0cf6a4cb3c46a417ab92e334f09379853567ca44307a508b1908fb0045ee687c

Analysis

max time kernel
72s
max time network
17s
platform
windows7_x64
resource
win7-20240729-en
resource tags

arch:x64arch:x86image:win7-20240729-enlocale:en-usos:windows7-x64system
submitted
22-11-2024 07:33

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0cf6a4cb3c46a417ab92e334f09379853567ca44307a508b1908fb0045ee687cN.exe
Size

92KB
MD5

8341d75812d2fcee2076c6f682debb40
SHA1

ff5b92df98020469a7bd71bb8baa6ffb67d0334f
SHA256

0cf6a4cb3c46a417ab92e334f09379853567ca44307a508b1908fb0045ee687c
SHA512

c97a73d9ff3315b78312636cfa23938872bcb8fcd5b8464a3b944d291a69b5436250435ddb52457895dcb0d50efa1f377e003c4678a7218169c519ab0389f8b5
SSDEEP

768:4zW4wnebSdDlmkok6lRGXu+jKZAOWjpiRHVAGr4PzpyRAJ7IwnDoSdA:41bC4Bk6lMTOWw4PkRAPoh

Score

10^/10

discovery persistence

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 10 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"C:\\Windows\\SVCHOST.EXE\""	0cf6a4cb3c46a417ab92e334f09379853567ca44307a508b1908fb0045ee687cN.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"C:\\Windows\\system\\SVCHOST.EXE\""	EBRR.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"C:\\Windows\\SVCHOST.EXE\""	mmtask.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"C:\\Windows\\system\\SVCHOST.EXE\""	mmtask.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"C:\\Windows\\SVCHOST.EXE\""	SVCHOST.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"C:\\Windows\\system\\SVCHOST.EXE\""	SVCHOST.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"C:\\Windows\\system\\SVCHOST.EXE\""	0cf6a4cb3c46a417ab92e334f09379853567ca44307a508b1908fb0045ee687cN.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"C:\\Windows\\SVCHOST.EXE\""	EBRR.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"C:\\Windows\\system\\SVCHOST.EXE\""	SVCHOST.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"C:\\Windows\\SVCHOST.EXE\""	SVCHOST.EXE

Executes dropped EXE 64 IoCs

pid	Process
2576	EBRR.EXE
2640	EBRR.EXE
2468	mmtask.exe
2740	EBRR.EXE
2568	mmtask.exe
2952	SVCHOST.EXE
1036	EBRR.EXE
1060	mmtask.exe
1604	SVCHOST.EXE
1272	SVCHOST.EXE
2832	EBRR.EXE
1724	mmtask.exe
1168	SVCHOST.EXE
1096	SVCHOST.EXE
1944	SVCHOST.EXE
1868	EBRR.EXE
1624	EBRR.EXE
2216	SVCHOST.EXE
2144	mmtask.exe
1596	SVCHOST.EXE
1032	mmtask.exe
888	mmtask.exe
2996	SVCHOST.EXE
1400	EBRR.EXE
264	SVCHOST.EXE
2396	SVCHOST.EXE
336	mmtask.exe
2896	EBRR.EXE
2768	SVCHOST.EXE
2312	SVCHOST.EXE
2164	SVCHOST.EXE
2340	SVCHOST.EXE
1980	mmtask.exe
868	SVCHOST.EXE
2076	SVCHOST.EXE
2368	EBRR.EXE
1716	SVCHOST.EXE
1920	mmtask.exe
1580	EBRR.EXE
1684	EBRR.EXE
1564	mmtask.exe
2660	EBRR.EXE
2876	mmtask.exe
2580	EBRR.EXE
2224	SVCHOST.EXE
2472	SVCHOST.EXE
2480	mmtask.exe
2548	mmtask.exe
1328	SVCHOST.EXE
2448	SVCHOST.EXE
2524	SVCHOST.EXE
2112	SVCHOST.EXE
1228	SVCHOST.EXE
328	SVCHOST.EXE
2128	SVCHOST.EXE
2408	SVCHOST.EXE
2064	EBRR.EXE
1572	EBRR.EXE
1704	EBRR.EXE
2840	mmtask.exe
2796	mmtask.exe
2828	SVCHOST.EXE
2804	EBRR.EXE
1452	mmtask.exe

Loads dropped DLL 64 IoCs

pid	Process
2268	0cf6a4cb3c46a417ab92e334f09379853567ca44307a508b1908fb0045ee687cN.exe
2268	0cf6a4cb3c46a417ab92e334f09379853567ca44307a508b1908fb0045ee687cN.exe
2576	EBRR.EXE
2576	EBRR.EXE
2576	EBRR.EXE
2576	EBRR.EXE
2468	mmtask.exe
2468	mmtask.exe
2468	mmtask.exe
2468	mmtask.exe
2952	SVCHOST.EXE
2952	SVCHOST.EXE
2952	SVCHOST.EXE
2952	SVCHOST.EXE
2952	SVCHOST.EXE
2952	SVCHOST.EXE
1272	SVCHOST.EXE
1272	SVCHOST.EXE
1272	SVCHOST.EXE
1272	SVCHOST.EXE
1272	SVCHOST.EXE
2468	mmtask.exe
1272	SVCHOST.EXE
1272	SVCHOST.EXE
2952	SVCHOST.EXE
2952	SVCHOST.EXE
2952	SVCHOST.EXE
2952	SVCHOST.EXE
2576	EBRR.EXE
2268	0cf6a4cb3c46a417ab92e334f09379853567ca44307a508b1908fb0045ee687cN.exe
2268	0cf6a4cb3c46a417ab92e334f09379853567ca44307a508b1908fb0045ee687cN.exe
1272	SVCHOST.EXE
1272	SVCHOST.EXE
2576	EBRR.EXE
2576	EBRR.EXE
2952	SVCHOST.EXE
2576	EBRR.EXE
2576	EBRR.EXE
2468	mmtask.exe
2468	mmtask.exe
2268	0cf6a4cb3c46a417ab92e334f09379853567ca44307a508b1908fb0045ee687cN.exe
2468	mmtask.exe
2468	mmtask.exe
2576	EBRR.EXE
2952	SVCHOST.EXE
2952	SVCHOST.EXE
2468	mmtask.exe
2952	SVCHOST.EXE
2268	0cf6a4cb3c46a417ab92e334f09379853567ca44307a508b1908fb0045ee687cN.exe
2952	SVCHOST.EXE
2268	0cf6a4cb3c46a417ab92e334f09379853567ca44307a508b1908fb0045ee687cN.exe
1272	SVCHOST.EXE
1272	SVCHOST.EXE
2268	0cf6a4cb3c46a417ab92e334f09379853567ca44307a508b1908fb0045ee687cN.exe
2268	0cf6a4cb3c46a417ab92e334f09379853567ca44307a508b1908fb0045ee687cN.exe
2576	EBRR.EXE
2576	EBRR.EXE
1272	SVCHOST.EXE
1272	SVCHOST.EXE
2468	mmtask.exe
2468	mmtask.exe
2576	EBRR.EXE
2576	EBRR.EXE
2468	mmtask.exe

Modifies system executable filetype association 2 TTPs 5 IoCs

persistence

Modify Registry

T1112

Change Default File Association

T1546.001

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder"	0cf6a4cb3c46a417ab92e334f09379853567ca44307a508b1908fb0045ee687cN.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder"	SVCHOST.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder"	EBRR.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder"	mmtask.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder"	SVCHOST.EXE

Drops file in System32 directory 20 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\EBRR.EXE	0cf6a4cb3c46a417ab92e334f09379853567ca44307a508b1908fb0045ee687cN.exe
File created	C:\Windows\SysWOW64\mmtask.exe	SVCHOST.EXE
File created	C:\Windows\SysWOW64\mmtask.exe	0cf6a4cb3c46a417ab92e334f09379853567ca44307a508b1908fb0045ee687cN.exe
File opened for modification	C:\Windows\SysWOW64\mmtask.exe	0cf6a4cb3c46a417ab92e334f09379853567ca44307a508b1908fb0045ee687cN.exe
File created	C:\Windows\SysWOW64\EBRR.EXE	EBRR.EXE
File opened for modification	C:\Windows\SysWOW64\mmtask.exe	EBRR.EXE
File opened for modification	C:\Windows\SysWOW64\mmtask.exe	mmtask.exe
File opened for modification	C:\Windows\SysWOW64\mmtask.exe	SVCHOST.EXE
File opened for modification	C:\Windows\SysWOW64\EBRR.EXE	EBRR.EXE
File created	C:\Windows\SysWOW64\mmtask.exe	EBRR.EXE
File opened for modification	C:\Windows\SysWOW64\EBRR.EXE	mmtask.exe
File created	C:\Windows\SysWOW64\mmtask.exe	SVCHOST.EXE
File created	C:\Windows\SysWOW64\EBRR.EXE	SVCHOST.EXE
File opened for modification	C:\Windows\SysWOW64\mmtask.exe	SVCHOST.EXE
File created	C:\Windows\SysWOW64\EBRR.EXE	0cf6a4cb3c46a417ab92e334f09379853567ca44307a508b1908fb0045ee687cN.exe
File created	C:\Windows\SysWOW64\EBRR.EXE	mmtask.exe
File created	C:\Windows\SysWOW64\mmtask.exe	mmtask.exe
File created	C:\Windows\SysWOW64\EBRR.EXE	SVCHOST.EXE
File opened for modification	C:\Windows\SysWOW64\EBRR.EXE	SVCHOST.EXE
File opened for modification	C:\Windows\SysWOW64\EBRR.EXE	SVCHOST.EXE

Drops file in Windows directory 20 IoCs

description	ioc	Process
File created	C:\Windows\SVCHOST.EXE	0cf6a4cb3c46a417ab92e334f09379853567ca44307a508b1908fb0045ee687cN.exe
File created	C:\Windows\system\SVCHOST.EXE	0cf6a4cb3c46a417ab92e334f09379853567ca44307a508b1908fb0045ee687cN.exe
File created	C:\Windows\SVCHOST.EXE	mmtask.exe
File opened for modification	C:\Windows\system\SVCHOST.EXE	SVCHOST.EXE
File created	C:\Windows\system\SVCHOST.EXE	SVCHOST.EXE
File opened for modification	C:\Windows\system\SVCHOST.EXE	SVCHOST.EXE
File opened for modification	C:\Windows\SVCHOST.EXE	EBRR.EXE
File created	C:\Windows\SVCHOST.EXE	SVCHOST.EXE
File created	C:\Windows\system\SVCHOST.EXE	mmtask.exe
File created	C:\Windows\system\SVCHOST.EXE	EBRR.EXE
File opened for modification	C:\Windows\system\SVCHOST.EXE	0cf6a4cb3c46a417ab92e334f09379853567ca44307a508b1908fb0045ee687cN.exe
File opened for modification	C:\Windows\SVCHOST.EXE	mmtask.exe
File opened for modification	C:\Windows\system\SVCHOST.EXE	EBRR.EXE
File opened for modification	C:\Windows\SVCHOST.EXE	0cf6a4cb3c46a417ab92e334f09379853567ca44307a508b1908fb0045ee687cN.exe
File created	C:\Windows\SVCHOST.EXE	EBRR.EXE
File opened for modification	C:\Windows\SVCHOST.EXE	SVCHOST.EXE
File created	C:\Windows\system\SVCHOST.EXE	SVCHOST.EXE
File created	C:\Windows\SVCHOST.EXE	SVCHOST.EXE
File opened for modification	C:\Windows\SVCHOST.EXE	SVCHOST.EXE
File opened for modification	C:\Windows\system\SVCHOST.EXE	mmtask.exe

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	SVCHOST.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mmtask.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	EBRR.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	SVCHOST.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	SVCHOST.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	SVCHOST.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	EBRR.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mmtask.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	EBRR.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	SVCHOST.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mmtask.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	SVCHOST.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mmtask.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mmtask.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	SVCHOST.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	SVCHOST.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	SVCHOST.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mmtask.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mmtask.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	EBRR.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	SVCHOST.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mmtask.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	SVCHOST.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mmtask.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found

Modifies Internet Explorer settings 1 TTPs 2 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\Toolbar	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\Toolbar\Locked = "1"	explorer.exe

Modifies registry class 43 IoCs

description	ioc	Process
Set value (data)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\MRUListEx = 00000000ffffffff	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\0\MRUListEx = 00000000ffffffff	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000_Classes\Local Settings	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0 = 7400310000000000fd58b58d1100557365727300600008000400efbeee3a851afd58b58d2a000000e601000000000100000000000000000036000000000055007300650072007300000040007300680065006c006c00330032002e0064006c006c002c002d0032003100380031003300000014000000	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\MRUListEx = 00000000ffffffff	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\MRUListEx = 00000000ffffffff	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\0\0\0\0\NodeSlot = "1"	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0 = 19002f433a5c000000000000000000000000000000000000000000	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder"	EBRR.EXE
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\0\0\0 = 4a0031000000000076593b3c102054656d700000360008000400efbefd58b58d76593b3c2a000000ff010000000002000000000000000000000000000000540065006d007000000014000000	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\0\0\0	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\0\0\0\0	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\0\0\0\MRUListEx = 00000000ffffffff	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder"	SVCHOST.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder"	mmtask.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\0\0 = 4c00310000000000fd58408f10204c6f63616c00380008000400efbefd58b58dfd58408f2a000000fe0100000000020000000000000000000000000000004c006f00630061006c00000014000000	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\0 = 5200310000000000fd58b58d122041707044617461003c0008000400efbefd58b58dfd58b58d2a000000eb0100000000020000000000000000000000000000004100700070004400610074006100000016000000	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\KnownFolderDerivedFolderType = "{57807898-8C4F-4462-BB63-71042380B109}"	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\SniffedFolderType = "Documents"	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0 = 4c00310000000000fd587b92100041646d696e00380008000400efbefd58b58dfd587b922a00000030000000000004000000000000000000000000000000410064006d0069006e00000014000000	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\0\0\0\0 = c80031000000000076593b3c16003043463641347e310000b00008000400efbe76593b3c76593b3c2a000000628b010000000700000000000000000000000000000030006300660036006100340063006200330063003400360061003400310037006100620039003200650033003300340066003000390033003700390038003500330035003600370063006100340034003300300037006100350030003800620031003900300038006600620030003000340035006500650036003800370063004e00000018000000	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\SniffedFolderType = "Generic"	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder"	SVCHOST.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\0\0\MRUListEx = 00000000ffffffff	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder"	0cf6a4cb3c46a417ab92e334f09379853567ca44307a508b1908fb0045ee687cN.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0 = 14001f50e04fd020ea3a6910a2d808002b30309d0000	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\0\0\0\0\MRUListEx = ffffffff	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\MRUListEx = 00000000ffffffff	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\0	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\0\0	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 00000000ffffffff	explorer.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2268	0cf6a4cb3c46a417ab92e334f09379853567ca44307a508b1908fb0045ee687cN.exe
2268	0cf6a4cb3c46a417ab92e334f09379853567ca44307a508b1908fb0045ee687cN.exe
2268	0cf6a4cb3c46a417ab92e334f09379853567ca44307a508b1908fb0045ee687cN.exe
2268	0cf6a4cb3c46a417ab92e334f09379853567ca44307a508b1908fb0045ee687cN.exe
2268	0cf6a4cb3c46a417ab92e334f09379853567ca44307a508b1908fb0045ee687cN.exe
2268	0cf6a4cb3c46a417ab92e334f09379853567ca44307a508b1908fb0045ee687cN.exe
2268	0cf6a4cb3c46a417ab92e334f09379853567ca44307a508b1908fb0045ee687cN.exe
2268	0cf6a4cb3c46a417ab92e334f09379853567ca44307a508b1908fb0045ee687cN.exe
2576	EBRR.EXE
2576	EBRR.EXE
2576	EBRR.EXE
2576	EBRR.EXE
2576	EBRR.EXE
2576	EBRR.EXE
2576	EBRR.EXE
2576	EBRR.EXE
2468	mmtask.exe
2468	mmtask.exe
2468	mmtask.exe
2468	mmtask.exe
2468	mmtask.exe
2468	mmtask.exe
2468	mmtask.exe
2468	mmtask.exe
2952	SVCHOST.EXE
2952	SVCHOST.EXE
2952	SVCHOST.EXE
2952	SVCHOST.EXE
2952	SVCHOST.EXE
2952	SVCHOST.EXE
2952	SVCHOST.EXE
2952	SVCHOST.EXE
2952	SVCHOST.EXE
2952	SVCHOST.EXE
1272	SVCHOST.EXE
1272	SVCHOST.EXE
1272	SVCHOST.EXE
1272	SVCHOST.EXE
1272	SVCHOST.EXE
1272	SVCHOST.EXE
1272	SVCHOST.EXE
1272	SVCHOST.EXE
1272	SVCHOST.EXE
1272	SVCHOST.EXE
1272	SVCHOST.EXE
1272	SVCHOST.EXE
1272	SVCHOST.EXE
1272	SVCHOST.EXE
1272	SVCHOST.EXE
1272	SVCHOST.EXE
1272	SVCHOST.EXE
1272	SVCHOST.EXE
1272	SVCHOST.EXE
1272	SVCHOST.EXE
2952	SVCHOST.EXE
2952	SVCHOST.EXE
2952	SVCHOST.EXE
2952	SVCHOST.EXE
2952	SVCHOST.EXE
2952	SVCHOST.EXE
2952	SVCHOST.EXE
2952	SVCHOST.EXE
2952	SVCHOST.EXE
2952	SVCHOST.EXE

Suspicious use of SetWindowsHookEx 64 IoCs

pid	Process
2268	0cf6a4cb3c46a417ab92e334f09379853567ca44307a508b1908fb0045ee687cN.exe
2576	EBRR.EXE
2640	EBRR.EXE
2468	mmtask.exe
2740	EBRR.EXE
2568	mmtask.exe
2952	SVCHOST.EXE
1036	EBRR.EXE
1060	mmtask.exe
1604	SVCHOST.EXE
1272	SVCHOST.EXE
2832	EBRR.EXE
1724	mmtask.exe
1168	SVCHOST.EXE
1096	SVCHOST.EXE
1944	SVCHOST.EXE
1868	EBRR.EXE
1624	EBRR.EXE
2216	SVCHOST.EXE
1596	SVCHOST.EXE
2144	mmtask.exe
2996	SVCHOST.EXE
1032	mmtask.exe
1400	EBRR.EXE
264	SVCHOST.EXE
888	mmtask.exe
2396	SVCHOST.EXE
2896	EBRR.EXE
336	mmtask.exe
2768	SVCHOST.EXE
2312	SVCHOST.EXE
2164	SVCHOST.EXE
2340	SVCHOST.EXE
1980	mmtask.exe
868	SVCHOST.EXE
2076	SVCHOST.EXE
1716	SVCHOST.EXE
2368	EBRR.EXE
1580	EBRR.EXE
1684	EBRR.EXE
1564	mmtask.exe
2876	mmtask.exe
2580	EBRR.EXE
2660	EBRR.EXE
2224	SVCHOST.EXE
2472	SVCHOST.EXE
1328	SVCHOST.EXE
2448	SVCHOST.EXE
2548	mmtask.exe
2480	mmtask.exe
2524	SVCHOST.EXE
2112	SVCHOST.EXE
1228	SVCHOST.EXE
328	SVCHOST.EXE
2128	SVCHOST.EXE
2408	SVCHOST.EXE
2064	EBRR.EXE
1704	EBRR.EXE
1572	EBRR.EXE
2840	mmtask.exe
2828	SVCHOST.EXE
1276	SVCHOST.EXE
2796	mmtask.exe
2804	EBRR.EXE

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2268 wrote to memory of 2960	2268	0cf6a4cb3c46a417ab92e334f09379853567ca44307a508b1908fb0045ee687cN.exe	29
PID 2268 wrote to memory of 2960	2268	0cf6a4cb3c46a417ab92e334f09379853567ca44307a508b1908fb0045ee687cN.exe	29
PID 2268 wrote to memory of 2960	2268	0cf6a4cb3c46a417ab92e334f09379853567ca44307a508b1908fb0045ee687cN.exe	29
PID 2268 wrote to memory of 2960	2268	0cf6a4cb3c46a417ab92e334f09379853567ca44307a508b1908fb0045ee687cN.exe	29
PID 2268 wrote to memory of 2576	2268	0cf6a4cb3c46a417ab92e334f09379853567ca44307a508b1908fb0045ee687cN.exe	31
PID 2268 wrote to memory of 2576	2268	0cf6a4cb3c46a417ab92e334f09379853567ca44307a508b1908fb0045ee687cN.exe	31
PID 2268 wrote to memory of 2576	2268	0cf6a4cb3c46a417ab92e334f09379853567ca44307a508b1908fb0045ee687cN.exe	31
PID 2268 wrote to memory of 2576	2268	0cf6a4cb3c46a417ab92e334f09379853567ca44307a508b1908fb0045ee687cN.exe	31
PID 2576 wrote to memory of 2640	2576	EBRR.EXE	32
PID 2576 wrote to memory of 2640	2576	EBRR.EXE	32
PID 2576 wrote to memory of 2640	2576	EBRR.EXE	32
PID 2576 wrote to memory of 2640	2576	EBRR.EXE	32
PID 2576 wrote to memory of 2468	2576	EBRR.EXE	33
PID 2576 wrote to memory of 2468	2576	EBRR.EXE	33
PID 2576 wrote to memory of 2468	2576	EBRR.EXE	33
PID 2576 wrote to memory of 2468	2576	EBRR.EXE	33
PID 2468 wrote to memory of 2740	2468	mmtask.exe	34
PID 2468 wrote to memory of 2740	2468	mmtask.exe	34
PID 2468 wrote to memory of 2740	2468	mmtask.exe	34
PID 2468 wrote to memory of 2740	2468	mmtask.exe	34
PID 2468 wrote to memory of 2568	2468	mmtask.exe	35
PID 2468 wrote to memory of 2568	2468	mmtask.exe	35
PID 2468 wrote to memory of 2568	2468	mmtask.exe	35
PID 2468 wrote to memory of 2568	2468	mmtask.exe	35
PID 2468 wrote to memory of 2952	2468	mmtask.exe	36
PID 2468 wrote to memory of 2952	2468	mmtask.exe	36
PID 2468 wrote to memory of 2952	2468	mmtask.exe	36
PID 2468 wrote to memory of 2952	2468	mmtask.exe	36
PID 2952 wrote to memory of 1036	2952	SVCHOST.EXE	37
PID 2952 wrote to memory of 1036	2952	SVCHOST.EXE	37
PID 2952 wrote to memory of 1036	2952	SVCHOST.EXE	37
PID 2952 wrote to memory of 1036	2952	SVCHOST.EXE	37
PID 2952 wrote to memory of 1060	2952	SVCHOST.EXE	38
PID 2952 wrote to memory of 1060	2952	SVCHOST.EXE	38
PID 2952 wrote to memory of 1060	2952	SVCHOST.EXE	38
PID 2952 wrote to memory of 1060	2952	SVCHOST.EXE	38
PID 2952 wrote to memory of 1604	2952	SVCHOST.EXE	155
PID 2952 wrote to memory of 1604	2952	SVCHOST.EXE	155
PID 2952 wrote to memory of 1604	2952	SVCHOST.EXE	155
PID 2952 wrote to memory of 1604	2952	SVCHOST.EXE	155
PID 2952 wrote to memory of 1272	2952	SVCHOST.EXE	40
PID 2952 wrote to memory of 1272	2952	SVCHOST.EXE	40
PID 2952 wrote to memory of 1272	2952	SVCHOST.EXE	40
PID 2952 wrote to memory of 1272	2952	SVCHOST.EXE	40
PID 1272 wrote to memory of 2832	1272	SVCHOST.EXE	41
PID 1272 wrote to memory of 2832	1272	SVCHOST.EXE	41
PID 1272 wrote to memory of 2832	1272	SVCHOST.EXE	41
PID 1272 wrote to memory of 2832	1272	SVCHOST.EXE	41
PID 1272 wrote to memory of 1724	1272	SVCHOST.EXE	42
PID 1272 wrote to memory of 1724	1272	SVCHOST.EXE	42
PID 1272 wrote to memory of 1724	1272	SVCHOST.EXE	42
PID 1272 wrote to memory of 1724	1272	SVCHOST.EXE	42
PID 1272 wrote to memory of 1168	1272	SVCHOST.EXE	99
PID 1272 wrote to memory of 1168	1272	SVCHOST.EXE	99
PID 1272 wrote to memory of 1168	1272	SVCHOST.EXE	99
PID 1272 wrote to memory of 1168	1272	SVCHOST.EXE	99
PID 1272 wrote to memory of 1096	1272	SVCHOST.EXE	44
PID 1272 wrote to memory of 1096	1272	SVCHOST.EXE	44
PID 1272 wrote to memory of 1096	1272	SVCHOST.EXE	44
PID 1272 wrote to memory of 1096	1272	SVCHOST.EXE	44
PID 2468 wrote to memory of 1944	2468	mmtask.exe	173
PID 2468 wrote to memory of 1944	2468	mmtask.exe	173
PID 2468 wrote to memory of 1944	2468	mmtask.exe	173
PID 2468 wrote to memory of 1944	2468	mmtask.exe	173

