e66b315f89c1d8450739ec9d9123ccc3919cc0e3e93d984d60535843f37dbaa8

Analysis

max time kernel
71s
max time network
121s
platform
windows7_x64
resource
win7-20241010-en
resource tags

arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
submitted
30-11-2024 05:05

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

e66b315f89c1d8450739ec9d9123ccc3919cc0e3e93d984d60535843f37dbaa8.exe
Size

92KB
MD5

b68939b3180672fc885489ced335b2b9
SHA1

a86beca3af3688ccfa106a361b3eced560e4c402
SHA256

e66b315f89c1d8450739ec9d9123ccc3919cc0e3e93d984d60535843f37dbaa8
SHA512

22346ba8366fb7ef57d86dfad54e93053ec6ffbaa4d894db57d3d5a73d87454f5d9c4637ac268c163837afb62934468da50c6a798536af2f031695ae85df9a67
SSDEEP

768:4zW4wnebSdDlmkok6lRGXu+jKZAOWjpiRHVAGr4PzpyRAJ7IwnDoSd1:41bC4Bk6lMTOWw4PkRAPoU

Score

10^/10

discovery persistence

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 10 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"C:\\Windows\\SVCHOST.EXE\""	EBRR.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"C:\\Windows\\system\\SVCHOST.EXE\""	EBRR.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"C:\\Windows\\system\\SVCHOST.EXE\""	mmtask.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"C:\\Windows\\system\\SVCHOST.EXE\""	SVCHOST.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"C:\\Windows\\system\\SVCHOST.EXE\""	SVCHOST.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"C:\\Windows\\SVCHOST.EXE\""	e66b315f89c1d8450739ec9d9123ccc3919cc0e3e93d984d60535843f37dbaa8.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"C:\\Windows\\system\\SVCHOST.EXE\""	e66b315f89c1d8450739ec9d9123ccc3919cc0e3e93d984d60535843f37dbaa8.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"C:\\Windows\\SVCHOST.EXE\""	mmtask.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"C:\\Windows\\SVCHOST.EXE\""	SVCHOST.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"C:\\Windows\\SVCHOST.EXE\""	SVCHOST.EXE

Executes dropped EXE 64 IoCs

pid	Process
2332	EBRR.EXE
1700	EBRR.EXE
2172	mmtask.exe
2852	EBRR.EXE
2760	mmtask.exe
2804	SVCHOST.EXE
2676	EBRR.EXE
2660	mmtask.exe
2860	SVCHOST.EXE
668	SVCHOST.EXE
1756	EBRR.EXE
1004	mmtask.exe
2940	SVCHOST.EXE
1560	SVCHOST.EXE
2012	SVCHOST.EXE
1452	EBRR.EXE
2980	EBRR.EXE
2992	EBRR.EXE
2288	SVCHOST.EXE
2724	mmtask.exe
2388	mmtask.exe
496	SVCHOST.EXE
1860	mmtask.exe
2108	SVCHOST.EXE
1356	SVCHOST.EXE
1776	SVCHOST.EXE
896	SVCHOST.EXE
1640	mmtask.exe
2052	SVCHOST.EXE
2516	SVCHOST.EXE
1952	EBRR.EXE
580	SVCHOST.EXE
2440	mmtask.exe
1036	SVCHOST.EXE
888	EBRR.EXE
3048	EBRR.EXE
2192	SVCHOST.EXE
2996	EBRR.EXE
1584	SVCHOST.EXE
1748	mmtask.exe
2492	EBRR.EXE
2916	EBRR.EXE
2452	SVCHOST.EXE
2020	mmtask.exe
2756	SVCHOST.EXE
2768	mmtask.exe
2816	mmtask.exe
2856	mmtask.exe
3024	SVCHOST.EXE
2716	SVCHOST.EXE
2200	SVCHOST.EXE
2640	SVCHOST.EXE
2632	SVCHOST.EXE
2872	SVCHOST.EXE
2628	SVCHOST.EXE
2148	SVCHOST.EXE
2472	EBRR.EXE
2644	EBRR.EXE
1956	mmtask.exe
2304	mmtask.exe
1164	EBRR.EXE
1312	EBRR.EXE
1600	SVCHOST.EXE
2376	EBRR.EXE

Loads dropped DLL 64 IoCs

pid	Process
2708	e66b315f89c1d8450739ec9d9123ccc3919cc0e3e93d984d60535843f37dbaa8.exe
2708	e66b315f89c1d8450739ec9d9123ccc3919cc0e3e93d984d60535843f37dbaa8.exe
2332	EBRR.EXE
2332	EBRR.EXE
2332	EBRR.EXE
2332	EBRR.EXE
2172	mmtask.exe
2172	mmtask.exe
2172	mmtask.exe
2172	mmtask.exe
2804	SVCHOST.EXE
2804	SVCHOST.EXE
2804	SVCHOST.EXE
2804	SVCHOST.EXE
2804	SVCHOST.EXE
2804	SVCHOST.EXE
668	SVCHOST.EXE
668	SVCHOST.EXE
668	SVCHOST.EXE
668	SVCHOST.EXE
668	SVCHOST.EXE
2172	mmtask.exe
2804	SVCHOST.EXE
2172	mmtask.exe
2804	SVCHOST.EXE
668	SVCHOST.EXE
2172	mmtask.exe
2172	mmtask.exe
668	SVCHOST.EXE
2172	mmtask.exe
2172	mmtask.exe
2804	SVCHOST.EXE
2804	SVCHOST.EXE
668	SVCHOST.EXE
668	SVCHOST.EXE
2172	mmtask.exe
2172	mmtask.exe
2332	EBRR.EXE
2332	EBRR.EXE
2708	e66b315f89c1d8450739ec9d9123ccc3919cc0e3e93d984d60535843f37dbaa8.exe
2708	e66b315f89c1d8450739ec9d9123ccc3919cc0e3e93d984d60535843f37dbaa8.exe
2804	SVCHOST.EXE
2804	SVCHOST.EXE
2172	mmtask.exe
2172	mmtask.exe
2708	e66b315f89c1d8450739ec9d9123ccc3919cc0e3e93d984d60535843f37dbaa8.exe
2172	mmtask.exe
2172	mmtask.exe
2804	SVCHOST.EXE
2804	SVCHOST.EXE
2332	EBRR.EXE
2332	EBRR.EXE
2708	e66b315f89c1d8450739ec9d9123ccc3919cc0e3e93d984d60535843f37dbaa8.exe
2708	e66b315f89c1d8450739ec9d9123ccc3919cc0e3e93d984d60535843f37dbaa8.exe
2172	mmtask.exe
2804	SVCHOST.EXE
668	SVCHOST.EXE
2804	SVCHOST.EXE
668	SVCHOST.EXE
2172	mmtask.exe
2172	mmtask.exe
668	SVCHOST.EXE
668	SVCHOST.EXE
2804	SVCHOST.EXE

Modifies system executable filetype association 2 TTPs 5 IoCs

persistence

Modify Registry

T1112

Change Default File Association

T1546.001

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder"	SVCHOST.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder"	e66b315f89c1d8450739ec9d9123ccc3919cc0e3e93d984d60535843f37dbaa8.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder"	EBRR.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder"	SVCHOST.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder"	mmtask.exe

Drops file in System32 directory 20 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\EBRR.EXE	e66b315f89c1d8450739ec9d9123ccc3919cc0e3e93d984d60535843f37dbaa8.exe
File opened for modification	C:\Windows\SysWOW64\mmtask.exe	mmtask.exe
File opened for modification	C:\Windows\SysWOW64\mmtask.exe	e66b315f89c1d8450739ec9d9123ccc3919cc0e3e93d984d60535843f37dbaa8.exe
File created	C:\Windows\SysWOW64\EBRR.EXE	e66b315f89c1d8450739ec9d9123ccc3919cc0e3e93d984d60535843f37dbaa8.exe
File opened for modification	C:\Windows\SysWOW64\EBRR.EXE	EBRR.EXE
File created	C:\Windows\SysWOW64\mmtask.exe	SVCHOST.EXE
File opened for modification	C:\Windows\SysWOW64\mmtask.exe	SVCHOST.EXE
File created	C:\Windows\SysWOW64\EBRR.EXE	SVCHOST.EXE
File opened for modification	C:\Windows\SysWOW64\EBRR.EXE	SVCHOST.EXE
File created	C:\Windows\SysWOW64\mmtask.exe	EBRR.EXE
File opened for modification	C:\Windows\SysWOW64\mmtask.exe	EBRR.EXE
File created	C:\Windows\SysWOW64\mmtask.exe	mmtask.exe
File created	C:\Windows\SysWOW64\mmtask.exe	SVCHOST.EXE
File opened for modification	C:\Windows\SysWOW64\mmtask.exe	SVCHOST.EXE
File created	C:\Windows\SysWOW64\mmtask.exe	e66b315f89c1d8450739ec9d9123ccc3919cc0e3e93d984d60535843f37dbaa8.exe
File created	C:\Windows\SysWOW64\EBRR.EXE	EBRR.EXE
File created	C:\Windows\SysWOW64\EBRR.EXE	mmtask.exe
File opened for modification	C:\Windows\SysWOW64\EBRR.EXE	mmtask.exe
File created	C:\Windows\SysWOW64\EBRR.EXE	SVCHOST.EXE
File opened for modification	C:\Windows\SysWOW64\EBRR.EXE	SVCHOST.EXE

Drops file in Windows directory 20 IoCs

description	ioc	Process
File created	C:\Windows\SVCHOST.EXE	mmtask.exe
File opened for modification	C:\Windows\SVCHOST.EXE	SVCHOST.EXE
File opened for modification	C:\Windows\SVCHOST.EXE	e66b315f89c1d8450739ec9d9123ccc3919cc0e3e93d984d60535843f37dbaa8.exe
File opened for modification	C:\Windows\system\SVCHOST.EXE	e66b315f89c1d8450739ec9d9123ccc3919cc0e3e93d984d60535843f37dbaa8.exe
File opened for modification	C:\Windows\SVCHOST.EXE	EBRR.EXE
File created	C:\Windows\system\SVCHOST.EXE	EBRR.EXE
File created	C:\Windows\SVCHOST.EXE	e66b315f89c1d8450739ec9d9123ccc3919cc0e3e93d984d60535843f37dbaa8.exe
File created	C:\Windows\system\SVCHOST.EXE	e66b315f89c1d8450739ec9d9123ccc3919cc0e3e93d984d60535843f37dbaa8.exe
File created	C:\Windows\system\SVCHOST.EXE	SVCHOST.EXE
File opened for modification	C:\Windows\SVCHOST.EXE	SVCHOST.EXE
File created	C:\Windows\system\SVCHOST.EXE	mmtask.exe
File created	C:\Windows\SVCHOST.EXE	EBRR.EXE
File created	C:\Windows\SVCHOST.EXE	SVCHOST.EXE
File opened for modification	C:\Windows\system\SVCHOST.EXE	SVCHOST.EXE
File created	C:\Windows\system\SVCHOST.EXE	SVCHOST.EXE
File opened for modification	C:\Windows\system\SVCHOST.EXE	SVCHOST.EXE
File opened for modification	C:\Windows\SVCHOST.EXE	mmtask.exe
File created	C:\Windows\SVCHOST.EXE	SVCHOST.EXE
File opened for modification	C:\Windows\system\SVCHOST.EXE	mmtask.exe
File opened for modification	C:\Windows\system\SVCHOST.EXE	EBRR.EXE

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	EBRR.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	SVCHOST.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	SVCHOST.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	SVCHOST.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	SVCHOST.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	SVCHOST.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	SVCHOST.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	SVCHOST.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mmtask.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	SVCHOST.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	SVCHOST.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	SVCHOST.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mmtask.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	EBRR.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	EBRR.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mmtask.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found

Modifies Internet Explorer settings 1 TTPs 2 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\Toolbar	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\Toolbar\Locked = "1"	explorer.exe

Modifies registry class 43 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000_Classes\Local Settings	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\MRUListEx = 00000000ffffffff	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\0\0\0\0\NodeSlot = "1"	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0 = 4c003100000000004a595748100041646d696e00380008000400efbe4a59dc444a5957482a00000033000000000003000000000000000000000000000000410064006d0069006e00000014000000	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\0\0\0 = 4a003100000000007e59b328102054656d700000360008000400efbe4a59dc447e59b3282a00000001020000000002000000000000000000000000000000540065006d007000000014000000	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\0\0\MRUListEx = 00000000ffffffff	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\0\0\0\MRUListEx = 00000000ffffffff	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 00000000ffffffff	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\MRUListEx = 00000000ffffffff	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder"	EBRR.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder"	SVCHOST.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder"	SVCHOST.EXE
Key created	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\0\0 = 4c003100000000004a591d4610204c6f63616c00380008000400efbe4a59dc444a591d462a000000000200000000020000000000000000000000000000004c006f00630061006c00000014000000	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\0\0	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\0\MRUListEx = 00000000ffffffff	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\KnownFolderDerivedFolderType = "{57807898-8C4F-4462-BB63-71042380B109}"	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder"	e66b315f89c1d8450739ec9d9123ccc3919cc0e3e93d984d60535843f37dbaa8.exe
Key created	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0 = 19002f433a5c000000000000000000000000000000000000000000	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\0 = 52003100000000004a59dc44122041707044617461003c0008000400efbe4a59dc444a59dc442a000000ed0100000000020000000000000000000000000000004100700070004400610074006100000016000000	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\0\0\0	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\0\0\0\0	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder"	mmtask.exe
Key created	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\SniffedFolderType = "Pictures"	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\MRUListEx = 00000000ffffffff	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\0\0\0\0 = c6003100000000007e59b32816004536364233317e310000ae0008000400efbe7e59b3287e59b3282a0000004a6d01000000080000000000000000000000000000006500360036006200330031003500660038003900630031006400380034003500300037003300390065006300390064003900310032003300630063006300330039003100390063006300300065003300650039003300640039003800340064003600300035003300350038003400330066003300370064006200610061003800000018000000	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\SniffedFolderType = "Generic"	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0 = 14001f50e04fd020ea3a6910a2d808002b30309d0000	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0 = 74003100000000004a59dc441100557365727300600008000400efbeee3a851a4a59dc442a000000e601000000000100000000000000000036000000000055007300650072007300000040007300680065006c006c00330032002e0064006c006c002c002d0032003100380031003300000014000000	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\0	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\MRUListEx = 00000000ffffffff	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\0\0\0\0\MRUListEx = ffffffff	explorer.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2708	e66b315f89c1d8450739ec9d9123ccc3919cc0e3e93d984d60535843f37dbaa8.exe
2708	e66b315f89c1d8450739ec9d9123ccc3919cc0e3e93d984d60535843f37dbaa8.exe
2708	e66b315f89c1d8450739ec9d9123ccc3919cc0e3e93d984d60535843f37dbaa8.exe
2708	e66b315f89c1d8450739ec9d9123ccc3919cc0e3e93d984d60535843f37dbaa8.exe
2708	e66b315f89c1d8450739ec9d9123ccc3919cc0e3e93d984d60535843f37dbaa8.exe
2708	e66b315f89c1d8450739ec9d9123ccc3919cc0e3e93d984d60535843f37dbaa8.exe
2708	e66b315f89c1d8450739ec9d9123ccc3919cc0e3e93d984d60535843f37dbaa8.exe
2708	e66b315f89c1d8450739ec9d9123ccc3919cc0e3e93d984d60535843f37dbaa8.exe
2332	EBRR.EXE
2332	EBRR.EXE
2332	EBRR.EXE
2332	EBRR.EXE
2332	EBRR.EXE
2332	EBRR.EXE
2332	EBRR.EXE
2332	EBRR.EXE
2332	EBRR.EXE
2332	EBRR.EXE
2172	mmtask.exe
2172	mmtask.exe
2172	mmtask.exe
2172	mmtask.exe
2172	mmtask.exe
2172	mmtask.exe
2172	mmtask.exe
2172	mmtask.exe
2172	mmtask.exe
2172	mmtask.exe
2804	SVCHOST.EXE
2804	SVCHOST.EXE
2804	SVCHOST.EXE
2804	SVCHOST.EXE
2804	SVCHOST.EXE
2804	SVCHOST.EXE
2804	SVCHOST.EXE
2804	SVCHOST.EXE
2804	SVCHOST.EXE
2804	SVCHOST.EXE
668	SVCHOST.EXE
668	SVCHOST.EXE
668	SVCHOST.EXE
668	SVCHOST.EXE
668	SVCHOST.EXE
668	SVCHOST.EXE
668	SVCHOST.EXE
668	SVCHOST.EXE
668	SVCHOST.EXE
668	SVCHOST.EXE
668	SVCHOST.EXE
668	SVCHOST.EXE
668	SVCHOST.EXE
2804	SVCHOST.EXE
2804	SVCHOST.EXE
2804	SVCHOST.EXE
2804	SVCHOST.EXE
2804	SVCHOST.EXE
2804	SVCHOST.EXE
2804	SVCHOST.EXE
2804	SVCHOST.EXE
2804	SVCHOST.EXE
2804	SVCHOST.EXE
668	SVCHOST.EXE
668	SVCHOST.EXE
668	SVCHOST.EXE

Suspicious use of SetWindowsHookEx 64 IoCs

pid	Process
2708	e66b315f89c1d8450739ec9d9123ccc3919cc0e3e93d984d60535843f37dbaa8.exe
2332	EBRR.EXE
1700	EBRR.EXE
2172	mmtask.exe
2852	EBRR.EXE
2760	mmtask.exe
2804	SVCHOST.EXE
2676	EBRR.EXE
2660	mmtask.exe
2860	SVCHOST.EXE
668	SVCHOST.EXE
1756	EBRR.EXE
1004	mmtask.exe
2940	SVCHOST.EXE
1560	SVCHOST.EXE
2012	SVCHOST.EXE
1452	EBRR.EXE
2980	EBRR.EXE
2288	SVCHOST.EXE
2724	mmtask.exe
2992	EBRR.EXE
496	SVCHOST.EXE
2388	mmtask.exe
1356	SVCHOST.EXE
2108	SVCHOST.EXE
1776	SVCHOST.EXE
896	SVCHOST.EXE
1640	mmtask.exe
1860	mmtask.exe
2516	SVCHOST.EXE
2052	SVCHOST.EXE
1952	EBRR.EXE
580	SVCHOST.EXE
1036	SVCHOST.EXE
2440	mmtask.exe
2192	SVCHOST.EXE
888	EBRR.EXE
1584	SVCHOST.EXE
1748	mmtask.exe
3048	EBRR.EXE
2996	EBRR.EXE
2492	EBRR.EXE
2452	SVCHOST.EXE
2756	SVCHOST.EXE
2020	mmtask.exe
2916	EBRR.EXE
2768	mmtask.exe
2816	mmtask.exe
3024	SVCHOST.EXE
2716	SVCHOST.EXE
2200	SVCHOST.EXE
2856	mmtask.exe
2640	SVCHOST.EXE
2632	SVCHOST.EXE
2872	SVCHOST.EXE
2628	SVCHOST.EXE
2148	SVCHOST.EXE
2472	EBRR.EXE
2644	EBRR.EXE
1956	mmtask.exe
2304	mmtask.exe
1164	EBRR.EXE
1312	EBRR.EXE
1600	SVCHOST.EXE

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2708 wrote to memory of 3056	2708	e66b315f89c1d8450739ec9d9123ccc3919cc0e3e93d984d60535843f37dbaa8.exe	30
PID 2708 wrote to memory of 3056	2708	e66b315f89c1d8450739ec9d9123ccc3919cc0e3e93d984d60535843f37dbaa8.exe	30
PID 2708 wrote to memory of 3056	2708	e66b315f89c1d8450739ec9d9123ccc3919cc0e3e93d984d60535843f37dbaa8.exe	30
PID 2708 wrote to memory of 3056	2708	e66b315f89c1d8450739ec9d9123ccc3919cc0e3e93d984d60535843f37dbaa8.exe	30
PID 2708 wrote to memory of 2332	2708	e66b315f89c1d8450739ec9d9123ccc3919cc0e3e93d984d60535843f37dbaa8.exe	31
PID 2708 wrote to memory of 2332	2708	e66b315f89c1d8450739ec9d9123ccc3919cc0e3e93d984d60535843f37dbaa8.exe	31
PID 2708 wrote to memory of 2332	2708	e66b315f89c1d8450739ec9d9123ccc3919cc0e3e93d984d60535843f37dbaa8.exe	31
PID 2708 wrote to memory of 2332	2708	e66b315f89c1d8450739ec9d9123ccc3919cc0e3e93d984d60535843f37dbaa8.exe	31
PID 2332 wrote to memory of 1700	2332	EBRR.EXE	33
PID 2332 wrote to memory of 1700	2332	EBRR.EXE	33
PID 2332 wrote to memory of 1700	2332	EBRR.EXE	33
PID 2332 wrote to memory of 1700	2332	EBRR.EXE	33
PID 2332 wrote to memory of 2172	2332	EBRR.EXE	34
PID 2332 wrote to memory of 2172	2332	EBRR.EXE	34
PID 2332 wrote to memory of 2172	2332	EBRR.EXE	34
PID 2332 wrote to memory of 2172	2332	EBRR.EXE	34
PID 2172 wrote to memory of 2852	2172	mmtask.exe	35
PID 2172 wrote to memory of 2852	2172	mmtask.exe	35
PID 2172 wrote to memory of 2852	2172	mmtask.exe	35
PID 2172 wrote to memory of 2852	2172	mmtask.exe	35
PID 2172 wrote to memory of 2760	2172	mmtask.exe	36
PID 2172 wrote to memory of 2760	2172	mmtask.exe	36
PID 2172 wrote to memory of 2760	2172	mmtask.exe	36
PID 2172 wrote to memory of 2760	2172	mmtask.exe	36
PID 2172 wrote to memory of 2804	2172	mmtask.exe	37
PID 2172 wrote to memory of 2804	2172	mmtask.exe	37
PID 2172 wrote to memory of 2804	2172	mmtask.exe	37
PID 2172 wrote to memory of 2804	2172	mmtask.exe	37
PID 2804 wrote to memory of 2676	2804	SVCHOST.EXE	38
PID 2804 wrote to memory of 2676	2804	SVCHOST.EXE	38
PID 2804 wrote to memory of 2676	2804	SVCHOST.EXE	38
PID 2804 wrote to memory of 2676	2804	SVCHOST.EXE	38
PID 2804 wrote to memory of 2660	2804	SVCHOST.EXE	39
PID 2804 wrote to memory of 2660	2804	SVCHOST.EXE	39
PID 2804 wrote to memory of 2660	2804	SVCHOST.EXE	39
PID 2804 wrote to memory of 2660	2804	SVCHOST.EXE	39
PID 2804 wrote to memory of 2860	2804	SVCHOST.EXE	270
PID 2804 wrote to memory of 2860	2804	SVCHOST.EXE	270
PID 2804 wrote to memory of 2860	2804	SVCHOST.EXE	270
PID 2804 wrote to memory of 2860	2804	SVCHOST.EXE	270
PID 2804 wrote to memory of 668	2804	SVCHOST.EXE	42
PID 2804 wrote to memory of 668	2804	SVCHOST.EXE	42
PID 2804 wrote to memory of 668	2804	SVCHOST.EXE	42
PID 2804 wrote to memory of 668	2804	SVCHOST.EXE	42
PID 668 wrote to memory of 1756	668	SVCHOST.EXE	43
PID 668 wrote to memory of 1756	668	SVCHOST.EXE	43
PID 668 wrote to memory of 1756	668	SVCHOST.EXE	43
PID 668 wrote to memory of 1756	668	SVCHOST.EXE	43
PID 668 wrote to memory of 1004	668	SVCHOST.EXE	213
PID 668 wrote to memory of 1004	668	SVCHOST.EXE	213
PID 668 wrote to memory of 1004	668	SVCHOST.EXE	213
PID 668 wrote to memory of 1004	668	SVCHOST.EXE	213
PID 668 wrote to memory of 2940	668	SVCHOST.EXE	338
PID 668 wrote to memory of 2940	668	SVCHOST.EXE	338
PID 668 wrote to memory of 2940	668	SVCHOST.EXE	338
PID 668 wrote to memory of 2940	668	SVCHOST.EXE	338
PID 668 wrote to memory of 1560	668	SVCHOST.EXE	346
PID 668 wrote to memory of 1560	668	SVCHOST.EXE	346
PID 668 wrote to memory of 1560	668	SVCHOST.EXE	346
PID 668 wrote to memory of 1560	668	SVCHOST.EXE	346
PID 2172 wrote to memory of 2012	2172	mmtask.exe	155
PID 2172 wrote to memory of 2012	2172	mmtask.exe	155
PID 2172 wrote to memory of 2012	2172	mmtask.exe	155
PID 2172 wrote to memory of 2012	2172	mmtask.exe	155

