c41899315b2f3dad512ed1f58746e59fdb2f9717badcf7b2c861c1248d945991

Analysis

max time kernel
148s
max time network
124s
platform
windows7_x64
resource
win7-20240708-en
resource tags

arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
submitted
22-11-2024 03:41

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

cgi19-alptsevs-h555.exe_.exe
Size

569KB
MD5

e9b9c39dd91c7fac1ee0b92e018a21bd
SHA1

1ddcf37b32f90f864b51adba3f4bd3a0f5ea935f
SHA256

388cc8da15d0fbee9bb9fb87715c8f2967b1584a12e30b4ea1ebbc27ff3b557b
SHA512

dee5a5da3fe70e5d15f48ba9e8d9204a2de641b91e22a8e3ddb7dfaa1aafd6d943bb21188985bb8d40836fc6e24ee2df9a9d988f5ea8048d30517cd6bf7e3add
SSDEEP

12288:j3nZMhJ+ubNmz0C4nkspjhPMy7NxkIXGUikyjk0y0xjYfYK4zjibVWidV3BtGN:j3nZqfbkz94h9P1+sbi3j2Bwjifv3BAN

Score

7^/10

bootkit discovery persistence spyware stealer

Malware Config

Signatures

ACProtect 1.3x - 1.4x DLL software 1 IoCs

Detects file using ACProtect software.

resource	yara_rule
behavioral19/files/0x0005000000019f71-52.dat	acprotect

Deletes itself 1 IoCs

pid	Process
2764	svchost.exe

Executes dropped EXE 64 IoCs

pid	Process
2788	svschost.exe
2848	nsf.exe
2816	svschost.exe
2040	nsf.exe
2524	svschost.exe
744	svschost.exe
1396	svchost.exe
2780	svschost.exe
2812	nsf.exe
2760	svschost.exe
2392	svchost.exe
1988	svchost.exe
2224	svschost.exe
828	svchost.exe
620	svchost.exe
976	svchost.exe
2152	svchost.exe
1852	svchost.exe
2832	svchost.exe
1716	svchost.exe
2100	svchost.exe
3012	svchost.exe
2784	svchost.exe
2312	svchost.exe
1340	svchost.exe
2140	svchost.exe
2544	svchost.exe
2828	svchost.exe
1664	svchost.exe
1604	svchost.exe
832	svchost.exe
296	svchost.exe
620	svchost.exe
1600	svchost.exe
108	svchost.exe
2500	svchost.exe
2348	svchost.exe
2624	svchost.exe
2620	svchost.exe
2812	svchost.exe
2928	svchost.exe
2896	svchost.exe
2900	svchost.exe
2392	svchost.exe
3028	svchost.exe
860	svchost.exe
2792	svchost.exe
952	svchost.exe
2004	svchost.exe
1860	svchost.exe
2408	svchost.exe
1008	svchost.exe
2216	svchost.exe
884	svchost.exe
2180	svchost.exe
2268	svchost.exe
1388	svchost.exe
2116	svchost.exe
1260	svchost.exe
2220	svchost.exe
1040	svchost.exe
2192	svchost.exe
1696	svchost.exe
2532	svchost.exe

Loads dropped DLL 43 IoCs

pid	Process
2860	cgi19-alptsevs-h555.exe_.exe
2860	cgi19-alptsevs-h555.exe_.exe
2860	cgi19-alptsevs-h555.exe_.exe
2860	cgi19-alptsevs-h555.exe_.exe
2860	cgi19-alptsevs-h555.exe_.exe
2860	cgi19-alptsevs-h555.exe_.exe
2860	cgi19-alptsevs-h555.exe_.exe
2860	cgi19-alptsevs-h555.exe_.exe
2860	cgi19-alptsevs-h555.exe_.exe
2848	nsf.exe
2860	cgi19-alptsevs-h555.exe_.exe
2860	cgi19-alptsevs-h555.exe_.exe
2860	cgi19-alptsevs-h555.exe_.exe
2860	cgi19-alptsevs-h555.exe_.exe
2860	cgi19-alptsevs-h555.exe_.exe
2860	cgi19-alptsevs-h555.exe_.exe
2860	cgi19-alptsevs-h555.exe_.exe
2860	cgi19-alptsevs-h555.exe_.exe
2860	cgi19-alptsevs-h555.exe_.exe
2040	nsf.exe
2860	cgi19-alptsevs-h555.exe_.exe
2860	cgi19-alptsevs-h555.exe_.exe
2860	cgi19-alptsevs-h555.exe_.exe
2860	cgi19-alptsevs-h555.exe_.exe
744	svschost.exe
2860	cgi19-alptsevs-h555.exe_.exe
2860	cgi19-alptsevs-h555.exe_.exe
2860	cgi19-alptsevs-h555.exe_.exe
2860	cgi19-alptsevs-h555.exe_.exe
2860	cgi19-alptsevs-h555.exe_.exe
2860	cgi19-alptsevs-h555.exe_.exe
2860	cgi19-alptsevs-h555.exe_.exe
2860	cgi19-alptsevs-h555.exe_.exe
2860	cgi19-alptsevs-h555.exe_.exe
2812	nsf.exe
2860	cgi19-alptsevs-h555.exe_.exe
2860	cgi19-alptsevs-h555.exe_.exe
2860	cgi19-alptsevs-h555.exe_.exe
2860	cgi19-alptsevs-h555.exe_.exe
2860	cgi19-alptsevs-h555.exe_.exe
2860	cgi19-alptsevs-h555.exe_.exe
2860	cgi19-alptsevs-h555.exe_.exe
2860	cgi19-alptsevs-h555.exe_.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\svchost = "C:\\dvsdlk\\svchost.exe"	REG.exe

Drops desktop.ini file(s) 7 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\R9C9T5AL\desktop.ini	svchost.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ROVWYKHE\desktop.ini	svchost.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\desktop.ini	svchost.exe
File opened for modification	C:\$Recycle.Bin\S-1-5-21-3551809350-4263495960-1443967649-1000\desktop.ini	svchost.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\desktop.ini	svchost.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\L2BFB2JG\desktop.ini	svchost.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\MYC3PENY\desktop.ini	svchost.exe

Enumerates connected drives 3 TTPs 23 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\M:	svschost.exe
File opened (read-only)	\??\N:	svschost.exe
File opened (read-only)	\??\X:	svschost.exe
File opened (read-only)	\??\E:	svschost.exe
File opened (read-only)	\??\G:	svschost.exe
File opened (read-only)	\??\J:	svschost.exe
File opened (read-only)	\??\P:	svschost.exe
File opened (read-only)	\??\T:	svschost.exe
File opened (read-only)	\??\U:	svschost.exe
File opened (read-only)	\??\V:	svschost.exe
File opened (read-only)	\??\W:	svschost.exe
File opened (read-only)	\??\H:	svschost.exe
File opened (read-only)	\??\K:	svschost.exe
File opened (read-only)	\??\O:	svschost.exe
File opened (read-only)	\??\S:	svschost.exe
File opened (read-only)	\??\B:	svschost.exe
File opened (read-only)	\??\I:	svschost.exe
File opened (read-only)	\??\Q:	svschost.exe
File opened (read-only)	\??\Y:	svschost.exe
File opened (read-only)	\??\Z:	svschost.exe
File opened (read-only)	\??\A:	svschost.exe
File opened (read-only)	\??\L:	svschost.exe
File opened (read-only)	\??\R:	svschost.exe

Writes to the Master Boot Record (MBR) 1 TTPs 3 IoCs

Bootkits write to the MBR to gain persistence at a level below the operating system.

bootkit persistence

Bootkit

T1542.003

description	ioc	Process
File opened for modification	\??\PhysicalDrive0	nsf.exe
File opened for modification	\??\PhysicalDrive0	nsf.exe
File opened for modification	\??\PhysicalDrive0	nsf.exe

Drops file in System32 directory 61 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Backup-Package~31bf3856ad364e35~amd64~fr-FR~6.1.7601.17514.cat	svchost.exe
File opened for modification	C:\Windows\System32\catroot2\edb006BF.log	svchost.exe
File opened for modification	C:\Windows\System32\catroot2\edb006C7.log	svchost.exe
File opened for modification	C:\Windows\System32\catroot2\edb006CE.log	svchost.exe
File opened for modification	C:\Windows\System32\catroot2\edb006D2.log	svchost.exe
File opened for modification	C:\Windows\System32\catroot2\edb006D3.log	svchost.exe
File created	C:\Windows\SysWOW64\NoSafeMode.dll	cgi19-alptsevs-h555.exe_.exe
File opened for modification	C:\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Backup-Package~31bf3856ad364e35~amd64~es-ES~6.1.7601.17514.cat	svchost.exe
File opened for modification	C:\Windows\System32\catroot2\edb006C0.log	svchost.exe
File opened for modification	C:\Windows\System32\catroot2\edb006C5.log	svchost.exe
File opened for modification	C:\Windows\System32\catroot2\edb006D4.log	svchost.exe
File created	C:\Windows\SysWOW64\sdelete.dll	cgi19-alptsevs-h555.exe_.exe
File opened for modification	C:\Windows\System32\catroot2\edb.log	svchost.exe
File opened for modification	C:\Windows\System32\catroot2\edb006C6.log	svchost.exe
File opened for modification	C:\Windows\System32\de-DE\SystemPropertiesProtection.exe.mui	svchost.exe
File created	C:\Windows\SysWOW64\nsf.exe	cgi19-alptsevs-h555.exe_.exe
File created	C:\Windows\SysWOW64\svschost.exe	cgi19-alptsevs-h555.exe_.exe
File created	C:\Windows\SysWOW64\__tmp_rar_sfx_access_check_259457087	cgi19-alptsevs-h555.exe_.exe
File opened for modification	C:\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Backup-Package~31bf3856ad364e35~amd64~de-DE~6.1.7601.17514.cat	svchost.exe
File opened for modification	C:\Windows\System32\catroot2\edb006C9.log	svchost.exe
File opened for modification	C:\Windows\System32\catroot2\edb006CD.log	svchost.exe
File opened for modification	C:\Windows\System32\catroot2\edb006D0.log	svchost.exe
File opened for modification	C:\Windows\SysWOW64\default2.sfx	cgi19-alptsevs-h555.exe_.exe
File opened for modification	C:\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Backup-Package~31bf3856ad364e35~amd64~en-US~6.1.7600.16385.cat	svchost.exe
File opened for modification	C:\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Backup-Package~31bf3856ad364e35~amd64~en-US~6.1.7601.17514.cat	svchost.exe
File opened for modification	C:\Windows\System32\catroot2\edb006C2.log	svchost.exe
File opened for modification	C:\Windows\System32\catroot2\edb006C4.log	svchost.exe
File opened for modification	C:\Windows\System32\de-DE\SystemPropertiesComputerName.exe.mui	svchost.exe
File opened for modification	C:\Windows\System32\catroot2\edb006C3.log	svchost.exe
File opened for modification	C:\Windows\System32\catroot2\edb006CF.log	svchost.exe
File opened for modification	C:\Windows\System32\catroot2\edb006D1.log	svchost.exe
File opened for modification	C:\Windows\System32\de-DE\SystemPropertiesDataExecutionPrevention.exe.mui	svchost.exe
File opened for modification	C:\Windows\SysWOW64\csrss32.dll	cgi19-alptsevs-h555.exe_.exe
File opened for modification	C:\Windows\SysWOW64\NoSafeMode.dll	cgi19-alptsevs-h555.exe_.exe
File created	C:\Windows\SysWOW64\default2.sfx	cgi19-alptsevs-h555.exe_.exe
File created	C:\Windows\SysWOW64\__tmp_rar_sfx_access_check_259469427	cgi19-alptsevs-h555.exe_.exe
File opened for modification	C:\Windows\System32\catroot2\edb006BD.log	svchost.exe
File opened for modification	C:\Windows\System32\catroot2\edb006BE.log	svchost.exe
File opened for modification	C:\Windows\System32\catroot2\edb006D5.log	svchost.exe
File opened for modification	C:\Windows\System32\de-DE\SystemPropertiesPerformance.exe.mui	svchost.exe
File created	C:\Windows\SysWOW64\__tmp_rar_sfx_access_check_259449740	cgi19-alptsevs-h555.exe_.exe
File opened for modification	C:\Windows\SysWOW64\svschost.exe	cgi19-alptsevs-h555.exe_.exe
File created	C:\Windows\SysWOW64\csrss64.dll	cgi19-alptsevs-h555.exe_.exe
File opened for modification	C:\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Backup-Package~31bf3856ad364e35~amd64~ja-JP~6.1.7601.17514.cat	svchost.exe
File opened for modification	C:\Windows\System32\catroot2\edb006CB.log	svchost.exe
File opened for modification	C:\Windows\SysWOW64\cfwin32.dll	cgi19-alptsevs-h555.exe_.exe
File opened for modification	C:\Windows\SysWOW64\sdelete.dll	cgi19-alptsevs-h555.exe_.exe
File opened for modification	C:\Windows\System32\de-DE\SystemPropertiesAdvanced.exe.mui	svchost.exe
File opened for modification	C:\Windows\System32\de-DE\SystemPropertiesRemote.exe.mui	svchost.exe
File opened for modification	C:\Windows\SysWOW64\nsf.exe	cgi19-alptsevs-h555.exe_.exe
File opened for modification	C:\Windows\System32\catroot2\edb006C8.log	svchost.exe
File created	C:\Windows\SysWOW64\cfwin32.dll	cgi19-alptsevs-h555.exe_.exe
File created	C:\Windows\SysWOW64\csrss32.dll	cgi19-alptsevs-h555.exe_.exe
File opened for modification	C:\Windows\System32\catroot2\edb006C1.log	svchost.exe
File opened for modification	C:\Windows\System32\catroot2\edb006CC.log	svchost.exe
File opened for modification	C:\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Backup-Package~31bf3856ad364e35~amd64~it-IT~6.1.7601.17514.cat	svchost.exe
File opened for modification	C:\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Backup-Package~31bf3856ad364e35~amd64~~6.1.7600.16385.cat	svchost.exe
File opened for modification	C:\Windows\SysWOW64\csrss64.dll	cgi19-alptsevs-h555.exe_.exe
File opened for modification	C:\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Backup-Package~31bf3856ad364e35~amd64~~6.1.7601.17514.cat	svchost.exe
File opened for modification	C:\Windows\System32\catroot2\edb006CA.log	svchost.exe
File opened for modification	C:\Windows\System32\de-DE\SystemPropertiesHardware.exe.mui	svchost.exe

Drops file in Program Files directory 8 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\audio_filter\libscaletempo_plugin.dll	svchost.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\uninstall.log	svchost.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolBMPs\spacebackupicons.jpg	svchost.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolBMPs\spacebackupiconsmask.bmp	svchost.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\logs\maintenanceservice-install.log	svchost.exe
File opened for modification	C:\Program Files\Mozilla Firefox\install.log	svchost.exe
File opened for modification	C:\Program Files\Mozilla Firefox\uninstall\uninstall.log	svchost.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\audio_filter\libscaletempo_pitch_plugin.dll	svchost.exe