C:\Users\Admin\AppData\Local\Temp\0cf6a4cb3c46a417ab92e334f09379853567ca44307a508b1908fb0045ee687cN.exe
"C:\Users\Admin\AppData\Local\Temp\0cf6a4cb3c46a417ab92e334f09379853567ca44307a508b1908fb0045ee687cN.exe"
1⤵
- Modifies WinLogon for persistence
- Loads dropped DLL
- Modifies system executable filetype association
- Drops file in System32 directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2268
- C:\Windows\SysWOW64\explorer.exe
  explorer C:\Users\Admin\AppData\Local\Temp\0cf6a4cb3c46a417ab92e334f09379853567ca44307a508b1908fb0045ee687cN\
  2⤵
  PID:2960
- C:\Windows\SysWOW64\EBRR.EXE
  C:\Windows\system32\EBRR.EXE -s
  2⤵
  - Modifies WinLogon for persistence
  - Executes dropped EXE
  - Loads dropped DLL
  - Modifies system executable filetype association
  - Drops file in System32 directory
  - Drops file in Windows directory
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2576
- - C:\Windows\SysWOW64\EBRR.EXE
    C:\Windows\system32\EBRR.EXE -s
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:2640
- - C:\Windows\SysWOW64\mmtask.exe
    C:\Windows\system32\mmtask.exe -s
    3⤵
    - Modifies WinLogon for persistence
    - Executes dropped EXE
    - Loads dropped DLL
    - Modifies system executable filetype association
    - Drops file in System32 directory
    - Drops file in Windows directory
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2468
  - - C:\Windows\SysWOW64\EBRR.EXE
      C:\Windows\system32\EBRR.EXE -s
      4⤵
      Executes dropped EXE
      Suspicious use of SetWindowsHookEx
      PID:2740
  - - C:\Windows\SysWOW64\mmtask.exe
      C:\Windows\system32\mmtask.exe -s
      4⤵
      Executes dropped EXE
      Suspicious use of SetWindowsHookEx
      PID:2568
  - - C:\Windows\SVCHOST.EXE
      C:\Windows\SVCHOST.EXE -s
      4⤵
      Modifies WinLogon for persistence
      Executes dropped EXE
      Loads dropped DLL
      Modifies system executable filetype association
      Drops file in System32 directory
      Drops file in Windows directory
      Modifies registry class
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:2952
    - - C:\Windows\SysWOW64\EBRR.EXE
        
        C:\Windows\system32\EBRR.EXE -s
        5⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1036
    - - C:\Windows\SysWOW64\mmtask.exe
        
        C:\Windows\system32\mmtask.exe -s
        5⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1060
    - - C:\Windows\SVCHOST.EXE
        
        C:\Windows\SVCHOST.EXE -s
        5⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1604
    - - C:\Windows\system\SVCHOST.EXE
        
        C:\Windows\system\SVCHOST.EXE -s
        5⤵
        Modifies WinLogon for persistence
        Executes dropped EXE
        Loads dropped DLL
        Modifies system executable filetype association
        Drops file in System32 directory
        Drops file in Windows directory
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:1272
      - C:\Windows\SysWOW64\EBRR.EXE
        
        C:\Windows\system32\EBRR.EXE -s
        6⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2832
      - C:\Windows\SysWOW64\mmtask.exe
        
        C:\Windows\system32\mmtask.exe -s
        6⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1724
      - C:\Windows\SVCHOST.EXE
        
        C:\Windows\SVCHOST.EXE -s
        6⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1168
      - C:\Windows\system\SVCHOST.EXE
        
        C:\Windows\system\SVCHOST.EXE -s
        6⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1096
      - C:\Windows\SysWOW64\EBRR.EXE
        
        C:\Windows\system32\EBRR.EXE -s
        6⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1868
      - C:\Windows\SysWOW64\mmtask.exe
        
        C:\Windows\system32\mmtask.exe -s
        6⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1032
      - C:\Windows\SVCHOST.EXE
        
        C:\Windows\SVCHOST.EXE -s
        6⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2396
      - C:\Windows\system\SVCHOST.EXE
        
        C:\Windows\system\SVCHOST.EXE -s
        6⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2312
      - C:\Windows\SysWOW64\EBRR.EXE
        
        C:\Windows\system32\EBRR.EXE -s
        6⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1684
      - C:\Windows\SysWOW64\mmtask.exe
        
        C:\Windows\system32\mmtask.exe -s
        6⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2876
      - C:\Windows\SVCHOST.EXE
        
        C:\Windows\SVCHOST.EXE -s
        6⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2472
      - C:\Windows\system\SVCHOST.EXE
        
        C:\Windows\system\SVCHOST.EXE -s
        6⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2448
      - C:\Windows\SysWOW64\EBRR.EXE
        
        C:\Windows\system32\EBRR.EXE -s
        6⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2064
      - C:\Windows\SysWOW64\mmtask.exe
        
        C:\Windows\system32\mmtask.exe -s
        6⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2840
      - C:\Windows\SVCHOST.EXE
        
        C:\Windows\SVCHOST.EXE -s
        6⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2828
      - C:\Windows\system\SVCHOST.EXE
        
        C:\Windows\system\SVCHOST.EXE -s
        6⤵
        Suspicious use of SetWindowsHookEx
        
        PID:1276
      - C:\Windows\SysWOW64\EBRR.EXE
        
        C:\Windows\system32\EBRR.EXE -s
        6⤵
        
        PID:2216
      - C:\Windows\SysWOW64\mmtask.exe
        
        C:\Windows\system32\mmtask.exe -s
        6⤵
        
        PID:1868
      - C:\Windows\SVCHOST.EXE
        
        C:\Windows\SVCHOST.EXE -s
        6⤵
        
        PID:2516
      - C:\Windows\system\SVCHOST.EXE
        
        C:\Windows\system\SVCHOST.EXE -s
        6⤵
        
        PID:1796
      - C:\Windows\SysWOW64\EBRR.EXE
        
        C:\Windows\system32\EBRR.EXE -s
        6⤵
        
        PID:2136
      - C:\Windows\SysWOW64\mmtask.exe
        
        C:\Windows\system32\mmtask.exe -s
        6⤵
        
        PID:1088
      - C:\Windows\SVCHOST.EXE
        
        C:\Windows\SVCHOST.EXE -s
        6⤵
        
        PID:2368
      - C:\Windows\system\SVCHOST.EXE
        
        C:\Windows\system\SVCHOST.EXE -s
        6⤵
        
        PID:2732
      - C:\Windows\SysWOW64\EBRR.EXE
        
        C:\Windows\system32\EBRR.EXE -s
        6⤵
        
        PID:440
      - C:\Windows\SysWOW64\mmtask.exe
        
        C:\Windows\system32\mmtask.exe -s
        6⤵
        
        PID:328
      - C:\Windows\SVCHOST.EXE
        
        C:\Windows\SVCHOST.EXE -s
        6⤵
        
        PID:2348
      - C:\Windows\system\SVCHOST.EXE
        
        C:\Windows\system\SVCHOST.EXE -s
        6⤵
        
        PID:772
      - C:\Windows\SysWOW64\EBRR.EXE
        
        C:\Windows\system32\EBRR.EXE -s
        6⤵
        
        PID:1372
      - C:\Windows\SysWOW64\mmtask.exe
        
        C:\Windows\system32\mmtask.exe -s
        6⤵
        
        PID:1700
      - C:\Windows\SVCHOST.EXE
        
        C:\Windows\SVCHOST.EXE -s
        6⤵
        
        PID:2356
      - C:\Windows\system\SVCHOST.EXE
        
        C:\Windows\system\SVCHOST.EXE -s
        6⤵
        
        PID:1136
      - C:\Windows\SysWOW64\EBRR.EXE
        
        C:\Windows\system32\EBRR.EXE -s
        6⤵
        
        PID:3064
      - C:\Windows\SysWOW64\mmtask.exe
        
        C:\Windows\system32\mmtask.exe -s
        6⤵
        
        PID:1884
      - C:\Windows\SVCHOST.EXE
        
        C:\Windows\SVCHOST.EXE -s
        6⤵
        
        PID:2252
      - C:\Windows\system\SVCHOST.EXE
        
        C:\Windows\system\SVCHOST.EXE -s
        6⤵
        
        PID:3024
      - C:\Windows\SysWOW64\EBRR.EXE
        
        C:\Windows\system32\EBRR.EXE -s
        6⤵
        
        PID:1688
      - C:\Windows\SysWOW64\mmtask.exe
        
        C:\Windows\system32\mmtask.exe -s
        6⤵
        
        PID:2948
      - C:\Windows\SVCHOST.EXE
        
        C:\Windows\SVCHOST.EXE -s
        6⤵
        
        PID:2760
      - C:\Windows\system\SVCHOST.EXE
        
        C:\Windows\system\SVCHOST.EXE -s
        6⤵
        
        PID:1692
      - C:\Windows\SysWOW64\EBRR.EXE
        
        C:\Windows\system32\EBRR.EXE -s
        6⤵
        
        PID:1636
      - C:\Windows\SysWOW64\mmtask.exe
        
        C:\Windows\system32\mmtask.exe -s
        6⤵
        
        PID:1528
      - C:\Windows\SVCHOST.EXE
        
        C:\Windows\SVCHOST.EXE -s
        6⤵
        
        PID:1092
      - C:\Windows\system\SVCHOST.EXE
        
        C:\Windows\system\SVCHOST.EXE -s
        6⤵
        
        PID:1764
      - C:\Windows\SysWOW64\EBRR.EXE
        
        C:\Windows\system32\EBRR.EXE -s
        6⤵
        
        PID:1632
      - C:\Windows\SysWOW64\mmtask.exe
        
        C:\Windows\system32\mmtask.exe -s
        6⤵
        
        PID:2396
      - C:\Windows\SVCHOST.EXE
        
        C:\Windows\SVCHOST.EXE -s
        6⤵
        
        PID:1884
      - C:\Windows\system\SVCHOST.EXE
        
        C:\Windows\system\SVCHOST.EXE -s
        6⤵
        
        PID:880
      - C:\Windows\SysWOW64\EBRR.EXE
        
        C:\Windows\system32\EBRR.EXE -s
        6⤵
        
        PID:1548
      - C:\Windows\SysWOW64\mmtask.exe
        
        C:\Windows\system32\mmtask.exe -s
        6⤵
        
        PID:2540
      - C:\Windows\SVCHOST.EXE
        
        C:\Windows\SVCHOST.EXE -s
        6⤵
        
        PID:2672
      - C:\Windows\system\SVCHOST.EXE
        
        C:\Windows\system\SVCHOST.EXE -s
        6⤵
        
        PID:2544
      - C:\Windows\SysWOW64\EBRR.EXE
        
        C:\Windows\system32\EBRR.EXE -s
        6⤵
        
        PID:2560
      - C:\Windows\SysWOW64\mmtask.exe
        
        C:\Windows\system32\mmtask.exe -s
        6⤵
        
        PID:1892
      - C:\Windows\SVCHOST.EXE
        
        C:\Windows\SVCHOST.EXE -s
        6⤵
        
        PID:1156
      - C:\Windows\system\SVCHOST.EXE
        
        C:\Windows\system\SVCHOST.EXE -s
        6⤵
        
        PID:1636
      - C:\Windows\SysWOW64\EBRR.EXE
        
        C:\Windows\system32\EBRR.EXE -s
        6⤵
        
        PID:816
      - C:\Windows\SysWOW64\mmtask.exe
        
        C:\Windows\system32\mmtask.exe -s
        6⤵
        
        PID:2412
      - C:\Windows\SVCHOST.EXE
        
        C:\Windows\SVCHOST.EXE -s
        6⤵
        
        PID:2936
      - C:\Windows\system\SVCHOST.EXE
        
        C:\Windows\system\SVCHOST.EXE -s
        6⤵
        
        PID:1196
      - C:\Windows\SysWOW64\EBRR.EXE
        
        C:\Windows\system32\EBRR.EXE -s
        6⤵
        
        PID:1460
      - C:\Windows\SysWOW64\mmtask.exe
        
        C:\Windows\system32\mmtask.exe -s
        6⤵
        
        PID:984
      - C:\Windows\SVCHOST.EXE
        
        C:\Windows\SVCHOST.EXE -s
        6⤵
        
        PID:2252
      - C:\Windows\system\SVCHOST.EXE
        
        C:\Windows\system\SVCHOST.EXE -s
        6⤵
        
        PID:2332
      - C:\Windows\SysWOW64\EBRR.EXE
        
        C:\Windows\system32\EBRR.EXE -s
        6⤵
        
        PID:2660
      - C:\Windows\SysWOW64\mmtask.exe
        
        C:\Windows\system32\mmtask.exe -s
        6⤵
        
        PID:3000
      - C:\Windows\SVCHOST.EXE
        
        C:\Windows\SVCHOST.EXE -s
        6⤵
        
        PID:1200
      - C:\Windows\system\SVCHOST.EXE
        
        C:\Windows\system\SVCHOST.EXE -s
        6⤵
        
        PID:2192
      - C:\Windows\SysWOW64\EBRR.EXE
        
        C:\Windows\system32\EBRR.EXE -s
        6⤵
        
        PID:2812
      - C:\Windows\SysWOW64\mmtask.exe
        
        C:\Windows\system32\mmtask.exe -s
        6⤵
        
        PID:2808
      - C:\Windows\SVCHOST.EXE
        
        C:\Windows\SVCHOST.EXE -s
        6⤵
        
        PID:1528
      - C:\Windows\system\SVCHOST.EXE
        
        C:\Windows\system\SVCHOST.EXE -s
        6⤵
        
        PID:2036
      - C:\Windows\SysWOW64\EBRR.EXE
        
        C:\Windows\system32\EBRR.EXE -s
        6⤵
        
        PID:2208
      - C:\Windows\SysWOW64\mmtask.exe
        
        C:\Windows\system32\mmtask.exe -s
        6⤵
        
        PID:1596
      - C:\Windows\SVCHOST.EXE
        
        C:\Windows\SVCHOST.EXE -s
        6⤵
        
        PID:2388
      - C:\Windows\system\SVCHOST.EXE
        
        C:\Windows\system\SVCHOST.EXE -s
        6⤵
        
        PID:1016
      - C:\Windows\SysWOW64\EBRR.EXE
        
        C:\Windows\system32\EBRR.EXE -s
        6⤵
        
        PID:2860
      - C:\Windows\SysWOW64\mmtask.exe
        
        C:\Windows\system32\mmtask.exe -s
        6⤵
        
        PID:2664
      - C:\Windows\SVCHOST.EXE
        
        C:\Windows\SVCHOST.EXE -s
        6⤵
        
        PID:2136
      - C:\Windows\system\SVCHOST.EXE
        
        C:\Windows\system\SVCHOST.EXE -s
        6⤵
        
        PID:2164
      - C:\Windows\SysWOW64\EBRR.EXE
        
        C:\Windows\system32\EBRR.EXE -s
        6⤵
        
        PID:2656
      - C:\Windows\SysWOW64\mmtask.exe
        
        C:\Windows\system32\mmtask.exe -s
        6⤵
        
        PID:2248
      - C:\Windows\SVCHOST.EXE
        
        C:\Windows\SVCHOST.EXE -s
        6⤵
        
        PID:1100
      - C:\Windows\system\SVCHOST.EXE
        
        C:\Windows\system\SVCHOST.EXE -s
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:2192
      - C:\Windows\SysWOW64\EBRR.EXE
        
        C:\Windows\system32\EBRR.EXE -s
        6⤵
        
        PID:2812
      - C:\Windows\SysWOW64\mmtask.exe
        
        C:\Windows\system32\mmtask.exe -s
        6⤵
        
        PID:2836
      - C:\Windows\SVCHOST.EXE
        
        C:\Windows\SVCHOST.EXE -s
        6⤵
        
        PID:2096
      - C:\Windows\system\SVCHOST.EXE
        
        C:\Windows\system\SVCHOST.EXE -s
        6⤵
        
        PID:2144
      - C:\Windows\SysWOW64\EBRR.EXE
        
        C:\Windows\system32\EBRR.EXE -s
        6⤵
        
        PID:1520
      - C:\Windows\SysWOW64\mmtask.exe
        
        C:\Windows\system32\mmtask.exe -s
        6⤵
        
        PID:1532
      - C:\Windows\SVCHOST.EXE
        
        C:\Windows\SVCHOST.EXE -s
        6⤵
        
        PID:2516
      - C:\Windows\system\SVCHOST.EXE
        
        C:\Windows\system\SVCHOST.EXE -s
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:2340
      - C:\Windows\SysWOW64\EBRR.EXE
        
        C:\Windows\system32\EBRR.EXE -s
        6⤵
        
        PID:2768
      - C:\Windows\SysWOW64\mmtask.exe
        
        C:\Windows\system32\mmtask.exe -s
        6⤵
        
        PID:2860
      - C:\Windows\SVCHOST.EXE
        
        C:\Windows\SVCHOST.EXE -s
        6⤵
        
        PID:1960
      - C:\Windows\system\SVCHOST.EXE
        
        C:\Windows\system\SVCHOST.EXE -s
        6⤵
        
        PID:2124
      - C:\Windows\SysWOW64\EBRR.EXE
        
        C:\Windows\system32\EBRR.EXE -s
        6⤵
        
        PID:2200
      - C:\Windows\SysWOW64\mmtask.exe
        
        C:\Windows\system32\mmtask.exe -s
        6⤵
        
        PID:2480
      - C:\Windows\SVCHOST.EXE
        
        C:\Windows\SVCHOST.EXE -s
        6⤵
        
        PID:1060
      - C:\Windows\system\SVCHOST.EXE
        
        C:\Windows\system\SVCHOST.EXE -s
        6⤵
        
        PID:2192
      - C:\Windows\SysWOW64\EBRR.EXE
        
        C:\Windows\system32\EBRR.EXE -s
        6⤵
        
        PID:656
      - C:\Windows\SysWOW64\mmtask.exe
        
        C:\Windows\system32\mmtask.exe -s
        6⤵
        
        PID:3004
      - C:\Windows\SVCHOST.EXE
        
        C:\Windows\SVCHOST.EXE -s
        6⤵
        
        PID:1032
      - C:\Windows\system\SVCHOST.EXE
        
        C:\Windows\system\SVCHOST.EXE -s
        6⤵
        
        PID:2916
      - C:\Windows\SysWOW64\EBRR.EXE
        
        C:\Windows\system32\EBRR.EXE -s
        6⤵
        
        PID:2336
      - C:\Windows\SysWOW64\mmtask.exe
        
        C:\Windows\system32\mmtask.exe -s
        6⤵
        
        PID:1596
      - C:\Windows\SVCHOST.EXE
        
        C:\Windows\SVCHOST.EXE -s
        6⤵
        
        PID:2516
      - C:\Windows\system\SVCHOST.EXE
        
        C:\Windows\system\SVCHOST.EXE -s
        6⤵
        
        PID:2944
      - C:\Windows\SysWOW64\EBRR.EXE
        
        C:\Windows\system32\EBRR.EXE -s
        6⤵
        
        PID:1916
      - C:\Windows\SysWOW64\mmtask.exe
        
        C:\Windows\system32\mmtask.exe -s
        6⤵
        
        PID:2848
      - C:\Windows\SVCHOST.EXE
        
        C:\Windows\SVCHOST.EXE -s
        6⤵
        
        PID:2460
      - C:\Windows\system\SVCHOST.EXE
        
        C:\Windows\system\SVCHOST.EXE -s
        6⤵
        
        PID:2616
      - C:\Windows\SysWOW64\EBRR.EXE
        
        C:\Windows\system32\EBRR.EXE -s
        6⤵
        
        PID:1604
      - C:\Windows\SysWOW64\mmtask.exe
        
        C:\Windows\system32\mmtask.exe -s
        6⤵
        
        PID:1036
      - C:\Windows\SVCHOST.EXE
        
        C:\Windows\SVCHOST.EXE -s
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:1564
      - C:\Windows\system\SVCHOST.EXE
        
        C:\Windows\system\SVCHOST.EXE -s
        6⤵
        
        PID:632
      - C:\Windows\SysWOW64\EBRR.EXE
        
        C:\Windows\system32\EBRR.EXE -s
        6⤵
        
        PID:1964
      - C:\Windows\SysWOW64\mmtask.exe
        
        C:\Windows\system32\mmtask.exe -s
        6⤵
        
        PID:1972
      - C:\Windows\SVCHOST.EXE
        
        C:\Windows\SVCHOST.EXE -s
        6⤵
        
        PID:2828
      - C:\Windows\system\SVCHOST.EXE
        
        C:\Windows\system\SVCHOST.EXE -s
        6⤵
        
        PID:1636
      - C:\Windows\SysWOW64\EBRR.EXE
        
        C:\Windows\system32\EBRR.EXE -s
        6⤵
        
        PID:2936
      - C:\Windows\SysWOW64\mmtask.exe
        
        C:\Windows\system32\mmtask.exe -s
        6⤵
        
        PID:2704
      - C:\Windows\SVCHOST.EXE
        
        C:\Windows\SVCHOST.EXE -s
        6⤵
        
        PID:2640
      - C:\Windows\system\SVCHOST.EXE
        
        C:\Windows\system\SVCHOST.EXE -s
        6⤵
        
        PID:780
      - C:\Windows\SysWOW64\EBRR.EXE
        
        C:\Windows\system32\EBRR.EXE -s
        6⤵
        
        PID:2308
      - C:\Windows\SysWOW64\mmtask.exe
        
        C:\Windows\system32\mmtask.exe -s
        6⤵
        
        PID:2896
      - C:\Windows\SVCHOST.EXE
        
        C:\Windows\SVCHOST.EXE -s
        6⤵
        
        PID:1584
      - C:\Windows\system\SVCHOST.EXE
        
        C:\Windows\system\SVCHOST.EXE -s
        6⤵
        
        PID:1088
      - C:\Windows\SysWOW64\EBRR.EXE
        
        C:\Windows\system32\EBRR.EXE -s
        6⤵
        
        PID:3008
      - C:\Windows\SysWOW64\mmtask.exe
        
        C:\Windows\system32\mmtask.exe -s
        6⤵
        
        PID:864
      - C:\Windows\SVCHOST.EXE
        
        C:\Windows\SVCHOST.EXE -s
        6⤵
        
        PID:2200
      - C:\Windows\system\SVCHOST.EXE
        
        C:\Windows\system\SVCHOST.EXE -s
        6⤵
        
        PID:3000
      - C:\Windows\SysWOW64\EBRR.EXE
        
        C:\Windows\system32\EBRR.EXE -s
        6⤵
        
        PID:604
      - C:\Windows\SysWOW64\mmtask.exe
        
        C:\Windows\system32\mmtask.exe -s
        6⤵
        
        PID:2932
      - C:\Windows\SVCHOST.EXE
        
        C:\Windows\SVCHOST.EXE -s
        6⤵
        
        PID:2084
      - C:\Windows\system\SVCHOST.EXE
        
        C:\Windows\system\SVCHOST.EXE -s
        6⤵
        
        PID:1984
      - C:\Windows\SysWOW64\EBRR.EXE
        
        C:\Windows\system32\EBRR.EXE -s
        6⤵
        
        PID:820
      - C:\Windows\SysWOW64\mmtask.exe
        
        C:\Windows\system32\mmtask.exe -s
        6⤵
        
        PID:756
      - C:\Windows\SVCHOST.EXE
        
        C:\Windows\SVCHOST.EXE -s
        6⤵
        
        PID:2036
      - C:\Windows\system\SVCHOST.EXE
        
        C:\Windows\system\SVCHOST.EXE -s
        6⤵
        
        PID:1872
      - C:\Windows\SysWOW64\EBRR.EXE
        
        C:\Windows\system32\EBRR.EXE -s
        6⤵
        
        PID:2388
      - C:\Windows\SysWOW64\mmtask.exe
        
        C:\Windows\system32\mmtask.exe -s
        6⤵
        
        PID:2344
      - C:\Windows\SVCHOST.EXE
        
        C:\Windows\SVCHOST.EXE -s
        6⤵
        
        PID:2332
      - C:\Windows\system\SVCHOST.EXE
        
        C:\Windows\system\SVCHOST.EXE -s
        6⤵
        
        PID:2864
      - C:\Windows\SysWOW64\EBRR.EXE
        
        C:\Windows\system32\EBRR.EXE -s
        6⤵
        
        PID:2104
      - C:\Windows\SysWOW64\mmtask.exe
        
        C:\Windows\system32\mmtask.exe -s
        6⤵
        
        PID:3008
      - C:\Windows\SVCHOST.EXE
        
        C:\Windows\SVCHOST.EXE -s
        6⤵
        
        PID:2200
      - C:\Windows\system\SVCHOST.EXE
        
        C:\Windows\system\SVCHOST.EXE -s
        6⤵
        
        PID:1888
      - C:\Windows\SysWOW64\EBRR.EXE
        
        C:\Windows\system32\EBRR.EXE -s
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:1100
      - C:\Windows\SysWOW64\mmtask.exe
        
        C:\Windows\system32\mmtask.exe -s
        6⤵
        
        PID:1156
      - C:\Windows\SVCHOST.EXE
        
        C:\Windows\SVCHOST.EXE -s
        6⤵
        
        PID:2828
      - C:\Windows\system\SVCHOST.EXE
        
        C:\Windows\system\SVCHOST.EXE -s
        6⤵
        
        PID:2804
      - C:\Windows\SysWOW64\EBRR.EXE
        
        C:\Windows\system32\EBRR.EXE -s
        6⤵
        
        PID:1764
      - C:\Windows\SysWOW64\mmtask.exe
        
        C:\Windows\system32\mmtask.exe -s
        6⤵
        
        PID:2940
      - C:\Windows\SVCHOST.EXE
        
        C:\Windows\SVCHOST.EXE -s
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:984
      - C:\Windows\system\SVCHOST.EXE
        
        C:\Windows\system\SVCHOST.EXE -s
        6⤵
        
        PID:1676
      - C:\Windows\SysWOW64\EBRR.EXE
        
        C:\Windows\system32\EBRR.EXE -s
        6⤵
        
        PID:2984
      - C:\Windows\SysWOW64\mmtask.exe
        
        C:\Windows\system32\mmtask.exe -s
        6⤵
        
        PID:2224
      - C:\Windows\SVCHOST.EXE
        
        C:\Windows\SVCHOST.EXE -s
        6⤵
        
        PID:1960
      - C:\Windows\system\SVCHOST.EXE
        
        C:\Windows\system\SVCHOST.EXE -s
        6⤵
        
        PID:812
      - C:\Windows\SysWOW64\EBRR.EXE
        
        C:\Windows\system32\EBRR.EXE -s
        6⤵
        
        PID:1952
      - C:\Windows\SysWOW64\mmtask.exe
        
        C:\Windows\system32\mmtask.exe -s
        6⤵
        
        PID:2660
      - C:\Windows\SVCHOST.EXE
        
        C:\Windows\SVCHOST.EXE -s
        6⤵
        
        PID:1928
      - C:\Windows\system\SVCHOST.EXE
        
        C:\Windows\system\SVCHOST.EXE -s
        6⤵
        
        PID:2060
      - C:\Windows\SysWOW64\EBRR.EXE
        
        C:\Windows\system32\EBRR.EXE -s
        6⤵
        
        PID:2480
      - C:\Windows\SysWOW64\mmtask.exe
        
        C:\Windows\system32\mmtask.exe -s
        6⤵
        
        PID:1528
      - C:\Windows\SVCHOST.EXE
        
        C:\Windows\SVCHOST.EXE -s
        6⤵
        
        PID:1156
      - C:\Windows\system\SVCHOST.EXE
        
        C:\Windows\system\SVCHOST.EXE -s
        6⤵
        
        PID:1956
      - C:\Windows\SysWOW64\EBRR.EXE
        
        C:\Windows\system32\EBRR.EXE -s
        6⤵
        
        PID:2704
      - C:\Windows\SysWOW64\mmtask.exe
        
        C:\Windows\system32\mmtask.exe -s
        6⤵
        
        PID:1872
      - C:\Windows\SVCHOST.EXE
        
        C:\Windows\SVCHOST.EXE -s
        6⤵
        
        PID:540
      - C:\Windows\system\SVCHOST.EXE
        
        C:\Windows\system\SVCHOST.EXE -s
        6⤵
        
        PID:1628
      - C:\Windows\SysWOW64\EBRR.EXE
        
        C:\Windows\system32\EBRR.EXE -s
        6⤵
        
        PID:1516
      - C:\Windows\SysWOW64\mmtask.exe
        
        C:\Windows\system32\mmtask.exe -s
        6⤵
        
        PID:1548
      - C:\Windows\SVCHOST.EXE
        
        C:\Windows\SVCHOST.EXE -s
        6⤵
        
        PID:2340
      - C:\Windows\system\SVCHOST.EXE
        
        C:\Windows\system\SVCHOST.EXE -s
        6⤵
        
        PID:1072
      - C:\Windows\SysWOW64\EBRR.EXE
        
        C:\Windows\system32\EBRR.EXE -s
        6⤵
        
        PID:2128
      - C:\Windows\SysWOW64\mmtask.exe
        
        C:\Windows\system32\mmtask.exe -s
        6⤵
        
        PID:1036
      - C:\Windows\SVCHOST.EXE
        
        C:\Windows\SVCHOST.EXE -s
        6⤵
        
        PID:1792
      - C:\Windows\system\SVCHOST.EXE
        
        C:\Windows\system\SVCHOST.EXE -s
        6⤵
        
        PID:2348
      - C:\Windows\SysWOW64\EBRR.EXE
        
        C:\Windows\system32\EBRR.EXE -s
        6⤵
        
        PID:2288
      - C:\Windows\SysWOW64\mmtask.exe
        
        C:\Windows\system32\mmtask.exe -s
        6⤵
        
        PID:2144
      - C:\Windows\SVCHOST.EXE
        
        C:\Windows\SVCHOST.EXE -s
        6⤵
        
        PID:2096
      - C:\Windows\system\SVCHOST.EXE
        
        C:\Windows\system\SVCHOST.EXE -s
        6⤵
        
        PID:1712
      - C:\Windows\SysWOW64\EBRR.EXE
        
        C:\Windows\system32\EBRR.EXE -s
        6⤵
        
        PID:296
      - C:\Windows\SysWOW64\mmtask.exe
        
        C:\Windows\system32\mmtask.exe -s
        6⤵
        
        PID:2632
      - C:\Windows\SVCHOST.EXE
        
        C:\Windows\SVCHOST.EXE -s
        6⤵
        
        PID:540
      - C:\Windows\system\SVCHOST.EXE
        
        C:\Windows\system\SVCHOST.EXE -s
        6⤵
        
        PID:1740
      - C:\Windows\SysWOW64\EBRR.EXE
        
        C:\Windows\system32\EBRR.EXE -s
        6⤵
        
        PID:880
      - C:\Windows\SysWOW64\mmtask.exe
        
        C:\Windows\system32\mmtask.exe -s
        6⤵
        
        PID:2156
      - C:\Windows\SVCHOST.EXE
        
        C:\Windows\SVCHOST.EXE -s
        6⤵
        
        PID:2224
      - C:\Windows\system\SVCHOST.EXE
        
        C:\Windows\system\SVCHOST.EXE -s
        6⤵
        
        PID:2340
      - C:\Windows\SysWOW64\EBRR.EXE
        
        C:\Windows\system32\EBRR.EXE -s
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:1604
      - C:\Windows\SysWOW64\mmtask.exe
        
        C:\Windows\system32\mmtask.exe -s
        6⤵
        
        PID:2248
      - C:\Windows\SVCHOST.EXE
        
        C:\Windows\SVCHOST.EXE -s
        6⤵
        
        PID:864
      - C:\Windows\system\SVCHOST.EXE
        
        C:\Windows\system\SVCHOST.EXE -s
        6⤵
        
        PID:3044
      - C:\Windows\SysWOW64\EBRR.EXE
        
        C:\Windows\system32\EBRR.EXE -s
        6⤵
        
        PID:1456
      - C:\Windows\SysWOW64\mmtask.exe
        
        C:\Windows\system32\mmtask.exe -s
        6⤵
        
        PID:776
      - C:\Windows\SVCHOST.EXE
        
        C:\Windows\SVCHOST.EXE -s
        6⤵
        
        PID:1700
      - C:\Windows\system\SVCHOST.EXE
        
        C:\Windows\system\SVCHOST.EXE -s
        6⤵
        
        PID:2144
      - C:\Windows\SysWOW64\EBRR.EXE
        
        C:\Windows\system32\EBRR.EXE -s
        6⤵
        
        PID:564
      - C:\Windows\SysWOW64\mmtask.exe
        
        C:\Windows\system32\mmtask.exe -s
        6⤵
        
        PID:2880
    - - C:\Windows\SysWOW64\EBRR.EXE
        
        C:\Windows\system32\EBRR.EXE -s
        5⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1624
    - - C:\Windows\SysWOW64\mmtask.exe
        
        C:\Windows\system32\mmtask.exe -s
        5⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2144
    - - C:\Windows\SVCHOST.EXE
        
        C:\Windows\SVCHOST.EXE -s
        5⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2996
    - - C:\Windows\system\SVCHOST.EXE
        
        C:\Windows\system\SVCHOST.EXE -s
        5⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:264
    - - C:\Windows\SysWOW64\EBRR.EXE
        
        C:\Windows\system32\EBRR.EXE -s
        5⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2368
    - - C:\Windows\SysWOW64\mmtask.exe
        
        C:\Windows\system32\mmtask.exe -s
        5⤵
        Executes dropped EXE
        
        PID:1920
    - - C:\Windows\SVCHOST.EXE
        
        C:\Windows\SVCHOST.EXE -s
        5⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2224
    - - C:\Windows\system\SVCHOST.EXE
        
        C:\Windows\system\SVCHOST.EXE -s
        5⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1328
    - - C:\Windows\SysWOW64\EBRR.EXE
        
        C:\Windows\system32\EBRR.EXE -s
        5⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1704
    - - C:\Windows\SysWOW64\mmtask.exe
        
        C:\Windows\system32\mmtask.exe -s
        5⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2796
    - - C:\Windows\SVCHOST.EXE
        
        C:\Windows\SVCHOST.EXE -s
        5⤵
        
        PID:1428
    - - C:\Windows\system\SVCHOST.EXE
        
        C:\Windows\system\SVCHOST.EXE -s
        5⤵
        
        PID:2936
    - - C:\Windows\SysWOW64\EBRR.EXE
        
        C:\Windows\system32\EBRR.EXE -s
        5⤵
        
        PID:2296
    - - C:\Windows\SysWOW64\mmtask.exe
        
        C:\Windows\system32\mmtask.exe -s
        5⤵
        
        PID:564
    - - C:\Windows\SVCHOST.EXE
        
        C:\Windows\SVCHOST.EXE -s
        5⤵
        
        PID:1532
    - - C:\Windows\system\SVCHOST.EXE
        
        C:\Windows\system\SVCHOST.EXE -s
        5⤵
        
        PID:2232
    - - C:\Windows\SysWOW64\EBRR.EXE
        
        C:\Windows\system32\EBRR.EXE -s
        5⤵
        
        PID:824
    - - C:\Windows\SysWOW64\mmtask.exe
        
        C:\Windows\system32\mmtask.exe -s
        5⤵
        
        PID:2200
    - - C:\Windows\SVCHOST.EXE
        
        C:\Windows\SVCHOST.EXE -s
        5⤵
        
        PID:3008
    - - C:\Windows\system\SVCHOST.EXE
        
        C:\Windows\system\SVCHOST.EXE -s
        5⤵
        
        PID:2464
    - - C:\Windows\SysWOW64\EBRR.EXE
        
        C:\Windows\system32\EBRR.EXE -s
        5⤵
        
        PID:1928
    - - C:\Windows\SysWOW64\mmtask.exe
        
        C:\Windows\system32\mmtask.exe -s
        5⤵
        
        PID:2512
    - - C:\Windows\SVCHOST.EXE
        
        C:\Windows\SVCHOST.EXE -s
        5⤵
        
        PID:1792
    - - C:\Windows\system\SVCHOST.EXE
        
        C:\Windows\system\SVCHOST.EXE -s
        5⤵
        
        PID:1604
    - - C:\Windows\SysWOW64\EBRR.EXE
        
        C:\Windows\system32\EBRR.EXE -s
        5⤵
        
        PID:1232
    - - C:\Windows\SysWOW64\mmtask.exe
        
        C:\Windows\system32\mmtask.exe -s
        5⤵
        
        PID:2292
    - - C:\Windows\SVCHOST.EXE
        
        C:\Windows\SVCHOST.EXE -s
        5⤵
        
        PID:296
    - - C:\Windows\system\SVCHOST.EXE
        
        C:\Windows\system\SVCHOST.EXE -s
        5⤵
        
        PID:1696
    - - C:\Windows\SysWOW64\EBRR.EXE
        
        C:\Windows\system32\EBRR.EXE -s
        5⤵
        
        PID:2624
    - - C:\Windows\SysWOW64\mmtask.exe
        
        C:\Windows\system32\mmtask.exe -s
        5⤵
        
        PID:2704
    - - C:\Windows\SVCHOST.EXE
        
        C:\Windows\SVCHOST.EXE -s
        5⤵
        
        PID:1160
    - - C:\Windows\system\SVCHOST.EXE
        
        C:\Windows\system\SVCHOST.EXE -s
        5⤵
        
        PID:2528
    - - C:\Windows\SysWOW64\EBRR.EXE
        
        C:\Windows\system32\EBRR.EXE -s
        5⤵
        
        PID:2164
    - - C:\Windows\SysWOW64\mmtask.exe
        
        C:\Windows\system32\mmtask.exe -s
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:2732
    - - C:\Windows\SVCHOST.EXE
        
        C:\Windows\SVCHOST.EXE -s
        5⤵
        
        PID:2844
    - - C:\Windows\system\SVCHOST.EXE
        
        C:\Windows\system\SVCHOST.EXE -s
        5⤵
        
        PID:2476
    - - C:\Windows\SysWOW64\EBRR.EXE
        
        C:\Windows\system32\EBRR.EXE -s
        5⤵
        
        PID:2064
    - - C:\Windows\SysWOW64\mmtask.exe
        
        C:\Windows\system32\mmtask.exe -s
        5⤵
        
        PID:624
    - - C:\Windows\SVCHOST.EXE
        
        C:\Windows\SVCHOST.EXE -s
        5⤵
        
        PID:2796
    - - C:\Windows\system\SVCHOST.EXE
        
        C:\Windows\system\SVCHOST.EXE -s
        5⤵
        
        PID:1656
    - - C:\Windows\SysWOW64\EBRR.EXE
        
        C:\Windows\system32\EBRR.EXE -s
        5⤵
        
        PID:2384
    - - C:\Windows\SysWOW64\mmtask.exe
        
        C:\Windows\system32\mmtask.exe -s
        5⤵
        
        PID:1596
    - - C:\Windows\SVCHOST.EXE
        
        C:\Windows\SVCHOST.EXE -s
        5⤵
        
        PID:1072
    - - C:\Windows\system\SVCHOST.EXE
        
        C:\Windows\system\SVCHOST.EXE -s
        5⤵
        
        PID:1944
    - - C:\Windows\SysWOW64\EBRR.EXE
        
        C:\Windows\system32\EBRR.EXE -s
        5⤵
        
        PID:2156
    - - C:\Windows\SysWOW64\mmtask.exe
        
        C:\Windows\system32\mmtask.exe -s
        5⤵
        
        PID:1516
    - - C:\Windows\SVCHOST.EXE
        
        C:\Windows\SVCHOST.EXE -s
        5⤵
        
        PID:3060
    - - C:\Windows\system\SVCHOST.EXE
        
        C:\Windows\system\SVCHOST.EXE -s
        5⤵
        
        PID:2164
    - - C:\Windows\SysWOW64\EBRR.EXE
        
        C:\Windows\system32\EBRR.EXE -s
        5⤵
        
        PID:1640
    - - C:\Windows\SysWOW64\mmtask.exe
        
        C:\Windows\system32\mmtask.exe -s
        5⤵
        
        PID:1424
    - - C:\Windows\SVCHOST.EXE
        
        C:\Windows\SVCHOST.EXE -s
        5⤵
        
        PID:836
    - - C:\Windows\system\SVCHOST.EXE
        
        C:\Windows\system\SVCHOST.EXE -s
        5⤵
        
        PID:2448
    - - C:\Windows\SysWOW64\EBRR.EXE
        
        C:\Windows\system32\EBRR.EXE -s
        5⤵
        
        PID:1464
    - - C:\Windows\SysWOW64\mmtask.exe
        
        C:\Windows\system32\mmtask.exe -s
        5⤵
        
        PID:2240
    - - C:\Windows\SVCHOST.EXE
        
        C:\Windows\SVCHOST.EXE -s
        5⤵
        
        PID:1872
    - - C:\Windows\system\SVCHOST.EXE
        
        C:\Windows\system\SVCHOST.EXE -s
        5⤵
        
        PID:2364
    - - C:\Windows\SysWOW64\EBRR.EXE
        
        C:\Windows\system32\EBRR.EXE -s
        5⤵
        
        PID:1884
    - - C:\Windows\SysWOW64\mmtask.exe
        
        C:\Windows\system32\mmtask.exe -s
        5⤵
        
        PID:2864
    - - C:\Windows\SVCHOST.EXE
        
        C:\Windows\SVCHOST.EXE -s
        5⤵
        
        PID:1716
    - - C:\Windows\system\SVCHOST.EXE
        
        C:\Windows\system\SVCHOST.EXE -s
        5⤵
        
        PID:2544
    - - C:\Windows\SysWOW64\EBRR.EXE
        
        C:\Windows\system32\EBRR.EXE -s
        5⤵
        
        PID:1600
    - - C:\Windows\SysWOW64\mmtask.exe
        
        C:\Windows\system32\mmtask.exe -s
        5⤵
        
        PID:2056
    - - C:\Windows\SVCHOST.EXE
        
        C:\Windows\SVCHOST.EXE -s
        5⤵
        
        PID:1572
    - - C:\Windows\system\SVCHOST.EXE
        
        C:\Windows\system\SVCHOST.EXE -s
        5⤵
        
        PID:1720
    - - C:\Windows\SysWOW64\EBRR.EXE
        
        C:\Windows\system32\EBRR.EXE -s
        5⤵
        
        PID:2916
    - - C:\Windows\SysWOW64\mmtask.exe
        
        C:\Windows\system32\mmtask.exe -s
        5⤵
        
        PID:1984
    - - C:\Windows\SVCHOST.EXE
        
        C:\Windows\SVCHOST.EXE -s
        5⤵
        
        PID:2356
    - - C:\Windows\system\SVCHOST.EXE
        
        C:\Windows\system\SVCHOST.EXE -s
        5⤵
        
        PID:2216
    - - C:\Windows\SysWOW64\EBRR.EXE
        
        C:\Windows\system32\EBRR.EXE -s
        5⤵
        
        PID:920
    - - C:\Windows\SysWOW64\mmtask.exe
        
        C:\Windows\system32\mmtask.exe -s
        5⤵
        
        PID:2516
    - - C:\Windows\SVCHOST.EXE
        
        C:\Windows\SVCHOST.EXE -s
        5⤵
        
        PID:2320
    - - C:\Windows\system\SVCHOST.EXE
        
        C:\Windows\system\SVCHOST.EXE -s
        5⤵
        
        PID:872
    - - C:\Windows\SysWOW64\EBRR.EXE
        
        C:\Windows\system32\EBRR.EXE -s
        5⤵
        
        PID:2312
    - - C:\Windows\SysWOW64\mmtask.exe
        
        C:\Windows\system32\mmtask.exe -s
        5⤵
        
        PID:2492
    - - C:\Windows\SVCHOST.EXE
        
        C:\Windows\SVCHOST.EXE -s
        5⤵
        
        PID:2724
    - - C:\Windows\system\SVCHOST.EXE
        
        C:\Windows\system\SVCHOST.EXE -s
        5⤵
        
        PID:2800
    - - C:\Windows\SysWOW64\EBRR.EXE
        
        C:\Windows\system32\EBRR.EXE -s
        5⤵
        
        PID:2844
    - - C:\Windows\SysWOW64\mmtask.exe
        
        C:\Windows\system32\mmtask.exe -s
        5⤵
        
        PID:1200
    - - C:\Windows\SVCHOST.EXE
        
        C:\Windows\SVCHOST.EXE -s
        5⤵
        
        PID:1572
    - - C:\Windows\system\SVCHOST.EXE
        
        C:\Windows\system\SVCHOST.EXE -s
        5⤵
        
        PID:2032
    - - C:\Windows\SysWOW64\EBRR.EXE
        
        C:\Windows\system32\EBRR.EXE -s
        5⤵
        
        PID:2448
    - - C:\Windows\SysWOW64\mmtask.exe
        
        C:\Windows\system32\mmtask.exe -s
        5⤵
        
        PID:2484
    - - C:\Windows\SVCHOST.EXE
        
        C:\Windows\SVCHOST.EXE -s
        5⤵
        
        PID:1408
    - - C:\Windows\system\SVCHOST.EXE
        
        C:\Windows\system\SVCHOST.EXE -s
        5⤵
        
        PID:2412
    - - C:\Windows\SysWOW64\EBRR.EXE
        
        C:\Windows\system32\EBRR.EXE -s
        5⤵
        
        PID:888
    - - C:\Windows\SysWOW64\mmtask.exe
        
        C:\Windows\system32\mmtask.exe -s
        5⤵
        
        PID:2856
    - - C:\Windows\SVCHOST.EXE
        
        C:\Windows\SVCHOST.EXE -s
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:2212
    - - C:\Windows\system\SVCHOST.EXE
        
        C:\Windows\system\SVCHOST.EXE -s
        5⤵
        
        PID:2092
    - - C:\Windows\SysWOW64\EBRR.EXE
        
        C:\Windows\system32\EBRR.EXE -s
        5⤵
        
        PID:2652
    - - C:\Windows\SysWOW64\mmtask.exe
        
        C:\Windows\system32\mmtask.exe -s
        5⤵
        
        PID:3024
    - - C:\Windows\SVCHOST.EXE
        
        C:\Windows\SVCHOST.EXE -s
        5⤵
        
        PID:2076
    - - C:\Windows\system\SVCHOST.EXE
        
        C:\Windows\system\SVCHOST.EXE -s
        5⤵
        
        PID:2496
    - - C:\Windows\SysWOW64\EBRR.EXE
        
        C:\Windows\system32\EBRR.EXE -s
        5⤵
        
        PID:1036
    - - C:\Windows\SysWOW64\mmtask.exe
        
        C:\Windows\system32\mmtask.exe -s
        5⤵
        
        PID:2564
    - - C:\Windows\SVCHOST.EXE
        
        C:\Windows\SVCHOST.EXE -s
        5⤵
        
        PID:1100
    - - C:\Windows\system\SVCHOST.EXE
        
        C:\Windows\system\SVCHOST.EXE -s
        5⤵
        
        PID:1720
    - - C:\Windows\SysWOW64\EBRR.EXE
        
        C:\Windows\system32\EBRR.EXE -s
        5⤵
        
        PID:108
    - - C:\Windows\SysWOW64\mmtask.exe
        
        C:\Windows\system32\mmtask.exe -s
        5⤵
        
        PID:2448
    - - C:\Windows\SVCHOST.EXE
        
        C:\Windows\SVCHOST.EXE -s
        5⤵
        
        PID:3068
    - - C:\Windows\system\SVCHOST.EXE
        
        C:\Windows\system\SVCHOST.EXE -s
        5⤵
        
        PID:1944
    - - C:\Windows\SysWOW64\EBRR.EXE
        
        C:\Windows\system32\EBRR.EXE -s
        5⤵
        
        PID:2640
    - - C:\Windows\SysWOW64\mmtask.exe
        
        C:\Windows\system32\mmtask.exe -s
        5⤵
        
        PID:1820
    - - C:\Windows\SVCHOST.EXE
        
        C:\Windows\SVCHOST.EXE -s
        5⤵
        
        PID:2900
    - - C:\Windows\system\SVCHOST.EXE
        
        C:\Windows\system\SVCHOST.EXE -s
        5⤵
        
        PID:1524
    - - C:\Windows\SysWOW64\EBRR.EXE
        
        C:\Windows\system32\EBRR.EXE -s
        5⤵
        
        PID:1584
    - - C:\Windows\SysWOW64\mmtask.exe
        
        C:\Windows\system32\mmtask.exe -s
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:2520
    - - C:\Windows\SVCHOST.EXE
        
        C:\Windows\SVCHOST.EXE -s
        5⤵
        
        PID:2684
    - - C:\Windows\system\SVCHOST.EXE
        
        C:\Windows\system\SVCHOST.EXE -s
        5⤵
        
        PID:2584
    - - C:\Windows\SysWOW64\EBRR.EXE
        
        C:\Windows\system32\EBRR.EXE -s
        5⤵
        
        PID:2660
    - - C:\Windows\SysWOW64\mmtask.exe
        
        C:\Windows\system32\mmtask.exe -s
        5⤵
        
        PID:2272
    - - C:\Windows\SVCHOST.EXE
        
        C:\Windows\SVCHOST.EXE -s
        5⤵
        
        PID:2128
    - - C:\Windows\system\SVCHOST.EXE
        
        C:\Windows\system\SVCHOST.EXE -s
        5⤵
        
        PID:1600
    - - C:\Windows\SysWOW64\EBRR.EXE
        
        C:\Windows\system32\EBRR.EXE -s
        5⤵
        
        PID:1704
    - - C:\Windows\SysWOW64\mmtask.exe
        
        C:\Windows\system32\mmtask.exe -s
        5⤵
        
        PID:2932
    - - C:\Windows\SVCHOST.EXE
        
        C:\Windows\SVCHOST.EXE -s
        5⤵
        
        PID:1940
    - - C:\Windows\system\SVCHOST.EXE
        
        C:\Windows\system\SVCHOST.EXE -s
        5⤵
        
        PID:2888
    - - C:\Windows\SysWOW64\EBRR.EXE
        
        C:\Windows\system32\EBRR.EXE -s
        5⤵
        
        PID:1464
    - - C:\Windows\SysWOW64\mmtask.exe
        
        C:\Windows\system32\mmtask.exe -s
        5⤵
        
        PID:1408
    - - C:\Windows\SVCHOST.EXE
        
        C:\Windows\SVCHOST.EXE -s
        5⤵
        
        PID:900
    - - C:\Windows\system\SVCHOST.EXE
        
        C:\Windows\system\SVCHOST.EXE -s
        5⤵
        
        PID:2240
    - - C:\Windows\SysWOW64\EBRR.EXE
        
        C:\Windows\system32\EBRR.EXE -s
        5⤵
        
        PID:2344
    - - C:\Windows\SysWOW64\mmtask.exe
        
        C:\Windows\system32\mmtask.exe -s
        5⤵
        
        PID:2100
    - - C:\Windows\SVCHOST.EXE
        
        C:\Windows\SVCHOST.EXE -s
        5⤵
        
        PID:1264
    - - C:\Windows\system\SVCHOST.EXE
        
        C:\Windows\system\SVCHOST.EXE -s
        5⤵
        
        PID:1548
    - - C:\Windows\SysWOW64\EBRR.EXE
        
        C:\Windows\system32\EBRR.EXE -s
        5⤵
        
        PID:2724
    - - C:\Windows\SysWOW64\mmtask.exe
        
        C:\Windows\system32\mmtask.exe -s
        5⤵
        
        PID:2612
    - - C:\Windows\SVCHOST.EXE
        
        C:\Windows\SVCHOST.EXE -s
        5⤵
        
        PID:1640
    - - C:\Windows\system\SVCHOST.EXE
        
        C:\Windows\system\SVCHOST.EXE -s
        5⤵
        
        PID:2760
    - - C:\Windows\SysWOW64\EBRR.EXE
        
        C:\Windows\system32\EBRR.EXE -s
        5⤵
        
        PID:1572
    - - C:\Windows\SysWOW64\mmtask.exe
        
        C:\Windows\system32\mmtask.exe -s
        5⤵
        
        PID:1588
    - - C:\Windows\SVCHOST.EXE
        
        C:\Windows\SVCHOST.EXE -s
        5⤵
        
        PID:3004
    - - C:\Windows\system\SVCHOST.EXE
        
        C:\Windows\system\SVCHOST.EXE -s
        5⤵
        
        PID:1756
    - - C:\Windows\SysWOW64\EBRR.EXE
        
        C:\Windows\system32\EBRR.EXE -s
        5⤵
        
        PID:2072
    - - C:\Windows\SysWOW64\mmtask.exe
        
        C:\Windows\system32\mmtask.exe -s
        5⤵
        
        PID:1740
    - - C:\Windows\SVCHOST.EXE
        
        C:\Windows\SVCHOST.EXE -s
        5⤵
        
        PID:872
    - - C:\Windows\system\SVCHOST.EXE
        
        C:\Windows\system\SVCHOST.EXE -s
        5⤵
        
        PID:780
    - - C:\Windows\SysWOW64\EBRR.EXE
        
        C:\Windows\system32\EBRR.EXE -s
        5⤵
        
        PID:264
    - - C:\Windows\SysWOW64\mmtask.exe
        
        C:\Windows\system32\mmtask.exe -s
        5⤵
        
        PID:1056
    - - C:\Windows\SVCHOST.EXE
        
        C:\Windows\SVCHOST.EXE -s
        5⤵
        
        PID:1504
    - - C:\Windows\system\SVCHOST.EXE
        
        C:\Windows\system\SVCHOST.EXE -s
        5⤵
        
        PID:2204
    - - C:\Windows\SysWOW64\EBRR.EXE
        
        C:\Windows\system32\EBRR.EXE -s
        5⤵
        
        PID:1716
    - - C:\Windows\SysWOW64\mmtask.exe
        
        C:\Windows\system32\mmtask.exe -s
        5⤵
        
        PID:2988
    - - C:\Windows\SVCHOST.EXE
        
        C:\Windows\SVCHOST.EXE -s
        5⤵
        
        PID:2724
    - - C:\Windows\system\SVCHOST.EXE
        
        C:\Windows\system\SVCHOST.EXE -s
        5⤵
        
        PID:1096
    - - C:\Windows\SysWOW64\EBRR.EXE
        
        C:\Windows\system32\EBRR.EXE -s
        5⤵
        
        PID:1124
    - - C:\Windows\SysWOW64\mmtask.exe
        
        C:\Windows\system32\mmtask.exe -s
        5⤵
        
        PID:2444
    - - C:\Windows\SVCHOST.EXE
        
        C:\Windows\SVCHOST.EXE -s
        5⤵
        
        PID:2812
    - - C:\Windows\system\SVCHOST.EXE
        
        C:\Windows\system\SVCHOST.EXE -s
        5⤵
        
        PID:1000
    - - C:\Windows\SysWOW64\EBRR.EXE
        
        C:\Windows\system32\EBRR.EXE -s
        5⤵
        
        PID:1136
    - - C:\Windows\SysWOW64\mmtask.exe
        
        C:\Windows\system32\mmtask.exe -s
        5⤵
        
        PID:356
    - - C:\Windows\SVCHOST.EXE
        
        C:\Windows\SVCHOST.EXE -s
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:2036
    - - C:\Windows\system\SVCHOST.EXE
        
        C:\Windows\system\SVCHOST.EXE -s
        5⤵
        
        PID:2632
    - - C:\Windows\SysWOW64\EBRR.EXE
        
        C:\Windows\system32\EBRR.EXE -s
        5⤵
        
        PID:2712
    - - C:\Windows\SysWOW64\mmtask.exe
        
        C:\Windows\system32\mmtask.exe -s
        5⤵
        
        PID:2624
    - - C:\Windows\SVCHOST.EXE
        
        C:\Windows\SVCHOST.EXE -s
        5⤵
        
        PID:2156
    - - C:\Windows\system\SVCHOST.EXE
        
        C:\Windows\system\SVCHOST.EXE -s
        5⤵
        
        PID:2504
    - - C:\Windows\SysWOW64\EBRR.EXE
        
        C:\Windows\system32\EBRR.EXE -s
        5⤵
        
        PID:2580
    - - C:\Windows\SysWOW64\mmtask.exe
        
        C:\Windows\system32\mmtask.exe -s
        5⤵
        
        PID:1716
    - - C:\Windows\SVCHOST.EXE
        
        C:\Windows\SVCHOST.EXE -s
        5⤵
        
        PID:1228
    - - C:\Windows\system\SVCHOST.EXE
        
        C:\Windows\system\SVCHOST.EXE -s
        5⤵
        
        PID:2628
    - - C:\Windows\SysWOW64\EBRR.EXE
        
        C:\Windows\system32\EBRR.EXE -s
        5⤵
        
        PID:864
    - - C:\Windows\SysWOW64\mmtask.exe
        
        C:\Windows\system32\mmtask.exe -s
        5⤵
        
        PID:1600
    - - C:\Windows\SVCHOST.EXE
        
        C:\Windows\SVCHOST.EXE -s
        5⤵
        
        PID:1200
    - - C:\Windows\system\SVCHOST.EXE
        
        C:\Windows\system\SVCHOST.EXE -s
        5⤵
        
        PID:1428
    - - C:\Windows\SysWOW64\EBRR.EXE
        
        C:\Windows\system32\EBRR.EXE -s
        5⤵
        
        PID:2144
    - - C:\Windows\SysWOW64\mmtask.exe
        
        C:\Windows\system32\mmtask.exe -s
        5⤵
        
        PID:108
    - - C:\Windows\SVCHOST.EXE
        
        C:\Windows\SVCHOST.EXE -s
        5⤵
        
        PID:2032
    - - C:\Windows\system\SVCHOST.EXE
        
        C:\Windows\system\SVCHOST.EXE -s
        5⤵
        
        PID:2880
    - - C:\Windows\SysWOW64\EBRR.EXE
        
        C:\Windows\system32\EBRR.EXE -s
        5⤵
        
        PID:1064
    - - C:\Windows\SysWOW64\mmtask.exe
        
        C:\Windows\system32\mmtask.exe -s
        5⤵
        
        PID:1196
    - - C:\Windows\SVCHOST.EXE
        
        C:\Windows\SVCHOST.EXE -s
        5⤵
        
        PID:2940
    - - C:\Windows\system\SVCHOST.EXE
        
        C:\Windows\system\SVCHOST.EXE -s
        5⤵
        
        PID:2712
    - - C:\Windows\SysWOW64\EBRR.EXE
        
        C:\Windows\system32\EBRR.EXE -s
        5⤵
        
        PID:880
    - - C:\Windows\SysWOW64\mmtask.exe
        
        C:\Windows\system32\mmtask.exe -s
        5⤵
        
        PID:2984
    - - C:\Windows\SVCHOST.EXE
        
        C:\Windows\SVCHOST.EXE -s
        5⤵
        
        PID:1948
    - - C:\Windows\system\SVCHOST.EXE
        
        C:\Windows\system\SVCHOST.EXE -s
        5⤵
        
        PID:1960
    - - C:\Windows\SysWOW64\EBRR.EXE
        
        C:\Windows\system32\EBRR.EXE -s
        5⤵
        
        PID:1088
    - - C:\Windows\SysWOW64\mmtask.exe
        
        C:\Windows\system32\mmtask.exe -s
        5⤵
        
        PID:2844
    - - C:\Windows\SVCHOST.EXE
        
        C:\Windows\SVCHOST.EXE -s
        5⤵
        
        PID:2500
    - - C:\Windows\system\SVCHOST.EXE
        
        C:\Windows\system\SVCHOST.EXE -s
        5⤵
        
        PID:1928
    - - C:\Windows\SysWOW64\EBRR.EXE
        
        C:\Windows\system32\EBRR.EXE -s
        5⤵
        
        PID:2016
    - - C:\Windows\SysWOW64\mmtask.exe
        
        C:\Windows\system32\mmtask.exe -s
        5⤵
        
        PID:1000
    - - C:\Windows\SVCHOST.EXE
        
        C:\Windows\SVCHOST.EXE -s
        5⤵
        
        PID:2736
    - - C:\Windows\system\SVCHOST.EXE
        
        C:\Windows\system\SVCHOST.EXE -s
        5⤵
        
        PID:2888
    - - C:\Windows\SysWOW64\EBRR.EXE
        
        C:\Windows\system32\EBRR.EXE -s
        5⤵
        
        PID:2916
    - - C:\Windows\SysWOW64\mmtask.exe
        
        C:\Windows\system32\mmtask.exe -s
        5⤵
        
        PID:1880
    - - C:\Windows\SVCHOST.EXE
        
        C:\Windows\SVCHOST.EXE -s
        5⤵
        
        PID:1868
    - - C:\Windows\system\SVCHOST.EXE
        
        C:\Windows\system\SVCHOST.EXE -s
        5⤵
        
        PID:1160
    - - C:\Windows\SysWOW64\EBRR.EXE
        
        C:\Windows\system32\EBRR.EXE -s
        5⤵
        
        PID:2668
    - - C:\Windows\SysWOW64\mmtask.exe
        
        C:\Windows\system32\mmtask.exe -s
        5⤵
        
        PID:2184
    - - C:\Windows\SVCHOST.EXE
        
        C:\Windows\SVCHOST.EXE -s
        5⤵
        
        PID:2396
    - - C:\Windows\system\SVCHOST.EXE
        
        C:\Windows\system\SVCHOST.EXE -s
        5⤵
        
        PID:1876
    - - C:\Windows\SysWOW64\EBRR.EXE
        
        C:\Windows\system32\EBRR.EXE -s
        5⤵
        
        PID:2148
    - - C:\Windows\SysWOW64\mmtask.exe
        
        C:\Windows\system32\mmtask.exe -s
        5⤵
        
        PID:2892
    - - C:\Windows\SVCHOST.EXE
        
        C:\Windows\SVCHOST.EXE -s
        5⤵
        
        PID:1220
    - - C:\Windows\system\SVCHOST.EXE
        
        C:\Windows\system\SVCHOST.EXE -s
        5⤵
        
        PID:2740
    - - C:\Windows\SysWOW64\EBRR.EXE
        
        C:\Windows\system32\EBRR.EXE -s
        5⤵
        
        PID:2476
    - - C:\Windows\SysWOW64\mmtask.exe
        
        C:\Windows\system32\mmtask.exe -s
        5⤵
        
        PID:2996
    - - C:\Windows\SVCHOST.EXE
        
        C:\Windows\SVCHOST.EXE -s
        5⤵
        
        PID:816
    - - C:\Windows\system\SVCHOST.EXE
        
        C:\Windows\system\SVCHOST.EXE -s
        5⤵
        
        PID:2804
    - - C:\Windows\SysWOW64\EBRR.EXE
        
        C:\Windows\system32\EBRR.EXE -s
        5⤵
        
        PID:2888
    - - C:\Windows\SysWOW64\mmtask.exe
        
        C:\Windows\system32\mmtask.exe -s
        5⤵
        
        PID:2412
    - - C:\Windows\SVCHOST.EXE
        
        C:\Windows\SVCHOST.EXE -s
        5⤵
        
        PID:1632
    - - C:\Windows\system\SVCHOST.EXE
        
        C:\Windows\system\SVCHOST.EXE -s
        5⤵
        
        PID:1092
  - - C:\Windows\system\SVCHOST.EXE
      C:\Windows\system\SVCHOST.EXE -s
      4⤵
      Executes dropped EXE
      Suspicious use of SetWindowsHookEx
      PID:1944
  - - C:\Windows\SysWOW64\EBRR.EXE
      C:\Windows\system32\EBRR.EXE -s
      4⤵
      Executes dropped EXE
      Suspicious use of SetWindowsHookEx
      PID:2896
  - - C:\Windows\SysWOW64\mmtask.exe
      C:\Windows\system32\mmtask.exe -s
      4⤵
      Executes dropped EXE
      Suspicious use of SetWindowsHookEx
      PID:1980
  - - C:\Windows\SVCHOST.EXE
      C:\Windows\SVCHOST.EXE -s
      4⤵
      Executes dropped EXE
      Suspicious use of SetWindowsHookEx
      PID:2076
  - - C:\Windows\system\SVCHOST.EXE
      C:\Windows\system\SVCHOST.EXE -s
      4⤵
      Executes dropped EXE
      Suspicious use of SetWindowsHookEx
      PID:1716
  - - C:\Windows\SysWOW64\EBRR.EXE
      C:\Windows\system32\EBRR.EXE -s
      4⤵
      Executes dropped EXE
      Suspicious use of SetWindowsHookEx
      PID:2580
  - - C:\Windows\SysWOW64\mmtask.exe
      C:\Windows\system32\mmtask.exe -s
      4⤵
      Executes dropped EXE
      Suspicious use of SetWindowsHookEx
      PID:2480
  - - C:\Windows\SVCHOST.EXE
      C:\Windows\SVCHOST.EXE -s
      4⤵
      Executes dropped EXE
      Suspicious use of SetWindowsHookEx
      PID:328
  - - C:\Windows\system\SVCHOST.EXE
      C:\Windows\system\SVCHOST.EXE -s
      4⤵
      Executes dropped EXE
      Suspicious use of SetWindowsHookEx
      PID:2408
  - - C:\Windows\SysWOW64\EBRR.EXE
      C:\Windows\system32\EBRR.EXE -s
      4⤵
      PID:2292
  - - C:\Windows\SysWOW64\mmtask.exe
      C:\Windows\system32\mmtask.exe -s
      4⤵
      PID:1764
  - - C:\Windows\SVCHOST.EXE
      C:\Windows\SVCHOST.EXE -s
      4⤵
      PID:2180
  - - C:\Windows\system\SVCHOST.EXE
      C:\Windows\system\SVCHOST.EXE -s
      4⤵
      PID:1944
  - - C:\Windows\SysWOW64\EBRR.EXE
      C:\Windows\system32\EBRR.EXE -s
      4⤵
      PID:540
  - - C:\Windows\SysWOW64\mmtask.exe
      C:\Windows\system32\mmtask.exe -s
      4⤵
      PID:2328
  - - C:\Windows\SVCHOST.EXE
      C:\Windows\SVCHOST.EXE -s
      4⤵
      PID:988
  - - C:\Windows\system\SVCHOST.EXE
      C:\Windows\system\SVCHOST.EXE -s
      4⤵
      PID:2092
  - - C:\Windows\SysWOW64\EBRR.EXE
      C:\Windows\system32\EBRR.EXE -s
      4⤵
      PID:2628
  - - C:\Windows\SysWOW64\mmtask.exe
      C:\Windows\system32\mmtask.exe -s
      4⤵
      PID:2800
  - - C:\Windows\SVCHOST.EXE
      C:\Windows\SVCHOST.EXE -s
      4⤵
      PID:2016
  - - C:\Windows\system\SVCHOST.EXE
      C:\Windows\system\SVCHOST.EXE -s
      4⤵
      PID:2944
  - - C:\Windows\SysWOW64\EBRR.EXE
      C:\Windows\system32\EBRR.EXE -s
      4⤵
      PID:2036
  - - C:\Windows\SysWOW64\mmtask.exe
      C:\Windows\system32\mmtask.exe -s
      4⤵
      PID:1568
  - - C:\Windows\SVCHOST.EXE
      C:\Windows\SVCHOST.EXE -s
      4⤵
      PID:1944
  - - C:\Windows\system\SVCHOST.EXE
      C:\Windows\system\SVCHOST.EXE -s
      4⤵
      PID:552
  - - C:\Windows\SysWOW64\EBRR.EXE
      C:\Windows\system32\EBRR.EXE -s
      4⤵
      PID:2896
  - - C:\Windows\SysWOW64\mmtask.exe
      C:\Windows\system32\mmtask.exe -s
      4⤵
      PID:860
  - - C:\Windows\SVCHOST.EXE
      C:\Windows\SVCHOST.EXE -s
      4⤵
      PID:2176
  - - C:\Windows\system\SVCHOST.EXE
      C:\Windows\system\SVCHOST.EXE -s
      4⤵
      PID:2552
  - - C:\Windows\SysWOW64\EBRR.EXE
      C:\Windows\system32\EBRR.EXE -s
      4⤵
      PID:2660
  - - C:\Windows\SysWOW64\mmtask.exe
      C:\Windows\system32\mmtask.exe -s
      4⤵
      PID:3008
  - - C:\Windows\SVCHOST.EXE
      C:\Windows\SVCHOST.EXE -s
      4⤵
      PID:236
  - - C:\Windows\system\SVCHOST.EXE
      C:\Windows\system\SVCHOST.EXE -s
      4⤵
      PID:2480
  - - C:\Windows\SysWOW64\EBRR.EXE
      C:\Windows\system32\EBRR.EXE -s
      4⤵
      PID:2032
  - - C:\Windows\SysWOW64\mmtask.exe
      C:\Windows\system32\mmtask.exe -s
      4⤵
      PID:2288
  - - C:\Windows\SVCHOST.EXE
      C:\Windows\SVCHOST.EXE -s
      4⤵
      PID:2072
  - - C:\Windows\system\SVCHOST.EXE
      C:\Windows\system\SVCHOST.EXE -s
      4⤵
      PID:1232
  - - C:\Windows\SysWOW64\EBRR.EXE
      C:\Windows\system32\EBRR.EXE -s
      4⤵
      PID:3068
  - - C:\Windows\SysWOW64\mmtask.exe
      C:\Windows\system32\mmtask.exe -s
      4⤵
      PID:576
  - - C:\Windows\SVCHOST.EXE
      C:\Windows\SVCHOST.EXE -s
      4⤵
      PID:1532
  - - C:\Windows\system\SVCHOST.EXE
      C:\Windows\system\SVCHOST.EXE -s
      4⤵
      PID:2160
  - - C:\Windows\SysWOW64\EBRR.EXE
      C:\Windows\system32\EBRR.EXE -s
      4⤵
      PID:2328
  - - C:\Windows\SysWOW64\mmtask.exe
      C:\Windows\system32\mmtask.exe -s
      4⤵
      PID:2076
  - - C:\Windows\SVCHOST.EXE
      C:\Windows\SVCHOST.EXE -s
      4⤵
      PID:2060
  - - C:\Windows\system\SVCHOST.EXE
      C:\Windows\system\SVCHOST.EXE -s
      4⤵
      PID:1004
  - - C:\Windows\SysWOW64\EBRR.EXE
      C:\Windows\system32\EBRR.EXE -s
      4⤵
      PID:3032
  - - C:\Windows\SysWOW64\mmtask.exe
      C:\Windows\system32\mmtask.exe -s
      4⤵
      PID:2444
  - - C:\Windows\SVCHOST.EXE
      C:\Windows\SVCHOST.EXE -s
      4⤵
      System Location Discovery: System Language Discovery
      PID:1124
  - - C:\Windows\system\SVCHOST.EXE
      C:\Windows\system\SVCHOST.EXE -s
      4⤵
      PID:1680
  - - C:\Windows\SysWOW64\EBRR.EXE
      C:\Windows\system32\EBRR.EXE -s
      4⤵
      PID:2012
  - - C:\Windows\SysWOW64\mmtask.exe
      C:\Windows\system32\mmtask.exe -s
      4⤵
      PID:1656
  - - C:\Windows\SVCHOST.EXE
      C:\Windows\SVCHOST.EXE -s
      4⤵
      PID:896
  - - C:\Windows\system\SVCHOST.EXE
      C:\Windows\system\SVCHOST.EXE -s
      4⤵
      PID:2516
  - - C:\Windows\SysWOW64\EBRR.EXE
      C:\Windows\system32\EBRR.EXE -s
      4⤵
      PID:1648
  - - C:\Windows\SysWOW64\mmtask.exe
      C:\Windows\system32\mmtask.exe -s
      4⤵
      PID:2768
  - - C:\Windows\SVCHOST.EXE
      C:\Windows\SVCHOST.EXE -s
      4⤵
      System Location Discovery: System Language Discovery
      PID:2312
  - - C:\Windows\system\SVCHOST.EXE
      C:\Windows\system\SVCHOST.EXE -s
      4⤵
      PID:2068
  - - C:\Windows\SysWOW64\EBRR.EXE
      C:\Windows\system32\EBRR.EXE -s
      4⤵
      PID:2224
  - - C:\Windows\SysWOW64\mmtask.exe
      C:\Windows\system32\mmtask.exe -s
      4⤵
      PID:2656
  - - C:\Windows\SVCHOST.EXE
      C:\Windows\SVCHOST.EXE -s
      4⤵
      PID:2732
  - - C:\Windows\system\SVCHOST.EXE
      C:\Windows\system\SVCHOST.EXE -s
      4⤵
      PID:2488
  - - C:\Windows\SysWOW64\EBRR.EXE
      C:\Windows\system32\EBRR.EXE -s
      4⤵
      PID:1940
  - - C:\Windows\SysWOW64\mmtask.exe
      C:\Windows\system32\mmtask.exe -s
      4⤵
      PID:3020
  - - C:\Windows\SVCHOST.EXE
      C:\Windows\SVCHOST.EXE -s
      4⤵
      PID:2736
  - - C:\Windows\system\SVCHOST.EXE
      C:\Windows\system\SVCHOST.EXE -s
      4⤵
      PID:2072
  - - C:\Windows\SysWOW64\EBRR.EXE
      C:\Windows\system32\EBRR.EXE -s
      4⤵
      PID:1628
  - - C:\Windows\SysWOW64\mmtask.exe
      C:\Windows\system32\mmtask.exe -s
      4⤵
      PID:332
  - - C:\Windows\SVCHOST.EXE
      C:\Windows\SVCHOST.EXE -s
      4⤵
      PID:2156
  - - C:\Windows\system\SVCHOST.EXE
      C:\Windows\system\SVCHOST.EXE -s
      4⤵
      PID:1264
  - - C:\Windows\SysWOW64\EBRR.EXE
      C:\Windows\system32\EBRR.EXE -s
      4⤵
      PID:1884
  - - C:\Windows\SysWOW64\mmtask.exe
      C:\Windows\system32\mmtask.exe -s
      4⤵
      PID:1716
  - - C:\Windows\SVCHOST.EXE
      C:\Windows\SVCHOST.EXE -s
      4⤵
      PID:2940
  - - C:\Windows\system\SVCHOST.EXE
      C:\Windows\system\SVCHOST.EXE -s
      4⤵
      PID:2028
  - - C:\Windows\SysWOW64\EBRR.EXE
      C:\Windows\system32\EBRR.EXE -s
      4⤵
      PID:2512
  - - C:\Windows\SysWOW64\mmtask.exe
      C:\Windows\system32\mmtask.exe -s
      4⤵
      PID:2948
  - - C:\Windows\SVCHOST.EXE
      C:\Windows\SVCHOST.EXE -s
      4⤵
      PID:1892
  - - C:\Windows\system\SVCHOST.EXE
      C:\Windows\system\SVCHOST.EXE -s
      4⤵
      PID:776
  - - C:\Windows\SysWOW64\EBRR.EXE
      C:\Windows\system32\EBRR.EXE -s
      4⤵
      PID:2796
  - - C:\Windows\SysWOW64\mmtask.exe
      C:\Windows\system32\mmtask.exe -s
      4⤵
      PID:1700
  - - C:\Windows\SVCHOST.EXE
      C:\Windows\SVCHOST.EXE -s
      4⤵
      PID:1624
  - - C:\Windows\system\SVCHOST.EXE
      C:\Windows\system\SVCHOST.EXE -s
      4⤵
      PID:2196
  - - C:\Windows\SysWOW64\EBRR.EXE
      C:\Windows\system32\EBRR.EXE -s
      4⤵
      PID:1536
  - - C:\Windows\SysWOW64\mmtask.exe
      C:\Windows\system32\mmtask.exe -s
      4⤵
      PID:900
  - - C:\Windows\SVCHOST.EXE
      C:\Windows\SVCHOST.EXE -s
      4⤵
      PID:896
  - - C:\Windows\system\SVCHOST.EXE
      C:\Windows\system\SVCHOST.EXE -s
      4⤵
      PID:1872
  - - C:\Windows\SysWOW64\EBRR.EXE
      C:\Windows\system32\EBRR.EXE -s
      4⤵
      PID:1804
  - - C:\Windows\SysWOW64\mmtask.exe
      C:\Windows\system32\mmtask.exe -s
      4⤵
      PID:2308
  - - C:\Windows\SVCHOST.EXE
      C:\Windows\SVCHOST.EXE -s
      4⤵
      PID:2156
  - - C:\Windows\system\SVCHOST.EXE
      C:\Windows\system\SVCHOST.EXE -s
      4⤵
      PID:2368
  - - C:\Windows\SysWOW64\EBRR.EXE
      C:\Windows\system32\EBRR.EXE -s
      4⤵
      PID:1088
  - - C:\Windows\SysWOW64\mmtask.exe
      C:\Windows\system32\mmtask.exe -s
      4⤵
      PID:2672
  - - C:\Windows\SVCHOST.EXE
      C:\Windows\SVCHOST.EXE -s
      4⤵
      PID:2724
  - - C:\Windows\system\SVCHOST.EXE
      C:\Windows\system\SVCHOST.EXE -s
      4⤵
      PID:2732
  - - C:\Windows\SysWOW64\EBRR.EXE
      C:\Windows\system32\EBRR.EXE -s
      4⤵
      PID:1336
  - - C:\Windows\SysWOW64\mmtask.exe
      C:\Windows\system32\mmtask.exe -s
      4⤵
      PID:2844
  - - C:\Windows\SVCHOST.EXE
      C:\Windows\SVCHOST.EXE -s
      4⤵
      PID:1200
  - - C:\Windows\system\SVCHOST.EXE
      C:\Windows\system\SVCHOST.EXE -s
      4⤵
      PID:776
  - - C:\Windows\SysWOW64\EBRR.EXE
      C:\Windows\system32\EBRR.EXE -s
      4⤵
      PID:1452
  - - C:\Windows\SysWOW64\mmtask.exe
      C:\Windows\system32\mmtask.exe -s
      4⤵
      PID:356
  - - C:\Windows\SVCHOST.EXE
      C:\Windows\SVCHOST.EXE -s
      4⤵
      PID:2072
  - - C:\Windows\system\SVCHOST.EXE
      C:\Windows\system\SVCHOST.EXE -s
      4⤵
      PID:2052
  - - C:\Windows\SysWOW64\EBRR.EXE
      C:\Windows\system32\EBRR.EXE -s
      4⤵
      PID:1520
  - - C:\Windows\SysWOW64\mmtask.exe
      C:\Windows\system32\mmtask.exe -s
      4⤵
      PID:1400
  - - C:\Windows\SVCHOST.EXE
      C:\Windows\SVCHOST.EXE -s
      4⤵
      PID:2340
  - - C:\Windows\system\SVCHOST.EXE
      C:\Windows\system\SVCHOST.EXE -s
      4⤵
      PID:1504
  - - C:\Windows\SysWOW64\EBRR.EXE
      C:\Windows\system32\EBRR.EXE -s
      4⤵
      PID:824
  - - C:\Windows\SysWOW64\mmtask.exe
      C:\Windows\system32\mmtask.exe -s
      4⤵
      System Location Discovery: System Language Discovery
      PID:3060
  - - C:\Windows\SVCHOST.EXE
      C:\Windows\SVCHOST.EXE -s
      4⤵
      PID:2544
  - - C:\Windows\system\SVCHOST.EXE
      C:\Windows\system\SVCHOST.EXE -s
      4⤵
      PID:2732
  - - C:\Windows\SysWOW64\EBRR.EXE
      C:\Windows\system32\EBRR.EXE -s
      4⤵
      PID:2348
  - - C:\Windows\SysWOW64\mmtask.exe
      C:\Windows\system32\mmtask.exe -s
      4⤵
      PID:2444
  - - C:\Windows\SVCHOST.EXE
      C:\Windows\SVCHOST.EXE -s
      4⤵
      PID:2032
  - - C:\Windows\system\SVCHOST.EXE
      C:\Windows\system\SVCHOST.EXE -s
      4⤵
      PID:1424
  - - C:\Windows\SysWOW64\EBRR.EXE
      C:\Windows\system32\EBRR.EXE -s
      4⤵
      PID:2836
  - - C:\Windows\SysWOW64\mmtask.exe
      C:\Windows\system32\mmtask.exe -s
      4⤵
      PID:440
  - - C:\Windows\SVCHOST.EXE
      C:\Windows\SVCHOST.EXE -s
      4⤵
      PID:2448
  - - C:\Windows\system\SVCHOST.EXE
      C:\Windows\system\SVCHOST.EXE -s
      4⤵
      PID:1660
  - - C:\Windows\SysWOW64\EBRR.EXE
      C:\Windows\system32\EBRR.EXE -s
      4⤵
      PID:540
  - - C:\Windows\SysWOW64\mmtask.exe
      C:\Windows\system32\mmtask.exe -s
      4⤵
      PID:1160
  - - C:\Windows\SVCHOST.EXE
      C:\Windows\SVCHOST.EXE -s
      4⤵
      PID:1820
  - - C:\Windows\system\SVCHOST.EXE
      C:\Windows\system\SVCHOST.EXE -s
      4⤵
      PID:2156
  - - C:\Windows\SysWOW64\EBRR.EXE
      C:\Windows\system32\EBRR.EXE -s
      4⤵
      PID:2396
  - - C:\Windows\SysWOW64\mmtask.exe
      C:\Windows\system32\mmtask.exe -s
      4⤵
      PID:1920
  - - C:\Windows\SVCHOST.EXE
      C:\Windows\SVCHOST.EXE -s
      4⤵
      PID:2104
  - - C:\Windows\system\SVCHOST.EXE
      C:\Windows\system\SVCHOST.EXE -s
      4⤵
      PID:2744
  - - C:\Windows\SysWOW64\EBRR.EXE
      C:\Windows\system32\EBRR.EXE -s
      4⤵
      PID:2560
  - - C:\Windows\SysWOW64\mmtask.exe
      C:\Windows\system32\mmtask.exe -s
      4⤵
      PID:1600
  - - C:\Windows\SVCHOST.EXE
      C:\Windows\SVCHOST.EXE -s
      4⤵
      PID:1668
  - - C:\Windows\system\SVCHOST.EXE
      C:\Windows\system\SVCHOST.EXE -s
      4⤵
      PID:2464
  - - C:\Windows\SysWOW64\EBRR.EXE
      C:\Windows\system32\EBRR.EXE -s
      4⤵
      PID:2808
  - - C:\Windows\SysWOW64\mmtask.exe
      C:\Windows\system32\mmtask.exe -s
      4⤵
      PID:1636
  - - C:\Windows\SVCHOST.EXE
      C:\Windows\SVCHOST.EXE -s
      4⤵
      PID:2292
  - - C:\Windows\system\SVCHOST.EXE
      C:\Windows\system\SVCHOST.EXE -s
      4⤵
      PID:552
  - - C:\Windows\SysWOW64\EBRR.EXE
      C:\Windows\system32\EBRR.EXE -s
      4⤵
      PID:1696
  - - C:\Windows\SysWOW64\mmtask.exe
      C:\Windows\system32\mmtask.exe -s
      4⤵
      PID:488
  - - C:\Windows\SVCHOST.EXE
      C:\Windows\SVCHOST.EXE -s
      4⤵
      PID:880
  - - C:\Windows\system\SVCHOST.EXE
      C:\Windows\system\SVCHOST.EXE -s
      4⤵
      PID:2984
  - - C:\Windows\SysWOW64\EBRR.EXE
      C:\Windows\system32\EBRR.EXE -s
      4⤵
      PID:2252
  - - C:\Windows\SysWOW64\mmtask.exe
      C:\Windows\system32\mmtask.exe -s
      4⤵
      PID:2856
  - - C:\Windows\SVCHOST.EXE
      C:\Windows\SVCHOST.EXE -s
      4⤵
      PID:2600
  - - C:\Windows\system\SVCHOST.EXE
      C:\Windows\system\SVCHOST.EXE -s
      4⤵
      PID:2580
  - - C:\Windows\SysWOW64\EBRR.EXE
      C:\Windows\system32\EBRR.EXE -s
      4⤵
      System Location Discovery: System Language Discovery
      PID:2068
  - - C:\Windows\SysWOW64\mmtask.exe
      C:\Windows\system32\mmtask.exe -s
      4⤵
      PID:2248
  - - C:\Windows\SVCHOST.EXE
      C:\Windows\SVCHOST.EXE -s
      4⤵
      PID:3032
  - - C:\Windows\system\SVCHOST.EXE
      C:\Windows\system\SVCHOST.EXE -s
      4⤵
      PID:1220
  - - C:\Windows\SysWOW64\EBRR.EXE
      C:\Windows\system32\EBRR.EXE -s
      4⤵
      PID:1292
  - - C:\Windows\SysWOW64\mmtask.exe
      C:\Windows\system32\mmtask.exe -s
      4⤵
      PID:2840
  - - C:\Windows\SVCHOST.EXE
      C:\Windows\SVCHOST.EXE -s
      4⤵
      PID:1200
  - - C:\Windows\system\SVCHOST.EXE
      C:\Windows\system\SVCHOST.EXE -s
      4⤵
      PID:1720
  - - C:\Windows\SysWOW64\EBRR.EXE
      C:\Windows\system32\EBRR.EXE -s
      4⤵
      PID:1656
  - - C:\Windows\SysWOW64\mmtask.exe
      C:\Windows\system32\mmtask.exe -s
      4⤵
      PID:3064
  - - C:\Windows\SVCHOST.EXE
      C:\Windows\SVCHOST.EXE -s
      4⤵
      PID:1460
  - - C:\Windows\system\SVCHOST.EXE
      C:\Windows\system\SVCHOST.EXE -s
      4⤵
      PID:972
  - - C:\Windows\SysWOW64\EBRR.EXE
      C:\Windows\system32\EBRR.EXE -s
      4⤵
      PID:880
  - - C:\Windows\SysWOW64\mmtask.exe
      C:\Windows\system32\mmtask.exe -s
      4⤵
      PID:1820
  - - C:\Windows\SVCHOST.EXE
      C:\Windows\SVCHOST.EXE -s
      4⤵
      PID:2344
  - - C:\Windows\system\SVCHOST.EXE
      C:\Windows\system\SVCHOST.EXE -s
      4⤵
      PID:2860
  - - C:\Windows\SysWOW64\EBRR.EXE
      C:\Windows\system32\EBRR.EXE -s
      4⤵
      PID:1688
  - - C:\Windows\SysWOW64\mmtask.exe
      C:\Windows\system32\mmtask.exe -s
      4⤵
      PID:1004
  - - C:\Windows\SVCHOST.EXE
      C:\Windows\SVCHOST.EXE -s
      4⤵
      PID:2740
  - - C:\Windows\system\SVCHOST.EXE
      C:\Windows\system\SVCHOST.EXE -s
      4⤵
      PID:2892
  - - C:\Windows\SysWOW64\EBRR.EXE
      C:\Windows\system32\EBRR.EXE -s
      4⤵
      PID:1124
  - - C:\Windows\SysWOW64\mmtask.exe
      C:\Windows\system32\mmtask.exe -s
      4⤵
      System Location Discovery: System Language Discovery
      PID:940
  - - C:\Windows\SVCHOST.EXE
      C:\Windows\SVCHOST.EXE -s
      4⤵
      PID:2524
  - - C:\Windows\system\SVCHOST.EXE
      C:\Windows\system\SVCHOST.EXE -s
      4⤵
      PID:2216
  - - C:\Windows\SysWOW64\EBRR.EXE
      C:\Windows\system32\EBRR.EXE -s
      4⤵
      PID:296
  - - C:\Windows\SysWOW64\mmtask.exe
      C:\Windows\system32\mmtask.exe -s
      4⤵
      PID:2256
  - - C:\Windows\SVCHOST.EXE
      C:\Windows\SVCHOST.EXE -s
      4⤵
      PID:1880
  - - C:\Windows\system\SVCHOST.EXE
      C:\Windows\system\SVCHOST.EXE -s
      4⤵
      PID:1092
  - - C:\Windows\SysWOW64\EBRR.EXE
      C:\Windows\system32\EBRR.EXE -s
      4⤵
      PID:2076
  - - C:\Windows\SysWOW64\mmtask.exe
      C:\Windows\system32\mmtask.exe -s
      4⤵
      PID:2768
  - - C:\Windows\SVCHOST.EXE
      C:\Windows\SVCHOST.EXE -s
      4⤵
      PID:624
  - - C:\Windows\system\SVCHOST.EXE
      C:\Windows\system\SVCHOST.EXE -s
      4⤵
      PID:1820
  - - C:\Windows\SysWOW64\EBRR.EXE
      C:\Windows\system32\EBRR.EXE -s
      4⤵
      PID:860
  - - C:\Windows\SysWOW64\mmtask.exe
      C:\Windows\system32\mmtask.exe -s
      4⤵
      PID:2104
  - - C:\Windows\SVCHOST.EXE
      C:\Windows\SVCHOST.EXE -s
      4⤵
      PID:1892
  - - C:\Windows\system\SVCHOST.EXE
      C:\Windows\system\SVCHOST.EXE -s
      4⤵
      PID:2488
  - - C:\Windows\SysWOW64\EBRR.EXE
      C:\Windows\system32\EBRR.EXE -s
      4⤵
      PID:656
  - - C:\Windows\SysWOW64\mmtask.exe
      C:\Windows\system32\mmtask.exe -s
      4⤵
      PID:1680
  - - C:\Windows\SVCHOST.EXE
      C:\Windows\SVCHOST.EXE -s
      4⤵
      PID:1672
  - - C:\Windows\system\SVCHOST.EXE
      C:\Windows\system\SVCHOST.EXE -s
      4⤵
      PID:1424
  - - C:\Windows\SysWOW64\EBRR.EXE
      C:\Windows\system32\EBRR.EXE -s
      4⤵
      PID:2232
  - - C:\Windows\SysWOW64\mmtask.exe
      C:\Windows\system32\mmtask.exe -s
      4⤵
      PID:2292
  - - C:\Windows\SVCHOST.EXE
      C:\Windows\SVCHOST.EXE -s
      4⤵
      PID:2036
  - - C:\Windows\system\SVCHOST.EXE
      C:\Windows\system\SVCHOST.EXE -s
      4⤵
      PID:1596
  - - C:\Windows\SysWOW64\EBRR.EXE
      C:\Windows\system32\EBRR.EXE -s
      4⤵
      PID:1400
  - - C:\Windows\SysWOW64\mmtask.exe
      C:\Windows\system32\mmtask.exe -s
      4⤵
      PID:2088
  - - C:\Windows\SVCHOST.EXE
      C:\Windows\SVCHOST.EXE -s
      4⤵
      PID:2076
  - - C:\Windows\system\SVCHOST.EXE
      C:\Windows\system\SVCHOST.EXE -s
      4⤵
      PID:2876
  - - C:\Windows\SysWOW64\EBRR.EXE
      C:\Windows\system32\EBRR.EXE -s
      4⤵
      PID:2684
  - - C:\Windows\SysWOW64\mmtask.exe
      C:\Windows\system32\mmtask.exe -s
      4⤵
      PID:1524
  - - C:\Windows\SVCHOST.EXE
      C:\Windows\SVCHOST.EXE -s
      4⤵
      PID:860
  - - C:\Windows\system\SVCHOST.EXE
      C:\Windows\system\SVCHOST.EXE -s
      4⤵
      PID:1336
  - - C:\Windows\SysWOW64\EBRR.EXE
      C:\Windows\system32\EBRR.EXE -s
      4⤵
      PID:836
  - - C:\Windows\SysWOW64\mmtask.exe
      C:\Windows\system32\mmtask.exe -s
      4⤵
      PID:1956
  - - C:\Windows\SVCHOST.EXE
      C:\Windows\SVCHOST.EXE -s
      4⤵
      PID:2012
  - - C:\Windows\system\SVCHOST.EXE
      C:\Windows\system\SVCHOST.EXE -s
      4⤵
      PID:2736
  - - C:\Windows\SysWOW64\EBRR.EXE
      C:\Windows\system32\EBRR.EXE -s
      4⤵
      PID:1052
  - - C:\Windows\SysWOW64\mmtask.exe
      C:\Windows\system32\mmtask.exe -s
      4⤵
      PID:552
- - C:\Windows\SVCHOST.EXE
    C:\Windows\SVCHOST.EXE -s
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:2216
- - C:\Windows\system\SVCHOST.EXE
    C:\Windows\system\SVCHOST.EXE -s
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:1596
- - C:\Windows\SysWOW64\EBRR.EXE
    C:\Windows\system32\EBRR.EXE -s
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:1400
- - C:\Windows\SysWOW64\mmtask.exe
    C:\Windows\system32\mmtask.exe -s
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:336
- - C:\Windows\SVCHOST.EXE
    C:\Windows\SVCHOST.EXE -s
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:2164
- - C:\Windows\system\SVCHOST.EXE
    C:\Windows\system\SVCHOST.EXE -s
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:868
- - C:\Windows\SysWOW64\EBRR.EXE
    C:\Windows\system32\EBRR.EXE -s
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:2660
- - C:\Windows\SysWOW64\mmtask.exe
    C:\Windows\system32\mmtask.exe -s
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:2548
- - C:\Windows\SVCHOST.EXE
    C:\Windows\SVCHOST.EXE -s
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:2112
- - C:\Windows\system\SVCHOST.EXE
    C:\Windows\system\SVCHOST.EXE -s
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:2128
- - C:\Windows\SysWOW64\EBRR.EXE
    C:\Windows\system32\EBRR.EXE -s
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:2804
- - C:\Windows\SysWOW64\mmtask.exe
    C:\Windows\system32\mmtask.exe -s
    3⤵
    PID:1168
- - C:\Windows\SVCHOST.EXE
    C:\Windows\SVCHOST.EXE -s
    3⤵
    PID:3068
- - C:\Windows\system\SVCHOST.EXE
    C:\Windows\system\SVCHOST.EXE -s
    3⤵
    PID:1696
- - C:\Windows\SysWOW64\EBRR.EXE
    C:\Windows\system32\EBRR.EXE -s
    3⤵
    PID:1212
- - C:\Windows\SysWOW64\mmtask.exe
    C:\Windows\system32\mmtask.exe -s
    3⤵
    PID:2388
- - C:\Windows\SVCHOST.EXE
    C:\Windows\SVCHOST.EXE -s
    3⤵
    PID:888
- - C:\Windows\system\SVCHOST.EXE
    C:\Windows\system\SVCHOST.EXE -s
    3⤵
    PID:872
- - C:\Windows\SysWOW64\EBRR.EXE
    C:\Windows\system32\EBRR.EXE -s
    3⤵
    PID:2132
- - C:\Windows\SysWOW64\mmtask.exe
    C:\Windows\system32\mmtask.exe -s
    3⤵
    PID:2848
- - C:\Windows\SVCHOST.EXE
    C:\Windows\SVCHOST.EXE -s
    3⤵
    PID:2564
- - C:\Windows\system\SVCHOST.EXE
    C:\Windows\system\SVCHOST.EXE -s
    3⤵
    PID:2612
- - C:\Windows\SysWOW64\EBRR.EXE
    C:\Windows\system32\EBRR.EXE -s
    3⤵
    PID:624
- - C:\Windows\SysWOW64\mmtask.exe
    C:\Windows\system32\mmtask.exe -s
    3⤵
    PID:1680
- - C:\Windows\SVCHOST.EXE
    C:\Windows\SVCHOST.EXE -s
    3⤵
    PID:1956
- - C:\Windows\system\SVCHOST.EXE
    C:\Windows\system\SVCHOST.EXE -s
    3⤵
    PID:1408
- - C:\Windows\SysWOW64\EBRR.EXE
    C:\Windows\system32\EBRR.EXE -s
    3⤵
    PID:1804
- - C:\Windows\SysWOW64\mmtask.exe
    C:\Windows\system32\mmtask.exe -s
    3⤵
    PID:1740
- - C:\Windows\SVCHOST.EXE
    C:\Windows\SVCHOST.EXE -s
    3⤵
    PID:1864
- - C:\Windows\system\SVCHOST.EXE
    C:\Windows\system\SVCHOST.EXE -s
    3⤵
    PID:2388
- - C:\Windows\SysWOW64\EBRR.EXE
    C:\Windows\system32\EBRR.EXE -s
    3⤵
    PID:2684
- - C:\Windows\SysWOW64\mmtask.exe
    C:\Windows\system32\mmtask.exe -s
    3⤵
    PID:1640
- - C:\Windows\SVCHOST.EXE
    C:\Windows\SVCHOST.EXE -s
    3⤵
    PID:2628
- - C:\Windows\system\SVCHOST.EXE
    C:\Windows\system\SVCHOST.EXE -s
    3⤵
    PID:2524
- - C:\Windows\SysWOW64\EBRR.EXE
    C:\Windows\system32\EBRR.EXE -s
    3⤵
    PID:440
- - C:\Windows\SysWOW64\mmtask.exe
    C:\Windows\system32\mmtask.exe -s
    3⤵
    PID:2836
- - C:\Windows\SVCHOST.EXE
    C:\Windows\SVCHOST.EXE -s
    3⤵
    PID:2036
- - C:\Windows\system\SVCHOST.EXE
    C:\Windows\system\SVCHOST.EXE -s
    3⤵
    PID:1700
- - C:\Windows\SysWOW64\EBRR.EXE
    C:\Windows\system32\EBRR.EXE -s
    3⤵
    PID:1524
- - C:\Windows\SysWOW64\mmtask.exe
    C:\Windows\system32\mmtask.exe -s
    3⤵
    PID:1864
- - C:\Windows\SVCHOST.EXE
    C:\Windows\SVCHOST.EXE -s
    3⤵
    PID:2244
- - C:\Windows\system\SVCHOST.EXE
    C:\Windows\system\SVCHOST.EXE -s
    3⤵
    PID:2636
- - C:\Windows\SysWOW64\EBRR.EXE
    C:\Windows\system32\EBRR.EXE -s
    3⤵
    PID:2176
- - C:\Windows\SysWOW64\mmtask.exe
    C:\Windows\system32\mmtask.exe -s
    3⤵
    PID:2848
- - C:\Windows\SVCHOST.EXE
    C:\Windows\SVCHOST.EXE -s
    3⤵
    PID:2684
- - C:\Windows\system\SVCHOST.EXE
    C:\Windows\system\SVCHOST.EXE -s
    3⤵
    PID:2620
- - C:\Windows\SysWOW64\EBRR.EXE
    C:\Windows\system32\EBRR.EXE -s
    3⤵
    PID:1676
- - C:\Windows\SysWOW64\mmtask.exe
    C:\Windows\system32\mmtask.exe -s
    3⤵
    PID:604
- - C:\Windows\SVCHOST.EXE
    C:\Windows\SVCHOST.EXE -s
    3⤵
    PID:1428
- - C:\Windows\system\SVCHOST.EXE
    C:\Windows\system\SVCHOST.EXE -s
    3⤵
    PID:2484
- - C:\Windows\SysWOW64\EBRR.EXE
    C:\Windows\system32\EBRR.EXE -s
    3⤵
    PID:2384
- - C:\Windows\SysWOW64\mmtask.exe
    C:\Windows\system32\mmtask.exe -s
    3⤵
    PID:2984
- - C:\Windows\SVCHOST.EXE
    C:\Windows\SVCHOST.EXE -s
    3⤵
    PID:780
- - C:\Windows\system\SVCHOST.EXE
    C:\Windows\system\SVCHOST.EXE -s
    3⤵
    PID:2320
- - C:\Windows\SysWOW64\EBRR.EXE
    C:\Windows\system32\EBRR.EXE -s
    3⤵
    PID:2396
- - C:\Windows\SysWOW64\mmtask.exe
    C:\Windows\system32\mmtask.exe -s
    3⤵
    PID:1876
- - C:\Windows\SVCHOST.EXE
    C:\Windows\SVCHOST.EXE -s
    3⤵
    PID:1088
- - C:\Windows\system\SVCHOST.EXE
    C:\Windows\system\SVCHOST.EXE -s
    3⤵
    PID:1920
- - C:\Windows\SysWOW64\EBRR.EXE
    C:\Windows\system32\EBRR.EXE -s
    3⤵
    PID:2472
- - C:\Windows\SysWOW64\mmtask.exe
    C:\Windows\system32\mmtask.exe -s
    3⤵
    PID:2500
- - C:\Windows\SVCHOST.EXE
    C:\Windows\SVCHOST.EXE -s
    3⤵
    PID:1704
- - C:\Windows\system\SVCHOST.EXE
    C:\Windows\system\SVCHOST.EXE -s
    3⤵
    PID:1692
- - C:\Windows\SysWOW64\EBRR.EXE
    C:\Windows\system32\EBRR.EXE -s
    3⤵
    PID:1000
- - C:\Windows\SysWOW64\mmtask.exe
    C:\Windows\system32\mmtask.exe -s
    3⤵
    PID:1072
- - C:\Windows\SVCHOST.EXE
    C:\Windows\SVCHOST.EXE -s
    3⤵
    PID:320
- - C:\Windows\system\SVCHOST.EXE
    C:\Windows\system\SVCHOST.EXE -s
    3⤵
    PID:820
- - C:\Windows\SysWOW64\EBRR.EXE
    C:\Windows\system32\EBRR.EXE -s
    3⤵
    PID:380
- - C:\Windows\SysWOW64\mmtask.exe
    C:\Windows\system32\mmtask.exe -s
    3⤵
    PID:1648
- - C:\Windows\SVCHOST.EXE
    C:\Windows\SVCHOST.EXE -s
    3⤵
    PID:2308
- - C:\Windows\system\SVCHOST.EXE
    C:\Windows\system\SVCHOST.EXE -s
    3⤵
    PID:2244
- - C:\Windows\SysWOW64\EBRR.EXE
    C:\Windows\system32\EBRR.EXE -s
    3⤵
    PID:3024
- - C:\Windows\SysWOW64\mmtask.exe
    C:\Windows\system32\mmtask.exe -s
    3⤵
    PID:2068
- - C:\Windows\SVCHOST.EXE
    C:\Windows\SVCHOST.EXE -s
    3⤵
    PID:2864
- - C:\Windows\system\SVCHOST.EXE
    C:\Windows\system\SVCHOST.EXE -s
    3⤵
    PID:2744
- - C:\Windows\SysWOW64\EBRR.EXE
    C:\Windows\system32\EBRR.EXE -s
    3⤵
    PID:2060
- - C:\Windows\SysWOW64\mmtask.exe
    C:\Windows\system32\mmtask.exe -s
    3⤵
    PID:1292
- - C:\Windows\SVCHOST.EXE
    C:\Windows\SVCHOST.EXE -s
    3⤵
    PID:1096
- - C:\Windows\system\SVCHOST.EXE
    C:\Windows\system\SVCHOST.EXE -s
    3⤵
    PID:2892
- - C:\Windows\SysWOW64\EBRR.EXE
    C:\Windows\system32\EBRR.EXE -s
    3⤵
    PID:604
- - C:\Windows\SysWOW64\mmtask.exe
    C:\Windows\system32\mmtask.exe -s
    3⤵
    PID:1428
- - C:\Windows\SVCHOST.EXE
    C:\Windows\SVCHOST.EXE -s
    3⤵
    PID:440
- - C:\Windows\system\SVCHOST.EXE
    C:\Windows\system\SVCHOST.EXE -s
    3⤵
    PID:2356
- - C:\Windows\SysWOW64\EBRR.EXE
    C:\Windows\system32\EBRR.EXE -s
    3⤵
    PID:920
- - C:\Windows\SysWOW64\mmtask.exe
    C:\Windows\system32\mmtask.exe -s
    3⤵
    PID:2636
- - C:\Windows\SVCHOST.EXE
    C:\Windows\SVCHOST.EXE -s
    3⤵
    PID:1016
- - C:\Windows\system\SVCHOST.EXE
    C:\Windows\system\SVCHOST.EXE -s
    3⤵
    PID:1504
- - C:\Windows\SysWOW64\EBRR.EXE
    C:\Windows\system32\EBRR.EXE -s
    3⤵
    PID:988
- - C:\Windows\SysWOW64\mmtask.exe
    C:\Windows\system32\mmtask.exe -s
    3⤵
    PID:2540
- - C:\Windows\SVCHOST.EXE
    C:\Windows\SVCHOST.EXE -s
    3⤵
    PID:2744
- - C:\Windows\system\SVCHOST.EXE
    C:\Windows\system\SVCHOST.EXE -s
    3⤵
    PID:2988
- - C:\Windows\SysWOW64\EBRR.EXE
    C:\Windows\system32\EBRR.EXE -s
    3⤵
    PID:2128
- - C:\Windows\SysWOW64\mmtask.exe
    C:\Windows\system32\mmtask.exe -s
    3⤵
    PID:448
- - C:\Windows\SVCHOST.EXE
    C:\Windows\SVCHOST.EXE -s
    3⤵
    PID:1292
- - C:\Windows\system\SVCHOST.EXE
    C:\Windows\system\SVCHOST.EXE -s
    3⤵
    PID:2032
- - C:\Windows\SysWOW64\EBRR.EXE
    C:\Windows\system32\EBRR.EXE -s
    3⤵
    PID:2804
- - C:\Windows\SysWOW64\mmtask.exe
    C:\Windows\system32\mmtask.exe -s
    3⤵
    PID:1984
- - C:\Windows\SVCHOST.EXE
    C:\Windows\SVCHOST.EXE -s
    3⤵
    PID:1764
- - C:\Windows\system\SVCHOST.EXE
    C:\Windows\system\SVCHOST.EXE -s
    3⤵
    PID:552
- - C:\Windows\SysWOW64\EBRR.EXE
    C:\Windows\system32\EBRR.EXE -s
    3⤵
    PID:2712
- - C:\Windows\SysWOW64\mmtask.exe
    C:\Windows\system32\mmtask.exe -s
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2984
- - C:\Windows\SVCHOST.EXE
    C:\Windows\SVCHOST.EXE -s
    3⤵
    PID:784
- - C:\Windows\system\SVCHOST.EXE
    C:\Windows\system\SVCHOST.EXE -s
    3⤵
    PID:1016
- - C:\Windows\SysWOW64\EBRR.EXE
    C:\Windows\system32\EBRR.EXE -s
    3⤵
    PID:1264
- - C:\Windows\SysWOW64\mmtask.exe
    C:\Windows\system32\mmtask.exe -s
    3⤵
    PID:2184
- - C:\Windows\SVCHOST.EXE
    C:\Windows\SVCHOST.EXE -s
    3⤵
    PID:1688
- - C:\Windows\system\SVCHOST.EXE
    C:\Windows\system\SVCHOST.EXE -s
    3⤵
    PID:1932
- - C:\Windows\SysWOW64\EBRR.EXE
    C:\Windows\system32\EBRR.EXE -s
    3⤵
    PID:2440
- - C:\Windows\SysWOW64\mmtask.exe
    C:\Windows\system32\mmtask.exe -s
    3⤵
    PID:448
- - C:\Windows\SVCHOST.EXE
    C:\Windows\SVCHOST.EXE -s
    3⤵
    PID:1692
- - C:\Windows\system\SVCHOST.EXE
    C:\Windows\system\SVCHOST.EXE -s
    3⤵
    PID:1572
- - C:\Windows\SysWOW64\EBRR.EXE
    C:\Windows\system32\EBRR.EXE -s
    3⤵
    PID:1672
- - C:\Windows\SysWOW64\mmtask.exe
    C:\Windows\system32\mmtask.exe -s
    3⤵
    PID:2096
- - C:\Windows\SVCHOST.EXE
    C:\Windows\SVCHOST.EXE -s
    3⤵
    PID:1452
- - C:\Windows\system\SVCHOST.EXE
    C:\Windows\system\SVCHOST.EXE -s
    3⤵
    PID:1536
- - C:\Windows\SysWOW64\EBRR.EXE
    C:\Windows\system32\EBRR.EXE -s
    3⤵
    PID:488
- - C:\Windows\SysWOW64\mmtask.exe
    C:\Windows\system32\mmtask.exe -s
    3⤵
    PID:972
- - C:\Windows\SVCHOST.EXE
    C:\Windows\SVCHOST.EXE -s
    3⤵
    PID:2984
- - C:\Windows\system\SVCHOST.EXE
    C:\Windows\system\SVCHOST.EXE -s
    3⤵
    PID:2140
- - C:\Windows\SysWOW64\EBRR.EXE
    C:\Windows\system32\EBRR.EXE -s
    3⤵
    PID:2088
- - C:\Windows\SysWOW64\mmtask.exe
    C:\Windows\system32\mmtask.exe -s
    3⤵
    PID:3040
- - C:\Windows\SVCHOST.EXE
    C:\Windows\SVCHOST.EXE -s
    3⤵
    PID:2068
- - C:\Windows\system\SVCHOST.EXE
    C:\Windows\system\SVCHOST.EXE -s
    3⤵
    PID:2148
- - C:\Windows\SysWOW64\EBRR.EXE
    C:\Windows\system32\EBRR.EXE -s
    3⤵
    PID:2408
- - C:\Windows\SysWOW64\mmtask.exe
    C:\Windows\system32\mmtask.exe -s
    3⤵
    PID:236
- - C:\Windows\SVCHOST.EXE
    C:\Windows\SVCHOST.EXE -s
    3⤵
    PID:328
- - C:\Windows\system\SVCHOST.EXE
    C:\Windows\system\SVCHOST.EXE -s
    3⤵
    PID:2948
- - C:\Windows\SysWOW64\EBRR.EXE
    C:\Windows\system32\EBRR.EXE -s
    3⤵
    PID:2032
- - C:\Windows\SysWOW64\mmtask.exe
    C:\Windows\system32\mmtask.exe -s
    3⤵
    PID:2888
- - C:\Windows\SVCHOST.EXE
    C:\Windows\SVCHOST.EXE -s
    3⤵
    PID:1092
- - C:\Windows\system\SVCHOST.EXE
    C:\Windows\system\SVCHOST.EXE -s
    3⤵
    PID:2916
- - C:\Windows\SysWOW64\EBRR.EXE
    C:\Windows\system32\EBRR.EXE -s
    3⤵
    PID:2180
- - C:\Windows\SysWOW64\mmtask.exe
    C:\Windows\system32\mmtask.exe -s
    3⤵
    PID:2260
- - C:\Windows\SVCHOST.EXE
    C:\Windows\SVCHOST.EXE -s
    3⤵
    PID:1532
- - C:\Windows\system\SVCHOST.EXE
    C:\Windows\system\SVCHOST.EXE -s
    3⤵
    PID:784
- - C:\Windows\SysWOW64\EBRR.EXE
    C:\Windows\system32\EBRR.EXE -s
    3⤵
    PID:2452
- - C:\Windows\SysWOW64\mmtask.exe
    C:\Windows\system32\mmtask.exe -s
    3⤵
    PID:824
- - C:\Windows\SVCHOST.EXE
    C:\Windows\SVCHOST.EXE -s
    3⤵
    PID:2184
- - C:\Windows\system\SVCHOST.EXE
    C:\Windows\system\SVCHOST.EXE -s
    3⤵
    PID:1916
- - C:\Windows\SysWOW64\EBRR.EXE
    C:\Windows\system32\EBRR.EXE -s
    3⤵
    PID:1088
- - C:\Windows\SysWOW64\mmtask.exe
    C:\Windows\system32\mmtask.exe -s
    3⤵
    PID:2112
- - C:\Windows\SVCHOST.EXE
    C:\Windows\SVCHOST.EXE -s
    3⤵
    PID:2272
- - C:\Windows\system\SVCHOST.EXE
    C:\Windows\system\SVCHOST.EXE -s
    3⤵
    PID:2028
- - C:\Windows\SysWOW64\EBRR.EXE
    C:\Windows\system32\EBRR.EXE -s
    3⤵
    PID:2948
- - C:\Windows\SysWOW64\mmtask.exe
    C:\Windows\system32\mmtask.exe -s
    3⤵
    PID:2836
- - C:\Windows\SVCHOST.EXE
    C:\Windows\SVCHOST.EXE -s
    3⤵
    PID:2032
- - C:\Windows\system\SVCHOST.EXE
    C:\Windows\system\SVCHOST.EXE -s
    3⤵
    PID:296
- - C:\Windows\SysWOW64\EBRR.EXE
    C:\Windows\system32\EBRR.EXE -s
    3⤵
    PID:440
- - C:\Windows\SysWOW64\mmtask.exe
    C:\Windows\system32\mmtask.exe -s
    3⤵
    PID:2240
- - C:\Windows\SVCHOST.EXE
    C:\Windows\SVCHOST.EXE -s
    3⤵
    PID:1912
- - C:\Windows\system\SVCHOST.EXE
    C:\Windows\system\SVCHOST.EXE -s
    3⤵
    PID:1628
- - C:\Windows\SysWOW64\EBRR.EXE
    C:\Windows\system32\EBRR.EXE -s
    3⤵
    PID:1864
- - C:\Windows\SysWOW64\mmtask.exe
    C:\Windows\system32\mmtask.exe -s
    3⤵
    PID:1804
- - C:\Windows\SVCHOST.EXE
    C:\Windows\SVCHOST.EXE -s
    3⤵
    PID:2132
- - C:\Windows\system\SVCHOST.EXE
    C:\Windows\system\SVCHOST.EXE -s
    3⤵
    PID:2396
- - C:\Windows\SysWOW64\EBRR.EXE
    C:\Windows\system32\EBRR.EXE -s
    3⤵
    PID:2520
- - C:\Windows\SysWOW64\mmtask.exe
    C:\Windows\system32\mmtask.exe -s
    3⤵
    PID:2472
- - C:\Windows\SVCHOST.EXE
    C:\Windows\SVCHOST.EXE -s
    3⤵
    PID:2148
- - C:\Windows\system\SVCHOST.EXE
    C:\Windows\system\SVCHOST.EXE -s
    3⤵
    PID:2248
- - C:\Windows\SysWOW64\EBRR.EXE
    C:\Windows\system32\EBRR.EXE -s
    3⤵
    PID:236
- - C:\Windows\SysWOW64\mmtask.exe
    C:\Windows\system32\mmtask.exe -s
    3⤵
    PID:1668
- - C:\Windows\SVCHOST.EXE
    C:\Windows\SVCHOST.EXE -s
    3⤵
    PID:1940
- - C:\Windows\system\SVCHOST.EXE
    C:\Windows\system\SVCHOST.EXE -s
    3⤵
    PID:1700
- - C:\Windows\SysWOW64\EBRR.EXE
    C:\Windows\system32\EBRR.EXE -s
    3⤵
    PID:2736
- - C:\Windows\SysWOW64\mmtask.exe
    C:\Windows\system32\mmtask.exe -s
    3⤵
    PID:1636
- - C:\Windows\SVCHOST.EXE
    C:\Windows\SVCHOST.EXE -s
    3⤵
    PID:1660
- - C:\Windows\system\SVCHOST.EXE
    C:\Windows\system\SVCHOST.EXE -s
    3⤵
    PID:1052
- - C:\Windows\SysWOW64\EBRR.EXE
    C:\Windows\system32\EBRR.EXE -s
    3⤵
    PID:3064
- - C:\Windows\SysWOW64\mmtask.exe
    C:\Windows\system32\mmtask.exe -s
    3⤵
    PID:1676
- - C:\Windows\SVCHOST.EXE
    C:\Windows\SVCHOST.EXE -s
    3⤵
    PID:2236
- - C:\Windows\system\SVCHOST.EXE
    C:\Windows\system\SVCHOST.EXE -s
    3⤵
    PID:2720
- - C:\Windows\SysWOW64\EBRR.EXE
    C:\Windows\system32\EBRR.EXE -s
    3⤵
    PID:1552
- - C:\Windows\SysWOW64\mmtask.exe
    C:\Windows\system32\mmtask.exe -s
    3⤵
    PID:2328
- - C:\Windows\SVCHOST.EXE
    C:\Windows\SVCHOST.EXE -s
    3⤵
    PID:2960
- - C:\Windows\system\SVCHOST.EXE
    C:\Windows\system\SVCHOST.EXE -s
    3⤵
    PID:2620
- - C:\Windows\SysWOW64\EBRR.EXE
    C:\Windows\system32\EBRR.EXE -s
    3⤵
    PID:3060
- - C:\Windows\SysWOW64\mmtask.exe
    C:\Windows\system32\mmtask.exe -s
    3⤵
    PID:2472
- - C:\Windows\SVCHOST.EXE
    C:\Windows\SVCHOST.EXE -s
    3⤵
    PID:2660
- - C:\Windows\system\SVCHOST.EXE
    C:\Windows\system\SVCHOST.EXE -s
    3⤵
    PID:448
- - C:\Windows\SysWOW64\EBRR.EXE
    C:\Windows\system32\EBRR.EXE -s
    3⤵
    PID:1124
- - C:\Windows\SysWOW64\mmtask.exe
    C:\Windows\system32\mmtask.exe -s
    3⤵
    PID:1600
- - C:\Windows\SVCHOST.EXE
    C:\Windows\SVCHOST.EXE -s
    3⤵
    PID:2932
- - C:\Windows\system\SVCHOST.EXE
    C:\Windows\system\SVCHOST.EXE -s
    3⤵
    PID:3004
- - C:\Windows\SysWOW64\EBRR.EXE
    C:\Windows\system32\EBRR.EXE -s
    3⤵
    PID:2880
- - C:\Windows\SysWOW64\mmtask.exe
    C:\Windows\system32\mmtask.exe -s
    3⤵
    PID:1464
- - C:\Windows\SVCHOST.EXE
    C:\Windows\SVCHOST.EXE -s
    3⤵
    PID:264
- - C:\Windows\system\SVCHOST.EXE
    C:\Windows\system\SVCHOST.EXE -s
    3⤵
    PID:784
- - C:\Windows\SysWOW64\EBRR.EXE
    C:\Windows\system32\EBRR.EXE -s
    3⤵
    PID:2900
- - C:\Windows\SysWOW64\mmtask.exe
    C:\Windows\system32\mmtask.exe -s
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2452
- - C:\Windows\SVCHOST.EXE
    C:\Windows\SVCHOST.EXE -s
    3⤵
    PID:2904
- - C:\Windows\system\SVCHOST.EXE
    C:\Windows\system\SVCHOST.EXE -s
    3⤵
    PID:2676
- - C:\Windows\SysWOW64\EBRR.EXE
    C:\Windows\system32\EBRR.EXE -s
    3⤵
    PID:1088
- - C:\Windows\SysWOW64\mmtask.exe
    C:\Windows\system32\mmtask.exe -s
    3⤵
    PID:2548
- - C:\Windows\SVCHOST.EXE
    C:\Windows\SVCHOST.EXE -s
    3⤵
    PID:3000
- - C:\Windows\system\SVCHOST.EXE
    C:\Windows\system\SVCHOST.EXE -s
    3⤵
    PID:1040
- - C:\Windows\SysWOW64\EBRR.EXE
    C:\Windows\system32\EBRR.EXE -s
    3⤵
    PID:2408
- - C:\Windows\SysWOW64\mmtask.exe
    C:\Windows\system32\mmtask.exe -s
    3⤵
    PID:2464
- - C:\Windows\SVCHOST.EXE
    C:\Windows\SVCHOST.EXE -s
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1100
- - C:\Windows\system\SVCHOST.EXE
    C:\Windows\system\SVCHOST.EXE -s
    3⤵
    PID:1720
- - C:\Windows\SysWOW64\EBRR.EXE
    C:\Windows\system32\EBRR.EXE -s
    3⤵
    PID:1636
- - C:\Windows\SysWOW64\mmtask.exe
    C:\Windows\system32\mmtask.exe -s
    3⤵
    PID:1656
- - C:\Windows\SVCHOST.EXE
    C:\Windows\SVCHOST.EXE -s
    3⤵
    PID:1872
- C:\Windows\SysWOW64\mmtask.exe
  C:\Windows\system32\mmtask.exe -s
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:888
- C:\Windows\SVCHOST.EXE
  C:\Windows\SVCHOST.EXE -s
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:2768
- C:\Windows\system\SVCHOST.EXE
  C:\Windows\system\SVCHOST.EXE -s
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:2340
- C:\Windows\SysWOW64\EBRR.EXE
  C:\Windows\system32\EBRR.EXE -s
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:1580
- C:\Windows\SysWOW64\mmtask.exe
  C:\Windows\system32\mmtask.exe -s
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:1564
- C:\Windows\SVCHOST.EXE
  C:\Windows\SVCHOST.EXE -s
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:2524
- C:\Windows\system\SVCHOST.EXE
  C:\Windows\system\SVCHOST.EXE -s
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:1228
- C:\Windows\SysWOW64\EBRR.EXE
  C:\Windows\system32\EBRR.EXE -s
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:1572
- C:\Windows\SysWOW64\mmtask.exe
  C:\Windows\system32\mmtask.exe -s
  2⤵
  - Executes dropped EXE
  PID:1452
- C:\Windows\SVCHOST.EXE
  C:\Windows\SVCHOST.EXE -s
  2⤵
  PID:1408
- C:\Windows\system\SVCHOST.EXE
  C:\Windows\system\SVCHOST.EXE -s
  2⤵
  PID:1556
- C:\Windows\SysWOW64\EBRR.EXE
  C:\Windows\system32\EBRR.EXE -s
  2⤵
  PID:2704
- C:\Windows\SysWOW64\mmtask.exe
  C:\Windows\system32\mmtask.exe -s
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1916
- C:\Windows\SVCHOST.EXE
  C:\Windows\SVCHOST.EXE -s
  2⤵
  PID:336
- C:\Windows\system\SVCHOST.EXE
  C:\Windows\system\SVCHOST.EXE -s
  2⤵
  PID:1516
- C:\Windows\SysWOW64\EBRR.EXE
  C:\Windows\system32\EBRR.EXE -s
  2⤵
  PID:1640
- C:\Windows\SysWOW64\mmtask.exe
  C:\Windows\system32\mmtask.exe -s
  2⤵
  PID:1684
- C:\Windows\SVCHOST.EXE
  C:\Windows\SVCHOST.EXE -s
  2⤵
  PID:2620
- C:\Windows\system\SVCHOST.EXE
  C:\Windows\system\SVCHOST.EXE -s
  2⤵
  PID:1328
- C:\Windows\SysWOW64\EBRR.EXE
  C:\Windows\system32\EBRR.EXE -s
  2⤵
  PID:2272
- C:\Windows\SysWOW64\mmtask.exe
  C:\Windows\system32\mmtask.exe -s
  2⤵
  PID:1092
- C:\Windows\SVCHOST.EXE
  C:\Windows\SVCHOST.EXE -s
  2⤵
  PID:2084
- C:\Windows\system\SVCHOST.EXE
  C:\Windows\system\SVCHOST.EXE -s
  2⤵
  PID:1052
- C:\Windows\SysWOW64\EBRR.EXE
  C:\Windows\system32\EBRR.EXE -s
  2⤵
  PID:1872
- C:\Windows\SysWOW64\mmtask.exe
  C:\Windows\system32\mmtask.exe -s
  2⤵
  PID:784
- C:\Windows\SVCHOST.EXE
  C:\Windows\SVCHOST.EXE -s
  2⤵
  PID:1796
- C:\Windows\system\SVCHOST.EXE
  C:\Windows\system\SVCHOST.EXE -s
  2⤵
  PID:2140
- C:\Windows\SysWOW64\EBRR.EXE
  C:\Windows\system32\EBRR.EXE -s
  2⤵
  PID:1584
- C:\Windows\SysWOW64\mmtask.exe
  C:\Windows\system32\mmtask.exe -s
  2⤵
  PID:2368
- C:\Windows\SVCHOST.EXE
  C:\Windows\SVCHOST.EXE -s
  2⤵
  PID:2848
- C:\Windows\system\SVCHOST.EXE
  C:\Windows\system\SVCHOST.EXE -s
  2⤵
  PID:2492
- C:\Windows\SysWOW64\EBRR.EXE
  C:\Windows\system32\EBRR.EXE -s
  2⤵
  PID:836
- C:\Windows\SysWOW64\mmtask.exe
  C:\Windows\system32\mmtask.exe -s
  2⤵
  PID:1964
- C:\Windows\SVCHOST.EXE
  C:\Windows\SVCHOST.EXE -s
  2⤵
  PID:1984
- C:\Windows\system\SVCHOST.EXE
  C:\Windows\system\SVCHOST.EXE -s
  2⤵
  PID:1372
- C:\Windows\SysWOW64\EBRR.EXE
  C:\Windows\system32\EBRR.EXE -s
  2⤵
  PID:2196
- C:\Windows\SysWOW64\mmtask.exe
  C:\Windows\system32\mmtask.exe -s
  2⤵
  PID:1628
- C:\Windows\SVCHOST.EXE
  C:\Windows\SVCHOST.EXE -s
  2⤵
  PID:1212
- C:\Windows\system\SVCHOST.EXE
  C:\Windows\system\SVCHOST.EXE -s
  2⤵
  PID:1740
- C:\Windows\SysWOW64\EBRR.EXE
  C:\Windows\system32\EBRR.EXE -s
  2⤵
  PID:2260
- C:\Windows\SysWOW64\mmtask.exe
  C:\Windows\system32\mmtask.exe -s
  2⤵
  PID:988
- C:\Windows\SVCHOST.EXE
  C:\Windows\SVCHOST.EXE -s
  2⤵
  PID:2124
- C:\Windows\system\SVCHOST.EXE
  C:\Windows\system\SVCHOST.EXE -s
  2⤵
  PID:2200
- C:\Windows\SysWOW64\EBRR.EXE
  C:\Windows\system32\EBRR.EXE -s
  2⤵
  PID:2988
- C:\Windows\SysWOW64\mmtask.exe
  C:\Windows\system32\mmtask.exe -s
  2⤵
  PID:2548
- C:\Windows\SVCHOST.EXE
  C:\Windows\SVCHOST.EXE -s
  2⤵
  PID:2948
- C:\Windows\system\SVCHOST.EXE
  C:\Windows\system\SVCHOST.EXE -s
  2⤵
  PID:1952
- C:\Windows\SysWOW64\EBRR.EXE
  C:\Windows\system32\EBRR.EXE -s
  2⤵
  PID:1556
- C:\Windows\SysWOW64\mmtask.exe
  C:\Windows\system32\mmtask.exe -s
  2⤵
  PID:1276
- C:\Windows\SVCHOST.EXE
  C:\Windows\SVCHOST.EXE -s
  2⤵
  PID:1232
- C:\Windows\system\SVCHOST.EXE
  C:\Windows\system\SVCHOST.EXE -s
  2⤵
  PID:1408
- C:\Windows\SysWOW64\EBRR.EXE
  C:\Windows\system32\EBRR.EXE -s
  2⤵
  PID:1796
- C:\Windows\SysWOW64\mmtask.exe
  C:\Windows\system32\mmtask.exe -s
  2⤵
  PID:1056
- C:\Windows\SVCHOST.EXE
  C:\Windows\SVCHOST.EXE -s
  2⤵
  PID:2136
- C:\Windows\system\SVCHOST.EXE
  C:\Windows\system\SVCHOST.EXE -s
  2⤵
  PID:1960
- C:\Windows\SysWOW64\EBRR.EXE
  C:\Windows\system32\EBRR.EXE -s
  2⤵
  PID:2564
- C:\Windows\SysWOW64\mmtask.exe
  C:\Windows\system32\mmtask.exe -s
  2⤵
  PID:2844
- C:\Windows\SVCHOST.EXE
  C:\Windows\SVCHOST.EXE -s
  2⤵
  PID:1228
- C:\Windows\system\SVCHOST.EXE
  C:\Windows\system\SVCHOST.EXE -s
  2⤵
  PID:2464
- C:\Windows\SysWOW64\EBRR.EXE
  C:\Windows\system32\EBRR.EXE -s
  2⤵
  PID:1756
- C:\Windows\SysWOW64\mmtask.exe
  C:\Windows\system32\mmtask.exe -s
  2⤵
  PID:2524
- C:\Windows\SVCHOST.EXE
  C:\Windows\SVCHOST.EXE -s
  2⤵
  PID:1624
- C:\Windows\system\SVCHOST.EXE
  C:\Windows\system\SVCHOST.EXE -s
  2⤵
  PID:2012
- C:\Windows\SysWOW64\EBRR.EXE
  C:\Windows\system32\EBRR.EXE -s
  2⤵
  PID:2336
- C:\Windows\SysWOW64\mmtask.exe
  C:\Windows\system32\mmtask.exe -s
  2⤵
  PID:1804
- C:\Windows\SVCHOST.EXE
  C:\Windows\SVCHOST.EXE -s
  2⤵
  PID:2624
- C:\Windows\system\SVCHOST.EXE
  C:\Windows\system\SVCHOST.EXE -s
  2⤵
  PID:1504
- C:\Windows\SysWOW64\EBRR.EXE
  C:\Windows\system32\EBRR.EXE -s
  2⤵
  PID:336
- C:\Windows\SysWOW64\mmtask.exe
  C:\Windows\system32\mmtask.exe -s
  2⤵
  PID:2184
- C:\Windows\SVCHOST.EXE
  C:\Windows\SVCHOST.EXE -s
  2⤵
  PID:1088
- C:\Windows\system\SVCHOST.EXE
  C:\Windows\system\SVCHOST.EXE -s
  2⤵
  PID:3060
- C:\Windows\SysWOW64\EBRR.EXE
  C:\Windows\system32\EBRR.EXE -s
  2⤵
  PID:2660
- C:\Windows\SysWOW64\mmtask.exe
  C:\Windows\system32\mmtask.exe -s
  2⤵
  PID:2740
- C:\Windows\SVCHOST.EXE
  C:\Windows\SVCHOST.EXE -s
  2⤵
  PID:2488
- C:\Windows\system\SVCHOST.EXE
  C:\Windows\system\SVCHOST.EXE -s
  2⤵
  PID:2548
- C:\Windows\SysWOW64\EBRR.EXE
  C:\Windows\system32\EBRR.EXE -s
  2⤵
  PID:1756
- C:\Windows\SysWOW64\mmtask.exe
  C:\Windows\system32\mmtask.exe -s
  2⤵
  PID:2828
- C:\Windows\SVCHOST.EXE
  C:\Windows\SVCHOST.EXE -s
  2⤵
  PID:2036
- C:\Windows\system\SVCHOST.EXE
  C:\Windows\system\SVCHOST.EXE -s
  2⤵
  PID:1136
- C:\Windows\SysWOW64\EBRR.EXE
  C:\Windows\system32\EBRR.EXE -s
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1912
- C:\Windows\SysWOW64\mmtask.exe
  C:\Windows\system32\mmtask.exe -s
  2⤵
  PID:2640
- C:\Windows\SVCHOST.EXE
  C:\Windows\SVCHOST.EXE -s
  2⤵
  PID:1212
- C:\Windows\system\SVCHOST.EXE
  C:\Windows\system\SVCHOST.EXE -s
  2⤵
  PID:2160
- C:\Windows\SysWOW64\EBRR.EXE
  C:\Windows\system32\EBRR.EXE -s
  2⤵
  PID:2332
- C:\Windows\SysWOW64\mmtask.exe
  C:\Windows\system32\mmtask.exe -s
  2⤵
  PID:2068
- C:\Windows\SVCHOST.EXE
  C:\Windows\SVCHOST.EXE -s
  2⤵
  PID:2876
- C:\Windows\system\SVCHOST.EXE
  C:\Windows\system\SVCHOST.EXE -s
  2⤵
  PID:2112
- C:\Windows\SysWOW64\EBRR.EXE
  C:\Windows\system32\EBRR.EXE -s
  2⤵
  PID:3032
- C:\Windows\SysWOW64\mmtask.exe
  C:\Windows\system32\mmtask.exe -s
  2⤵
  PID:2816
- C:\Windows\SVCHOST.EXE
  C:\Windows\SVCHOST.EXE -s
  2⤵
  PID:2548
- C:\Windows\system\SVCHOST.EXE
  C:\Windows\system\SVCHOST.EXE -s
  2⤵
  PID:1572
- C:\Windows\SysWOW64\EBRR.EXE
  C:\Windows\system32\EBRR.EXE -s
  2⤵
  PID:1156
- C:\Windows\SysWOW64\mmtask.exe
  C:\Windows\system32\mmtask.exe -s
  2⤵
  PID:1756
- C:\Windows\SVCHOST.EXE
  C:\Windows\SVCHOST.EXE -s
  2⤵
  PID:1680
- C:\Windows\system\SVCHOST.EXE
  C:\Windows\system\SVCHOST.EXE -s
  2⤵
  PID:2812
- C:\Windows\SysWOW64\EBRR.EXE
  C:\Windows\system32\EBRR.EXE -s
  2⤵
  PID:2256
- C:\Windows\SysWOW64\mmtask.exe
  C:\Windows\system32\mmtask.exe -s
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1064
- C:\Windows\SVCHOST.EXE
  C:\Windows\SVCHOST.EXE -s
  2⤵
  PID:2936
- C:\Windows\system\SVCHOST.EXE
  C:\Windows\system\SVCHOST.EXE -s
  2⤵
  PID:320
- C:\Windows\SysWOW64\EBRR.EXE
  C:\Windows\system32\EBRR.EXE -s
  2⤵
  PID:1632
- C:\Windows\SysWOW64\mmtask.exe
  C:\Windows\system32\mmtask.exe -s
  2⤵
  PID:2344
- C:\Windows\SVCHOST.EXE
  C:\Windows\SVCHOST.EXE -s
  2⤵
  PID:868
- C:\Windows\system\SVCHOST.EXE
  C:\Windows\system\SVCHOST.EXE -s
  2⤵
  PID:2396
- C:\Windows\SysWOW64\EBRR.EXE
  C:\Windows\system32\EBRR.EXE -s
  2⤵
  PID:2504
- C:\Windows\SysWOW64\mmtask.exe
  C:\Windows\system32\mmtask.exe -s
  2⤵
  PID:1884
- C:\Windows\SVCHOST.EXE
  C:\Windows\SVCHOST.EXE -s
  2⤵
  PID:2496
- C:\Windows\system\SVCHOST.EXE
  C:\Windows\system\SVCHOST.EXE -s
  2⤵
  PID:2028
- C:\Windows\SysWOW64\EBRR.EXE
  C:\Windows\system32\EBRR.EXE -s
  2⤵
  PID:2564
- C:\Windows\SysWOW64\mmtask.exe
  C:\Windows\system32\mmtask.exe -s
  2⤵
  PID:2476
- C:\Windows\SVCHOST.EXE
  C:\Windows\SVCHOST.EXE -s
  2⤵
  PID:1200
- C:\Windows\system\SVCHOST.EXE
  C:\Windows\system\SVCHOST.EXE -s
  2⤵
  PID:1680
- C:\Windows\SysWOW64\EBRR.EXE
  C:\Windows\system32\EBRR.EXE -s
  2⤵
  PID:1092
- C:\Windows\SysWOW64\mmtask.exe
  C:\Windows\system32\mmtask.exe -s
  2⤵
  PID:1868
- C:\Windows\SVCHOST.EXE
  C:\Windows\SVCHOST.EXE -s
  2⤵
  PID:1052
- C:\Windows\system\SVCHOST.EXE
  C:\Windows\system\SVCHOST.EXE -s
  2⤵
  PID:1872
- C:\Windows\SysWOW64\EBRR.EXE
  C:\Windows\system32\EBRR.EXE -s
  2⤵
  PID:1864
- C:\Windows\SysWOW64\mmtask.exe
  C:\Windows\system32\mmtask.exe -s
  2⤵
  PID:264
- C:\Windows\SVCHOST.EXE
  C:\Windows\SVCHOST.EXE -s
  2⤵
  PID:2720
- C:\Windows\system\SVCHOST.EXE
  C:\Windows\system\SVCHOST.EXE -s
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2132
- C:\Windows\SysWOW64\EBRR.EXE
  C:\Windows\system32\EBRR.EXE -s
  2⤵
  PID:1524
- C:\Windows\SysWOW64\mmtask.exe
  C:\Windows\system32\mmtask.exe -s
  2⤵
  PID:812
- C:\Windows\SVCHOST.EXE
  C:\Windows\SVCHOST.EXE -s
  2⤵
  PID:1916
- C:\Windows\system\SVCHOST.EXE
  C:\Windows\system\SVCHOST.EXE -s
  2⤵
  PID:2676
- C:\Windows\SysWOW64\EBRR.EXE
  C:\Windows\system32\EBRR.EXE -s
  2⤵
  PID:3060
- C:\Windows\SysWOW64\mmtask.exe
  C:\Windows\system32\mmtask.exe -s
  2⤵
  PID:1792
- C:\Windows\SVCHOST.EXE
  C:\Windows\SVCHOST.EXE -s
  2⤵
  PID:2064
- C:\Windows\system\SVCHOST.EXE
  C:\Windows\system\SVCHOST.EXE -s
  2⤵
  PID:1928
- C:\Windows\SysWOW64\EBRR.EXE
  C:\Windows\system32\EBRR.EXE -s
  2⤵
  PID:1168
- C:\Windows\SysWOW64\mmtask.exe
  C:\Windows\system32\mmtask.exe -s
  2⤵
  PID:1456
- C:\Windows\SVCHOST.EXE
  C:\Windows\SVCHOST.EXE -s
  2⤵
  PID:1956
- C:\Windows\system\SVCHOST.EXE
  C:\Windows\system\SVCHOST.EXE -s
  2⤵
  PID:2804
- C:\Windows\SysWOW64\EBRR.EXE
  C:\Windows\system32\EBRR.EXE -s
  2⤵
  PID:2208
- C:\Windows\SysWOW64\mmtask.exe
  C:\Windows\system32\mmtask.exe -s
  2⤵
  PID:896
- C:\Windows\SVCHOST.EXE
  C:\Windows\SVCHOST.EXE -s
  2⤵
  PID:2320
- C:\Windows\system\SVCHOST.EXE
  C:\Windows\system\SVCHOST.EXE -s
  2⤵
  PID:2528
- C:\Windows\SysWOW64\EBRR.EXE
  C:\Windows\system32\EBRR.EXE -s
  2⤵
  PID:2768
- C:\Windows\SysWOW64\mmtask.exe
  C:\Windows\system32\mmtask.exe -s
  2⤵
  PID:2340
- C:\Windows\SVCHOST.EXE
  C:\Windows\SVCHOST.EXE -s
  2⤵
  PID:1876
- C:\Windows\system\SVCHOST.EXE
  C:\Windows\system\SVCHOST.EXE -s
  2⤵
  PID:2520
- C:\Windows\SysWOW64\EBRR.EXE
  C:\Windows\system32\EBRR.EXE -s
  2⤵
  PID:2496
- C:\Windows\SysWOW64\mmtask.exe
  C:\Windows\system32\mmtask.exe -s
  2⤵
  - System Location Discovery: System Language Discovery
  PID:864
- C:\Windows\SVCHOST.EXE
  C:\Windows\SVCHOST.EXE -s
  2⤵
  PID:2056
- C:\Windows\system\SVCHOST.EXE
  C:\Windows\system\SVCHOST.EXE -s
  2⤵
  PID:236
- C:\Windows\SysWOW64\EBRR.EXE
  C:\Windows\system32\EBRR.EXE -s
  2⤵
  PID:2464
- C:\Windows\SysWOW64\mmtask.exe
  C:\Windows\system32\mmtask.exe -s
  2⤵
  PID:836
- C:\Windows\SVCHOST.EXE
  C:\Windows\SVCHOST.EXE -s
  2⤵
  PID:2228
- C:\Windows\system\SVCHOST.EXE
  C:\Windows\system\SVCHOST.EXE -s
  2⤵
  PID:2736
- C:\Windows\SysWOW64\EBRR.EXE
  C:\Windows\system32\EBRR.EXE -s
  2⤵
  PID:2880
- C:\Windows\SysWOW64\mmtask.exe
  C:\Windows\system32\mmtask.exe -s
  2⤵
  PID:2356
- C:\Windows\SVCHOST.EXE
  C:\Windows\SVCHOST.EXE -s
  2⤵
  PID:756
- C:\Windows\system\SVCHOST.EXE
  C:\Windows\system\SVCHOST.EXE -s
  2⤵
  PID:1408
- C:\Windows\SysWOW64\EBRR.EXE
  C:\Windows\system32\EBRR.EXE -s
  2⤵
  PID:920
- C:\Windows\SysWOW64\mmtask.exe
  C:\Windows\system32\mmtask.exe -s
  2⤵
  PID:488
- C:\Windows\SVCHOST.EXE
  C:\Windows\SVCHOST.EXE -s
  2⤵
  PID:1552
- C:\Windows\system\SVCHOST.EXE
  C:\Windows\system\SVCHOST.EXE -s
  2⤵
  PID:2204
- C:\Windows\SysWOW64\EBRR.EXE
  C:\Windows\system32\EBRR.EXE -s
  2⤵
  PID:2864
- C:\Windows\SysWOW64\mmtask.exe
  C:\Windows\system32\mmtask.exe -s
  2⤵
  PID:2340
- C:\Windows\SVCHOST.EXE
  C:\Windows\SVCHOST.EXE -s
  2⤵
  PID:1916
- C:\Windows\system\SVCHOST.EXE
  C:\Windows\system\SVCHOST.EXE -s
  2⤵
  PID:2676
- C:\Windows\SysWOW64\EBRR.EXE
  C:\Windows\system32\EBRR.EXE -s
  2⤵
  PID:1040
- C:\Windows\SysWOW64\mmtask.exe
  C:\Windows\system32\mmtask.exe -s
  2⤵
  PID:2064
- C:\Windows\SVCHOST.EXE
  C:\Windows\SVCHOST.EXE -s
  2⤵
  PID:1640
- C:\Windows\system\SVCHOST.EXE
  C:\Windows\system\SVCHOST.EXE -s
  2⤵
  PID:1888
- C:\Windows\SysWOW64\EBRR.EXE
  C:\Windows\system32\EBRR.EXE -s
  2⤵
  PID:1624
- C:\Windows\SysWOW64\mmtask.exe
  C:\Windows\system32\mmtask.exe -s
  2⤵
  PID:2292
- C:\Windows\SVCHOST.EXE
  C:\Windows\SVCHOST.EXE -s
  2⤵
  PID:1944
- C:\Windows\system\SVCHOST.EXE
  C:\Windows\system\SVCHOST.EXE -s
  2⤵
  PID:2936
- C:\Windows\SysWOW64\EBRR.EXE
  C:\Windows\system32\EBRR.EXE -s
  2⤵
  PID:1740
- C:\Windows\SysWOW64\mmtask.exe
  C:\Windows\system32\mmtask.exe -s
  2⤵
  PID:2244
- C:\Windows\SVCHOST.EXE
  C:\Windows\SVCHOST.EXE -s
  2⤵
  PID:336
- C:\Windows\system\SVCHOST.EXE
  C:\Windows\system\SVCHOST.EXE -s
  2⤵
  PID:868
- C:\Windows\SysWOW64\EBRR.EXE
  C:\Windows\system32\EBRR.EXE -s
  2⤵
  PID:824
- C:\Windows\SysWOW64\mmtask.exe
  C:\Windows\system32\mmtask.exe -s
  2⤵
  PID:2332
- C:\Windows\SVCHOST.EXE
  C:\Windows\SVCHOST.EXE -s
  2⤵
  PID:2600
- C:\Windows\system\SVCHOST.EXE
  C:\Windows\system\SVCHOST.EXE -s
  2⤵
  PID:2520
- C:\Windows\SysWOW64\EBRR.EXE
  C:\Windows\system32\EBRR.EXE -s
  2⤵
  PID:3008
- C:\Windows\SysWOW64\mmtask.exe
  C:\Windows\system32\mmtask.exe -s
  2⤵
  PID:1952
- C:\Windows\SVCHOST.EXE
  C:\Windows\SVCHOST.EXE -s
  2⤵
  PID:1888
- C:\Windows\system\SVCHOST.EXE
  C:\Windows\system\SVCHOST.EXE -s
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1572
- C:\Windows\SysWOW64\EBRR.EXE
  C:\Windows\system32\EBRR.EXE -s
  2⤵
  PID:1964
- C:\Windows\SysWOW64\mmtask.exe
  C:\Windows\system32\mmtask.exe -s
  2⤵
  PID:772
- C:\Windows\SVCHOST.EXE
  C:\Windows\SVCHOST.EXE -s
  2⤵
  PID:1972
- C:\Windows\system\SVCHOST.EXE
  C:\Windows\system\SVCHOST.EXE -s
  2⤵
  PID:2824
- C:\Windows\SysWOW64\EBRR.EXE
  C:\Windows\system32\EBRR.EXE -s
  2⤵
  PID:2412
- C:\Windows\SysWOW64\mmtask.exe
  C:\Windows\system32\mmtask.exe -s
  2⤵
  PID:1944
- C:\Windows\SVCHOST.EXE
  C:\Windows\SVCHOST.EXE -s
  2⤵
  PID:332
- C:\Windows\system\SVCHOST.EXE
  C:\Windows\system\SVCHOST.EXE -s
  2⤵
  PID:684
- C:\Windows\SysWOW64\EBRR.EXE
  C:\Windows\system32\EBRR.EXE -s
  2⤵
  PID:1612
- C:\Windows\SysWOW64\mmtask.exe
  C:\Windows\system32\mmtask.exe -s
  2⤵
  PID:1532
- C:\Windows\SVCHOST.EXE
  C:\Windows\SVCHOST.EXE -s
  2⤵
  PID:2388
- C:\Windows\system\SVCHOST.EXE
  C:\Windows\system\SVCHOST.EXE -s
  2⤵
  PID:2124
- C:\Windows\SysWOW64\EBRR.EXE
  C:\Windows\system32\EBRR.EXE -s
  2⤵
  PID:2308
- C:\Windows\SysWOW64\mmtask.exe
  C:\Windows\system32\mmtask.exe -s
  2⤵
  PID:2164
- C:\Windows\SVCHOST.EXE
  C:\Windows\SVCHOST.EXE -s
  2⤵
  PID:2856
- C:\Windows\system\SVCHOST.EXE
  C:\Windows\system\SVCHOST.EXE -s
  2⤵
  PID:2800
- C:\Windows\SysWOW64\EBRR.EXE
  C:\Windows\system32\EBRR.EXE -s
  2⤵
  PID:320
- C:\Windows\SysWOW64\mmtask.exe
  C:\Windows\system32\mmtask.exe -s
  2⤵
  PID:2060
- C:\Windows\SVCHOST.EXE
  C:\Windows\SVCHOST.EXE -s
  2⤵
  PID:632
- C:\Windows\system\SVCHOST.EXE
  C:\Windows\system\SVCHOST.EXE -s
  2⤵
  PID:1952
- C:\Windows\SysWOW64\EBRR.EXE
  C:\Windows\system32\EBRR.EXE -s
  2⤵
  PID:1668
- C:\Windows\SysWOW64\mmtask.exe
  C:\Windows\system32\mmtask.exe -s
  2⤵
  PID:1156
- C:\Windows\SVCHOST.EXE
  C:\Windows\SVCHOST.EXE -s
  2⤵
  PID:1200
- C:\Windows\system\SVCHOST.EXE
  C:\Windows\system\SVCHOST.EXE -s
  2⤵
  PID:276
- C:\Windows\SysWOW64\EBRR.EXE
  C:\Windows\system32\EBRR.EXE -s
  2⤵
  PID:2232
- C:\Windows\SysWOW64\mmtask.exe
  C:\Windows\system32\mmtask.exe -s
  2⤵
  PID:440

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
- Modifies Internet Explorer settings
- Modifies registry class
PID:1760

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Winlogon Helper DLL

T1547.004

Event Triggered Execution

T1546

Change Default File Association

T1546.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Winlogon Helper DLL

T1547.004

Event Triggered Execution

T1546

Change Default File Association

T1546.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\0cf6a4cb3c46a417ab92e334f09379853567ca44307a508b1908fb0045ee687cN\Naskah.rtf

Filesize
188B

MD5
853035ec9d6fbf7cf9243c5cd2ed52c9

SHA1
65db1419ad274aface533f87b958b7b21e5f32b7

SHA256
f6e97c8120a4039043a8b132da995cccab7ed38a842251927577bd2f3cb5c1bb

SHA512
f53d97de0a1462ad580e98de40f8629dd282dcd7cf1bdad060064cba4718cdbbfb86e151de1c8e9352083ae61d11bc392dd11cf538513d8fb99f1f469e2c6b79

Download Submit
C:\Windows\SVCHOST.EXE

Filesize
92KB

MD5
8dc53b44dbbf98f8326625755e57bd64

SHA1
8e3251db029a9126e4f4291a8175cd80724903d4

SHA256
a43a2baa61d64072070d63bfe1179d25d6af792782d1628f4617616efe91d604

SHA512
6854bb2aca8304abb51209ad40cc1e9e578a1285737ca0c3d5593e8b7cf2a572d19c41d8e164aee3e01ea8d8ed9ff9d6f90746aae0597f9d289f5f4f607a725a

Download Submit
\Windows\SysWOW64\EBRR.EXE

Filesize
92KB

MD5
a286cf1de37c39561f8ed23cb64cc52b

SHA1
8b670c74fc9c41d61d296176c045995244b7e303

SHA256
69e1c6f5ebd7ffe1ecdc0b1740fdb0548826be00ff5093f613adc7045a680af7

SHA512
aa223edb61b5a17d94c3db20ea4b091bf6cd2275be6421793a7976d6fbb17c607931800434f892d13eb811859a3621f62a49d8a1b4aedebd933ef9a8aeeaff4d

Download Submit
\Windows\SysWOW64\mmtask.exe

Filesize
92KB

MD5
822104e06fb919d9ec2baca298102247

SHA1
4e51ed3c5da9d82dd2ca8331b81df462e6b936cd

SHA256
ab0192846977685e069c23f445480c3fb1d4486d26557c05416440d3656c7166

SHA512
259c9b77b7791b10d5ad599456c347947e707515de9faa8aa7c505267240544d92924d229795eb456515f6528aa926ea50eb3371f62a13b76aa04bd965179fd9

Download Submit
\Windows\system\SVCHOST.EXE

Filesize
92KB

MD5
828514cd08745eed7d31e8fddb78cddb

SHA1
5d0f5b71502a0c3d4fb21e079f7e5320576df7f4

SHA256
4b644f0993624c89af0ee8645a6e215748bb90d59748a2f68d318163ae18ddc2

SHA512
236fb7097883ba702c51eca1309d2fe8c63013b46443479ea4e55772bb82eaf3204b8c8e7145ac6f40685fd04275387d09f79d9fcd2c5f3c2817208db784be77

Download Submit
memory/264-211-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/264-210-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/336-1258-0x0000000000220000-0x0000000000230000-memory.dmp

Filesize
64KB

Download
memory/336-235-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/380-3395-0x0000000000220000-0x0000000000230000-memory.dmp

Filesize
64KB

Download
memory/632-1652-0x0000000000220000-0x0000000000230000-memory.dmp

Filesize
64KB

Download
memory/784-4279-0x0000000000260000-0x0000000000270000-memory.dmp

Filesize
64KB

Download
memory/784-4278-0x0000000000260000-0x0000000000270000-memory.dmp

Filesize
64KB

Download
memory/888-213-0x00000000001B0000-0x00000000001C0000-memory.dmp

Filesize
64KB

Download
memory/888-218-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/888-212-0x00000000001B0000-0x00000000001C0000-memory.dmp

Filesize
64KB

Download
memory/1032-207-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1036-93-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1060-90-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1060-94-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1088-2305-0x0000000000220000-0x0000000000230000-memory.dmp

Filesize
64KB

Download
memory/1088-2304-0x0000000000220000-0x0000000000230000-memory.dmp

Filesize
64KB

Download
memory/1096-151-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1096-3843-0x0000000000220000-0x0000000000230000-memory.dmp

Filesize
64KB

Download
memory/1096-3842-0x0000000000220000-0x0000000000230000-memory.dmp

Filesize
64KB

Download
memory/1168-141-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1272-143-0x00000000002A0000-0x00000000002BF000-memory.dmp

Filesize
124KB

Download
memory/1272-133-0x00000000002A0000-0x00000000002BF000-memory.dmp

Filesize
124KB

Download
memory/1272-261-0x00000000002A0000-0x00000000002BF000-memory.dmp

Filesize
124KB

Download
memory/1272-161-0x00000000002A0000-0x00000000002BF000-memory.dmp

Filesize
124KB

Download
memory/1272-155-0x00000000002A0000-0x00000000002BF000-memory.dmp

Filesize
124KB

Download
memory/1272-153-0x00000000002A0000-0x00000000002BF000-memory.dmp

Filesize
124KB

Download
memory/1272-136-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1272-123-0x00000000002A0000-0x00000000002BF000-memory.dmp

Filesize
124KB

Download
memory/1272-191-0x00000000002A0000-0x00000000002BF000-memory.dmp

Filesize
124KB

Download
memory/1272-217-0x00000000002A0000-0x00000000002BF000-memory.dmp

Filesize
124KB

Download
memory/1272-178-0x00000000002A0000-0x00000000002BF000-memory.dmp

Filesize
124KB

Download
memory/1372-4234-0x0000000000220000-0x0000000000230000-memory.dmp

Filesize
64KB

Download
memory/1400-219-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1596-183-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1604-104-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1604-97-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1624-173-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1648-1044-0x0000000000220000-0x0000000000230000-memory.dmp

Filesize
64KB

Download
memory/1676-2592-0x0000000000220000-0x0000000000230000-memory.dmp

Filesize
64KB

Download
memory/1676-2593-0x0000000000220000-0x0000000000230000-memory.dmp

Filesize
64KB

Download
memory/1724-137-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1760-67-0x0000000004100000-0x0000000004110000-memory.dmp

Filesize
64KB

Download
memory/1764-4413-0x00000000003A0000-0x00000000003B0000-memory.dmp

Filesize
64KB

Download
memory/1864-838-0x0000000000220000-0x0000000000230000-memory.dmp

Filesize
64KB

Download
memory/1864-840-0x0000000000220000-0x0000000000230000-memory.dmp

Filesize
64KB

Download
memory/1868-192-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1892-2317-0x00000000002A0000-0x00000000002B0000-memory.dmp

Filesize
64KB

Download
memory/1892-2316-0x00000000002A0000-0x00000000002B0000-memory.dmp

Filesize
64KB

Download
memory/1920-294-0x00000000779C0000-0x0000000077ABA000-memory.dmp

Filesize
1000KB

Download
memory/1920-1790-0x00000000779C0000-0x0000000077ABA000-memory.dmp

Filesize
1000KB

Download
memory/1920-293-0x0000000077AC0000-0x0000000077BDF000-memory.dmp

Filesize
1.1MB

Download
memory/1920-1090-0x0000000077AC0000-0x0000000077BDF000-memory.dmp

Filesize
1.1MB

Download
memory/1920-1789-0x0000000077AC0000-0x0000000077BDF000-memory.dmp

Filesize
1.1MB

Download
memory/1944-171-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1952-3020-0x0000000000220000-0x0000000000230000-memory.dmp

Filesize
64KB

Download
memory/1952-3021-0x0000000000220000-0x0000000000230000-memory.dmp

Filesize
64KB

Download
memory/1972-4397-0x0000000000230000-0x0000000000240000-memory.dmp

Filesize
64KB

Download
memory/1972-4396-0x0000000000230000-0x0000000000240000-memory.dmp

Filesize
64KB

Download
memory/2012-2542-0x0000000000220000-0x0000000000230000-memory.dmp

Filesize
64KB

Download
memory/2076-252-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2144-198-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2164-245-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2180-3063-0x0000000000220000-0x0000000000230000-memory.dmp

Filesize
64KB

Download
memory/2228-2710-0x0000000000220000-0x0000000000230000-memory.dmp

Filesize
64KB

Download
memory/2228-2878-0x0000000000220000-0x0000000000230000-memory.dmp

Filesize
64KB

Download
memory/2228-2711-0x0000000000220000-0x0000000000230000-memory.dmp

Filesize
64KB

Download
memory/2228-2879-0x0000000000220000-0x0000000000230000-memory.dmp

Filesize
64KB

Download
memory/2232-424-0x00000000001B0000-0x00000000001C0000-memory.dmp

Filesize
64KB

Download
memory/2232-423-0x00000000001B0000-0x00000000001C0000-memory.dmp

Filesize
64KB

Download
memory/2268-10-0x0000000000250000-0x000000000026F000-memory.dmp

Filesize
124KB

Download
memory/2268-262-0x0000000000250000-0x000000000026F000-memory.dmp

Filesize
124KB

Download
memory/2268-15-0x0000000000250000-0x000000000026F000-memory.dmp

Filesize
124KB

Download
memory/2268-275-0x0000000000250000-0x000000000026F000-memory.dmp

Filesize
124KB

Download
memory/2268-50-0x0000000000250000-0x000000000026F000-memory.dmp

Filesize
124KB

Download
memory/2268-231-0x0000000000250000-0x000000000026F000-memory.dmp

Filesize
124KB

Download
memory/2268-0-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2268-216-0x0000000000250000-0x000000000026F000-memory.dmp

Filesize
124KB

Download
memory/2268-45-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2268-215-0x0000000000250000-0x000000000026F000-memory.dmp

Filesize
124KB

Download
memory/2268-190-0x0000000000250000-0x000000000026F000-memory.dmp

Filesize
124KB

Download
memory/2268-263-0x0000000000250000-0x000000000026F000-memory.dmp

Filesize
124KB

Download
memory/2268-47-0x0000000000250000-0x000000000026F000-memory.dmp

Filesize
124KB

Download
memory/2296-3367-0x0000000000260000-0x0000000000270000-memory.dmp

Filesize
64KB

Download
memory/2300-3223-0x0000000000220000-0x0000000000230000-memory.dmp

Filesize
64KB

Download
memory/2300-3222-0x0000000000220000-0x0000000000230000-memory.dmp

Filesize
64KB

Download
memory/2312-230-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2312-247-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2340-243-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2368-260-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2396-228-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2468-108-0x00000000003B0000-0x00000000003CF000-memory.dmp

Filesize
124KB

Download
memory/2468-73-0x00000000003B0000-0x00000000003CF000-memory.dmp

Filesize
124KB

Download
memory/2468-40-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2468-269-0x00000000003B0000-0x00000000003CF000-memory.dmp

Filesize
124KB

Download
memory/2468-272-0x00000000003B0000-0x00000000003CF000-memory.dmp

Filesize
124KB

Download
memory/2468-273-0x00000000003B0000-0x00000000003CF000-memory.dmp

Filesize
124KB

Download
memory/2468-48-0x00000000003B0000-0x00000000003CF000-memory.dmp

Filesize
124KB

Download
memory/2468-154-0x00000000003B0000-0x00000000003CF000-memory.dmp

Filesize
124KB

Download
memory/2468-214-0x00000000003B0000-0x00000000003CF000-memory.dmp

Filesize
124KB

Download
memory/2468-116-0x00000000003B0000-0x00000000003CF000-memory.dmp

Filesize
124KB

Download
memory/2468-72-0x00000000003B0000-0x00000000003CF000-memory.dmp

Filesize
124KB

Download
memory/2468-82-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2468-89-0x00000000003B0000-0x00000000003CF000-memory.dmp

Filesize
124KB

Download
memory/2468-96-0x00000000003B0000-0x00000000003CF000-memory.dmp

Filesize
124KB

Download
memory/2468-177-0x00000000003B0000-0x00000000003CF000-memory.dmp

Filesize
124KB

Download
memory/2504-3451-0x0000000000220000-0x0000000000230000-memory.dmp

Filesize
64KB

Download
memory/2504-3450-0x0000000000220000-0x0000000000230000-memory.dmp

Filesize
64KB

Download
memory/2544-902-0x0000000000230000-0x0000000000240000-memory.dmp

Filesize
64KB

Download
memory/2564-1651-0x00000000001B0000-0x00000000001C0000-memory.dmp

Filesize
64KB

Download
memory/2568-61-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2576-232-0x0000000000250000-0x000000000026F000-memory.dmp

Filesize
124KB

Download
memory/2576-251-0x0000000000250000-0x000000000026F000-memory.dmp

Filesize
124KB

Download
memory/2576-56-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2576-268-0x0000000000250000-0x000000000026F000-memory.dmp

Filesize
124KB

Download
memory/2576-17-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2576-38-0x0000000000250000-0x000000000026F000-memory.dmp

Filesize
124KB

Download
memory/2576-24-0x0000000000250000-0x000000000026F000-memory.dmp

Filesize
124KB

Download
memory/2640-31-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2660-4523-0x0000000000220000-0x0000000000230000-memory.dmp

Filesize
64KB

Download
memory/2660-4522-0x0000000000220000-0x0000000000230000-memory.dmp

Filesize
64KB

Download
memory/2676-2123-0x00000000001C0000-0x00000000001D0000-memory.dmp

Filesize
64KB

Download
memory/2676-2122-0x00000000001C0000-0x00000000001D0000-memory.dmp

Filesize
64KB

Download
memory/2732-1465-0x0000000000220000-0x0000000000230000-memory.dmp

Filesize
64KB

Download
memory/2740-51-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2740-54-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2768-2266-0x0000000000220000-0x0000000000230000-memory.dmp

Filesize
64KB

Download
memory/2768-233-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2804-4409-0x0000000000220000-0x0000000000230000-memory.dmp

Filesize
64KB

Download
memory/2812-1512-0x0000000000220000-0x0000000000230000-memory.dmp

Filesize
64KB

Download
memory/2832-130-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2880-4237-0x00000000001B0000-0x00000000001C0000-memory.dmp

Filesize
64KB

Download
memory/2880-4236-0x00000000001B0000-0x00000000001C0000-memory.dmp

Filesize
64KB

Download
memory/2896-237-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2916-4098-0x0000000000220000-0x0000000000230000-memory.dmp

Filesize
64KB

Download
memory/2916-4099-0x0000000000220000-0x0000000000230000-memory.dmp

Filesize
64KB

Download
memory/2952-112-0x00000000003C0000-0x00000000003DF000-memory.dmp

Filesize
124KB

Download
memory/2952-250-0x00000000003C0000-0x00000000003DF000-memory.dmp

Filesize
124KB

Download
memory/2952-257-0x00000000003C0000-0x00000000003DF000-memory.dmp

Filesize
124KB

Download
memory/2952-274-0x00000000003C0000-0x00000000003DF000-memory.dmp

Filesize
124KB

Download
memory/2952-182-0x00000000003C0000-0x00000000003DF000-memory.dmp

Filesize
124KB

Download
memory/2952-117-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2952-270-0x00000000003C0000-0x00000000003DF000-memory.dmp

Filesize
124KB

Download
memory/2952-80-0x00000000003C0000-0x00000000003DF000-memory.dmp

Filesize
124KB

Download
memory/2952-179-0x00000000003C0000-0x00000000003DF000-memory.dmp

Filesize
124KB

Download
memory/2952-81-0x00000000003C0000-0x00000000003DF000-memory.dmp

Filesize
124KB

Download
memory/2952-75-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2952-271-0x00000000003C0000-0x00000000003DF000-memory.dmp

Filesize
124KB

Download
memory/2952-115-0x00000000003C0000-0x00000000003DF000-memory.dmp

Filesize
124KB

Download
memory/2952-135-0x00000000003C0000-0x00000000003DF000-memory.dmp

Filesize
124KB

Download
memory/2952-157-0x00000000003C0000-0x00000000003DF000-memory.dmp

Filesize
124KB

Download
memory/2952-156-0x00000000003C0000-0x00000000003DF000-memory.dmp

Filesize
124KB

Download
memory/2996-206-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/3012-2610-0x00000000001B0000-0x00000000001C0000-memory.dmp

Filesize
64KB

Download
memory/3060-2303-0x0000000000220000-0x0000000000230000-memory.dmp

Filesize
64KB

Download