11946e09bb85703d3e6e7f78d3f123f0e68f03759f005d118886478ad14aa9df

Analysis

max time kernel
72s
max time network
120s
platform
windows7_x64
resource
win7-20241010-en
resource tags

arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
submitted
22/11/2024, 14:24

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

11946e09bb85703d3e6e7f78d3f123f0e68f03759f005d118886478ad14aa9dfN.exe
Size

92KB
MD5

dba8a2006346a918cbad67519ec6a0b0
SHA1

ea0834d0326119e0739be23cfe81f562a354a698
SHA256

11946e09bb85703d3e6e7f78d3f123f0e68f03759f005d118886478ad14aa9df
SHA512

103d81b4b4069c44baf1053f9f66d2b5d371195cee749f183faa3b2cc294bead5476f6348cd52c1e8fdb85c73add998615977c565a520915cd89ce44f036c663
SSDEEP

768:4zW4wnebSdDlmkok6lRGXu+jKZAOWjpiRHVAGr4PzpyRAJ7IwnDoSdQ:41bC4Bk6lMTOWw4PkRAPo9

Score

10^/10

discovery persistence

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 10 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"C:\\Windows\\system\\SVCHOST.EXE\""	11946e09bb85703d3e6e7f78d3f123f0e68f03759f005d118886478ad14aa9dfN.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"C:\\Windows\\SVCHOST.EXE\""	EBRR.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"C:\\Windows\\system\\SVCHOST.EXE\""	EBRR.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"C:\\Windows\\SVCHOST.EXE\""	mmtask.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"C:\\Windows\\SVCHOST.EXE\""	SVCHOST.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"C:\\Windows\\system\\SVCHOST.EXE\""	SVCHOST.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"C:\\Windows\\SVCHOST.EXE\""	11946e09bb85703d3e6e7f78d3f123f0e68f03759f005d118886478ad14aa9dfN.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"C:\\Windows\\system\\SVCHOST.EXE\""	mmtask.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"C:\\Windows\\SVCHOST.EXE\""	SVCHOST.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"C:\\Windows\\system\\SVCHOST.EXE\""	SVCHOST.EXE

Executes dropped EXE 64 IoCs

pid	Process
2600	EBRR.EXE
484	EBRR.EXE
2928	mmtask.exe
780	EBRR.EXE
2884	mmtask.exe
2876	SVCHOST.EXE
2744	EBRR.EXE
2560	mmtask.exe
844	SVCHOST.EXE
2480	SVCHOST.EXE
1820	EBRR.EXE
2348	mmtask.exe
1968	SVCHOST.EXE
2968	SVCHOST.EXE
1636	SVCHOST.EXE
1028	EBRR.EXE
3008	SVCHOST.EXE
2180	mmtask.exe
1928	EBRR.EXE
2492	SVCHOST.EXE
448	mmtask.exe
2544	mmtask.exe
2224	EBRR.EXE
1192	EBRR.EXE
2012	SVCHOST.EXE
752	SVCHOST.EXE
872	SVCHOST.EXE
1856	SVCHOST.EXE
2168	SVCHOST.EXE
1252	SVCHOST.EXE
2376	mmtask.exe
1640	mmtask.exe
2232	SVCHOST.EXE
1788	SVCHOST.EXE
1804	SVCHOST.EXE
2400	SVCHOST.EXE
2584	EBRR.EXE
2948	EBRR.EXE
2060	mmtask.exe
1692	EBRR.EXE
2144	EBRR.EXE
320	EBRR.EXE
2788	SVCHOST.EXE
2196	mmtask.exe
2940	mmtask.exe
2816	mmtask.exe
2896	SVCHOST.EXE
2240	SVCHOST.EXE
2736	mmtask.exe
2680	SVCHOST.EXE
2872	SVCHOST.EXE
2696	SVCHOST.EXE
2704	SVCHOST.EXE
1248	SVCHOST.EXE
2924	SVCHOST.EXE
2712	SVCHOST.EXE
1044	EBRR.EXE
2668	EBRR.EXE
1280	mmtask.exe
1244	EBRR.EXE
1256	EBRR.EXE
2568	mmtask.exe
2980	mmtask.exe
2036	EBRR.EXE

Loads dropped DLL 64 IoCs

pid	Process
2392	11946e09bb85703d3e6e7f78d3f123f0e68f03759f005d118886478ad14aa9dfN.exe
2392	11946e09bb85703d3e6e7f78d3f123f0e68f03759f005d118886478ad14aa9dfN.exe
2600	EBRR.EXE
2600	EBRR.EXE
2600	EBRR.EXE
2600	EBRR.EXE
2928	mmtask.exe
2928	mmtask.exe
2928	mmtask.exe
2928	mmtask.exe
2876	SVCHOST.EXE
2876	SVCHOST.EXE
2876	SVCHOST.EXE
2876	SVCHOST.EXE
2876	SVCHOST.EXE
2876	SVCHOST.EXE
2480	SVCHOST.EXE
2480	SVCHOST.EXE
2480	SVCHOST.EXE
2480	SVCHOST.EXE
2480	SVCHOST.EXE
2928	mmtask.exe
2876	SVCHOST.EXE
2928	mmtask.exe
2876	SVCHOST.EXE
2876	SVCHOST.EXE
2876	SVCHOST.EXE
2928	mmtask.exe
2928	mmtask.exe
2600	EBRR.EXE
2600	EBRR.EXE
2392	11946e09bb85703d3e6e7f78d3f123f0e68f03759f005d118886478ad14aa9dfN.exe
2392	11946e09bb85703d3e6e7f78d3f123f0e68f03759f005d118886478ad14aa9dfN.exe
2600	EBRR.EXE
2928	mmtask.exe
2480	SVCHOST.EXE
2600	EBRR.EXE
2480	SVCHOST.EXE
2928	mmtask.exe
2928	mmtask.exe
2392	11946e09bb85703d3e6e7f78d3f123f0e68f03759f005d118886478ad14aa9dfN.exe
2876	SVCHOST.EXE
2480	SVCHOST.EXE
2480	SVCHOST.EXE
2600	EBRR.EXE
2600	EBRR.EXE
2600	EBRR.EXE
2876	SVCHOST.EXE
2876	SVCHOST.EXE
2392	11946e09bb85703d3e6e7f78d3f123f0e68f03759f005d118886478ad14aa9dfN.exe
2600	EBRR.EXE
2392	11946e09bb85703d3e6e7f78d3f123f0e68f03759f005d118886478ad14aa9dfN.exe
2876	SVCHOST.EXE
2600	EBRR.EXE
2928	mmtask.exe
2876	SVCHOST.EXE
2928	mmtask.exe
2480	SVCHOST.EXE
2480	SVCHOST.EXE
2392	11946e09bb85703d3e6e7f78d3f123f0e68f03759f005d118886478ad14aa9dfN.exe
2392	11946e09bb85703d3e6e7f78d3f123f0e68f03759f005d118886478ad14aa9dfN.exe
2600	EBRR.EXE
2600	EBRR.EXE
2480	SVCHOST.EXE

Modifies system executable filetype association 2 TTPs 5 IoCs

persistence

Modify Registry

T1112

Change Default File Association

T1546.001

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder"	mmtask.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder"	11946e09bb85703d3e6e7f78d3f123f0e68f03759f005d118886478ad14aa9dfN.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder"	SVCHOST.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder"	EBRR.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder"	SVCHOST.EXE

Drops file in System32 directory 20 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\EBRR.EXE	EBRR.EXE
File opened for modification	C:\Windows\SysWOW64\EBRR.EXE	EBRR.EXE
File created	C:\Windows\SysWOW64\mmtask.exe	SVCHOST.EXE
File opened for modification	C:\Windows\SysWOW64\mmtask.exe	SVCHOST.EXE
File opened for modification	C:\Windows\SysWOW64\EBRR.EXE	11946e09bb85703d3e6e7f78d3f123f0e68f03759f005d118886478ad14aa9dfN.exe
File opened for modification	C:\Windows\SysWOW64\EBRR.EXE	mmtask.exe
File created	C:\Windows\SysWOW64\mmtask.exe	mmtask.exe
File created	C:\Windows\SysWOW64\EBRR.EXE	SVCHOST.EXE
File opened for modification	C:\Windows\SysWOW64\mmtask.exe	EBRR.EXE
File opened for modification	C:\Windows\SysWOW64\mmtask.exe	SVCHOST.EXE
File created	C:\Windows\SysWOW64\EBRR.EXE	SVCHOST.EXE
File created	C:\Windows\SysWOW64\mmtask.exe	SVCHOST.EXE
File opened for modification	C:\Windows\SysWOW64\EBRR.EXE	SVCHOST.EXE
File opened for modification	C:\Windows\SysWOW64\EBRR.EXE	SVCHOST.EXE
File created	C:\Windows\SysWOW64\mmtask.exe	11946e09bb85703d3e6e7f78d3f123f0e68f03759f005d118886478ad14aa9dfN.exe
File opened for modification	C:\Windows\SysWOW64\mmtask.exe	11946e09bb85703d3e6e7f78d3f123f0e68f03759f005d118886478ad14aa9dfN.exe
File created	C:\Windows\SysWOW64\EBRR.EXE	11946e09bb85703d3e6e7f78d3f123f0e68f03759f005d118886478ad14aa9dfN.exe
File created	C:\Windows\SysWOW64\mmtask.exe	EBRR.EXE
File created	C:\Windows\SysWOW64\EBRR.EXE	mmtask.exe
File opened for modification	C:\Windows\SysWOW64\mmtask.exe	mmtask.exe

Drops file in Windows directory 20 IoCs

description	ioc	Process
File created	C:\Windows\system\SVCHOST.EXE	SVCHOST.EXE
File opened for modification	C:\Windows\system\SVCHOST.EXE	SVCHOST.EXE
File created	C:\Windows\system\SVCHOST.EXE	mmtask.exe
File created	C:\Windows\SVCHOST.EXE	EBRR.EXE
File opened for modification	C:\Windows\SVCHOST.EXE	EBRR.EXE
File created	C:\Windows\system\SVCHOST.EXE	11946e09bb85703d3e6e7f78d3f123f0e68f03759f005d118886478ad14aa9dfN.exe
File opened for modification	C:\Windows\SVCHOST.EXE	SVCHOST.EXE
File opened for modification	C:\Windows\SVCHOST.EXE	SVCHOST.EXE
File created	C:\Windows\system\SVCHOST.EXE	SVCHOST.EXE
File created	C:\Windows\system\SVCHOST.EXE	EBRR.EXE
File created	C:\Windows\SVCHOST.EXE	11946e09bb85703d3e6e7f78d3f123f0e68f03759f005d118886478ad14aa9dfN.exe
File created	C:\Windows\SVCHOST.EXE	SVCHOST.EXE
File opened for modification	C:\Windows\system\SVCHOST.EXE	EBRR.EXE
File opened for modification	C:\Windows\SVCHOST.EXE	11946e09bb85703d3e6e7f78d3f123f0e68f03759f005d118886478ad14aa9dfN.exe
File created	C:\Windows\SVCHOST.EXE	mmtask.exe
File opened for modification	C:\Windows\SVCHOST.EXE	mmtask.exe
File created	C:\Windows\SVCHOST.EXE	SVCHOST.EXE
File opened for modification	C:\Windows\system\SVCHOST.EXE	SVCHOST.EXE
File opened for modification	C:\Windows\system\SVCHOST.EXE	mmtask.exe
File opened for modification	C:\Windows\system\SVCHOST.EXE	11946e09bb85703d3e6e7f78d3f123f0e68f03759f005d118886478ad14aa9dfN.exe

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	SVCHOST.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	SVCHOST.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	EBRR.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mmtask.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mmtask.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	EBRR.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mmtask.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	EBRR.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	SVCHOST.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mmtask.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	SVCHOST.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	SVCHOST.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	SVCHOST.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mmtask.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	SVCHOST.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	SVCHOST.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	EBRR.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	EBRR.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mmtask.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	SVCHOST.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	EBRR.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	SVCHOST.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mmtask.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found

Modifies Internet Explorer settings 1 TTPs 2 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\Toolbar	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\Toolbar\Locked = "1"	explorer.exe

Modifies registry class 43 IoCs

description	ioc	Process
Set value (data)	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\0\0\0 = 4a0031000000000076591a73102054656d700000360008000400efbe4a59dc4476591a732a00000001020000000002000000000000000000000000000000540065006d007000000014000000	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\SniffedFolderType = "Generic"	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 00000000ffffffff	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\0\0 = 4c003100000000004a591d4610204c6f63616c00380008000400efbe4a59dc444a591d462a000000000200000000020000000000000000000000000000004c006f00630061006c00000014000000	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\0	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\0\0\MRUListEx = 00000000ffffffff	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\0\0\0\MRUListEx = 00000000ffffffff	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder"	mmtask.exe
Key created	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0 = 19002f433a5c000000000000000000000000000000000000000000	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\0 = 52003100000000004a59dc44122041707044617461003c0008000400efbe4a59dc444a59dc442a000000ed0100000000020000000000000000000000000000004100700070004400610074006100000016000000	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\MRUListEx = 00000000ffffffff	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder"	SVCHOST.EXE
Key created	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0 = 14001f50e04fd020ea3a6910a2d808002b30309d0000	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\0\0	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\0\MRUListEx = 00000000ffffffff	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\0\0\0	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\0\0\0\0 = c80031000000000076591a7316003131393436457e310000b00008000400efbe76591a7376591a732a0000005195010000000700000000000000000000000000000031003100390034003600650030003900620062003800350037003000330064003300650036006500370066003700380064003300660031003200330066003000650036003800660030003300370035003900660030003000350064003100310038003800380036003400370038006100640031003400610061003900640066004e00000018000000	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0 = 4c003100000000004a59e549100041646d696e00380008000400efbe4a59dc444a59e5492a00000033000000000003000000000000000000000000000000410064006d0069006e00000014000000	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\MRUListEx = 00000000ffffffff	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\KnownFolderDerivedFolderType = "{57807898-8C4F-4462-BB63-71042380B109}"	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder"	11946e09bb85703d3e6e7f78d3f123f0e68f03759f005d118886478ad14aa9dfN.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder"	EBRR.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\SniffedFolderType = "Pictures"	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000_Classes\Local Settings	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\0\0\0\0\NodeSlot = "1"	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\0\0\0\0\MRUListEx = ffffffff	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\MRUListEx = 00000000ffffffff	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0 = 74003100000000004a59dc441100557365727300600008000400efbeee3a851a4a59dc442a000000e601000000000100000000000000000036000000000055007300650072007300000040007300680065006c006c00330032002e0064006c006c002c002d0032003100380031003300000014000000	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\0\0\0\0	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\MRUListEx = 00000000ffffffff	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder"	SVCHOST.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2392	11946e09bb85703d3e6e7f78d3f123f0e68f03759f005d118886478ad14aa9dfN.exe
2392	11946e09bb85703d3e6e7f78d3f123f0e68f03759f005d118886478ad14aa9dfN.exe
2392	11946e09bb85703d3e6e7f78d3f123f0e68f03759f005d118886478ad14aa9dfN.exe
2392	11946e09bb85703d3e6e7f78d3f123f0e68f03759f005d118886478ad14aa9dfN.exe
2392	11946e09bb85703d3e6e7f78d3f123f0e68f03759f005d118886478ad14aa9dfN.exe
2392	11946e09bb85703d3e6e7f78d3f123f0e68f03759f005d118886478ad14aa9dfN.exe
2392	11946e09bb85703d3e6e7f78d3f123f0e68f03759f005d118886478ad14aa9dfN.exe
2392	11946e09bb85703d3e6e7f78d3f123f0e68f03759f005d118886478ad14aa9dfN.exe
2600	EBRR.EXE
2600	EBRR.EXE
2600	EBRR.EXE
2600	EBRR.EXE
2600	EBRR.EXE
2600	EBRR.EXE
2600	EBRR.EXE
2600	EBRR.EXE
2928	mmtask.exe
2928	mmtask.exe
2928	mmtask.exe
2928	mmtask.exe
2928	mmtask.exe
2928	mmtask.exe
2928	mmtask.exe
2928	mmtask.exe
2928	mmtask.exe
2928	mmtask.exe
2876	SVCHOST.EXE
2876	SVCHOST.EXE
2876	SVCHOST.EXE
2876	SVCHOST.EXE
2876	SVCHOST.EXE
2876	SVCHOST.EXE
2876	SVCHOST.EXE
2876	SVCHOST.EXE
2876	SVCHOST.EXE
2876	SVCHOST.EXE
2480	SVCHOST.EXE
2480	SVCHOST.EXE
2480	SVCHOST.EXE
2480	SVCHOST.EXE
2480	SVCHOST.EXE
2480	SVCHOST.EXE
2480	SVCHOST.EXE
2480	SVCHOST.EXE
2480	SVCHOST.EXE
2480	SVCHOST.EXE
2876	SVCHOST.EXE
2876	SVCHOST.EXE
2876	SVCHOST.EXE
2876	SVCHOST.EXE
2876	SVCHOST.EXE
2876	SVCHOST.EXE
2876	SVCHOST.EXE
2876	SVCHOST.EXE
2876	SVCHOST.EXE
2876	SVCHOST.EXE
2480	SVCHOST.EXE
2480	SVCHOST.EXE
2480	SVCHOST.EXE
2480	SVCHOST.EXE
2480	SVCHOST.EXE
2480	SVCHOST.EXE
2480	SVCHOST.EXE
2480	SVCHOST.EXE

Suspicious use of SetWindowsHookEx 64 IoCs

pid	Process
2392	11946e09bb85703d3e6e7f78d3f123f0e68f03759f005d118886478ad14aa9dfN.exe
2600	EBRR.EXE
484	EBRR.EXE
2928	mmtask.exe
780	EBRR.EXE
2884	mmtask.exe
2876	SVCHOST.EXE
2744	EBRR.EXE
2560	mmtask.exe
844	SVCHOST.EXE
2480	SVCHOST.EXE
1820	EBRR.EXE
2348	mmtask.exe
1968	SVCHOST.EXE
2968	SVCHOST.EXE
1636	SVCHOST.EXE
1028	EBRR.EXE
3008	SVCHOST.EXE
2492	SVCHOST.EXE
1928	EBRR.EXE
448	mmtask.exe
2544	mmtask.exe
1192	EBRR.EXE
2180	mmtask.exe
2224	EBRR.EXE
2012	SVCHOST.EXE
752	SVCHOST.EXE
1856	SVCHOST.EXE
872	SVCHOST.EXE
2168	SVCHOST.EXE
1252	SVCHOST.EXE
2376	mmtask.exe
1640	mmtask.exe
2232	SVCHOST.EXE
1788	SVCHOST.EXE
2400	SVCHOST.EXE
1804	SVCHOST.EXE
2584	EBRR.EXE
2948	EBRR.EXE
2060	mmtask.exe
1692	EBRR.EXE
320	EBRR.EXE
2144	EBRR.EXE
2788	SVCHOST.EXE
2196	mmtask.exe
2940	mmtask.exe
2816	mmtask.exe
2240	SVCHOST.EXE
2896	SVCHOST.EXE
2736	mmtask.exe
2680	SVCHOST.EXE
2872	SVCHOST.EXE
2696	SVCHOST.EXE
2704	SVCHOST.EXE
1248	SVCHOST.EXE
2924	SVCHOST.EXE
2712	SVCHOST.EXE
1044	EBRR.EXE
2668	EBRR.EXE
1244	EBRR.EXE
1256	EBRR.EXE
2568	mmtask.exe
1280	mmtask.exe
1772	SVCHOST.EXE

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2392 wrote to memory of 2384	2392	11946e09bb85703d3e6e7f78d3f123f0e68f03759f005d118886478ad14aa9dfN.exe	30
PID 2392 wrote to memory of 2384	2392	11946e09bb85703d3e6e7f78d3f123f0e68f03759f005d118886478ad14aa9dfN.exe	30
PID 2392 wrote to memory of 2384	2392	11946e09bb85703d3e6e7f78d3f123f0e68f03759f005d118886478ad14aa9dfN.exe	30
PID 2392 wrote to memory of 2384	2392	11946e09bb85703d3e6e7f78d3f123f0e68f03759f005d118886478ad14aa9dfN.exe	30
PID 2392 wrote to memory of 2600	2392	11946e09bb85703d3e6e7f78d3f123f0e68f03759f005d118886478ad14aa9dfN.exe	32
PID 2392 wrote to memory of 2600	2392	11946e09bb85703d3e6e7f78d3f123f0e68f03759f005d118886478ad14aa9dfN.exe	32
PID 2392 wrote to memory of 2600	2392	11946e09bb85703d3e6e7f78d3f123f0e68f03759f005d118886478ad14aa9dfN.exe	32
PID 2392 wrote to memory of 2600	2392	11946e09bb85703d3e6e7f78d3f123f0e68f03759f005d118886478ad14aa9dfN.exe	32
PID 2600 wrote to memory of 484	2600	EBRR.EXE	33
PID 2600 wrote to memory of 484	2600	EBRR.EXE	33
PID 2600 wrote to memory of 484	2600	EBRR.EXE	33
PID 2600 wrote to memory of 484	2600	EBRR.EXE	33
PID 2600 wrote to memory of 2928	2600	EBRR.EXE	34
PID 2600 wrote to memory of 2928	2600	EBRR.EXE	34
PID 2600 wrote to memory of 2928	2600	EBRR.EXE	34
PID 2600 wrote to memory of 2928	2600	EBRR.EXE	34
PID 2928 wrote to memory of 780	2928	mmtask.exe	35
PID 2928 wrote to memory of 780	2928	mmtask.exe	35
PID 2928 wrote to memory of 780	2928	mmtask.exe	35
PID 2928 wrote to memory of 780	2928	mmtask.exe	35
PID 2928 wrote to memory of 2884	2928	mmtask.exe	36
PID 2928 wrote to memory of 2884	2928	mmtask.exe	36
PID 2928 wrote to memory of 2884	2928	mmtask.exe	36
PID 2928 wrote to memory of 2884	2928	mmtask.exe	36
PID 2928 wrote to memory of 2876	2928	mmtask.exe	37
PID 2928 wrote to memory of 2876	2928	mmtask.exe	37
PID 2928 wrote to memory of 2876	2928	mmtask.exe	37
PID 2928 wrote to memory of 2876	2928	mmtask.exe	37
PID 2876 wrote to memory of 2744	2876	SVCHOST.EXE	38
PID 2876 wrote to memory of 2744	2876	SVCHOST.EXE	38
PID 2876 wrote to memory of 2744	2876	SVCHOST.EXE	38
PID 2876 wrote to memory of 2744	2876	SVCHOST.EXE	38
PID 2876 wrote to memory of 2560	2876	SVCHOST.EXE	39
PID 2876 wrote to memory of 2560	2876	SVCHOST.EXE	39
PID 2876 wrote to memory of 2560	2876	SVCHOST.EXE	39
PID 2876 wrote to memory of 2560	2876	SVCHOST.EXE	39
PID 2876 wrote to memory of 844	2876	SVCHOST.EXE	40
PID 2876 wrote to memory of 844	2876	SVCHOST.EXE	40
PID 2876 wrote to memory of 844	2876	SVCHOST.EXE	40
PID 2876 wrote to memory of 844	2876	SVCHOST.EXE	40
PID 2876 wrote to memory of 2480	2876	SVCHOST.EXE	42
PID 2876 wrote to memory of 2480	2876	SVCHOST.EXE	42
PID 2876 wrote to memory of 2480	2876	SVCHOST.EXE	42
PID 2876 wrote to memory of 2480	2876	SVCHOST.EXE	42
PID 2480 wrote to memory of 1820	2480	SVCHOST.EXE	43
PID 2480 wrote to memory of 1820	2480	SVCHOST.EXE	43
PID 2480 wrote to memory of 1820	2480	SVCHOST.EXE	43
PID 2480 wrote to memory of 1820	2480	SVCHOST.EXE	43
PID 2480 wrote to memory of 2348	2480	SVCHOST.EXE	44
PID 2480 wrote to memory of 2348	2480	SVCHOST.EXE	44
PID 2480 wrote to memory of 2348	2480	SVCHOST.EXE	44
PID 2480 wrote to memory of 2348	2480	SVCHOST.EXE	44
PID 2480 wrote to memory of 1968	2480	SVCHOST.EXE	45
PID 2480 wrote to memory of 1968	2480	SVCHOST.EXE	45
PID 2480 wrote to memory of 1968	2480	SVCHOST.EXE	45
PID 2480 wrote to memory of 1968	2480	SVCHOST.EXE	45
PID 2480 wrote to memory of 2968	2480	SVCHOST.EXE	235
PID 2480 wrote to memory of 2968	2480	SVCHOST.EXE	235
PID 2480 wrote to memory of 2968	2480	SVCHOST.EXE	235
PID 2480 wrote to memory of 2968	2480	SVCHOST.EXE	235
PID 2928 wrote to memory of 1636	2928	mmtask.exe	103
PID 2928 wrote to memory of 1636	2928	mmtask.exe	103
PID 2928 wrote to memory of 1636	2928	mmtask.exe	103
PID 2928 wrote to memory of 1636	2928	mmtask.exe	103