Drops file in Windows directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Logs\DISM\dism.log	svchost.exe
File opened for modification	C:\Windows\Panther\UnattendGC\setupact.log	svchost.exe
File opened for modification	C:\Windows\inf\setupapi.offline.log	svchost.exe
File opened for modification	C:\Windows\servicing\Packages\Microsoft-Windows-Backup-Package~31bf3856ad364e35~amd64~en-US~6.1.7601.17514.mum	svchost.exe
File opened for modification	C:\Windows\setupact.log	svchost.exe
File opened for modification	C:\Windows\inf\setupapi.app.log	svchost.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngen.log	svchost.exe
File opened for modification	C:\Windows\Panther\DDACLSys.log	svchost.exe
File opened for modification	C:\Windows\servicing\Packages\Microsoft-Windows-Backup-Package~31bf3856ad364e35~amd64~es-ES~6.1.7601.17514.mum	svchost.exe
File opened for modification	C:\Windows\servicing\Packages\Microsoft-Windows-Backup-Package~31bf3856ad364e35~amd64~~6.1.7601.17514.cat	svchost.exe
File opened for modification	C:\Windows\Fonts\TEMPSITC.TTF	svchost.exe
File opened for modification	C:\Windows\PolicyDefinitions\fr-FR\WindowsBackup.adml	svchost.exe
File opened for modification	C:\Windows\SoftwareDistribution\DataStore\Logs\edb.log	svchost.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngen.log	svchost.exe
File opened for modification	C:\Windows\Panther\cbs_unattend.log	svchost.exe
File opened for modification	C:\Windows\PolicyDefinitions\en-US\WindowsBackup.adml	svchost.exe
File opened for modification	C:\Windows\PolicyDefinitions\ja-JP\UserDataBackup.adml	svchost.exe
File opened for modification	C:\Windows\servicing\Packages\Microsoft-Windows-Backup-Package~31bf3856ad364e35~amd64~~6.1.7601.17514.mum	svchost.exe
File opened for modification	C:\Windows\CSC\v2.0.6\temp\ea-{367eafa8-3d79-11ef-ac21-ebb743719d9d}	svchost.exe
File opened for modification	C:\Windows\Performance\WinSAT\winsat.log	svchost.exe
File opened for modification	C:\Windows\PolicyDefinitions\de-DE\WindowsBackup.adml	svchost.exe
File opened for modification	C:\Windows\PolicyDefinitions\en-US\UserDataBackup.adml	svchost.exe
File opened for modification	C:\Windows\inf\setupapi.dev.log	svchost.exe
File opened for modification	C:\Windows\ServiceProfiles\LocalService\NTUSER.DAT.LOG	svchost.exe
File opened for modification	C:\Windows\servicing\Packages\Microsoft-Windows-Backup-Package~31bf3856ad364e35~amd64~it-IT~6.1.7601.17514.mum	svchost.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngen_service.log	svchost.exe
File opened for modification	C:\Windows\PolicyDefinitions\es-ES\UserDataBackup.adml	svchost.exe
File opened for modification	C:\Windows\Logs\DPX\setupact.log	svchost.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log	svchost.exe
File opened for modification	C:\Windows\PolicyDefinitions\it-IT\UserDataBackup.adml	svchost.exe
File opened for modification	C:\Windows\PolicyDefinitions\it-IT\WindowsBackup.adml	svchost.exe
File opened for modification	C:\Windows\servicing\Packages\Microsoft-Windows-Backup-Package~31bf3856ad364e35~amd64~fr-FR~6.1.7601.17514.cat	svchost.exe
File opened for modification	C:\Windows\servicing\Packages\Microsoft-Windows-Backup-Package~31bf3856ad364e35~amd64~ja-JP~6.1.7601.17514.cat	svchost.exe
File opened for modification	C:\Windows\SoftwareDistribution\DataStore\Logs\edb00001.log	svchost.exe
File opened for modification	C:\Windows\debug\PASSWD.LOG	svchost.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.log	svchost.exe
File opened for modification	C:\Windows\PolicyDefinitions\UserDataBackup.admx	svchost.exe
File opened for modification	C:\Windows\servicing\Packages\Microsoft-Windows-Backup-Package~31bf3856ad364e35~amd64~es-ES~6.1.7601.17514.cat	svchost.exe
File opened for modification	C:\Windows\servicing\Packages\Microsoft-Windows-Backup-Package~31bf3856ad364e35~amd64~fr-FR~6.1.7601.17514.mum	svchost.exe
File opened for modification	C:\Windows\Logs\CBS\CBS.log	svchost.exe
File opened for modification	C:\Windows\Panther\setupact.log	svchost.exe
File opened for modification	C:\Windows\servicing\Packages\Microsoft-Windows-Backup-Package~31bf3856ad364e35~amd64~de-DE~6.1.7601.17514.cat	svchost.exe
File opened for modification	C:\Windows\servicing\Packages\Microsoft-Windows-Backup-Package~31bf3856ad364e35~amd64~it-IT~6.1.7601.17514.cat	svchost.exe
File opened for modification	C:\Windows\setuperr.log	svchost.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngen_service.log	svchost.exe
File opened for modification	C:\Windows\PolicyDefinitions\es-ES\WindowsBackup.adml	svchost.exe
File opened for modification	C:\Windows\PolicyDefinitions\fr-FR\UserDataBackup.adml	svchost.exe
File opened for modification	C:\Windows\security\logs\scesetup.log	svchost.exe
File opened for modification	C:\Windows\servicing\Packages\Microsoft-Windows-Backup-Package~31bf3856ad364e35~amd64~de-DE~6.1.7601.17514.mum	svchost.exe
File opened for modification	C:\Windows\Panther\setuperr.log	svchost.exe
File opened for modification	C:\Windows\Panther\UnattendGC\setuperr.log	svchost.exe
File opened for modification	C:\Windows\PolicyDefinitions\de-DE\UserDataBackup.adml	svchost.exe
File opened for modification	C:\Windows\ServiceProfiles\NetworkService\NTUSER.DAT.LOG	svchost.exe
File opened for modification	C:\Windows\servicing\Packages\Microsoft-Windows-Backup-Package~31bf3856ad364e35~amd64~ja-JP~6.1.7601.17514.mum	svchost.exe
File opened for modification	C:\Windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\WindowsUpdate.log	svchost.exe
File opened for modification	C:\Windows\servicing\Packages\Microsoft-Windows-Backup-Package~31bf3856ad364e35~amd64~en-US~6.1.7601.17514.cat	svchost.exe
File opened for modification	C:\Windows\SoftwareDistribution\ReportingEvents.log	svchost.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen_service.log	svchost.exe
File opened for modification	C:\Windows\Panther\cbs.log	svchost.exe
File opened for modification	C:\Windows\PFRO.log	svchost.exe
File opened for modification	C:\Windows\PolicyDefinitions\ja-JP\WindowsBackup.adml	svchost.exe
File opened for modification	C:\Windows\PolicyDefinitions\WindowsBackup.admx	svchost.exe
File opened for modification	C:\Windows\Logs\DPX\setuperr.log	svchost.exe
File opened for modification	C:\Windows\debug\sammui.log	svchost.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	nsf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 30 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
1892	PING.EXE
2228	PING.EXE
2312	PING.EXE
1932	PING.EXE
1584	PING.EXE
2912	PING.EXE
2256	PING.EXE
804	PING.EXE
1308	PING.EXE
2188	PING.EXE
2684	PING.EXE
1996	PING.EXE
1276	PING.EXE
2260	PING.EXE
2180	PING.EXE
868	PING.EXE
2500	PING.EXE
2592	PING.EXE
1976	PING.EXE
1544	PING.EXE
2616	PING.EXE
1692	PING.EXE
2904	PING.EXE
1692	PING.EXE
2092	PING.EXE
3040	PING.EXE
1740	PING.EXE
2788	PING.EXE
2964	PING.EXE
2948	PING.EXE

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Sysinternals\SDelete\EulaAccepted = "1"	svchost.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Sysinternals\SDelete\EulaAccepted = "1"	svchost.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Sysinternals\SDelete\EulaAccepted = "1"	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\SDelete	svchost.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Sysinternals\SDelete\EulaAccepted = "1"	svchost.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Sysinternals\SDelete\EulaAccepted = "1"	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\SDelete	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\SDelete	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\SDelete	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\SDelete	svchost.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Sysinternals\SDelete\EulaAccepted = "1"	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\SDelete	svchost.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Sysinternals\SDelete\EulaAccepted = "1"	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\SDelete	svchost.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Sysinternals\SDelete\EulaAccepted = "1"	svchost.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Sysinternals\SDelete\EulaAccepted = "1"	svchost.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Sysinternals\SDelete\EulaAccepted = "1"	svchost.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Sysinternals\SDelete\EulaAccepted = "1"	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\SDelete	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\SDelete	svchost.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Sysinternals\SDelete\EulaAccepted = "1"	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\SDelete	svchost.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Sysinternals\SDelete\EulaAccepted = "1"	svchost.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Sysinternals\SDelete\EulaAccepted = "1"	svchost.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Sysinternals\SDelete\EulaAccepted = "1"	svchost.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Sysinternals\SDelete\EulaAccepted = "1"	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\SDelete	svchost.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Sysinternals\SDelete\EulaAccepted = "1"	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\SDelete	svchost.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Sysinternals\SDelete\EulaAccepted = "1"	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\SDelete	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\SDelete	svchost.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Sysinternals\SDelete\EulaAccepted = "1"	svchost.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Sysinternals\SDelete\EulaAccepted = "1"	svchost.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Sysinternals\SDelete\EulaAccepted = "1"	svchost.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Sysinternals\SDelete\EulaAccepted = "1"	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\SDelete	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\SDelete	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\SDelete	svchost.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Sysinternals\SDelete\EulaAccepted = "1"	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\SDelete	svchost.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Sysinternals\SDelete\EulaAccepted = "1"	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\SDelete	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\SDelete	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\SDelete	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\SDelete	svchost.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Sysinternals\SDelete\EulaAccepted = "1"	svchost.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Sysinternals\SDelete\EulaAccepted = "1"	svchost.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Sysinternals\SDelete\EulaAccepted = "1"	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\SDelete	svchost.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Sysinternals\SDelete\EulaAccepted = "1"	svchost.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Sysinternals\SDelete\EulaAccepted = "1"	svchost.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Sysinternals\SDelete\EulaAccepted = "1"	svchost.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Sysinternals\SDelete\EulaAccepted = "1"	svchost.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Sysinternals\SDelete\EulaAccepted = "1"	svchost.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Sysinternals\SDelete\EulaAccepted = "1"	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\SDelete	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\SDelete	svchost.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Sysinternals\SDelete\EulaAccepted = "1"	svchost.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Sysinternals\SDelete\EulaAccepted = "1"	svchost.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Sysinternals\SDelete\EulaAccepted = "1"	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\SDelete	svchost.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Sysinternals\SDelete\EulaAccepted = "1"	svchost.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Sysinternals\SDelete\EulaAccepted = "1"	svchost.exe

Runs ping.exe 1 TTPs 30 IoCs

Remote System Discovery

T1018

pid	Process
1692	PING.EXE
2912	PING.EXE
1976	PING.EXE
1544	PING.EXE
2500	PING.EXE
2592	PING.EXE
2948	PING.EXE
2256	PING.EXE
868	PING.EXE
2228	PING.EXE
2312	PING.EXE
1996	PING.EXE
2616	PING.EXE
3040	PING.EXE
1276	PING.EXE
2788	PING.EXE
2188	PING.EXE
1892	PING.EXE
2092	PING.EXE
2904	PING.EXE
2180	PING.EXE
1740	PING.EXE
2964	PING.EXE
2684	PING.EXE
1932	PING.EXE
1692	PING.EXE
2260	PING.EXE
1584	PING.EXE
804	PING.EXE
1308	PING.EXE

Suspicious behavior: RenamesItself 26 IoCs

pid	Process
2764	svchost.exe
2764	svchost.exe
2764	svchost.exe
2764	svchost.exe
2764	svchost.exe
2764	svchost.exe
2764	svchost.exe
2764	svchost.exe
2764	svchost.exe
2764	svchost.exe
2764	svchost.exe
2764	svchost.exe
2764	svchost.exe
2764	svchost.exe
2764	svchost.exe
2764	svchost.exe
2764	svchost.exe
2764	svchost.exe
2764	svchost.exe
2764	svchost.exe
2764	svchost.exe
2764	svchost.exe
2764	svchost.exe
2764	svchost.exe
2764	svchost.exe
2764	svchost.exe

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
2848	nsf.exe
2040	nsf.exe
2812	nsf.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2860 wrote to memory of 2788	2860	cgi19-alptsevs-h555.exe_.exe	31
PID 2860 wrote to memory of 2788	2860	cgi19-alptsevs-h555.exe_.exe	31
PID 2860 wrote to memory of 2788	2860	cgi19-alptsevs-h555.exe_.exe	31
PID 2860 wrote to memory of 2788	2860	cgi19-alptsevs-h555.exe_.exe	31
PID 2860 wrote to memory of 2788	2860	cgi19-alptsevs-h555.exe_.exe	31
PID 2860 wrote to memory of 2788	2860	cgi19-alptsevs-h555.exe_.exe	31
PID 2860 wrote to memory of 2788	2860	cgi19-alptsevs-h555.exe_.exe	31
PID 2860 wrote to memory of 2848	2860	cgi19-alptsevs-h555.exe_.exe	32
PID 2860 wrote to memory of 2848	2860	cgi19-alptsevs-h555.exe_.exe	32
PID 2860 wrote to memory of 2848	2860	cgi19-alptsevs-h555.exe_.exe	32
PID 2860 wrote to memory of 2848	2860	cgi19-alptsevs-h555.exe_.exe	32
PID 2860 wrote to memory of 2848	2860	cgi19-alptsevs-h555.exe_.exe	32
PID 2860 wrote to memory of 2848	2860	cgi19-alptsevs-h555.exe_.exe	32
PID 2860 wrote to memory of 2848	2860	cgi19-alptsevs-h555.exe_.exe	32
PID 2860 wrote to memory of 2684	2860	cgi19-alptsevs-h555.exe_.exe	33
PID 2860 wrote to memory of 2684	2860	cgi19-alptsevs-h555.exe_.exe	33
PID 2860 wrote to memory of 2684	2860	cgi19-alptsevs-h555.exe_.exe	33
PID 2860 wrote to memory of 2684	2860	cgi19-alptsevs-h555.exe_.exe	33
PID 2860 wrote to memory of 2684	2860	cgi19-alptsevs-h555.exe_.exe	33
PID 2860 wrote to memory of 2684	2860	cgi19-alptsevs-h555.exe_.exe	33
PID 2860 wrote to memory of 2684	2860	cgi19-alptsevs-h555.exe_.exe	33
PID 2860 wrote to memory of 2180	2860	cgi19-alptsevs-h555.exe_.exe	35
PID 2860 wrote to memory of 2180	2860	cgi19-alptsevs-h555.exe_.exe	35
PID 2860 wrote to memory of 2180	2860	cgi19-alptsevs-h555.exe_.exe	35
PID 2860 wrote to memory of 2180	2860	cgi19-alptsevs-h555.exe_.exe	35
PID 2860 wrote to memory of 2180	2860	cgi19-alptsevs-h555.exe_.exe	35
PID 2860 wrote to memory of 2180	2860	cgi19-alptsevs-h555.exe_.exe	35
PID 2860 wrote to memory of 2180	2860	cgi19-alptsevs-h555.exe_.exe	35
PID 2860 wrote to memory of 1692	2860	cgi19-alptsevs-h555.exe_.exe	37
PID 2860 wrote to memory of 1692	2860	cgi19-alptsevs-h555.exe_.exe	37
PID 2860 wrote to memory of 1692	2860	cgi19-alptsevs-h555.exe_.exe	37
PID 2860 wrote to memory of 1692	2860	cgi19-alptsevs-h555.exe_.exe	37
PID 2860 wrote to memory of 1692	2860	cgi19-alptsevs-h555.exe_.exe	37
PID 2860 wrote to memory of 1692	2860	cgi19-alptsevs-h555.exe_.exe	37
PID 2860 wrote to memory of 1692	2860	cgi19-alptsevs-h555.exe_.exe	37
PID 2860 wrote to memory of 2912	2860	cgi19-alptsevs-h555.exe_.exe	39
PID 2860 wrote to memory of 2912	2860	cgi19-alptsevs-h555.exe_.exe	39
PID 2860 wrote to memory of 2912	2860	cgi19-alptsevs-h555.exe_.exe	39
PID 2860 wrote to memory of 2912	2860	cgi19-alptsevs-h555.exe_.exe	39
PID 2860 wrote to memory of 2912	2860	cgi19-alptsevs-h555.exe_.exe	39
PID 2860 wrote to memory of 2912	2860	cgi19-alptsevs-h555.exe_.exe	39
PID 2860 wrote to memory of 2912	2860	cgi19-alptsevs-h555.exe_.exe	39
PID 2860 wrote to memory of 2256	2860	cgi19-alptsevs-h555.exe_.exe	41
PID 2860 wrote to memory of 2256	2860	cgi19-alptsevs-h555.exe_.exe	41
PID 2860 wrote to memory of 2256	2860	cgi19-alptsevs-h555.exe_.exe	41
PID 2860 wrote to memory of 2256	2860	cgi19-alptsevs-h555.exe_.exe	41
PID 2860 wrote to memory of 2256	2860	cgi19-alptsevs-h555.exe_.exe	41
PID 2860 wrote to memory of 2256	2860	cgi19-alptsevs-h555.exe_.exe	41
PID 2860 wrote to memory of 2256	2860	cgi19-alptsevs-h555.exe_.exe	41
PID 2860 wrote to memory of 2312	2860	cgi19-alptsevs-h555.exe_.exe	43
PID 2860 wrote to memory of 2312	2860	cgi19-alptsevs-h555.exe_.exe	43
PID 2860 wrote to memory of 2312	2860	cgi19-alptsevs-h555.exe_.exe	43
PID 2860 wrote to memory of 2312	2860	cgi19-alptsevs-h555.exe_.exe	43
PID 2860 wrote to memory of 2312	2860	cgi19-alptsevs-h555.exe_.exe	43
PID 2860 wrote to memory of 2312	2860	cgi19-alptsevs-h555.exe_.exe	43
PID 2860 wrote to memory of 2312	2860	cgi19-alptsevs-h555.exe_.exe	43
PID 2860 wrote to memory of 868	2860	cgi19-alptsevs-h555.exe_.exe	45
PID 2860 wrote to memory of 868	2860	cgi19-alptsevs-h555.exe_.exe	45
PID 2860 wrote to memory of 868	2860	cgi19-alptsevs-h555.exe_.exe	45
PID 2860 wrote to memory of 868	2860	cgi19-alptsevs-h555.exe_.exe	45
PID 2860 wrote to memory of 868	2860	cgi19-alptsevs-h555.exe_.exe	45
PID 2860 wrote to memory of 868	2860	cgi19-alptsevs-h555.exe_.exe	45
PID 2860 wrote to memory of 868	2860	cgi19-alptsevs-h555.exe_.exe	45
PID 2860 wrote to memory of 1932	2860	cgi19-alptsevs-h555.exe_.exe	47