C:\Users\Admin\AppData\Local\Temp\e66b315f89c1d8450739ec9d9123ccc3919cc0e3e93d984d60535843f37dbaa8.exe
"C:\Users\Admin\AppData\Local\Temp\e66b315f89c1d8450739ec9d9123ccc3919cc0e3e93d984d60535843f37dbaa8.exe"
1⤵
- Modifies WinLogon for persistence
- Loads dropped DLL
- Modifies system executable filetype association
- Drops file in System32 directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2708
- C:\Windows\SysWOW64\explorer.exe
  explorer C:\Users\Admin\AppData\Local\Temp\e66b315f89c1d8450739ec9d9123ccc3919cc0e3e93d984d60535843f37dbaa8\
  2⤵
  PID:3056
- C:\Windows\SysWOW64\EBRR.EXE
  C:\Windows\system32\EBRR.EXE -s
  2⤵
  - Modifies WinLogon for persistence
  - Executes dropped EXE
  - Loads dropped DLL
  - Modifies system executable filetype association
  - Drops file in System32 directory
  - Drops file in Windows directory
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2332
- - C:\Windows\SysWOW64\EBRR.EXE
    C:\Windows\system32\EBRR.EXE -s
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:1700
- - C:\Windows\SysWOW64\mmtask.exe
    C:\Windows\system32\mmtask.exe -s
    3⤵
    - Modifies WinLogon for persistence
    - Executes dropped EXE
    - Loads dropped DLL
    - Modifies system executable filetype association
    - Drops file in System32 directory
    - Drops file in Windows directory
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2172
  - - C:\Windows\SysWOW64\EBRR.EXE
      C:\Windows\system32\EBRR.EXE -s
      4⤵
      Executes dropped EXE
      Suspicious use of SetWindowsHookEx
      PID:2852
  - - C:\Windows\SysWOW64\mmtask.exe
      C:\Windows\system32\mmtask.exe -s
      4⤵
      Executes dropped EXE
      Suspicious use of SetWindowsHookEx
      PID:2760
  - - C:\Windows\SVCHOST.EXE
      C:\Windows\SVCHOST.EXE -s
      4⤵
      Modifies WinLogon for persistence
      Executes dropped EXE
      Loads dropped DLL
      Modifies system executable filetype association
      Drops file in System32 directory
      Drops file in Windows directory
      Modifies registry class
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:2804
    - - C:\Windows\SysWOW64\EBRR.EXE
        
        C:\Windows\system32\EBRR.EXE -s
        5⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2676
    - - C:\Windows\SysWOW64\mmtask.exe
        
        C:\Windows\system32\mmtask.exe -s
        5⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2660
    - - C:\Windows\SVCHOST.EXE
        
        C:\Windows\SVCHOST.EXE -s
        5⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2860
    - - C:\Windows\system\SVCHOST.EXE
        
        C:\Windows\system\SVCHOST.EXE -s
        5⤵
        Modifies WinLogon for persistence
        Executes dropped EXE
        Loads dropped DLL
        Modifies system executable filetype association
        Drops file in System32 directory
        Drops file in Windows directory
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:668
      - C:\Windows\SysWOW64\EBRR.EXE
        
        C:\Windows\system32\EBRR.EXE -s
        6⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1756
      - C:\Windows\SysWOW64\mmtask.exe
        
        C:\Windows\system32\mmtask.exe -s
        6⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1004
      - C:\Windows\SVCHOST.EXE
        
        C:\Windows\SVCHOST.EXE -s
        6⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2940
      - C:\Windows\system\SVCHOST.EXE
        
        C:\Windows\system\SVCHOST.EXE -s
        6⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1560
      - C:\Windows\SysWOW64\EBRR.EXE
        
        C:\Windows\system32\EBRR.EXE -s
        6⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2992
      - C:\Windows\SysWOW64\mmtask.exe
        
        C:\Windows\system32\mmtask.exe -s
        6⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1860
      - C:\Windows\SVCHOST.EXE
        
        C:\Windows\SVCHOST.EXE -s
        6⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2052
      - C:\Windows\system\SVCHOST.EXE
        
        C:\Windows\system\SVCHOST.EXE -s
        6⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1036
      - C:\Windows\SysWOW64\EBRR.EXE
        
        C:\Windows\system32\EBRR.EXE -s
        6⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2492
      - C:\Windows\SysWOW64\mmtask.exe
        
        C:\Windows\system32\mmtask.exe -s
        6⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2020
      - C:\Windows\SVCHOST.EXE
        
        C:\Windows\SVCHOST.EXE -s
        6⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:3024
      - C:\Windows\system\SVCHOST.EXE
        
        C:\Windows\system\SVCHOST.EXE -s
        6⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2640
      - C:\Windows\SysWOW64\EBRR.EXE
        
        C:\Windows\system32\EBRR.EXE -s
        6⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2644
      - C:\Windows\SysWOW64\mmtask.exe
        
        C:\Windows\system32\mmtask.exe -s
        6⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2304
      - C:\Windows\SVCHOST.EXE
        
        C:\Windows\SVCHOST.EXE -s
        6⤵
        
        PID:2960
      - C:\Windows\system\SVCHOST.EXE
        
        C:\Windows\system\SVCHOST.EXE -s
        6⤵
        
        PID:2956
      - C:\Windows\SysWOW64\EBRR.EXE
        
        C:\Windows\system32\EBRR.EXE -s
        6⤵
        
        PID:1716
      - C:\Windows\SysWOW64\mmtask.exe
        
        C:\Windows\system32\mmtask.exe -s
        6⤵
        
        PID:2504
      - C:\Windows\SVCHOST.EXE
        
        C:\Windows\SVCHOST.EXE -s
        6⤵
        
        PID:1736
      - C:\Windows\system\SVCHOST.EXE
        
        C:\Windows\system\SVCHOST.EXE -s
        6⤵
        
        PID:1960
      - C:\Windows\SysWOW64\EBRR.EXE
        
        C:\Windows\system32\EBRR.EXE -s
        6⤵
        
        PID:1700
      - C:\Windows\SysWOW64\mmtask.exe
        
        C:\Windows\system32\mmtask.exe -s
        6⤵
        
        PID:2424
      - C:\Windows\SVCHOST.EXE
        
        C:\Windows\SVCHOST.EXE -s
        6⤵
        
        PID:2948
      - C:\Windows\system\SVCHOST.EXE
        
        C:\Windows\system\SVCHOST.EXE -s
        6⤵
        
        PID:2748
      - C:\Windows\SysWOW64\EBRR.EXE
        
        C:\Windows\system32\EBRR.EXE -s
        6⤵
        
        PID:380
      - C:\Windows\SysWOW64\mmtask.exe
        
        C:\Windows\system32\mmtask.exe -s
        6⤵
        
        PID:2932
      - C:\Windows\SVCHOST.EXE
        
        C:\Windows\SVCHOST.EXE -s
        6⤵
        
        PID:1764
      - C:\Windows\system\SVCHOST.EXE
        
        C:\Windows\system\SVCHOST.EXE -s
        6⤵
        
        PID:584
      - C:\Windows\SysWOW64\EBRR.EXE
        
        C:\Windows\system32\EBRR.EXE -s
        6⤵
        
        PID:2992
      - C:\Windows\SysWOW64\mmtask.exe
        
        C:\Windows\system32\mmtask.exe -s
        6⤵
        
        PID:1524
      - C:\Windows\SVCHOST.EXE
        
        C:\Windows\SVCHOST.EXE -s
        6⤵
        
        PID:1740
      - C:\Windows\system\SVCHOST.EXE
        
        C:\Windows\system\SVCHOST.EXE -s
        6⤵
        
        PID:1588
      - C:\Windows\SysWOW64\EBRR.EXE
        
        C:\Windows\system32\EBRR.EXE -s
        6⤵
        
        PID:3064
      - C:\Windows\SysWOW64\mmtask.exe
        
        C:\Windows\system32\mmtask.exe -s
        6⤵
        
        PID:2736
      - C:\Windows\SVCHOST.EXE
        
        C:\Windows\SVCHOST.EXE -s
        6⤵
        
        PID:2864
      - C:\Windows\system\SVCHOST.EXE
        
        C:\Windows\system\SVCHOST.EXE -s
        6⤵
        
        PID:2680
      - C:\Windows\SysWOW64\EBRR.EXE
        
        C:\Windows\system32\EBRR.EXE -s
        6⤵
        
        PID:1616
      - C:\Windows\SysWOW64\mmtask.exe
        
        C:\Windows\system32\mmtask.exe -s
        6⤵
        
        PID:1004
      - C:\Windows\SVCHOST.EXE
        
        C:\Windows\SVCHOST.EXE -s
        6⤵
        
        PID:2976
      - C:\Windows\system\SVCHOST.EXE
        
        C:\Windows\system\SVCHOST.EXE -s
        6⤵
        
        PID:2960
      - C:\Windows\SysWOW64\EBRR.EXE
        
        C:\Windows\system32\EBRR.EXE -s
        6⤵
        
        PID:1720
      - C:\Windows\SysWOW64\mmtask.exe
        
        C:\Windows\system32\mmtask.exe -s
        6⤵
        
        PID:2288
      - C:\Windows\SVCHOST.EXE
        
        C:\Windows\SVCHOST.EXE -s
        6⤵
        
        PID:1532
      - C:\Windows\system\SVCHOST.EXE
        
        C:\Windows\system\SVCHOST.EXE -s
        6⤵
        
        PID:1396
      - C:\Windows\SysWOW64\EBRR.EXE
        
        C:\Windows\system32\EBRR.EXE -s
        6⤵
        
        PID:2436
      - C:\Windows\SysWOW64\mmtask.exe
        
        C:\Windows\system32\mmtask.exe -s
        6⤵
        
        PID:2468
      - C:\Windows\SVCHOST.EXE
        
        C:\Windows\SVCHOST.EXE -s
        6⤵
        
        PID:2908
      - C:\Windows\system\SVCHOST.EXE
        
        C:\Windows\system\SVCHOST.EXE -s
        6⤵
        
        PID:1748
      - C:\Windows\SysWOW64\EBRR.EXE
        
        C:\Windows\system32\EBRR.EXE -s
        6⤵
        
        PID:1684
      - C:\Windows\SysWOW64\mmtask.exe
        
        C:\Windows\system32\mmtask.exe -s
        6⤵
        
        PID:2140
      - C:\Windows\SVCHOST.EXE
        
        C:\Windows\SVCHOST.EXE -s
        6⤵
        
        PID:2148
      - C:\Windows\system\SVCHOST.EXE
        
        C:\Windows\system\SVCHOST.EXE -s
        6⤵
        
        PID:1972
      - C:\Windows\SysWOW64\EBRR.EXE
        
        C:\Windows\system32\EBRR.EXE -s
        6⤵
        
        PID:1980
      - C:\Windows\SysWOW64\mmtask.exe
        
        C:\Windows\system32\mmtask.exe -s
        6⤵
        
        PID:2488
      - C:\Windows\SVCHOST.EXE
        
        C:\Windows\SVCHOST.EXE -s
        6⤵
        
        PID:904
      - C:\Windows\system\SVCHOST.EXE
        
        C:\Windows\system\SVCHOST.EXE -s
        6⤵
        
        PID:2168
      - C:\Windows\SysWOW64\EBRR.EXE
        
        C:\Windows\system32\EBRR.EXE -s
        6⤵
        
        PID:1952
      - C:\Windows\SysWOW64\mmtask.exe
        
        C:\Windows\system32\mmtask.exe -s
        6⤵
        
        PID:1860
      - C:\Windows\SVCHOST.EXE
        
        C:\Windows\SVCHOST.EXE -s
        6⤵
        
        PID:844
      - C:\Windows\system\SVCHOST.EXE
        
        C:\Windows\system\SVCHOST.EXE -s
        6⤵
        
        PID:1588
      - C:\Windows\SysWOW64\EBRR.EXE
        
        C:\Windows\system32\EBRR.EXE -s
        6⤵
        
        PID:2660
      - C:\Windows\SysWOW64\mmtask.exe
        
        C:\Windows\system32\mmtask.exe -s
        6⤵
        
        PID:2864
      - C:\Windows\SVCHOST.EXE
        
        C:\Windows\SVCHOST.EXE -s
        6⤵
        
        PID:320
      - C:\Windows\system\SVCHOST.EXE
        
        C:\Windows\system\SVCHOST.EXE -s
        6⤵
        
        PID:1152
      - C:\Windows\SysWOW64\EBRR.EXE
        
        C:\Windows\system32\EBRR.EXE -s
        6⤵
        
        PID:1200
      - C:\Windows\SysWOW64\mmtask.exe
        
        C:\Windows\system32\mmtask.exe -s
        6⤵
        
        PID:2976
      - C:\Windows\SVCHOST.EXE
        
        C:\Windows\SVCHOST.EXE -s
        6⤵
        
        PID:1764
      - C:\Windows\system\SVCHOST.EXE
        
        C:\Windows\system\SVCHOST.EXE -s
        6⤵
        
        PID:1360
      - C:\Windows\SysWOW64\EBRR.EXE
        
        C:\Windows\system32\EBRR.EXE -s
        6⤵
        
        PID:1100
      - C:\Windows\SysWOW64\mmtask.exe
        
        C:\Windows\system32\mmtask.exe -s
        6⤵
        
        PID:2584
      - C:\Windows\SVCHOST.EXE
        
        C:\Windows\SVCHOST.EXE -s
        6⤵
        
        PID:1056
      - C:\Windows\system\SVCHOST.EXE
        
        C:\Windows\system\SVCHOST.EXE -s
        6⤵
        
        PID:1948
      - C:\Windows\SysWOW64\EBRR.EXE
        
        C:\Windows\system32\EBRR.EXE -s
        6⤵
        
        PID:1128
      - C:\Windows\SysWOW64\mmtask.exe
        
        C:\Windows\system32\mmtask.exe -s
        6⤵
        
        PID:2380
      - C:\Windows\SVCHOST.EXE
        
        C:\Windows\SVCHOST.EXE -s
        6⤵
        
        PID:2816
      - C:\Windows\system\SVCHOST.EXE
        
        C:\Windows\system\SVCHOST.EXE -s
        6⤵
        
        PID:3056
      - C:\Windows\SysWOW64\EBRR.EXE
        
        C:\Windows\system32\EBRR.EXE -s
        6⤵
        
        PID:2888
      - C:\Windows\SysWOW64\mmtask.exe
        
        C:\Windows\system32\mmtask.exe -s
        6⤵
        
        PID:2800
      - C:\Windows\SVCHOST.EXE
        
        C:\Windows\SVCHOST.EXE -s
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:1796
      - C:\Windows\system\SVCHOST.EXE
        
