000000001B0000-0x00000000001C0000-memory.dmp

Filesize
64KB

Download
memory/2472-2671-0x00000000001B0000-0x00000000001C0000-memory.dmp

Filesize
64KB

Download
memory/2492-277-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2560-1025-0x00000000001B0000-0x00000000001C0000-memory.dmp

Filesize
64KB

Download
memory/2560-1026-0x00000000001B0000-0x00000000001C0000-memory.dmp

Filesize
64KB

Download
memory/2604-505-0x00000000001B0000-0x00000000001C0000-memory.dmp

Filesize
64KB

Download
memory/2604-1431-0x0000000000300000-0x0000000000310000-memory.dmp

Filesize
64KB

Download
memory/2604-504-0x00000000001B0000-0x00000000001C0000-memory.dmp

Filesize
64KB

Download
memory/2624-174-0x00000000001E0000-0x00000000001FF000-memory.dmp

Filesize
124KB

Download
memory/2624-185-0x00000000001E0000-0x00000000001FF000-memory.dmp

Filesize
124KB

Download
memory/2624-124-0x00000000001E0000-0x00000000001FF000-memory.dmp

Filesize
124KB

Download
memory/2624-240-0x00000000001E0000-0x00000000001FF000-memory.dmp

Filesize
124KB

Download
memory/2624-244-0x00000000001E0000-0x00000000001FF000-memory.dmp

Filesize
124KB

Download
memory/2624-269-0x00000000001E0000-0x00000000001FF000-memory.dmp

Filesize
124KB

Download
memory/2624-169-0x00000000001E0000-0x00000000001FF000-memory.dmp

Filesize
124KB

Download
memory/2624-101-0x00000000001E0000-0x00000000001FF000-memory.dmp

Filesize
124KB

Download
memory/2624-107-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2624-234-0x00000000001E0000-0x00000000001FF000-memory.dmp

Filesize
124KB

Download
memory/2624-231-0x00000000001E0000-0x00000000001FF000-memory.dmp

Filesize
124KB

Download
memory/2624-77-0x00000000001E0000-0x00000000001FF000-memory.dmp

Filesize
124KB

Download
memory/2624-207-0x00000000001E0000-0x00000000001FF000-memory.dmp

Filesize
124KB

Download
memory/2624-196-0x00000000001E0000-0x00000000001FF000-memory.dmp

Filesize
124KB

Download
memory/2624-208-0x00000000001E0000-0x00000000001FF000-memory.dmp

Filesize
124KB

Download
memory/2628-86-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2636-186-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2716-2719-0x0000000000220000-0x0000000000230000-memory.dmp

Filesize
64KB

Download
memory/2716-2720-0x0000000000220000-0x0000000000230000-memory.dmp

Filesize
64KB

Download
memory/2720-52-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2736-2532-0x0000000000220000-0x0000000000230000-memory.dmp

Filesize
64KB

Download
memory/2736-2531-0x0000000000220000-0x0000000000230000-memory.dmp

Filesize
64KB

Download
memory/2736-295-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2756-2693-0x0000000000230000-0x0000000000240000-memory.dmp

Filesize
64KB

Download
memory/2756-2694-0x0000000000230000-0x0000000000240000-memory.dmp

Filesize
64KB

Download
memory/2764-1587-0x0000000000220000-0x0000000000230000-memory.dmp

Filesize
64KB

Download
memory/2764-1588-0x0000000000220000-0x0000000000230000-memory.dmp

Filesize
64KB

Download
memory/2792-173-0x00000000002D0000-0x00000000002EF000-memory.dmp

Filesize
124KB

Download
memory/2792-232-0x00000000002D0000-0x00000000002EF000-memory.dmp

Filesize
124KB

Download
memory/2792-243-0x00000000002D0000-0x00000000002EF000-memory.dmp

Filesize
124KB

Download
memory/2792-80-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2792-290-0x00000000002D0000-0x00000000002EF000-memory.dmp

Filesize
124KB

Download
memory/2792-143-0x00000000002D0000-0x00000000002EF000-memory.dmp

Filesize
124KB

Download
memory/2792-45-0x00000000002D0000-0x00000000002EF000-memory.dmp

Filesize
124KB

Download
memory/2792-67-0x00000000002D0000-0x00000000002EF000-memory.dmp

Filesize
124KB

Download
memory/2792-278-0x00000000002D0000-0x00000000002EF000-memory.dmp

Filesize
124KB

Download
memory/2820-2880-0x00000000001B0000-0x00000000001C0000-memory.dmp

Filesize
64KB

Download
memory/2820-2879-0x00000000001B0000-0x00000000001C0000-memory.dmp

Filesize
64KB

Download
memory/2856-79-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2860-528-0x00000000001B0000-0x00000000001C0000-memory.dmp

Filesize
64KB

Download
memory/2864-1081-0x0000000000220000-0x0000000000230000-memory.dmp

Filesize
64KB

Download
memory/3008-0-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/3008-14-0x00000000002E0000-0x00000000002FF000-memory.dmp

Filesize
124KB

Download
memory/3008-200-0x00000000002E0000-0x00000000002FF000-memory.dmp

Filesize
124KB

Download
memory/3008-198-0x00000000002E0000-0x00000000002FF000-memory.dmp

Filesize
124KB

Download
memory/3008-289-0x00000000002E0000-0x00000000002FF000-memory.dmp

Filesize
124KB

Download
memory/3008-47-0x00000000002E0000-0x00000000002FF000-memory.dmp

Filesize
124KB

Download
memory/3008-44-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/3020-141-0x0000000000220000-0x0000000000230000-memory.dmp

Filesize
64KB

Download
memory/3020-150-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/3020-145-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/3036-94-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/3056-184-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download