C:\Users\Admin\AppData\Local\Temp\cgi19-alptsevs-h555.exe_.exe
"C:\Users\Admin\AppData\Local\Temp\cgi19-alptsevs-h555.exe_.exe"
1⤵
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2860
- C:\Windows\SysWOW64\svschost.exe
  "C:\Windows\system32\svschost.exe" -i
  2⤵
  - Executes dropped EXE
  PID:2788
- C:\Windows\SysWOW64\nsf.exe
  "C:\Windows\system32\nsf.exe" /nobootpass /lock Yrs5S2z1
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Writes to the Master Boot Record (MBR)
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:2848
- C:\Windows\SysWOW64\PING.EXE
  "C:\Windows\System32\PING.EXE" -n 1 -w 1000 11.11.11.11 >nul
  2⤵
  - System Network Configuration Discovery: Internet Connection Discovery
  - Runs ping.exe
  PID:2684
- C:\Windows\SysWOW64\PING.EXE
  "C:\Windows\System32\PING.EXE" -n 1 -w 1000 11.11.11.11 >nul
  2⤵
  - System Network Configuration Discovery: Internet Connection Discovery
  - Runs ping.exe
  PID:2180
- C:\Windows\SysWOW64\PING.EXE
  "C:\Windows\System32\PING.EXE" -n 1 -w 1000 11.11.11.11 >nul
  2⤵
  - System Location Discovery: System Language Discovery
  - System Network Configuration Discovery: Internet Connection Discovery
  - Runs ping.exe
  PID:1692
- C:\Windows\SysWOW64\PING.EXE
  "C:\Windows\System32\PING.EXE" -n 1 -w 1000 11.11.11.11 >nul
  2⤵
  - System Network Configuration Discovery: Internet Connection Discovery
  - Runs ping.exe
  PID:2912
- C:\Windows\SysWOW64\PING.EXE
  "C:\Windows\System32\PING.EXE" -n 1 -w 1000 11.11.11.11 >nul
  2⤵
  - System Network Configuration Discovery: Internet Connection Discovery
  - Runs ping.exe
  PID:2256
- C:\Windows\SysWOW64\PING.EXE
  "C:\Windows\System32\PING.EXE" -n 1 -w 1000 11.11.11.11 >nul
  2⤵
  - System Location Discovery: System Language Discovery
  - System Network Configuration Discovery: Internet Connection Discovery
  - Runs ping.exe
  PID:2312
- C:\Windows\SysWOW64\PING.EXE
  "C:\Windows\System32\PING.EXE" -n 1 -w 1000 11.11.11.11 >nul
  2⤵
  - System Network Configuration Discovery: Internet Connection Discovery
  - Runs ping.exe
  PID:868
- C:\Windows\SysWOW64\PING.EXE
  "C:\Windows\System32\PING.EXE" -n 1 -w 1000 11.11.11.11 >nul
  2⤵
  - System Network Configuration Discovery: Internet Connection Discovery
  - Runs ping.exe
  PID:1932
- C:\Windows\SysWOW64\svschost.exe
  "C:\Windows\system32\svschost.exe" -i
  2⤵
  - Executes dropped EXE
  PID:2816
- C:\Windows\SysWOW64\nsf.exe
  "C:\Windows\system32\nsf.exe" /nobootpass /lock Yrs5S2z1
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Writes to the Master Boot Record (MBR)
  - Suspicious use of SetWindowsHookEx
  PID:2040
- C:\Windows\SysWOW64\PING.EXE
  "C:\Windows\System32\PING.EXE" -n 1 -w 1000 11.11.11.11 >nul
  2⤵
  - System Network Configuration Discovery: Internet Connection Discovery
  - Runs ping.exe
  PID:1976
- C:\Windows\SysWOW64\PING.EXE
  "C:\Windows\System32\PING.EXE" -n 1 -w 1000 11.11.11.11 >nul
  2⤵
  - System Network Configuration Discovery: Internet Connection Discovery
  - Runs ping.exe
  PID:1892
- C:\Windows\SysWOW64\PING.EXE
  "C:\Windows\System32\PING.EXE" -n 1 -w 1000 11.11.11.11 >nul
  2⤵
  - System Network Configuration Discovery: Internet Connection Discovery
  - Runs ping.exe
  PID:1996
- C:\Windows\SysWOW64\PING.EXE
  "C:\Windows\System32\PING.EXE" -n 1 -w 1000 11.11.11.11 >nul
  2⤵
  - System Network Configuration Discovery: Internet Connection Discovery
  - Runs ping.exe
  PID:2092
- C:\Windows\SysWOW64\PING.EXE
  "C:\Windows\System32\PING.EXE" -n 1 -w 1000 11.11.11.11 >nul
  2⤵
  - System Network Configuration Discovery: Internet Connection Discovery
  - Runs ping.exe
  PID:3040
- C:\Windows\SysWOW64\PING.EXE
  "C:\Windows\System32\PING.EXE" -n 1 -w 1000 11.11.11.11 >nul
  2⤵
  - System Location Discovery: System Language Discovery
  - System Network Configuration Discovery: Internet Connection Discovery
  - Runs ping.exe
  PID:1740
- C:\Windows\SysWOW64\PING.EXE
  "C:\Windows\System32\PING.EXE" -n 1 -w 1000 11.11.11.11 >nul
  2⤵
  - System Network Configuration Discovery: Internet Connection Discovery
  - Runs ping.exe
  PID:1544
- C:\Windows\SysWOW64\PING.EXE
  "C:\Windows\System32\PING.EXE" -n 1 -w 1000 11.11.11.11 >nul
  2⤵
  - System Network Configuration Discovery: Internet Connection Discovery
  - Runs ping.exe
  PID:2228
- C:\Windows\SysWOW64\PING.EXE
  "C:\Windows\System32\PING.EXE" -n 1 -w 1000 11.11.11.11 >nul
  2⤵
  - System Network Configuration Discovery: Internet Connection Discovery
  - Runs ping.exe
  PID:804
- C:\Windows\SysWOW64\PING.EXE
  "C:\Windows\System32\PING.EXE" -n 1 -w 1000 11.11.11.11 >nul
  2⤵
  - System Network Configuration Discovery: Internet Connection Discovery
  - Runs ping.exe
  PID:1276
- C:\Windows\SysWOW64\svschost.exe
  "C:\Windows\system32\svschost.exe" -s
  2⤵
  - Executes dropped EXE
  PID:2524
- C:\Windows\SysWOW64\PING.EXE
  "C:\Windows\System32\PING.EXE" -n 1 -w 1000 11.11.11.11 >nul
  2⤵
  - System Network Configuration Discovery: Internet Connection Discovery
  - Runs ping.exe
  PID:2500
- C:\Windows\SysWOW64\PING.EXE
  "C:\Windows\System32\PING.EXE" -n 1 -w 1000 11.11.11.11 >nul
  2⤵
  - System Network Configuration Discovery: Internet Connection Discovery
  - Runs ping.exe
  PID:2592
- C:\Windows\SysWOW64\svschost.exe
  "C:\Windows\system32\svschost.exe" -i
  2⤵
  - Executes dropped EXE
  PID:2780
- C:\Windows\SysWOW64\nsf.exe
  "C:\Windows\system32\nsf.exe" /nobootpass /lock Yrs5S2z1
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Writes to the Master Boot Record (MBR)
  - Suspicious use of SetWindowsHookEx
  PID:2812
- C:\Windows\SysWOW64\PING.EXE
  "C:\Windows\System32\PING.EXE" -n 1 -w 1000 11.11.11.11 >nul
  2⤵
  - System Network Configuration Discovery: Internet Connection Discovery
  - Runs ping.exe
  PID:2788
- C:\Windows\SysWOW64\PING.EXE
  "C:\Windows\System32\PING.EXE" -n 1 -w 1000 11.11.11.11 >nul
  2⤵
  - System Location Discovery: System Language Discovery
  - System Network Configuration Discovery: Internet Connection Discovery
  - Runs ping.exe
  PID:2616
- C:\Windows\SysWOW64\PING.EXE
  "C:\Windows\System32\PING.EXE" -n 1 -w 1000 11.11.11.11 >nul
  2⤵
  - System Network Configuration Discovery: Internet Connection Discovery
  - Runs ping.exe
  PID:1692
- C:\Windows\SysWOW64\PING.EXE
  "C:\Windows\System32\PING.EXE" -n 1 -w 1000 11.11.11.11 >nul
  2⤵
  - System Location Discovery: System Language Discovery
  - System Network Configuration Discovery: Internet Connection Discovery
  - Runs ping.exe
  PID:2260
- C:\Windows\SysWOW64\PING.EXE
  "C:\Windows\System32\PING.EXE" -n 1 -w 1000 11.11.11.11 >nul
  2⤵
  - System Network Configuration Discovery: Internet Connection Discovery
  - Runs ping.exe
  PID:1308
- C:\Windows\SysWOW64\PING.EXE
  "C:\Windows\System32\PING.EXE" -n 1 -w 1000 11.11.11.11 >nul
  2⤵
  - System Network Configuration Discovery: Internet Connection Discovery
  - Runs ping.exe
  PID:2904
- C:\Windows\SysWOW64\PING.EXE
  "C:\Windows\System32\PING.EXE" -n 1 -w 1000 11.11.11.11 >nul
  2⤵
  - System Network Configuration Discovery: Internet Connection Discovery
  - Runs ping.exe
  PID:2188
- C:\Windows\SysWOW64\PING.EXE
  "C:\Windows\System32\PING.EXE" -n 1 -w 1000 11.11.11.11 >nul
  2⤵
  - System Location Discovery: System Language Discovery
  - System Network Configuration Discovery: Internet Connection Discovery
  - Runs ping.exe
  PID:2964
- C:\Windows\SysWOW64\PING.EXE
  "C:\Windows\System32\PING.EXE" -n 1 -w 1000 11.11.11.11 >nul
  2⤵
  - System Network Configuration Discovery: Internet Connection Discovery
  - Runs ping.exe
  PID:1584
- C:\Windows\SysWOW64\PING.EXE
  "C:\Windows\System32\PING.EXE" -n 1 -w 1000 11.11.11.11 >nul
  2⤵
  - System Network Configuration Discovery: Internet Connection Discovery
  - Runs ping.exe
  PID:2948
- C:\Windows\SysWOW64\svschost.exe
  "C:\Windows\system32\svschost.exe" -s
  2⤵
  - Executes dropped EXE
  PID:2760
- C:\Windows\SysWOW64\svschost.exe
  "C:\Windows\system32\svschost.exe" -s
  2⤵
  - Executes dropped EXE
  PID:2224