        C:\Windows\system\SVCHOST.EXE -s
        6⤵
        
        PID:1044
      - C:\Windows\SysWOW64\EBRR.EXE
        
        C:\Windows\system32\EBRR.EXE -s
        6⤵
        
        PID:1112
      - C:\Windows\SysWOW64\mmtask.exe
        
        C:\Windows\system32\mmtask.exe -s
        6⤵
        
        PID:1932
      - C:\Windows\SVCHOST.EXE
        
        C:\Windows\SVCHOST.EXE -s
        6⤵
        
        PID:1760
      - C:\Windows\system\SVCHOST.EXE
        
        C:\Windows\system\SVCHOST.EXE -s
        6⤵
        
        PID:2920
      - C:\Windows\SysWOW64\EBRR.EXE
        
        C:\Windows\system32\EBRR.EXE -s
        6⤵
        
        PID:1772
      - C:\Windows\SysWOW64\mmtask.exe
        
        C:\Windows\system32\mmtask.exe -s
        6⤵
        
        PID:408
      - C:\Windows\SVCHOST.EXE
        
        C:\Windows\SVCHOST.EXE -s
        6⤵
        
        PID:2296
      - C:\Windows\system\SVCHOST.EXE
        
        C:\Windows\system\SVCHOST.EXE -s
        6⤵
        
        PID:888
      - C:\Windows\SysWOW64\EBRR.EXE
        
        C:\Windows\system32\EBRR.EXE -s
        6⤵
        
        PID:1952
      - C:\Windows\SysWOW64\mmtask.exe
        
        C:\Windows\system32\mmtask.exe -s
        6⤵
        
        PID:2476
      - C:\Windows\SVCHOST.EXE
        
        C:\Windows\SVCHOST.EXE -s
        6⤵
        
        PID:2720
      - C:\Windows\system\SVCHOST.EXE
        
        C:\Windows\system\SVCHOST.EXE -s
        6⤵
        
        PID:1428
      - C:\Windows\SysWOW64\EBRR.EXE
        
        C:\Windows\system32\EBRR.EXE -s
        6⤵
        
        PID:2888
      - C:\Windows\SysWOW64\mmtask.exe
        
        C:\Windows\system32\mmtask.exe -s
        6⤵
        
        PID:1220
      - C:\Windows\SVCHOST.EXE
        
        C:\Windows\SVCHOST.EXE -s
        6⤵
        
        PID:2872
      - C:\Windows\system\SVCHOST.EXE
        
        C:\Windows\system\SVCHOST.EXE -s
        6⤵
        
        PID:2748
      - C:\Windows\SysWOW64\EBRR.EXE
        
        C:\Windows\system32\EBRR.EXE -s
        6⤵
        
        PID:1732
      - C:\Windows\SysWOW64\mmtask.exe
        
        C:\Windows\system32\mmtask.exe -s
        6⤵
        
        PID:2964
      - C:\Windows\SVCHOST.EXE
        
        C:\Windows\SVCHOST.EXE -s
        6⤵
        
        PID:2388
      - C:\Windows\system\SVCHOST.EXE
        
        C:\Windows\system\SVCHOST.EXE -s
        6⤵
        
        PID:1764
      - C:\Windows\SysWOW64\EBRR.EXE
        
        C:\Windows\system32\EBRR.EXE -s
        6⤵
        
        PID:308
      - C:\Windows\SysWOW64\mmtask.exe
        
        C:\Windows\system32\mmtask.exe -s
        6⤵
        
        PID:1440
      - C:\Windows\SVCHOST.EXE
        
        C:\Windows\SVCHOST.EXE -s
        6⤵
        
        PID:2056
      - C:\Windows\system\SVCHOST.EXE
        
        C:\Windows\system\SVCHOST.EXE -s
        6⤵
        
        PID:2936
      - C:\Windows\SysWOW64\EBRR.EXE
        
        C:\Windows\system32\EBRR.EXE -s
        6⤵
        
        PID:2452
      - C:\Windows\SysWOW64\mmtask.exe
        
        C:\Windows\system32\mmtask.exe -s
        6⤵
        
        PID:2640
      - C:\Windows\SVCHOST.EXE
        
        C:\Windows\SVCHOST.EXE -s
        6⤵
        
        PID:2816
      - C:\Windows\system\SVCHOST.EXE
        
        C:\Windows\system\SVCHOST.EXE -s
        6⤵
        
        PID:2884
      - C:\Windows\SysWOW64\EBRR.EXE
        
        C:\Windows\system32\EBRR.EXE -s
        6⤵
        
        PID:2928
      - C:\Windows\SysWOW64\mmtask.exe
        
        C:\Windows\system32\mmtask.exe -s
        6⤵
        
        PID:2792
      - C:\Windows\SVCHOST.EXE
        
        C:\Windows\SVCHOST.EXE -s
        6⤵
        
        PID:2864
      - C:\Windows\system\SVCHOST.EXE
        
        C:\Windows\system\SVCHOST.EXE -s
        6⤵
        
        PID:2896
      - C:\Windows\SysWOW64\EBRR.EXE
        
        C:\Windows\system32\EBRR.EXE -s
        6⤵
        
        PID:1304
      - C:\Windows\SysWOW64\mmtask.exe
        
        C:\Windows\system32\mmtask.exe -s
        6⤵
        
        PID:1804
      - C:\Windows\SVCHOST.EXE
        
        C:\Windows\SVCHOST.EXE -s
        6⤵
        
        PID:1708
      - C:\Windows\system\SVCHOST.EXE
        
        C:\Windows\system\SVCHOST.EXE -s
        6⤵
        
        PID:2472
      - C:\Windows\SysWOW64\EBRR.EXE
        
        C:\Windows\system32\EBRR.EXE -s
        6⤵
        
        PID:2144
      - C:\Windows\SysWOW64\mmtask.exe
        
        C:\Windows\system32\mmtask.exe -s
        6⤵
        
        PID:1524
      - C:\Windows\SVCHOST.EXE
        
        C:\Windows\SVCHOST.EXE -s
        6⤵
        
        PID:2244
      - C:\Windows\system\SVCHOST.EXE
        
        C:\Windows\system\SVCHOST.EXE -s
        6⤵
        
        PID:2192
      - C:\Windows\SysWOW64\EBRR.EXE
        
        C:\Windows\system32\EBRR.EXE -s
        6⤵
        
        PID:2248
      - C:\Windows\SysWOW64\mmtask.exe
        
        C:\Windows\system32\mmtask.exe -s
        6⤵
        
        PID:1860
      - C:\Windows\SVCHOST.EXE
        
        C:\Windows\SVCHOST.EXE -s
        6⤵
        
        PID:2672
      - C:\Windows\system\SVCHOST.EXE
        
        C:\Windows\system\SVCHOST.EXE -s
        6⤵
        
        PID:1740
      - C:\Windows\SysWOW64\EBRR.EXE
        
        C:\Windows\system32\EBRR.EXE -s
        6⤵
        
        PID:2728
      - C:\Windows\SysWOW64\mmtask.exe
        
        C:\Windows\system32\mmtask.exe -s
        6⤵
        
        PID:3056
      - C:\Windows\SVCHOST.EXE
        
        C:\Windows\SVCHOST.EXE -s
        6⤵
        
        PID:2136
      - C:\Windows\system\SVCHOST.EXE
        
        C:\Windows\system\SVCHOST.EXE -s
        6⤵
        
        PID:1912
      - C:\Windows\SysWOW64\EBRR.EXE
        
        C:\Windows\system32\EBRR.EXE -s
        6⤵
        
        PID:1224
      - C:\Windows\SysWOW64\mmtask.exe
        
        C:\Windows\system32\mmtask.exe -s
        6⤵
        
        PID:1608
      - C:\Windows\SVCHOST.EXE
        
        C:\Windows\SVCHOST.EXE -s
        6⤵
        
        PID:484
      - C:\Windows\system\SVCHOST.EXE
        
        C:\Windows\system\SVCHOST.EXE -s
        6⤵
        
        PID:1764
      - C:\Windows\SysWOW64\EBRR.EXE
        
        C:\Windows\system32\EBRR.EXE -s
        6⤵
        
        PID:2072
      - C:\Windows\SysWOW64\mmtask.exe
        
        C:\Windows\system32\mmtask.exe -s
        6⤵
        
        PID:1440
      - C:\Windows\SVCHOST.EXE
        
        C:\Windows\SVCHOST.EXE -s
        6⤵
        
        PID:580
      - C:\Windows\system\SVCHOST.EXE
        
        C:\Windows\system\SVCHOST.EXE -s
        6⤵
        
        PID:2612
      - C:\Windows\SysWOW64\EBRR.EXE
        
        C:\Windows\system32\EBRR.EXE -s
        6⤵
        
        PID:2248
      - C:\Windows\SysWOW64\mmtask.exe
        
        C:\Windows\system32\mmtask.exe -s
        6⤵
        
        PID:2796
      - C:\Windows\SVCHOST.EXE
        
        C:\Windows\SVCHOST.EXE -s
        6⤵
        
        PID:2512
      - C:\Windows\system\SVCHOST.EXE
        
        C:\Windows\system\SVCHOST.EXE -s
        6⤵
        
        PID:1752
      - C:\Windows\SysWOW64\EBRR.EXE
        
        C:\Windows\system32\EBRR.EXE -s
        6⤵
        
        PID:1480
      - C:\Windows\SysWOW64\mmtask.exe
        
        C:\Windows\system32\mmtask.exe -s
        6⤵
        
        PID:1808
      - C:\Windows\SVCHOST.EXE
        
        C:\Windows\SVCHOST.EXE -s
        6⤵
        
        PID:760
      - C:\Windows\system\SVCHOST.EXE
        
        C:\Windows\system\SVCHOST.EXE -s
        6⤵
        
        PID:2088
      - C:\Windows\SysWOW64\EBRR.EXE
        
        C:\Windows\system32\EBRR.EXE -s
        6⤵
        
        PID:316
      - C:\Windows\SysWOW64\mmtask.exe
        
        C:\Windows\system32\mmtask.exe -s
        6⤵
        
        PID:2208
      - C:\Windows\SVCHOST.EXE
        
        C:\Windows\SVCHOST.EXE -s
        6⤵
        
        PID:1000
      - C:\Windows\system\SVCHOST.EXE
        
        C:\Windows\system\SVCHOST.EXE -s
        6⤵
        
        PID:1408
      - C:\Windows\SysWOW64\EBRR.EXE
        
        C:\Windows\system32\EBRR.EXE -s
        6⤵
        
        PID:2340
      - C:\Windows\SysWOW64\mmtask.exe
        
        C:\Windows\system32\mmtask.exe -s
        6⤵
        
        PID:376
      - C:\Windows\SVCHOST.EXE
        
        C:\Windows\SVCHOST.EXE -s
        6⤵
        
        PID:2192
      - C:\Windows\system\SVCHOST.EXE
        
        C:\Windows\system\SVCHOST.EXE -s
        6⤵
        
        PID:988
      - C:\Windows\SysWOW64\EBRR.EXE
        
        C:\Windows\system32\EBRR.EXE -s
        6⤵
        
        PID:3012
      - C:\Windows\SysWOW64\mmtask.exe
        
        C:\Windows\system32\mmtask.exe -s
        6⤵
        
        PID:2440
      - C:\Windows\SVCHOST.EXE
        
        C:\Windows\SVCHOST.EXE -s
        6⤵
        
        PID:2464
      - C:\Windows\system\SVCHOST.EXE
        
        C:\Windows\system\SVCHOST.EXE -s
        6⤵
        
        PID:1540
      - C:\Windows\SysWOW64\EBRR.EXE
        
        C:\Windows\system32\EBRR.EXE -s
        6⤵
        
        PID:2836
      - C:\Windows\SysWOW64\mmtask.exe
        
        C:\Windows\system32\mmtask.exe -s
        6⤵
        
        PID:2860
      - C:\Windows\SVCHOST.EXE
        
        C:\Windows\SVCHOST.EXE -s
        6⤵
        
        PID:2652
      - C:\Windows\system\SVCHOST.EXE
        
        C:\Windows\system\SVCHOST.EXE -s
        6⤵
        
        PID:2032
      - C:\Windows\SysWOW64\EBRR.EXE
        
        C:\Windows\system32\EBRR.EXE -s
        6⤵
        
        PID:2932
      - C:\Windows\SysWOW64\mmtask.exe
        
        C:\Windows\system32\mmtask.exe -s
        6⤵
        
        PID:904
      - C:\Windows\SVCHOST.EXE
        
        C:\Windows\SVCHOST.EXE -s
        6⤵
        
        PID:2488
      - C:\Windows\system\SVCHOST.EXE
        
        C:\Windows\system\SVCHOST.EXE -s
        6⤵
        
        PID:876
      - C:\Windows\SysWOW64\EBRR.EXE
        
        C:\Windows\system32\EBRR.EXE -s
        6⤵
        
        PID:3000
      - C:\Windows\SysWOW64\mmtask.exe
        
        C:\Windows\system32\mmtask.exe -s
        6⤵
        
        PID:2504
      - C:\Windows\SVCHOST.EXE
        
        C:\Windows\SVCHOST.EXE -s
        6⤵
        
        PID:2356
      - C:\Windows\system\SVCHOST.EXE
        
        C:\Windows\system\SVCHOST.EXE -s
        6⤵
        
        PID:2168
      - C:\Windows\SysWOW64\EBRR.EXE
        
        C:\Windows\system32\EBRR.EXE -s
        6⤵
        
        PID:2680
      - C:\Windows\SysWOW64\mmtask.exe
        
        C:\Windows\system32\mmtask.exe -s
        6⤵
        
        PID:2780
      - C:\Windows\SVCHOST.EXE
        
        C:\Windows\SVCHOST.EXE -s
        6⤵
        
        PID:2856
      - C:\Windows\system\SVCHOST.EXE
        
        C:\Windows\system\SVCHOST.EXE -s
        6⤵
        
        PID:2764
      - C:\Windows\SysWOW64\EBRR.EXE
        
        C:\Windows\system32\EBRR.EXE -s
        6⤵
        
        PID:1756
      - C:\Windows\SysWOW64\mmtask.exe
        
        C:\Windows\system32\mmtask.exe -s
        6⤵
        
        PID:2800
      - C:\Windows\SVCHOST.EXE
        
        C:\Windows\SVCHOST.EXE -s
        6⤵
        
        PID:2028
      - C:\Windows\system\SVCHOST.EXE
        
        C:\Windows\system\SVCHOST.EXE -s
        6⤵
        
        PID:1564
      - C:\Windows\SysWOW64\EBRR.EXE
        
        C:\Windows\system32\EBRR.EXE -s
        6⤵
        
        PID:2964
      - C:\Windows\SysWOW64\mmtask.exe
        
        C:\Windows\system32\mmtask.exe -s
        6⤵
        
        PID:2376
      - C:\Windows\SVCHOST.EXE
        
        C:\Windows\SVCHOST.EXE -s
        6⤵
        
        PID:2956
      - C:\Windows\system\SVCHOST.EXE
        
        C:\Windows\system\SVCHOST.EXE -s
        6⤵
        
        PID:1524
      - C:\Windows\SysWOW64\EBRR.EXE
        
        C:\Windows\system32\EBRR.EXE -s
        6⤵
        
        PID:1212
      - C:\Windows\SysWOW64\mmtask.exe
        
        C:\Windows\system32\mmtask.exe -s
        6⤵
        
        PID:1080
      - C:\Windows\SVCHOST.EXE
        
        C:\Windows\SVCHOST.EXE -s
        6⤵
        
        PID:1128
      - C:\Windows\system\SVCHOST.EXE
        
        C:\Windows\system\SVCHOST.EXE -s
        6⤵
        
        PID:2640
      - C:\Windows\SysWOW64\EBRR.EXE
        
        C:\Windows\system32\EBRR.EXE -s
        6⤵
        
        PID:2768
      - C:\Windows\SVCHOST.EXE
        
        C:\Windows\SVCHOST.EXE -s
        6⤵
        
        PID:1700
      - C:\Windows\system\SVCHOST.EXE
        
        C:\Windows\system\SVCHOST.EXE -s
        6⤵
        
        PID:2676
      - C:\Windows\SysWOW64\EBRR.EXE
        
        C:\Windows\system32\EBRR.EXE -s
        6⤵
        
        PID:1916
      - C:\Windows\SysWOW64\mmtask.exe
        
        C:\Windows\system32\mmtask.exe -s
        6⤵
        
        PID:1816
      - C:\Windows\SVCHOST.EXE
        
        C:\Windows\SVCHOST.EXE -s
        6⤵
        
        PID:1220
      - C:\Windows\system\SVCHOST.EXE
        
        C:\Windows\system\SVCHOST.EXE -s
        6⤵
        
        PID:1360
      - C:\Windows\SysWOW64\EBRR.EXE
        
        C:\Windows\system32\EBRR.EXE -s
        6⤵
        
        PID:2952
      - C:\Windows\SysWOW64\mmtask.exe
        
        C:\Windows\system32\mmtask.exe -s
        6⤵
        
        PID:1980
      - C:\Windows\SVCHOST.EXE
        
        C:\Windows\SVCHOST.EXE -s
        6⤵
        
        PID:2336
      - C:\Windows\system\SVCHOST.EXE
        
        C:\Windows\system\SVCHOST.EXE -s
        6⤵
        
        PID:376
      - C:\Windows\SysWOW64\EBRR.EXE
        
        C:\Windows\system32\EBRR.EXE -s
        6⤵
        
        PID:1776
      - C:\Windows\SysWOW64\mmtask.exe
        
        C:\Windows\system32\mmtask.exe -s
        6⤵
        
        PID:2612
      - C:\Windows\SVCHOST.EXE
        
        C:\Windows\SVCHOST.EXE -s
        6⤵
        
        PID:2876
      - C:\Windows\system\SVCHOST.EXE
        
        C:\Windows\system\SVCHOST.EXE -s
        6⤵
        
        PID:2996
      - C:\Windows\SysWOW64\EBRR.EXE
        
        C:\Windows\system32\EBRR.EXE -s
        6⤵
        
        PID:2128
      - C:\Windows\SysWOW64\mmtask.exe
        
        C:\Windows\system32\mmtask.exe -s
        6⤵
        
        PID:2884
      - C:\Windows\SVCHOST.EXE
        
        C:\Windows\SVCHOST.EXE -s
        6⤵
        
        PID:1576
      - C:\Windows\system\SVCHOST.EXE
        
        C:\Windows\system\SVCHOST.EXE -s
        6⤵
        
        PID:2900
      - C:\Windows\SysWOW64\EBRR.EXE
        
        C:\Windows\system32\EBRR.EXE -s
        6⤵
        
        PID:1972
      - C:\Windows\SysWOW64\mmtask.exe
        
        C:\Windows\system32\mmtask.exe -s
        6⤵
        
        PID:2860
    - - C:\Windows\SysWOW64\EBRR.EXE
        
        C:\Windows\system32\EBRR.EXE -s
        5⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1452
    - - C:\Windows\SysWOW64\mmtask.exe
        
        C:\Windows\system32\mmtask.exe -s
        5⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2388
    - - C:\Windows\SVCHOST.EXE
        
        C:\Windows\SVCHOST.EXE -s
        5⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1776
    - - C:\Windows\system\SVCHOST.EXE
        
        C:\Windows\system\SVCHOST.EXE -s
        5⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:896
    - - C:\Windows\SysWOW64\EBRR.EXE
        
        C:\Windows\system32\EBRR.EXE -s
        5⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:888
    - - C:\Windows\SysWOW64\mmtask.exe
        
        C:\Windows\system32\mmtask.exe -s
        5⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1748
    - - C:\Windows\SVCHOST.EXE
        
        C:\Windows\SVCHOST.EXE -s
        5⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2452
    - - C:\Windows\system\SVCHOST.EXE
        
        C:\Windows\system\SVCHOST.EXE -s
        5⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2756
    - - C:\Windows\SysWOW64\EBRR.EXE
        
        C:\Windows\system32\EBRR.EXE -s
        5⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2472
    - - C:\Windows\SysWOW64\mmtask.exe
        
        C:\Windows\system32\mmtask.exe -s
        5⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1956
    - - C:\Windows\SVCHOST.EXE
        
        C:\Windows\SVCHOST.EXE -s
        5⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1600
    - - C:\Windows\system\SVCHOST.EXE
        
        C:\Windows\system\SVCHOST.EXE -s
        5⤵
        
        PID:1964
    - - C:\Windows\SysWOW64\EBRR.EXE
        
        C:\Windows\system32\EBRR.EXE -s
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:2612
    - - C:\Windows\SysWOW64\mmtask.exe
        
        C:\Windows\system32\mmtask.exe -s
        5⤵
        
        PID:1036
    - - C:\Windows\SVCHOST.EXE
        
        C:\Windows\SVCHOST.EXE -s
        5⤵
        
        PID:2552
    - - C:\Windows\system\SVCHOST.EXE
        
        C:\Windows\system\SVCHOST.EXE -s
        5⤵
        
        PID:2324
    - - C:\Windows\SysWOW64\EBRR.EXE
        
        C:\Windows\system32\EBRR.EXE -s
        5⤵
        
        PID:2912
    - - C:\Windows\SysWOW64\mmtask.exe
        
        C:\Windows\system32\mmtask.exe -s
        5⤵
        
        PID:2136
    - - C:\Windows\SVCHOST.EXE
        
        C:\Windows\SVCHOST.EXE -s
        5⤵
        
        PID:2632
    - - C:\Windows\system\SVCHOST.EXE
        
        C:\Windows\system\SVCHOST.EXE -s
        5⤵
        
        PID:2140
    - - C:\Windows\SysWOW64\EBRR.EXE
        
        C:\Windows\system32\EBRR.EXE -s
        5⤵
        
        PID:1912
    - - C:\Windows\SysWOW64\mmtask.exe
        
        C:\Windows\system32\mmtask.exe -s
        5⤵
        
        PID:1408
    - - C:\Windows\SVCHOST.EXE
        
        C:\Windows\SVCHOST.EXE -s
        5⤵
        
        PID:2252
    - - C:\Windows\system\SVCHOST.EXE
        
        C:\Windows\system\SVCHOST.EXE -s
        5⤵
        
        PID:1484
    - - C:\Windows\SysWOW64\EBRR.EXE
        
        C:\Windows\system32\EBRR.EXE -s
        5⤵
        
        PID:2108
    - - C:\Windows\SysWOW64\mmtask.exe
        
        C:\Windows\system32\mmtask.exe -s
        5⤵
        
        PID:408
    - - C:\Windows\SVCHOST.EXE
        
        C:\Windows\SVCHOST.EXE -s
        5⤵
        
        PID:1536
    - - C:\Windows\system\SVCHOST.EXE
        
        C:\Windows\system\SVCHOST.EXE -s
        5⤵
        
        PID:2384
    - - C:\Windows\SysWOW64\EBRR.EXE
        
        C:\Windows\system32\EBRR.EXE -s
        5⤵
        
        PID:3056
    - - C:\Windows\SysWOW64\mmtask.exe
        
        C:\Windows\system32\mmtask.exe -s
        5⤵
        
        PID:2788
    - - C:\Windows\SVCHOST.EXE
        
        C:\Windows\SVCHOST.EXE -s
        5⤵
        
        PID:2912
    - - C:\Windows\system\SVCHOST.EXE
        
        C:\Windows\system\SVCHOST.EXE -s
        5⤵
        
        PID:2836
    - - C:\Windows\SysWOW64\EBRR.EXE
        
        C:\Windows\system32\EBRR.EXE -s
        5⤵
        
        PID:1972
    - - C:\Windows\SysWOW64\mmtask.exe
        
        C:\Windows\system32\mmtask.exe -s
        5⤵
        
        PID:2644
    - - C:\Windows\SVCHOST.EXE
        
        C:\Windows\SVCHOST.EXE -s
        5⤵
        
        PID:2964
    - - C:\Windows\system\SVCHOST.EXE
        
        C:\Windows\system\SVCHOST.EXE -s
        5⤵
        
        PID:1732
    - - C:\Windows\SysWOW64\EBRR.EXE
        
        C:\Windows\system32\EBRR.EXE -s
        5⤵
        
        PID:2376
    - - C:\Windows\SysWOW64\mmtask.exe
        
        C:\Windows\system32\mmtask.exe -s
        5⤵
        
        PID:2456
    - - C:\Windows\SVCHOST.EXE
        
        C:\Windows\SVCHOST.EXE -s
        5⤵
        
        PID:2404
    - - C:\Windows\system\SVCHOST.EXE
        
        C:\Windows\system\SVCHOST.EXE -s
        5⤵
        
        PID:1960
    - - C:\Windows\SysWOW64\EBRR.EXE
        
        C:\Windows\system32\EBRR.EXE -s
        5⤵
        
        PID:1576
    - - C:\Windows\SysWOW64\mmtask.exe
        
        C:\Windows\system32\mmtask.exe -s
        5⤵
        
        PID:2828
    - - C:\Windows\SVCHOST.EXE
        
        C:\Windows\SVCHOST.EXE -s
        5⤵
        
        PID:2660
    - - C:\Windows\system\SVCHOST.EXE
        
        C:\Windows\system\SVCHOST.EXE -s
        5⤵
        
        PID:2744
    - - C:\Windows\SysWOW64\EBRR.EXE
        
        C:\Windows\system32\EBRR.EXE -s
        5⤵
        
        PID:2808
    - - C:\Windows\SysWOW64\mmtask.exe
        
        C:\Windows\system32\mmtask.exe -s
        5⤵
        
        PID:2968
    - - C:\Windows\SVCHOST.EXE
        
        C:\Windows\SVCHOST.EXE -s
        5⤵
        
        PID:3068
    - - C:\Windows\system\SVCHOST.EXE
        
        C:\Windows\system\SVCHOST.EXE -s
        5⤵
        
        PID:2472
    - - C:\Windows\SysWOW64\EBRR.EXE
        
        C:\Windows\system32\EBRR.EXE -s
        5⤵
        
        PID:1968
    - - C:\Windows\SysWOW64\mmtask.exe
        
        C:\Windows\system32\mmtask.exe -s
        5⤵
        
        PID:2080
    - - C:\Windows\SVCHOST.EXE
        
        C:\Windows\SVCHOST.EXE -s
        5⤵
        
        PID:1356
    - - C:\Windows\system\SVCHOST.EXE
        
        C:\Windows\system\SVCHOST.EXE -s
        5⤵
        
        PID:2120
    - - C:\Windows\SysWOW64\EBRR.EXE
        
        C:\Windows\system32\EBRR.EXE -s
        5⤵
        
        PID:2416
    - - C:\Windows\SysWOW64\mmtask.exe
        
        C:\Windows\system32\mmtask.exe -s
        5⤵
        
        PID:1128
    - - C:\Windows\SVCHOST.EXE
        
        C:\Windows\SVCHOST.EXE -s
        5⤵
        
        PID:1752
    - - C:\Windows\system\SVCHOST.EXE
        
        C:\Windows\system\SVCHOST.EXE -s
        5⤵
        
        PID:3048
    - - C:\Windows\SysWOW64\EBRR.EXE
        
        C:\Windows\system32\EBRR.EXE -s
        5⤵
        
        PID:2996
    - - C:\Windows\SysWOW64\mmtask.exe
        
        C:\Windows\system32\mmtask.exe -s
        5⤵
        
        PID:2636
    - - C:\Windows\SVCHOST.EXE
        
        C:\Windows\SVCHOST.EXE -s
        5⤵
        
        PID:2748
    - - C:\Windows\system\SVCHOST.EXE
        
        C:\Windows\system\SVCHOST.EXE -s
        5⤵
        
        PID:2140
    - - C:\Windows\SysWOW64\EBRR.EXE
        
        C:\Windows\system32\EBRR.EXE -s
        5⤵
        
        PID:2944
    - - C:\Windows\SysWOW64\mmtask.exe
        
        C:\Windows\system32\mmtask.exe -s
        5⤵
        
        PID:1560
    - - C:\Windows\SVCHOST.EXE
        
        C:\Windows\SVCHOST.EXE -s
        5⤵
        
        PID:764
    - - C:\Windows\system\SVCHOST.EXE
        
        C:\Windows\system\SVCHOST.EXE -s
        5⤵
        
        PID:2184
    - - C:\Windows\SysWOW64\EBRR.EXE
        
        C:\Windows\system32\EBRR.EXE -s
        5⤵
        
        PID:1536
    - - C:\Windows\SysWOW64\mmtask.exe
        
        C:\Windows\system32\mmtask.exe -s
        5⤵
        
        PID:2336
    - - C:\Windows\SVCHOST.EXE
        
        C:\Windows\SVCHOST.EXE -s
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:2288
    - - C:\Windows\system\SVCHOST.EXE
        
        C:\Windows\system\SVCHOST.EXE -s
        5⤵
        
        PID:1556
    - - C:\Windows\SysWOW64\EBRR.EXE
        
        C:\Windows\system32\EBRR.EXE -s
        5⤵
        
        PID:2464
    - - C:\Windows\SysWOW64\mmtask.exe
        
        C:\Windows\system32\mmtask.exe -s
        5⤵
        
        PID:1908
    - - C:\Windows\SVCHOST.EXE
        
        C:\Windows\SVCHOST.EXE -s
        5⤵
        
        PID:2972
    - - C:\Windows\system\SVCHOST.EXE
        
        C:\Windows\system\SVCHOST.EXE -s
        5⤵
        
        PID:2656
    - - C:\Windows\SysWOW64\EBRR.EXE
        
        C:\Windows\system32\EBRR.EXE -s
        5⤵
        
        PID:2664
    - - C:\Windows\SysWOW64\mmtask.exe
        
        C:\Windows\system32\mmtask.exe -s
        5⤵
        
        PID:2212
    - - C:\Windows\SVCHOST.EXE
        
        C:\Windows\SVCHOST.EXE -s
        5⤵
        
        PID:1312
    - - C:\Windows\system\SVCHOST.EXE
        
        C:\Windows\system\SVCHOST.EXE -s
        5⤵
        
        PID:1452
    - - C:\Windows\SysWOW64\EBRR.EXE
        
        C:\Windows\system32\EBRR.EXE -s
        5⤵
        
        PID:2472
    - - C:\Windows\SysWOW64\mmtask.exe
        
        C:\Windows\system32\mmtask.exe -s
        5⤵
        
        PID:1600
    - - C:\Windows\SVCHOST.EXE
        
        C:\Windows\SVCHOST.EXE -s
        5⤵
        
        PID:1484
    - - C:\Windows\system\SVCHOST.EXE
        
        C:\Windows\system\SVCHOST.EXE -s
        5⤵
        
        PID:2992
    - - C:\Windows\SysWOW64\EBRR.EXE
        
        C:\Windows\system32\EBRR.EXE -s
        5⤵
        
        PID:1640
    - - C:\Windows\SysWOW64\mmtask.exe
        
        C:\Windows\system32\mmtask.exe -s
        5⤵
        
        PID:2428
    - - C:\Windows\SVCHOST.EXE
        
        C:\Windows\SVCHOST.EXE -s
        5⤵
        
        PID:2612
    - - C:\Windows\system\SVCHOST.EXE
        
        C:\Windows\system\SVCHOST.EXE -s
        5⤵
        
        PID:448
    - - C:\Windows\SysWOW64\EBRR.EXE
        
        C:\Windows\system32\EBRR.EXE -s
        5⤵
        
        PID:2204
    - - C:\Windows\SysWOW64\mmtask.exe
        
        C:\Windows\system32\mmtask.exe -s
        5⤵
        
        PID:2756
    - - C:\Windows\SVCHOST.EXE
        
        C:\Windows\SVCHOST.EXE -s
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:2852
    - - C:\Windows\system\SVCHOST.EXE
        