C:\Users\Admin\AppData\Local\Temp\11946e09bb85703d3e6e7f78d3f123f0e68f03759f005d118886478ad14aa9dfN.exe
"C:\Users\Admin\AppData\Local\Temp\11946e09bb85703d3e6e7f78d3f123f0e68f03759f005d118886478ad14aa9dfN.exe"
1⤵
- Modifies WinLogon for persistence
- Loads dropped DLL
- Modifies system executable filetype association
- Drops file in System32 directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2392
- C:\Windows\SysWOW64\explorer.exe
  explorer C:\Users\Admin\AppData\Local\Temp\11946e09bb85703d3e6e7f78d3f123f0e68f03759f005d118886478ad14aa9dfN\
  2⤵
  PID:2384
- C:\Windows\SysWOW64\EBRR.EXE
  C:\Windows\system32\EBRR.EXE -s
  2⤵
  - Modifies WinLogon for persistence
  - Executes dropped EXE
  - Loads dropped DLL
  - Modifies system executable filetype association
  - Drops file in System32 directory
  - Drops file in Windows directory
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2600
- - C:\Windows\SysWOW64\EBRR.EXE
    C:\Windows\system32\EBRR.EXE -s
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:484
- - C:\Windows\SysWOW64\mmtask.exe
    C:\Windows\system32\mmtask.exe -s
    3⤵
    - Modifies WinLogon for persistence
    - Executes dropped EXE
    - Loads dropped DLL
    - Modifies system executable filetype association
    - Drops file in System32 directory
    - Drops file in Windows directory
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2928
  - - C:\Windows\SysWOW64\EBRR.EXE
      C:\Windows\system32\EBRR.EXE -s
      4⤵
      Executes dropped EXE
      Suspicious use of SetWindowsHookEx
      PID:780
  - - C:\Windows\SysWOW64\mmtask.exe
      C:\Windows\system32\mmtask.exe -s
      4⤵
      Executes dropped EXE
      Suspicious use of SetWindowsHookEx
      PID:2884
  - - C:\Windows\SVCHOST.EXE
      C:\Windows\SVCHOST.EXE -s
      4⤵
      Modifies WinLogon for persistence
      Executes dropped EXE
      Loads dropped DLL
      Modifies system executable filetype association
      Drops file in System32 directory
      Drops file in Windows directory
      Modifies registry class
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:2876
    - - C:\Windows\SysWOW64\EBRR.EXE
        
        C:\Windows\system32\EBRR.EXE -s
        5⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2744
    - - C:\Windows\SysWOW64\mmtask.exe
        
        C:\Windows\system32\mmtask.exe -s
        5⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2560
    - - C:\Windows\SVCHOST.EXE
        
        C:\Windows\SVCHOST.EXE -s
        5⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:844
    - - C:\Windows\system\SVCHOST.EXE
        
        C:\Windows\system\SVCHOST.EXE -s
        5⤵
        Modifies WinLogon for persistence
        Executes dropped EXE
        Loads dropped DLL
        Modifies system executable filetype association
        Drops file in System32 directory
        Drops file in Windows directory
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:2480
      - C:\Windows\SysWOW64\EBRR.EXE
        
        C:\Windows\system32\EBRR.EXE -s
        6⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1820
      - C:\Windows\SysWOW64\mmtask.exe
        
        C:\Windows\system32\mmtask.exe -s
        6⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2348
      - C:\Windows\SVCHOST.EXE
        
        C:\Windows\SVCHOST.EXE -s
        6⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1968
      - C:\Windows\system\SVCHOST.EXE
        
        C:\Windows\system\SVCHOST.EXE -s
        6⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2968
      - C:\Windows\SysWOW64\EBRR.EXE
        
        C:\Windows\system32\EBRR.EXE -s
        6⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1192
      - C:\Windows\SysWOW64\mmtask.exe
        
        C:\Windows\system32\mmtask.exe -s
        6⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2376
      - C:\Windows\SVCHOST.EXE
        
        C:\Windows\SVCHOST.EXE -s
        6⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2232
      - C:\Windows\system\SVCHOST.EXE
        
        C:\Windows\system\SVCHOST.EXE -s
        6⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1804
      - C:\Windows\SysWOW64\EBRR.EXE
        
        C:\Windows\system32\EBRR.EXE -s
        6⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:320
      - C:\Windows\SysWOW64\mmtask.exe
        
        C:\Windows\system32\mmtask.exe -s
        6⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2940
      - C:\Windows\SVCHOST.EXE
        
        C:\Windows\SVCHOST.EXE -s
        6⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2680
      - C:\Windows\system\SVCHOST.EXE
        
        C:\Windows\system\SVCHOST.EXE -s
        6⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2696
      - C:\Windows\SysWOW64\EBRR.EXE
        
        C:\Windows\system32\EBRR.EXE -s
        6⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1044
      - C:\Windows\SysWOW64\mmtask.exe
        
        C:\Windows\system32\mmtask.exe -s
        6⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1280
      - C:\Windows\SVCHOST.EXE
        
        C:\Windows\SVCHOST.EXE -s
        6⤵
        
        PID:1092
      - C:\Windows\system\SVCHOST.EXE
        
        C:\Windows\system\SVCHOST.EXE -s
        6⤵
        
        PID:1496
      - C:\Windows\SysWOW64\EBRR.EXE
        
        C:\Windows\system32\EBRR.EXE -s
        6⤵
        
        PID:848
      - C:\Windows\SysWOW64\mmtask.exe
        
        C:\Windows\system32\mmtask.exe -s
        6⤵
        
        PID:872
      - C:\Windows\SVCHOST.EXE
        
        C:\Windows\SVCHOST.EXE -s
        6⤵
        
        PID:304
      - C:\Windows\system\SVCHOST.EXE
        
        C:\Windows\system\SVCHOST.EXE -s
        6⤵
        
        PID:1988
      - C:\Windows\SysWOW64\EBRR.EXE
        
        C:\Windows\system32\EBRR.EXE -s
        6⤵
        
        PID:2952
      - C:\Windows\SysWOW64\mmtask.exe
        
        C:\Windows\system32\mmtask.exe -s
        6⤵
        
        PID:3036
      - C:\Windows\SVCHOST.EXE
        
        C:\Windows\SVCHOST.EXE -s
        6⤵
        
        PID:2692
      - C:\Windows\system\SVCHOST.EXE
        
        C:\Windows\system\SVCHOST.EXE -s
        6⤵
        
        PID:2416
      - C:\Windows\SysWOW64\EBRR.EXE
        
        C:\Windows\system32\EBRR.EXE -s
        6⤵
        
        PID:3060
      - C:\Windows\SysWOW64\mmtask.exe
        
        C:\Windows\system32\mmtask.exe -s
        6⤵
        
        PID:2476
      - C:\Windows\SVCHOST.EXE
        
        C:\Windows\SVCHOST.EXE -s
        6⤵
        
        PID:1280
      - C:\Windows\system\SVCHOST.EXE
        
        C:\Windows\system\SVCHOST.EXE -s
        6⤵
        
        PID:2364
      - C:\Windows\SysWOW64\EBRR.EXE
        
        C:\Windows\system32\EBRR.EXE -s
        6⤵
        
        PID:2012
      - C:\Windows\SysWOW64\mmtask.exe
        
        C:\Windows\system32\mmtask.exe -s
        6⤵
        
        PID:2216
      - C:\Windows\SVCHOST.EXE
        
        C:\Windows\SVCHOST.EXE -s
        6⤵
        
        PID:2108
      - C:\Windows\system\SVCHOST.EXE
        
        C:\Windows\system\SVCHOST.EXE -s
        6⤵
        
        PID:760
      - C:\Windows\SysWOW64\EBRR.EXE
        
        C:\Windows\system32\EBRR.EXE -s
        6⤵
        
        PID:2124
      - C:\Windows\SysWOW64\mmtask.exe
        
        C:\Windows\system32\mmtask.exe -s
        6⤵
        
        PID:2900
      - C:\Windows\SVCHOST.EXE
        
        C:\Windows\SVCHOST.EXE -s
        6⤵
        
        PID:2684
      - C:\Windows\system\SVCHOST.EXE
        
        C:\Windows\system\SVCHOST.EXE -s
        6⤵
        
        PID:1036
      - C:\Windows\SysWOW64\EBRR.EXE
        
        C:\Windows\system32\EBRR.EXE -s
        6⤵
        
        PID:300
      - C:\Windows\SysWOW64\mmtask.exe
        
        C:\Windows\system32\mmtask.exe -s
        6⤵
        
        PID:828
      - C:\Windows\SVCHOST.EXE
        
        C:\Windows\SVCHOST.EXE -s
        6⤵
        
        PID:1708
      - C:\Windows\system\SVCHOST.EXE
        
        C:\Windows\system\SVCHOST.EXE -s
        6⤵
        
        PID:1716
      - C:\Windows\SysWOW64\EBRR.EXE
        
        C:\Windows\system32\EBRR.EXE -s
        6⤵
        
        PID:2968
      - C:\Windows\SysWOW64\mmtask.exe
        
        C:\Windows\system32\mmtask.exe -s
        6⤵
        
        PID:2444
      - C:\Windows\SVCHOST.EXE
        
        C:\Windows\SVCHOST.EXE -s
        6⤵
        
        PID:2256
      - C:\Windows\system\SVCHOST.EXE
        
        C:\Windows\system\SVCHOST.EXE -s
        6⤵
        
        PID:1952
      - C:\Windows\SysWOW64\EBRR.EXE
        
        C:\Windows\system32\EBRR.EXE -s
        6⤵
        
        PID:2944
      - C:\Windows\SysWOW64\mmtask.exe
        
        C:\Windows\system32\mmtask.exe -s
        6⤵
        
        PID:2892
      - C:\Windows\SVCHOST.EXE
        
        C:\Windows\SVCHOST.EXE -s
        6⤵
        
        PID:2816
      - C:\Windows\system\SVCHOST.EXE
        
        C:\Windows\system\SVCHOST.EXE -s
        6⤵
        
        PID:2508
      - C:\Windows\SysWOW64\EBRR.EXE
        
        C:\Windows\system32\EBRR.EXE -s
        6⤵
        
        PID:2384
      - C:\Windows\SysWOW64\mmtask.exe
        
        C:\Windows\system32\mmtask.exe -s
        6⤵
        
        PID:624
      - C:\Windows\SVCHOST.EXE
        
        C:\Windows\SVCHOST.EXE -s
        6⤵
        
        PID:2976
      - C:\Windows\system\SVCHOST.EXE
        
        C:\Windows\system\SVCHOST.EXE -s
        6⤵
        
        PID:1304
      - C:\Windows\SysWOW64\EBRR.EXE
        
        C:\Windows\system32\EBRR.EXE -s
        6⤵
        
        PID:2880
      - C:\Windows\SysWOW64\mmtask.exe
        
        C:\Windows\system32\mmtask.exe -s
        6⤵
        
        PID:2140
      - C:\Windows\SVCHOST.EXE
        
        C:\Windows\SVCHOST.EXE -s
        6⤵
        
        PID:1340
      - C:\Windows\system\SVCHOST.EXE
        
        C:\Windows\system\SVCHOST.EXE -s
        6⤵
        
        PID:2164
      - C:\Windows\SysWOW64\EBRR.EXE
        
        C:\Windows\system32\EBRR.EXE -s
        6⤵
        
        PID:304
      - C:\Windows\SysWOW64\mmtask.exe
        
        C:\Windows\system32\mmtask.exe -s
        6⤵
        
        PID:2520
      - C:\Windows\SVCHOST.EXE
        
        C:\Windows\SVCHOST.EXE -s
        6⤵
        
        PID:1048
      - C:\Windows\system\SVCHOST.EXE
        
        C:\Windows\system\SVCHOST.EXE -s
        6⤵
        
        PID:2920
      - C:\Windows\SysWOW64\EBRR.EXE
        
        C:\Windows\system32\EBRR.EXE -s
        6⤵
        
        PID:2888
      - C:\Windows\SysWOW64\mmtask.exe
        
        C:\Windows\system32\mmtask.exe -s
        6⤵
        
        PID:1980
      - C:\Windows\SVCHOST.EXE
        
        C:\Windows\SVCHOST.EXE -s
        6⤵
        
        PID:2992
      - C:\Windows\system\SVCHOST.EXE
        
        C:\Windows\system\SVCHOST.EXE -s
        6⤵
        
        PID:2612
      - C:\Windows\SysWOW64\EBRR.EXE
        
        C:\Windows\system32\EBRR.EXE -s
        6⤵
        
        PID:2772
      - C:\Windows\SysWOW64\mmtask.exe
        
        C:\Windows\system32\mmtask.exe -s
        6⤵
        
        PID:1640
      - C:\Windows\SVCHOST.EXE
        
        C:\Windows\SVCHOST.EXE -s
        6⤵
        
        PID:1140
      - C:\Windows\system\SVCHOST.EXE
        
        C:\Windows\system\SVCHOST.EXE -s
        6⤵
        
        PID:1536
      - C:\Windows\SysWOW64\EBRR.EXE
        
        C:\Windows\system32\EBRR.EXE -s
        6⤵
        
        PID:2080
      - C:\Windows\SysWOW64\mmtask.exe
        
        C:\Windows\system32\mmtask.exe -s
        6⤵
        
        PID:2256
      - C:\Windows\SVCHOST.EXE
        
        C:\Windows\SVCHOST.EXE -s
        6⤵
        
        PID:868
      - C:\Windows\system\SVCHOST.EXE
        
        C:\Windows\system\SVCHOST.EXE -s
        6⤵
        
        PID:2724
      - C:\Windows\SysWOW64\EBRR.EXE
        
        C:\Windows\system32\EBRR.EXE -s
        6⤵
        
        PID:2792
      - C:\Windows\SysWOW64\mmtask.exe
        
        C:\Windows\system32\mmtask.exe -s
        6⤵
        
        PID:2296
      - C:\Windows\SVCHOST.EXE
        
        C:\Windows\SVCHOST.EXE -s
        6⤵
        
        PID:2676
      - C:\Windows\system\SVCHOST.EXE
        
        C:\Windows\system\SVCHOST.EXE -s
        6⤵
        
        PID:2900
      - C:\Windows\SysWOW64\EBRR.EXE
        
        C:\Windows\system32\EBRR.EXE -s
        6⤵
        
        PID:2736
      - C:\Windows\SysWOW64\mmtask.exe
        
        C:\Windows\system32\mmtask.exe -s
        6⤵
        
        PID:3008
      - C:\Windows\SVCHOST.EXE
        
        C:\Windows\SVCHOST.EXE -s
        6⤵
        
        PID:2488
      - C:\Windows\system\SVCHOST.EXE
        
        C:\Windows\system\SVCHOST.EXE -s
        6⤵
        
        PID:3068
      - C:\Windows\SysWOW64\EBRR.EXE
        
        C:\Windows\system32\EBRR.EXE -s
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:1716
      - C:\Windows\SysWOW64\mmtask.exe
        
        C:\Windows\system32\mmtask.exe -s
        6⤵
        
        PID:1496
      - C:\Windows\SVCHOST.EXE
        
        C:\Windows\SVCHOST.EXE -s
        6⤵
        
        PID:2968
      - C:\Windows\system\SVCHOST.EXE
        
        C:\Windows\system\SVCHOST.EXE -s
        6⤵
        
        PID:1672
      - C:\Windows\SysWOW64\EBRR.EXE
        
        C:\Windows\system32\EBRR.EXE -s
        6⤵
        
        PID:536
      - C:\Windows\SysWOW64\mmtask.exe
        
        C:\Windows\system32\mmtask.exe -s
        6⤵
        
        PID:1588
      - C:\Windows\SVCHOST.EXE
        
        C:\Windows\SVCHOST.EXE -s
        6⤵
        
        PID:2060
      - C:\Windows\system\SVCHOST.EXE
        
        C:\Windows\system\SVCHOST.EXE -s
        6⤵
        
        PID:2908
      - C:\Windows\SysWOW64\EBRR.EXE
        
        C:\Windows\system32\EBRR.EXE -s
        6⤵
        
        PID:2416
      - C:\Windows\SysWOW64\mmtask.exe
        
        C:\Windows\system32\mmtask.exe -s
        6⤵
        
        PID:2892
      - C:\Windows\SVCHOST.EXE
        
        C:\Windows\SVCHOST.EXE -s
        6⤵
        
        PID:2696
      - C:\Windows\system\SVCHOST.EXE
        
        C:\Windows\system\SVCHOST.EXE -s
        6⤵
        
        PID:2700
      - C:\Windows\SysWOW64\EBRR.EXE
        
        C:\Windows\system32\EBRR.EXE -s
        6⤵
        
        PID:2952
      - C:\Windows\SysWOW64\mmtask.exe
        
        C:\Windows\system32\mmtask.exe -s
        6⤵
        
        PID:1664
      - C:\Windows\SVCHOST.EXE
        
        C:\Windows\SVCHOST.EXE -s
        6⤵
        
        PID:1044
      - C:\Windows\system\SVCHOST.EXE
        
        C:\Windows\system\SVCHOST.EXE -s
        6⤵
        
        PID:2976
      - C:\Windows\SysWOW64\EBRR.EXE
        
        C:\Windows\system32\EBRR.EXE -s
        6⤵
        
        PID:2992
      - C:\Windows\SysWOW64\mmtask.exe
        
        C:\Windows\system32\mmtask.exe -s
        6⤵
        
        PID:3048
      - C:\Windows\SVCHOST.EXE
        
        C:\Windows\SVCHOST.EXE -s
        6⤵
        
        PID:1152
      - C:\Windows\system\SVCHOST.EXE
        
        C:\Windows\system\SVCHOST.EXE -s
        6⤵
        
        PID:2956
      - C:\Windows\SysWOW64\EBRR.EXE
        
        C:\Windows\system32\EBRR.EXE -s
        6⤵
        
        PID:976
      - C:\Windows\SysWOW64\mmtask.exe
        
        C:\Windows\system32\mmtask.exe -s
        6⤵
        
        PID:1672
      - C:\Windows\SVCHOST.EXE
        
        C:\Windows\SVCHOST.EXE -s
        6⤵
        
        PID:2164
      - C:\Windows\system\SVCHOST.EXE
        
        C:\Windows\system\SVCHOST.EXE -s
        6⤵
        
        PID:1804
      - C:\Windows\SysWOW64\EBRR.EXE
        
        C:\Windows\system32\EBRR.EXE -s
        6⤵
        
        PID:1268
      - C:\Windows\SysWOW64\mmtask.exe
        
        C:\Windows\system32\mmtask.exe -s
        6⤵
        
        PID:2892
      - C:\Windows\SVCHOST.EXE
        
        C:\Windows\SVCHOST.EXE -s
        6⤵
        
        PID:2696
      - C:\Windows\system\SVCHOST.EXE
        
        C:\Windows\system\SVCHOST.EXE -s
        6⤵
        
        PID:2676
      - C:\Windows\SysWOW64\EBRR.EXE
        
        C:\Windows\system32\EBRR.EXE -s
        6⤵
        
        PID:1820
      - C:\Windows\SysWOW64\mmtask.exe
        
        C:\Windows\system32\mmtask.exe -s
        6⤵
        
        PID:1760
      - C:\Windows\SVCHOST.EXE
        
        C:\Windows\SVCHOST.EXE -s
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:1440
      - C:\Windows\system\SVCHOST.EXE
        
        C:\Windows\system\SVCHOST.EXE -s
        6⤵
        
        PID:1320
      - C:\Windows\SysWOW64\EBRR.EXE
        
        C:\Windows\system32\EBRR.EXE -s
        6⤵
        
        PID:2040
      - C:\Windows\SysWOW64\mmtask.exe
        
        C:\Windows\system32\mmtask.exe -s
        6⤵
        
        PID:1984
      - C:\Windows\SVCHOST.EXE
        
        C:\Windows\SVCHOST.EXE -s
        6⤵
        
        PID:3016
      - C:\Windows\system\SVCHOST.EXE
        
        C:\Windows\system\SVCHOST.EXE -s
        6⤵
        
        PID:1804
      - C:\Windows\SysWOW64\EBRR.EXE
        
        C:\Windows\system32\EBRR.EXE -s
        6⤵
        
        PID:1776
      - C:\Windows\SysWOW64\mmtask.exe
        
        C:\Windows\system32\mmtask.exe -s
        6⤵
        
        PID:2636
      - C:\Windows\SVCHOST.EXE
        
        C:\Windows\SVCHOST.EXE -s
        6⤵
        
        PID:2788
      - C:\Windows\system\SVCHOST.EXE
        
        C:\Windows\system\SVCHOST.EXE -s
        6⤵
        
        PID:304
      - C:\Windows\SysWOW64\EBRR.EXE
        
        C:\Windows\system32\EBRR.EXE -s
        6⤵
        
        PID:2924
      - C:\Windows\SysWOW64\mmtask.exe
        
        C:\Windows\system32\mmtask.exe -s
        6⤵
        
        PID:1504
      - C:\Windows\SVCHOST.EXE
        
        C:\Windows\SVCHOST.EXE -s
        6⤵
        
        PID:1772
      - C:\Windows\system\SVCHOST.EXE
        
        C:\Windows\system\SVCHOST.EXE -s
        6⤵
        
        PID:2120
      - C:\Windows\SysWOW64\EBRR.EXE
        
        C:\Windows\system32\EBRR.EXE -s
        6⤵
        
        PID:2512
      - C:\Windows\SysWOW64\mmtask.exe
        
        C:\Windows\system32\mmtask.exe -s
        6⤵
        
        PID:2072
      - C:\Windows\SVCHOST.EXE
        
        C:\Windows\SVCHOST.EXE -s
        6⤵
        
        PID:576
      - C:\Windows\system\SVCHOST.EXE
        
        C:\Windows\system\SVCHOST.EXE -s
        6⤵
        
        PID:1152
      - C:\Windows\SysWOW64\EBRR.EXE
        
        C:\Windows\system32\EBRR.EXE -s
        6⤵
        
        PID:976
      - C:\Windows\SysWOW64\mmtask.exe
        
        C:\Windows\system32\mmtask.exe -s
        6⤵
        
        PID:1496
      - C:\Windows\SVCHOST.EXE
        
        C:\Windows\SVCHOST.EXE -s
        6⤵
        
        PID:2216
      - C:\Windows\system\SVCHOST.EXE
        
        C:\Windows\system\SVCHOST.EXE -s
        6⤵
        
        PID:1340
      - C:\Windows\SysWOW64\EBRR.EXE
        
        C:\Windows\system32\EBRR.EXE -s
        6⤵
        
        PID:2196
      - C:\Windows\SysWOW64\mmtask.exe
        
        C:\Windows\system32\mmtask.exe -s
        6⤵
        
        PID:2108
      - C:\Windows\SVCHOST.EXE
        
        C:\Windows\SVCHOST.EXE -s
        6⤵
        
        PID:760
      - C:\Windows\system\SVCHOST.EXE
        
        C:\Windows\system\SVCHOST.EXE -s
        6⤵
        
        PID:1268
      - C:\Windows\SysWOW64\EBRR.EXE
        
        C:\Windows\system32\EBRR.EXE -s
        6⤵
        
        PID:304
      - C:\Windows\SysWOW64\mmtask.exe
        
        C:\Windows\system32\mmtask.exe -s
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:1784
      - C:\Windows\SVCHOST.EXE
        
        C:\Windows\SVCHOST.EXE -s
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:2688
      - C:\Windows\system\SVCHOST.EXE
        
        C:\Windows\system\SVCHOST.EXE -s
        6⤵
        
        PID:2696
      - C:\Windows\SysWOW64\EBRR.EXE
        
        C:\Windows\system32\EBRR.EXE -s
        6⤵
        
        PID:2068
      - C:\Windows\SysWOW64\mmtask.exe
        
        C:\Windows\system32\mmtask.exe -s
        6⤵
        
        PID:2980
      - C:\Windows\SVCHOST.EXE
        
        C:\Windows\SVCHOST.EXE -s
        6⤵
        
        PID:660
      - C:\Windows\system\SVCHOST.EXE
        
        C:\Windows\system\SVCHOST.EXE -s
        6⤵
        
        PID:2132
      - C:\Windows\SysWOW64\EBRR.EXE
        
        C:\Windows\system32\EBRR.EXE -s
        6⤵
        
        PID:1508
      - C:\Windows\SysWOW64\mmtask.exe
        
        C:\Windows\system32\mmtask.exe -s
        6⤵
        
        PID:268
      - C:\Windows\SVCHOST.EXE
        
        C:\Windows\SVCHOST.EXE -s
        6⤵
        
        PID:604
      - C:\Windows\system\SVCHOST.EXE
        
        C:\Windows\system\SVCHOST.EXE -s
        6⤵
        
        PID:2088
      - C:\Windows\SysWOW64\EBRR.EXE
        
        C:\Windows\system32\EBRR.EXE -s
        6⤵
        
        PID:2192
      - C:\Windows\SysWOW64\mmtask.exe
        
        C:\Windows\system32\mmtask.exe -s
        6⤵
        
        PID:2796
      - C:\Windows\SVCHOST.EXE
        
        C:\Windows\SVCHOST.EXE -s
        6⤵
        
        PID:1676
      - C:\Windows\system\SVCHOST.EXE
        
        C:\Windows\system\SVCHOST.EXE -s
        6⤵
        
        PID:2984
      - C:\Windows\SysWOW64\EBRR.EXE
        
        C:\Windows\system32\EBRR.EXE -s
        6⤵
        
        PID:272
      - C:\Windows\SysWOW64\mmtask.exe
        
        C:\Windows\system32\mmtask.exe -s
        6⤵
        
        PID:2732
      - C:\Windows\SVCHOST.EXE
        
        C:\Windows\SVCHOST.EXE -s
        6⤵
        
        PID:2932
      - C:\Windows\system\SVCHOST.EXE
        
        C:\Windows\system\SVCHOST.EXE -s
        6⤵
        
        PID:2792
      - C:\Windows\SysWOW64\EBRR.EXE
        
        C:\Windows\system32\EBRR.EXE -s
        6⤵
        
        PID:2144
      - C:\Windows\SysWOW64\mmtask.exe
        
        C:\Windows\system32\mmtask.exe -s
        6⤵
        
        PID:1820
      - C:\Windows\SVCHOST.EXE
        
        C:\Windows\SVCHOST.EXE -s
        6⤵
        
        PID:1304
      - C:\Windows\system\SVCHOST.EXE
        
        C:\Windows\system\SVCHOST.EXE -s
        6⤵
        
        PID:3008
      - C:\Windows\SysWOW64\EBRR.EXE
        
        C:\Windows\system32\EBRR.EXE -s
        6⤵
        
        PID:3064
      - C:\Windows\SysWOW64\mmtask.exe
        
        C:\Windows\system32\mmtask.exe -s
        6⤵
        
        PID:2956
      - C:\Windows\SVCHOST.EXE
        
        C:\Windows\SVCHOST.EXE -s
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:976
      - C:\Windows\system\SVCHOST.EXE
        
        C:\Windows\system\SVCHOST.EXE -s
        6⤵
        
        PID:1576
      - C:\Windows\SysWOW64\EBRR.EXE
        
        C:\Windows\system32\EBRR.EXE -s
        6⤵
        
        PID:2412
      - C:\Windows\SysWOW64\mmtask.exe
        
        C:\Windows\system32\mmtask.exe -s
        6⤵
        
        PID:1916
      - C:\Windows\SVCHOST.EXE
        
        C:\Windows\SVCHOST.EXE -s
        6⤵
        
        PID:2444
      - C:\Windows\system\SVCHOST.EXE
        
        C:\Windows\system\SVCHOST.EXE -s
        6⤵
        
        PID:1600
      - C:\Windows\SysWOW64\EBRR.EXE
        
        C:\Windows\system32\EBRR.EXE -s
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:2832
      - C:\Windows\SysWOW64\mmtask.exe
        
        C:\Windows\system32\mmtask.exe -s
        6⤵
        
        PID:1060
      - C:\Windows\SVCHOST.EXE
        
        C:\Windows\SVCHOST.EXE -s
        6⤵
        
        PID:2508
      - C:\Windows\system\SVCHOST.EXE
        
        C:\Windows\system\SVCHOST.EXE -s
        6⤵
        
        PID:2828
      - C:\Windows\SysWOW64\EBRR.EXE
        
        C:\Windows\system32\EBRR.EXE -s
        6⤵
        
        PID:2840
      - C:\Windows\SysWOW64\mmtask.exe
        
        C:\Windows\system32\mmtask.exe -s
        6⤵
        
        PID:2996
      - C:\Windows\SVCHOST.EXE
        
        C:\Windows\SVCHOST.EXE -s
        6⤵
        
        PID:2212
      - C:\Windows\system\SVCHOST.EXE
        
        C:\Windows\system\SVCHOST.EXE -s
        6⤵
        
        PID:2068
      - C:\Windows\SysWOW64\EBRR.EXE
        
        C:\Windows\system32\EBRR.EXE -s
        6⤵
        
        PID:2872
      - C:\Windows\SysWOW64\mmtask.exe
        
        C:\Windows\system32\mmtask.exe -s
        6⤵
        
        PID:2568
      - C:\Windows\SVCHOST.EXE
        
        C:\Windows\SVCHOST.EXE -s
        6⤵
        
        PID:2712
      - C:\Windows\system\SVCHOST.EXE
        
        C:\Windows\system\SVCHOST.EXE -s
        6⤵
        
        PID:2536
      - C:\Windows\SysWOW64\EBRR.EXE
        
        C:\Windows\system32\EBRR.EXE -s
        6⤵
        
        PID:876
      - C:\Windows\SysWOW64\mmtask.exe
        
        C:\Windows\system32\mmtask.exe -s
        6⤵
        
        PID:1700
      - C:\Windows\SVCHOST.EXE
        
        C:\Windows\SVCHOST.EXE -s
        6⤵
        
        PID:2880
      - C:\Windows\system\SVCHOST.EXE
        
        C:\Windows\system\SVCHOST.EXE -s
        6⤵
        
        PID:2140
      - C:\Windows\SysWOW64\EBRR.EXE
        
        C:\Windows\system32\EBRR.EXE -s
        6⤵
        
        PID:2204
      - C:\Windows\SysWOW64\mmtask.exe
        
        C:\Windows\system32\mmtask.exe -s
        6⤵
        
        PID:1340
      - C:\Windows\SVCHOST.EXE
        
        C:\Windows\SVCHOST.EXE -s
        6⤵
        
        PID:1552
      - C:\Windows\system\SVCHOST.EXE
        
        C:\Windows\system\SVCHOST.EXE -s
        6⤵
        
        PID:1964
      - C:\Windows\SysWOW64\EBRR.EXE
        
        C:\Windows\system32\EBRR.EXE -s
        6⤵
        
        PID:760
      - C:\Windows\SysWOW64\mmtask.exe
        
        C:\Windows\system32\mmtask.exe -s
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:1252
      - C:\Windows\SVCHOST.EXE
        
        C:\Windows\SVCHOST.EXE -s
        6⤵
        
        PID:888
      - C:\Windows\system\SVCHOST.EXE
        
        C:\Windows\system\SVCHOST.EXE -s
        6⤵
        
        PID:2892
      - C:\Windows\SysWOW64\EBRR.EXE
        
        C:\Windows\system32\EBRR.EXE -s
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:2696
      - C:\Windows\SysWOW64\mmtask.exe
        
        C:\Windows\system32\mmtask.exe -s
        6⤵
        
        PID:2972
      - C:\Windows\SVCHOST.EXE
        
        C:\Windows\SVCHOST.EXE -s
        6⤵
        
        PID:1688
      - C:\Windows\system\SVCHOST.EXE
        
        C:\Windows\system\SVCHOST.EXE -s
        6⤵
        
        PID:3000
      - C:\Windows\SysWOW64\EBRR.EXE
        
        C:\Windows\system32\EBRR.EXE -s
        6⤵
        
        PID:2532
      - C:\Windows\SysWOW64\mmtask.exe
        
        C:\Windows\system32\mmtask.exe -s
        6⤵
        
        PID:2484
      - C:\Windows\SVCHOST.EXE
        
        C:\Windows\SVCHOST.EXE -s
        6⤵
        
        PID:448
      - C:\Windows\system\SVCHOST.EXE
        
        C:\Windows\system\SVCHOST.EXE -s
        6⤵
        
        PID:2128
      - C:\Windows\SysWOW64\EBRR.EXE
        
        C:\Windows\system32\EBRR.EXE -s
        6⤵
        
        PID:2412
      - C:\Windows\SysWOW64\mmtask.exe
        
        C:\Windows\system32\mmtask.exe -s
        6⤵
        
        PID:2796
      - C:\Windows\SVCHOST.EXE
        
        C:\Windows\SVCHOST.EXE -s
        6⤵
        
        PID:2948
      - C:\Windows\system\SVCHOST.EXE
        
        C:\Windows\system\SVCHOST.EXE -s
        6⤵
        
        PID:484
      - C:\Windows\SysWOW64\EBRR.EXE
        
        C:\Windows\system32\EBRR.EXE -s
        6⤵
        
        PID:1252
      - C:\Windows\SysWOW64\mmtask.exe
        
        C:\Windows\system32\mmtask.exe -s
        6⤵
        
        PID:2076
    - - C:\Windows\SysWOW64\EBRR.EXE
        
        C:\Windows\system32\EBRR.EXE -s
        5⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1028
    - - C:\Windows\SysWOW64\mmtask.exe
        
        C:\Windows\system32\mmtask.exe -s
        5⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2180
    - - C:\Windows\SVCHOST.EXE
        
        C:\Windows\SVCHOST.EXE -s
        5⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:872
    - - C:\Windows\system\SVCHOST.EXE
        
        C:\Windows\system\SVCHOST.EXE -s
        5⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2168
    - - C:\Windows\SysWOW64\EBRR.EXE
        
        C:\Windows\system32\EBRR.EXE -s
        5⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2584
    - - C:\Windows\SysWOW64\mmtask.exe
        
        C:\Windows\system32\mmtask.exe -s
        5⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2060
    - - C:\Windows\SVCHOST.EXE
        
        C:\Windows\SVCHOST.EXE -s
        5⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2788
    - - C:\Windows\system\SVCHOST.EXE
        
        C:\Windows\system\SVCHOST.EXE -s
        5⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2240
    - - C:\Windows\SysWOW64\EBRR.EXE
        
        C:\Windows\system32\EBRR.EXE -s
        5⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2668
    - - C:\Windows\SysWOW64\mmtask.exe
        
        C:\Windows\system32\mmtask.exe -s
        5⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2568
    - - C:\Windows\SVCHOST.EXE
        
        C:\Windows\SVCHOST.EXE -s
        5⤵
        Suspicious use of SetWindowsHookEx
        
        PID:1772
    - - C:\Windows\system\SVCHOST.EXE
        
        C:\Windows\system\SVCHOST.EXE -s
        5⤵
        
        PID:2968
    - - C:\Windows\SysWOW64\EBRR.EXE
        
        C:\Windows\system32\EBRR.EXE -s
        5⤵
        
        PID:1800
    - - C:\Windows\SysWOW64\mmtask.exe
        
        C:\Windows\system32\mmtask.exe -s
        5⤵
        
        PID:2864
    - - C:\Windows\SVCHOST.EXE
        
        C:\Windows\SVCHOST.EXE -s
        5⤵
        
        PID:1288
    - - C:\Windows\system\SVCHOST.EXE
        
        C:\Windows\system\SVCHOST.EXE -s
        5⤵
        
        PID:1776
    - - C:\Windows\SysWOW64\EBRR.EXE
        
        C:\Windows\system32\EBRR.EXE -s
        5⤵
        
        PID:1724
    - - C:\Windows\SysWOW64\mmtask.exe
        
        C:\Windows\system32\mmtask.exe -s
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:1740
    - - C:\Windows\SVCHOST.EXE
        
        C:\Windows\SVCHOST.EXE -s
        5⤵
        
        PID:548
    - - C:\Windows\system\SVCHOST.EXE
        
        C:\Windows\system\SVCHOST.EXE -s
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:2888
    - - C:\Windows\SysWOW64\EBRR.EXE
        
        C:\Windows\system32\EBRR.EXE -s
        5⤵
        
        PID:2752
    - - C:\Windows\SysWOW64\mmtask.exe
        
        C:\Windows\system32\mmtask.exe -s
        5⤵
        
        PID:2040
    - - C:\Windows\SVCHOST.EXE
        
        C:\Windows\SVCHOST.EXE -s
        5⤵
        
        PID:1360
    - - C:\Windows\system\SVCHOST.EXE
        
        C:\Windows\system\SVCHOST.EXE -s
        5⤵
        
        PID:1092
    - - C:\Windows\SysWOW64\EBRR.EXE
        
        C:\Windows\system32\EBRR.EXE -s
        5⤵
        
        PID:268
    - - C:\Windows\SysWOW64\mmtask.exe
        
        C:\Windows\system32\mmtask.exe -s
        5⤵
        
        PID:1000
    - - C:\Windows\SVCHOST.EXE
        
        C:\Windows\SVCHOST.EXE -s
        5⤵
        
        PID:2236
    - - C:\Windows\system\SVCHOST.EXE
        
        C:\Windows\system\SVCHOST.EXE -s
        5⤵
        
        PID:272
    - - C:\Windows\SysWOW64\EBRR.EXE
        
        C:\Windows\system32\EBRR.EXE -s
        5⤵
        
        PID:1580
    - - C:\Windows\SysWOW64\mmtask.exe
        
        C:\Windows\system32\mmtask.exe -s
        5⤵
        
        PID:2840
    - - C:\Windows\SVCHOST.EXE
        
        C:\Windows\SVCHOST.EXE -s
        5⤵
        
        PID:2716
    - - C:\Windows\system\SVCHOST.EXE
        
        C:\Windows\system\SVCHOST.EXE -s
        5⤵
        
        PID:2176
    - - C:\Windows\SysWOW64\EBRR.EXE
        
        C:\Windows\system32\EBRR.EXE -s
        5⤵
        
        PID:1744
    - - C:\Windows\SysWOW64\mmtask.exe
        
        C:\Windows\system32\mmtask.exe -s
        5⤵
        
        PID:2756
    - - C:\Windows\SVCHOST.EXE
        
        C:\Windows\SVCHOST.EXE -s
        5⤵
        
        PID:2068
    - - C:\Windows\system\SVCHOST.EXE
        
        C:\Windows\system\SVCHOST.EXE -s
        5⤵
        
        PID:2072
    - - C:\Windows\SysWOW64\EBRR.EXE
        
        C:\Windows\system32\EBRR.EXE -s
        5⤵
        
        PID:340
    - - C:\Windows\SysWOW64\mmtask.exe
        
        C:\Windows\system32\mmtask.exe -s
        5⤵
        
        PID:1508
    - - C:\Windows\SVCHOST.EXE
        
        C:\Windows\SVCHOST.EXE -s
        5⤵
        
        PID:1800
    - - C:\Windows\system\SVCHOST.EXE
        
        C:\Windows\system\SVCHOST.EXE -s
        5⤵
        
        PID:876
    - - C:\Windows\SysWOW64\EBRR.EXE
        
        C:\Windows\system32\EBRR.EXE -s
        5⤵
        
        PID:1588
    - - C:\Windows\SysWOW64\mmtask.exe
        
        C:\Windows\system32\mmtask.exe -s
        5⤵
        
        PID:2776
    - - C:\Windows\SVCHOST.EXE
        
        C:\Windows\SVCHOST.EXE -s
        5⤵
        
        PID:2404
    - - C:\Windows\system\SVCHOST.EXE
        
        C:\Windows\system\SVCHOST.EXE -s
        5⤵
        
        PID:3036
    - - C:\Windows\SysWOW64\EBRR.EXE
        
        C:\Windows\system32\EBRR.EXE -s
        5⤵
        
        PID:2680
    - - C:\Windows\SysWOW64\mmtask.exe
        
        C:\Windows\system32\mmtask.exe -s
        5⤵
        
        PID:2712
    - - C:\Windows\SVCHOST.EXE
        
        C:\Windows\SVCHOST.EXE -s
        5⤵
        
        PID:2076
    - - C:\Windows\system\SVCHOST.EXE
        
        C:\Windows\system\SVCHOST.EXE -s
        5⤵
        
        PID:1760
    - - C:\Windows\SysWOW64\EBRR.EXE
        
        C:\Windows\system32\EBRR.EXE -s
        5⤵
        
        PID:2476
    - - C:\Windows\SysWOW64\mmtask.exe
        
        C:\Windows\system32\mmtask.exe -s
        5⤵
        
        PID:2364
    - - C:\Windows\SVCHOST.EXE
        
        C:\Windows\SVCHOST.EXE -s
        5⤵
        
        PID:1092
    - - C:\Windows\system\SVCHOST.EXE
        
        C:\Windows\system\SVCHOST.EXE -s
        5⤵
        
        PID:1492
    - - C:\Windows\SysWOW64\EBRR.EXE
        
        C:\Windows\system32\EBRR.EXE -s
        5⤵
        
        PID:2444
    - - C:\Windows\SysWOW64\mmtask.exe
        
        C:\Windows\system32\mmtask.exe -s
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:2188
    - - C:\Windows\SVCHOST.EXE
        
        C:\Windows\SVCHOST.EXE -s
        5⤵
        
        PID:2764
    - - C:\Windows\system\SVCHOST.EXE
        
        C:\Windows\system\SVCHOST.EXE -s
        5⤵
        
        PID:2732
    - - C:\Windows\SysWOW64\EBRR.EXE
        
        C:\Windows\system32\EBRR.EXE -s
        5⤵
        
        PID:3036
    - - C:\Windows\SysWOW64\mmtask.exe
        
        C:\Windows\system32\mmtask.exe -s
        5⤵
        
        PID:2736
    - - C:\Windows\SVCHOST.EXE
        
        C:\Windows\SVCHOST.EXE -s
        5⤵
        
        PID:1220
    - - C:\Windows\system\SVCHOST.EXE
        
        C:\Windows\system\SVCHOST.EXE -s
        5⤵
        
        PID:828
    - - C:\Windows\SysWOW64\EBRR.EXE
        
        C:\Windows\system32\EBRR.EXE -s
        5⤵
        
        PID:2780
    - - C:\Windows\SysWOW64\mmtask.exe
        
        C:\Windows\system32\mmtask.exe -s
        5⤵
        
        PID:2412
    - - C:\Windows\SVCHOST.EXE
        
        C:\Windows\SVCHOST.EXE -s
        5⤵
        
        PID:2140
    - - C:\Windows\system\SVCHOST.EXE
        
        C:\Windows\system\SVCHOST.EXE -s
        5⤵
        
        PID:2400
    - - C:\Windows\SysWOW64\EBRR.EXE
        
        C:\Windows\system32\EBRR.EXE -s
        5⤵
        
        PID:1776
    - - C:\Windows\SysWOW64\mmtask.exe
        
        C:\Windows\system32\mmtask.exe -s
        5⤵
        
        PID:2112
    - - C:\Windows\SVCHOST.EXE
        
        C:\Windows\SVCHOST.EXE -s
        5⤵
        
        PID:1484
    - - C:\Windows\system\SVCHOST.EXE
        
        C:\Windows\system\SVCHOST.EXE -s
        5⤵
        
        PID:2708
    - - C:\Windows\SysWOW64\EBRR.EXE
        
        C:\Windows\system32\EBRR.EXE -s
        5⤵
        
        PID:2744
    - - C:\Windows\SysWOW64\mmtask.exe
        
        C:\Windows\system32\mmtask.exe -s
        5⤵
        
        PID:1248
    - - C:\Windows\SVCHOST.EXE
        
        C:\Windows\SVCHOST.EXE -s
        5⤵
        
        PID:2384
    - - C:\Windows\system\SVCHOST.EXE
        
        C:\Windows\system\SVCHOST.EXE -s
        5⤵
        
        PID:2716
    - - C:\Windows\SysWOW64\EBRR.EXE
        
        C:\Windows\system32\EBRR.EXE -s
        5⤵
        
        PID:2032
    - - C:\Windows\SysWOW64\mmtask.exe
        
        C:\Windows\system32\mmtask.exe -s
        5⤵
        
        PID:1908
    - - C:\Windows\SVCHOST.EXE
        
        C:\Windows\SVCHOST.EXE -s
        5⤵
        
        PID:3064
    - - C:\Windows\system\SVCHOST.EXE
        
        C:\Windows\system\SVCHOST.EXE -s
        5⤵
        
        PID:692
    - - C:\Windows\SysWOW64\EBRR.EXE
        
        C:\Windows\system32\EBRR.EXE -s
        5⤵
        
        PID:448
    - - C:\Windows\SysWOW64\mmtask.exe
        
        C:\Windows\system32\mmtask.exe -s
        5⤵
        
        PID:1532
    - - C:\Windows\SVCHOST.EXE
        
        C:\Windows\SVCHOST.EXE -s
        5⤵
        
        PID:2880
    - - C:\Windows\system\SVCHOST.EXE
        
        C:\Windows\system\SVCHOST.EXE -s
        5⤵
        
        PID:2288
    - - C:\Windows\SysWOW64\EBRR.EXE
        
        C:\Windows\system32\EBRR.EXE -s
        5⤵
        
        PID:2204
    - - C:\Windows\SysWOW64\mmtask.exe
        
        C:\Windows\system32\mmtask.exe -s
        5⤵
        
        PID:2236
    - - C:\Windows\SVCHOST.EXE
        
        C:\Windows\SVCHOST.EXE -s
        5⤵
        
        PID:2844
    - - C:\Windows\system\SVCHOST.EXE
        
        C:\Windows\system\SVCHOST.EXE -s
        5⤵
        
        PID:2912
    - - C:\Windows\SysWOW64\EBRR.EXE
        
        C:\Windows\system32\EBRR.EXE -s
        5⤵
        
        PID:780
    - - C:\Windows\SysWOW64\mmtask.exe
        
        C:\Windows\system32\mmtask.exe -s
        5⤵
        
        PID:1324
    - - C:\Windows\SVCHOST.EXE
        
        C:\Windows\SVCHOST.EXE -s
        5⤵
        
        PID:2500
    - - C:\Windows\system\SVCHOST.EXE
        
        C:\Windows\system\SVCHOST.EXE -s
        5⤵
        
        PID:1248
    - - C:\Windows\SysWOW64\EBRR.EXE
        
        C:\Windows\system32\EBRR.EXE -s
        5⤵
        
        PID:1820
    - - C:\Windows\SysWOW64\mmtask.exe
        
        C:\Windows\system32\mmtask.exe -s
        5⤵
        
        PID:2684
    - - C:\Windows\SVCHOST.EXE
        
        C:\Windows\SVCHOST.EXE -s
        5⤵
        
        PID:3068
    - - C:\Windows\system\SVCHOST.EXE
        
        C:\Windows\system\SVCHOST.EXE -s
        5⤵
        
        PID:2476
    - - C:\Windows\SysWOW64\EBRR.EXE
        
        C:\Windows\system32\EBRR.EXE -s
        5⤵
        
        PID:2332
    - - C:\Windows\SysWOW64\mmtask.exe
        
        C:\Windows\system32\mmtask.exe -s
        5⤵
        
        PID:896
    - - C:\Windows\SVCHOST.EXE
        
        C:\Windows\SVCHOST.EXE -s
        5⤵
        
        PID:2360
    - - C:\Windows\system\SVCHOST.EXE
        
        C:\Windows\system\SVCHOST.EXE -s
        5⤵
        
        PID:2192
    - - C:\Windows\SysWOW64\EBRR.EXE
        
        C:\Windows\system32\EBRR.EXE -s
        5⤵
        
        PID:1684
    - - C:\Windows\SysWOW64\mmtask.exe
        
        C:\Windows\system32\mmtask.exe -s
        5⤵
        
        PID:2188
    - - C:\Windows\SVCHOST.EXE
        
        C:\Windows\SVCHOST.EXE -s
        5⤵
        
        PID:2236
    - - C:\Windows\system\SVCHOST.EXE
        
        C:\Windows\system\SVCHOST.EXE -s
        5⤵
        
        PID:2804
    - - C:\Windows\SysWOW64\EBRR.EXE
        
        C:\Windows\system32\EBRR.EXE -s
        5⤵
        
        PID:1724
    - - C:\Windows\SysWOW64\mmtask.exe
        
        C:\Windows\system32\mmtask.exe -s
        5⤵
        
        PID:1740
    - - C:\Windows\SVCHOST.EXE
        
        C:\Windows\SVCHOST.EXE -s
        5⤵
        
        PID:1324
    - - C:\Windows\system\SVCHOST.EXE
        
        C:\Windows\system\SVCHOST.EXE -s
        5⤵
        
        PID:2296
    - - C:\Windows\SysWOW64\EBRR.EXE
        
        C:\Windows\system32\EBRR.EXE -s
        5⤵
        
        PID:2068
    - - C:\Windows\SysWOW64\mmtask.exe
        
        C:\Windows\system32\mmtask.exe -s
        5⤵
        
        PID:3008
    - - C:\Windows\SVCHOST.EXE
        
        C:\Windows\SVCHOST.EXE -s
        5⤵
        
        PID:2084
    - - C:\Windows\system\SVCHOST.EXE
        
        C:\Windows\system\SVCHOST.EXE -s
        5⤵
        
        PID:1272
    - - C:\Windows\SysWOW64\EBRR.EXE
        
        C:\Windows\system32\EBRR.EXE -s
        5⤵
        
        PID:1152
    - - C:\Windows\SysWOW64\mmtask.exe
        
        C:\Windows\system32\mmtask.exe -s
        5⤵
        
        PID:2160
    - - C:\Windows\SVCHOST.EXE
        
        C:\Windows\SVCHOST.EXE -s
        5⤵
        
        PID:1716
    - - C:\Windows\system\SVCHOST.EXE
        
        C:\Windows\system\SVCHOST.EXE -s
        5⤵
        
        PID:1496
    - - C:\Windows\SysWOW64\EBRR.EXE
        
        C:\Windows\system32\EBRR.EXE -s
        5⤵
        
        PID:2360
    - - C:\Windows\SysWOW64\mmtask.exe
        
        C:\Windows\system32\mmtask.exe -s
        5⤵
        
        PID:2192
    - - C:\Windows\SVCHOST.EXE
        
        C:\Windows\SVCHOST.EXE -s
        5⤵
        
        PID:2516
    - - C:\Windows\system\SVCHOST.EXE
        
        C:\Windows\system\SVCHOST.EXE -s
        5⤵
        
        PID:1936
    - - C:\Windows\SysWOW64\EBRR.EXE
        
        C:\Windows\system32\EBRR.EXE -s
        5⤵
        
        PID:2444
    - - C:\Windows\SysWOW64\mmtask.exe
        
        C:\Windows\system32\mmtask.exe -s
        5⤵
        
        PID:2804
    - - C:\Windows\SVCHOST.EXE
        
        C:\Windows\SVCHOST.EXE -s
        5⤵
        
        PID:1060
    - - C:\Windows\system\SVCHOST.EXE
        
        C:\Windows\system\SVCHOST.EXE -s
        5⤵
        
        PID:2720
    - - C:\Windows\SysWOW64\EBRR.EXE
        
        C:\Windows\system32\EBRR.EXE -s
        5⤵
        
        PID:2520
    - - C:\Windows\SysWOW64\mmtask.exe
        
        C:\Windows\system32\mmtask.exe -s
        5⤵
        
        PID:1740
    - - C:\Windows\SVCHOST.EXE
        
        C:\Windows\SVCHOST.EXE -s
        5⤵
        
        PID:2212
    - - C:\Windows\system\SVCHOST.EXE
        
        C:\Windows\system\SVCHOST.EXE -s
        5⤵
        
        PID:1044
    - - C:\Windows\SysWOW64\EBRR.EXE
        
        C:\Windows\system32\EBRR.EXE -s
        5⤵
        
        PID:3008
    - - C:\Windows\SysWOW64\mmtask.exe
        
        C:\Windows\system32\mmtask.exe -s
        5⤵
        
        PID:2960
    - - C:\Windows\SVCHOST.EXE
        
        C:\Windows\SVCHOST.EXE -s
        5⤵
        
        PID:2492
    - - C:\Windows\system\SVCHOST.EXE
        
        C:\Windows\system\SVCHOST.EXE -s
        5⤵
        
        PID:3064
    - - C:\Windows\SysWOW64\EBRR.EXE
        
        C:\Windows\system32\EBRR.EXE -s
        5⤵
        
        PID:1332
    - - C:\Windows\SysWOW64\mmtask.exe
        
        C:\Windows\system32\mmtask.exe -s
        5⤵
        
        PID:2660
    - - C:\Windows\SVCHOST.EXE
        
        C:\Windows\SVCHOST.EXE -s
        5⤵
        
        PID:1000
    - - C:\Windows\system\SVCHOST.EXE
        
        C:\Windows\system\SVCHOST.EXE -s
        5⤵
        
        PID:2852
    - - C:\Windows\SysWOW64\EBRR.EXE
        
        C:\Windows\system32\EBRR.EXE -s
        5⤵
        
        PID:2776
    - - C:\Windows\SysWOW64\mmtask.exe
        
        C:\Windows\system32\mmtask.exe -s
        5⤵
        
        PID:868
    - - C:\Windows\SVCHOST.EXE
        
        C:\Windows\SVCHOST.EXE -s
        5⤵
        
        PID:272
    - - C:\Windows\system\SVCHOST.EXE
        
        C:\Windows\system\SVCHOST.EXE -s
        5⤵
        
        PID:2248
    - - C:\Windows\SysWOW64\EBRR.EXE
        
        C:\Windows\system32\EBRR.EXE -s
        5⤵
        
        PID:2892
    - - C:\Windows\SysWOW64\mmtask.exe
        
        C:\Windows\system32\mmtask.exe -s
        5⤵
        
        PID:2840
    - - C:\Windows\SVCHOST.EXE
        
        C:\Windows\SVCHOST.EXE -s
        5⤵
        
        PID:3060
    - - C:\Windows\system\SVCHOST.EXE
        
        C:\Windows\system\SVCHOST.EXE -s
        5⤵
        
        PID:1740
    - - C:\Windows\SysWOW64\EBRR.EXE
        
        C:\Windows\system32\EBRR.EXE -s
        5⤵
        
        PID:1236
    - - C:\Windows\SysWOW64\mmtask.exe
        
        C:\Windows\system32\mmtask.exe -s
        5⤵
        
        PID:1592
    - - C:\Windows\SVCHOST.EXE
        
        C:\Windows\SVCHOST.EXE -s
        5⤵
        
        PID:1320
    - - C:\Windows\system\SVCHOST.EXE
        
        C:\Windows\system\SVCHOST.EXE -s
        5⤵
        
        PID:3064
    - - C:\Windows\SysWOW64\EBRR.EXE
        
        C:\Windows\system32\EBRR.EXE -s
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:2780
    - - C:\Windows\SysWOW64\mmtask.exe
        
        C:\Windows\system32\mmtask.exe -s
        5⤵
        
        PID:1640
    - - C:\Windows\SVCHOST.EXE
        
        C:\Windows\SVCHOST.EXE -s
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:1192
    - - C:\Windows\system\SVCHOST.EXE
        
        C:\Windows\system\SVCHOST.EXE -s
        5⤵
        
        PID:1576
    - - C:\Windows\SysWOW64\EBRR.EXE
        
        C:\Windows\system32\EBRR.EXE -s
        5⤵
        
        PID:536
    - - C:\Windows\SysWOW64\mmtask.exe
        
        C:\Windows\system32\mmtask.exe -s
        5⤵
        
        PID:888
    - - C:\Windows\SVCHOST.EXE
        
        C:\Windows\SVCHOST.EXE -s
        5⤵
        
        PID:2236
    - - C:\Windows\system\SVCHOST.EXE
        
        C:\Windows\system\SVCHOST.EXE -s
        5⤵
        
        PID:320
    - - C:\Windows\SysWOW64\EBRR.EXE
        
        C:\Windows\system32\EBRR.EXE -s
        5⤵
        
        PID:2896
    - - C:\Windows\SysWOW64\mmtask.exe
        
        C:\Windows\system32\mmtask.exe -s
        5⤵
        
        PID:2924
    - - C:\Windows\SVCHOST.EXE
        
        C:\Windows\SVCHOST.EXE -s
        5⤵
        
        PID:304
    - - C:\Windows\system\SVCHOST.EXE
        
        C:\Windows\system\SVCHOST.EXE -s
        5⤵
        
        PID:1540
    - - C:\Windows\SysWOW64\EBRR.EXE
        
        C:\Windows\system32\EBRR.EXE -s
        5⤵
        
        PID:1292
    - - C:\Windows\SysWOW64\mmtask.exe
        
        C:\Windows\system32\mmtask.exe -s
        5⤵
        
        PID:2684
    - - C:\Windows\SVCHOST.EXE
        
        C:\Windows\SVCHOST.EXE -s
        5⤵
        
        PID:1560
    - - C:\Windows\system\SVCHOST.EXE
        
        C:\Windows\system\SVCHOST.EXE -s
        5⤵
        
        PID:1592
    - - C:\Windows\SysWOW64\EBRR.EXE
        
        C:\Windows\system32\EBRR.EXE -s
        5⤵
        
        PID:2484
    - - C:\Windows\SysWOW64\mmtask.exe
        
        C:\Windows\system32\mmtask.exe -s
        5⤵
        
        PID:2772
    - - C:\Windows\SVCHOST.EXE
        
        C:\Windows\SVCHOST.EXE -s
        5⤵
        
        PID:1332
    - - C:\Windows\system\SVCHOST.EXE
        
        C:\Windows\system\SVCHOST.EXE -s
        5⤵
        
        PID:604
    - - C:\Windows\SysWOW64\EBRR.EXE
        
        C:\Windows\system32\EBRR.EXE -s
        5⤵
        
        PID:2040
    - - C:\Windows\SysWOW64\mmtask.exe
        
        C:\Windows\system32\mmtask.exe -s
        5⤵
        
        PID:2660
    - - C:\Windows\SVCHOST.EXE
        
        C:\Windows\SVCHOST.EXE -s
        5⤵
        
        PID:2544
    - - C:\Windows\system\SVCHOST.EXE
        
        C:\Windows\system\SVCHOST.EXE -s
        5⤵
        
        PID:1616
    - - C:\Windows\SysWOW64\EBRR.EXE
        
        C:\Windows\system32\EBRR.EXE -s
        5⤵
        
        PID:1580
    - - C:\Windows\SysWOW64\mmtask.exe
        
        C:\Windows\system32\mmtask.exe -s
        5⤵
        
        PID:2580
    - - C:\Windows\SVCHOST.EXE
        
        C:\Windows\SVCHOST.EXE -s
        5⤵
        
        PID:2636
    - - C:\Windows\system\SVCHOST.EXE
        
        C:\Windows\system\SVCHOST.EXE -s
        5⤵
        
        PID:2848
    - - C:\Windows\SysWOW64\EBRR.EXE
        
        C:\Windows\system32\EBRR.EXE -s
        5⤵
        
        PID:1772
    - - C:\Windows\SysWOW64\mmtask.exe
        
        C:\Windows\system32\mmtask.exe -s
        5⤵
        
        PID:1220
    - - C:\Windows\SVCHOST.EXE
        
        C:\Windows\SVCHOST.EXE -s
        5⤵
        
        PID:2500
    - - C:\Windows\system\SVCHOST.EXE
        
        C:\Windows\system\SVCHOST.EXE -s
        5⤵
        
        PID:2008
    - - C:\Windows\SysWOW64\EBRR.EXE
        
        C:\Windows\system32\EBRR.EXE -s
        5⤵
        
        PID:2784
    - - C:\Windows\SysWOW64\mmtask.exe
        
        C:\Windows\system32\mmtask.exe -s
        5⤵
        
        PID:3004
    - - C:\Windows\SVCHOST.EXE
        
        C:\Windows\SVCHOST.EXE -s
        5⤵
        
        PID:2992
    - - C:\Windows\system\SVCHOST.EXE
        
        C:\Windows\system\SVCHOST.EXE -s
        5⤵
        
        PID:1760
    - - C:\Windows\SysWOW64\EBRR.EXE
        
        C:\Windows\system32\EBRR.EXE -s
        5⤵
        
        PID:1016
    - - C:\Windows\SysWOW64\mmtask.exe
        
        C:\Windows\system32\mmtask.exe -s
        5⤵
        
        PID:1648
    - - C:\Windows\SVCHOST.EXE
        
        C:\Windows\SVCHOST.EXE -s
        5⤵
        
        PID:604
    - - C:\Windows\system\SVCHOST.EXE
        
        C:\Windows\system\SVCHOST.EXE -s
        5⤵
        
        PID:1576
    - - C:\Windows\SysWOW64\EBRR.EXE
        
        C:\Windows\system32\EBRR.EXE -s
        5⤵
        
        PID:1496
    - - C:\Windows\SysWOW64\mmtask.exe
        
        C:\Windows\system32\mmtask.exe -s
        5⤵
        
        PID:1776
    - - C:\Windows\SVCHOST.EXE
        
        C:\Windows\SVCHOST.EXE -s
        5⤵
        
        PID:1696
    - - C:\Windows\system\SVCHOST.EXE
        
        C:\Windows\system\SVCHOST.EXE -s
        5⤵
        
        PID:2624
    - - C:\Windows\SysWOW64\EBRR.EXE
        
        C:\Windows\system32\EBRR.EXE -s
        5⤵
        
        PID:2688
    - - C:\Windows\SysWOW64\mmtask.exe
        
        C:\Windows\system32\mmtask.exe -s
        5⤵
        
        PID:2752
    - - C:\Windows\SVCHOST.EXE
        
        C:\Windows\SVCHOST.EXE -s
        5⤵
        
        PID:2120
    - - C:\Windows\system\SVCHOST.EXE
        
        C:\Windows\system\SVCHOST.EXE -s
        5⤵
        
        PID:1740
    - - C:\Windows\SysWOW64\EBRR.EXE
        
        C:\Windows\system32\EBRR.EXE -s
        5⤵
        
        PID:1560
    - - C:\Windows\SysWOW64\mmtask.exe
        
        C:\Windows\system32\mmtask.exe -s
        5⤵
        
        PID:2488
    - - C:\Windows\SVCHOST.EXE
        
        C:\Windows\SVCHOST.EXE -s
        5⤵
        
        PID:3004
    - - C:\Windows\system\SVCHOST.EXE
        
        C:\Windows\system\SVCHOST.EXE -s
        5⤵
        
        PID:2132
    - - C:\Windows\SysWOW64\EBRR.EXE
        
        C:\Windows\system32\EBRR.EXE -s
        5⤵
        
        PID:2224
    - - C:\Windows\SysWOW64\mmtask.exe
        
        C:\Windows\system32\mmtask.exe -s
        5⤵
        
        PID:2088
    - - C:\Windows\SVCHOST.EXE
        
        C:\Windows\SVCHOST.EXE -s
        5⤵
        
        PID:1000
    - - C:\Windows\system\SVCHOST.EXE
        
        C:\Windows\system\SVCHOST.EXE -s
        5⤵
        
        PID:1588
    - - C:\Windows\SysWOW64\EBRR.EXE
        
        C:\Windows\system32\EBRR.EXE -s
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:2576
    - - C:\Windows\SysWOW64\mmtask.exe
        
        C:\Windows\system32\mmtask.exe -s
        5⤵
        
        PID:2220
    - - C:\Windows\SVCHOST.EXE
        
        C:\Windows\SVCHOST.EXE -s
        5⤵
        
        PID:2832
    - - C:\Windows\system\SVCHOST.EXE
        
        C:\Windows\system\SVCHOST.EXE -s
        5⤵
        
        PID:760
    - - C:\Windows\SysWOW64\EBRR.EXE
        
        C:\Windows\system32\EBRR.EXE -s
        5⤵
        
        PID:2908
    - - C:\Windows\SysWOW64\mmtask.exe
        
        C:\Windows\system32\mmtask.exe -s
        5⤵
        
        PID:1584
  - - C:\Windows\system\SVCHOST.EXE
      C:\Windows\system\SVCHOST.EXE -s
      4⤵
      Executes dropped EXE
      Suspicious use of SetWindowsHookEx
      PID:1636
  - - C:\Windows\SysWOW64\EBRR.EXE
      C:\Windows\system32\EBRR.EXE -s
      4⤵
      Executes dropped EXE
      Suspicious use of SetWindowsHookEx
      PID:1928
  - - C:\Windows\SysWOW64\mmtask.exe
      C:\Windows\system32\mmtask.exe -s
      4⤵
      Executes dropped EXE
      Suspicious use of SetWindowsHookEx
      PID:2544
  - - C:\Windows\SVCHOST.EXE
      C:\Windows\SVCHOST.EXE -s
      4⤵
      Executes dropped EXE
      Suspicious use of SetWindowsHookEx
      PID:2012
  - - C:\Windows\system\SVCHOST.EXE
      C:\Windows\system\SVCHOST.EXE -s
      4⤵
      Executes dropped EXE
      Suspicious use of SetWindowsHookEx
      PID:1856
  - - C:\Windows\SysWOW64\EBRR.EXE
      C:\Windows\system32\EBRR.EXE -s
      4⤵
      Executes dropped EXE
      Suspicious use of SetWindowsHookEx
      PID:1692
  - - C:\Windows\SysWOW64\mmtask.exe
      C:\Windows\system32\mmtask.exe -s
      4⤵
      Executes dropped EXE
      Suspicious use of SetWindowsHookEx
      PID:2736
  - - C:\Windows\SVCHOST.EXE
      C:\Windows\SVCHOST.EXE -s
      4⤵
      Executes dropped EXE
      Suspicious use of SetWindowsHookEx
      PID:2704
  - - C:\Windows\system\SVCHOST.EXE
      C:\Windows\system\SVCHOST.EXE -s
      4⤵
      Executes dropped EXE
      Suspicious use of SetWindowsHookEx
      PID:1248
  - - C:\Windows\SysWOW64\EBRR.EXE
      C:\Windows\system32\EBRR.EXE -s
      4⤵
      Executes dropped EXE
      Suspicious use of SetWindowsHookEx
      PID:1256
  - - C:\Windows\SysWOW64\mmtask.exe
      C:\Windows\system32\mmtask.exe -s
      4⤵
      PID:2512
  - - C:\Windows\SVCHOST.EXE
      C:\Windows\SVCHOST.EXE -s
      4⤵
      PID:2148
  - - C:\Windows\system\SVCHOST.EXE
      C:\Windows\system\SVCHOST.EXE -s
      4⤵
      PID:2128
  - - C:\Windows\SysWOW64\EBRR.EXE
      C:\Windows\system32\EBRR.EXE -s
      4⤵
      PID:2544
  - - C:\Windows\SysWOW64\mmtask.exe
      C:\Windows\system32\mmtask.exe -s
      4⤵
      PID:1052
  - - C:\Windows\SVCHOST.EXE
      C:\Windows\SVCHOST.EXE -s
      4⤵
      PID:1064
  - - C:\Windows\system\SVCHOST.EXE
      C:\Windows\system\SVCHOST.EXE -s
      4⤵
      PID:1580
  - - C:\Windows\SysWOW64\EBRR.EXE
      C:\Windows\system32\EBRR.EXE -s
      4⤵
      PID:2832
  - - C:\Windows\SysWOW64\mmtask.exe
      C:\Windows\system32\mmtask.exe -s
      4⤵
      PID:2144
  - - C:\Windows\SVCHOST.EXE
      C:\Windows\SVCHOST.EXE -s
      4⤵
      PID:2684
  - - C:\Windows\system\SVCHOST.EXE
      C:\Windows\system\SVCHOST.EXE -s
      4⤵
      PID:2688
  - - C:\Windows\SysWOW64\EBRR.EXE
      C:\Windows\system32\EBRR.EXE -s
      4⤵
      PID:1708
  - - C:\Windows\SysWOW64\mmtask.exe
      C:\Windows\system32\mmtask.exe -s
      4⤵
      PID:2492
  - - C:\Windows\SVCHOST.EXE
      C:\Windows\SVCHOST.EXE -s
      4⤵
      PID:3048
  - - C:\Windows\system\SVCHOST.EXE
      C:\Windows\system\SVCHOST.EXE -s
      4⤵
      PID:2524
  - - C:\Windows\SysWOW64\EBRR.EXE
      C:\Windows\system32\EBRR.EXE -s
      4⤵
      PID:2192
  - - C:\Windows\SysWOW64\mmtask.exe
      C:\Windows\system32\mmtask.exe -s
      4⤵
      PID:752
  - - C:\Windows\SVCHOST.EXE
      C:\Windows\SVCHOST.EXE -s
      4⤵
      PID:2544
  - - C:\Windows\system\SVCHOST.EXE
      C:\Windows\system\SVCHOST.EXE -s
      4⤵
      PID:2596
  - - C:\Windows\SysWOW64\EBRR.EXE
      C:\Windows\system32\EBRR.EXE -s
      4⤵
      PID:2764
  - - C:\Windows\SysWOW64\mmtask.exe
      C:\Windows\system32\mmtask.exe -s
      4⤵
      PID:2916
  - - C:\Windows\SVCHOST.EXE
      C:\Windows\SVCHOST.EXE -s
      4⤵
      PID:2724
  - - C:\Windows\system\SVCHOST.EXE
      C:\Windows\system\SVCHOST.EXE -s
      4⤵
      PID:2212
  - - C:\Windows\SysWOW64\EBRR.EXE
      C:\Windows\system32\EBRR.EXE -s
      4⤵
      PID:1980
  - - C:\Windows\SysWOW64\mmtask.exe
      C:\Windows\system32\mmtask.exe -s
      4⤵
      PID:1852
  - - C:\Windows\SVCHOST.EXE
      C:\Windows\SVCHOST.EXE -s
      4⤵
      PID:1152
  - - C:\Windows\system\SVCHOST.EXE
      C:\Windows\system\SVCHOST.EXE -s
      4⤵
      PID:2364
  - - C:\Windows\SysWOW64\EBRR.EXE
      C:\Windows\system32\EBRR.EXE -s
      4⤵
      PID:836
  - - C:\Windows\SysWOW64\mmtask.exe
      C:\Windows\system32\mmtask.exe -s
      4⤵
      PID:2200
  - - C:\Windows\SVCHOST.EXE
      C:\Windows\SVCHOST.EXE -s
      4⤵
      PID:1268
  - - C:\Windows\system\SVCHOST.EXE
      C:\Windows\system\SVCHOST.EXE -s
      4⤵
      PID:2544
  - - C:\Windows\SysWOW64\EBRR.EXE
      C:\Windows\system32\EBRR.EXE -s
      4⤵
      PID:2060
  - - C:\Windows\SysWOW64\mmtask.exe
      C:\Windows\system32\mmtask.exe -s
      4⤵
      PID:2788
  - - C:\Windows\SVCHOST.EXE
      C:\Windows\SVCHOST.EXE -s
      4⤵
      PID:1740
  - - C:\Windows\system\SVCHOST.EXE
      C:\Windows\system\SVCHOST.EXE -s
      4⤵
      PID:2900
  - - C:\Windows\SysWOW64\EBRR.EXE
      C:\Windows\system32\EBRR.EXE -s
      4⤵
      PID:2684
  - - C:\Windows\SysWOW64\mmtask.exe
      C:\Windows\system32\mmtask.exe -s
      4⤵
      PID:1744
  - - C:\Windows\SVCHOST.EXE
      C:\Windows\SVCHOST.EXE -s
      4⤵
      PID:1440
  - - C:\Windows\system\SVCHOST.EXE
      C:\Windows\system\SVCHOST.EXE -s
      4⤵
      PID:2484
  - - C:\Windows\SysWOW64\EBRR.EXE
      C:\Windows\system32\EBRR.EXE -s
      4⤵
      PID:1716
  - - C:\Windows\SysWOW64\mmtask.exe
      C:\Windows\system32\mmtask.exe -s
      4⤵
      PID:1016
  - - C:\Windows\SVCHOST.EXE
      C:\Windows\SVCHOST.EXE -s
      4⤵
      PID:2088
  - - C:\Windows\system\SVCHOST.EXE
      C:\Windows\system\SVCHOST.EXE -s
      4⤵
      PID:2128
  - - C:\Windows\SysWOW64\EBRR.EXE
      C:\Windows\system32\EBRR.EXE -s
      4⤵
      PID:2108
  - - C:\Windows\SysWOW64\mmtask.exe
      C:\Windows\system32\mmtask.exe -s
      4⤵
      PID:1288
  - - C:\Windows\SVCHOST.EXE
      C:\Windows\SVCHOST.EXE -s
      4⤵
      PID:868
  - - C:\Windows\system\SVCHOST.EXE
      C:\Windows\system\SVCHOST.EXE -s
      4⤵
      System Location Discovery: System Language Discovery
      PID:2788
  - - C:\Windows\SysWOW64\EBRR.EXE
      C:\Windows\system32\EBRR.EXE -s
      4⤵
      PID:2700
  - - C:\Windows\SysWOW64\mmtask.exe
      C:\Windows\system32\mmtask.exe -s
      4⤵
      PID:2384
  - - C:\Windows\SVCHOST.EXE
      C:\Windows\SVCHOST.EXE -s
      4⤵
      PID:3004
  - - C:\Windows\system\SVCHOST.EXE
      C:\Windows\system\SVCHOST.EXE -s
      4⤵
      PID:1592
  - - C:\Windows\SysWOW64\EBRR.EXE
      C:\Windows\system32\EBRR.EXE -s
      4⤵
      PID:1280
  - - C:\Windows\SysWOW64\mmtask.exe
      C:\Windows\system32\mmtask.exe -s
      4⤵
      PID:1668
  - - C:\Windows\SVCHOST.EXE
      C:\Windows\SVCHOST.EXE -s
      4⤵
      PID:1576
  - - C:\Windows\system\SVCHOST.EXE
      C:\Windows\system\SVCHOST.EXE -s
      4⤵
      PID:2224
  - - C:\Windows\SysWOW64\EBRR.EXE
      C:\Windows\system32\EBRR.EXE -s
      4⤵
      PID:2204
  - - C:\Windows\SysWOW64\mmtask.exe
      C:\Windows\system32\mmtask.exe -s
      4⤵
      PID:2544
  - - C:\Windows\SVCHOST.EXE
      C:\Windows\SVCHOST.EXE -s
      4⤵
      PID:2596
  - - C:\Windows\system\SVCHOST.EXE
      C:\Windows\system\SVCHOST.EXE -s
      4⤵
      PID:1268
  - - C:\Windows\SysWOW64\EBRR.EXE
      C:\Windows\system32\EBRR.EXE -s
      4⤵
      PID:1740
  - - C:\Windows\SysWOW64\mmtask.exe
      C:\Windows\system32\mmtask.exe -s
      4⤵
      PID:2920
  - - C:\Windows\SVCHOST.EXE
      C:\Windows\SVCHOST.EXE -s
      4⤵
      PID:2568
  - - C:\Windows\system\SVCHOST.EXE
      C:\Windows\system\SVCHOST.EXE -s
      4⤵
      PID:1960
  - - C:\Windows\SysWOW64\EBRR.EXE
      C:\Windows\system32\EBRR.EXE -s
      4⤵
      PID:1812
  - - C:\Windows\SysWOW64\mmtask.exe
      C:\Windows\system32\mmtask.exe -s
      4⤵
      PID:828
  - - C:\Windows\SVCHOST.EXE
      C:\Windows\SVCHOST.EXE -s
      4⤵
      PID:1928
  - - C:\Windows\system\SVCHOST.EXE
      C:\Windows\system\SVCHOST.EXE -s
      4⤵
      PID:2000
  - - C:\Windows\SysWOW64\EBRR.EXE
      C:\Windows\system32\EBRR.EXE -s
      4⤵
      PID:2136
  - - C:\Windows\SysWOW64\mmtask.exe
      C:\Windows\system32\mmtask.exe -s
      4⤵
      PID:3056
  - - C:\Windows\SVCHOST.EXE
      C:\Windows\SVCHOST.EXE -s
      4⤵
      PID:1576
  - - C:\Windows\system\SVCHOST.EXE
      C:\Windows\system\SVCHOST.EXE -s
      4⤵
      PID:1000
  - - C:\Windows\SysWOW64\EBRR.EXE
      C:\Windows\system32\EBRR.EXE -s
      4⤵
      PID:2444
  - - C:\Windows\SysWOW64\mmtask.exe
      C:\Windows\system32\mmtask.exe -s
      4⤵
      PID:2828
  - - C:\Windows\SVCHOST.EXE
      C:\Windows\SVCHOST.EXE -s
      4⤵
      PID:2028
  - - C:\Windows\system\SVCHOST.EXE
      C:\Windows\system\SVCHOST.EXE -s
      4⤵
      PID:1060
  - - C:\Windows\SysWOW64\EBRR.EXE
      C:\Windows\system32\EBRR.EXE -s
      4⤵
      PID:2120
  - - C:\Windows\SysWOW64\mmtask.exe
      C:\Windows\system32\mmtask.exe -s
      4⤵
      PID:2084
  - - C:\Windows\SVCHOST.EXE
      C:\Windows\SVCHOST.EXE -s
      4⤵
      PID:1744
  - - C:\Windows\system\SVCHOST.EXE
      C:\Windows\system\SVCHOST.EXE -s
      4⤵
      PID:2664
  - - C:\Windows\SysWOW64\EBRR.EXE
      C:\Windows\system32\EBRR.EXE -s
      4⤵
      PID:3040
  - - C:\Windows\SysWOW64\mmtask.exe
      C:\Windows\system32\mmtask.exe -s
      4⤵
      PID:1984
  - - C:\Windows\SVCHOST.EXE
      C:\Windows\SVCHOST.EXE -s
      4⤵
      PID:1496
  - - C:\Windows\system\SVCHOST.EXE
      C:\Windows\system\SVCHOST.EXE -s
      4⤵
      PID:1860
  - - C:\Windows\SysWOW64\EBRR.EXE
      C:\Windows\system32\EBRR.EXE -s
      4⤵
      PID:1580
  - - C:\Windows\SysWOW64\mmtask.exe
      C:\Windows\system32\mmtask.exe -s
      4⤵
      PID:1600
  - - C:\Windows\SVCHOST.EXE
      C:\Windows\SVCHOST.EXE -s
      4⤵
      PID:2576
  - - C:\Windows\system\SVCHOST.EXE
      C:\Windows\system\SVCHOST.EXE -s
      4⤵
      PID:1692
  - - C:\Windows\SysWOW64\EBRR.EXE
      C:\Windows\system32\EBRR.EXE -s
      4⤵
      PID:2828
  - - C:\Windows\SysWOW64\mmtask.exe
      C:\Windows\system32\mmtask.exe -s
      4⤵
      PID:2824
  - - C:\Windows\SVCHOST.EXE
      C:\Windows\SVCHOST.EXE -s
      4⤵
      PID:2212
  - - C:\Windows\system\SVCHOST.EXE
      C:\Windows\system\SVCHOST.EXE -s
      4⤵
      PID:2384
  - - C:\Windows\SysWOW64\EBRR.EXE
      C:\Windows\system32\EBRR.EXE -s
      4⤵
      PID:2488
  - - C:\Windows\SysWOW64\mmtask.exe
      C:\Windows\system32\mmtask.exe -s
      4⤵
      System Location Discovery: System Language Discovery
      PID:2684
  - - C:\Windows\SVCHOST.EXE
      C:\Windows\SVCHOST.EXE -s
      4⤵
      PID:1304
  - - C:\Windows\system\SVCHOST.EXE
      C:\Windows\system\SVCHOST.EXE -s
      4⤵
      PID:1560
  - - C:\Windows\SysWOW64\EBRR.EXE
      C:\Windows\system32\EBRR.EXE -s
      4⤵
      PID:3040
  - - C:\Windows\SysWOW64\mmtask.exe
      C:\Windows\system32\mmtask.exe -s
      4⤵
      PID:2316
  - - C:\Windows\SVCHOST.EXE
      C:\Windows\SVCHOST.EXE -s
      4⤵
      PID:2436
  - - C:\Windows\system\SVCHOST.EXE
      C:\Windows\system\SVCHOST.EXE -s
      4⤵
      PID:848
  - - C:\Windows\SysWOW64\EBRR.EXE
      C:\Windows\system32\EBRR.EXE -s
      4⤵
      PID:2288
  - - C:\Windows\SysWOW64\mmtask.exe
      C:\Windows\system32\mmtask.exe -s
      4⤵
      PID:2984
  - - C:\Windows\SVCHOST.EXE
      C:\Windows\SVCHOST.EXE -s
      4⤵
      PID:2108
  - - C:\Windows\system\SVCHOST.EXE
      C:\Windows\system\SVCHOST.EXE -s
      4⤵
      PID:2236
  - - C:\Windows\SysWOW64\EBRR.EXE
      C:\Windows\system32\EBRR.EXE -s
      4⤵
      PID:2912
  - - C:\Windows\SysWOW64\mmtask.exe
      C:\Windows\system32\mmtask.exe -s
      4⤵
      PID:2756
  - - C:\Windows\SVCHOST.EXE
      C:\Windows\SVCHOST.EXE -s
      4⤵
      PID:2900
  - - C:\Windows\system\SVCHOST.EXE
      C:\Windows\system\SVCHOST.EXE -s
      4⤵
      PID:3036
  - - C:\Windows\SysWOW64\EBRR.EXE
      C:\Windows\system32\EBRR.EXE -s
      4⤵
      PID:1256
  - - C:\Windows\SysWOW64\mmtask.exe
      C:\Windows\system32\mmtask.exe -s
      4⤵
      PID:2784
  - - C:\Windows\SVCHOST.EXE
      C:\Windows\SVCHOST.EXE -s
      4⤵
      PID:2612
  - - C:\Windows\system\SVCHOST.EXE
      C:\Windows\system\SVCHOST.EXE -s
      4⤵
      PID:1708
  - - C:\Windows\SysWOW64\EBRR.EXE
      C:\Windows\system32\EBRR.EXE -s
      4⤵
      PID:940
  - - C:\Windows\SysWOW64\mmtask.exe
      C:\Windows\system32\mmtask.exe -s
      4⤵
      PID:924
  - - C:\Windows\SVCHOST.EXE
      C:\Windows\SVCHOST.EXE -s
      4⤵
      PID:2040
  - - C:\Windows\system\SVCHOST.EXE
      C:\Windows\system\SVCHOST.EXE -s
      4⤵
      PID:448
  - - C:\Windows\SysWOW64\EBRR.EXE
      C:\Windows\system32\EBRR.EXE -s
      4⤵
      PID:2176
  - - C:\Windows\SysWOW64\mmtask.exe
      C:\Windows\system32\mmtask.exe -s
      4⤵
      PID:1556
  - - C:\Windows\SVCHOST.EXE
      C:\Windows\SVCHOST.EXE -s
      4⤵
      PID:2904
  - - C:\Windows\system\SVCHOST.EXE
      C:\Windows\system\SVCHOST.EXE -s
      4⤵
      PID:1964
  - - C:\Windows\SysWOW64\EBRR.EXE
      C:\Windows\system32\EBRR.EXE -s
      4⤵
      PID:2720
  - - C:\Windows\SysWOW64\mmtask.exe
      C:\Windows\system32\mmtask.exe -s
      4⤵
      PID:1048
  - - C:\Windows\SVCHOST.EXE
      C:\Windows\SVCHOST.EXE -s
      4⤵
      PID:2940
  - - C:\Windows\system\SVCHOST.EXE
      C:\Windows\system\SVCHOST.EXE -s
      4⤵
      PID:2568
  - - C:\Windows\SysWOW64\EBRR.EXE
      C:\Windows\system32\EBRR.EXE -s
      4⤵
      PID:3008
  - - C:\Windows\SysWOW64\mmtask.exe
      C:\Windows\system32\mmtask.exe -s
      4⤵
      PID:2328
  - - C:\Windows\SVCHOST.EXE
      C:\Windows\SVCHOST.EXE -s
      4⤵
      PID:1088
  - - C:\Windows\system\SVCHOST.EXE
      C:\Windows\system\SVCHOST.EXE -s
      4⤵
      System Location Discovery: System Language Discovery
      PID:2512
  - - C:\Windows\SysWOW64\EBRR.EXE
      C:\Windows\system32\EBRR.EXE -s
      4⤵
      PID:1140
  - - C:\Windows\SysWOW64\mmtask.exe
      C:\Windows\system32\mmtask.exe -s
      4⤵
      PID:2012
  - - C:\Windows\SVCHOST.EXE
      C:\Windows\SVCHOST.EXE -s
      4⤵
      PID:752
  - - C:\Windows\system\SVCHOST.EXE
      C:\Windows\system\SVCHOST.EXE -s
      4⤵
      PID:1496
  - - C:\Windows\SysWOW64\EBRR.EXE
      C:\Windows\system32\EBRR.EXE -s
      4⤵
      PID:1684
  - - C:\Windows\SysWOW64\mmtask.exe
      C:\Windows\system32\mmtask.exe -s
      4⤵
      PID:2268
  - - C:\Windows\SVCHOST.EXE
      C:\Windows\SVCHOST.EXE -s
      4⤵
      PID:2580
  - - C:\Windows\system\SVCHOST.EXE
      C:\Windows\system\SVCHOST.EXE -s
      4⤵
      PID:2028
  - - C:\Windows\SysWOW64\EBRR.EXE
      C:\Windows\system32\EBRR.EXE -s
      4⤵
      PID:2404
  - - C:\Windows\SysWOW64\mmtask.exe
      C:\Windows\system32\mmtask.exe -s
      4⤵
      PID:2560
  - - C:\Windows\SVCHOST.EXE
      C:\Windows\SVCHOST.EXE -s
      4⤵
      PID:2900
  - - C:\Windows\system\SVCHOST.EXE
      C:\Windows\system\SVCHOST.EXE -s
      4⤵
      PID:2816
  - - C:\Windows\SysWOW64\EBRR.EXE
      C:\Windows\system32\EBRR.EXE -s
      4⤵
      PID:3068
  - - C:\Windows\SysWOW64\mmtask.exe
      C:\Windows\system32\mmtask.exe -s
      4⤵
      PID:2148
  - - C:\Windows\SVCHOST.EXE
      C:\Windows\SVCHOST.EXE -s
      4⤵
      PID:2072
  - - C:\Windows\system\SVCHOST.EXE
      C:\Windows\system\SVCHOST.EXE -s
      4⤵
      PID:1280
  - - C:\Windows\SysWOW64\EBRR.EXE
      C:\Windows\system32\EBRR.EXE -s
      4⤵
      PID:2224
  - - C:\Windows\SysWOW64\mmtask.exe
      C:\Windows\system32\mmtask.exe -s
      4⤵
      PID:1000
  - - C:\Windows\SVCHOST.EXE
      C:\Windows\SVCHOST.EXE -s
      4⤵
      System Location Discovery: System Language Discovery
      PID:1752
  - - C:\Windows\system\SVCHOST.EXE
      C:\Windows\system\SVCHOST.EXE -s
      4⤵
      PID:1632
  - - C:\Windows\SysWOW64\EBRR.EXE
      C:\Windows\system32\EBRR.EXE -s
      4⤵
      PID:2908
  - - C:\Windows\SysWOW64\mmtask.exe
      C:\Windows\system32\mmtask.exe -s
      4⤵
      PID:2744
  - - C:\Windows\SVCHOST.EXE
      C:\Windows\SVCHOST.EXE -s
      4⤵
      PID:2704
  - - C:\Windows\system\SVCHOST.EXE
      C:\Windows\system\SVCHOST.EXE -s
      4⤵
      PID:2940
  - - C:\Windows\SysWOW64\EBRR.EXE
      C:\Windows\system32\EBRR.EXE -s
      4⤵
      PID:3020
  - - C:\Windows\SysWOW64\mmtask.exe
      C:\Windows\system32\mmtask.exe -s
      4⤵
      PID:828
  - - C:\Windows\SVCHOST.EXE
      C:\Windows\SVCHOST.EXE -s
      4⤵
      PID:1248
  - - C:\Windows\system\SVCHOST.EXE
      C:\Windows\system\SVCHOST.EXE -s
      4⤵
      PID:2888
  - - C:\Windows\SysWOW64\EBRR.EXE
      C:\Windows\system32\EBRR.EXE -s
      4⤵
      PID:2024
  - - C:\Windows\SysWOW64\mmtask.exe
      C:\Windows\system32\mmtask.exe -s
      4⤵
      PID:848
  - - C:\Windows\SVCHOST.EXE
      C:\Windows\SVCHOST.EXE -s
      4⤵
      PID:2088
  - - C:\Windows\system\SVCHOST.EXE
      C:\Windows\system\SVCHOST.EXE -s
      4⤵
      PID:1664
  - - C:\Windows\SysWOW64\EBRR.EXE
      C:\Windows\system32\EBRR.EXE -s
      4⤵
      PID:1804
  - - C:\Windows\SysWOW64\mmtask.exe
      C:\Windows\system32\mmtask.exe -s
      4⤵
      PID:1692
  - - C:\Windows\SVCHOST.EXE
      C:\Windows\SVCHOST.EXE -s
      4⤵
      PID:2232
  - - C:\Windows\system\SVCHOST.EXE
      C:\Windows\system\SVCHOST.EXE -s
      4⤵
      PID:1632
  - - C:\Windows\SysWOW64\EBRR.EXE
      C:\Windows\system32\EBRR.EXE -s
      4⤵
      PID:2884
  - - C:\Windows\SysWOW64\mmtask.exe
      C:\Windows\system32\mmtask.exe -s
      4⤵
      PID:2108
  - - C:\Windows\SVCHOST.EXE
      C:\Windows\SVCHOST.EXE -s