C:\Windows\SysWOW64\svschost.exe
C:\Windows\SysWOW64\svschost.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Enumerates connected drives
PID:744
- C:\Windows\SysWOW64\REG.exe
  REG ADD "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "svchost" /t REG_SZ /d "C:\dvsdlk\svchost.exe" /f
  2⤵
  - Adds Run key to start application
  PID:2512
- C:\Windows\SysWOW64\REG.exe
  REG ADD "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management" /v "ClearPageFileAtShutdown" /t REG_DWORD /d 1 /f
  2⤵
  PID:632
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\$Recycle.Bin\S-1-5-21-3551809350-4263495960-1443967649-1000\desktop.ini" /accepteula
  2⤵
  - Executes dropped EXE
  - Drops desktop.ini file(s)
  PID:1396
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Program Files\Mozilla Firefox\install.log" /accepteula
  2⤵
  - Executes dropped EXE
  - Drops file in Program Files directory
  PID:2392
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Program Files\Mozilla Firefox\uninstall\uninstall.log" /accepteula
  2⤵
  - Executes dropped EXE
  - Drops file in Program Files directory
  PID:1988
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Program Files\VideoLAN\VLC\plugins\audio_filter\libscaletempo_pitch_plugin.dll" /accepteula
  2⤵
  - Executes dropped EXE
  - Drops file in Program Files directory
  - Modifies data under HKEY_USERS
  PID:828
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Program Files\VideoLAN\VLC\plugins\audio_filter\libscaletempo_plugin.dll" /accepteula
  2⤵
  - Executes dropped EXE
  - Drops file in Program Files directory
  - Modifies data under HKEY_USERS
  PID:620
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Program Files\VideoLAN\VLC\uninstall.log" /accepteula
  2⤵
  - Executes dropped EXE
  - Drops file in Program Files directory
  - System Location Discovery: System Language Discovery
  PID:976
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolBMPs\spacebackupicons.jpg" /accepteula
  2⤵
  - Executes dropped EXE
  - Drops file in Program Files directory
  PID:2152
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolBMPs\spacebackupiconsmask.bmp" /accepteula
  2⤵
  - Executes dropped EXE
  - Drops file in Program Files directory
  PID:1852
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Program Files (x86)\Mozilla Maintenance Service\logs\maintenanceservice-install.log" /accepteula
  2⤵
  - Executes dropped EXE
  - Drops file in Program Files directory
  PID:2832
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\ProgramData\Microsoft\Search\Data\Applications\Windows\MSS.log" /accepteula
  2⤵
  - Executes dropped EXE
  - Modifies data under HKEY_USERS
  PID:1716
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\ProgramData\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\Indexer\CiFiles\CiAB0001.001" /accepteula
  2⤵
  - Executes dropped EXE
  PID:2100
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\ProgramData\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\Indexer\CiFiles\CiAB0002.001" /accepteula
  2⤵
  - Executes dropped EXE
  PID:3012
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\ProgramData\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\Indexer\CiFiles\CiAD0001.001" /accepteula
  2⤵
  - Executes dropped EXE
  - Modifies data under HKEY_USERS
  PID:2784
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\ProgramData\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\Indexer\CiFiles\INDEX.001" /accepteula
  2⤵
  - Executes dropped EXE
  - Modifies data under HKEY_USERS
  PID:2312
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\ProgramData\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\PropMap\CiPT0000.001" /accepteula
  2⤵
  - Executes dropped EXE
  PID:1340
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\ProgramData\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\SecStore\CiST0000.001" /accepteula
  2⤵
  - Executes dropped EXE
  PID:2140
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Maintenance\Backup and Restore Center.lnk" /accepteula
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2544
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\ProgramData\Microsoft\Windows Defender\Support\MPLog-07132009-221054.log" /accepteula
  2⤵
  - Executes dropped EXE
  PID:2828
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\System Volume Information\tracking.log" /accepteula
  2⤵
  - Executes dropped EXE
  PID:1664
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\commerce_subscription_db\LOG.old" /accepteula
  2⤵
  - Executes dropped EXE
  PID:1604
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\coupon_db\LOG.old" /accepteula
  2⤵
  - Executes dropped EXE
  PID:832
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extension Scripts\000003.log" /accepteula
  2⤵
  - Executes dropped EXE
  PID:296
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extension State\000006.log" /accepteula
  2⤵
  - Executes dropped EXE
  - Modifies data under HKEY_USERS
  PID:620
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extension State\LOG.old" /accepteula
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:1600
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\GCM Store\Encryption\000003.log" /accepteula
  2⤵
  - Executes dropped EXE
  PID:108
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Local Storage\leveldb\000005.log" /accepteula
  2⤵
  - Executes dropped EXE
  - Modifies data under HKEY_USERS
  PID:2500
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Local Storage\leveldb\LOG.old" /accepteula
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2348
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Segmentation Platform\SegmentInfoDB\LOG.old" /accepteula
  2⤵
  - Executes dropped EXE
  PID:2624
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Session Storage\000006.log" /accepteula
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Modifies data under HKEY_USERS
  PID:2620
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Session Storage\LOG.old" /accepteula
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2812
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\shared_proto_db\000006.log" /accepteula
  2⤵
  - Executes dropped EXE
  PID:2928
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\shared_proto_db\LOG.old" /accepteula
  2⤵
  - Executes dropped EXE
  PID:2896
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\shared_proto_db\metadata\000006.log" /accepteula
  2⤵
  - Executes dropped EXE
  PID:2900
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\shared_proto_db\metadata\LOG.old" /accepteula
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Modifies data under HKEY_USERS
  PID:2392
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Site Characteristics Database\000006.log" /accepteula
  2⤵
  - Executes dropped EXE
  PID:3028
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Site Characteristics Database\LOG.old" /accepteula
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:860
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Sync Data\LevelDB\000006.log" /accepteula
  2⤵
  - Executes dropped EXE
  PID:2792
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Sync Data\LevelDB\LOG.old" /accepteula
  2⤵
  - Executes dropped EXE
  PID:952
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\brndlog.bak" /accepteula
  2⤵
  - Executes dropped EXE
  PID:2004
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\container.dat" /accepteula
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:1860
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\desktop.ini" /accepteula
  2⤵
  - Executes dropped EXE
  - Drops desktop.ini file(s)
  PID:2408
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\HHT5LGG0\favicon[1].ico" /accepteula
  2⤵
  - Executes dropped EXE
  PID:1008
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat" /accepteula
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2216
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\L2BFB2JG\desktop.ini" /accepteula
  2⤵
  - Executes dropped EXE
  - Drops desktop.ini file(s)
  PID:884
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\MYC3PENY\desktop.ini" /accepteula
  2⤵
  - Executes dropped EXE
  - Drops desktop.ini file(s)
  PID:2180
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\R9C9T5AL\desktop.ini" /accepteula
  2⤵
  - Executes dropped EXE
  - Drops desktop.ini file(s)
  PID:2268
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ROVWYKHE\desktop.ini" /accepteula
  2⤵
  - Executes dropped EXE
  - Drops desktop.ini file(s)
  PID:1388
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat" /accepteula
  2⤵
  - Executes dropped EXE
  PID:2116
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\desktop.ini" /accepteula
  2⤵
  - Executes dropped EXE
  - Drops desktop.ini file(s)
  PID:1260
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Users\Admin\AppData\Local\Microsoft\Windows\WebCache\V01.log" /accepteula
  2⤵
  - Executes dropped EXE
  PID:2220
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Users\Admin\AppData\Local\Microsoft\Windows\WebCache\V0100002.log" /accepteula
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Modifies data under HKEY_USERS
  PID:1040
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Users\Admin\AppData\Local\Microsoft\Windows\WebCache\V0100003.log" /accepteula
  2⤵
  - Executes dropped EXE
  PID:2192
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Users\Admin\AppData\Local\Microsoft\Windows Mail\Backup\new\edb00001.log" /accepteula
  2⤵
  - Executes dropped EXE
  PID:1696
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Users\Admin\AppData\Local\Microsoft\Windows Mail\Backup\new\WindowsMail.MSMessageStore" /accepteula
  2⤵
  - Executes dropped EXE
  PID:2532
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Users\Admin\AppData\Local\Microsoft\Windows Mail\Backup\new\WindowsMail.pat" /accepteula
  2⤵
  PID:2548
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Users\Admin\AppData\Local\Microsoft\Windows Mail\edb.log" /accepteula
  2⤵
  - Modifies data under HKEY_USERS
  PID:1988
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Users\Admin\AppData\Local\Microsoft\Windows Mail\edb00001.log" /accepteula
  2⤵
  - Modifies data under HKEY_USERS
  PID:2364
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Users\Admin\AppData\Local\Temp\1003777686\payload.dat" /accepteula
  2⤵
  - Modifies data under HKEY_USERS
  PID:1692
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Users\Admin\AppData\Local\Temp\1008fba4-e12e-4fb6-b030-9ef025751633.tmp" /accepteula
  2⤵
  - Modifies data under HKEY_USERS
  PID:2912
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Users\Admin\AppData\Local\Temp\Admin.bmp" /accepteula
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2128
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Users\Admin\AppData\Local\Temp\ASPNETSetup_00000.log" /accepteula
  2⤵
  PID:3068
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Users\Admin\AppData\Local\Temp\ASPNETSetup_00001.log" /accepteula
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2148
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Users\Admin\AppData\Local\Temp\ca6ec46ee9435a4745fd3a03267f051dc64540dd348f127bb33e9675dadd3d52.exe" /accepteula
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2264
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Users\Admin\AppData\Local\Temp\calc.exe" /accepteula
  2⤵
  PID:2508
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Users\Admin\AppData\Local\Temp\ccc71c83c8d9895ef0b375273f9f185dfac63ecd01775e2dc705afe4d48c95e2_Dumped_TDS=4F9911B3.exe" /accepteula
  2⤵
  - Modifies data under HKEY_USERS
  PID:2100
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Users\Admin\AppData\Local\Temp\ccc71c83c8d9895ef0b375273f9f185dfac63ecd01775e2dc705afe4d48c95e2_TDS=4FAD9768.exe" /accepteula
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2560
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Users\Admin\AppData\Local\Temp\cd2d085998a289134ffaf27fbdcbc8cb_api-ms-win-system-dispex-l1-1-0.dll" /accepteula
  2⤵
  PID:868
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Users\Admin\AppData\Local\Temp\cdffb7e75b20eeae4db75c9962c17b3be980a719f7597e8b11a747d72c975a36_not_packed_maybe_useless.exe" /accepteula
  2⤵
  PID:2948
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Users\Admin\AppData\Local\Temp\cf7382c25a8bf0d904d51063ceb29fb70f630bc9.exe" /accepteula
  2⤵
  PID:2920
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Users\Admin\AppData\Local\Temp\cgi19-alptsevs-h555.exe_.exe" /accepteula
  2⤵
  - Deletes itself
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: RenamesItself
  PID:2764
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Users\Admin\AppData\Local\Temp\chrome_installer.log" /accepteula
  2⤵
  - Modifies data under HKEY_USERS
  PID:540
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Users\Admin\AppData\Local\Temp\chrst.exe" /accepteula
  2⤵
  PID:1848
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Users\Admin\AppData\Local\Temp\ci05l2a.exe" /accepteula
  2⤵
  - Modifies data under HKEY_USERS
  PID:1924
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Users\Admin\AppData\Local\Temp\cl.exe" /accepteula
  2⤵
  - Modifies data under HKEY_USERS
  PID:2000
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Users\Admin\AppData\Local\Temp\clean.exe" /accepteula
  2⤵
  PID:2660
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Users\Admin\AppData\Local\Temp\coinvault.exe" /accepteula
  2⤵
  PID:1716
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Users\Admin\AppData\Local\Temp\com_loader.exe" /accepteula
  2⤵
  - Modifies data under HKEY_USERS
  PID:2316
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Users\Admin\AppData\Local\Temp\csrss.ex_.exe" /accepteula
  2⤵
  - Modifies data under HKEY_USERS
  PID:1260
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Users\Admin\AppData\Local\Temp\d.exe" /accepteula
  2⤵
  - System Location Discovery: System Language Discovery
  - Modifies data under HKEY_USERS
  PID:1028
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Users\Admin\AppData\Local\Temp\D02D012970AA164CAD15C757D7E52994.exe" /accepteula
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1544
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Users\Admin\AppData\Local\Temp\d0a5cfec8e80622b3e194b5ee03e93d78c7ef3478bead6a039d213caaaa58523_Dumped_TDS=4F9911B3.exe" /accepteula
  2⤵
  PID:1040
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Users\Admin\AppData\Local\Temp\d0a5cfec8e80622b3e194b5ee03e93d78c7ef3478bead6a039d213caaaa58523_TDS=4FA478A6.exe" /accepteula
  2⤵
  PID:2384
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Users\Admin\AppData\Local\Temp\d2164cdbc9c78db0115f382a139ccd758f8a25ebfc5ab3e0034e7aef0fe0b6b4_Dumped_TDS=4FB252FB.exe" /accepteula
  2⤵
  - Modifies data under HKEY_USERS
  PID:2548
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Users\Admin\AppData\Local\Temp\d2164cdbc9c78db0115f382a139ccd758f8a25ebfc5ab3e0034e7aef0fe0b6b4_TDS=4FB30D08.exe" /accepteula
  2⤵
  PID:1644
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Users\Admin\AppData\Local\Temp\d4439055d2d63e52ffc23c6d24d89194_86e510605f1ee068bdc1ae306312652a__1.dll" /accepteula
  2⤵
  - Modifies data under HKEY_USERS
  PID:828
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Users\Admin\AppData\Local\Temp\d54d2a216e637bcd36e5217cfba98896.exe" /accepteula
  2⤵
  PID:1932
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Users\Admin\AppData\Local\Temp\d5f29750a8cb158d9b89a1e02e8addc5e410d1ddc48e660589144ade47f794c5.exe" /accepteula
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2772
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Users\Admin\AppData\Local\Temp\d6c32b0146f219bdcb5cf524ea9e0047d9b9bd0fd7c395d5b11cbc4c3298824d.exe" /accepteula
  2⤵
  PID:1256
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Users\Admin\AppData\Local\Temp\d889734783273b7158deeae6cf804a6be99c3a5353d94225a4dbe92caf3a3d48.exe" /accepteula
  2⤵
  PID:1000
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Users\Admin\AppData\Local\Temp\daaa72f48bea498c5ac7ce9bc315e585ff11dad04d1eeb0d1b0ce33a28bedf2d.exe" /accepteula
  2⤵
  - Modifies data under HKEY_USERS
  PID:2512
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Users\Admin\AppData\Local\Temp\DBm0yQwt.exe.ViR.exe" /accepteula
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1172
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Users\Admin\AppData\Local\Temp\ddbf1840bf626da19d8f3467fe9e20e2.exe" /accepteula
  2⤵
  - Modifies data under HKEY_USERS
  PID:3012
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Users\Admin\AppData\Local\Temp\dd_NDP472-KB4054530-x86-x64-AllOS-ENU_decompression_log.txt" /accepteula
  2⤵
  PID:1628
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Users\Admin\AppData\Local\Temp\dd_SetupUtility.txt" /accepteula
  2⤵
  PID:2732
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Users\Admin\AppData\Local\Temp\dd_vcredistMSI0F15.txt" /accepteula
  2⤵
  PID:2800
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Users\Admin\AppData\Local\Temp\dd_vcredistMSI0F5D.txt" /accepteula
  2⤵
  - Modifies data under HKEY_USERS
  PID:2936
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Users\Admin\AppData\Local\Temp\dd_vcredistUI0F15.txt" /accepteula
  2⤵
  PID:2096
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Users\Admin\AppData\Local\Temp\dd_vcredistUI0F5D.txt" /accepteula
  2⤵
  PID:1776
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Users\Admin\AppData\Local\Temp\dd_wcf_CA_smci_20240708_153054_896.txt" /accepteula
  2⤵
  - System Location Discovery: System Language Discovery
  - Modifies data under HKEY_USERS
  PID:2876
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Users\Admin\AppData\Local\Temp\dd_wcf_CA_smci_20240708_153055_583.txt" /accepteula
  2⤵
  PID:2132
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Users\Admin\AppData\Local\Temp\de2794d7-234b-41a8-bb47-48c478696e49.tmp" /accepteula
  2⤵
  PID:2836
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Users\Admin\AppData\Local\Temp\de882c049be133a950b6917562bb2313_583a76e23c1998307d702709dadbe103__3.dll" /accepteula
  2⤵
  PID:836
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Users\Admin\AppData\Local\Temp\decrypt.exe" /accepteula
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2928
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Users\Admin\AppData\Local\Temp\decrypted.ex_.exe" /accepteula
  2⤵
  - Modifies data under HKEY_USERS
  PID:1740
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Users\Admin\AppData\Local\Temp\FXSAPIDebugLogFile.txt" /accepteula
  2⤵
  - Modifies data under HKEY_USERS
  PID:448
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Users\Admin\AppData\Local\Temp\JavaDeployReg.log" /accepteula
  2⤵
  PID:1732
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Users\Admin\AppData\Local\Temp\java_install.log" /accepteula
  2⤵
  PID:2956
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Users\Admin\AppData\Local\Temp\java_install_reg.log" /accepteula
  2⤵
  - Modifies data under HKEY_USERS
  PID:1944
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Users\Admin\AppData\Local\Temp\jawshtml.html" /accepteula
  2⤵
  PID:2992
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Users\Admin\AppData\Local\Temp\jusched.log" /accepteula
  2⤵
  - Modifies data under HKEY_USERS
  PID:3032
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Users\Admin\AppData\Local\Temp\Kno6E10.tmp" /accepteula
  2⤵
  - Modifies data under HKEY_USERS
  PID:2228
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Users\Admin\AppData\Local\Temp\KnoAAAF.tmp" /accepteula
  2⤵
  PID:1948
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Users\Admin\AppData\Local\Temp\lpksetup-20240708-154019-0.log" /accepteula
  2⤵
  - Modifies data under HKEY_USERS
  PID:1832
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Users\Admin\AppData\Local\Temp\lpksetup-20240708-154206-0.log" /accepteula
  2⤵
  PID:1552
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Users\Admin\AppData\Local\Temp\lpksetup-20240708-154335-0.log" /accepteula
  2⤵
  PID:308
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Users\Admin\AppData\Local\Temp\lpksetup-20240708-154528-0.log" /accepteula
  2⤵
  PID:3024
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Users\Admin\AppData\Local\Temp\lpksetup-20240708-154725-0.log" /accepteula
  2⤵
  PID:268
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Users\Admin\AppData\Local\Temp\Microsoft .NET Framework 4.7.2 Setup_20240708_153041137-MSI_netfx_Full_x64.msi.txt" /accepteula
  2⤵
  PID:2892
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Users\Admin\AppData\Local\Temp\Microsoft .NET Framework 4.7.2 Setup_20240708_153041137.html" /accepteula
  2⤵
  PID:1676
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Users\Admin\AppData\Local\Temp\ose00000.exe" /accepteula
  2⤵
  - Modifies data under HKEY_USERS
  PID:2160
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Users\Admin\AppData\Local\Temp\RD48A3.tmp" /accepteula
  2⤵
  - Modifies data under HKEY_USERS
  PID:2408
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Users\Admin\AppData\Local\Temp\RGI5E28.tmp" /accepteula
  2⤵
  PID:880
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Users\Admin\AppData\Local\Temp\RGI5E28.tmp-tmp" /accepteula
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1860
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Users\Admin\AppData\Local\Temp\scoped_dir2076_1697866534\1008fba4-e12e-4fb6-b030-9ef025751633.tmp" /accepteula
  2⤵
  - Modifies data under HKEY_USERS
  PID:1392
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Users\Admin\AppData\Local\Temp\scoped_dir2076_762273943\de2794d7-234b-41a8-bb47-48c478696e49.tmp" /accepteula
  2⤵
  PID:2300
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Users\Admin\AppData\Local\Temp\SetupExe(202407081534405D8).log" /accepteula
  2⤵
  - System Location Discovery: System Language Discovery
  - Modifies data under HKEY_USERS
  PID:2244
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Users\Admin\AppData\Local\Temp\wmsetup.log" /accepteula