        C:\Windows\system\SVCHOST.EXE -s
        5⤵
        
        PID:2680
    - - C:\Windows\SysWOW64\EBRR.EXE
        
        C:\Windows\system32\EBRR.EXE -s
        5⤵
        
        PID:2916
    - - C:\Windows\SysWOW64\mmtask.exe
        
        C:\Windows\system32\mmtask.exe -s
        5⤵
        
        PID:2864
    - - C:\Windows\SVCHOST.EXE
        
        C:\Windows\SVCHOST.EXE -s
        5⤵
        
        PID:2664
    - - C:\Windows\system\SVCHOST.EXE
        
        C:\Windows\system\SVCHOST.EXE -s
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:2860
    - - C:\Windows\SysWOW64\EBRR.EXE
        
        C:\Windows\system32\EBRR.EXE -s
        5⤵
        
        PID:2944
    - - C:\Windows\SysWOW64\mmtask.exe
        
        C:\Windows\system32\mmtask.exe -s
        5⤵
        
        PID:2292
    - - C:\Windows\SVCHOST.EXE
        
        C:\Windows\SVCHOST.EXE -s
        5⤵
        
        PID:1308
    - - C:\Windows\system\SVCHOST.EXE
        
        C:\Windows\system\SVCHOST.EXE -s
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:1164
    - - C:\Windows\SysWOW64\EBRR.EXE
        
        C:\Windows\system32\EBRR.EXE -s
        5⤵
        
        PID:828
    - - C:\Windows\SysWOW64\mmtask.exe
        
        C:\Windows\system32\mmtask.exe -s
        5⤵
        
        PID:1000
    - - C:\Windows\SVCHOST.EXE
        
        C:\Windows\SVCHOST.EXE -s
        5⤵
        
        PID:1968
    - - C:\Windows\system\SVCHOST.EXE
        
        C:\Windows\system\SVCHOST.EXE -s
        5⤵
        
        PID:2956
    - - C:\Windows\SysWOW64\EBRR.EXE
        
        C:\Windows\system32\EBRR.EXE -s
        5⤵
        
        PID:876
    - - C:\Windows\SysWOW64\mmtask.exe
        
        C:\Windows\system32\mmtask.exe -s
        5⤵
        
        PID:2284
    - - C:\Windows\SVCHOST.EXE
        
        C:\Windows\SVCHOST.EXE -s
        5⤵
        
        PID:2372
    - - C:\Windows\system\SVCHOST.EXE
        
        C:\Windows\system\SVCHOST.EXE -s
        5⤵
        
        PID:2248
    - - C:\Windows\SysWOW64\EBRR.EXE
        
        C:\Windows\system32\EBRR.EXE -s
        5⤵
        
        PID:2456
    - - C:\Windows\SysWOW64\mmtask.exe
        
        C:\Windows\system32\mmtask.exe -s
        5⤵
        
        PID:2044
    - - C:\Windows\SVCHOST.EXE
        
        C:\Windows\SVCHOST.EXE -s
        5⤵
        
        PID:2752
    - - C:\Windows\system\SVCHOST.EXE
        
        C:\Windows\system\SVCHOST.EXE -s
        5⤵
        
        PID:1480
    - - C:\Windows\SysWOW64\EBRR.EXE
        
        C:\Windows\system32\EBRR.EXE -s
        5⤵
        
        PID:1576
    - - C:\Windows\SysWOW64\mmtask.exe
        
        C:\Windows\system32\mmtask.exe -s
        5⤵
        
        PID:2012
    - - C:\Windows\SVCHOST.EXE
        
        C:\Windows\SVCHOST.EXE -s
        5⤵
        
        PID:2032
    - - C:\Windows\system\SVCHOST.EXE
        
        C:\Windows\system\SVCHOST.EXE -s
        5⤵
        
        PID:2280
    - - C:\Windows\SysWOW64\EBRR.EXE
        
        C:\Windows\system32\EBRR.EXE -s
        5⤵
        
        PID:2224
    - - C:\Windows\SysWOW64\mmtask.exe
        
        C:\Windows\system32\mmtask.exe -s
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:1100
    - - C:\Windows\SVCHOST.EXE
        
        C:\Windows\SVCHOST.EXE -s
        5⤵
        
        PID:2064
    - - C:\Windows\system\SVCHOST.EXE
        
        C:\Windows\system\SVCHOST.EXE -s
        5⤵
        
        PID:2156
    - - C:\Windows\SysWOW64\EBRR.EXE
        
        C:\Windows\system32\EBRR.EXE -s
        5⤵
        
        PID:1340
    - - C:\Windows\SysWOW64\mmtask.exe
        
        C:\Windows\system32\mmtask.exe -s
        5⤵
        
        PID:3012
    - - C:\Windows\SVCHOST.EXE
        
        C:\Windows\SVCHOST.EXE -s
        5⤵
        
        PID:2796
    - - C:\Windows\system\SVCHOST.EXE
        
        C:\Windows\system\SVCHOST.EXE -s
        5⤵
        
        PID:2832
    - - C:\Windows\SysWOW64\EBRR.EXE
        
        C:\Windows\system32\EBRR.EXE -s
        5⤵
        
        PID:1908
    - - C:\Windows\SysWOW64\mmtask.exe
        
        C:\Windows\system32\mmtask.exe -s
        5⤵
        
        PID:1808
    - - C:\Windows\SVCHOST.EXE
        
        C:\Windows\SVCHOST.EXE -s
        5⤵
        
        PID:380
    - - C:\Windows\system\SVCHOST.EXE
        
        C:\Windows\system\SVCHOST.EXE -s
        5⤵
        
        PID:1928
    - - C:\Windows\SysWOW64\EBRR.EXE
        
        C:\Windows\system32\EBRR.EXE -s
        5⤵
        
        PID:2292
    - - C:\Windows\SysWOW64\mmtask.exe
        
        C:\Windows\system32\mmtask.exe -s
        5⤵
        
        PID:2280
    - - C:\Windows\SVCHOST.EXE
        
        C:\Windows\SVCHOST.EXE -s
        5⤵
        
        PID:1264
    - - C:\Windows\system\SVCHOST.EXE
        
        C:\Windows\system\SVCHOST.EXE -s
        5⤵
        
        PID:2388
    - - C:\Windows\SysWOW64\EBRR.EXE
        
        C:\Windows\system32\EBRR.EXE -s
        5⤵
        
        PID:2196
    - - C:\Windows\SysWOW64\mmtask.exe
        
        C:\Windows\system32\mmtask.exe -s
        5⤵
        
        PID:2536
    - - C:\Windows\SVCHOST.EXE
        
        C:\Windows\SVCHOST.EXE -s
        5⤵
        
        PID:1904
    - - C:\Windows\system\SVCHOST.EXE
        
        C:\Windows\system\SVCHOST.EXE -s
        5⤵
        
        PID:1356
    - - C:\Windows\SysWOW64\EBRR.EXE
        
        C:\Windows\system32\EBRR.EXE -s
        5⤵
        
        PID:1340
    - - C:\Windows\SysWOW64\mmtask.exe
        
        C:\Windows\system32\mmtask.exe -s
        5⤵
        
        PID:2128
    - - C:\Windows\SVCHOST.EXE
        
        C:\Windows\SVCHOST.EXE -s
        5⤵
        
        PID:1248
    - - C:\Windows\system\SVCHOST.EXE
        
        C:\Windows\system\SVCHOST.EXE -s
        5⤵
        
        PID:1428
    - - C:\Windows\SysWOW64\EBRR.EXE
        
        C:\Windows\system32\EBRR.EXE -s
        5⤵
        
        PID:2904
    - - C:\Windows\SysWOW64\mmtask.exe
        
        C:\Windows\system32\mmtask.exe -s
        5⤵
        
        PID:2652
    - - C:\Windows\SVCHOST.EXE
        
        C:\Windows\SVCHOST.EXE -s
        5⤵
        
        PID:380
    - - C:\Windows\system\SVCHOST.EXE
        
        C:\Windows\system\SVCHOST.EXE -s
        5⤵
        
        PID:2140
    - - C:\Windows\SysWOW64\EBRR.EXE
        
        C:\Windows\system32\EBRR.EXE -s
        5⤵
        
        PID:1308
    - - C:\Windows\SysWOW64\mmtask.exe
        
        C:\Windows\system32\mmtask.exe -s
        5⤵
        
        PID:1720
    - - C:\Windows\SVCHOST.EXE
        
        C:\Windows\SVCHOST.EXE -s
        5⤵
        
        PID:828
    - - C:\Windows\system\SVCHOST.EXE
        
        C:\Windows\system\SVCHOST.EXE -s
        5⤵
        
        PID:1200
    - - C:\Windows\SysWOW64\EBRR.EXE
        
        C:\Windows\system32\EBRR.EXE -s
        5⤵
        
        PID:2180
    - - C:\Windows\SysWOW64\mmtask.exe
        
        C:\Windows\system32\mmtask.exe -s
        5⤵
        
        PID:1536
    - - C:\Windows\SVCHOST.EXE
        
        C:\Windows\SVCHOST.EXE -s
        5⤵
        
        PID:2936
    - - C:\Windows\system\SVCHOST.EXE
        
        C:\Windows\system\SVCHOST.EXE -s
        5⤵
        
        PID:448
    - - C:\Windows\SysWOW64\EBRR.EXE
        
        C:\Windows\system32\EBRR.EXE -s
        5⤵
        
        PID:3064
    - - C:\Windows\SysWOW64\mmtask.exe
        
        C:\Windows\system32\mmtask.exe -s
        5⤵
        
        PID:2456
    - - C:\Windows\SVCHOST.EXE
        
        C:\Windows\SVCHOST.EXE -s
        5⤵
        
        PID:2676
    - - C:\Windows\system\SVCHOST.EXE
        
        C:\Windows\system\SVCHOST.EXE -s
        5⤵
        
        PID:2828
    - - C:\Windows\SysWOW64\EBRR.EXE
        
        C:\Windows\system32\EBRR.EXE -s
        5⤵
        
        PID:2792
    - - C:\Windows\SysWOW64\mmtask.exe
        
        C:\Windows\system32\mmtask.exe -s
        5⤵
        
        PID:2904
    - - C:\Windows\SVCHOST.EXE
        
        C:\Windows\SVCHOST.EXE -s
        5⤵
        
        PID:1812
    - - C:\Windows\system\SVCHOST.EXE
        
        C:\Windows\system\SVCHOST.EXE -s
        5⤵
        
        PID:2808
    - - C:\Windows\SysWOW64\EBRR.EXE
        
        C:\Windows\system32\EBRR.EXE -s
        5⤵
        
        PID:1004
    - - C:\Windows\SysWOW64\mmtask.exe
        
        C:\Windows\system32\mmtask.exe -s
        5⤵
        
        PID:1728
    - - C:\Windows\SVCHOST.EXE
        
        C:\Windows\SVCHOST.EXE -s
        5⤵
        
        PID:2080
    - - C:\Windows\system\SVCHOST.EXE
        
        C:\Windows\system\SVCHOST.EXE -s
        5⤵
        
        PID:2376
    - - C:\Windows\SysWOW64\EBRR.EXE
        
        C:\Windows\system32\EBRR.EXE -s
        5⤵
        
        PID:1716
    - - C:\Windows\SysWOW64\mmtask.exe
        
        C:\Windows\system32\mmtask.exe -s
        5⤵
        
        PID:3020
    - - C:\Windows\SVCHOST.EXE
        
        C:\Windows\SVCHOST.EXE -s
        5⤵
        
        PID:376
    - - C:\Windows\system\SVCHOST.EXE
        
        C:\Windows\system\SVCHOST.EXE -s
        5⤵
        
        PID:2604
    - - C:\Windows\SysWOW64\EBRR.EXE
        
        C:\Windows\system32\EBRR.EXE -s
        5⤵
        
        PID:1080
    - - C:\Windows\SysWOW64\mmtask.exe
        
        C:\Windows\system32\mmtask.exe -s
        5⤵
        
        PID:1556
    - - C:\Windows\SVCHOST.EXE
        
        C:\Windows\SVCHOST.EXE -s
        5⤵
        
        PID:1688
    - - C:\Windows\system\SVCHOST.EXE
        
        C:\Windows\system\SVCHOST.EXE -s
        5⤵
        
        PID:2768
    - - C:\Windows\SysWOW64\EBRR.EXE
        
        C:\Windows\system32\EBRR.EXE -s
        5⤵
        
        PID:2828
    - - C:\Windows\SysWOW64\mmtask.exe
        
        C:\Windows\system32\mmtask.exe -s
        5⤵
        
        PID:1428
    - - C:\Windows\SVCHOST.EXE
        
        C:\Windows\SVCHOST.EXE -s
        5⤵
        
        PID:1816
    - - C:\Windows\system\SVCHOST.EXE
        
        C:\Windows\system\SVCHOST.EXE -s
        5⤵
        
        PID:1784
    - - C:\Windows\SysWOW64\EBRR.EXE
        
        C:\Windows\system32\EBRR.EXE -s
        5⤵
        
        PID:1044
    - - C:\Windows\SysWOW64\mmtask.exe
        
        C:\Windows\system32\mmtask.exe -s
        5⤵
        
        PID:1452
    - - C:\Windows\SVCHOST.EXE
        
        C:\Windows\SVCHOST.EXE -s
        5⤵
        
        PID:1968
    - - C:\Windows\system\SVCHOST.EXE
        
        C:\Windows\system\SVCHOST.EXE -s
        5⤵
        
        PID:496
    - - C:\Windows\SysWOW64\EBRR.EXE
        
        C:\Windows\system32\EBRR.EXE -s
        5⤵
        
        PID:1724
    - - C:\Windows\SysWOW64\mmtask.exe
        
        C:\Windows\system32\mmtask.exe -s
        5⤵
        
        PID:1716
    - - C:\Windows\SVCHOST.EXE
        
        C:\Windows\SVCHOST.EXE -s
        5⤵
        
        PID:2276
    - - C:\Windows\system\SVCHOST.EXE
        
        C:\Windows\system\SVCHOST.EXE -s
        5⤵
        
        PID:1776
    - - C:\Windows\SysWOW64\EBRR.EXE
        
        C:\Windows\system32\EBRR.EXE -s
        5⤵
        
        PID:1356
    - - C:\Windows\SysWOW64\mmtask.exe
        
        C:\Windows\system32\mmtask.exe -s
        5⤵
        
        PID:1948
    - - C:\Windows\SVCHOST.EXE
        
        C:\Windows\SVCHOST.EXE -s
        5⤵
        
        PID:2372
    - - C:\Windows\system\SVCHOST.EXE
        
        C:\Windows\system\SVCHOST.EXE -s
        5⤵
        
        PID:1556
    - - C:\Windows\SysWOW64\EBRR.EXE
        
        C:\Windows\system32\EBRR.EXE -s
        5⤵
        
        PID:1240
    - - C:\Windows\SysWOW64\mmtask.exe
        
        C:\Windows\system32\mmtask.exe -s
        5⤵
        
        PID:2456
    - - C:\Windows\SVCHOST.EXE
        
        C:\Windows\SVCHOST.EXE -s
        5⤵
        
        PID:1588
    - - C:\Windows\system\SVCHOST.EXE
        
        C:\Windows\system\SVCHOST.EXE -s
        5⤵
        
        PID:2940
    - - C:\Windows\SysWOW64\EBRR.EXE
        
        C:\Windows\system32\EBRR.EXE -s
        5⤵
        
        PID:2764
    - - C:\Windows\SysWOW64\mmtask.exe
        
        C:\Windows\system32\mmtask.exe -s
        5⤵
        
        PID:1312
    - - C:\Windows\SVCHOST.EXE
        
        C:\Windows\SVCHOST.EXE -s
        5⤵
        
        PID:1484
    - - C:\Windows\system\SVCHOST.EXE
        
        C:\Windows\system\SVCHOST.EXE -s
        5⤵
        
        PID:2184
    - - C:\Windows\SysWOW64\EBRR.EXE
        
        C:\Windows\system32\EBRR.EXE -s
        5⤵
        
        PID:1000
    - - C:\Windows\SysWOW64\mmtask.exe
        
        C:\Windows\system32\mmtask.exe -s
        5⤵
        
        PID:3068
    - - C:\Windows\SVCHOST.EXE
        
        C:\Windows\SVCHOST.EXE -s
        5⤵
        
        PID:896
    - - C:\Windows\system\SVCHOST.EXE
        
        C:\Windows\system\SVCHOST.EXE -s
        5⤵
        
        PID:2144
    - - C:\Windows\SysWOW64\EBRR.EXE
        
        C:\Windows\system32\EBRR.EXE -s
        5⤵
        
        PID:1716
    - - C:\Windows\SysWOW64\mmtask.exe
        
        C:\Windows\system32\mmtask.exe -s
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:2540
    - - C:\Windows\SVCHOST.EXE
        
        C:\Windows\SVCHOST.EXE -s
        5⤵
        
        PID:1104
    - - C:\Windows\system\SVCHOST.EXE
        
        C:\Windows\system\SVCHOST.EXE -s
        5⤵
        
        PID:3064
    - - C:\Windows\SysWOW64\EBRR.EXE
        
        C:\Windows\system32\EBRR.EXE -s
        5⤵
        
        PID:2916
    - - C:\Windows\SysWOW64\mmtask.exe
        
        C:\Windows\system32\mmtask.exe -s
        5⤵
        
        PID:2728
    - - C:\Windows\SVCHOST.EXE
        
        C:\Windows\SVCHOST.EXE -s
        5⤵
        
        PID:1056
    - - C:\Windows\system\SVCHOST.EXE
        
        C:\Windows\system\SVCHOST.EXE -s
        5⤵
        
        PID:2940
    - - C:\Windows\SysWOW64\EBRR.EXE
        
        C:\Windows\system32\EBRR.EXE -s
        5⤵
        
        PID:2688
    - - C:\Windows\SysWOW64\mmtask.exe
        
        C:\Windows\system32\mmtask.exe -s
        5⤵
        
        PID:1708
    - - C:\Windows\SVCHOST.EXE
        
        C:\Windows\SVCHOST.EXE -s
        5⤵
        
        PID:2968
  - - C:\Windows\system\SVCHOST.EXE
      C:\Windows\system\SVCHOST.EXE -s
      4⤵
      Executes dropped EXE
      Suspicious use of SetWindowsHookEx
      PID:2012
  - - C:\Windows\SysWOW64\EBRR.EXE
      C:\Windows\system32\EBRR.EXE -s
      4⤵
      Executes dropped EXE
      Suspicious use of SetWindowsHookEx
      PID:2980
  - - C:\Windows\SysWOW64\mmtask.exe
      C:\Windows\system32\mmtask.exe -s
      4⤵
      Executes dropped EXE
      Suspicious use of SetWindowsHookEx
      PID:2724
  - - C:\Windows\SVCHOST.EXE
      C:\Windows\SVCHOST.EXE -s
      4⤵
      Executes dropped EXE
      Suspicious use of SetWindowsHookEx
      PID:496
  - - C:\Windows\system\SVCHOST.EXE
      C:\Windows\system\SVCHOST.EXE -s
      4⤵
      Executes dropped EXE
      Suspicious use of SetWindowsHookEx
      PID:2108
  - - C:\Windows\SysWOW64\EBRR.EXE
      C:\Windows\system32\EBRR.EXE -s
      4⤵
      Executes dropped EXE
      Suspicious use of SetWindowsHookEx
      PID:1952
  - - C:\Windows\SysWOW64\mmtask.exe
      C:\Windows\system32\mmtask.exe -s
      4⤵
      Executes dropped EXE
      Suspicious use of SetWindowsHookEx
      PID:2440
  - - C:\Windows\SVCHOST.EXE
      C:\Windows\SVCHOST.EXE -s
      4⤵
      Executes dropped EXE
      Suspicious use of SetWindowsHookEx
      PID:2192
  - - C:\Windows\system\SVCHOST.EXE
      C:\Windows\system\SVCHOST.EXE -s
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious use of SetWindowsHookEx
      PID:1584
  - - C:\Windows\SysWOW64\EBRR.EXE
      C:\Windows\system32\EBRR.EXE -s
      4⤵
      Executes dropped EXE
      Suspicious use of SetWindowsHookEx
      PID:2916
  - - C:\Windows\SysWOW64\mmtask.exe
      C:\Windows\system32\mmtask.exe -s
      4⤵
      Executes dropped EXE
      Suspicious use of SetWindowsHookEx
      PID:2856
  - - C:\Windows\SVCHOST.EXE
      C:\Windows\SVCHOST.EXE -s
      4⤵
      Executes dropped EXE
      Suspicious use of SetWindowsHookEx
      PID:2872
  - - C:\Windows\system\SVCHOST.EXE
      C:\Windows\system\SVCHOST.EXE -s
      4⤵
      Executes dropped EXE
      Suspicious use of SetWindowsHookEx
      PID:2148
  - - C:\Windows\SysWOW64\EBRR.EXE
      C:\Windows\system32\EBRR.EXE -s
      4⤵
      Executes dropped EXE
      Suspicious use of SetWindowsHookEx
      PID:1312
  - - C:\Windows\SysWOW64\mmtask.exe
      C:\Windows\system32\mmtask.exe -s
      4⤵
      PID:1916
  - - C:\Windows\SVCHOST.EXE
      C:\Windows\SVCHOST.EXE -s
      4⤵
      PID:1784
  - - C:\Windows\system\SVCHOST.EXE
      C:\Windows\system\SVCHOST.EXE -s
      4⤵
      PID:2248
  - - C:\Windows\SysWOW64\EBRR.EXE
      C:\Windows\system32\EBRR.EXE -s
      4⤵
      PID:2536
  - - C:\Windows\SysWOW64\mmtask.exe
      C:\Windows\system32\mmtask.exe -s
      4⤵
      PID:1772
  - - C:\Windows\SVCHOST.EXE
      C:\Windows\SVCHOST.EXE -s
      4⤵
      PID:1056
  - - C:\Windows\system\SVCHOST.EXE
      C:\Windows\system\SVCHOST.EXE -s
      4⤵
      PID:324
  - - C:\Windows\SysWOW64\EBRR.EXE
      C:\Windows\system32\EBRR.EXE -s
      4⤵
      PID:2368
  - - C:\Windows\SysWOW64\mmtask.exe
      C:\Windows\system32\mmtask.exe -s
      4⤵
      PID:2744
  - - C:\Windows\SVCHOST.EXE
      C:\Windows\SVCHOST.EXE -s
      4⤵
      PID:2800
  - - C:\Windows\system\SVCHOST.EXE
      C:\Windows\system\SVCHOST.EXE -s
      4⤵
      PID:2792
  - - C:\Windows\SysWOW64\EBRR.EXE
      C:\Windows\system32\EBRR.EXE -s
      4⤵
      PID:2012
  - - C:\Windows\SysWOW64\mmtask.exe
      C:\Windows\system32\mmtask.exe -s
      4⤵
      PID:2208
  - - C:\Windows\SVCHOST.EXE
      C:\Windows\SVCHOST.EXE -s
      4⤵
      PID:2232
  - - C:\Windows\system\SVCHOST.EXE
      C:\Windows\system\SVCHOST.EXE -s
      4⤵
      PID:1104
  - - C:\Windows\SysWOW64\EBRR.EXE
      C:\Windows\system32\EBRR.EXE -s
      4⤵
      PID:2164
  - - C:\Windows\SysWOW64\mmtask.exe
      C:\Windows\system32\mmtask.exe -s
      4⤵
      PID:1752
  - - C:\Windows\SVCHOST.EXE
      C:\Windows\SVCHOST.EXE -s
      4⤵
      PID:2604
  - - C:\Windows\system\SVCHOST.EXE
      C:\Windows\system\SVCHOST.EXE -s
      4⤵
      PID:2440
  - - C:\Windows\SysWOW64\EBRR.EXE
      C:\Windows\system32\EBRR.EXE -s
      4⤵
      PID:1480
  - - C:\Windows\SysWOW64\mmtask.exe
      C:\Windows\system32\mmtask.exe -s
      4⤵
      PID:1676
  - - C:\Windows\SVCHOST.EXE
      C:\Windows\SVCHOST.EXE -s
      4⤵
      PID:2892
  - - C:\Windows\system\SVCHOST.EXE
      C:\Windows\system\SVCHOST.EXE -s
      4⤵
      PID:2844
  - - C:\Windows\SysWOW64\EBRR.EXE
      C:\Windows\system32\EBRR.EXE -s
      4⤵
      PID:1044
  - - C:\Windows\SysWOW64\mmtask.exe
      C:\Windows\system32\mmtask.exe -s
      4⤵
      PID:2472
  - - C:\Windows\SVCHOST.EXE
      C:\Windows\SVCHOST.EXE -s
      4⤵
      PID:2952
  - - C:\Windows\system\SVCHOST.EXE
      C:\Windows\system\SVCHOST.EXE -s
      4⤵
      PID:2300
  - - C:\Windows\SysWOW64\EBRR.EXE
      C:\Windows\system32\EBRR.EXE -s
      4⤵
      PID:1904
  - - C:\Windows\SysWOW64\mmtask.exe
      C:\Windows\system32\mmtask.exe -s
      4⤵
      PID:1356
  - - C:\Windows\SVCHOST.EXE
      C:\Windows\SVCHOST.EXE -s
      4⤵
      PID:1212
  - - C:\Windows\system\SVCHOST.EXE
      C:\Windows\system\SVCHOST.EXE -s
      4⤵
      PID:1680
  - - C:\Windows\SysWOW64\EBRR.EXE
      C:\Windows\system32\EBRR.EXE -s
      4⤵
      PID:3012
  - - C:\Windows\SysWOW64\mmtask.exe
      C:\Windows\system32\mmtask.exe -s
      4⤵
      PID:2768
  - - C:\Windows\SVCHOST.EXE
      C:\Windows\SVCHOST.EXE -s
      4⤵
      PID:2864
  - - C:\Windows\system\SVCHOST.EXE
      C:\Windows\system\SVCHOST.EXE -s
      4⤵
      PID:2684
  - - C:\Windows\SysWOW64\EBRR.EXE
      C:\Windows\system32\EBRR.EXE -s
      4⤵
      PID:276
  - - C:\Windows\SysWOW64\mmtask.exe
      C:\Windows\system32\mmtask.exe -s
      4⤵
      PID:2984
  - - C:\Windows\SVCHOST.EXE
      C:\Windows\SVCHOST.EXE -s
      4⤵
      PID:2176
  - - C:\Windows\system\SVCHOST.EXE
      C:\Windows\system\SVCHOST.EXE -s
      4⤵
      PID:2224
  - - C:\Windows\SysWOW64\EBRR.EXE
      C:\Windows\system32\EBRR.EXE -s
      4⤵
      PID:376
  - - C:\Windows\SysWOW64\mmtask.exe
      C:\Windows\system32\mmtask.exe -s
      4⤵
      PID:2552
  - - C:\Windows\SVCHOST.EXE
      C:\Windows\SVCHOST.EXE -s
      4⤵
      PID:2100
  - - C:\Windows\system\SVCHOST.EXE
      C:\Windows\system\SVCHOST.EXE -s
      4⤵
      PID:580
  - - C:\Windows\SysWOW64\EBRR.EXE
      C:\Windows\system32\EBRR.EXE -s
      4⤵
      PID:2448
  - - C:\Windows\SysWOW64\mmtask.exe
      C:\Windows\system32\mmtask.exe -s
      4⤵
      PID:2720
  - - C:\Windows\SVCHOST.EXE
      C:\Windows\SVCHOST.EXE -s
      4⤵
      PID:2904
  - - C:\Windows\system\SVCHOST.EXE
      C:\Windows\system\SVCHOST.EXE -s
      4⤵
      PID:1576
  - - C:\Windows\SysWOW64\EBRR.EXE
      C:\Windows\system32\EBRR.EXE -s
      4⤵
      PID:2792
  - - C:\Windows\SysWOW64\mmtask.exe
      C:\Windows\system32\mmtask.exe -s
      4⤵
      PID:1792
  - - C:\Windows\SVCHOST.EXE
      C:\Windows\SVCHOST.EXE -s
      4⤵
      PID:2280
  - - C:\Windows\system\SVCHOST.EXE
      C:\Windows\system\SVCHOST.EXE -s
      4⤵
      PID:2484
  - - C:\Windows\SysWOW64\EBRR.EXE
      C:\Windows\system32\EBRR.EXE -s
      4⤵
      PID:2108
  - - C:\Windows\SysWOW64\mmtask.exe
      C:\Windows\system32\mmtask.exe -s
      4⤵
      PID:1212
  - - C:\Windows\SVCHOST.EXE
      C:\Windows\SVCHOST.EXE -s
      4⤵
      PID:1680
  - - C:\Windows\system\SVCHOST.EXE
      C:\Windows\system\SVCHOST.EXE -s
      4⤵
      PID:376
  - - C:\Windows\SysWOW64\EBRR.EXE
      C:\Windows\system32\EBRR.EXE -s
      4⤵
      PID:1952
  - - C:\Windows\SysWOW64\mmtask.exe
      C:\Windows\system32\mmtask.exe -s
      4⤵
      PID:1244
  - - C:\Windows\SVCHOST.EXE
      C:\Windows\SVCHOST.EXE -s
      4⤵
      PID:2752
  - - C:\Windows\system\SVCHOST.EXE
      C:\Windows\system\SVCHOST.EXE -s
      4⤵
      PID:2368
  - - C:\Windows\SysWOW64\EBRR.EXE
      C:\Windows\system32\EBRR.EXE -s
      4⤵
      PID:2912
  - - C:\Windows\SysWOW64\mmtask.exe
      C:\Windows\system32\mmtask.exe -s
      4⤵
      PID:1156
  - - C:\Windows\SVCHOST.EXE
      C:\Windows\SVCHOST.EXE -s
      4⤵
      PID:2860
  - - C:\Windows\system\SVCHOST.EXE
      C:\Windows\system\SVCHOST.EXE -s
      4⤵
      PID:2652
  - - C:\Windows\SysWOW64\EBRR.EXE
      C:\Windows\system32\EBRR.EXE -s
      4⤵
      PID:1224
  - - C:\Windows\SysWOW64\mmtask.exe
      C:\Windows\system32\mmtask.exe -s
      4⤵
      PID:2388
  - - C:\Windows\SVCHOST.EXE
      C:\Windows\SVCHOST.EXE -s
      4⤵
      PID:1944
  - - C:\Windows\system\SVCHOST.EXE
      C:\Windows\system\SVCHOST.EXE -s
      4⤵
      PID:2956
  - - C:\Windows\SysWOW64\EBRR.EXE
      C:\Windows\system32\EBRR.EXE -s
      4⤵
      PID:1776
  - - C:\Windows\SysWOW64\mmtask.exe
      C:\Windows\system32\mmtask.exe -s
      4⤵
      PID:876
  - - C:\Windows\SVCHOST.EXE
      C:\Windows\SVCHOST.EXE -s
      4⤵
      PID:696
  - - C:\Windows\system\SVCHOST.EXE
      C:\Windows\system\SVCHOST.EXE -s
      4⤵
      PID:1532
  - - C:\Windows\SysWOW64\EBRR.EXE
      C:\Windows\system32\EBRR.EXE -s
      4⤵
      PID:2532
  - - C:\Windows\SysWOW64\mmtask.exe
      C:\Windows\system32\mmtask.exe -s
      4⤵
      PID:2456
  - - C:\Windows\SVCHOST.EXE
      C:\Windows\SVCHOST.EXE -s
      4⤵
      PID:2832
  - - C:\Windows\system\SVCHOST.EXE
      C:\Windows\system\SVCHOST.EXE -s
      4⤵
      PID:1740
  - - C:\Windows\SysWOW64\EBRR.EXE
      C:\Windows\system32\EBRR.EXE -s
      4⤵
      PID:1748
  - - C:\Windows\SysWOW64\mmtask.exe
      C:\Windows\system32\mmtask.exe -s
      4⤵
      PID:2684
  - - C:\Windows\SVCHOST.EXE
      C:\Windows\SVCHOST.EXE -s
      4⤵
      PID:1912
  - - C:\Windows\system\SVCHOST.EXE
      C:\Windows\system\SVCHOST.EXE -s
      4⤵
      PID:1044
  - - C:\Windows\SysWOW64\EBRR.EXE
      C:\Windows\system32\EBRR.EXE -s
      4⤵
      PID:2932
  - - C:\Windows\SysWOW64\mmtask.exe
      C:\Windows\system32\mmtask.exe -s
      4⤵
      PID:2980
  - - C:\Windows\SVCHOST.EXE
      C:\Windows\SVCHOST.EXE -s
      4⤵
      PID:2080
  - - C:\Windows\system\SVCHOST.EXE
      C:\Windows\system\SVCHOST.EXE -s
      4⤵
      PID:2820
  - - C:\Windows\SysWOW64\EBRR.EXE
      C:\Windows\system32\EBRR.EXE -s
      4⤵
      PID:2488
  - - C:\Windows\SysWOW64\mmtask.exe
      C:\Windows\system32\mmtask.exe -s
      4⤵
      PID:984
  - - C:\Windows\SVCHOST.EXE
      C:\Windows\SVCHOST.EXE -s
      4⤵
      PID:2168
  - - C:\Windows\system\SVCHOST.EXE
      C:\Windows\system\SVCHOST.EXE -s
      4⤵
      PID:2164
  - - C:\Windows\SysWOW64\EBRR.EXE
      C:\Windows\system32\EBRR.EXE -s
      4⤵
      PID:1860
  - - C:\Windows\SysWOW64\mmtask.exe
      C:\Windows\system32\mmtask.exe -s
      4⤵
      PID:1128
  - - C:\Windows\SVCHOST.EXE
      C:\Windows\SVCHOST.EXE -s
      4⤵
      PID:2128
  - - C:\Windows\system\SVCHOST.EXE
      C:\Windows\system\SVCHOST.EXE -s
      4⤵
      PID:2776
  - - C:\Windows\SysWOW64\EBRR.EXE
      C:\Windows\system32\EBRR.EXE -s
      4⤵
      PID:2636
  - - C:\Windows\SysWOW64\mmtask.exe
      C:\Windows\system32\mmtask.exe -s
      4⤵
      PID:1796
  - - C:\Windows\SVCHOST.EXE
      C:\Windows\SVCHOST.EXE -s
      4⤵
      PID:2664
  - - C:\Windows\system\SVCHOST.EXE
      C:\Windows\system\SVCHOST.EXE -s
      4⤵
      PID:1220
  - - C:\Windows\SysWOW64\EBRR.EXE
      C:\Windows\system32\EBRR.EXE -s
      4⤵
      PID:276
  - - C:\Windows\SysWOW64\mmtask.exe
      C:\Windows\system32\mmtask.exe -s
      4⤵
      PID:1788
  - - C:\Windows\SVCHOST.EXE
      C:\Windows\SVCHOST.EXE -s
      4⤵
      PID:1600
  - - C:\Windows\system\SVCHOST.EXE
      C:\Windows\system\SVCHOST.EXE -s
      4⤵
      PID:1856
  - - C:\Windows\SysWOW64\EBRR.EXE
      C:\Windows\system32\EBRR.EXE -s
      4⤵
      PID:3000
  - - C:\Windows\SysWOW64\mmtask.exe
      C:\Windows\system32\mmtask.exe -s
      4⤵
      PID:2936
  - - C:\Windows\SVCHOST.EXE
      C:\Windows\SVCHOST.EXE -s
      4⤵
      PID:2168
  - - C:\Windows\system\SVCHOST.EXE
      C:\Windows\system\SVCHOST.EXE -s
      4⤵
      PID:2548
  - - C:\Windows\SysWOW64\EBRR.EXE
      C:\Windows\system32\EBRR.EXE -s
      4⤵
      PID:2368
  - - C:\Windows\SysWOW64\mmtask.exe
      C:\Windows\system32\mmtask.exe -s
      4⤵
      PID:2692
  - - C:\Windows\SVCHOST.EXE
      C:\Windows\SVCHOST.EXE -s
      4⤵
      PID:1688
  - - C:\Windows\system\SVCHOST.EXE
      C:\Windows\system\SVCHOST.EXE -s
      4⤵
      PID:2476
  - - C:\Windows\SysWOW64\EBRR.EXE
      C:\Windows\system32\EBRR.EXE -s
      4⤵
      PID:2836
  - - C:\Windows\SysWOW64\mmtask.exe
      C:\Windows\system32\mmtask.exe -s
      4⤵
      PID:2652
  - - C:\Windows\SVCHOST.EXE
      C:\Windows\SVCHOST.EXE -s
      4⤵
      PID:2896
  - - C:\Windows\system\SVCHOST.EXE
      C:\Windows\system\SVCHOST.EXE -s
      4⤵
      PID:1312
  - - C:\Windows\SysWOW64\EBRR.EXE
      C:\Windows\system32\EBRR.EXE -s
      4⤵
      PID:584
  - - C:\Windows\SysWOW64\mmtask.exe
      C:\Windows\system32\mmtask.exe -s
      4⤵
      PID:632
  - - C:\Windows\SVCHOST.EXE
      C:\Windows\SVCHOST.EXE -s
      4⤵
      PID:3068
  - - C:\Windows\system\SVCHOST.EXE
      C:\Windows\system\SVCHOST.EXE -s
      4⤵
      PID:2848
  - - C:\Windows\SysWOW64\EBRR.EXE
      C:\Windows\system32\EBRR.EXE -s
      4⤵
      PID:2176
  - - C:\Windows\SysWOW64\mmtask.exe
      C:\Windows\system32\mmtask.exe -s
      4⤵
      PID:308
  - - C:\Windows\SVCHOST.EXE
      C:\Windows\SVCHOST.EXE -s
      4⤵
      PID:2124
  - - C:\Windows\system\SVCHOST.EXE
      C:\Windows\system\SVCHOST.EXE -s
      4⤵
      PID:1536
  - - C:\Windows\SysWOW64\EBRR.EXE
      C:\Windows\system32\EBRR.EXE -s
      4⤵
      PID:1680
  - - C:\Windows\SysWOW64\mmtask.exe
      C:\Windows\system32\mmtask.exe -s
      4⤵
      PID:408
  - - C:\Windows\SVCHOST.EXE
      C:\Windows\SVCHOST.EXE -s
      4⤵
      PID:2168
  - - C:\Windows\system\SVCHOST.EXE
      C:\Windows\system\SVCHOST.EXE -s
      4⤵
      PID:1556
  - - C:\Windows\SysWOW64\EBRR.EXE
      C:\Windows\system32\EBRR.EXE -s
      4⤵
      PID:2440
  - - C:\Windows\SysWOW64\mmtask.exe
      C:\Windows\system32\mmtask.exe -s
      4⤵
      PID:1736
  - - C:\Windows\SVCHOST.EXE
      C:\Windows\SVCHOST.EXE -s
      4⤵
      PID:3048
  - - C:\Windows\system\SVCHOST.EXE
      C:\Windows\system\SVCHOST.EXE -s
      4⤵
      PID:2516
  - - C:\Windows\SysWOW64\EBRR.EXE
      C:\Windows\system32\EBRR.EXE -s
      4⤵
      PID:2448
  - - C:\Windows\SysWOW64\mmtask.exe
      C:\Windows\system32\mmtask.exe -s
      4⤵
      PID:2764
  - - C:\Windows\SVCHOST.EXE
      C:\Windows\SVCHOST.EXE -s
      4⤵
      PID:2148
  - - C:\Windows\system\SVCHOST.EXE
      C:\Windows\system\SVCHOST.EXE -s
      4⤵
      PID:2968
  - - C:\Windows\SysWOW64\EBRR.EXE
      C:\Windows\system32\EBRR.EXE -s
      4⤵
      PID:764
  - - C:\Windows\SysWOW64\mmtask.exe
      C:\Windows\system32\mmtask.exe -s
      4⤵
      PID:1112
  - - C:\Windows\SVCHOST.EXE
      C:\Windows\SVCHOST.EXE -s
      4⤵
      PID:2376
  - - C:\Windows\system\SVCHOST.EXE
      C:\Windows\system\SVCHOST.EXE -s
      4⤵
      PID:2960
  - - C:\Windows\SysWOW64\EBRR.EXE
      C:\Windows\system32\EBRR.EXE -s
      4⤵
      PID:608
  - - C:\Windows\SysWOW64\mmtask.exe
      C:\Windows\system32\mmtask.exe -s
      4⤵
      PID:1904
  - - C:\Windows\SVCHOST.EXE
      C:\Windows\SVCHOST.EXE -s
      4⤵
      PID:2416
  - - C:\Windows\system\SVCHOST.EXE
      C:\Windows\system\SVCHOST.EXE -s
      4⤵
      PID:696
  - - C:\Windows\SysWOW64\EBRR.EXE
      C:\Windows\system32\EBRR.EXE -s
      4⤵
      PID:2212
  - - C:\Windows\SysWOW64\mmtask.exe
      C:\Windows\system32\mmtask.exe -s
      4⤵
      PID:2260
  - - C:\Windows\SVCHOST.EXE
      C:\Windows\SVCHOST.EXE -s
      4⤵
      PID:1740
  - - C:\Windows\system\SVCHOST.EXE
      C:\Windows\system\SVCHOST.EXE -s
      4⤵
      PID:2780
  - - C:\Windows\SysWOW64\EBRR.EXE
      C:\Windows\system32\EBRR.EXE -s
      4⤵
      PID:1796
  - - C:\Windows\SysWOW64\mmtask.exe
      C:\Windows\system32\mmtask.exe -s
      4⤵
      PID:2616
  - - C:\Windows\SVCHOST.EXE
      C:\Windows\SVCHOST.EXE -s
      4⤵
      PID:1808
  - - C:\Windows\system\SVCHOST.EXE
      C:\Windows\system\SVCHOST.EXE -s
      4⤵
      PID:1972
  - - C:\Windows\SysWOW64\EBRR.EXE
      C:\Windows\system32\EBRR.EXE -s
      4⤵
      PID:2484
  - - C:\Windows\SysWOW64\mmtask.exe
      C:\Windows\system32\mmtask.exe -s
      4⤵
      PID:2052
  - - C:\Windows\SVCHOST.EXE
      C:\Windows\SVCHOST.EXE -s
      4⤵
      PID:2076
  - - C:\Windows\system\SVCHOST.EXE
      C:\Windows\system\SVCHOST.EXE -s
      4⤵
      PID:1980
  - - C:\Windows\SysWOW64\EBRR.EXE
      C:\Windows\system32\EBRR.EXE -s
      4⤵
      PID:2612
  - - C:\Windows\SysWOW64\mmtask.exe
      C:\Windows\system32\mmtask.exe -s
      4⤵
      PID:2372
  - - C:\Windows\SVCHOST.EXE
      C:\Windows\SVCHOST.EXE -s
      4⤵
      PID:2776
  - - C:\Windows\system\SVCHOST.EXE
      C:\Windows\system\SVCHOST.EXE -s
      4⤵
      PID:3048
  - - C:\Windows\SysWOW64\EBRR.EXE
      C:\Windows\system32\EBRR.EXE -s
      4⤵
      PID:2424
  - - C:\Windows\SysWOW64\mmtask.exe
      C:\Windows\system32\mmtask.exe -s
      4⤵
      PID:1540
  - - C:\Windows\SVCHOST.EXE
      C:\Windows\SVCHOST.EXE -s
      4⤵
      PID:2448
  - - C:\Windows\system\SVCHOST.EXE
      C:\Windows\system\SVCHOST.EXE -s
      4⤵
      PID:2664
  - - C:\Windows\SysWOW64\EBRR.EXE
      C:\Windows\system32\EBRR.EXE -s
      4⤵
      PID:2644
  - - C:\Windows\SysWOW64\mmtask.exe
      C:\Windows\system32\mmtask.exe -s
      4⤵
      PID:1696
  - - C:\Windows\SVCHOST.EXE
      C:\Windows\SVCHOST.EXE -s
      4⤵
      PID:2552
  - - C:\Windows\system\SVCHOST.EXE
      C:\Windows\system\SVCHOST.EXE -s
      4⤵
      PID:2932
  - - C:\Windows\SysWOW64\EBRR.EXE
      C:\Windows\system32\EBRR.EXE -s
      4⤵
      PID:3044
  - - C:\Windows\SysWOW64\mmtask.exe
      C:\Windows\system32\mmtask.exe -s
      4⤵
      PID:2340
  - - C:\Windows\SVCHOST.EXE
      C:\Windows\SVCHOST.EXE -s
      4⤵
      PID:2352
  - - C:\Windows\system\SVCHOST.EXE
      C:\Windows\system\SVCHOST.EXE -s
      4⤵
      PID:2100
  - - C:\Windows\SysWOW64\EBRR.EXE
      C:\Windows\system32\EBRR.EXE -s
      4⤵
      PID:2212
  - - C:\Windows\SysWOW64\mmtask.exe
      C:\Windows\system32\mmtask.exe -s
      4⤵
      PID:2844
  - - C:\Windows\SVCHOST.EXE
      C:\Windows\SVCHOST.EXE -s
      4⤵
      PID:1540
  - - C:\Windows\system\SVCHOST.EXE
      C:\Windows\system\SVCHOST.EXE -s
      4⤵
      PID:2616
  - - C:\Windows\SysWOW64\EBRR.EXE
      C:\Windows\system32\EBRR.EXE -s
      4⤵
      PID:1560
  - - C:\Windows\SysWOW64\mmtask.exe
      C:\Windows\system32\mmtask.exe -s
      4⤵
      PID:1932
  - - C:\Windows\SVCHOST.EXE
      C:\Windows\SVCHOST.EXE -s
      4⤵
      PID:1044
  - - C:\Windows\system\SVCHOST.EXE
      C:\Windows\system\SVCHOST.EXE -s
      4⤵
      PID:2696
  - - C:\Windows\SysWOW64\EBRR.EXE
      C:\Windows\system32\EBRR.EXE -s
      4⤵
      PID:1968
  - - C:\Windows\SysWOW64\mmtask.exe
      C:\Windows\system32\mmtask.exe -s
      4⤵
      PID:1408
  - - C:\Windows\SVCHOST.EXE
      C:\Windows\SVCHOST.EXE -s
      4⤵
      PID:396
  - - C:\Windows\system\SVCHOST.EXE
      C:\Windows\system\SVCHOST.EXE -s
      4⤵
      PID:2820
  - - C:\Windows\SysWOW64\EBRR.EXE
      C:\Windows\system32\EBRR.EXE -s
      4⤵
      PID:2276
  - - C:\Windows\SysWOW64\mmtask.exe
      C:\Windows\system32\mmtask.exe -s
      4⤵
      PID:844
  - - C:\Windows\SVCHOST.EXE
      C:\Windows\SVCHOST.EXE -s
      4⤵
      PID:2248
  - - C:\Windows\system\SVCHOST.EXE
      C:\Windows\system\SVCHOST.EXE -s
      4⤵
      PID:1860
  - - C:\Windows\SysWOW64\EBRR.EXE
      C:\Windows\system32\EBRR.EXE -s
      4⤵
      PID:2044
  - - C:\Windows\SysWOW64\mmtask.exe
      C:\Windows\system32\mmtask.exe -s
      4⤵
      PID:1248
  - - C:\Windows\SVCHOST.EXE
      C:\Windows\SVCHOST.EXE -s
      4⤵
      PID:2684
  - - C:\Windows\system\SVCHOST.EXE
      C:\Windows\system\SVCHOST.EXE -s
      4⤵
      PID:1740
  - - C:\Windows\SysWOW64\EBRR.EXE
      C:\Windows\system32\EBRR.EXE -s
      4⤵
      PID:2236
  - - C:\Windows\SysWOW64\mmtask.exe
      C:\Windows\system32\mmtask.exe -s
      4⤵
      PID:2896
  - - C:\Windows\SVCHOST.EXE
      C:\Windows\SVCHOST.EXE -s
      4⤵
      PID:1812
  - - C:\Windows\system\SVCHOST.EXE
      C:\Windows\system\SVCHOST.EXE -s
      4⤵
      PID:1304
  - - C:\Windows\SysWOW64\EBRR.EXE
      C:\Windows\system32\EBRR.EXE -s
      4⤵
      PID:2028
- - C:\Windows\SVCHOST.EXE
    C:\Windows\SVCHOST.EXE -s
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:2288
- - C:\Windows\system\SVCHOST.EXE
    C:\Windows\system\SVCHOST.EXE -s
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:1356
- - C:\Windows\SysWOW64\EBRR.EXE
    C:\Windows\system32\EBRR.EXE -s
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:3048
- - C:\Windows\SysWOW64\mmtask.exe
    C:\Windows\system32\mmtask.exe -s
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:2768
- - C:\Windows\SVCHOST.EXE
    C:\Windows\SVCHOST.EXE -s
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:2200
- - C:\Windows\system\SVCHOST.EXE
    C:\Windows\system\SVCHOST.EXE -s
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:2628
- - C:\Windows\SysWOW64\EBRR.EXE
    C:\Windows\system32\EBRR.EXE -s
    3⤵
    - Executes dropped EXE
    PID:2376
- - C:\Windows\SysWOW64\mmtask.exe
    C:\Windows\system32\mmtask.exe -s
    3⤵
    PID:2284
- - C:\Windows\SVCHOST.EXE
    C:\Windows\SVCHOST.EXE -s
    3⤵
    PID:2056
- - C:\Windows\system\SVCHOST.EXE
    C:\Windows\system\SVCHOST.EXE -s
    3⤵
    PID:2276
- - C:\Windows\SysWOW64\EBRR.EXE
    C:\Windows\system32\EBRR.EXE -s
    3⤵
    PID:1724
- - C:\Windows\SysWOW64\mmtask.exe
    C:\Windows\system32\mmtask.exe -s
    3⤵
    PID:580
- - C:\Windows\SVCHOST.EXE
    C:\Windows\SVCHOST.EXE -s
    3⤵
    PID:3044
- - C:\Windows\system\SVCHOST.EXE
    C:\Windows\system\SVCHOST.EXE -s
    3⤵
    PID:2468
- - C:\Windows\SysWOW64\EBRR.EXE
    C:\Windows\system32\EBRR.EXE -s
    3⤵
    PID:2868
- - C:\Windows\SysWOW64\mmtask.exe
    C:\Windows\system32\mmtask.exe -s
    3⤵
    PID:2764
- - C:\Windows\SVCHOST.EXE
    C:\Windows\SVCHOST.EXE -s
    3⤵
    PID:2148
- - C:\Windows\system\SVCHOST.EXE
    C:\Windows\system\SVCHOST.EXE -s
    3⤵
    PID:2484
- - C:\Windows\SysWOW64\EBRR.EXE
    C:\Windows\system32\EBRR.EXE -s
    3⤵
    PID:2300
- - C:\Windows\SysWOW64\mmtask.exe
    C:\Windows\system32\mmtask.exe -s
    3⤵
    PID:2076
- - C:\Windows\SVCHOST.EXE
    C:\Windows\SVCHOST.EXE -s
    3⤵
    PID:2376
- - C:\Windows\system\SVCHOST.EXE
    C:\Windows\system\SVCHOST.EXE -s
    3⤵
    PID:1604
- - C:\Windows\SysWOW64\EBRR.EXE
    C:\Windows\system32\EBRR.EXE -s
    3⤵
    PID:3020
- - C:\Windows\SysWOW64\mmtask.exe
    C:\Windows\system32\mmtask.exe -s
    3⤵
    PID:2204
- - C:\Windows\SVCHOST.EXE
    C:\Windows\SVCHOST.EXE -s
    3⤵
    PID:1736
- - C:\Windows\system\SVCHOST.EXE
    C:\Windows\system\SVCHOST.EXE -s
    3⤵
    PID:1688
- - C:\Windows\SysWOW64\EBRR.EXE
    C:\Windows\system32\EBRR.EXE -s
    3⤵
    PID:2380
- - C:\Windows\SysWOW64\mmtask.exe
    C:\Windows\system32\mmtask.exe -s
    3⤵
    PID:2656
- - C:\Windows\SVCHOST.EXE
    C:\Windows\SVCHOST.EXE -s
    3⤵
    PID:2200
- - C:\Windows\system\SVCHOST.EXE
    C:\Windows\system\SVCHOST.EXE -s
    3⤵
    PID:2872
- - C:\Windows\SysWOW64\EBRR.EXE
    C:\Windows\system32\EBRR.EXE -s
    3⤵
    PID:1312
- - C:\Windows\SysWOW64\mmtask.exe
    C:\Windows\system32\mmtask.exe -s
    3⤵
    PID:1600
- - C:\Windows\SVCHOST.EXE
    C:\Windows\SVCHOST.EXE -s
    3⤵
    PID:1944
- - C:\Windows\system\SVCHOST.EXE
    C:\Windows\system\SVCHOST.EXE -s
    3⤵
    PID:1484
- - C:\Windows\SysWOW64\EBRR.EXE
    C:\Windows\system32\EBRR.EXE -s
    3⤵
    PID:2248
- - C:\Windows\SysWOW64\mmtask.exe
    C:\Windows\system32\mmtask.exe -s
    3⤵
    PID:1952
- - C:\Windows\SVCHOST.EXE
    C:\Windows\SVCHOST.EXE -s
    3⤵
    PID:324
- - C:\Windows\system\SVCHOST.EXE
    C:\Windows\system\SVCHOST.EXE -s
    3⤵
    PID:2364
- - C:\Windows\SysWOW64\EBRR.EXE
    C:\Windows\system32\EBRR.EXE -s
    3⤵
    PID:2160
- - C:\Windows\SysWOW64\mmtask.exe
    C:\Windows\system32\mmtask.exe -s
    3⤵
    PID:2452
- - C:\Windows\SVCHOST.EXE
    C:\Windows\SVCHOST.EXE -s
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2524
- - C:\Windows\system\SVCHOST.EXE
    C:\Windows\system\SVCHOST.EXE -s
    3⤵
    PID:2888
- - C:\Windows\SysWOW64\EBRR.EXE
    C:\Windows\system32\EBRR.EXE -s
    3⤵
    PID:2948
- - C:\Windows\SysWOW64\mmtask.exe
    C:\Windows\system32\mmtask.exe -s
    3⤵
    PID:1164
- - C:\Windows\SVCHOST.EXE
    C:\Windows\SVCHOST.EXE -s
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1932
- - C:\Windows\system\SVCHOST.EXE
    C:\Windows\system\SVCHOST.EXE -s
    3⤵
    PID:2980
- - C:\Windows\SysWOW64\EBRR.EXE
    C:\Windows\system32\EBRR.EXE -s
    3⤵
    PID:1256
- - C:\Windows\SysWOW64\mmtask.exe
    C:\Windows\system32\mmtask.exe -s
    3⤵
    PID:1776
- - C:\Windows\SVCHOST.EXE
    C:\Windows\SVCHOST.EXE -s
    3⤵
    PID:1080
- - C:\Windows\system\SVCHOST.EXE
    C:\Windows\system\SVCHOST.EXE -s
    3⤵
    PID:408
- - C:\Windows\SysWOW64\EBRR.EXE
    C:\Windows\system32\EBRR.EXE -s
    3⤵
    PID:1248
- - C:\Windows\SysWOW64\mmtask.exe
    C:\Windows\system32\mmtask.exe -s
    3⤵
    PID:2624
- - C:\Windows\SVCHOST.EXE
    C:\Windows\SVCHOST.EXE -s
    3⤵
    PID:2632
- - C:\Windows\system\SVCHOST.EXE
    C:\Windows\system\SVCHOST.EXE -s
    3⤵
    PID:2744
- - C:\Windows\SysWOW64\EBRR.EXE
    C:\Windows\system32\EBRR.EXE -s
    3⤵
    PID:2808
- - C:\Windows\SysWOW64\mmtask.exe
    C:\Windows\system32\mmtask.exe -s
    3⤵
    PID:1308
- - C:\Windows\SVCHOST.EXE
    C:\Windows\SVCHOST.EXE -s
    3⤵
    PID:1408
- - C:\Windows\system\SVCHOST.EXE
    C:\Windows\system\SVCHOST.EXE -s
    3⤵
    PID:2072
- - C:\Windows\SysWOW64\EBRR.EXE
    C:\Windows\system32\EBRR.EXE -s
    3⤵
    PID:608
- - C:\Windows\SysWOW64\mmtask.exe
    C:\Windows\system32\mmtask.exe -s
    3⤵
    PID:696
- - C:\Windows\SVCHOST.EXE
    C:\Windows\SVCHOST.EXE -s
    3⤵
    PID:2120
- - C:\Windows\system\SVCHOST.EXE
    C:\Windows\system\SVCHOST.EXE -s
    3⤵
    PID:2344
- - C:\Windows\SysWOW64\EBRR.EXE
    C:\Windows\system32\EBRR.EXE -s
    3⤵
    PID:2160
- - C:\Windows\SysWOW64\mmtask.exe
    C:\Windows\system32\mmtask.exe -s
    3⤵
    PID:2468
- - C:\Windows\SVCHOST.EXE
    C:\Windows\SVCHOST.EXE -s
    3⤵
    PID:2692
- - C:\Windows\system\SVCHOST.EXE
    C:\Windows\system\SVCHOST.EXE -s
    3⤵
    PID:2836
- - C:\Windows\SysWOW64\EBRR.EXE
    C:\Windows\system32\EBRR.EXE -s
    3⤵
    PID:2628
- - C:\Windows\SysWOW64\mmtask.exe
    C:\Windows\system32\mmtask.exe -s
    3⤵
    PID:1152
- - C:\Windows\SVCHOST.EXE
    C:\Windows\SVCHOST.EXE -s
    3⤵
    PID:1816
- - C:\Windows\system\SVCHOST.EXE
    C:\Windows\system\SVCHOST.EXE -s
    3⤵
    PID:2292
- - C:\Windows\SysWOW64\EBRR.EXE
    C:\Windows\system32\EBRR.EXE -s
    3⤵
    PID:2984
- - C:\Windows\SysWOW64\mmtask.exe
    C:\Windows\system32\mmtask.exe -s
    3⤵
    PID:1408
- - C:\Windows\SVCHOST.EXE
    C:\Windows\SVCHOST.EXE -s
    3⤵
    PID:2076
- - C:\Windows\system\SVCHOST.EXE
    C:\Windows\system\SVCHOST.EXE -s
    3⤵
    PID:2536
- - C:\Windows\SysWOW64\EBRR.EXE
    C:\Windows\system32\EBRR.EXE -s
    3⤵
    PID:1080
- - C:\Windows\SysWOW64\mmtask.exe
    C:\Windows\system32\mmtask.exe -s
    3⤵
    PID:2604
- - C:\Windows\SVCHOST.EXE
    C:\Windows\SVCHOST.EXE -s
    3⤵
    PID:580
- - C:\Windows\system\SVCHOST.EXE
    C:\Windows\system\SVCHOST.EXE -s
    3⤵
    PID:1396
- - C:\Windows\SysWOW64\EBRR.EXE
    C:\Windows\system32\EBRR.EXE -s
    3⤵
    PID:1688
- - C:\Windows\SysWOW64\mmtask.exe
    C:\Windows\system32\mmtask.exe -s
    3⤵
    PID:2648
- - C:\Windows\SVCHOST.EXE
    C:\Windows\SVCHOST.EXE -s
    3⤵
    PID:2972
- - C:\Windows\system\SVCHOST.EXE
    C:\Windows\system\SVCHOST.EXE -s
    3⤵
    PID:2468
- - C:\Windows\SysWOW64\EBRR.EXE
    C:\Windows\system32\EBRR.EXE -s
    3⤵
    PID:1156
- - C:\Windows\SysWOW64\mmtask.exe
    C:\Windows\system32\mmtask.exe -s
    3⤵
    PID:2236
- - C:\Windows\SVCHOST.EXE
    C:\Windows\SVCHOST.EXE -s
    3⤵
    PID:2808
- - C:\Windows\system\SVCHOST.EXE
    C:\Windows\system\SVCHOST.EXE -s
    3⤵
    PID:1956
- - C:\Windows\SysWOW64\EBRR.EXE
    C:\Windows\system32\EBRR.EXE -s
    3⤵
    PID:2536
- - C:\Windows\SysWOW64\mmtask.exe
    C:\Windows\system32\mmtask.exe -s
    3⤵
    PID:324
- - C:\Windows\SVCHOST.EXE
    C:\Windows\SVCHOST.EXE -s
    3⤵
    PID:2352
- - C:\Windows\system\SVCHOST.EXE
    C:\Windows\system\SVCHOST.EXE -s
    3⤵
    PID:2400
- - C:\Windows\SysWOW64\EBRR.EXE
    C:\Windows\system32\EBRR.EXE -s
    3⤵
    PID:1396
- - C:\Windows\SysWOW64\mmtask.exe
    C:\Windows\system32\mmtask.exe -s
    3⤵
    PID:1584
- - C:\Windows\SVCHOST.EXE
    C:\Windows\SVCHOST.EXE -s
    3⤵
    PID:3012
- - C:\Windows\system\SVCHOST.EXE
    C:\Windows\system\SVCHOST.EXE -s
    3⤵
    PID:2440
- - C:\Windows\SysWOW64\EBRR.EXE
    C:\Windows\system32\EBRR.EXE -s
    3⤵
    PID:2788
- - C:\Windows\SysWOW64\mmtask.exe
    C:\Windows\system32\mmtask.exe -s
    3⤵
    PID:2908
- - C:\Windows\SVCHOST.EXE
    C:\Windows\SVCHOST.EXE -s
    3⤵
    PID:2900
- - C:\Windows\system\SVCHOST.EXE
    C:\Windows\system\SVCHOST.EXE -s
    3⤵
    PID:1616
- - C:\Windows\SysWOW64\EBRR.EXE
    C:\Windows\system32\EBRR.EXE -s
    3⤵
    PID:2140
- - C:\Windows\SysWOW64\mmtask.exe
    C:\Windows\system32\mmtask.exe -s
    3⤵
    PID:1560
- - C:\Windows\SVCHOST.EXE
    C:\Windows\SVCHOST.EXE -s
    3⤵
    PID:484
- - C:\Windows\system\SVCHOST.EXE
    C:\Windows\system\SVCHOST.EXE -s
    3⤵
    PID:1004
- - C:\Windows\SysWOW64\EBRR.EXE
    C:\Windows\system32\EBRR.EXE -s
    3⤵
    PID:1200
- - C:\Windows\SysWOW64\mmtask.exe
    C:\Windows\system32\mmtask.exe -s
    3⤵
    PID:2956
- - C:\Windows\SVCHOST.EXE
    C:\Windows\SVCHOST.EXE -s
    3⤵
    PID:608
- - C:\Windows\system\SVCHOST.EXE
    C:\Windows\system\SVCHOST.EXE -s
    3⤵
    PID:2180
- - C:\Windows\SysWOW64\EBRR.EXE
    C:\Windows\system32\EBRR.EXE -s
    3⤵
    PID:2612
- - C:\Windows\SysWOW64\mmtask.exe
    C:\Windows\system32\mmtask.exe -s
    3⤵
    PID:1948
- - C:\Windows\SVCHOST.EXE
    C:\Windows\SVCHOST.EXE -s
    3⤵
    PID:1556
- - C:\Windows\system\SVCHOST.EXE
    C:\Windows\system\SVCHOST.EXE -s
    3⤵
    PID:1664
- - C:\Windows\SysWOW64\EBRR.EXE
    C:\Windows\system32\EBRR.EXE -s
    3⤵
    PID:2448
- - C:\Windows\SysWOW64\mmtask.exe
    C:\Windows\system32\mmtask.exe -s
    3⤵
    PID:2856
- - C:\Windows\SVCHOST.EXE
    C:\Windows\SVCHOST.EXE -s
    3⤵
    PID:2636
- - C:\Windows\system\SVCHOST.EXE
    C:\Windows\system\SVCHOST.EXE -s
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1816
- - C:\Windows\SysWOW64\EBRR.EXE
    C:\Windows\system32\EBRR.EXE -s
    3⤵
    PID:1720
- - C:\Windows\SysWOW64\mmtask.exe
    C:\Windows\system32\mmtask.exe -s
    3⤵
    PID:1604
- - C:\Windows\SVCHOST.EXE
    C:\Windows\SVCHOST.EXE -s
    3⤵
    PID:1408
- - C:\Windows\system\SVCHOST.EXE
    C:\Windows\system\SVCHOST.EXE -s
    3⤵
    PID:2992
- - C:\Windows\SysWOW64\EBRR.EXE
    C:\Windows\system32\EBRR.EXE -s
    3⤵
    PID:2276
- - C:\Windows\SysWOW64\mmtask.exe
    C:\Windows\system32\mmtask.exe -s
    3⤵
    PID:2244
- - C:\Windows\SVCHOST.EXE
    C:\Windows\SVCHOST.EXE -s
    3⤵
    PID:2372
- - C:\Windows\system\SVCHOST.EXE
    C:\Windows\system\SVCHOST.EXE -s
    3⤵
    PID:2204
- - C:\Windows\SysWOW64\EBRR.EXE
    C:\Windows\system32\EBRR.EXE -s
    3⤵
    PID:2436
- - C:\Windows\SysWOW64\mmtask.exe
    C:\Windows\system32\mmtask.exe -s
    3⤵
    PID:3024
- - C:\Windows\SVCHOST.EXE
    C:\Windows\SVCHOST.EXE -s
    3⤵
    PID:2368
- - C:\Windows\system\SVCHOST.EXE
    C:\Windows\system\SVCHOST.EXE -s
    3⤵
    PID:2880
- - C:\Windows\SysWOW64\EBRR.EXE
    C:\Windows\system32\EBRR.EXE -s
    3⤵
    PID:2616
- - C:\Windows\SysWOW64\mmtask.exe
    C:\Windows\system32\mmtask.exe -s
    3⤵
    PID:1156
- - C:\Windows\SVCHOST.EXE
    C:\Windows\SVCHOST.EXE -s
    3⤵
    PID:1684
- - C:\Windows\system\SVCHOST.EXE
    C:\Windows\system\SVCHOST.EXE -s
    3⤵
    PID:1452
- - C:\Windows\SysWOW64\EBRR.EXE
    C:\Windows\system32\EBRR.EXE -s
    3⤵
    PID:276
- - C:\Windows\SysWOW64\mmtask.exe
    C:\Windows\system32\mmtask.exe -s
    3⤵
    PID:396
- - C:\Windows\SVCHOST.EXE
    C:\Windows\SVCHOST.EXE -s
    3⤵
    PID:2144
- - C:\Windows\system\SVCHOST.EXE
    C:\Windows\system\SVCHOST.EXE -s
    3⤵
    PID:1100
- - C:\Windows\SysWOW64\EBRR.EXE
    C:\Windows\system32\EBRR.EXE -s
    3⤵
    PID:1080
- - C:\Windows\SysWOW64\mmtask.exe
    C:\Windows\system32\mmtask.exe -s
    3⤵
    PID:2056
- - C:\Windows\SVCHOST.EXE
    C:\Windows\SVCHOST.EXE -s
    3⤵
    PID:1584
- - C:\Windows\system\SVCHOST.EXE
    C:\Windows\system\SVCHOST.EXE -s
    3⤵
    PID:1860
- - C:\Windows\SysWOW64\EBRR.EXE
    C:\Windows\system32\EBRR.EXE -s
    3⤵
    PID:2492
- - C:\Windows\SysWOW64\mmtask.exe
    C:\Windows\system32\mmtask.exe -s
    3⤵
    PID:2020
- - C:\Windows\SVCHOST.EXE
    C:\Windows\SVCHOST.EXE -s
    3⤵
    PID:2660
- - C:\Windows\system\SVCHOST.EXE
    C:\Windows\system\SVCHOST.EXE -s
    3⤵
    PID:1428
- - C:\Windows\SysWOW64\EBRR.EXE
    C:\Windows\system32\EBRR.EXE -s
    3⤵
    PID:2716
- - C:\Windows\SysWOW64\mmtask.exe
    C:\Windows\system32\mmtask.exe -s
    3⤵
    PID:2012
- - C:\Windows\SVCHOST.EXE
    C:\Windows\SVCHOST.EXE -s
    3⤵
    PID:2140
- - C:\Windows\system\SVCHOST.EXE
    C:\Windows\system\SVCHOST.EXE -s
    3⤵
    PID:2696
- - C:\Windows\SysWOW64\EBRR.EXE
    C:\Windows\system32\EBRR.EXE -s
    3⤵
    PID:2388
- - C:\Windows\SysWOW64\mmtask.exe
    C:\Windows\system32\mmtask.exe -s
    3⤵
    PID:2820
- - C:\Windows\SVCHOST.EXE
    C:\Windows\SVCHOST.EXE -s
    3⤵
    PID:396
- - C:\Windows\system\SVCHOST.EXE
    C:\Windows\system\SVCHOST.EXE -s
    3⤵
    PID:2072
- - C:\Windows\SysWOW64\EBRR.EXE
    C:\Windows\system32\EBRR.EXE -s
    3⤵
    PID:2064
- - C:\Windows\SysWOW64\mmtask.exe
    C:\Windows\system32\mmtask.exe -s
    3⤵
    PID:2108
- - C:\Windows\SVCHOST.EXE
    C:\Windows\SVCHOST.EXE -s
    3⤵
    PID:2428
- - C:\Windows\system\SVCHOST.EXE
    C:\Windows\system\SVCHOST.EXE -s
    3⤵
    PID:1212
- - C:\Windows\SysWOW64\EBRR.EXE
    C:\Windows\system32\EBRR.EXE -s
    3⤵
    PID:2524
- - C:\Windows\SysWOW64\mmtask.exe
    C:\Windows\system32\mmtask.exe -s
    3⤵
    PID:2740
- - C:\Windows\SVCHOST.EXE
    C:\Windows\SVCHOST.EXE -s
    3⤵
    PID:1752
- - C:\Windows\system\SVCHOST.EXE
    C:\Windows\system\SVCHOST.EXE -s
    3⤵
    PID:2044
- - C:\Windows\SysWOW64\EBRR.EXE
    C:\Windows\system32\EBRR.EXE -s
    3⤵
    PID:1740
- - C:\Windows\SysWOW64\mmtask.exe
    C:\Windows\system32\mmtask.exe -s
    3⤵
    PID:2304
- - C:\Windows\SVCHOST.EXE
    C:\Windows\SVCHOST.EXE -s
    3⤵
    PID:2236
- - C:\Windows\system\SVCHOST.EXE
    C:\Windows\system\SVCHOST.EXE -s
    3⤵
    PID:2700
- - C:\Windows\SysWOW64\EBRR.EXE
    C:\Windows\system32\EBRR.EXE -s
    3⤵
    PID:2860
- - C:\Windows\SysWOW64\mmtask.exe
    C:\Windows\system32\mmtask.exe -s
    3⤵
    PID:2012
- - C:\Windows\SVCHOST.EXE
    C:\Windows\SVCHOST.EXE -s
    3⤵
    PID:2088
- - C:\Windows\system\SVCHOST.EXE
    C:\Windows\system\SVCHOST.EXE -s
    3⤵
    PID:484
- - C:\Windows\SysWOW64\EBRR.EXE
    C:\Windows\system32\EBRR.EXE -s
    3⤵
    PID:2388
- - C:\Windows\SysWOW64\mmtask.exe
    C:\Windows\system32\mmtask.exe -s
    3⤵
    PID:2364
- - C:\Windows\SVCHOST.EXE
    C:\Windows\SVCHOST.EXE -s
    3⤵
    PID:324
- - C:\Windows\system\SVCHOST.EXE
    C:\Windows\system\SVCHOST.EXE -s
    3⤵
    PID:844
- - C:\Windows\SysWOW64\EBRR.EXE
    C:\Windows\system32\EBRR.EXE -s
    3⤵
    PID:1396
- - C:\Windows\SysWOW64\mmtask.exe
    C:\Windows\system32\mmtask.exe -s
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1664
- - C:\Windows\SVCHOST.EXE
    C:\Windows\SVCHOST.EXE -s
    3⤵
    PID:2612
- - C:\Windows\system\SVCHOST.EXE
    C:\Windows\system\SVCHOST.EXE -s
    3⤵
    PID:2672
- - C:\Windows\SysWOW64\EBRR.EXE
    C:\Windows\system32\EBRR.EXE -s
    3⤵
    PID:1752
- - C:\Windows\SysWOW64\mmtask.exe
    C:\Windows\system32\mmtask.exe -s
    3⤵
    PID:2424
- - C:\Windows\SVCHOST.EXE
    C:\Windows\SVCHOST.EXE -s
    3⤵
    PID:2908
- - C:\Windows\system\SVCHOST.EXE
    C:\Windows\system\SVCHOST.EXE -s
    3⤵
    PID:2856
- - C:\Windows\SysWOW64\EBRR.EXE
    C:\Windows\system32\EBRR.EXE -s
    3⤵
    PID:1428
- - C:\Windows\SysWOW64\mmtask.exe
    C:\Windows\system32\mmtask.exe -s
    3⤵
    PID:1784
- - C:\Windows\SVCHOST.EXE
    C:\Windows\SVCHOST.EXE -s
    3⤵
    PID:2032
- - C:\Windows\system\SVCHOST.EXE
    C:\Windows\system\SVCHOST.EXE -s
    3⤵
    PID:2224
- - C:\Windows\SysWOW64\EBRR.EXE
    C:\Windows\system32\EBRR.EXE -s
    3⤵
    PID:1564
- - C:\Windows\SysWOW64\mmtask.exe
    C:\Windows\system32\mmtask.exe -s
    3⤵
    PID:2232
- - C:\Windows\SVCHOST.EXE
    C:\Windows\SVCHOST.EXE -s
    3⤵
    PID:2164
- - C:\Windows\system\SVCHOST.EXE
    C:\Windows\system\SVCHOST.EXE -s
    3⤵
    PID:2604
- - C:\Windows\SysWOW64\EBRR.EXE
    C:\Windows\system32\EBRR.EXE -s
    3⤵
    PID:2352
- - C:\Windows\SysWOW64\mmtask.exe
    C:\Windows\system32\mmtask.exe -s
    3⤵
    PID:1356
- - C:\Windows\SVCHOST.EXE
    C:\Windows\SVCHOST.EXE -s
    3⤵
    PID:1924
- - C:\Windows\system\SVCHOST.EXE
    C:\Windows\system\SVCHOST.EXE -s
    3⤵
    PID:1556
- - C:\Windows\SysWOW64\EBRR.EXE
    C:\Windows\system32\EBRR.EXE -s
    3⤵
    PID:2260
- - C:\Windows\SysWOW64\mmtask.exe
    C:\Windows\system32\mmtask.exe -s
    3⤵
    PID:2928
- - C:\Windows\SVCHOST.EXE
    C:\Windows\SVCHOST.EXE -s
    3⤵
    PID:1404
- - C:\Windows\system\SVCHOST.EXE
    C:\Windows\system\SVCHOST.EXE -s
    3⤵
    PID:1916
- - C:\Windows\SysWOW64\EBRR.EXE
    C:\Windows\system32\EBRR.EXE -s
    3⤵
    PID:1560
- C:\Windows\SysWOW64\mmtask.exe
  C:\Windows\system32\mmtask.exe -s
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:1640
- C:\Windows\SVCHOST.EXE
  C:\Windows\SVCHOST.EXE -s
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:2516
- C:\Windows\system\SVCHOST.EXE
  C:\Windows\system\SVCHOST.EXE -s
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:580
- C:\Windows\SysWOW64\EBRR.EXE
  C:\Windows\system32\EBRR.EXE -s
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:2996
- C:\Windows\SysWOW64\mmtask.exe
  C:\Windows\system32\mmtask.exe -s
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:2816
- C:\Windows\SVCHOST.EXE
  C:\Windows\SVCHOST.EXE -s
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:2716
- C:\Windows\system\SVCHOST.EXE
  C:\Windows\system\SVCHOST.EXE -s
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:2632
- C:\Windows\SysWOW64\EBRR.EXE
  C:\Windows\system32\EBRR.EXE -s
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:1164
- C:\Windows\SysWOW64\mmtask.exe
  C:\Windows\system32\mmtask.exe -s
  2⤵
  PID:1968
- C:\Windows\SVCHOST.EXE
  C:\Windows\SVCHOST.EXE -s
  2⤵
  PID:1604
- C:\Windows\system\SVCHOST.EXE
  C:\Windows\system\SVCHOST.EXE -s
  2⤵
  PID:1360
- C:\Windows\SysWOW64\EBRR.EXE
  C:\Windows\system32\EBRR.EXE -s
  2⤵
  PID:756
- C:\Windows\SysWOW64\mmtask.exe
  C:\Windows\system32\mmtask.exe -s
  2⤵
  PID:308
- C:\Windows\SVCHOST.EXE
  C:\Windows\SVCHOST.EXE -s
  2⤵
  PID:2228
- C:\Windows\system\SVCHOST.EXE
  C:\Windows\system\SVCHOST.EXE -s
  2⤵
  PID:2440
- C:\Windows\SysWOW64\EBRR.EXE
  C:\Windows\system32\EBRR.EXE -s
  2⤵
  PID:2492
- C:\Windows\SysWOW64\mmtask.exe
  C:\Windows\system32\mmtask.exe -s
  2⤵
  PID:2720
- C:\Windows\SVCHOST.EXE
  C:\Windows\SVCHOST.EXE -s
  2⤵
  PID:2776
- C:\Windows\system\SVCHOST.EXE
  C:\Windows\system\SVCHOST.EXE -s
  2⤵
  PID:2884
- C:\Windows\SysWOW64\EBRR.EXE
  C:\Windows\system32\EBRR.EXE -s
  2⤵
  PID:2700
- C:\Windows\SysWOW64\mmtask.exe
  C:\Windows\system32\mmtask.exe -s
  2⤵
  PID:764
- C:\Windows\SVCHOST.EXE
  C:\Windows\SVCHOST.EXE -s
  2⤵
  PID:2696
- C:\Windows\system\SVCHOST.EXE
  C:\Windows\system\SVCHOST.EXE -s
  2⤵
  PID:1808
- C:\Windows\SysWOW64\EBRR.EXE
  C:\Windows\system32\EBRR.EXE -s
  2⤵
  PID:2144
- C:\Windows\SysWOW64\mmtask.exe
  C:\Windows\system32\mmtask.exe -s
  2⤵
  PID:984
- C:\Windows\SVCHOST.EXE
  C:\Windows\SVCHOST.EXE -s
  2⤵
  PID:908
- C:\Windows\system\SVCHOST.EXE
  C:\Windows\system\SVCHOST.EXE -s
  2⤵
  PID:1924
- C:\Windows\SysWOW64\EBRR.EXE
  C:\Windows\system32\EBRR.EXE -s
  2⤵
  PID:2772
- C:\Windows\SysWOW64\mmtask.exe
  C:\Windows\system32\mmtask.exe -s
  2⤵
  PID:2880
- C:\Windows\SVCHOST.EXE
  C:\Windows\SVCHOST.EXE -s
  2⤵
  PID:2628
- C:\Windows\system\SVCHOST.EXE
  C:\Windows\system\SVCHOST.EXE -s
  2⤵
  PID:2688
- C:\Windows\SysWOW64\EBRR.EXE
  C:\Windows\system32\EBRR.EXE -s
  2⤵
  - System Location Discovery: System Language Discovery
  PID:764
- C:\Windows\SysWOW64\mmtask.exe
  C:\Windows\system32\mmtask.exe -s
  2⤵
  PID:2176
- C:\Windows\SVCHOST.EXE
  C:\Windows\SVCHOST.EXE -s
  2⤵
  PID:316
- C:\Windows\system\SVCHOST.EXE
  C:\Windows\system\SVCHOST.EXE -s
  2⤵
  PID:2724
- C:\Windows\SysWOW64\EBRR.EXE
  C:\Windows\system32\EBRR.EXE -s
  2⤵
  PID:2056
- C:\Windows\SysWOW64\mmtask.exe
  C:\Windows\system32\mmtask.exe -s
  2⤵
  PID:1056
- C:\Windows\SVCHOST.EXE
  C:\Windows\SVCHOST.EXE -s
  2⤵
  PID:2180
- C:\Windows\system\SVCHOST.EXE
  C:\Windows\system\SVCHOST.EXE -s
  2⤵
  PID:1128
- C:\Windows\SysWOW64\EBRR.EXE
  C:\Windows\system32\EBRR.EXE -s
  2⤵
  PID:1588
- C:\Windows\SysWOW64\mmtask.exe
  C:\Windows\system32\mmtask.exe -s
  2⤵
  PID:2760
- C:\Windows\SVCHOST.EXE
  C:\Windows\SVCHOST.EXE -s
  2⤵
  PID:2648
- C:\Windows\system\SVCHOST.EXE
  C:\Windows\system\SVCHOST.EXE -s
  2⤵
  PID:2916
- C:\Windows\SysWOW64\EBRR.EXE
  C:\Windows\system32\EBRR.EXE -s
  2⤵
  PID:2860
- C:\Windows\SysWOW64\mmtask.exe
  C:\Windows\system32\mmtask.exe -s
  2⤵
  PID:2872
- C:\Windows\SVCHOST.EXE
  C:\Windows\SVCHOST.EXE -s
  2⤵
  PID:396
- C:\Windows\system\SVCHOST.EXE
  C:\Windows\system\SVCHOST.EXE -s
  2⤵
  PID:1916
- C:\Windows\SysWOW64\EBRR.EXE
  C:\Windows\system32\EBRR.EXE -s
  2⤵
  PID:2076
- C:\Windows\SysWOW64\mmtask.exe
  C:\Windows\system32\mmtask.exe -s
  2⤵
  PID:2724
- C:\Windows\SVCHOST.EXE
  C:\Windows\SVCHOST.EXE -s
  2⤵
  PID:896
- C:\Windows\system\SVCHOST.EXE
  C:\Windows\system\SVCHOST.EXE -s
  2⤵
  PID:448
- C:\Windows\SysWOW64\EBRR.EXE
  C:\Windows\system32\EBRR.EXE -s
  2⤵
  PID:1428
- C:\Windows\SysWOW64\mmtask.exe
  C:\Windows\system32\mmtask.exe -s
  2⤵
  PID:2492
- C:\Windows\SVCHOST.EXE
  C:\Windows\SVCHOST.EXE -s
  2⤵
  PID:2884
- C:\Windows\system\SVCHOST.EXE
  C:\Windows\system\SVCHOST.EXE -s
  2⤵
  PID:1748
- C:\Windows\SysWOW64\EBRR.EXE
  C:\Windows\system32\EBRR.EXE -s
  2⤵
  PID:2940
- C:\Windows\SysWOW64\mmtask.exe
  C:\Windows\system32\mmtask.exe -s
  2⤵
  PID:632
- C:\Windows\SVCHOST.EXE
  C:\Windows\SVCHOST.EXE -s
  2⤵
  PID:1164
- C:\Windows\system\SVCHOST.EXE
  C:\Windows\system\SVCHOST.EXE -s
  2⤵
  PID:1000
- C:\Windows\SysWOW64\EBRR.EXE
  C:\Windows\system32\EBRR.EXE -s
  2⤵
  PID:2056
- C:\Windows\SysWOW64\mmtask.exe
  C:\Windows\system32\mmtask.exe -s
  2⤵
  PID:1104
- C:\Windows\SVCHOST.EXE
  C:\Windows\SVCHOST.EXE -s
  2⤵
  PID:896
- C:\Windows\system\SVCHOST.EXE
  C:\Windows\system\SVCHOST.EXE -s
  2⤵
  PID:988
- C:\Windows\SysWOW64\EBRR.EXE
  C:\Windows\system32\EBRR.EXE -s
  2⤵
  PID:2796
- C:\Windows\SysWOW64\mmtask.exe
  C:\Windows\system32\mmtask.exe -s
  2⤵
  PID:2128
- C:\Windows\SVCHOST.EXE
  C:\Windows\SVCHOST.EXE -s
  2⤵
  PID:2448
- C:\Windows\system\SVCHOST.EXE
  C:\Windows\system\SVCHOST.EXE -s
  2⤵
  PID:2828
- C:\Windows\SysWOW64\EBRR.EXE
  C:\Windows\system32\EBRR.EXE -s
  2⤵
  PID:2856
- C:\Windows\SysWOW64\mmtask.exe
  C:\Windows\system32\mmtask.exe -s
  2⤵
  PID:2616
- C:\Windows\SVCHOST.EXE
  C:\Windows\SVCHOST.EXE -s
  2⤵
  PID:1684
- C:\Windows\system\SVCHOST.EXE
  C:\Windows\system\SVCHOST.EXE -s
  2⤵
  PID:1756
- C:\Windows\SysWOW64\EBRR.EXE
  C:\Windows\system32\EBRR.EXE -s
  2⤵
  PID:2252
- C:\Windows\SysWOW64\mmtask.exe
  C:\Windows\system32\mmtask.exe -s
  2⤵
  PID:2980
- C:\Windows\SVCHOST.EXE
  C:\Windows\SVCHOST.EXE -s
  2⤵
  PID:496
- C:\Windows\system\SVCHOST.EXE
  C:\Windows\system\SVCHOST.EXE -s
  2⤵
  PID:1200
- C:\Windows\SysWOW64\EBRR.EXE
  C:\Windows\system32\EBRR.EXE -s
  2⤵
  PID:1536
- C:\Windows\SysWOW64\mmtask.exe
  C:\Windows\system32\mmtask.exe -s
  2⤵
  PID:2384
- C:\Windows\SVCHOST.EXE
  C:\Windows\SVCHOST.EXE -s
  2⤵
  PID:1212
- C:\Windows\system\SVCHOST.EXE
  C:\Windows\system\SVCHOST.EXE -s
  2⤵
  PID:2504
- C:\Windows\SysWOW64\EBRR.EXE
  C:\Windows\system32\EBRR.EXE -s
  2⤵
  PID:2120
- C:\Windows\SysWOW64\mmtask.exe
  C:\Windows\system32\mmtask.exe -s
  2⤵
  PID:2308
- C:\Windows\SVCHOST.EXE
  C:\Windows\SVCHOST.EXE -s
  2⤵
  PID:2128
- C:\Windows\system\SVCHOST.EXE
  C:\Windows\system\SVCHOST.EXE -s
  2⤵
  PID:3064
- C:\Windows\SysWOW64\EBRR.EXE
  C:\Windows\system32\EBRR.EXE -s
  2⤵
  PID:2828
- C:\Windows\SysWOW64\mmtask.exe
  C:\Windows\system32\mmtask.exe -s
  2⤵
  PID:2836
- C:\Windows\SVCHOST.EXE
  C:\Windows\SVCHOST.EXE -s
  2⤵
  PID:2768
- C:\Windows\system\SVCHOST.EXE
  C:\Windows\system\SVCHOST.EXE -s
  2⤵
  PID:2688
- C:\Windows\SysWOW64\EBRR.EXE
  C:\Windows\system32\EBRR.EXE -s
  2⤵
  PID:1112
- C:\Windows\SysWOW64\mmtask.exe
  C:\Windows\system32\mmtask.exe -s
  2⤵
  PID:764
- C:\Windows\SVCHOST.EXE
  C:\Windows\SVCHOST.EXE -s
  2⤵
  PID:1444
- C:\Windows\system\SVCHOST.EXE
  C:\Windows\system\SVCHOST.EXE -s
  2⤵
  PID:2376
- C:\Windows\SysWOW64\EBRR.EXE
  C:\Windows\system32\EBRR.EXE -s
  2⤵
  PID:2064
- C:\Windows\SysWOW64\mmtask.exe
  C:\Windows\system32\mmtask.exe -s
  2⤵
  PID:1356
- C:\Windows\SVCHOST.EXE
  C:\Windows\SVCHOST.EXE -s
  2⤵
  PID:3000
- C:\Windows\system\SVCHOST.EXE
  C:\Windows\system\SVCHOST.EXE -s
  2⤵
  PID:1340
- C:\Windows\SysWOW64\EBRR.EXE
  C:\Windows\system32\EBRR.EXE -s
  2⤵
  PID:1752
- C:\Windows\SysWOW64\mmtask.exe
  C:\Windows\system32\mmtask.exe -s
  2⤵
  PID:2780
- C:\Windows\SVCHOST.EXE
  C:\Windows\SVCHOST.EXE -s
  2⤵
  PID:1428
- C:\Windows\system\SVCHOST.EXE
  C:\Windows\system\SVCHOST.EXE -s
  2⤵
  PID:2648
- C:\Windows\SysWOW64\EBRR.EXE
  C:\Windows\system32\EBRR.EXE -s
  2⤵
  PID:1756
- C:\Windows\SysWOW64\mmtask.exe
  C:\Windows\system32\mmtask.exe -s
  2⤵
  PID:1684
- C:\Windows\SVCHOST.EXE
  C:\Windows\SVCHOST.EXE -s
  2⤵
  PID:2200
- C:\Windows\system\SVCHOST.EXE
  C:\Windows\system\SVCHOST.EXE -s
  2⤵
  PID:1452
- C:\Windows\SysWOW64\EBRR.EXE
  C:\Windows\system32\EBRR.EXE -s
  2⤵
  PID:1256
- C:\Windows\SysWOW64\mmtask.exe
  C:\Windows\system32\mmtask.exe -s
  2⤵
  PID:2952
- C:\Windows\SVCHOST.EXE
  C:\Windows\SVCHOST.EXE -s
  2⤵
  PID:2080
- C:\Windows\system\SVCHOST.EXE
  C:\Windows\system\SVCHOST.EXE -s
  2⤵
  PID:828
- C:\Windows\SysWOW64\EBRR.EXE
  C:\Windows\system32\EBRR.EXE -s
  2⤵
  PID:2108
- C:\Windows\SysWOW64\mmtask.exe
  C:\Windows\system32\mmtask.exe -s
  2⤵
  PID:2428
- C:\Windows\SVCHOST.EXE
  C:\Windows\SVCHOST.EXE -s
  2⤵
  PID:1640
- C:\Windows\system\SVCHOST.EXE
  C:\Windows\system\SVCHOST.EXE -s
  2⤵
  PID:2604
- C:\Windows\SysWOW64\EBRR.EXE
  C:\Windows\system32\EBRR.EXE -s
  2⤵
  PID:2260
- C:\Windows\SysWOW64\mmtask.exe
  C:\Windows\system32\mmtask.exe -s
  2⤵
  PID:2128
- C:\Windows\SVCHOST.EXE
  C:\Windows\SVCHOST.EXE -s
  2⤵
  PID:2640
- C:\Windows\system\SVCHOST.EXE
  C:\Windows\system\SVCHOST.EXE -s
  2⤵
  PID:2464
- C:\Windows\SysWOW64\EBRR.EXE
  C:\Windows\system32\EBRR.EXE -s
  2⤵
  PID:2824
- C:\Windows\SysWOW64\mmtask.exe
  C:\Windows\system32\mmtask.exe -s
  2⤵
  PID:2904
- C:\Windows\SVCHOST.EXE
  C:\Windows\SVCHOST.EXE -s
  2⤵
  PID:2700
- C:\Windows\system\SVCHOST.EXE
  C:\Windows\system\SVCHOST.EXE -s
  2⤵
  PID:2948
- C:\Windows\SysWOW64\EBRR.EXE
  C:\Windows\system32\EBRR.EXE -s
  2⤵
  PID:1404
- C:\Windows\SysWOW64\mmtask.exe
  C:\Windows\system32\mmtask.exe -s
  2⤵
  PID:396
- C:\Windows\SVCHOST.EXE
  C:\Windows\SVCHOST.EXE -s
  2⤵
  PID:496
- C:\Windows\system\SVCHOST.EXE
  C:\Windows\system\SVCHOST.EXE -s
  2⤵
  PID:1944
- C:\Windows\SysWOW64\EBRR.EXE
  C:\Windows\system32\EBRR.EXE -s
  2⤵
  PID:2336
- C:\Windows\SysWOW64\mmtask.exe
  C:\Windows\system32\mmtask.exe -s
  2⤵
  PID:1776
- C:\Windows\SVCHOST.EXE
  C:\Windows\SVCHOST.EXE -s
  2⤵
  PID:2284
- C:\Windows\system\SVCHOST.EXE
  C:\Windows\system\SVCHOST.EXE -s
  2⤵
  PID:2524
- C:\Windows\SysWOW64\EBRR.EXE
  C:\Windows\system32\EBRR.EXE -s
  2⤵
  PID:1588
- C:\Windows\SysWOW64\mmtask.exe
  C:\Windows\system32\mmtask.exe -s
  2⤵
  PID:2692
- C:\Windows\SVCHOST.EXE
  C:\Windows\SVCHOST.EXE -s
  2⤵
  PID:2476
- C:\Windows\system\SVCHOST.EXE
  C:\Windows\system\SVCHOST.EXE -s
  2⤵
  PID:2632
- C:\Windows\SysWOW64\EBRR.EXE
  C:\Windows\system32\EBRR.EXE -s
  2⤵
  PID:1812
- C:\Windows\SysWOW64\mmtask.exe
  C:\Windows\system32\mmtask.exe -s
  2⤵
  PID:320
- C:\Windows\SVCHOST.EXE
  C:\Windows\SVCHOST.EXE -s
  2⤵
  PID:584
- C:\Windows\system\SVCHOST.EXE
  C:\Windows\system\SVCHOST.EXE -s
  2⤵
  PID:2292
- C:\Windows\SysWOW64\EBRR.EXE
  C:\Windows\system32\EBRR.EXE -s
  2⤵
  PID:1264
- C:\Windows\SysWOW64\mmtask.exe
  C:\Windows\system32\mmtask.exe -s
  2⤵
  PID:1604
- C:\Windows\SVCHOST.EXE
  C:\Windows\SVCHOST.EXE -s
  2⤵
  PID:2384
- C:\Windows\system\SVCHOST.EXE
  C:\Windows\system\SVCHOST.EXE -s
  2⤵
  PID:2628
- C:\Windows\SysWOW64\EBRR.EXE
  C:\Windows\system32\EBRR.EXE -s
  2⤵
  PID:2352
- C:\Windows\SysWOW64\mmtask.exe
  C:\Windows\system32\mmtask.exe -s
  2⤵
  PID:1212
- C:\Windows\SVCHOST.EXE
  C:\Windows\SVCHOST.EXE -s
  2⤵
  PID:2288
- C:\Windows\system\SVCHOST.EXE
  C:\Windows\system\SVCHOST.EXE -s
  2⤵
  PID:2120
- C:\Windows\SysWOW64\EBRR.EXE
  C:\Windows\system32\EBRR.EXE -s
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2160
- C:\Windows\SysWOW64\mmtask.exe
  C:\Windows\system32\mmtask.exe -s
  2⤵
  PID:1056
- C:\Windows\SVCHOST.EXE
  C:\Windows\SVCHOST.EXE -s
  2⤵
  PID:2772
- C:\Windows\system\SVCHOST.EXE
  C:\Windows\system\SVCHOST.EXE -s
  2⤵
  PID:2648
- C:\Windows\SysWOW64\EBRR.EXE
  C:\Windows\system32\EBRR.EXE -s
  2⤵
  PID:1756
- C:\Windows\SysWOW64\mmtask.exe
  C:\Windows\system32\mmtask.exe -s
  2⤵
  PID:1156
- C:\Windows\SVCHOST.EXE
  C:\Windows\SVCHOST.EXE -s
  2⤵
  PID:2968
- C:\Windows\system\SVCHOST.EXE
  C:\Windows\system\SVCHOST.EXE -s
  2⤵
  PID:1932
- C:\Windows\SysWOW64\EBRR.EXE
  C:\Windows\system32\EBRR.EXE -s
  2⤵
  PID:1112
- C:\Windows\SysWOW64\mmtask.exe
  C:\Windows\system32\mmtask.exe -s
  2⤵
  PID:756
- C:\Windows\SVCHOST.EXE
  C:\Windows\SVCHOST.EXE -s
  2⤵
  PID:2176
- C:\Windows\system\SVCHOST.EXE
  C:\Windows\system\SVCHOST.EXE -s
  2⤵
  PID:2536
- C:\Windows\SysWOW64\EBRR.EXE
  C:\Windows\system32\EBRR.EXE -s
  2⤵
  PID:1396
- C:\Windows\SysWOW64\mmtask.exe
  C:\Windows\system32\mmtask.exe -s
  2⤵
  PID:696
- C:\Windows\SVCHOST.EXE
  C:\Windows\SVCHOST.EXE -s
  2⤵
  PID:2876
- C:\Windows\system\SVCHOST.EXE
  C:\Windows\system\SVCHOST.EXE -s
  2⤵
  PID:2452
- C:\Windows\SysWOW64\EBRR.EXE
  C:\Windows\system32\EBRR.EXE -s
  2⤵
  PID:1736
- C:\Windows\SysWOW64\mmtask.exe
  C:\Windows\system32\mmtask.exe -s
  2⤵
  PID:2704
- C:\Windows\SVCHOST.EXE
  C:\Windows\SVCHOST.EXE -s
  2⤵
  PID:2844
- C:\Windows\system\SVCHOST.EXE
  C:\Windows\system\SVCHOST.EXE -s
  2⤵
  PID:2632
- C:\Windows\SysWOW64\EBRR.EXE
  C:\Windows\system32\EBRR.EXE -s
  2⤵
  PID:1152
- C:\Windows\SysWOW64\mmtask.exe
  C:\Windows\system32\mmtask.exe -s
  2⤵
  PID:2292
- C:\Windows\SVCHOST.EXE
  C:\Windows\SVCHOST.EXE -s
  2⤵
  PID:1004
- C:\Windows\system\SVCHOST.EXE
  C:\Windows\system\SVCHOST.EXE -s
  2⤵
  PID:1000
- C:\Windows\SysWOW64\EBRR.EXE
  C:\Windows\system32\EBRR.EXE -s
  2⤵
  PID:1856
- C:\Windows\SysWOW64\mmtask.exe
  C:\Windows\system32\mmtask.exe -s
  2⤵
  PID:308
- C:\Windows\SVCHOST.EXE
  C:\Windows\SVCHOST.EXE -s
  2⤵
  PID:2176
- C:\Windows\system\SVCHOST.EXE
  C:\Windows\system\SVCHOST.EXE -s
  2⤵
  PID:2604
- C:\Windows\SysWOW64\EBRR.EXE
  C:\Windows\system32\EBRR.EXE -s
  2⤵
  PID:2204
- C:\Windows\SysWOW64\mmtask.exe
  C:\Windows\system32\mmtask.exe -s
  2⤵
  PID:2168
- C:\Windows\SVCHOST.EXE
  C:\Windows\SVCHOST.EXE -s
  2⤵
  PID:2740
- C:\Windows\system\SVCHOST.EXE
  C:\Windows\system\SVCHOST.EXE -s
  2⤵
  PID:2756
- C:\Windows\SysWOW64\EBRR.EXE
  C:\Windows\system32\EBRR.EXE -s
  2⤵
  PID:2660
- C:\Windows\SysWOW64\mmtask.exe
  C:\Windows\system32\mmtask.exe -s
  2⤵
  PID:1912
- C:\Windows\SVCHOST.EXE
  C:\Windows\SVCHOST.EXE -s
  2⤵
  PID:2716
- C:\Windows\system\SVCHOST.EXE
  C:\Windows\system\SVCHOST.EXE -s
  2⤵
  PID:2664
- C:\Windows\SysWOW64\EBRR.EXE
  C:\Windows\system32\EBRR.EXE -s
  2⤵
  PID:380
- C:\Windows\SysWOW64\mmtask.exe
  C:\Windows\system32\mmtask.exe -s
  2⤵
  PID:2012
- C:\Windows\SVCHOST.EXE
  C:\Windows\SVCHOST.EXE -s
  2⤵
  PID:2200
- C:\Windows\system\SVCHOST.EXE
  C:\Windows\system\SVCHOST.EXE -s
  2⤵
  PID:1600
- C:\Windows\SysWOW64\EBRR.EXE
  C:\Windows\system32\EBRR.EXE -s
  2⤵
  PID:2964
- C:\Windows\SysWOW64\mmtask.exe
  C:\Windows\system32\mmtask.exe -s
  2⤵
  PID:3044
- C:\Windows\SVCHOST.EXE
  C:\Windows\SVCHOST.EXE -s
  2⤵
  PID:1440
- C:\Windows\system\SVCHOST.EXE
  C:\Windows\system\SVCHOST.EXE -s
  2⤵
  PID:2864
- C:\Windows\SysWOW64\EBRR.EXE
  C:\Windows\system32\EBRR.EXE -s
  2⤵
  PID:2100
- C:\Windows\SysWOW64\mmtask.exe
  C:\Windows\system32\mmtask.exe -s
  2⤵
  PID:2672
- C:\Windows\SVCHOST.EXE
  C:\Windows\SVCHOST.EXE -s
  2⤵
  PID:2168
- C:\Windows\system\SVCHOST.EXE
  C:\Windows\system\SVCHOST.EXE -s
  2⤵
  PID:2832
- C:\Windows\SysWOW64\EBRR.EXE
  C:\Windows\system32\EBRR.EXE -s
  2⤵
  PID:1736
- C:\Windows\SysWOW64\mmtask.exe
  C:\Windows\system32\mmtask.exe -s
  2⤵
  PID:1908
- C:\Windows\SVCHOST.EXE
  C:\Windows\SVCHOST.EXE -s
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2736
- C:\Windows\system\SVCHOST.EXE
  C:\Windows\system\SVCHOST.EXE -s
  2⤵
  PID:2304
- C:\Windows\SysWOW64\EBRR.EXE
  C:\Windows\system32\EBRR.EXE -s
  2⤵
  PID:1732
- C:\Windows\SysWOW64\mmtask.exe
  C:\Windows\system32\mmtask.exe -s
  2⤵
  PID:1224

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
- Modifies Internet Explorer settings
- Modifies registry class
PID:2328

C:\Windows\system32\wbem\WMIADAP.EXE
wmiadap.exe /F /T /R
1⤵
PID:2972

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Winlogon Helper DLL

T1547.004

Event Triggered Execution

T1546

Change Default File Association

T1546.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Winlogon Helper DLL

T1547.004

Event Triggered Execution

T1546

Change Default File Association

T1546.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\e66b315f89c1d8450739ec9d9123ccc3919cc0e3e93d984d60535843f37dbaa8\Cantik.bmp

Filesize
64KB

MD5
7ab9246655e40e5d922e1f92560128f5

SHA1
a989d0611485d2429f5b33a4124126415b02390f

SHA256
3ed10a9452b56114f9f6fb3f65f02e8d6b906897271793e4b410c08e3bde9772

SHA512
3fe741419bc727d23f18b0979dbadeaa69d418a7f290c816afaf2c4eabd1475ff4f7b543ea699e93f0dce96592e058a55e7a9f0aa3094c200a863df40c4b2c50

Download Submit
C:\Windows\SVCHOST.EXE

Filesize
92KB

MD5
76c73d5d7af3a54582e25f19404f05d6

SHA1
d2f98c2cd8d07fd8a0fb5bb5f0e122bdfae48e2f

SHA256
3e0662ab6eed1b54333d6ca419f3dd39fd37bf482acae752c3cae4892be8dddd

SHA512
fa44b76116716fae2d71e42489173d3ec66d33a475dccaf20b40e4653502fbd9efa532e5d541b0cc3e9fa88b2d88e47fb6a5492b727b70f36e6b38f15f085fa9

Download Submit
\Windows\SysWOW64\EBRR.EXE

Filesize
92KB

MD5
cfef6319f9dc6d1fd555cd742e97a2c3

SHA1
8a3b2d6b2e7eb4dbca5a47ab25ff4c1bfb9c1224

SHA256
fe46d54e75c620dce1b6df76ff4bbf6ce0cdaef259b4df2165fd79207354eaa4

SHA512
5e775dd1f307433cbbc23fcf22929bb84f81e26c90a4a56cd6e825f5e231ca0aca58bbbffb69355e5c2185cb278ceb3c8f01281ca31fb1f96f99500ec26ad75e

Download Submit
\Windows\SysWOW64\mmtask.exe

Filesize
92KB

MD5
d583ee2af9bf26914cb19bb2430b58f6

SHA1
3d9cddd9c849817059ad5f7813076c92ff9fb2a9

SHA256
8f8c729794579b19bc60d9441adac6379f678da60ec164dcd705672eb80295ea

SHA512
7de7093e0b761ad24ceee3fd78d1861dd6b3b6d63adb63cc27569aa89c215b3a0a1b48fa38f38e8394b55a15040ca6d9283549e1adbafc4f8649a7e374645b92

Download Submit
\Windows\system\SVCHOST.EXE

Filesize
92KB

MD5
1da411974a3457c6f7a4609bbce20e2f

SHA1
5aa30bb68cd1db2315e9b41280be9c85a06a8440

SHA256
cec2a2863ddb7c91cc292f5635dfa6c587ddbbf3b178e5ad0273ca0a4abc3ef0

SHA512
284fbff0a8ab494ce6a7689b89f7fff56d2746ec94e34f0eed976af85c989108a0d88309b6197ff7b93128bf6a0052c9000305ae5f872e046e6e03ccb123e61b

Download Submit
memory/324-418-0x00000000003C0000-0x00000000003D0000-memory.dmp

Filesize
64KB

Download
memory/324-417-0x00000000003C0000-0x00000000003D0000-memory.dmp

Filesize
64KB

Download
memory/376-2465-0x0000000000220000-0x0000000000230000-memory.dmp

Filesize
64KB

Download
memory/376-2466-0x0000000000220000-0x0000000000230000-memory.dmp

Filesize
64KB

Download
memory/408-3116-0x0000000000220000-0x0000000000230000-memory.dmp

Filesize
64KB

Download
memory/496-188-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/580-223-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/580-221-0x0000000000220000-0x0000000000230000-memory.dmp

Filesize
64KB

Download
memory/580-226-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/632-2881-0x00000000001B0000-0x00000000001C0000-memory.dmp

Filesize
64KB

Download
memory/632-2880-0x00000000001B0000-0x00000000001C0000-memory.dmp

Filesize
64KB

Download
memory/668-151-0x0000000000290000-0x00000000002AF000-memory.dmp

Filesize
124KB

Download
memory/668-250-0x0000000000290000-0x00000000002AF000-memory.dmp

Filesize
124KB

Download
memory/668-202-0x0000000000290000-0x00000000002AF000-memory.dmp

Filesize
124KB

Download
memory/668-269-0x0000000000290000-0x00000000002AF000-memory.dmp

Filesize
124KB

Download
memory/668-273-0x0000000000290000-0x00000000002AF000-memory.dmp

Filesize
124KB

Download
memory/668-126-0x0000000000290000-0x00000000002AF000-memory.dmp

Filesize
124KB

Download
memory/668-114-0x0000000000290000-0x00000000002AF000-memory.dmp

Filesize
124KB

Download
memory/668-140-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/888-246-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/888-259-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/904-2928-0x0000000000220000-0x0000000000230000-memory.dmp

Filesize
64KB

Download
memory/988-2008-0x00000000001B0000-0x00000000001C0000-memory.dmp

Filesize
64KB

Download
memory/988-2007-0x00000000001B0000-0x00000000001C0000-memory.dmp

Filesize
64KB

Download
memory/1004-125-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1036-229-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1036-230-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1248-2686-0x00000000001B0000-0x00000000001C0000-memory.dmp

Filesize
64KB

Download
memory/1264-1805-0x00000000001B0000-0x00000000001C0000-memory.dmp

Filesize
64KB

Download
memory/1356-192-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1356-196-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1452-162-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1560-139-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1572-2909-0x0000000000230000-0x0000000000240000-memory.dmp

Filesize
64KB

Download
memory/1572-2910-0x0000000000230000-0x0000000000240000-memory.dmp

Filesize
64KB

Download
memory/1584-261-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1588-2376-0x00000000002B0000-0x00000000002C0000-memory.dmp

Filesize
64KB

Download
memory/1588-2375-0x00000000002B0000-0x00000000002C0000-memory.dmp

Filesize
64KB

Download
memory/1640-210-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1684-2879-0x0000000000220000-0x0000000000230000-memory.dmp

Filesize
64KB

Download
memory/1684-2882-0x0000000000220000-0x0000000000230000-memory.dmp

Filesize
64KB

Download
memory/1684-901-0x0000000000270000-0x0000000000280000-memory.dmp

Filesize
64KB

Download
memory/1700-31-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1736-3160-0x0000000000230000-0x0000000000240000-memory.dmp

Filesize
64KB

Download
memory/1736-2527-0x0000000000220000-0x0000000000230000-memory.dmp

Filesize
64KB

Download
memory/1736-2528-0x0000000000220000-0x0000000000230000-memory.dmp

Filesize
64KB

Download
memory/1748-275-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1756-119-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1756-2890-0x00000000001B0000-0x00000000001C0000-memory.dmp

Filesize
64KB

Download
memory/1772-405-0x0000000000220000-0x0000000000230000-memory.dmp

Filesize
64KB

Download
memory/1772-406-0x0000000000220000-0x0000000000230000-memory.dmp

Filesize
64KB

Download
memory/1776-199-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1784-2886-0x0000000000230000-0x0000000000240000-memory.dmp

Filesize
64KB

Download
memory/1784-2885-0x0000000000230000-0x0000000000240000-memory.dmp

Filesize
64KB

Download
memory/1812-2561-0x0000000000220000-0x0000000000230000-memory.dmp

Filesize
64KB

Download
memory/1812-2562-0x0000000000220000-0x0000000000230000-memory.dmp

Filesize
64KB

Download
memory/1856-3080-0x0000000000220000-0x0000000000230000-memory.dmp

Filesize
64KB

Download
memory/1856-3079-0x0000000000220000-0x0000000000230000-memory.dmp

Filesize
64KB

Download
memory/1948-2342-0x00000000001B0000-0x00000000001C0000-memory.dmp

Filesize
64KB

Download
memory/1948-2341-0x00000000001B0000-0x00000000001C0000-memory.dmp

Filesize
64KB

Download
memory/1952-219-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1964-3582-0x00000000003B0000-0x00000000003C0000-memory.dmp

Filesize
64KB

Download
memory/1964-3585-0x00000000003B0000-0x00000000003C0000-memory.dmp

Filesize
64KB

Download
memory/2012-155-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2028-3693-0x0000000000220000-0x0000000000230000-memory.dmp

Filesize
64KB

Download
memory/2028-3692-0x0000000000220000-0x0000000000230000-memory.dmp

Filesize
64KB

Download
memory/2052-222-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2108-198-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2120-1390-0x0000000000220000-0x0000000000230000-memory.dmp

Filesize
64KB

Download
memory/2140-525-0x00000000001B0000-0x00000000001C0000-memory.dmp

Filesize
64KB

Download
memory/2172-69-0x0000000000260000-0x000000000027F000-memory.dmp

Filesize
124KB

Download
memory/2172-288-0x0000000000260000-0x000000000027F000-memory.dmp

Filesize
124KB

Download
memory/2172-245-0x0000000000260000-0x000000000027F000-memory.dmp

Filesize
124KB

Download
memory/2172-225-0x0000000000260000-0x000000000027F000-memory.dmp

Filesize
124KB

Download
memory/2172-200-0x0000000000260000-0x000000000027F000-memory.dmp

Filesize
124KB

Download
memory/2172-238-0x0000000000260000-0x000000000027F000-memory.dmp

Filesize
124KB

Download
memory/2172-201-0x0000000000260000-0x000000000027F000-memory.dmp

Filesize
124KB

Download
memory/2172-90-0x0000000000260000-0x000000000027F000-memory.dmp

Filesize
124KB

Download
memory/2172-187-0x0000000000260000-0x000000000027F000-memory.dmp

Filesize
124KB

Download
memory/2172-249-0x0000000000260000-0x000000000027F000-memory.dmp

Filesize
124KB

Download
memory/2172-235-0x0000000000260000-0x000000000027F000-memory.dmp

Filesize
124KB

Download
memory/2172-236-0x0000000000260000-0x000000000027F000-memory.dmp

Filesize
124KB

Download
memory/2172-178-0x0000000000260000-0x000000000027F000-memory.dmp

Filesize
124KB

Download
memory/2172-263-0x0000000000260000-0x000000000027F000-memory.dmp

Filesize
124KB

Download
memory/2172-84-0x0000000000260000-0x000000000027F000-memory.dmp

Filesize
124KB

Download
memory/2172-169-0x0000000000260000-0x000000000027F000-memory.dmp

Filesize
124KB

Download
memory/2172-75-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2172-46-0x0000000000260000-0x000000000027F000-memory.dmp

Filesize
124KB

Download
memory/2172-291-0x0000000000260000-0x000000000027F000-memory.dmp

Filesize
124KB

Download
memory/2172-271-0x0000000000260000-0x000000000027F000-memory.dmp

Filesize
124KB

Download
memory/2172-167-0x0000000000260000-0x000000000027F000-memory.dmp

Filesize
124KB

Download
memory/2172-186-0x0000000000260000-0x000000000027F000-memory.dmp

Filesize
124KB

Download
memory/2172-54-0x0000000000260000-0x000000000027F000-memory.dmp

Filesize
124KB

Download
memory/2328-56-0x0000000003A50000-0x0000000003A60000-memory.dmp

Filesize
64KB

Download
memory/2332-17-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2332-23-0x0000000000270000-0x000000000028F000-memory.dmp

Filesize
124KB

Download
memory/2332-234-0x0000000000270000-0x000000000028F000-memory.dmp

Filesize
124KB

Download
memory/2332-53-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2332-38-0x0000000000270000-0x000000000028F000-memory.dmp

Filesize
124KB

Download
memory/2332-68-0x0000000000270000-0x000000000028F000-memory.dmp

Filesize
124KB

Download
memory/2332-274-0x0000000000270000-0x000000000028F000-memory.dmp

Filesize
124KB

Download
memory/2368-2994-0x0000000000220000-0x0000000000230000-memory.dmp

Filesize
64KB

Download
memory/2384-2912-0x0000000000220000-0x0000000000230000-memory.dmp

Filesize
64KB

Download
memory/2384-2911-0x0000000000220000-0x0000000000230000-memory.dmp

Filesize
64KB

Download
memory/2388-189-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2416-1031-0x0000000077960000-0x0000000077A7F000-memory.dmp

Filesize
1.1MB

Download
memory/2416-1032-0x0000000077A80000-0x0000000077B7A000-memory.dmp

Filesize
1000KB

Download
memory/2416-3245-0x0000000077960000-0x0000000077A7F000-memory.dmp

Filesize
1.1MB

Download
memory/2416-3246-0x0000000077A80000-0x0000000077B7A000-memory.dmp

Filesize
1000KB

Download
memory/2440-237-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2452-266-0x0000000000220000-0x0000000000230000-memory.dmp

Filesize
64KB

Download
memory/2452-267-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2452-265-0x0000000000220000-0x0000000000230000-memory.dmp

Filesize
64KB

Download
memory/2492-272-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2516-218-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2548-1704-0x0000000000220000-0x0000000000230000-memory.dmp

Filesize
64KB

Download
memory/2548-1705-0x0000000000220000-0x0000000000230000-memory.dmp

Filesize
64KB

Download
memory/2660-88-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2664-1608-0x0000000000260000-0x0000000000270000-memory.dmp

Filesize
64KB

Download
memory/2664-1607-0x0000000000260000-0x0000000000270000-memory.dmp

Filesize
64KB

Download
memory/2664-2710-0x0000000000220000-0x0000000000230000-memory.dmp

Filesize
64KB

Download
memory/2676-81-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2708-251-0x00000000003D0000-0x00000000003EF000-memory.dmp

Filesize
124KB

Download
memory/2708-47-0x00000000003D0000-0x00000000003EF000-memory.dmp

Filesize
124KB

Download
memory/2708-16-0x00000000003D0000-0x00000000003EF000-memory.dmp

Filesize
124KB

Download
memory/2708-45-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2708-10-0x00000000003D0000-0x00000000003EF000-memory.dmp

Filesize
124KB

Download
memory/2708-209-0x00000000003D0000-0x00000000003EF000-memory.dmp

Filesize
124KB

Download
memory/2708-233-0x00000000003D0000-0x00000000003EF000-memory.dmp

Filesize
124KB

Download
memory/2708-241-0x00000000003D0000-0x00000000003EF000-memory.dmp

Filesize
124KB

Download
memory/2708-264-0x00000000003D0000-0x00000000003EF000-memory.dmp

Filesize
124KB

Download
memory/2708-0-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2708-214-0x00000000003D0000-0x00000000003EF000-memory.dmp

Filesize
124KB

Download
memory/2724-175-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2736-2548-0x0000000000220000-0x0000000000230000-memory.dmp

Filesize
64KB

Download
memory/2756-282-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2760-63-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2764-3036-0x0000000000220000-0x0000000000230000-memory.dmp

Filesize
64KB

Download
memory/2764-3035-0x0000000000220000-0x0000000000230000-memory.dmp

Filesize
64KB

Download
memory/2780-2067-0x0000000000220000-0x0000000000230000-memory.dmp

Filesize
64KB

Download
memory/2804-247-0x0000000000320000-0x000000000033F000-memory.dmp

Filesize
124KB

Download
memory/2804-106-0x0000000000320000-0x000000000033F000-memory.dmp

Filesize
124KB

Download
memory/2804-76-0x0000000000320000-0x000000000033F000-memory.dmp

Filesize
124KB

Download
memory/2804-224-0x0000000000320000-0x000000000033F000-memory.dmp

Filesize
124KB

Download
memory/2804-112-0x0000000000320000-0x000000000033F000-memory.dmp

Filesize
124KB

Download
memory/2804-244-0x0000000000320000-0x000000000033F000-memory.dmp

Filesize
124KB

Download
memory/2804-104-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2804-168-0x0000000000320000-0x000000000033F000-memory.dmp

Filesize
124KB

Download
memory/2804-270-0x0000000000320000-0x000000000033F000-memory.dmp

Filesize
124KB

Download
memory/2804-154-0x0000000000320000-0x000000000033F000-memory.dmp

Filesize
124KB

Download
memory/2824-3000-0x0000000000220000-0x0000000000230000-memory.dmp

Filesize
64KB

Download
memory/2824-2999-0x0000000000220000-0x0000000000230000-memory.dmp

Filesize
64KB

Download
memory/2860-97-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2884-3808-0x00000000003A0000-0x00000000003B0000-memory.dmp

Filesize
64KB

Download
memory/2940-133-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2980-164-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2996-287-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2996-268-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/3048-1890-0x00000000001B0000-0x00000000001C0000-memory.dmp

Filesize
64KB

Download