      4⤵
      PID:2240
  - - C:\Windows\system\SVCHOST.EXE
      C:\Windows\system\SVCHOST.EXE -s
      4⤵
      PID:2588
  - - C:\Windows\SysWOW64\EBRR.EXE
      C:\Windows\system32\EBRR.EXE -s
      4⤵
      PID:2920
  - - C:\Windows\SysWOW64\mmtask.exe
      C:\Windows\system32\mmtask.exe -s
      4⤵
      PID:1952
  - - C:\Windows\SVCHOST.EXE
      C:\Windows\SVCHOST.EXE -s
      4⤵
      PID:624
  - - C:\Windows\system\SVCHOST.EXE
      C:\Windows\system\SVCHOST.EXE -s
      4⤵
      PID:2664
  - - C:\Windows\SysWOW64\EBRR.EXE
      C:\Windows\system32\EBRR.EXE -s
      4⤵
      PID:1856
  - - C:\Windows\SysWOW64\mmtask.exe
      C:\Windows\system32\mmtask.exe -s
      4⤵
      PID:3064
  - - C:\Windows\SVCHOST.EXE
      C:\Windows\SVCHOST.EXE -s
      4⤵
      PID:872
  - - C:\Windows\system\SVCHOST.EXE
      C:\Windows\system\SVCHOST.EXE -s
      4⤵
      PID:2072
  - - C:\Windows\SysWOW64\EBRR.EXE
      C:\Windows\system32\EBRR.EXE -s
      4⤵
      PID:1016
  - - C:\Windows\SysWOW64\mmtask.exe
      C:\Windows\system32\mmtask.exe -s
      4⤵
      System Location Discovery: System Language Discovery
      PID:836
  - - C:\Windows\SVCHOST.EXE
      C:\Windows\SVCHOST.EXE -s
      4⤵
      PID:2168
  - - C:\Windows\system\SVCHOST.EXE
      C:\Windows\system\SVCHOST.EXE -s
      4⤵
      PID:2864
  - - C:\Windows\SysWOW64\EBRR.EXE
      C:\Windows\system32\EBRR.EXE -s
      4⤵
      PID:1536
  - - C:\Windows\SysWOW64\mmtask.exe
      C:\Windows\system32\mmtask.exe -s
      4⤵
      PID:2288
  - - C:\Windows\SVCHOST.EXE
      C:\Windows\SVCHOST.EXE -s
      4⤵
      PID:2268
  - - C:\Windows\system\SVCHOST.EXE
      C:\Windows\system\SVCHOST.EXE -s
      4⤵
      PID:808
  - - C:\Windows\SysWOW64\EBRR.EXE
      C:\Windows\system32\EBRR.EXE -s
      4⤵
      PID:2676
- - C:\Windows\SVCHOST.EXE
    C:\Windows\SVCHOST.EXE -s
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:3008
- - C:\Windows\system\SVCHOST.EXE
    C:\Windows\system\SVCHOST.EXE -s
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:2492
- - C:\Windows\SysWOW64\EBRR.EXE
    C:\Windows\system32\EBRR.EXE -s
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:2224
- - C:\Windows\SysWOW64\mmtask.exe
    C:\Windows\system32\mmtask.exe -s
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:1640
- - C:\Windows\SVCHOST.EXE
    C:\Windows\SVCHOST.EXE -s
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:1788
- - C:\Windows\system\SVCHOST.EXE
    C:\Windows\system\SVCHOST.EXE -s
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:2400
- - C:\Windows\SysWOW64\EBRR.EXE
    C:\Windows\system32\EBRR.EXE -s
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:2144
- - C:\Windows\SysWOW64\mmtask.exe
    C:\Windows\system32\mmtask.exe -s
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:2816
- - C:\Windows\SVCHOST.EXE
    C:\Windows\SVCHOST.EXE -s
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:2872
- - C:\Windows\system\SVCHOST.EXE
    C:\Windows\system\SVCHOST.EXE -s
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:2712
- - C:\Windows\SysWOW64\EBRR.EXE
    C:\Windows\system32\EBRR.EXE -s
    3⤵
    - Executes dropped EXE
    PID:2036
- - C:\Windows\SysWOW64\mmtask.exe
    C:\Windows\system32\mmtask.exe -s
    3⤵
    PID:1560
- - C:\Windows\SVCHOST.EXE
    C:\Windows\SVCHOST.EXE -s
    3⤵
    PID:2536
- - C:\Windows\system\SVCHOST.EXE
    C:\Windows\system\SVCHOST.EXE -s
    3⤵
    PID:2524
- - C:\Windows\SysWOW64\EBRR.EXE
    C:\Windows\system32\EBRR.EXE -s
    3⤵
    PID:2200
- - C:\Windows\SysWOW64\mmtask.exe
    C:\Windows\system32\mmtask.exe -s
    3⤵
    PID:2436
- - C:\Windows\SVCHOST.EXE
    C:\Windows\SVCHOST.EXE -s
    3⤵
    PID:2188
- - C:\Windows\system\SVCHOST.EXE
    C:\Windows\system\SVCHOST.EXE -s
    3⤵
    PID:1616
- - C:\Windows\SysWOW64\EBRR.EXE
    C:\Windows\system32\EBRR.EXE -s
    3⤵
    PID:2900
- - C:\Windows\SysWOW64\mmtask.exe
    C:\Windows\system32\mmtask.exe -s
    3⤵
    PID:2248
- - C:\Windows\SVCHOST.EXE
    C:\Windows\SVCHOST.EXE -s
    3⤵
    PID:2212
- - C:\Windows\system\SVCHOST.EXE
    C:\Windows\system\SVCHOST.EXE -s
    3⤵
    PID:672
- - C:\Windows\SysWOW64\EBRR.EXE
    C:\Windows\system32\EBRR.EXE -s
    3⤵
    PID:2756
- - C:\Windows\SysWOW64\mmtask.exe
    C:\Windows\system32\mmtask.exe -s
    3⤵
    PID:2068
- - C:\Windows\SVCHOST.EXE
    C:\Windows\SVCHOST.EXE -s
    3⤵
    PID:1980
- - C:\Windows\system\SVCHOST.EXE
    C:\Windows\system\SVCHOST.EXE -s
    3⤵
    PID:660
- - C:\Windows\SysWOW64\EBRR.EXE
    C:\Windows\system32\EBRR.EXE -s
    3⤵
    PID:2516
- - C:\Windows\SysWOW64\mmtask.exe
    C:\Windows\system32\mmtask.exe -s
    3⤵
    PID:1492
- - C:\Windows\SVCHOST.EXE
    C:\Windows\SVCHOST.EXE -s
    3⤵
    PID:2864
- - C:\Windows\system\SVCHOST.EXE
    C:\Windows\system\SVCHOST.EXE -s
    3⤵
    PID:2208
- - C:\Windows\SysWOW64\EBRR.EXE
    C:\Windows\system32\EBRR.EXE -s
    3⤵
    PID:2920
- - C:\Windows\SysWOW64\mmtask.exe
    C:\Windows\system32\mmtask.exe -s
    3⤵
    PID:1292
- - C:\Windows\SVCHOST.EXE
    C:\Windows\SVCHOST.EXE -s
    3⤵
    PID:3052
- - C:\Windows\system\SVCHOST.EXE
    C:\Windows\system\SVCHOST.EXE -s
    3⤵
    PID:1324
- - C:\Windows\SysWOW64\EBRR.EXE
    C:\Windows\system32\EBRR.EXE -s
    3⤵
    PID:3000
- - C:\Windows\SysWOW64\mmtask.exe
    C:\Windows\system32\mmtask.exe -s
    3⤵
    PID:2008
- - C:\Windows\SVCHOST.EXE
    C:\Windows\SVCHOST.EXE -s
    3⤵
    PID:2476
- - C:\Windows\system\SVCHOST.EXE
    C:\Windows\system\SVCHOST.EXE -s
    3⤵
    PID:3064
- - C:\Windows\SysWOW64\EBRR.EXE
    C:\Windows\system32\EBRR.EXE -s
    3⤵
    PID:2172
- - C:\Windows\SysWOW64\mmtask.exe
    C:\Windows\system32\mmtask.exe -s
    3⤵
    PID:584
- - C:\Windows\SVCHOST.EXE
    C:\Windows\SVCHOST.EXE -s
    3⤵
    PID:2400
- - C:\Windows\system\SVCHOST.EXE
    C:\Windows\system\SVCHOST.EXE -s
    3⤵
    PID:2516
- - C:\Windows\SysWOW64\EBRR.EXE
    C:\Windows\system32\EBRR.EXE -s
    3⤵
    PID:888
- - C:\Windows\SysWOW64\mmtask.exe
    C:\Windows\system32\mmtask.exe -s
    3⤵
    PID:2432
- - C:\Windows\SVCHOST.EXE
    C:\Windows\SVCHOST.EXE -s
    3⤵
    PID:1724
- - C:\Windows\system\SVCHOST.EXE
    C:\Windows\system\SVCHOST.EXE -s
    3⤵
    PID:2940
- - C:\Windows\SysWOW64\EBRR.EXE
    C:\Windows\system32\EBRR.EXE -s
    3⤵
    PID:2852
- - C:\Windows\SysWOW64\mmtask.exe
    C:\Windows\system32\mmtask.exe -s
    3⤵
    PID:2348
- - C:\Windows\SVCHOST.EXE
    C:\Windows\SVCHOST.EXE -s
    3⤵
    PID:1688
- - C:\Windows\system\SVCHOST.EXE
    C:\Windows\system\SVCHOST.EXE -s
    3⤵
    PID:3064
- - C:\Windows\SysWOW64\EBRR.EXE
    C:\Windows\system32\EBRR.EXE -s
    3⤵
    PID:2772
- - C:\Windows\SysWOW64\mmtask.exe
    C:\Windows\system32\mmtask.exe -s
    3⤵
    PID:2224
- - C:\Windows\SVCHOST.EXE
    C:\Windows\SVCHOST.EXE -s
    3⤵
    PID:1752
- - C:\Windows\system\SVCHOST.EXE
    C:\Windows\system\SVCHOST.EXE -s
    3⤵
    PID:1672
- - C:\Windows\SysWOW64\EBRR.EXE
    C:\Windows\system32\EBRR.EXE -s
    3⤵
    PID:2236
- - C:\Windows\SysWOW64\mmtask.exe
    C:\Windows\system32\mmtask.exe -s
    3⤵
    PID:2112
- - C:\Windows\SVCHOST.EXE
    C:\Windows\SVCHOST.EXE -s
    3⤵
    PID:2708
- - C:\Windows\system\SVCHOST.EXE
    C:\Windows\system\SVCHOST.EXE -s
    3⤵
    PID:2240
- - C:\Windows\SysWOW64\EBRR.EXE
    C:\Windows\system32\EBRR.EXE -s
    3⤵
    PID:2820
- - C:\Windows\SysWOW64\mmtask.exe
    C:\Windows\system32\mmtask.exe -s
    3⤵
    PID:2940
- - C:\Windows\SVCHOST.EXE
    C:\Windows\SVCHOST.EXE -s
    3⤵
    PID:1784
- - C:\Windows\system\SVCHOST.EXE
    C:\Windows\system\SVCHOST.EXE -s
    3⤵
    PID:1772
- - C:\Windows\SysWOW64\EBRR.EXE
    C:\Windows\system32\EBRR.EXE -s
    3⤵
    PID:3064
- - C:\Windows\SysWOW64\mmtask.exe
    C:\Windows\system32\mmtask.exe -s
    3⤵
    PID:2740
- - C:\Windows\SVCHOST.EXE
    C:\Windows\SVCHOST.EXE -s
    3⤵
    PID:1512
- - C:\Windows\system\SVCHOST.EXE
    C:\Windows\system\SVCHOST.EXE -s
    3⤵
    PID:2880
- - C:\Windows\SysWOW64\EBRR.EXE
    C:\Windows\system32\EBRR.EXE -s
    3⤵
    PID:1064
- - C:\Windows\SysWOW64\mmtask.exe
    C:\Windows\system32\mmtask.exe -s
    3⤵
    PID:548
- - C:\Windows\SVCHOST.EXE
    C:\Windows\SVCHOST.EXE -s
    3⤵
    PID:1692
- - C:\Windows\system\SVCHOST.EXE
    C:\Windows\system\SVCHOST.EXE -s
    3⤵
    PID:2404
- - C:\Windows\SysWOW64\EBRR.EXE
    C:\Windows\system32\EBRR.EXE -s
    3⤵
    PID:2688
- - C:\Windows\SysWOW64\mmtask.exe
    C:\Windows\system32\mmtask.exe -s
    3⤵
    PID:3020
- - C:\Windows\SVCHOST.EXE
    C:\Windows\SVCHOST.EXE -s
    3⤵
    PID:1044
- - C:\Windows\system\SVCHOST.EXE
    C:\Windows\system\SVCHOST.EXE -s
    3⤵
    PID:2328
- - C:\Windows\SysWOW64\EBRR.EXE
    C:\Windows\system32\EBRR.EXE -s
    3⤵
    PID:2664
- - C:\Windows\SysWOW64\mmtask.exe
    C:\Windows\system32\mmtask.exe -s
    3⤵
    PID:2348
- - C:\Windows\SVCHOST.EXE
    C:\Windows\SVCHOST.EXE -s
    3⤵
    PID:1320
- - C:\Windows\system\SVCHOST.EXE
    C:\Windows\system\SVCHOST.EXE -s
    3⤵
    PID:268
- - C:\Windows\SysWOW64\EBRR.EXE
    C:\Windows\system32\EBRR.EXE -s
    3⤵
    PID:2172
- - C:\Windows\SysWOW64\mmtask.exe
    C:\Windows\system32\mmtask.exe -s
    3⤵
    PID:2024
- - C:\Windows\SVCHOST.EXE
    C:\Windows\SVCHOST.EXE -s
    3⤵
    PID:752
- - C:\Windows\system\SVCHOST.EXE
    C:\Windows\system\SVCHOST.EXE -s
    3⤵
    PID:2864
- - C:\Windows\SysWOW64\EBRR.EXE
    C:\Windows\system32\EBRR.EXE -s
    3⤵
    PID:1732
- - C:\Windows\SysWOW64\mmtask.exe
    C:\Windows\system32\mmtask.exe -s
    3⤵
    PID:1988
- - C:\Windows\SVCHOST.EXE
    C:\Windows\SVCHOST.EXE -s
    3⤵
    PID:2776
- - C:\Windows\system\SVCHOST.EXE
    C:\Windows\system\SVCHOST.EXE -s
    3⤵
    PID:1288
- - C:\Windows\SysWOW64\EBRR.EXE
    C:\Windows\system32\EBRR.EXE -s
    3⤵
    PID:2124
- - C:\Windows\SysWOW64\mmtask.exe
    C:\Windows\system32\mmtask.exe -s
    3⤵
    PID:672
- - C:\Windows\SVCHOST.EXE
    C:\Windows\SVCHOST.EXE -s
    3⤵
    PID:2816
- - C:\Windows\system\SVCHOST.EXE
    C:\Windows\system\SVCHOST.EXE -s
    3⤵
    PID:1292
- - C:\Windows\SysWOW64\EBRR.EXE
    C:\Windows\system32\EBRR.EXE -s
    3⤵
    PID:3004
- - C:\Windows\SysWOW64\mmtask.exe
    C:\Windows\system32\mmtask.exe -s
    3⤵
    PID:1760
- - C:\Windows\SVCHOST.EXE
    C:\Windows\SVCHOST.EXE -s
    3⤵
    PID:2888
- - C:\Windows\system\SVCHOST.EXE
    C:\Windows\system\SVCHOST.EXE -s
    3⤵
    PID:2616
- - C:\Windows\SysWOW64\EBRR.EXE
    C:\Windows\system32\EBRR.EXE -s
    3⤵
    PID:1648
- - C:\Windows\SysWOW64\mmtask.exe
    C:\Windows\system32\mmtask.exe -s
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2168
- - C:\Windows\SVCHOST.EXE
    C:\Windows\SVCHOST.EXE -s
    3⤵
    PID:332
- - C:\Windows\system\SVCHOST.EXE
    C:\Windows\system\SVCHOST.EXE -s
    3⤵
    PID:1000
- - C:\Windows\SysWOW64\EBRR.EXE
    C:\Windows\system32\EBRR.EXE -s
    3⤵
    PID:2288
- - C:\Windows\SysWOW64\mmtask.exe
    C:\Windows\system32\mmtask.exe -s
    3⤵
    PID:1616
- - C:\Windows\SVCHOST.EXE
    C:\Windows\SVCHOST.EXE -s
    3⤵
    PID:1252
- - C:\Windows\system\SVCHOST.EXE
    C:\Windows\system\SVCHOST.EXE -s
    3⤵
    PID:2836
- - C:\Windows\SysWOW64\EBRR.EXE
    C:\Windows\system32\EBRR.EXE -s
    3⤵
    PID:2060
- - C:\Windows\SysWOW64\mmtask.exe
    C:\Windows\system32\mmtask.exe -s
    3⤵
    PID:304
- - C:\Windows\SVCHOST.EXE
    C:\Windows\SVCHOST.EXE -s
    3⤵
    PID:2708
- - C:\Windows\system\SVCHOST.EXE
    C:\Windows\system\SVCHOST.EXE -s
    3⤵
    PID:2520
- - C:\Windows\SysWOW64\EBRR.EXE
    C:\Windows\system32\EBRR.EXE -s
    3⤵
    PID:780
- - C:\Windows\SysWOW64\mmtask.exe
    C:\Windows\system32\mmtask.exe -s
    3⤵
    PID:1292
- - C:\Windows\SVCHOST.EXE
    C:\Windows\SVCHOST.EXE -s
    3⤵
    PID:1248
- - C:\Windows\system\SVCHOST.EXE
    C:\Windows\system\SVCHOST.EXE -s
    3⤵
    PID:3020
- - C:\Windows\SysWOW64\EBRR.EXE
    C:\Windows\system32\EBRR.EXE -s
    3⤵
    PID:3004
- - C:\Windows\SysWOW64\mmtask.exe
    C:\Windows\system32\mmtask.exe -s
    3⤵
    PID:2036
- - C:\Windows\SVCHOST.EXE
    C:\Windows\SVCHOST.EXE -s
    3⤵
    PID:2484
- - C:\Windows\system\SVCHOST.EXE
    C:\Windows\system\SVCHOST.EXE -s
    3⤵
    PID:340
- - C:\Windows\SysWOW64\EBRR.EXE
    C:\Windows\system32\EBRR.EXE -s
    3⤵
    PID:1576
- - C:\Windows\SysWOW64\mmtask.exe
    C:\Windows\system32\mmtask.exe -s
    3⤵
    PID:2168
- - C:\Windows\SVCHOST.EXE
    C:\Windows\SVCHOST.EXE -s
    3⤵
    PID:1052
- - C:\Windows\system\SVCHOST.EXE
    C:\Windows\system\SVCHOST.EXE -s
    3⤵
    PID:896
- - C:\Windows\SysWOW64\EBRR.EXE
    C:\Windows\system32\EBRR.EXE -s
    3⤵
    PID:1676
- - C:\Windows\SysWOW64\mmtask.exe
    C:\Windows\system32\mmtask.exe -s
    3⤵
    PID:2884
- - C:\Windows\SVCHOST.EXE
    C:\Windows\SVCHOST.EXE -s
    3⤵
    PID:1064
- - C:\Windows\system\SVCHOST.EXE
    C:\Windows\system\SVCHOST.EXE -s
    3⤵
    PID:2832
- - C:\Windows\SysWOW64\EBRR.EXE
    C:\Windows\system32\EBRR.EXE -s
    3⤵
    PID:2584
- - C:\Windows\SysWOW64\mmtask.exe
    C:\Windows\system32\mmtask.exe -s
    3⤵
    PID:2696
- - C:\Windows\SVCHOST.EXE
    C:\Windows\SVCHOST.EXE -s
    3⤵
    PID:2704
- - C:\Windows\system\SVCHOST.EXE
    C:\Windows\system\SVCHOST.EXE -s
    3⤵
    PID:2752
- - C:\Windows\SysWOW64\EBRR.EXE
    C:\Windows\system32\EBRR.EXE -s
    3⤵
    PID:3032
- - C:\Windows\SysWOW64\mmtask.exe
    C:\Windows\system32\mmtask.exe -s
    3⤵
    PID:1592
- - C:\Windows\SVCHOST.EXE
    C:\Windows\SVCHOST.EXE -s
    3⤵
    PID:2684
- - C:\Windows\system\SVCHOST.EXE
    C:\Windows\system\SVCHOST.EXE -s
    3⤵
    PID:1760
- - C:\Windows\SysWOW64\EBRR.EXE
    C:\Windows\system32\EBRR.EXE -s
    3⤵
    PID:2740
- - C:\Windows\SysWOW64\mmtask.exe
    C:\Windows\system32\mmtask.exe -s
    3⤵
    PID:572
- - C:\Windows\SVCHOST.EXE
    C:\Windows\SVCHOST.EXE -s
    3⤵
    PID:2200
- - C:\Windows\system\SVCHOST.EXE
    C:\Windows\system\SVCHOST.EXE -s
    3⤵
    PID:1536
- - C:\Windows\SysWOW64\EBRR.EXE
    C:\Windows\system32\EBRR.EXE -s
    3⤵
    PID:2516
- - C:\Windows\SysWOW64\mmtask.exe
    C:\Windows\system32\mmtask.exe -s
    3⤵
    PID:2188
- - C:\Windows\SVCHOST.EXE
    C:\Windows\SVCHOST.EXE -s
    3⤵
    PID:320
- - C:\Windows\system\SVCHOST.EXE
    C:\Windows\system\SVCHOST.EXE -s
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2028
- - C:\Windows\SysWOW64\EBRR.EXE
    C:\Windows\system32\EBRR.EXE -s
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2560
- - C:\Windows\SysWOW64\mmtask.exe
    C:\Windows\system32\mmtask.exe -s
    3⤵
    PID:2824
- - C:\Windows\SVCHOST.EXE
    C:\Windows\SVCHOST.EXE -s
    3⤵
    PID:844
- - C:\Windows\system\SVCHOST.EXE
    C:\Windows\system\SVCHOST.EXE -s
    3⤵
    PID:1504
- - C:\Windows\SysWOW64\EBRR.EXE
    C:\Windows\system32\EBRR.EXE -s
    3⤵
    PID:2712
- - C:\Windows\SysWOW64\mmtask.exe
    C:\Windows\system32\mmtask.exe -s
    3⤵
    PID:2992
- - C:\Windows\SVCHOST.EXE
    C:\Windows\SVCHOST.EXE -s
    3⤵
    PID:2640
- - C:\Windows\system\SVCHOST.EXE
    C:\Windows\system\SVCHOST.EXE -s
    3⤵
    PID:1852
- - C:\Windows\SysWOW64\EBRR.EXE
    C:\Windows\system32\EBRR.EXE -s
    3⤵
    PID:2180
- - C:\Windows\SysWOW64\mmtask.exe
    C:\Windows\system32\mmtask.exe -s
    3⤵
    PID:1052
- - C:\Windows\SVCHOST.EXE
    C:\Windows\SVCHOST.EXE -s
    3⤵
    PID:1748
- - C:\Windows\system\SVCHOST.EXE
    C:\Windows\system\SVCHOST.EXE -s
    3⤵
    PID:2216
- - C:\Windows\SysWOW64\EBRR.EXE
    C:\Windows\system32\EBRR.EXE -s
    3⤵
    PID:3044
- - C:\Windows\SysWOW64\mmtask.exe
    C:\Windows\system32\mmtask.exe -s
    3⤵
    PID:2836
- - C:\Windows\SVCHOST.EXE
    C:\Windows\SVCHOST.EXE -s
    3⤵
    PID:1288
- - C:\Windows\system\SVCHOST.EXE
    C:\Windows\system\SVCHOST.EXE -s
    3⤵
    PID:2636
- - C:\Windows\SysWOW64\EBRR.EXE
    C:\Windows\system32\EBRR.EXE -s
    3⤵
    PID:2912
- - C:\Windows\SysWOW64\mmtask.exe
    C:\Windows\system32\mmtask.exe -s
    3⤵
    PID:1772
- - C:\Windows\SVCHOST.EXE
    C:\Windows\SVCHOST.EXE -s
    3⤵
    PID:780
- - C:\Windows\system\SVCHOST.EXE
    C:\Windows\system\SVCHOST.EXE -s
    3⤵
    PID:2996
- - C:\Windows\SysWOW64\EBRR.EXE
    C:\Windows\system32\EBRR.EXE -s
    3⤵
    PID:2212
- - C:\Windows\SysWOW64\mmtask.exe
    C:\Windows\system32\mmtask.exe -s
    3⤵
    PID:2120
- - C:\Windows\SVCHOST.EXE
    C:\Windows\SVCHOST.EXE -s
    3⤵
    PID:2416
- - C:\Windows\system\SVCHOST.EXE
    C:\Windows\system\SVCHOST.EXE -s
    3⤵
    PID:1360
- - C:\Windows\SysWOW64\EBRR.EXE
    C:\Windows\system32\EBRR.EXE -s
    3⤵
    PID:2616
- - C:\Windows\SysWOW64\mmtask.exe
    C:\Windows\system32\mmtask.exe -s
    3⤵
    PID:3056
- - C:\Windows\SVCHOST.EXE
    C:\Windows\SVCHOST.EXE -s
    3⤵
    PID:1240
- - C:\Windows\system\SVCHOST.EXE
    C:\Windows\system\SVCHOST.EXE -s
    3⤵
    PID:1192
- - C:\Windows\SysWOW64\EBRR.EXE
    C:\Windows\system32\EBRR.EXE -s
    3⤵
    PID:2400
- - C:\Windows\SysWOW64\mmtask.exe
    C:\Windows\system32\mmtask.exe -s
    3⤵
    PID:484
- - C:\Windows\SVCHOST.EXE
    C:\Windows\SVCHOST.EXE -s
    3⤵
    PID:2776
- - C:\Windows\system\SVCHOST.EXE
    C:\Windows\system\SVCHOST.EXE -s
    3⤵
    PID:1720
- - C:\Windows\SysWOW64\EBRR.EXE
    C:\Windows\system32\EBRR.EXE -s
    3⤵
    PID:1584
- - C:\Windows\SysWOW64\mmtask.exe
    C:\Windows\system32\mmtask.exe -s
    3⤵
    PID:1048
- - C:\Windows\SVCHOST.EXE
    C:\Windows\SVCHOST.EXE -s
    3⤵
    PID:1844
- - C:\Windows\system\SVCHOST.EXE
    C:\Windows\system\SVCHOST.EXE -s
    3⤵
    PID:1960
- - C:\Windows\SysWOW64\EBRR.EXE
    C:\Windows\system32\EBRR.EXE -s
    3⤵
    PID:2348
- - C:\Windows\SysWOW64\mmtask.exe
    C:\Windows\system32\mmtask.exe -s
    3⤵
    PID:2132
- - C:\Windows\SVCHOST.EXE
    C:\Windows\SVCHOST.EXE -s
    3⤵
    PID:584
- - C:\Windows\system\SVCHOST.EXE
    C:\Windows\system\SVCHOST.EXE -s
    3⤵
    PID:1852
- - C:\Windows\SysWOW64\EBRR.EXE
    C:\Windows\system32\EBRR.EXE -s
    3⤵
    PID:924
- - C:\Windows\SysWOW64\mmtask.exe
    C:\Windows\system32\mmtask.exe -s
    3⤵
    PID:3056
- - C:\Windows\SVCHOST.EXE
    C:\Windows\SVCHOST.EXE -s
    3⤵
    PID:3016
- - C:\Windows\system\SVCHOST.EXE
    C:\Windows\system\SVCHOST.EXE -s
    3⤵
    PID:2596
- - C:\Windows\SysWOW64\EBRR.EXE
    C:\Windows\system32\EBRR.EXE -s
    3⤵
    PID:2188
- - C:\Windows\SysWOW64\mmtask.exe
    C:\Windows\system32\mmtask.exe -s
    3⤵
    PID:2268
- - C:\Windows\SVCHOST.EXE
    C:\Windows\SVCHOST.EXE -s
    3⤵
    PID:2904
- - C:\Windows\system\SVCHOST.EXE
    C:\Windows\system\SVCHOST.EXE -s
    3⤵
    PID:2520
- - C:\Windows\SysWOW64\EBRR.EXE
    C:\Windows\system32\EBRR.EXE -s
    3⤵
    PID:2912
- - C:\Windows\SysWOW64\mmtask.exe
    C:\Windows\system32\mmtask.exe -s
    3⤵
    PID:2296
- - C:\Windows\SVCHOST.EXE
    C:\Windows\SVCHOST.EXE -s
    3⤵
    PID:2840
- - C:\Windows\system\SVCHOST.EXE
    C:\Windows\system\SVCHOST.EXE -s
    3⤵
    PID:844
- - C:\Windows\SysWOW64\EBRR.EXE
    C:\Windows\system32\EBRR.EXE -s
    3⤵
    PID:2328
- - C:\Windows\SysWOW64\mmtask.exe
    C:\Windows\system32\mmtask.exe -s
    3⤵
    PID:2524
- - C:\Windows\SVCHOST.EXE
    C:\Windows\SVCHOST.EXE -s
    3⤵
    PID:1124
- - C:\Windows\system\SVCHOST.EXE
    C:\Windows\system\SVCHOST.EXE -s
    3⤵
    PID:3068
- - C:\Windows\SysWOW64\EBRR.EXE
    C:\Windows\system32\EBRR.EXE -s
    3⤵
    PID:1332
- - C:\Windows\SysWOW64\mmtask.exe
    C:\Windows\system32\mmtask.exe -s
    3⤵
    PID:2092
- - C:\Windows\SVCHOST.EXE
    C:\Windows\SVCHOST.EXE -s
    3⤵
    - System Location Discovery: System Language Discovery
    PID:332
- - C:\Windows\system\SVCHOST.EXE
    C:\Windows\system\SVCHOST.EXE -s
    3⤵
    PID:1936
- - C:\Windows\SysWOW64\EBRR.EXE
    C:\Windows\system32\EBRR.EXE -s
    3⤵
    PID:2108
- - C:\Windows\SysWOW64\mmtask.exe
    C:\Windows\system32\mmtask.exe -s
    3⤵
    PID:2580
- - C:\Windows\SVCHOST.EXE
    C:\Windows\SVCHOST.EXE -s
    3⤵
    PID:3052
- C:\Windows\SysWOW64\mmtask.exe
  C:\Windows\system32\mmtask.exe -s
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:448
- C:\Windows\SVCHOST.EXE
  C:\Windows\SVCHOST.EXE -s
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:752
- C:\Windows\system\SVCHOST.EXE
  C:\Windows\system\SVCHOST.EXE -s
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:1252
- C:\Windows\SysWOW64\EBRR.EXE
  C:\Windows\system32\EBRR.EXE -s
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:2948
- C:\Windows\SysWOW64\mmtask.exe
  C:\Windows\system32\mmtask.exe -s
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:2196
- C:\Windows\SVCHOST.EXE
  C:\Windows\SVCHOST.EXE -s
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:2896
- C:\Windows\system\SVCHOST.EXE
  C:\Windows\system\SVCHOST.EXE -s
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:2924
- C:\Windows\SysWOW64\EBRR.EXE
  C:\Windows\system32\EBRR.EXE -s
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:1244
- C:\Windows\SysWOW64\mmtask.exe
  C:\Windows\system32\mmtask.exe -s
  2⤵
  - Executes dropped EXE
  PID:2980
- C:\Windows\SVCHOST.EXE
  C:\Windows\SVCHOST.EXE -s
  2⤵
  PID:1636
- C:\Windows\system\SVCHOST.EXE
  C:\Windows\system\SVCHOST.EXE -s
  2⤵
  PID:2616
- C:\Windows\SysWOW64\EBRR.EXE
  C:\Windows\system32\EBRR.EXE -s
  2⤵
  PID:836
- C:\Windows\SysWOW64\mmtask.exe
  C:\Windows\system32\mmtask.exe -s
  2⤵
  PID:2640
- C:\Windows\SVCHOST.EXE
  C:\Windows\SVCHOST.EXE -s
  2⤵
  PID:1648
- C:\Windows\system\SVCHOST.EXE
  C:\Windows\system\SVCHOST.EXE -s
  2⤵
  PID:2108
- C:\Windows\SysWOW64\EBRR.EXE
  C:\Windows\system32\EBRR.EXE -s
  2⤵
  PID:2636
- C:\Windows\SysWOW64\mmtask.exe
  C:\Windows\system32\mmtask.exe -s
  2⤵
  PID:2912
- C:\Windows\SVCHOST.EXE
  C:\Windows\SVCHOST.EXE -s
  2⤵
  PID:2916
- C:\Windows\system\SVCHOST.EXE
  C:\Windows\system\SVCHOST.EXE -s
  2⤵
  PID:320
- C:\Windows\SysWOW64\EBRR.EXE
  C:\Windows\system32\EBRR.EXE -s
  2⤵
  PID:780
- C:\Windows\SysWOW64\mmtask.exe
  C:\Windows\system32\mmtask.exe -s
  2⤵
  PID:808
- C:\Windows\SVCHOST.EXE
  C:\Windows\SVCHOST.EXE -s
  2⤵
  PID:2736
- C:\Windows\system\SVCHOST.EXE
  C:\Windows\system\SVCHOST.EXE -s
  2⤵
  PID:1700
- C:\Windows\SysWOW64\EBRR.EXE
  C:\Windows\system32\EBRR.EXE -s
  2⤵
  PID:3008
- C:\Windows\SysWOW64\mmtask.exe
  C:\Windows\system32\mmtask.exe -s
  2⤵
  PID:2036
- C:\Windows\SVCHOST.EXE
  C:\Windows\SVCHOST.EXE -s
  2⤵
  PID:1560
- C:\Windows\system\SVCHOST.EXE
  C:\Windows\system\SVCHOST.EXE -s
  2⤵
  PID:3024
- C:\Windows\SysWOW64\EBRR.EXE
  C:\Windows\system32\EBRR.EXE -s
  2⤵
  PID:448
- C:\Windows\SysWOW64\mmtask.exe
  C:\Windows\system32\mmtask.exe -s
  2⤵
  PID:604
- C:\Windows\SVCHOST.EXE
  C:\Windows\SVCHOST.EXE -s
  2⤵
  PID:888
- C:\Windows\system\SVCHOST.EXE
  C:\Windows\system\SVCHOST.EXE -s
  2⤵
  PID:2112
- C:\Windows\SysWOW64\EBRR.EXE
  C:\Windows\system32\EBRR.EXE -s
  2⤵
  PID:1696
- C:\Windows\SysWOW64\mmtask.exe
  C:\Windows\system32\mmtask.exe -s
  2⤵
  PID:2384
- C:\Windows\SVCHOST.EXE
  C:\Windows\SVCHOST.EXE -s
  2⤵
  PID:2700
- C:\Windows\system\SVCHOST.EXE
  C:\Windows\system\SVCHOST.EXE -s
  2⤵
  PID:2248
- C:\Windows\SysWOW64\EBRR.EXE
  C:\Windows\system32\EBRR.EXE -s
  2⤵
  PID:1304
- C:\Windows\SysWOW64\mmtask.exe
  C:\Windows\system32\mmtask.exe -s
  2⤵
  PID:3060
- C:\Windows\SVCHOST.EXE
  C:\Windows\SVCHOST.EXE -s
  2⤵
  PID:1908
- C:\Windows\system\SVCHOST.EXE
  C:\Windows\system\SVCHOST.EXE -s
  2⤵
  PID:2036
- C:\Windows\SysWOW64\EBRR.EXE
  C:\Windows\system32\EBRR.EXE -s
  2⤵
  PID:2660
- C:\Windows\SysWOW64\mmtask.exe
  C:\Windows\system32\mmtask.exe -s
  2⤵
  PID:2232
- C:\Windows\SVCHOST.EXE
  C:\Windows\SVCHOST.EXE -s
  2⤵
  PID:1732
- C:\Windows\system\SVCHOST.EXE
  C:\Windows\system\SVCHOST.EXE -s
  2⤵
  PID:1988
- C:\Windows\SysWOW64\EBRR.EXE
  C:\Windows\system32\EBRR.EXE -s
  2⤵
  PID:2080
- C:\Windows\SysWOW64\mmtask.exe
  C:\Windows\system32\mmtask.exe -s
  2⤵
  PID:2576
- C:\Windows\SVCHOST.EXE
  C:\Windows\SVCHOST.EXE -s
  2⤵
  PID:2908
- C:\Windows\system\SVCHOST.EXE
  C:\Windows\system\SVCHOST.EXE -s
  2⤵
  PID:2824
- C:\Windows\SysWOW64\EBRR.EXE
  C:\Windows\system32\EBRR.EXE -s
  2⤵
  PID:2716
- C:\Windows\SysWOW64\mmtask.exe
  C:\Windows\system32\mmtask.exe -s
  2⤵
  PID:1236
- C:\Windows\SVCHOST.EXE
  C:\Windows\SVCHOST.EXE -s
  2⤵
  PID:2664
- C:\Windows\system\SVCHOST.EXE
  C:\Windows\system\SVCHOST.EXE -s
  2⤵
  PID:1852
- C:\Windows\SysWOW64\EBRR.EXE
  C:\Windows\system32\EBRR.EXE -s
  2⤵
  PID:756
- C:\Windows\SysWOW64\mmtask.exe
  C:\Windows\system32\mmtask.exe -s
  2⤵
  PID:2360
- C:\Windows\SVCHOST.EXE
  C:\Windows\SVCHOST.EXE -s
  2⤵
  PID:1332
- C:\Windows\system\SVCHOST.EXE
  C:\Windows\system\SVCHOST.EXE -s
  2⤵
  PID:2660
- C:\Windows\SysWOW64\EBRR.EXE
  C:\Windows\system32\EBRR.EXE -s
  2⤵
  PID:2388
- C:\Windows\SysWOW64\mmtask.exe
  C:\Windows\system32\mmtask.exe -s
  2⤵
  PID:1632
- C:\Windows\SVCHOST.EXE
  C:\Windows\SVCHOST.EXE -s
  2⤵
  PID:2844
- C:\Windows\system\SVCHOST.EXE
  C:\Windows\system\SVCHOST.EXE -s
  2⤵
  PID:2988
- C:\Windows\SysWOW64\EBRR.EXE
  C:\Windows\system32\EBRR.EXE -s
  2⤵
  PID:844
- C:\Windows\SysWOW64\mmtask.exe
  C:\Windows\system32\mmtask.exe -s
  2⤵
  PID:1828
- C:\Windows\SVCHOST.EXE
  C:\Windows\SVCHOST.EXE -s
  2⤵
  PID:1152
- C:\Windows\system\SVCHOST.EXE
  C:\Windows\system\SVCHOST.EXE -s
  2⤵
  PID:1908
- C:\Windows\SysWOW64\EBRR.EXE
  C:\Windows\system32\EBRR.EXE -s
  2⤵
  PID:572
- C:\Windows\SysWOW64\mmtask.exe
  C:\Windows\system32\mmtask.exe -s
  2⤵
  PID:2360
- C:\Windows\SVCHOST.EXE
  C:\Windows\SVCHOST.EXE -s
  2⤵
  PID:836
- C:\Windows\system\SVCHOST.EXE
  C:\Windows\system\SVCHOST.EXE -s
  2⤵
  PID:1340
- C:\Windows\SysWOW64\EBRR.EXE
  C:\Windows\system32\EBRR.EXE -s
  2⤵
  PID:1916
- C:\Windows\SysWOW64\mmtask.exe
  C:\Windows\system32\mmtask.exe -s
  2⤵
  PID:2388
- C:\Windows\SVCHOST.EXE
  C:\Windows\SVCHOST.EXE -s
  2⤵
  PID:2984
- C:\Windows\system\SVCHOST.EXE
  C:\Windows\system\SVCHOST.EXE -s
  2⤵
  PID:3044
- C:\Windows\SysWOW64\EBRR.EXE
  C:\Windows\system32\EBRR.EXE -s
  2⤵
  PID:2840
- C:\Windows\SysWOW64\mmtask.exe
  C:\Windows\system32\mmtask.exe -s
  2⤵
  PID:2240
- C:\Windows\SVCHOST.EXE
  C:\Windows\SVCHOST.EXE -s
  2⤵
  PID:1504
- C:\Windows\system\SVCHOST.EXE
  C:\Windows\system\SVCHOST.EXE -s
  2⤵
  PID:808
- C:\Windows\SysWOW64\EBRR.EXE
  C:\Windows\system32\EBRR.EXE -s
  2⤵
  PID:1236
- C:\Windows\SysWOW64\mmtask.exe
  C:\Windows\system32\mmtask.exe -s
  2⤵
  PID:2888
- C:\Windows\SVCHOST.EXE
  C:\Windows\SVCHOST.EXE -s
  2⤵
  PID:1708
- C:\Windows\system\SVCHOST.EXE
  C:\Windows\system\SVCHOST.EXE -s
  2⤵
  PID:3040
- C:\Windows\SysWOW64\EBRR.EXE
  C:\Windows\system32\EBRR.EXE -s
  2⤵
  PID:1808
- C:\Windows\SysWOW64\mmtask.exe
  C:\Windows\system32\mmtask.exe -s
  2⤵
  PID:2360
- C:\Windows\SVCHOST.EXE
  C:\Windows\SVCHOST.EXE -s
  2⤵
  PID:2140
- C:\Windows\system\SVCHOST.EXE
  C:\Windows\system\SVCHOST.EXE -s
  2⤵
  PID:1788
- C:\Windows\SysWOW64\EBRR.EXE
  C:\Windows\system32\EBRR.EXE -s
  2⤵
  PID:888
- C:\Windows\SysWOW64\mmtask.exe
  C:\Windows\system32\mmtask.exe -s
  2⤵
  PID:2576
- C:\Windows\SVCHOST.EXE
  C:\Windows\SVCHOST.EXE -s
  2⤵
  PID:2260
- C:\Windows\system\SVCHOST.EXE
  C:\Windows\system\SVCHOST.EXE -s
  2⤵
  PID:1696
- C:\Windows\SysWOW64\EBRR.EXE
  C:\Windows\system32\EBRR.EXE -s
  2⤵
  PID:2764
- C:\Windows\SysWOW64\mmtask.exe
  C:\Windows\system32\mmtask.exe -s
  2⤵
  PID:2704
- C:\Windows\SVCHOST.EXE
  C:\Windows\SVCHOST.EXE -s
  2⤵
  PID:300
- C:\Windows\system\SVCHOST.EXE
  C:\Windows\system\SVCHOST.EXE -s
  2⤵
  PID:2900
- C:\Windows\SysWOW64\EBRR.EXE
  C:\Windows\system32\EBRR.EXE -s
  2⤵
  PID:2668
- C:\Windows\SysWOW64\mmtask.exe
  C:\Windows\system32\mmtask.exe -s
  2⤵
  PID:1980
- C:\Windows\SVCHOST.EXE
  C:\Windows\SVCHOST.EXE -s
  2⤵
  PID:828
- C:\Windows\system\SVCHOST.EXE
  C:\Windows\system\SVCHOST.EXE -s
  2⤵
  PID:2000
- C:\Windows\SysWOW64\EBRR.EXE
  C:\Windows\system32\EBRR.EXE -s
  2⤵
  PID:2376
- C:\Windows\SysWOW64\mmtask.exe
  C:\Windows\system32\mmtask.exe -s
  2⤵
  PID:1280
- C:\Windows\SVCHOST.EXE
  C:\Windows\SVCHOST.EXE -s
  2⤵
  PID:1716
- C:\Windows\system\SVCHOST.EXE
  C:\Windows\system\SVCHOST.EXE -s
  2⤵
  PID:584
- C:\Windows\SysWOW64\EBRR.EXE
  C:\Windows\system32\EBRR.EXE -s
  2⤵
  PID:2516
- C:\Windows\SysWOW64\mmtask.exe
  C:\Windows\system32\mmtask.exe -s
  2⤵
  PID:2204
- C:\Windows\SVCHOST.EXE
  C:\Windows\SVCHOST.EXE -s
  2⤵
  PID:536
- C:\Windows\system\SVCHOST.EXE
  C:\Windows\system\SVCHOST.EXE -s
  2⤵
  PID:760
- C:\Windows\SysWOW64\EBRR.EXE
  C:\Windows\system32\EBRR.EXE -s
  2⤵
  PID:2944
- C:\Windows\SysWOW64\mmtask.exe
  C:\Windows\system32\mmtask.exe -s
  2⤵
  PID:2792
- C:\Windows\SVCHOST.EXE
  C:\Windows\SVCHOST.EXE -s
  2⤵
  PID:2688
- C:\Windows\system\SVCHOST.EXE
  C:\Windows\system\SVCHOST.EXE -s
  2⤵
  PID:2076
- C:\Windows\SysWOW64\EBRR.EXE
  C:\Windows\system32\EBRR.EXE -s
  2⤵
  PID:2716
- C:\Windows\SysWOW64\mmtask.exe
  C:\Windows\system32\mmtask.exe -s
  2⤵
  PID:2512
- C:\Windows\SVCHOST.EXE
  C:\Windows\SVCHOST.EXE -s
  2⤵
  PID:1852
- C:\Windows\system\SVCHOST.EXE
  C:\Windows\system\SVCHOST.EXE -s
  2⤵
  PID:1996
- C:\Windows\SysWOW64\EBRR.EXE
  C:\Windows\system32\EBRR.EXE -s
  2⤵
  PID:1508
- C:\Windows\SysWOW64\mmtask.exe
  C:\Windows\system32\mmtask.exe -s
  2⤵
  PID:1016
- C:\Windows\SVCHOST.EXE
  C:\Windows\SVCHOST.EXE -s
  2⤵
  PID:572
- C:\Windows\system\SVCHOST.EXE
  C:\Windows\system\SVCHOST.EXE -s
  2⤵
  PID:2200
- C:\Windows\SysWOW64\EBRR.EXE
  C:\Windows\system32\EBRR.EXE -s
  2⤵
  PID:1916
- C:\Windows\SysWOW64\mmtask.exe
  C:\Windows\system32\mmtask.exe -s
  2⤵
  PID:1944
- C:\Windows\SVCHOST.EXE
  C:\Windows\SVCHOST.EXE -s
  2⤵
  PID:2800
- C:\Windows\system\SVCHOST.EXE
  C:\Windows\system\SVCHOST.EXE -s
  2⤵
  PID:2112
- C:\Windows\SysWOW64\EBRR.EXE
  C:\Windows\system32\EBRR.EXE -s
  2⤵
  PID:2624
- C:\Windows\SysWOW64\mmtask.exe
  C:\Windows\system32\mmtask.exe -s
  2⤵
  PID:2828
- C:\Windows\SVCHOST.EXE
  C:\Windows\SVCHOST.EXE -s
  2⤵
  PID:3052
- C:\Windows\system\SVCHOST.EXE
  C:\Windows\system\SVCHOST.EXE -s
  2⤵
  PID:2792
- C:\Windows\SysWOW64\EBRR.EXE
  C:\Windows\system32\EBRR.EXE -s
  2⤵
  PID:660
- C:\Windows\SysWOW64\mmtask.exe
  C:\Windows\system32\mmtask.exe -s
  2⤵
  PID:1856
- C:\Windows\SVCHOST.EXE
  C:\Windows\SVCHOST.EXE -s
  2⤵
  PID:1272
- C:\Windows\system\SVCHOST.EXE
  C:\Windows\system\SVCHOST.EXE -s
  2⤵
  PID:3048
- C:\Windows\SysWOW64\EBRR.EXE
  C:\Windows\system32\EBRR.EXE -s
  2⤵
  PID:2136
- C:\Windows\SysWOW64\mmtask.exe
  C:\Windows\system32\mmtask.exe -s
  2⤵
  PID:1016
- C:\Windows\SVCHOST.EXE
  C:\Windows\SVCHOST.EXE -s
  2⤵
  PID:2224
- C:\Windows\system\SVCHOST.EXE
  C:\Windows\system\SVCHOST.EXE -s
  2⤵
  PID:2436
- C:\Windows\SysWOW64\EBRR.EXE
  C:\Windows\system32\EBRR.EXE -s
  2⤵
  PID:2152
- C:\Windows\SysWOW64\mmtask.exe
  C:\Windows\system32\mmtask.exe -s
  2⤵
  PID:1916
- C:\Windows\SVCHOST.EXE
  C:\Windows\SVCHOST.EXE -s
  2⤵
  PID:548
- C:\Windows\system\SVCHOST.EXE
  C:\Windows\system\SVCHOST.EXE -s
  2⤵
  PID:2984
- C:\Windows\SysWOW64\EBRR.EXE
  C:\Windows\system32\EBRR.EXE -s
  2⤵
  PID:2732
- C:\Windows\SysWOW64\mmtask.exe
  C:\Windows\system32\mmtask.exe -s
  2⤵
  PID:2624
- C:\Windows\SVCHOST.EXE
  C:\Windows\SVCHOST.EXE -s
  2⤵
  PID:780
- C:\Windows\system\SVCHOST.EXE
  C:\Windows\system\SVCHOST.EXE -s
  2⤵
  PID:300
- C:\Windows\SysWOW64\EBRR.EXE
  C:\Windows\system32\EBRR.EXE -s
  2⤵
  PID:1248
- C:\Windows\SysWOW64\mmtask.exe
  C:\Windows\system32\mmtask.exe -s
  2⤵
  PID:3032
- C:\Windows\SVCHOST.EXE
  C:\Windows\SVCHOST.EXE -s
  2⤵
  PID:1440
- C:\Windows\system\SVCHOST.EXE
  C:\Windows\system\SVCHOST.EXE -s
  2⤵
  PID:2476
- C:\Windows\SysWOW64\EBRR.EXE
  C:\Windows\system32\EBRR.EXE -s
  2⤵
  PID:1512
- C:\Windows\SysWOW64\mmtask.exe
  C:\Windows\system32\mmtask.exe -s
  2⤵
  PID:848
- C:\Windows\SVCHOST.EXE
  C:\Windows\SVCHOST.EXE -s
  2⤵
  PID:572
- C:\Windows\system\SVCHOST.EXE
  C:\Windows\system\SVCHOST.EXE -s
  2⤵
  PID:1668
- C:\Windows\SysWOW64\EBRR.EXE
  C:\Windows\system32\EBRR.EXE -s
  2⤵
  PID:1804
- C:\Windows\SysWOW64\mmtask.exe
  C:\Windows\system32\mmtask.exe -s
  2⤵
  PID:2340
- C:\Windows\SVCHOST.EXE
  C:\Windows\SVCHOST.EXE -s
  2⤵
  PID:980
- C:\Windows\system\SVCHOST.EXE
  C:\Windows\system\SVCHOST.EXE -s
  2⤵
  PID:2220
- C:\Windows\SysWOW64\EBRR.EXE
  C:\Windows\system32\EBRR.EXE -s
  2⤵
  PID:1696
- C:\Windows\SysWOW64\mmtask.exe
  C:\Windows\system32\mmtask.exe -s
  2⤵
  PID:2096
- C:\Windows\SVCHOST.EXE
  C:\Windows\SVCHOST.EXE -s
  2⤵
  PID:1960
- C:\Windows\system\SVCHOST.EXE
  C:\Windows\system\SVCHOST.EXE -s
  2⤵
  PID:2952
- C:\Windows\SysWOW64\EBRR.EXE
  C:\Windows\system32\EBRR.EXE -s
  2⤵
  PID:3036
- C:\Windows\SysWOW64\mmtask.exe
  C:\Windows\system32\mmtask.exe -s
  2⤵
  PID:2496
- C:\Windows\SVCHOST.EXE
  C:\Windows\SVCHOST.EXE -s
  2⤵
  PID:2712
- C:\Windows\system\SVCHOST.EXE
  C:\Windows\system\SVCHOST.EXE -s
  2⤵
  PID:1996
- C:\Windows\SysWOW64\EBRR.EXE
  C:\Windows\system32\EBRR.EXE -s
  2⤵
  PID:2376
- C:\Windows\SysWOW64\mmtask.exe
  C:\Windows\system32\mmtask.exe -s
  2⤵
  PID:2968
- C:\Windows\SVCHOST.EXE
  C:\Windows\SVCHOST.EXE -s
  2⤵
  PID:2364
- C:\Windows\system\SVCHOST.EXE
  C:\Windows\system\SVCHOST.EXE -s
  2⤵
  PID:2164
- C:\Windows\SysWOW64\EBRR.EXE
  C:\Windows\system32\EBRR.EXE -s
  2⤵
  PID:1052
- C:\Windows\SysWOW64\mmtask.exe
  C:\Windows\system32\mmtask.exe -s
  2⤵
  PID:1788
- C:\Windows\SVCHOST.EXE
  C:\Windows\SVCHOST.EXE -s
  2⤵
  PID:2884
- C:\Windows\system\SVCHOST.EXE
  C:\Windows\system\SVCHOST.EXE -s
  2⤵
  PID:1484
- C:\Windows\SysWOW64\EBRR.EXE
  C:\Windows\system32\EBRR.EXE -s
  2⤵
  PID:2836
- C:\Windows\SysWOW64\mmtask.exe
  C:\Windows\system32\mmtask.exe -s
  2⤵
  PID:2588
- C:\Windows\SVCHOST.EXE
  C:\Windows\SVCHOST.EXE -s
  2⤵
  PID:3052
- C:\Windows\system\SVCHOST.EXE
  C:\Windows\system\SVCHOST.EXE -s
  2⤵
  PID:2584
- C:\Windows\SysWOW64\EBRR.EXE
  C:\Windows\system32\EBRR.EXE -s
  2⤵
  PID:624
- C:\Windows\SysWOW64\mmtask.exe
  C:\Windows\system32\mmtask.exe -s
  2⤵
  PID:2664
- C:\Windows\SVCHOST.EXE
  C:\Windows\SVCHOST.EXE -s
  2⤵
  PID:2144
- C:\Windows\system\SVCHOST.EXE
  C:\Windows\system\SVCHOST.EXE -s
  2⤵
  PID:2972
- C:\Windows\SysWOW64\EBRR.EXE
  C:\Windows\system32\EBRR.EXE -s
  2⤵
  PID:2512
- C:\Windows\SysWOW64\mmtask.exe
  C:\Windows\system32\mmtask.exe -s
  2⤵
  PID:1280
- C:\Windows\SVCHOST.EXE
  C:\Windows\SVCHOST.EXE -s
  2⤵
  PID:332
- C:\Windows\system\SVCHOST.EXE
  C:\Windows\system\SVCHOST.EXE -s
  2⤵
  PID:2316
- C:\Windows\SysWOW64\EBRR.EXE
  C:\Windows\system32\EBRR.EXE -s
  2⤵
  PID:2288
- C:\Windows\SysWOW64\mmtask.exe
  C:\Windows\system32\mmtask.exe -s
  2⤵
  PID:1676
- C:\Windows\SVCHOST.EXE
  C:\Windows\SVCHOST.EXE -s
  2⤵
  PID:2820
- C:\Windows\system\SVCHOST.EXE
  C:\Windows\system\SVCHOST.EXE -s
  2⤵
  PID:1036
- C:\Windows\SysWOW64\EBRR.EXE
  C:\Windows\system32\EBRR.EXE -s
  2⤵
  PID:2260
- C:\Windows\SysWOW64\mmtask.exe
  C:\Windows\system32\mmtask.exe -s
  2⤵
  PID:2756
- C:\Windows\SVCHOST.EXE
  C:\Windows\SVCHOST.EXE -s
  2⤵
  PID:1540
- C:\Windows\system\SVCHOST.EXE
  C:\Windows\system\SVCHOST.EXE -s
  2⤵
  PID:1256
- C:\Windows\SysWOW64\EBRR.EXE
  C:\Windows\system32\EBRR.EXE -s
  2⤵
  PID:2916
- C:\Windows\SysWOW64\mmtask.exe
  C:\Windows\system32\mmtask.exe -s
  2⤵
  PID:2640
- C:\Windows\SVCHOST.EXE
  C:\Windows\SVCHOST.EXE -s
  2⤵
  PID:2616
- C:\Windows\system\SVCHOST.EXE
  C:\Windows\system\SVCHOST.EXE -s
  2⤵
  PID:576
- C:\Windows\SysWOW64\EBRR.EXE
  C:\Windows\system32\EBRR.EXE -s
  2⤵
  PID:572
- C:\Windows\SysWOW64\mmtask.exe
  C:\Windows\system32\mmtask.exe -s
  2⤵
  PID:976
- C:\Windows\SVCHOST.EXE
  C:\Windows\SVCHOST.EXE -s
  2⤵
  PID:2012
- C:\Windows\system\SVCHOST.EXE
  C:\Windows\system\SVCHOST.EXE -s
  2⤵
  PID:2216
- C:\Windows\SysWOW64\EBRR.EXE
  C:\Windows\system32\EBRR.EXE -s
  2⤵
  PID:1944
- C:\Windows\SysWOW64\mmtask.exe
  C:\Windows\system32\mmtask.exe -s
  2⤵
  PID:2788
- C:\Windows\SVCHOST.EXE
  C:\Windows\SVCHOST.EXE -s
  2⤵
  PID:1752
- C:\Windows\system\SVCHOST.EXE
  C:\Windows\system\SVCHOST.EXE -s
  2⤵
  PID:2248
- C:\Windows\SysWOW64\EBRR.EXE
  C:\Windows\system32\EBRR.EXE -s
  2⤵
  PID:1060
- C:\Windows\SysWOW64\mmtask.exe
  C:\Windows\system32\mmtask.exe -s
  2⤵
  PID:1968
- C:\Windows\SVCHOST.EXE
  C:\Windows\SVCHOST.EXE -s
  2⤵
  PID:2240
- C:\Windows\system\SVCHOST.EXE
  C:\Windows\system\SVCHOST.EXE -s
  2⤵
  PID:3012
- C:\Windows\SysWOW64\EBRR.EXE
  C:\Windows\system32\EBRR.EXE -s
  2⤵
  PID:2584

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
- Modifies Internet Explorer settings
- Modifies registry class
PID:2592

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Winlogon Helper DLL

T1547.004

Event Triggered Execution

T1546

Change Default File Association

T1546.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Winlogon Helper DLL

T1547.004

Event Triggered Execution

T1546

Change Default File Association

T1546.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\11946e09bb85703d3e6e7f78d3f123f0e68f03759f005d118886478ad14aa9dfN\Cantik.bmp

Filesize
64KB

MD5
7ab9246655e40e5d922e1f92560128f5

SHA1
a989d0611485d2429f5b33a4124126415b02390f

SHA256
3ed10a9452b56114f9f6fb3f65f02e8d6b906897271793e4b410c08e3bde9772

SHA512
3fe741419bc727d23f18b0979dbadeaa69d418a7f290c816afaf2c4eabd1475ff4f7b543ea699e93f0dce96592e058a55e7a9f0aa3094c200a863df40c4b2c50

Download Submit
C:\Windows\SVCHOST.EXE

Filesize
92KB

MD5
c78b8333c12399c1047732e0bc87e5e4

SHA1
beeed5acb917706539657548f4ff938dc7fa97e5

SHA256
218a49fbaf78c78385cdd4ebcf7e7a29e796675916c85655216e705420156f6b

SHA512
58d66f7d47d46ffda48799c8acca15320063fa2b7ebd4160ecccf388a63410d7da24003219c56c89653fb8969ee543e45caaaec14b2ef8b493b5ba276299b63b

Download Submit
C:\Windows\SysWOW64\mmtask.exe

Filesize
92KB

MD5
09c5b2aba7178438f62b37406702fa18

SHA1
b9a329b51560d4b10619ad4a7e994a5ba405a741

SHA256
0aa97f2391bcf26c1fc5e9e188d8baa797d49572b2e670fbf8604eed3d0df2a0

SHA512
4116f8d0d912b59264de91aa9264b8f1af681dd8143333ae5fcfdd3cab9274668dafff8cd83d6b15d155e0285ab94aacd512d198ec68a4dbdde7dd87bfdb47e6

Download Submit
\Windows\SysWOW64\EBRR.EXE

Filesize
92KB

MD5
9336c0f18b2b9be3f0e9b303f41d1c8f

SHA1
bd5ce24f9c12f7f3ff2056355dcd26ff0513edc6

SHA256
0c4bdfa821f18cc467f445d876ec897f1beb44170f963bf8a2935c7560bb7f11

SHA512
57e6b5439912776a8dd798c15284cc04e1c07a7479d305cc4d318a80a5e74c2349e0a52fcd80e0720ab319a11fa16f6f630bc7d22829c8e4fc6db822f2a7f2d2

Download Submit
\Windows\system\SVCHOST.EXE

Filesize
92KB

MD5
752a0b32f10a8ee9afe70499e2f47480

SHA1
6c26e4aa292dd9a2bff48685ce15c99e4423d894

SHA256
eaff210dc351a3eac0c5b60b748e396a80018af676cdee58e9147d9e4ddcba92

SHA512
5494eb024bd199fbc7952f9851acdab3ee98ce2877ff7bb6c6b2e1bee06a98967e1d0dea379b5a959545f42892f29b8b4975afe8beefe85cc1684aa9728a4e13

Download Submit
memory/300-719-0x00000000001B0000-0x00000000001C0000-memory.dmp

Filesize
64KB

Download
memory/340-1666-0x0000000000220000-0x0000000000230000-memory.dmp

Filesize
64KB

Download
memory/448-211-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/484-31-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/484-24-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/536-1555-0x0000000077390000-0x00000000774AF000-memory.dmp

Filesize
1.1MB

Download
memory/536-1396-0x0000000077390000-0x00000000774AF000-memory.dmp

Filesize
1.1MB

Download
memory/536-1397-0x00000000774B0000-0x00000000775AA000-memory.dmp

Filesize
1000KB

Download
memory/752-235-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/844-100-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/844-92-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/872-221-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1028-166-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1124-2465-0x00000000001F0000-0x0000000000200000-memory.dmp

Filesize
64KB

Download
memory/1124-2464-0x00000000001F0000-0x0000000000200000-memory.dmp

Filesize
64KB

Download
memory/1152-751-0x0000000000220000-0x0000000000230000-memory.dmp

Filesize
64KB

Download
memory/1192-226-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1192-230-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1252-229-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1320-1662-0x0000000000260000-0x0000000000270000-memory.dmp

Filesize
64KB

Download
memory/1592-2143-0x00000000002A0000-0x00000000002B0000-memory.dmp

Filesize
64KB

Download
memory/1592-2142-0x00000000002A0000-0x00000000002B0000-memory.dmp

Filesize
64KB

Download
memory/1636-153-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1636-149-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1640-236-0x0000000000220000-0x0000000000230000-memory.dmp

Filesize
64KB

Download
memory/1640-244-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1640-238-0x0000000000220000-0x0000000000230000-memory.dmp

Filesize
64KB

Download
memory/1648-1510-0x0000000000220000-0x0000000000230000-memory.dmp

Filesize
64KB

Download
memory/1672-1004-0x0000000000220000-0x0000000000230000-memory.dmp

Filesize
64KB

Download
memory/1672-1006-0x0000000000220000-0x0000000000230000-memory.dmp

Filesize
64KB

Download
memory/1708-1831-0x0000000000220000-0x0000000000230000-memory.dmp

Filesize
64KB

Download
memory/1708-1830-0x0000000000220000-0x0000000000230000-memory.dmp

Filesize
64KB

Download
memory/1708-542-0x0000000000230000-0x0000000000240000-memory.dmp

Filesize
64KB

Download
memory/1788-245-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1788-242-0x0000000000280000-0x0000000000290000-memory.dmp

Filesize
64KB

Download
memory/1788-243-0x0000000000280000-0x0000000000290000-memory.dmp

Filesize
64KB

Download
memory/1804-257-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1820-125-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1856-213-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1928-177-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1968-135-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1996-2147-0x0000000000220000-0x0000000000230000-memory.dmp

Filesize
64KB

Download
memory/2012-216-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2028-1906-0x0000000000220000-0x0000000000230000-memory.dmp

Filesize
64KB

Download
memory/2028-1907-0x0000000000220000-0x0000000000230000-memory.dmp

Filesize
64KB

Download
memory/2128-998-0x0000000000220000-0x0000000000230000-memory.dmp

Filesize
64KB

Download
memory/2128-997-0x0000000000220000-0x0000000000230000-memory.dmp

Filesize
64KB

Download
memory/2168-224-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2168-220-0x00000000001B0000-0x00000000001C0000-memory.dmp

Filesize
64KB

Download
memory/2168-218-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2180-233-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2180-202-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2196-284-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2224-225-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2232-241-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2232-248-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2232-2373-0x0000000000220000-0x0000000000230000-memory.dmp

Filesize
64KB

Download
memory/2232-2372-0x0000000000220000-0x0000000000230000-memory.dmp

Filesize
64KB

Download
memory/2364-569-0x00000000001B0000-0x00000000001C0000-memory.dmp

Filesize
64KB

Download
memory/2364-570-0x00000000001B0000-0x00000000001C0000-memory.dmp

Filesize
64KB

Download
memory/2376-240-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2392-215-0x00000000003E0000-0x00000000003FF000-memory.dmp

Filesize
124KB

Download
memory/2392-252-0x00000000003E0000-0x00000000003FF000-memory.dmp

Filesize
124KB

Download
memory/2392-0-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2392-15-0x00000000003E0000-0x00000000003FF000-memory.dmp

Filesize
124KB

Download
memory/2392-10-0x00000000003E0000-0x00000000003FF000-memory.dmp

Filesize
124KB

Download
memory/2392-282-0x00000000003E0000-0x00000000003FF000-memory.dmp

Filesize
124KB

Download
memory/2392-57-0x00000000003E0000-0x00000000003FF000-memory.dmp

Filesize
124KB

Download
memory/2392-55-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2392-186-0x00000000003E0000-0x00000000003FF000-memory.dmp

Filesize
124KB

Download
memory/2392-214-0x00000000003E0000-0x00000000003FF000-memory.dmp

Filesize
124KB

Download
memory/2392-69-0x00000000003E0000-0x00000000003FF000-memory.dmp

Filesize
124KB

Download
memory/2400-253-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2400-250-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2416-1427-0x0000000000220000-0x0000000000230000-memory.dmp

Filesize
64KB

Download
memory/2416-506-0x00000000001B0000-0x00000000001C0000-memory.dmp

Filesize
64KB

Download
memory/2416-505-0x00000000001B0000-0x00000000001C0000-memory.dmp

Filesize
64KB

Download
memory/2480-283-0x0000000000270000-0x000000000028F000-memory.dmp

Filesize
124KB

Download
memory/2480-227-0x0000000000270000-0x000000000028F000-memory.dmp

Filesize
124KB

Download
memory/2480-256-0x0000000000270000-0x000000000028F000-memory.dmp

Filesize
124KB

Download
memory/2480-228-0x0000000000270000-0x000000000028F000-memory.dmp

Filesize
124KB

Download
memory/2480-110-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2480-137-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2480-119-0x0000000000270000-0x000000000028F000-memory.dmp

Filesize
124KB

Download
memory/2480-128-0x0000000000270000-0x000000000028F000-memory.dmp

Filesize
124KB

Download
memory/2492-176-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2492-173-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2544-205-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2560-93-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2576-1573-0x0000000000220000-0x0000000000230000-memory.dmp

Filesize
64KB

Download
memory/2576-1572-0x0000000000220000-0x0000000000230000-memory.dmp

Filesize
64KB

Download
memory/2584-263-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2592-50-0x0000000003A90000-0x0000000003AA0000-memory.dmp

Filesize
64KB

Download
memory/2600-17-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2600-79-0x0000000000260000-0x000000000027F000-memory.dmp

Filesize
124KB

Download
memory/2600-261-0x0000000000260000-0x000000000027F000-memory.dmp

Filesize
124KB

Download
memory/2600-265-0x0000000000260000-0x000000000027F000-memory.dmp

Filesize
124KB

Download
memory/2600-74-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2600-234-0x0000000000260000-0x000000000027F000-memory.dmp

Filesize
124KB

Download
memory/2600-83-0x0000000000260000-0x000000000027F000-memory.dmp

Filesize
124KB

Download
memory/2600-201-0x0000000000260000-0x000000000027F000-memory.dmp

Filesize
124KB

Download
memory/2600-160-0x0000000000260000-0x000000000027F000-memory.dmp

Filesize
124KB

Download
memory/2600-258-0x0000000000260000-0x000000000027F000-memory.dmp

Filesize
124KB

Download
memory/2600-39-0x0000000000260000-0x000000000027F000-memory.dmp

Filesize
124KB

Download
memory/2616-1488-0x00000000003B0000-0x00000000003C0000-memory.dmp

Filesize
64KB

Download
memory/2616-1489-0x00000000003B0000-0x00000000003C0000-memory.dmp

Filesize
64KB

Download
memory/2688-2428-0x0000000000300000-0x0000000000310000-memory.dmp

Filesize
64KB

Download
memory/2688-2429-0x0000000000300000-0x0000000000310000-memory.dmp

Filesize
64KB

Download
memory/2696-305-0x0000000000240000-0x0000000000250000-memory.dmp

Filesize
64KB

Download
memory/2696-306-0x0000000000240000-0x0000000000250000-memory.dmp

Filesize
64KB

Download
memory/2744-87-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2756-2424-0x00000000001B0000-0x00000000001C0000-memory.dmp

Filesize
64KB

Download
memory/2756-2425-0x00000000001B0000-0x00000000001C0000-memory.dmp

Filesize
64KB

Download
memory/2788-1745-0x0000000000220000-0x0000000000230000-memory.dmp

Filesize
64KB

Download
memory/2788-1746-0x0000000000220000-0x0000000000230000-memory.dmp

Filesize
64KB

Download
memory/2816-2114-0x0000000000220000-0x0000000000230000-memory.dmp

Filesize
64KB

Download
memory/2816-2115-0x0000000000220000-0x0000000000230000-memory.dmp

Filesize
64KB

Download
memory/2820-1088-0x0000000000220000-0x0000000000230000-memory.dmp

Filesize
64KB

Download
memory/2840-2431-0x0000000000230000-0x0000000000240000-memory.dmp

Filesize
64KB

Download
memory/2840-2430-0x0000000000230000-0x0000000000240000-memory.dmp

Filesize
64KB

Download
memory/2840-2270-0x0000000000220000-0x0000000000230000-memory.dmp

Filesize
64KB

Download
memory/2840-2271-0x0000000000220000-0x0000000000230000-memory.dmp

Filesize
64KB

Download
memory/2876-217-0x0000000000250000-0x000000000026F000-memory.dmp

Filesize
124KB

Download
memory/2876-136-0x0000000000250000-0x000000000026F000-memory.dmp

Filesize
124KB

Download
memory/2876-277-0x0000000000250000-0x000000000026F000-memory.dmp

Filesize
124KB

Download
memory/2876-251-0x0000000000250000-0x000000000026F000-memory.dmp

Filesize
124KB

Download
memory/2876-262-0x0000000000250000-0x000000000026F000-memory.dmp

Filesize
124KB

Download
memory/2876-129-0x0000000000250000-0x000000000026F000-memory.dmp

Filesize
124KB

Download
memory/2876-189-0x0000000000250000-0x000000000026F000-memory.dmp

Filesize
124KB

Download
memory/2876-73-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2876-109-0x0000000000250000-0x000000000026F000-memory.dmp

Filesize
124KB

Download
memory/2876-147-0x0000000000250000-0x000000000026F000-memory.dmp

Filesize
124KB

Download
memory/2876-112-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2876-150-0x0000000000250000-0x000000000026F000-memory.dmp

Filesize
124KB

Download
memory/2876-91-0x0000000000250000-0x000000000026F000-memory.dmp

Filesize
124KB

Download
memory/2884-56-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2884-2387-0x0000000000220000-0x0000000000230000-memory.dmp

Filesize
64KB

Download
memory/2884-2386-0x0000000000220000-0x0000000000230000-memory.dmp

Filesize
64KB

Download
memory/2884-59-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2888-1486-0x0000000000260000-0x0000000000270000-memory.dmp

Filesize
64KB

Download
memory/2928-148-0x0000000000310000-0x000000000032F000-memory.dmp

Filesize
124KB

Download
memory/2928-249-0x0000000000310000-0x000000000032F000-memory.dmp

Filesize
124KB

Download
memory/2928-188-0x0000000000310000-0x000000000032F000-memory.dmp

Filesize
124KB

Download
memory/2928-40-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2928-84-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2928-111-0x0000000000310000-0x000000000032F000-memory.dmp

Filesize
124KB

Download
memory/2928-47-0x0000000000310000-0x000000000032F000-memory.dmp

Filesize
124KB

Download
memory/2928-187-0x0000000000310000-0x000000000032F000-memory.dmp

Filesize
124KB

Download
memory/2928-212-0x0000000000310000-0x000000000032F000-memory.dmp

Filesize
124KB

Download
memory/2928-71-0x0000000000310000-0x000000000032F000-memory.dmp

Filesize
124KB

Download
memory/2948-280-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2968-152-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/3000-741-0x0000000000300000-0x0000000000310000-memory.dmp

Filesize
64KB

Download
memory/3008-167-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/3064-1341-0x0000000000270000-0x0000000000280000-memory.dmp

Filesize
64KB

Download