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1856
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\bz1ih2a5.default-release\sessionstore-backups\previous.jsonlz4" /accepteula
  2⤵
  PID:2864
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\bz1ih2a5.default-release\sessionstore-backups\upgrade.jsonlz4-20221007134813" /accepteula
  2⤵
  - Modifies data under HKEY_USERS
  PID:2744
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Users\Admin\AppData\Roaming\StartBackup.odt" /accepteula
  2⤵
  PID:2944
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Users\Admin\Documents\BackupConvert.vsx" /accepteula
  2⤵
  - Modifies data under HKEY_USERS
  PID:2964
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Users\Admin\Downloads\BackupUpdate.vst" /accepteula
  2⤵
  PID:2016
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Users\Admin\Music\BackupSend.mpe" /accepteula
  2⤵
  PID:2392
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Users\Admin\Music\SuspendLimit.temp" /accepteula
  2⤵
  PID:2852
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Users\Default\NTUSER.DAT.LOG" /accepteula
  2⤵
  PID:2440
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\vcredist2012_x64_0_vcRuntimeMinimum_x64.log" /accepteula
  2⤵
  - System Location Discovery: System Language Discovery
  PID:408
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\vcredist2012_x64_1_vcRuntimeAdditional_x64.log" /accepteula
  2⤵
  PID:1852
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\vcredist2012_x86_0_vcRuntimeMinimum_x86.log" /accepteula
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1944
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\vcredist2012_x86_1_vcRuntimeAdditional_x86.log" /accepteula
  2⤵
  PID:540
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\vcredist2013_x64_000_vcRuntimeMinimum_x64.log" /accepteula
  2⤵
  PID:3032
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\vcredist2013_x64_001_vcRuntimeAdditional_x64.log" /accepteula
  2⤵
  PID:2088
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\vcredist2013_x86_000_vcRuntimeMinimum_x86.log" /accepteula
  2⤵
  PID:2592
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\vcredist2013_x86_001_vcRuntimeAdditional_x86.log" /accepteula
  2⤵
  PID:2680
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\vcredist2022_x64_000_vcRuntimeMinimum_x64.log" /accepteula
  2⤵
  PID:2984
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\vcredist2022_x64_001_vcRuntimeAdditional_x64.log" /accepteula
  2⤵
  PID:3020
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\vcredist2022_x86_001_vcRuntimeMinimum_x86.log" /accepteula
  2⤵
  - Modifies data under HKEY_USERS
  PID:940
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\vcredist2022_x86_002_vcRuntimeAdditional_x86.log" /accepteula
  2⤵
  PID:2708
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Windows\CSC\v2.0.6\temp\ea-{367eafa8-3d79-11ef-ac21-ebb743719d9d}" /accepteula
  2⤵
  - Drops file in Windows directory
  PID:2604
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Windows\debug\PASSWD.LOG" /accepteula
  2⤵
  - Drops file in Windows directory
  PID:2884
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Windows\debug\sammui.log" /accepteula
  2⤵
  - Drops file in Windows directory
  PID:2544
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Windows\debug\WIA\wiatrace.log" /accepteula
  2⤵
  PID:2808
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Windows\DtcInstall.log" /accepteula
  2⤵
  PID:2892
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Windows\Fonts\TEMPSITC.TTF" /accepteula
  2⤵
  - Drops file in Windows directory
  PID:2472
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Windows\inf\setupapi.app.log" /accepteula
  2⤵
  - Drops file in Windows directory
  PID:772
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Windows\inf\setupapi.dev.log" /accepteula
  2⤵
  - Drops file in Windows directory
  PID:2764
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Windows\inf\setupapi.offline.log" /accepteula
  2⤵
  - Drops file in Windows directory
  PID:2096
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Windows\Logs\CBS\CBS.log" /accepteula
  2⤵
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  PID:536
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Windows\Logs\DISM\dism.log" /accepteula
  2⤵
  - Drops file in Windows directory
  PID:1948
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Windows\Logs\DPX\setupact.log" /accepteula
  2⤵
  - Drops file in Windows directory
  PID:2188
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Windows\Logs\DPX\setuperr.log" /accepteula
  2⤵
  - Drops file in Windows directory
  PID:1392
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngen.log" /accepteula
  2⤵
  - Drops file in Windows directory
  PID:1900
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngen_service.log" /accepteula
  2⤵
  - Drops file in Windows directory
  PID:2404
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.log" /accepteula
  2⤵
  - Drops file in Windows directory
  PID:1512
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen_service.log" /accepteula
  2⤵
  - Drops file in Windows directory
  PID:1492
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngen.log" /accepteula
  2⤵
  - Drops file in Windows directory
  PID:2956
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngen_service.log" /accepteula
  2⤵
  - Drops file in Windows directory
  PID:1684
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log" /accepteula
  2⤵
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  PID:1732
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen_service.log" /accepteula
  2⤵
  PID:2924
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Windows\Panther\cbs.log" /accepteula
  2⤵
  - Drops file in Windows directory
  - Modifies data under HKEY_USERS
  PID:2724
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Windows\Panther\cbs_unattend.log" /accepteula
  2⤵
  - Drops file in Windows directory
  PID:868
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Windows\Panther\DDACLSys.log" /accepteula
  2⤵
  - Drops file in Windows directory
  - Modifies data under HKEY_USERS
  PID:2896
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Windows\Panther\setupact.log" /accepteula
  2⤵
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  PID:2068
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Windows\Panther\setuperr.log" /accepteula
  2⤵
  - Drops file in Windows directory
  - Modifies data under HKEY_USERS
  PID:2704
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Windows\Panther\UnattendGC\setupact.log" /accepteula
  2⤵
  - Drops file in Windows directory
  - Modifies data under HKEY_USERS
  PID:2308
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Windows\Panther\UnattendGC\setuperr.log" /accepteula
  2⤵
  - Drops file in Windows directory
  - Modifies data under HKEY_USERS
  PID:2936
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Windows\Performance\WinSAT\winsat.log" /accepteula
  2⤵
  - Drops file in Windows directory
  PID:1676
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Windows\PFRO.log" /accepteula
  2⤵
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  PID:296
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Windows\PolicyDefinitions\de-DE\UserDataBackup.adml" /accepteula
  2⤵
  - Drops file in Windows directory
  PID:2204
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Windows\PolicyDefinitions\de-DE\WindowsBackup.adml" /accepteula
  2⤵
  - Drops file in Windows directory
  PID:1508
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Windows\PolicyDefinitions\en-US\UserDataBackup.adml" /accepteula
  2⤵
  - Drops file in Windows directory
  PID:1852
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Windows\PolicyDefinitions\en-US\WindowsBackup.adml" /accepteula
  2⤵
  - Drops file in Windows directory
  - Modifies data under HKEY_USERS
  PID:1668
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Windows\PolicyDefinitions\es-ES\UserDataBackup.adml" /accepteula
  2⤵
  - Drops file in Windows directory
  PID:2184
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Windows\PolicyDefinitions\es-ES\WindowsBackup.adml" /accepteula
  2⤵
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  PID:1864
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Windows\PolicyDefinitions\fr-FR\UserDataBackup.adml" /accepteula
  2⤵
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  PID:1728
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Windows\PolicyDefinitions\fr-FR\WindowsBackup.adml" /accepteula
  2⤵
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  PID:2348
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Windows\PolicyDefinitions\it-IT\UserDataBackup.adml" /accepteula
  2⤵
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  PID:1000
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Windows\PolicyDefinitions\it-IT\WindowsBackup.adml" /accepteula
  2⤵
  - Drops file in Windows directory
  - Modifies data under HKEY_USERS
  PID:1416
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Windows\PolicyDefinitions\ja-JP\UserDataBackup.adml" /accepteula
  2⤵
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  PID:2600
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Windows\PolicyDefinitions\ja-JP\WindowsBackup.adml" /accepteula
  2⤵
  - Drops file in Windows directory
  PID:3052
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Windows\PolicyDefinitions\UserDataBackup.admx" /accepteula
  2⤵
  - Drops file in Windows directory
  PID:2544
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Windows\PolicyDefinitions\WindowsBackup.admx" /accepteula
  2⤵
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  PID:1028
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Windows\security\logs\scecomp.old" /accepteula
  2⤵
  PID:1420
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Windows\security\logs\scesetup.log" /accepteula
  2⤵
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Modifies data under HKEY_USERS
  PID:2580
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\WindowsUpdate.log" /accepteula
  2⤵
  - Drops file in Windows directory
  PID:828
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Windows\ServiceProfiles\LocalService\NTUSER.DAT.LOG" /accepteula
  2⤵
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  PID:2660
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Windows\ServiceProfiles\NetworkService\NTUSER.DAT.LOG" /accepteula
  2⤵
  - Drops file in Windows directory
  PID:2648
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Windows\servicing\Packages\Microsoft-Windows-Backup-Package~31bf3856ad364e35~amd64~de-DE~6.1.7601.17514.cat" /accepteula
  2⤵
  - Drops file in Windows directory
  - Modifies data under HKEY_USERS
  PID:2684
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Windows\servicing\Packages\Microsoft-Windows-Backup-Package~31bf3856ad364e35~amd64~de-DE~6.1.7601.17514.mum" /accepteula
  2⤵
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  PID:3000
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Windows\servicing\Packages\Microsoft-Windows-Backup-Package~31bf3856ad364e35~amd64~en-US~6.1.7601.17514.cat" /accepteula
  2⤵
  - Drops file in Windows directory
  - Modifies data under HKEY_USERS
  PID:1920
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Windows\servicing\Packages\Microsoft-Windows-Backup-Package~31bf3856ad364e35~amd64~en-US~6.1.7601.17514.mum" /accepteula
  2⤵
  - Drops file in Windows directory
  - Modifies data under HKEY_USERS
  PID:2696
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Windows\servicing\Packages\Microsoft-Windows-Backup-Package~31bf3856ad364e35~amd64~es-ES~6.1.7601.17514.cat" /accepteula
  2⤵
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  PID:1236
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Windows\servicing\Packages\Microsoft-Windows-Backup-Package~31bf3856ad364e35~amd64~es-ES~6.1.7601.17514.mum" /accepteula
  2⤵
  - Drops file in Windows directory
  - Modifies data under HKEY_USERS
  PID:856
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Windows\servicing\Packages\Microsoft-Windows-Backup-Package~31bf3856ad364e35~amd64~fr-FR~6.1.7601.17514.cat" /accepteula
  2⤵
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  PID:2148
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Windows\servicing\Packages\Microsoft-Windows-Backup-Package~31bf3856ad364e35~amd64~fr-FR~6.1.7601.17514.mum" /accepteula
  2⤵
  - Drops file in Windows directory
  PID:2976
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Windows\servicing\Packages\Microsoft-Windows-Backup-Package~31bf3856ad364e35~amd64~it-IT~6.1.7601.17514.cat" /accepteula
  2⤵
  - Drops file in Windows directory
  PID:320
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Windows\servicing\Packages\Microsoft-Windows-Backup-Package~31bf3856ad364e35~amd64~it-IT~6.1.7601.17514.mum" /accepteula
  2⤵
  - Drops file in Windows directory
  PID:2220
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Windows\servicing\Packages\Microsoft-Windows-Backup-Package~31bf3856ad364e35~amd64~ja-JP~6.1.7601.17514.cat" /accepteula
  2⤵
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  PID:1348
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Windows\servicing\Packages\Microsoft-Windows-Backup-Package~31bf3856ad364e35~amd64~ja-JP~6.1.7601.17514.mum" /accepteula
  2⤵
  - Drops file in Windows directory
  PID:2868
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Windows\servicing\Packages\Microsoft-Windows-Backup-Package~31bf3856ad364e35~amd64~~6.1.7601.17514.cat" /accepteula
  2⤵
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  PID:2568
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Windows\servicing\Packages\Microsoft-Windows-Backup-Package~31bf3856ad364e35~amd64~~6.1.7601.17514.mum" /accepteula
  2⤵
  - Drops file in Windows directory
  PID:308
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Windows\setupact.log" /accepteula
  2⤵
  - Drops file in Windows directory
  PID:2132
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Windows\setuperr.log" /accepteula
  2⤵
  - Drops file in Windows directory
  PID:1488
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Windows\SoftwareDistribution\DataStore\Logs\edb.log" /accepteula
  2⤵
  - Drops file in Windows directory
  PID:2036
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Windows\SoftwareDistribution\DataStore\Logs\edb00001.log" /accepteula
  2⤵
  - Drops file in Windows directory
  PID:2904
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Windows\SoftwareDistribution\ReportingEvents.log" /accepteula
  2⤵
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  PID:1832
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Backup-Package~31bf3856ad364e35~amd64~de-DE~6.1.7601.17514.cat" /accepteula
  2⤵
  - Drops file in System32 directory
  PID:1140
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Backup-Package~31bf3856ad364e35~amd64~en-US~6.1.7600.16385.cat" /accepteula
  2⤵
  - Drops file in System32 directory
  PID:1440
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Backup-Package~31bf3856ad364e35~amd64~en-US~6.1.7601.17514.cat" /accepteula
  2⤵
  - Drops file in System32 directory
  - Modifies data under HKEY_USERS
  PID:2880
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Backup-Package~31bf3856ad364e35~amd64~es-ES~6.1.7601.17514.cat" /accepteula
  2⤵
  - Drops file in System32 directory
  PID:1444
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Backup-Package~31bf3856ad364e35~amd64~fr-FR~6.1.7601.17514.cat" /accepteula
  2⤵
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  PID:2324
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Backup-Package~31bf3856ad364e35~amd64~it-IT~6.1.7601.17514.cat" /accepteula
  2⤵
  - Drops file in System32 directory
  PID:2664
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Backup-Package~31bf3856ad364e35~amd64~ja-JP~6.1.7601.17514.cat" /accepteula
  2⤵
  - Drops file in System32 directory
  PID:1196
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Backup-Package~31bf3856ad364e35~amd64~~6.1.7600.16385.cat" /accepteula
  2⤵
  - Drops file in System32 directory
  - Modifies data under HKEY_USERS
  PID:2492
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Backup-Package~31bf3856ad364e35~amd64~~6.1.7601.17514.cat" /accepteula
  2⤵
  - Drops file in System32 directory
  - Modifies data under HKEY_USERS
  PID:1512
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Windows\System32\catroot2\edb.log" /accepteula
  2⤵
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  PID:2696
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Windows\System32\catroot2\edb006BD.log" /accepteula
  2⤵
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Modifies data under HKEY_USERS
  PID:2964
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Windows\System32\catroot2\edb006BE.log" /accepteula
  2⤵
  - Drops file in System32 directory
  PID:1992
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Windows\System32\catroot2\edb006BF.log" /accepteula
  2⤵
  - Drops file in System32 directory
  PID:2968
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Windows\System32\catroot2\edb006C0.log" /accepteula
  2⤵
  - Drops file in System32 directory
  PID:2148
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Windows\System32\catroot2\edb006C1.log" /accepteula
  2⤵
  - Drops file in System32 directory
  PID:884
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Windows\System32\catroot2\edb006C2.log" /accepteula
  2⤵
  - Drops file in System32 directory
  PID:2132
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Windows\System32\catroot2\edb006C3.log" /accepteula
  2⤵
  - Drops file in System32 directory
  PID:1516
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Windows\System32\catroot2\edb006C4.log" /accepteula
  2⤵
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  PID:2036
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Windows\System32\catroot2\edb006C5.log" /accepteula
  2⤵
  - Drops file in System32 directory
  PID:1576
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Windows\System32\catroot2\edb006C6.log" /accepteula
  2⤵
  - Drops file in System32 directory
  - Modifies data under HKEY_USERS
  PID:2248
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Windows\System32\catroot2\edb006C7.log" /accepteula
  2⤵
  - Drops file in System32 directory
  PID:1016
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Windows\System32\catroot2\edb006C8.log" /accepteula
  2⤵
  - Drops file in System32 directory
  - Modifies data under HKEY_USERS
  PID:876
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Windows\System32\catroot2\edb006C9.log" /accepteula
  2⤵
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  PID:980
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Windows\System32\catroot2\edb006CA.log" /accepteula
  2⤵
  - Drops file in System32 directory
  PID:2708
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Windows\System32\catroot2\edb006CB.log" /accepteula
  2⤵
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  PID:1584
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Windows\System32\catroot2\edb006CC.log" /accepteula
  2⤵
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  PID:1528
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Windows\System32\catroot2\edb006CD.log" /accepteula
  2⤵
  - Drops file in System32 directory
  PID:3008
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Windows\System32\catroot2\edb006CE.log" /accepteula
  2⤵
  - Drops file in System32 directory
  PID:1924
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Windows\System32\catroot2\edb006CF.log" /accepteula
  2⤵
  - Drops file in System32 directory
  PID:1660
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Windows\System32\catroot2\edb006D0.log" /accepteula
  2⤵
  - Drops file in System32 directory
  PID:1544
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Windows\System32\catroot2\edb006D1.log" /accepteula
  2⤵
  - Drops file in System32 directory
  PID:484
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Windows\System32\catroot2\edb006D2.log" /accepteula
  2⤵
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  PID:2800
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Windows\System32\catroot2\edb006D3.log" /accepteula
  2⤵
  - Drops file in System32 directory
  PID:264
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Windows\System32\catroot2\edb006D4.log" /accepteula
  2⤵
  - Drops file in System32 directory
  - Modifies data under HKEY_USERS
  PID:2140
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Windows\System32\catroot2\edb006D5.log" /accepteula
  2⤵
  - Drops file in System32 directory
  PID:1708
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Windows\System32\de-DE\SystemPropertiesAdvanced.exe.mui" /accepteula
  2⤵
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  PID:1832
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Windows\System32\de-DE\SystemPropertiesComputerName.exe.mui" /accepteula
  2⤵
  - Drops file in System32 directory
  PID:632
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Windows\System32\de-DE\SystemPropertiesDataExecutionPrevention.exe.mui" /accepteula
  2⤵
  - Drops file in System32 directory
  PID:1532
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Windows\System32\de-DE\SystemPropertiesHardware.exe.mui" /accepteula
  2⤵
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Modifies data under HKEY_USERS
  PID:2540
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Windows\System32\de-DE\SystemPropertiesPerformance.exe.mui" /accepteula
  2⤵
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  PID:2840
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Windows\System32\de-DE\SystemPropertiesProtection.exe.mui" /accepteula
  2⤵
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  PID:3020
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Windows\System32\de-DE\SystemPropertiesRemote.exe.mui" /accepteula
  2⤵
  - Drops file in System32 directory
  PID:796

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Pre-OS Boot

T1542

Bootkit

T1542.003

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Pre-OS Boot

T1542

Bootkit

T1542.003

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-3551809CCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCC.CCC

Filesize
129B

MD5
148b363c94a1493dacf73bdddc7ae7fc

SHA1
e03e8f372d234dc5e90fd04aa53dcfac9f14adc6

SHA256
b7737a4b214d9e8b8eb312ae2827522b4991ae20415e79befe8e999ae6d52925

SHA512
1f3d3545f3dd261a8cedfa64c7fe3f9aae5fa0005dbc1dc0edabdadb9e9c8498abc4cd23502b5f3fdbe110c2510bbb8f52b172ab839c3bb99f191be28ec1b05e

Download Submit
C:\Program FileDDDDDDDDDDDDDDDDDDDDDDDD.DDD

Filesize
21KB

MD5
3e50225bb18c7500beb2d339f97e343e

SHA1
358de43c872db264d5f218b340f31b1e6174a2b0

SHA256
8054a0b84a42b002b53f98a17a146963ab44230a26bd73a02bb01d1c18cd7c5f

SHA512
63fa5b844aabb114a86640663317ddee97acc5e0112754b94a6a20b9aab8c2da21743eb9eeaeac96d167cd6767c88d6c0264826a81e0f8706b6f643ec90597ae

Download Submit
C:\Program Files (x86)\Microsoft DDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDD.DDD

Filesize
3KB

MD5
4f40b94c5037e823aa5c7aef6c328f49

SHA1
eb14db72d311ca0294bfd2ba475ccb187b500b44

SHA256
f56a5219fe85e19b7d53a660be2788c35624832d6d71e940d2660f922e4980fd

SHA512
87116c47cd45f6500338e65a64ba1e67e5668e7adb3b45d93ebe50008ca7f29847d9bfddec41afe43ac5b02778c503b3ee47c201214a1cb09560582a277fb1e0

Download Submit
C:\Program Files (x86)\Microsoft EEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEE.EEE

Filesize
1KB

MD5
0fb9f61c9372fbbe7d3c9d34df6968a6

SHA1
6e3f9761c4eab165cda44ea68ac532db3ef70f95

SHA256
a8affdbf3471a1cc618e62a6f08acfe2ece72849aed78f87765b3e040f30248b

SHA512
77f3220a2e6ad90f2b657afe13cf4ba7d5b7eafc079857d7c0b674070f7b0b1fcb2ba798798a6dc00c9d77f035019f51f42882e4f4da0ac8edcb3c1935dfefab

Download Submit
C:\Program Files (x86)\MozilDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDD.DDD

Filesize
164B

MD5
c472e206a6e94b18421c7a0ca010fe16

SHA1
e9bef62be64def4782fad2de5158dc9327c83fcc

SHA256
a35bdc69817fa2eac2cf98d86d9869dd8e7a5dd2d8c17118afbb3ef192e7fe62

SHA512
43f062f9cffef61632ed4b802f78a3becd6079f31011532ccba0fd49e2cd277e277fde481f98da93e487d9d393236ab0661786ae1d106bfe32345fbbe982b632

Download Submit
C:\Program Files\DDDDDDDDDDDDDDDDDDDDDDD.DDD

Filesize
25KB

MD5
a098dd951b9849f8f899a523b096d5b2

SHA1
a4bce455709feb0f108b82aad23ebfb10fa6d507

SHA256
41bda6eb0914da441778c0c3de99f3f6e1ca7724ccc1e0843d3e626f54380fbb

SHA512
5d8e080c7e2280c79fd6fdd641fc82ec015b4ae63526b9c3ec31a4ca91f2a3e07621643c4b64b9a5e57f1ccdbca31eb6b8dd34e0390d4fb674154dc285abf9ae

Download Submit
C:\Program Files\MozilCCCCCCCCCCCCCCCCCCCCCCCCCCCCCC.CCC

Filesize
2KB

MD5
138016f3695f94da48b63e992330983d

SHA1
978dedf6b28adee19df6b46544a4168395257475

SHA256
265c5da40610b3874422de76fe26c5e519a4f4c4e29d59e1ecf3b587bcba0348

SHA512
e17fedd7a2e2183e356da55044ab4985c08de7b9fb5779b8063fbea3aa25ef8eb864ee801d202a3e9a605607a9ad8de36c3f57085e3835a0c2d5f449acc85d4a

Download Submit
C:\Program Files\VideoLAN\DDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDD.DDD

Filesize
54KB

MD5
3abeb6274f540ab6521f90146c853b4e

SHA1
363427b8c4453fb461f9a31b54c2581f4804a660

SHA256
4da9165fa11b7b8acf770e6e56fac1fd17f59228707a49cfcda5b4fe6cb5a288

SHA512
5e7811e8ff83f2354ee7f503889a9a3afabd216d3ac3a2d90a20f51f2be7c24b5a65c40f0b59ea082985a73863eb3e8c07ed6e75af786128642efe0eabe26525

Download Submit
C:\ProgramData\Microsoft\DDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDD.DDD

Filesize
7KB

MD5
275b883d1861c97c192625dd39bb1cc0

SHA1
432bb43822dd56acaf358d413bc920577bc0f68b

SHA256
4513773061d8be3c827bbdc64ef2b8d9c992816d6f9606b5283e3763e7773991

SHA512
198a53df6bbac181b0b0718d7a5d4d987a1e0b7474eb862551cdde3e85f16a29a29435600bf44c7d6c99c81199b709a08eb884de24d0f58a321a69e14faabbf1

Download Submit
C:\ProgramData\Microsoft\Search\Data\ApplicationDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDD.DDD

Filesize
64KB

MD5
ca29eec70fc5534a1e8a5a61f9d29667

SHA1
5ca766b646299348b99bef307274882e1b66b4f6

SHA256
0fec96ab5e7ac96cdc3b5ab13f5c681ee06c62d77f552a0cb9afe1c7b23846fa

SHA512
db7e2eae5807048b887b890efa2dbc51c8fe9c756e0055619273f889989a38156cc68e296c43cf191b35bca884e444ea11273b5a9cef3f659906454d838fc0ce

Download Submit
C:\ProgramData\Microsoft\Windows\DDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDD.DDD

Filesize
1KB

MD5
954f73a123b99e15f632330cbf312a4e

SHA1
be465b388547d37a150cd43e44ef3280f877d352

SHA256
24e155b0444687ce0a3908042f4bfc29a030cea853b3799b9fa719bfdbfdabc7

SHA512
96cc53b6f2651bbe6ca428d7f3cb9827156abeb9d6da5ee69df8672fcf1ea5ecc50297385ffbc384b0f0317f46ece8ecbeb2a571e36c4c1ac59c740529cde760

Download Submit
C:\ProgramData\rbnedwdels\svchost.exe

Filesize
152KB

MD5
bc60849f0105976d8afc33731ae50c68

SHA1
90010c2da0343756ce9a37671e69436f478c83b6

SHA256
6e7ca1cc6fd03a1487d876ccd05c411c57ef1687a5c7e6ca007f00e2cb973fe8

SHA512
6555aafa9854c0c42161ec5b938e386d9e6a5fee8d9d63f5134cdf9db59b8630b17a8260ab2b0f921ec343fbbb918481f00c641553ebbf53fe983feaeb1bf380

Download Submit
C:\System VolumDDDDDDDDDDDDDDDDDDDDDD.DDD

Filesize
20KB

MD5
9b7d2a96e5f378297d98199b42956227

SHA1
50d08cf955d957603c9610fccae4a5287d61fd0f

SHA256
193797be388209276822b581f196bf707622c3ad828d84c42e34d4e2ae450280

SHA512
bc4fbd5bdd6f67d85e41b71b265a26ce91101f6c6d306c90d3f95176996a4e5e2ede51a93ef4f18c4ac54ac63cba7025f2b0ab8d37b6358f7badd7ca778814c6

Download Submit
C:\Users\AdmiDDDDDDDDDDDDDDDDDDDDDDDDD.DDD

Filesize
830KB

MD5
31e13b3d059ce864e6b04fe0ca1855c6

SHA1
23775f3d0edc17169ec2e8f27a46b321b4f0a9a4

SHA256
15ab345a31cd55f5977309a5dd9909b62a7af813b95b69aba9c5218f90046200

SHA512
15f2135ff2d588a74d5043f6ff140421c4317f45fd0c95865929aab933a858b9e37d79e2217784a642791bc95c598c8748115bd3611ef744cb99bfc471c2b48c

Download Submit
C:\Users\Admin\ADDDDDDDDDDDDDDDDDDDDDDDDDD.DDD

Filesize
287KB

MD5
ed01b8fdf39bee1038c29ed5b6fcd1d2

SHA1
c8d8d5ccfa890867d5921fe0272428f2b8c7d190

SHA256
14a338c994c63e4a6ef78655201b674b86bd822dc427e10f91aea717a2fe0a5c

SHA512
84fc773f1a2101393de1b7a608d9922b052cfe10861c430a58f33a4d4c0d4c99345203fb284c620cc8403c53579615486d6952fbf7aa4e9d98235b76694bd0e6

Download Submit
C:\Users\Admin\ApCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCC.CCC

Filesize
2KB

MD5
86409e9cebeb96b32623aa44128eea05

SHA1
c79bec22a87905f5e1788c962c86548fae052cb7

SHA256
131cf7180257946ea7d30be7fe28d7f142bcdb191277a07a9e3efa9a4854cfde

SHA512
afde6bbc17aa23b86cf15897de14ffbc91cd689834f36a9c080d26bfed8421c0bf20a81ac4b53f9193e7de8508d33380678dbe8f81c0cb1c30c7f2bfb50fd535

Download Submit
C:\Users\Admin\ApDDDDDDDDDDDDDDDDDDDDDDDD.DDD

Filesize
843B

MD5
1299b80f9743245162090fc32d5f1492

SHA1
205f848a79bf1c355e6a6061d4a2d197ac274a15

SHA256
e9eee0075a9fce70f0ef152d27818284453ba5f206dcf28608a56fbe71b7aed8

SHA512
42cdbe236fe071408f40320dbd8f1b530774fe82c953407549dead983f0e40d03f6f2460aad15eed1094a755314515bb4fe043b56141a4173e301d8fdcfb6eaa

Download Submit
C:\Users\Admin\ApDDDDDDDDDDDDDDDDDDDDDDDDD.DDDD

Filesize
13B

MD5
62ce0d171d5226aa508e57ff11b81128

SHA1
9476c4de96f6cca3acfb5320be3119684103fd19

SHA256
315422e17e2f4bb17d6a650ba167298c52ac01ef709cc3718dcd0c9530d7d5c8

SHA512
4a2aa5b4e3a37d1da1f5a46ca4e9cdcb8683a1798fecf7f022b85aab3a30630009c57a2eea12c797b32d9dd716691135271a08c43813bc8f75870a70bcac1de9

Download Submit
C:\Users\Admin\ApDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDD.DDD

Filesize
2KB

MD5
d3e565a1a6f78ebd296223f62c42d76c

SHA1
0aa7e01b94512e4bd80a555fd4d48a1032789d61

SHA256
0b819d7015875abdb43a9cdd40c2c4959a6aa4cd9b6a6f159396f67ab6dabc39

SHA512
bb1868de225bf8ac8aaf6d07ec4d89a840f478d03cbefe35820730a0bbedcb2051a56417a149b49e838270e8259da400a312561e921d745f5afbde0b81ab93d8

Download Submit
C:\Users\Admin\ApDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDD.DDD

Filesize
2KB

MD5
f34caf6f9af83a0617ae275e611bd4bd

SHA1
eb35381765e167f224d3690e24e8960baed86eb6

SHA256
1a3bc13bd15be41a0dd5caa96ba9bf9b144f7d1fa0b7fcbaf030a6f95a622fec

SHA512
493971b7e3662ccee1f703ecbb00388222480d1067636bfcffb8eb27da9eb96288674335438af987cfa0f50cd9fdafb59f8e15174a21a169eebac5c705e5cd3f

Download Submit
C:\Users\Admin\ApDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDD.DDD

Filesize
53KB

MD5
b455d526c70463f9a7479c53560f34fb

SHA1
7c82bbb5686ea07b0d390dfa71109501420f2506

SHA256
3aae8d0e824cc5f4160149d427ed2c228f7b8be85f80500a4351ea6773d29edc

SHA512
2187679b2d3af70998ce06dba0c8c484c6387d86505a37c50f4d3338d1568c1559e462c045d4f133a5963c8bff04115770f2dd27ad5c41eba3f3e5b34bab53f4

Download Submit
C:\Users\Admin\ApKKKKKKKKKKKKKKKKKKKKKKKK.KKK

Filesize
347B

MD5
845edbb6e05752343e7d734dd0bf4856

SHA1
50ed3c7427bff3f40816f659db31a167ff1f2b66

SHA256
9c258cf80c6e5167a1d76647aa9fd927e60a0ac97eb0ab5c8ef5bfb40136f279

SHA512
a21c71699c550ffb6ddcc87d3a7d160fc9864dec3756500dc6752a535d09f7dc3687a8aa829d813d71d0e1d244d5139f24626368847064c1d47868a1e76e702c

Download Submit
C:\Users\Admin\ApNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN.NNN

Filesize
1KB

MD5
98e963c770d799e6296766608be13025

SHA1
ede83841d991654ae3546a4528ca54b591d97944

SHA256
0f3dcde0ee174927dd697d63ec08b069e8fa9dfbb0c20a410b3e7efd3c45a6ba

SHA512
e021fac8c38c1f13a5ed2af60e377cac943f907aec3eb6d892af1e736024a7ebb4f79e533fe59eeb212e24e643912576648ae9c21cba0c8a885ad56a255c47aa

Download Submit
C:\Users\Admin\AppData\LocalDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDD.DDD

Filesize
512KB

MD5
29c6cc6efbdd7e824ec44e8c91c2dcb0

SHA1
afc63a1aaa44f28672549b2a42744552eb8c5088

SHA256
e37a56bac84efabede9da7aaa73bba59c1330c5cd41d8405dfbc8c729468361c

SHA512
abb920b108aee1121b00e6627a1be82870c79e1c507bcbcb6b2636087cf1d119200d903a17cfb518a30986964ff05afea412ccc36a3595e8b7eecec936a03900

Download Submit
C:\Users\Admin\AppData\Local\DDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDD.DDD

Filesize
11KB

MD5
106280acf361d3e4e04a673ffcf10672

SHA1
bcfc21df137c5e4ffe261d663a99b80080707e31

SHA256
d26b52ebc4431e6f2d3f73ea3ca22f12e15a6c4c9f07af21a6c478d67420aafa

SHA512
22990da66c5c108c02ee6739e22a79e84e1b5e24e679f0767ec60fad67e36214a44ff77c1dea996d39461db1dd5516981d81e7c3e5e28daf61d2b570b9eaf14b

Download Submit
C:\Users\Admin\AppData\Local\Google\ChrDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDD.DDD

Filesize
184B

MD5
650b10c848e71cd478806ca0449d7cdf

SHA1
d412a39c4085842a8e0e64a8e46558be45b9e741

SHA256
6c3439460723773cafa4787222d8f6596a99125dbb53d70292e9809cc58c32b3

SHA512
2bec6bf8457974981d6be4ab7f6591fb6ee6acd45ee3a4791db58c6afb30f3dc3bbd1233b53df80829ffd5b295f74834526d47b08a296640cacd70116e630034

Download Submit
C:\Users\Admin\AppData\Local\Google\ChrMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMM.MMM

Filesize
656B

MD5
7fd55001469268c972244791278bfb15

SHA1
bf08f51a496d2c306c9bcf40b0e287bea5394042

SHA256
583b5c841c9b39ae964c7fd56baeb4e2f5ab5c17df55003edfb48be942d03772

SHA512
8f5f7443e51261ecc10b88e30f547d976a3dc5893401f58e7e1ce00e72548ad2f5b7e9c02a8da750450deab30bdb495b4bd67fde35fb82a8d61bebb8a3c4da1d

Download Submit
C:\Users\Admin\AppData\Local\Google\ChrPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPP.PPP

Filesize
38B

MD5
0b68d05037a7ba52c03cb31c386f2ab9

SHA1
5a81a2109c90abfd65044afc35f6dc7264502b5d

SHA256
a20d4c7314bfffe437128d9b730cf68d3b91486cf3686f2f2aaac1f7d0582551

SHA512
198d5301d8541c652ea4db476bf4abe9b8bb48910a965dbcda0d6ea01e51d2e812c88fa7e1c1fff4e0de67b0de6e33a9bc4f03f75347a2ecbeb95bd7fbe031a4

Download Submit
C:\Users\Admin\AppData\Local\Google\ChroDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDD.DDD

Filesize
186B

MD5
e1da634679227e2dff4cd62bc779d635

SHA1
e48d431095f707e578d1eb943925d3f673390049

SHA256
6c07fc8184d088766a2f7cfcd68b0c559aa87a6d18d3e9edcacb3c642c542450

SHA512
ce45b4b95a31958ecd377f8178572ad50164fd104296e6367d863572320f9a96221347ea6ed4bb6007302e8a17a9526f014d5044f27c860b6129da7a2adb34ab

Download Submit
C:\Users\Admin\AppData\Local\Google\ChroDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDD.DDD

Filesize
76B

MD5
64ac70156c017791f73fe753b5f05d76

SHA1
a83863f8510fe5ce365d625da00dcdfe5195836d

SHA256
b85c71aff9a374290d978e66d217ba11f3df02b9cd1a221843546b702ff42113

SHA512
37f3b0bebb24890ec1441803989cbb7cf90c0fbd46e2899e4c1bb952929e50c0db808760171ec874a422e1a506f832db449ac6050095eb68ea92cf0c5c75f22e

Download Submit
C:\Users\Admin\AppData\Local\Google\ChromeDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDD.DDD

Filesize
190B

MD5
02cb5b2674dfe93a7ef8b92e3a635967

SHA1
8817dbc99fdbbec13da320839927d46ead9bc10c

SHA256
6e2494f07f5f87535a115e35fe9f6bc30ff87cb6aeb9b2c45f116c4137eec830

SHA512
c4940fd132c3b135ccff948c3829841b7b2a3df674709a8f16f90190dd3a8c23630b2bc668947c8b0e65ab21c82af5c90417995cd240709b3f57db6728657bfc

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\DDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDD.DDD

Filesize
193B

MD5
2dc2bf5997fd18251d31822667590183

SHA1
04511a1b5323a79c7e357374ac5874aa6239e1ec

SHA256
83a019ec18c90b9bb35e8846b363639465f287975b6ccca453303478f4fc8e9a

SHA512
a667b2fa19ce1348eb9730f8e84cb7d93a5886172f86a3e2f3240660b96d9c79b553f4b9fb878b1ce868bb93df3d73428718504f7bc36d00279710c908ba6feb

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\DDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDD.DDD

Filesize
666B

MD5
21a3a234819d368c1d1a39cbf9d04e47

SHA1
b9e103539295594921a169e5370bc225210476e6

SHA256
24545a410d7534f320f757ce95ce13776735923e204a2e31333885ba7d8f8b5b

SHA512
8a2964b4db7a75523a66408d1ccb5dbcea71ee1fc56b8996fe8fdf474956169d5cd6f4a0bb38df4ad51f151384df355d3a391372dca0a1befb2afedf30deddac

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\UseDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDD.DDD

Filesize
198B

MD5
476bf70d8de279145c72dda8468d09d3

SHA1
c435b7c4a8d0c5d2c3fbbeeb89754b9aad4d3f55

SHA256
3710ef6de4a90464c17a898bef6287268044314493c527f09b80a57c4964cccb

SHA512
9ab983cca989dc1583cebb2a0cacf2a5545c7dbb877b54fb86bc0d835e4e69d27002ff654b4ed299e2eb61376e7aa6265bc49efb3fdf3d931ceb5113b35aa8d6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\WinDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDD.DDDDDDDDDDD.DDD

Filesize
67B

MD5
ba501cc45709d42a16025d12470c556f

SHA1
ee6de5cd94c5e38f2b1f6b812c8f114bbe3096a5

SHA256
d793dc56922b960b9811bd65c27da3f747ed0952849a05ce2e85ce65c369b70a

SHA512
9d434c2b6ac01999253e87e559f6b82096485ea55e6a338af18a3a4073e8c07c1e850efd39154b68aa9eaa54a26fda7de57b940cbd14c22a3e67a9b53c5c6fff

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ROVWYKHE\desktop.ini

Filesize
67B

MD5
6428c37a52237e36caa714dd82d81e62

SHA1
18f1ab6da7713e8dfa8d127829a31200526c789e

SHA256
1cce3c3c5667d01a6bfce5ef725a8cf198d66eb55304d7c3afb50257d63dacc2

SHA512
9a2b5e59c8d02e00c89afdf17c5ad1b664c16996a558e7886e185df0a30de6271db19f41e3c47d24f884d29dff9992ae5beeed43da41c9d98d41d74cd8432513

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\ProfDDDDDDDDDDDDD.DDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDD.DDDDDDDDDDDDDDDDDDDDDD

Filesize
835B

MD5
9b304888c8c2f916243756e54370814d

SHA1
b0a07c5940209b0cd9739c1b1a75b2501fc0d712

SHA256
165d41441c1b02842d085fbe8f667aa529578493161570a3b2f8d337c440c56b

SHA512
e2ca0b3d9c59012d777af3021a6965359cd8d623223dd8652d6d1b4879e713bc26f88be5026ce7de26db73af6d255b8b46e4ce4bbc6f6f898ba9fa1bd59fe009

Download Submit
C:\Users\DDDDDDDDDDDDDD.DDD.DDD

Filesize
1024B

MD5
2f7f75ed0fd5b08e5c76de29c9c81273

SHA1
b9c424f97b34b83f4ae0327e3a6b805ce3c4371a

SHA256
b49ead5c5f293be74263e771b78012f8cd3d5b1286d9f6a61675f01d07d9c5cc

SHA512
0595829f0b30cfd5c26e9c38acba6cf63f85bab8f159ea9120aebe4de82562d3bb64ddf8b1084677468c0654876efa47cd8a3518158093bc6c9c868a3f047fee

Download Submit
C:\WinDDDDDDDDDDDDD.DDD

Filesize
21KB

MD5
27f7f8fcf1301ce8f7e7c752d3e5e36e

SHA1
17c6b630679c236d1424fd1ad231871ae64e33fa

SHA256
4923cb2a508b885fada7fa44465448c84f9fd94bfbec5e3f33a4b1b53b180e7e

SHA512
2d8071de347dd1beaa1798e66423875922966e2a4253b376ff0bbf05d4c1383961bb1f89a6045cdbb7187aa2ef5c77d6e9c224cd4aa03a618010afbc5c5a60a8

Download Submit
C:\WinDDDDDDDDDDDDDDD.DDD

Filesize
2KB

MD5
04bcdd775de738375bb4ffde75eba509

SHA1
0261724aa602e1f97b803ee209c2a6d0072c86a5

SHA256
e82307b4a9376327a54aff9c98b4ca17a99aa76473e3a687ed881baa60960371

SHA512
20a1d8c814a9026c0278a3fbb8501bad8310625aff096dca9826b8e4437677d90669529cfbaa575493fb66a32368bc14a9e6747bcd69ce7b23a791fa0e775adb

Download Submit
C:\WindoDDDDDDDDDDDDDDD.DDD.DDD

Filesize
40KB

MD5
27340d55af5a898c28b43450935c0c8c

SHA1
a257e7b0de4a0538ad960604872691897ba5f2cd

SHA256
f33074bf655bf3ce7bb42f4ab32beb34a9e89ab1616bc8b64a98c3ac15a68771

SHA512
b4190fec47b9dc8eafaa0f68f3b014b3593d06162b331b05a101be1a82a32ae390b6cafc7e294dda328ce8234af1ea102aa092cd7fdb71a4847f8d9de6a8454b

Download Submit
C:\WindowDDDDDDDDDDDDDDDD.DDD

Filesize
74KB

MD5
7aa648aef4131965c9e72a908b464124

SHA1
6106d09b2e831dd564a37ee5e7c68dca744c99a7

SHA256
1ec330fa508048506f489cc19dba90b951ca99aeb999348af0c5c0aa4747865d

SHA512
3fc60d9128be93680a5ac9044a852f9bc6cfdcbb4953cfbb7d9ba26a8be86fb764016020dc4b3d8e6202aee94ac6d8c6ea976ba032da22ce6843e28cddbc00b8

Download Submit
C:\WindowEEEEEEEEEEEEEE.EEE

Filesize
131B

MD5
d06c707f19efb7387c70a176b7bfb767

SHA1
05284e66162e3d36eaa0a3ee5b0f03c4db6addc7

SHA256
90feec63fe2cc2b1904154b1f53788f46959bd08e4624dd57d11b3c65c3af3d1

SHA512
c679b643cce937a0387eb19edd6c0268216e43623f312d3ff4cb3d56ee3852ae7a5e5b455e244b75a8812b6265583e0c867df3af1f009f5d52643709fd0697f9

Download Submit
C:\WindowsDDDDDDDDDDDD.DDD

Filesize
37KB

MD5
9f15b44f44f550f39d643479e2acfc95

SHA1
be0c0f3d6286ea6ccb5b195949ed362651cff5ec

SHA256
65a5515fb2f0e262f7c915ffc263f66d8980a13eb80973a6ca32a59577e1b368

SHA512
0b3f0fc9b6536e8ecd856c212b654479fbbbbd2ed0643750bf9af5c419c251851fb420104c3167f6179369b585060fc85e6a9ec124216e1975f10f9e9e4cb527

Download Submit
C:\WindowsDDDDDDDDDDDDDDDDD.DDD

Filesize
920B

MD5
d94db35e4bae51c5b18854bfb74980a5

SHA1
f48ab820d9308c6b83fe0c6a63477e950657e978

SHA256
56859646cf21e924e628bab2165ca981daf280c9416aa11efde38c98eb0982d6

SHA512
05ea9f702cb5300bbaab772a4b7160f28b770e2eb1b0024178b297be16c6b7a67f823b43ef15b11e2cc584ba42d193615532a45964bba437192f0da96f1c3280

Download Submit
C:\WindowsDDDDDDDDDDDDDDDDDD.DDD

Filesize
5KB

MD5
237024579c57dcf5f80ef8bd30c7a0a1

SHA1
04cc87d6d865e0524bca65cd8bd5fc49d86373e1

SHA256
ecce20cb8eac5502b11196b752a4bb244dba27265ad52cc263f6f793ec56a728

SHA512
d54bee336ca42cfa59fb5c45b3d56c0831df48cddf74e5855d860ae145305a703159b6e397ee174c8a98d1881ec9b3d8617437ac5be356588d3b0faf438f0eb3

Download Submit
C:\Windows\DDDDDDDDDDDDDDDDDD.DDD

Filesize
230B

MD5
95723d899a5897c9dd0b2b56de2c371c

SHA1
b29517c02682a985fa1b3bfcdfac4103d8daddc8

SHA256
99f8284719b07cc93c874d1d3fa582413d89fb2a50b9be844e83d73c7d4ac42d

SHA512
6961bfe5e2ddc7bd703381dea406e0bec92f0451e7e3657ff1201f6b8bdc2c8eb9fb0cbddc6970937e2a93abb45b572a0a3a99bd031d09fb0f7ccdab4534226c

Download Submit
C:\Windows\Microsoft.NEDDDDDDDDDDDDDD.D.DDDDDDDDDD.DDD

Filesize
256KB

MD5
561092b54766546f52991e8759a0c28c

SHA1
3158814c456ac7d5e5b26f338f4b0f0783ab88a1

SHA256
263345e3cca828cf5810a4d4ad6d1caa9f9334a2b67aad78e9ebb9effe4e7ace

SHA512
5f93623f05feddb13caf2200b93facca93705f52c83625206de84bbce1655de5df85f83e725b6bde785dc7943d72f47b2b0d5cb6699de736f8009efd9c192239

Download Submit
C:\Windows\Microsoft.NEDDDDDDDDDDDDDD.D.DDDDDDDDDD.DDD

Filesize
117KB

MD5
aa82d6ccdc5e7a4bf316ba8f03a43305

SHA1
ebeafe5eca37a39383bf26f70f496895264ef8c7

SHA256
bc7f0d0fad593150cd9849808b328b59391d8bf91138f8faeb2d02ced4e310d9

SHA512
e5bd28a612c4f0ac7067d0f442420ed4a3678459a9263d74d5b81e4e3d3ee2f3f07020c559e0a883a1015b70d4e695cb3dcd0752ea57237c0b2df00fdff1b257

Download Submit
C:\Windows\Microsoft.NEDDDDDDDDDDDDDD.D.DDDDDDDDDDDDDDDDDD.DDD

Filesize
304B

MD5
1aa43bf9520a5665bf0afd71260a11aa

SHA1
00a8859ca14e0d5b142dc4f007dd77ed4d31341f

SHA256
5751475d049ffe3ae08a97063dc7c43b9c0cf92c5da88a0d076c66ed54baf410

SHA512
7a753ebbfe9e9963fc1a971e544f0590d370e584233ec62d7ddc0a6d0dfb963cf1f3776316cbce6558d25fbe8d1d24ee050b15aa887db8963029fab1868a6782

Download Submit
C:\Windows\Microsoft.NETCCCCCCCCCCCCCCC.C.CCCCCCCCCC.CCC

Filesize
107KB

MD5
1a49496eae64f0c0522836c10b8b9e92

SHA1
ad89678c054b4684ffa16f29b9363a502fe21586

SHA256
d2c5466d4f6ebdc2335e08a48a9f789203fae860d5b0ab0b0ea61128b3ab4dcb

SHA512
5515dedaa86d05a3e08878080fb0a13f424ec1d3e4b3504a9fc9b3e7e0330626e6dbfe5625cb82330b3e0018a15f31b00629bc9fb4b8232326d83a8341900219

Download Submit
C:\Windows\Microsoft.NETCCCCCCCCCCCCCCC.C.CCCCCCCCCCCCCCCCCC.CCC

Filesize
871KB

MD5
5143aeaedea3c1a9a72f0aee66948782

SHA1
c70477105492cef777ee65ecf9b1e55592900d25

SHA256
11049aceb221a86c836b6f8380c0b718de986fb4731d0bca7eaf99c024289a1f

SHA512
1d4f333bae0338917a638286611f13cec02462d5b230ec53a46e4e1ab1cfb103dc9214fe04749bec6abcc9a9b4a140fb1bb09eeb5add80bb3df15c8c853146b0

Download Submit
C:\Windows\Microsoft.NETDDDDDDDDDDDDDDD.D.DDDDDDDDDDDDDDDDDD.DDD

Filesize
304B

MD5
7b667ac5a058c814e210fc35954a5e74

SHA1
adb6842e51fa42eb14ee27345e312403cbef416d

SHA256
9e0422ffff904114a99ea6c192d3a251b391d2ceb05253b17de72f6ed36b3da1

SHA512
92b55da8da4c9a7790e733d11fffe4c30f2d9a22603755598ce2cfca40e776511918eb831da74c93ca740378f70412f400c2e12ed8d224c1a2304e5883ad53ae

Download Submit
C:\Windows\ServicePrDDDDDDDDDDDDDDDDDDDDDDDDDD.DDD.DDD

Filesize
1024B

MD5
f62f976690a345591877962b7889fbb3

SHA1
7987aec0137078aee35e1084524fe883f4870819

SHA256
da40c7ab6f839be1e2c5fd43d45a9e21818d4b2c275e6703cc4ac29e1ad32464

SHA512
db52abb583a232f26a50ec56119804d298bab36aeb67927784a8abc01231fa3cd9e971547a02f2a0279f94867c5dd1d553761767f164533f0b7a3dac0cf816b8

Download Submit
C:\Windows\ServiceProDDDDDDDDDDDDDDDDDDDDDDDDDDD.DDD.DDD

Filesize
1024B

MD5
a0d1e88692847e00f3cf5153ab531d65

SHA1
4100797ece90acb726aea1f45a9e35150a01cff1

SHA256
5b70f9205de0d5bec05488e96a8ff2152b22657d17a686c7f80456690affbb86

SHA512
4e8b660192f962116806869b5dd4ccb0d5125e3118aef23737086b687d5f6b01acab2b587af951223e808564774266db05722aaac8cba05e67f1587289cf5a9a

Download Submit
C:\Windows\SoftwDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDD.DDD

Filesize
526B

MD5
bc880b9923ecf2d7e40d9f247713bca0

SHA1
0aeeb0ae372c04e033e803524ce28b1cdbd41b1b

SHA256
89e2cff4e1d746ccd3eeb88206d83815530e691bf1d3a045ef9cc8063a40982a

SHA512
307374270dee795770881875020f5fece290ce89da8e56fe010a26cb8faedad90b2649460718bfc68ab39d6e0f2092f613569627a8df5e87b4ffb5c136f51433

Download Submit
C:\Windows\SoftwareDistrVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVV.VVV

Filesize
1.2MB

MD5
7ffe789d0522a8a0f503496b544ae329

SHA1
c26f0e72fd605181b02c6fb83b227da9eebfe595

SHA256
5a2f7e08a6f10eaa8df3dd63e9c3a44c71ad634b18c5739af2f768373651f670

SHA512
6436c50ef56511a9b7856bfbf16369b15cd8a15140cfabd64f33d7bcc079c6a9587cea2e6a8483b4d79b0fa160e71c263641e86088b2a74af477bbd842377c57

Download Submit
C:\Windows\SysWOW64\cfwin32.dll

Filesize
394KB

MD5
53894890dc01bbcace449f6590a1597b

SHA1
b27c93ef650d79a49150e61cd668b01bee543a30

SHA256
2f3f037b07737101076f50664ea3af10f76970febdcba4bd0e38d5a0eca4f6dd

SHA512
2ab1d894688ba8ee4129c575a116e7d01840d553a3956c3c158921e0794207ae9d0396c4c848c9e6592f40466e893ed19165e5eb34c53e02fe19fb65265c3a5a

Download Submit
C:\Windows\SysWOW64\csrss32.dll

Filesize
172KB

MD5
492e8e81ef6ecd3998c2215d9db3a6da

SHA1
55a457f585172196c2ccc530cd834d421a83276f

SHA256
769371d3a4195187b9fa8b3ee56aa8ff6eb52c6c0d819420ed2ce5d732faae25

SHA512
21b62e018f889cc12e643cd6e1da922e1920f10219cf36e07e439acee62706d1589b337207a6a0566e2dbbd6e266aaa4cf8b95d1f88f60b15349bb20e7901bf5

Download Submit
C:\Windows\SysWOW64\csrss64.dll

Filesize
180KB

MD5
ac281938245639d5298a6c5c395cb7d0

SHA1
7b5db71ea5913cc8056eecb336fdb9f9ad23309c

SHA256
a80e55673477e4bfae1ad75fc00e8ce28fa1af8f78fe51778fb78acf965a3283

SHA512
5f1893a661d323f4932c96467f86621be4a3a3b58a41d00758a300b2075187fd4e31f0d903cbb9418d3dda9809f3143774e7b46bdb34ae63460b24d4c8b55452

Download Submit
C:\Windows\SysWOW64\svschost.exe

Filesize
38KB

MD5
4fc8de89c54224746fbdcb486ed92514

SHA1
1ca774ffbb0eead4b4e06a5f13059933af530754

SHA256
ea32a0b440e81208eb10a500ea90855eb413bd2f756a581a1644bdec4453d96b

SHA512
b7479e94ff2183c23df99407b54282d97d1b0aeb32b2c52fbb30ae5ac626ab0641521d03d1f4f2e0b6fcb0c98cc04b61d897f9b450a456e988157cd038823fc1

Download Submit
C:\Windows\SystDDDDDDDDDDDDDDDDDDDDDD.DDD

Filesize
64KB

MD5
0cd9393ec117f0512a647b50559b2cc9

SHA1
21cfc685389b7592038707c119e3c1dbbb2a402f

SHA256
17e5de424bc6555de0db7bb197cc3f5c6ad4af29723dc0d39c11f7a80b186f7d

SHA512
a0cfdfc43eac807688591de39e6506b24c0e664fcb54ff8113b22c5dbdf2cf3590447278b6350a8f72a8d59c61358cb6691913531b7ffd67dd67dbc9dad97fe5

Download Submit
C:\Windows\System32\DDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDD.DDD

Filesize
121KB

MD5
3552405af93a6815fef9e0e247e998a8

SHA1
a4d1b21014b9172d174ae5ee49ef195777078bb2

SHA256
6d6f1d7359cc7b06995fdb98202e9f0345f8b16f61086474504cae9437179a54

SHA512
2abae38eae7e73921392efcebf07edaab425441df407bb360ec7b38d1dd735d4d906d8e61f98eab2783140019a47a9fc5f11f076bd6013a9c4ee824d586b1100

Download Submit
C:\Windows\System32\EEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEE.EEE

Filesize
193KB

MD5
fe5853b81c4b9158dbaad0c2eba4a41b

SHA1
89e680760117b88768b49cb4b2bcb3123a369f29

SHA256
c57d93fadede8b806ac5027f55924253cac47149f535ed8d4020db73ee53ffa2

SHA512
4ec83a16128e15c3eb20898f561e3f87dfe03e672df95c6319fbd04856f180ae6e871f600168d41fdbf354ed067aec355127b51d12f3ba4c5b184fbf1aba0df0

Download Submit
C:\Windows\System32\catroot\{F750EDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDD.D.DDDD.DDDDD.DDD

Filesize
12KB

MD5
ec70f3353398926621eb272edd02806f

SHA1
b4edcfd5f742bbe1b0245013fece1505096bb439

SHA256
e3ec83e090fb4bc315f1f5c51f8a7fdd36c472564116e9bcad1181fecf375700

SHA512
069ea92abba56d55eda1ec5c73273f00f802fc7152fb680c8e329289320cf7da5eca372923edb3c9dfd574658b550b4c5bfe76d64c4ffced38ab1de867113af2

Download Submit
C:\Windows\seDDDDDDDDDDDDDDDDDDD.DDD

Filesize
9KB

MD5
d910c3c61a7785d044a6f54721d1904f

SHA1
c9ddb6a57f3b7d49a97887d914e618307ff60ef6

SHA256
db8244a2d879d75608f19572c8eb1ca7d3431fbe106a384101708c94c1c24dc4

SHA512
ebc065b606a684a62aa8d31732d720a5eac7612f5955adb8c42396e7489022203f1dcb1943794e89cb1a4ad9f12384b4e82801151fe2e59bd6c1ccff2e2ec7d3

Download Submit
\Windows\SysWOW64\NoSafeMode.dll

Filesize
12KB

MD5
6bb3bca23fdff5b013863d8423267251

SHA1
2e6b80241d1a9269cc30e13663e6f910a0893450

SHA256
bdb1a0b687ced575e71702b7b4554063e697791bc2b2a286a0e4dfd528739670

SHA512
de6230dfe87df4840314983573c94ce332f5bfe9996de852c6e47844e785a4e7a8e4084a6d9ed1fd4aac78b896d2158a201ff202635c205bf50e2507c1165478

Download Submit
\Windows\SysWOW64\nsf.exe

Filesize
47KB

MD5
e6d58e0a4511695312f13d1b9f154187

SHA1
a23d75e1a3462e66db08f7664683e186c9e8e5fb

SHA256
ff16042183c0ed025c523ea1ae3edd679fd929dfbda0089756186f5bcba5b35b

SHA512
09b154123d8e21a7c93f8d99009e0e322a2ede7f4c8f12bcdebd0078787efb0f9d3b5e43a7b3936b933bd974777fccefbc3af24b834e8cd7137d2931cfeff833

Download Submit
memory/2040-94-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/2040-89-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/2812-214-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/2812-212-0x0000000010000000-0x000000001000C000-memory.dmp

Filesize
48KB

Download
memory/2848-48-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/2848-53-0x0000000010000000-0x000000001000C000-memory.dmp

Filesize
48KB

Download
memory/2848-55-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/2860-56-0x0000000002050000-0x0000000002070000-memory.dmp

Filesize
128KB

Download
memory/2860-96-0x0000000002060000-0x0000000002080000-memory.dmp

Filesize
128KB

Download
memory/2860-217-0x0000000002060000-0x0000000002080000-memory.dmp

Filesize
128KB

Download
memory/2860-87-0x0000000002060000-0x0000000002080000-memory.dmp

Filesize
128KB

Download
memory/2860-95-0x0000000002060000-0x0000000002080000-memory.dmp

Filesize
128KB

Download
memory/2860-97-0x0000000002060000-0x0000000002080000-memory.dmp

Filesize
128KB

Download
memory/2860-209-0x0000000002060000-0x0000000002080000-memory.dmp

Filesize
128KB

Download
memory/2860-86-0x0000000002060000-0x0000000002080000-memory.dmp

Filesize
128KB

Download
memory/2860-203-0x0000000002060000-0x0000000002080000-memory.dmp

Filesize
128KB

Download
memory/2860-46-0x0000000002050000-0x0000000002070000-memory.dmp

Filesize
128KB

Download
memory/2860-204-0x0000000002060000-0x0000000002080000-memory.dmp

Filesize
128KB

Download
memory/2860-45-0x0000000002050000-0x0000000002070000-memory.dmp

Filesize
128KB

Download
memory/2860-215-0x0000000002060000-0x0000000002080000-memory.dmp

Filesize
128KB

Download
memory/2860-216-0x0000000002060000-0x0000000002080000-memory.dmp

Filesize
128KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads