c41899315b2f3dad512ed1f58746e59fdb2f9717badcf7b2c861c1248d945991

Analysis

max time kernel
589s
max time network
367s
platform
windows7_x64
resource
win7-20241023-en
resource tags

arch:x64arch:x86image:win7-20241023-enlocale:en-usos:windows7-x64system
submitted
22-11-2024 03:20

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

cgi19-alptsevs-h555.exe_.exe
Size

569KB
MD5

e9b9c39dd91c7fac1ee0b92e018a21bd
SHA1

1ddcf37b32f90f864b51adba3f4bd3a0f5ea935f
SHA256

388cc8da15d0fbee9bb9fb87715c8f2967b1584a12e30b4ea1ebbc27ff3b557b
SHA512

dee5a5da3fe70e5d15f48ba9e8d9204a2de641b91e22a8e3ddb7dfaa1aafd6d943bb21188985bb8d40836fc6e24ee2df9a9d988f5ea8048d30517cd6bf7e3add
SSDEEP

12288:j3nZMhJ+ubNmz0C4nkspjhPMy7NxkIXGUikyjk0y0xjYfYK4zjibVWidV3BtGN:j3nZqfbkz94h9P1+sbi3j2Bwjifv3BAN

Score

7^/10

bootkit discovery persistence spyware stealer

Malware Config

Signatures

ACProtect 1.3x - 1.4x DLL software 1 IoCs

Detects file using ACProtect software.

resource	yara_rule
behavioral10/files/0x00050000000194b9-55.dat	acprotect

Deletes itself 1 IoCs

pid	Process
2708	svchost.exe

Executes dropped EXE 64 IoCs

pid	Process
2628	svschost.exe
780	nsf.exe
816	svschost.exe
3016	nsf.exe
1340	svschost.exe
1688	svschost.exe
2188	svchost.exe
2784	svschost.exe
2960	nsf.exe
3024	svschost.exe
1160	svchost.exe
2152	svchost.exe
328	svchost.exe
2776	svschost.exe
2016	svchost.exe
848	svchost.exe
2624	svchost.exe
2800	svchost.exe
2944	svchost.exe
2860	svchost.exe
868	svchost.exe
2912	svchost.exe
2092	svchost.exe
2780	svchost.exe
2360	svchost.exe
3040	svchost.exe
1160	svchost.exe
2068	svchost.exe
1548	svchost.exe
800	svchost.exe
1592	svchost.exe
1588	svchost.exe
2480	svchost.exe
892	svchost.exe
2808	svchost.exe
580	svchost.exe
780	svchost.exe
1984	svchost.exe
2520	svchost.exe
2876	svchost.exe
1296	svchost.exe
2780	svchost.exe
1820	svchost.exe
2900	svchost.exe
1224	svchost.exe
2592	svchost.exe
1792	svchost.exe
1944	svchost.exe
2168	svchost.exe
848	svchost.exe
2440	svchost.exe
2056	svchost.exe
576	svchost.exe
2812	svchost.exe
2768	svchost.exe
2680	svchost.exe
840	svchost.exe
1804	svchost.exe
2080	svchost.exe
1292	svchost.exe
2152	svchost.exe
1536	svchost.exe
1524	svchost.exe
1692	svchost.exe

Loads dropped DLL 43 IoCs

pid	Process
2224	cgi19-alptsevs-h555.exe_.exe
2224	cgi19-alptsevs-h555.exe_.exe
2224	cgi19-alptsevs-h555.exe_.exe
2224	cgi19-alptsevs-h555.exe_.exe
2224	cgi19-alptsevs-h555.exe_.exe
2224	cgi19-alptsevs-h555.exe_.exe
2224	cgi19-alptsevs-h555.exe_.exe
2224	cgi19-alptsevs-h555.exe_.exe
2224	cgi19-alptsevs-h555.exe_.exe
780	nsf.exe
2224	cgi19-alptsevs-h555.exe_.exe
2224	cgi19-alptsevs-h555.exe_.exe
2224	cgi19-alptsevs-h555.exe_.exe
2224	cgi19-alptsevs-h555.exe_.exe
2224	cgi19-alptsevs-h555.exe_.exe
2224	cgi19-alptsevs-h555.exe_.exe
2224	cgi19-alptsevs-h555.exe_.exe
2224	cgi19-alptsevs-h555.exe_.exe
2224	cgi19-alptsevs-h555.exe_.exe
3016	nsf.exe
2224	cgi19-alptsevs-h555.exe_.exe
2224	cgi19-alptsevs-h555.exe_.exe
2224	cgi19-alptsevs-h555.exe_.exe
2224	cgi19-alptsevs-h555.exe_.exe
1688	svschost.exe
2224	cgi19-alptsevs-h555.exe_.exe
2224	cgi19-alptsevs-h555.exe_.exe
2224	cgi19-alptsevs-h555.exe_.exe
2224	cgi19-alptsevs-h555.exe_.exe
2224	cgi19-alptsevs-h555.exe_.exe
2224	cgi19-alptsevs-h555.exe_.exe
2224	cgi19-alptsevs-h555.exe_.exe
2224	cgi19-alptsevs-h555.exe_.exe
2224	cgi19-alptsevs-h555.exe_.exe
2960	nsf.exe
2224	cgi19-alptsevs-h555.exe_.exe
2224	cgi19-alptsevs-h555.exe_.exe
2224	cgi19-alptsevs-h555.exe_.exe
2224	cgi19-alptsevs-h555.exe_.exe
2224	cgi19-alptsevs-h555.exe_.exe
2224	cgi19-alptsevs-h555.exe_.exe
2224	cgi19-alptsevs-h555.exe_.exe
2224	cgi19-alptsevs-h555.exe_.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\svchost = "C:\\dvsdlk\\svchost.exe"	REG.exe

Drops desktop.ini file(s) 7 IoCs

description	ioc	Process
File opened for modification	C:\$Recycle.Bin\S-1-5-21-1163522206-1469769407-485553996-1000\desktop.ini	svchost.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\3D87ST3G\desktop.ini	svchost.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\4JFE2I4S\desktop.ini	svchost.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\6SLTOM5C\desktop.ini	svchost.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\desktop.ini	svchost.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\IJMS2YBB\desktop.ini	svchost.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\desktop.ini	svchost.exe

Enumerates connected drives 3 TTPs 23 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\W:	svschost.exe
File opened (read-only)	\??\E:	svschost.exe
File opened (read-only)	\??\P:	svschost.exe
File opened (read-only)	\??\S:	svschost.exe
File opened (read-only)	\??\M:	svschost.exe
File opened (read-only)	\??\O:	svschost.exe
File opened (read-only)	\??\R:	svschost.exe
File opened (read-only)	\??\G:	svschost.exe
File opened (read-only)	\??\H:	svschost.exe
File opened (read-only)	\??\J:	svschost.exe
File opened (read-only)	\??\L:	svschost.exe
File opened (read-only)	\??\Q:	svschost.exe
File opened (read-only)	\??\T:	svschost.exe
File opened (read-only)	\??\U:	svschost.exe
File opened (read-only)	\??\V:	svschost.exe
File opened (read-only)	\??\A:	svschost.exe
File opened (read-only)	\??\I:	svschost.exe
File opened (read-only)	\??\K:	svschost.exe
File opened (read-only)	\??\X:	svschost.exe
File opened (read-only)	\??\Z:	svschost.exe
File opened (read-only)	\??\B:	svschost.exe
File opened (read-only)	\??\N:	svschost.exe
File opened (read-only)	\??\Y:	svschost.exe

Writes to the Master Boot Record (MBR) 1 TTPs 3 IoCs

Bootkits write to the MBR to gain persistence at a level below the operating system.

bootkit persistence

Bootkit

T1542.003

description	ioc	Process
File opened for modification	\??\PhysicalDrive0	nsf.exe
File opened for modification	\??\PhysicalDrive0	nsf.exe
File opened for modification	\??\PhysicalDrive0	nsf.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\LogFiles\WMI\RtBackup\EtwRTEventLog-Application.etl	svchost.exe
File opened for modification	C:\Windows\System32\SystemPropertiesAdvanced.exe	svchost.exe
File opened for modification	C:\Windows\SysWOW64\es-ES\SystemPropertiesRemote.exe.mui	svchost.exe
File opened for modification	C:\Windows\SysWOW64\ja-JP\SystemPropertiesHardware.exe.mui	svchost.exe
File opened for modification	C:\Windows\SysWOW64\ja-JP\SystemPropertiesPerformance.exe.mui	svchost.exe
File opened for modification	C:\Windows\System32\catroot2\edb006C9.log	svchost.exe
File opened for modification	C:\Windows\System32\it-IT\SystemPropertiesPerformance.exe.mui	svchost.exe
File opened for modification	C:\Windows\SysWOW64\fr-FR\SystemPropertiesDataExecutionPrevention.exe.mui	svchost.exe
File opened for modification	C:\Windows\SysWOW64\fr-FR\SystemPropertiesRemote.exe.mui	svchost.exe
File opened for modification	C:\Windows\SysWOW64\it-IT\SystemPropertiesRemote.exe.mui	svchost.exe
File opened for modification	C:\Windows\SysWOW64\PerfStringBackup.INI	svchost.exe
File created	C:\Windows\SysWOW64\cfwin32.dll	cgi19-alptsevs-h555.exe_.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\prnbr002.inf_amd64_neutral_db1d8c9efda9b3c0\Amd64\brio06ab.bcm	svchost.exe
File opened for modification	C:\Windows\System32\SystemPropertiesRemote.exe	svchost.exe
File opened for modification	C:\Windows\SysWOW64\ja-JP\SystemPropertiesDataExecutionPrevention.exe.mui	svchost.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\prnbr005.inf_amd64_neutral_9e4cc05e0d4bcb33\Amd64\brio08bk.bcm	svchost.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\prnbr009.inf_amd64_neutral_fd2ac5b9c40bd465\Amd64\brio14ag.bcm	svchost.exe
File opened for modification	C:\Windows\System32\en-US\SystemPropertiesDataExecutionPrevention.exe.mui	svchost.exe
File opened for modification	C:\Windows\System32\en-US\SystemPropertiesPerformance.exe.mui	svchost.exe
File opened for modification	C:\Windows\System32\it-IT\SystemPropertiesComputerName.exe.mui	svchost.exe
File opened for modification	C:\Windows\System32\ja-JP\SystemPropertiesAdvanced.exe.mui	svchost.exe
File opened for modification	C:\Windows\System32\ja-JP\SystemPropertiesPerformance.exe.mui	svchost.exe
File opened for modification	C:\Windows\System32\LogFiles\WMI\RtBackup\EtwRTEventLog-System.etl	svchost.exe
File created	C:\Windows\SysWOW64\nsf.exe	cgi19-alptsevs-h555.exe_.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\prnbr002.inf_amd64_neutral_db1d8c9efda9b3c0\Amd64\brio06af.bcm	svchost.exe
File opened for modification	C:\Windows\SysWOW64\es-ES\SystemPropertiesHardware.exe.mui	svchost.exe
File opened for modification	C:\Windows\SysWOW64\SystemPropertiesPerformance.exe	svchost.exe
File opened for modification	C:\Windows\System32\fr-FR\SystemPropertiesAdvanced.exe.mui	svchost.exe
File opened for modification	C:\Windows\System32\ja-JP\SystemPropertiesHardware.exe.mui	svchost.exe
File opened for modification	C:\Windows\SysWOW64\es-ES\SystemPropertiesComputerName.exe.mui	svchost.exe
File opened for modification	C:\Windows\System32\de-DE\SystemPropertiesDataExecutionPrevention.exe.mui	svchost.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\prnbr005.inf_amd64_neutral_9e4cc05e0d4bcb33\Amd64\brio08bc.bcm	svchost.exe
File opened for modification	C:\Windows\System32\it-IT\SystemPropertiesProtection.exe.mui	svchost.exe
File opened for modification	C:\Windows\SysWOW64\SystemPropertiesProtection.exe	svchost.exe
File opened for modification	C:\Windows\System32\catroot2\edb006C8.log	svchost.exe
File opened for modification	C:\Windows\System32\fr-FR\SystemPropertiesPerformance.exe.mui	svchost.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\prnbr004.inf_amd64_neutral_a78e168d6944619a\Amd64\brio08ab.bcm	svchost.exe
File opened for modification	C:\Windows\System32\es-ES\SystemPropertiesPerformance.exe.mui	svchost.exe
File opened for modification	C:\Windows\System32\LogFiles\WMI\RtBackup\EtwRTDiagLog.etl	svchost.exe
File opened for modification	C:\Windows\System32\migwiz\replacementmanifests\vsssystemprovider-replacement.man	svchost.exe
File opened for modification	C:\Windows\SysWOW64\es-ES\SystemPropertiesPerformance.exe.mui	svchost.exe
File opened for modification	C:\Windows\System32\catroot2\edb006C2.log	svchost.exe
File opened for modification	C:\Windows\System32\catroot2\edb006C7.log	svchost.exe
File opened for modification	C:\Windows\System32\SystemPropertiesDataExecutionPrevention.exe	svchost.exe
File opened for modification	C:\Windows\SysWOW64\de-DE\SystemPropertiesAdvanced.exe.mui	svchost.exe
File opened for modification	C:\Windows\SysWOW64\fr-FR\SystemPropertiesComputerName.exe.mui	svchost.exe
File created	C:\Windows\SysWOW64\csrss64.dll	cgi19-alptsevs-h555.exe_.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\prnbr004.inf_amd64_neutral_a78e168d6944619a\Amd64\brio08af.bcm	svchost.exe
File opened for modification	C:\Windows\System32\es-ES\SystemPropertiesComputerName.exe.mui	svchost.exe
File opened for modification	C:\Windows\System32\fr-FR\SystemPropertiesHardware.exe.mui	svchost.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\prnbr004.inf_amd64_neutral_a78e168d6944619a\Amd64\brio08ae.bcm	svchost.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\prnbr009.inf_amd64_neutral_fd2ac5b9c40bd465\Amd64\brio14aa.bcm	svchost.exe
File opened for modification	C:\Windows\System32\it-IT\SystemPropertiesRemote.exe.mui	svchost.exe
File opened for modification	C:\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Backup-Package~31bf3856ad364e35~amd64~~6.1.7600.16385.cat	svchost.exe
File opened for modification	C:\Windows\System32\de-DE\SystemPropertiesProtection.exe.mui	svchost.exe
File opened for modification	C:\Windows\SysWOW64\de-DE\SystemPropertiesPerformance.exe.mui	svchost.exe
File opened for modification	C:\Windows\SysWOW64\nsf.exe	cgi19-alptsevs-h555.exe_.exe
File opened for modification	C:\Windows\SysWOW64\de-DE\SystemPropertiesProtection.exe.mui	svchost.exe
File opened for modification	C:\Windows\System32\en-US\SystemPropertiesHardware.exe.mui	svchost.exe
File opened for modification	C:\Windows\System32\es-ES\SystemPropertiesHardware.exe.mui	svchost.exe
File opened for modification	C:\Windows\System32\LogFiles\WMI\RtBackup\EtwRTEventlog-Security.etl	svchost.exe
File opened for modification	C:\Windows\System32\SystemPropertiesHardware.exe	svchost.exe
File opened for modification	C:\Windows\SysWOW64\en-US\SystemPropertiesPerformance.exe.mui	svchost.exe
File opened for modification	C:\Windows\SysWOW64\en-US\SystemPropertiesProtection.exe.mui	svchost.exe

Drops file in Program Files directory 9 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Mozilla Firefox\install.log	svchost.exe
File opened for modification	C:\Program Files\Mozilla Firefox\uninstall\uninstall.log	svchost.exe
File opened for modification	C:\Program Files\UnregisterExit.temp	svchost.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\logs\maintenanceservice-install.log	svchost.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\audio_filter\libscaletempo_pitch_plugin.dll	svchost.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\audio_filter\libscaletempo_plugin.dll	svchost.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\uninstall.log	svchost.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolBMPs\spacebackupicons.jpg	svchost.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolBMPs\spacebackupiconsmask.bmp	svchost.exe

Drops file in Windows directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\winsxs\Backup\amd64_microsoft-windows-i..er-engine.resources_31bf3856ad364e35_6.1.7601.17514_fi-fi_442e570e6aa0d70c_msimsg.dll.mui_72e8994f	Process not Found
File opened for modification	C:\Windows\winsxs\Backup\amd64_microsoft-windows-w..ck-legacy.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_4a338035a6b605bd.manifest	Process not Found
File opened for modification	C:\Windows\winsxs\Backup\wow64_microsoft-windows-p..structure.resources_31bf3856ad364e35_6.1.7600.16385_de-de_227521a01b1e0f11_perfhost.exe.mui_2046145e	Process not Found
File opened for modification	C:\Windows\winsxs\Backup\x86_microsoft-windows-i..er-engine.resources_31bf3856ad364e35_6.1.7601.17514_et-ee_42b4826dc12f503b.manifest	Process not Found
File opened for modification	C:\Windows\winsxs\Backup\amd64_microsoft-windows-crypt32-dll.resources_31bf3856ad364e35_6.1.7600.16385_en-us_2a1bcf35d3f77b46_crypt32.dll.mui_4268f86a	Process not Found
File opened for modification	C:\Windows\winsxs\Backup\amd64_microsoft-windows-mprapi.resources_31bf3856ad364e35_6.1.7600.16385_de-de_71891b41ac925104.manifest	Process not Found
File opened for modification	C:\Windows\winsxs\Backup\amd64_microsoft-windows-s..subsystem.resources_31bf3856ad364e35_6.1.7600.16385_en-us_4fbac3e2381c9426_scardsvr.dll.mui_5f6fb64f	Process not Found
File opened for modification	C:\Windows\winsxs\Backup\amd64_microsoft-windows-com-base.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_4344f5fd149fa43d_ole32.dll.mui_5035d60a	Process not Found
File opened for modification	C:\Windows\winsxs\Backup\amd64_microsoft-windows-font-bitmap-small_31bf3856ad364e35_6.1.7600.16385_none_d7839341959a2de0_jsmalle.fon_4f77c739	Process not Found
File opened for modification	C:\Windows\winsxs\Backup\amd64_microsoft-windows-s..subsystem.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_f23d96c52b159c2d.manifest	Process not Found
File opened for modification	C:\Windows\winsxs\Backup\x86_microsoft-windows-b..iagnostic.resources_31bf3856ad364e35_6.1.7600.16385_de-de_0dced78afd81a001.manifest	Process not Found
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-vsssystemprovider_31bf3856ad364e35_6.1.7600.16385_none_a727eb798dcfb185\swprv.dll	svchost.exe
File opened for modification	C:\Windows\winsxs\Backup\amd64_microsoft-windows-advapi32.resources_31bf3856ad364e35_6.1.7600.16385_it-it_0129330494b0e3c3.manifest	svchost.exe
File opened for modification	C:\Windows\winsxs\Backup\amd64_microsoft-windows-duser.resources_31bf3856ad364e35_6.1.7600.16385_it-it_5dd0337406abf37e.manifest	Process not Found
File opened for modification	C:\Windows\winsxs\Backup\wow64_microsoft-windows-p..structure.resources_31bf3856ad364e35_6.1.7600.16385_es-es_cb31547d0a230c7b_lodctr.exe.mui_4ac7d1a1	Process not Found
File opened for modification	C:\Windows\winsxs\Backup\x86_microsoft-windows-mprmsg.resources_31bf3856ad364e35_6.1.7600.16385_it-it_1160f636f9408069.manifest	Process not Found
File opened for modification	C:\Windows\winsxs\Backup\x86_microsoft-windows-imagesp1.resources_31bf3856ad364e35_6.1.7600.16385_de-de_fa97652addc65bf0_imagesp1.dll.mui_14e4c892	Process not Found
File opened for modification	C:\Windows\winsxs\Backup\amd64_microsoft-windows-acledit.resources_31bf3856ad364e35_6.1.7601.17514_es-es_87377835d7709369.manifest	svchost.exe
File opened for modification	C:\Windows\winsxs\Backup\amd64_microsoft-windows-b..iagnostic.resources_31bf3856ad364e35_6.1.7600.16385_es-es_12a9a5eba4e40ea1_memtest.efi.mui_71e15c22	svchost.exe
File opened for modification	C:\Windows\winsxs\Backup\amd64_microsoft-windows-v..skservice.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_a088a0fcf928c5b8_vdsutil.dll.mui_0caf9b0e	Process not Found
File opened for modification	C:\Windows\winsxs\Backup\wow64_microsoft-windows-msxml60.resources_31bf3856ad364e35_6.1.7600.16385_en-us_3bdcee47d56ca31c.manifest	Process not Found
File opened for modification	C:\Windows\winsxs\Backup\x86_microsoft-windows-comdlg32.resources_31bf3856ad364e35_6.1.7601.17514_el-gr_eca2efc0ce675eb0_comdlg32.dll.mui_ac8e62f4	Process not Found
File opened for modification	C:\Windows\winsxs\Backup\amd64_microsoft-windows-i..r_service.resources_31bf3856ad364e35_6.1.7601.17514_fr-fr_b35e5a8cb554f3c8_iscsicli.exe.mui_64c0a23c	Process not Found
File opened for modification	C:\Windows\winsxs\Backup\amd64_microsoft-windows-oleacc_31bf3856ad364e35_6.1.7600.16385_none_c679af753c14c22a_oleacchooks.dll_f9282ebb	Process not Found
File opened for modification	C:\Windows\winsxs\Backup\x86_microsoft-windows-mlang.resources_31bf3856ad364e35_6.1.7600.16385_pl-pl_856144d7e24caf0a_mlang.dll.mui_2904864a	Process not Found
File opened for modification	C:\Windows\winsxs\Backup\x86_microsoft-windows-g..licy-base.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_efdb39f58f7fc483_gpsvc.dll.mui_0c160ac2	Process not Found
File opened for modification	C:\Windows\winsxs\Backup\x86_microsoft-windows-u..em-config.resources_31bf3856ad364e35_6.1.7600.16385_es-es_9162dff52c1fa7f0.manifest	Process not Found
File opened for modification	C:\Windows\winsxs\Backup\x86_microsoft-windows-spp-main.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_ef5bd8db7860b785_sxproxy.dll.mui_f9d8f818	Process not Found
File opened for modification	C:\Windows\winsxs\Backup\amd64_microsoft-windows-comctl32-v5.resources_31bf3856ad364e35_6.1.7600.16385_sk-sk_a6fad1d3f5b2f99e.manifest	Process not Found
File opened for modification	C:\Windows\winsxs\Backup\x86_microsoft-windows-c..ityclient.resources_31bf3856ad364e35_6.1.7600.16385_it-it_f1407637cb533c29_certcli.dll.mui_1b6822cf	Process not Found
File opened for modification	C:\Windows\winsxs\Backup\amd64_microsoft-windows-mssign32-dll.resources_31bf3856ad364e35_6.1.7600.16385_de-de_70fb624d1eb400d4_mssign32.dll.mui_d663578f	Process not Found
File opened for modification	C:\Windows\winsxs\Backup\amd64_microsoft-windows-eventlog.resources_31bf3856ad364e35_6.1.7600.16385_it-it_86a68a63a4aaf841_wevtsvc.dll.mui_f41bf7b7	Process not Found
File opened for modification	C:\Windows\winsxs\Backup\amd64_microsoft-windows-smartcardksp.resources_31bf3856ad364e35_6.1.7601.17514_ja-jp_940adae60f7352f1_scksp.dll.mui_05f14191	Process not Found
File opened for modification	C:\Windows\winsxs\Backup\x86_microsoft-windows-searchfolder.resources_31bf3856ad364e35_6.1.7600.16385_it-it_09d8903c3785e299.manifest	Process not Found
File opened for modification	C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngen_service.log	svchost.exe
File opened for modification	C:\Windows\winsxs\Backup\amd64_microsoft-windows-d..owmanager.resources_31bf3856ad364e35_6.1.7600.16385_de-de_5cfd5768e6a365dc_udwm.dll.mui_43c5183a	Process not Found
File opened for modification	C:\Windows\winsxs\Backup\amd64_microsoft-windows-userenv.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_4eb77dbefa68f95e_userenv.dll.mui_e516a7e7	Process not Found
File opened for modification	C:\Windows\winsxs\Backup\x86_microsoft-windows-c..ityclient.resources_31bf3856ad364e35_6.1.7600.16385_de-de_bba4d715124a42df_certcli.dll.mui_1b6822cf	Process not Found
File opened for modification	C:\Windows\winsxs\Backup\amd64_microsoft-windows-winbio.resources_31bf3856ad364e35_6.1.7600.16385_en-us_f7cfb58904f20330_winbio.dll.mui_7a8d17bd	Process not Found
File opened for modification	C:\Windows\winsxs\Backup\wow64_microsoft-windows-setupapi_31bf3856ad364e35_6.1.7601.17514_none_9d700972113e2691_setupapi.dll_8d9de2e7	Process not Found
File opened for modification	C:\Windows\winsxs\Backup\amd64_microsoft-windows-s..pp-client.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_c40f51aeb9049490_slc.dll.mui_dc24f809	Process not Found
File opened for modification	C:\Windows\winsxs\Backup\wow64_microsoft-windows-security-spp.resources_31bf3856ad364e35_6.1.7600.16385_it-it_8fbc5c354f175176.manifest	Process not Found
File opened for modification	C:\Windows\winsxs\Backup\x86_microsoft-windows-p..ndprintui.resources_31bf3856ad364e35_6.1.7600.16385_es-es_d2945884bb037beb_compstui.dll.mui_0724407b	Process not Found
File opened for modification	C:\Windows\winsxs\Backup\x86_microsoft-windows-keyiso.resources_31bf3856ad364e35_6.1.7600.16385_es-es_0a2cb448d58b3a35_keyiso.dll.mui_4bbf12ff	Process not Found
File opened for modification	C:\Windows\winsxs\Backup\x86_microsoft-windows-m..ditevtlog.resources_31bf3856ad364e35_6.1.7600.16385_en-us_59dbfa16bb2ffc3e_msaudite.dll.mui_dc90ce41	Process not Found
File opened for modification	C:\Windows\winsxs\Backup\x86_microsoft-windows-s..edstorage.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_1556bf73a7aa583d_psbase.dll.mui_c28690ab	Process not Found
File opened for modification	C:\Windows\winsxs\Backup\x86_microsoft-windows-searchfolder.resources_31bf3856ad364e35_6.1.7600.16385_en-us_7d2dc7126d5af514_searchfolder.dll.mui_8c30bdaf	Process not Found
File opened for modification	C:\Windows\winsxs\Backup\amd64_microsoft-windows-imageres.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_a93cd3a078fdd9e5_imageres.dll.mui_3e41dee6	Process not Found
File opened for modification	C:\Windows\winsxs\Backup\amd64_microsoft-windows-o..ct-picker.resources_31bf3856ad364e35_6.1.7600.16385_en-us_c2c7f379a97f4b72.manifest	Process not Found
File opened for modification	C:\Windows\winsxs\Backup\amd64_microsoft-windows-vssapi.resources_31bf3856ad364e35_6.1.7600.16385_en-us_41850747ece57d4a_vsstrace.dll.mui_3a1fe238	Process not Found
File opened for modification	C:\Windows\winsxs\Backup\x86_microsoft-windows-i..ltinstall.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_df835a4f90338445_infdefaultinstall.exe.mui_ea4c5b8c	Process not Found
File opened for modification	C:\Windows\winsxs\Backup\amd64_microsoft-windows-e..estorageengine-isam_31bf3856ad364e35_6.1.7601.17514_none_500a4c5042ab494a_esent.dll_35f49bdd	Process not Found
File opened for modification	C:\Windows\winsxs\Backup\amd64_microsoft-windows-uxtheme_31bf3856ad364e35_6.1.7600.16385_none_01d98c7b2040a1b9.manifest	Process not Found
File opened for modification	C:\Windows\winsxs\Backup\amd64_microsoft-windows-font-bitmap-fixed_31bf3856ad364e35_6.1.7600.16385_none_db04d3f548508fd9_8514fixg.fon_f6656725	Process not Found
File opened for modification	C:\Windows\winsxs\Backup\amd64_microsoft-windows-i..rvice_mof.resources_31bf3856ad364e35_6.1.7600.16385_en-us_812693c00b3677f4.manifest	Process not Found
File opened for modification	C:\Windows\winsxs\Backup\x86_microsoft-windows-i..er-engine.resources_31bf3856ad364e35_6.1.7601.17514_bg-bg_5ac99802e880497e_msimsg.dll.mui_72e8994f	Process not Found
File opened for modification	C:\Windows\winsxs\Backup\x86_microsoft-windows-m..ditevtlog.resources_31bf3856ad364e35_6.1.7600.16385_es-es_59a756fabb56ede3_auditpol.exe.mui_df4767d7	Process not Found
File opened for modification	C:\Windows\winsxs\Backup\x86_microsoft-windows-uxtheme.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_44c69dc0653f7644.manifest	Process not Found
File opened for modification	C:\Windows\winsxs\Backup\amd64_microsoft-windows-cryptui-dll.resources_31bf3856ad364e35_6.1.7601.17514_de-de_b8975dacc61ac776_cryptui.dll.mui_9728c1dd	Process not Found
File opened for modification	C:\Windows\winsxs\Backup\amd64_microsoft-windows-hardware-policy_31bf3856ad364e35_6.1.7601.17514_none_604653a7c0745b40.manifest	Process not Found
File opened for modification	C:\Windows\winsxs\Backup\amd64_microsoft-windows-i..rvice_mof.resources_31bf3856ad364e35_6.1.7600.16385_it-it_0dd15ce9d5616579.manifest	Process not Found
File opened for modification	C:\Windows\winsxs\Backup\wow64_microsoft-windows-qos_31bf3856ad364e35_6.1.7600.16385_none_14950489a5b66a85.manifest	Process not Found
File opened for modification	C:\Windows\winsxs\Backup\amd64_microsoft-windows-i..ltinstall.resources_31bf3856ad364e35_6.1.7600.16385_de-de_63e0d7a39c6cea56.manifest	Process not Found
File opened for modification	C:\Windows\winsxs\Backup\amd64_microsoft-windows-oleaccrc.resources_31bf3856ad364e35_6.1.7600.16385_es-es_5c190fa510623c37.manifest	Process not Found

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 30 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
2452	PING.EXE
2752	PING.EXE
2372	PING.EXE
1156	PING.EXE
1140	PING.EXE
2676	PING.EXE
1156	PING.EXE
1852	PING.EXE
1784	PING.EXE
2860	PING.EXE
612	PING.EXE
2092	PING.EXE
1268	PING.EXE
2560	PING.EXE
2156	PING.EXE
328	PING.EXE
2920	PING.EXE
2888	PING.EXE
1372	PING.EXE
1540	PING.EXE
1416	PING.EXE
844	PING.EXE
2436	PING.EXE
1396	PING.EXE
2076	PING.EXE
2520	PING.EXE
1820	PING.EXE
548	PING.EXE
2836	PING.EXE
692	PING.EXE

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Sysinternals\SDelete\EulaAccepted = "1"	svchost.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Sysinternals\SDelete\EulaAccepted = "1"	Process not Found
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Sysinternals\SDelete\EulaAccepted = "1"	Process not Found
Key created	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\SDelete	Process not Found
Key created	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\SDelete	Process not Found
Key created	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\SDelete	Process not Found
Key created	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\SDelete	Process not Found
Key created	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\SDelete	svchost.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Sysinternals\SDelete\EulaAccepted = "1"	Process not Found
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Sysinternals\SDelete\EulaAccepted = "1"	Process not Found
Key created	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\SDelete	Process not Found
Key created	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\SDelete	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\SDelete	Process not Found
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Sysinternals\SDelete\EulaAccepted = "1"	Process not Found
Key created	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\SDelete	Process not Found
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Sysinternals\SDelete\EulaAccepted = "1"	Process not Found
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Sysinternals\SDelete\EulaAccepted = "1"	Process not Found
Key created	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\SDelete	Process not Found
Key created	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\SDelete	Process not Found
Key created	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\SDelete	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\SDelete	Process not Found
Key created	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\SDelete	Process not Found
Key created	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\SDelete	Process not Found
Key created	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\SDelete	Process not Found
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Sysinternals\SDelete\EulaAccepted = "1"	Process not Found
Key created	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\SDelete	Process not Found
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Sysinternals\SDelete\EulaAccepted = "1"	Process not Found
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Sysinternals\SDelete\EulaAccepted = "1"	Process not Found
Key created	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\SDelete	Process not Found
Key created	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\SDelete	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\SDelete	svchost.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Sysinternals\SDelete\EulaAccepted = "1"	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\SDelete	Process not Found
Key created	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\SDelete	Process not Found
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Sysinternals\SDelete\EulaAccepted = "1"	Process not Found
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Sysinternals\SDelete\EulaAccepted = "1"	Process not Found
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Sysinternals\SDelete\EulaAccepted = "1"	Process not Found
Key created	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\SDelete	Process not Found
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Sysinternals\SDelete\EulaAccepted = "1"	Process not Found
Key created	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\SDelete	Process not Found
Key created	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\SDelete	Process not Found
Key created	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\SDelete	Process not Found
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Sysinternals\SDelete\EulaAccepted = "1"	Process not Found
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Sysinternals\SDelete\EulaAccepted = "1"	Process not Found
Key created	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\SDelete	svchost.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Sysinternals\SDelete\EulaAccepted = "1"	Process not Found
Key created	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\SDelete	Process not Found
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Sysinternals\SDelete\EulaAccepted = "1"	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\SDelete	Process not Found
Key created	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\SDelete	Process not Found
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Sysinternals\SDelete\EulaAccepted = "1"	Process not Found
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Sysinternals\SDelete\EulaAccepted = "1"	Process not Found
Key created	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\SDelete	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\SDelete	Process not Found
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Sysinternals\SDelete\EulaAccepted = "1"	Process not Found
Key created	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\SDelete	Process not Found
Key created	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\SDelete	svchost.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Sysinternals\SDelete\EulaAccepted = "1"	Process not Found
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Sysinternals\SDelete\EulaAccepted = "1"	Process not Found
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Sysinternals\SDelete\EulaAccepted = "1"	Process not Found
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Sysinternals\SDelete\EulaAccepted = "1"	Process not Found
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Sysinternals\SDelete\EulaAccepted = "1"	Process not Found
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Sysinternals\SDelete\EulaAccepted = "1"	Process not Found
Key created	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\SDelete	Process not Found

Runs ping.exe 1 TTPs 30 IoCs

Remote System Discovery

T1018

pid	Process
2888	PING.EXE
1372	PING.EXE
328	PING.EXE
1156	PING.EXE
2920	PING.EXE
2560	PING.EXE
2156	PING.EXE
1416	PING.EXE
844	PING.EXE
1268	PING.EXE
2436	PING.EXE
548	PING.EXE
2836	PING.EXE
2092	PING.EXE
2752	PING.EXE
2372	PING.EXE
2076	PING.EXE
2676	PING.EXE
2860	PING.EXE
1540	PING.EXE
1140	PING.EXE
692	PING.EXE
1820	PING.EXE
1396	PING.EXE
1784	PING.EXE
612	PING.EXE
2520	PING.EXE
1156	PING.EXE
2452	PING.EXE
1852	PING.EXE

Suspicious behavior: RenamesItself 26 IoCs

pid	Process
2708	svchost.exe
2708	svchost.exe
2708	svchost.exe
2708	svchost.exe
2708	svchost.exe
2708	svchost.exe
2708	svchost.exe
2708	svchost.exe
2708	svchost.exe
2708	svchost.exe
2708	svchost.exe
2708	svchost.exe
2708	svchost.exe
2708	svchost.exe
2708	svchost.exe
2708	svchost.exe
2708	svchost.exe
2708	svchost.exe
2708	svchost.exe
2708	svchost.exe
2708	svchost.exe
2708	svchost.exe
2708	svchost.exe
2708	svchost.exe
2708	svchost.exe
2708	svchost.exe

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
780	nsf.exe
3016	nsf.exe
2960	nsf.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2224 wrote to memory of 2628	2224	cgi19-alptsevs-h555.exe_.exe	30
PID 2224 wrote to memory of 2628	2224	cgi19-alptsevs-h555.exe_.exe	30
PID 2224 wrote to memory of 2628	2224	cgi19-alptsevs-h555.exe_.exe	30
PID 2224 wrote to memory of 2628	2224	cgi19-alptsevs-h555.exe_.exe	30
PID 2224 wrote to memory of 2628	2224	cgi19-alptsevs-h555.exe_.exe	30
PID 2224 wrote to memory of 2628	2224	cgi19-alptsevs-h555.exe_.exe	30
PID 2224 wrote to memory of 2628	2224	cgi19-alptsevs-h555.exe_.exe	30
PID 2224 wrote to memory of 780	2224	cgi19-alptsevs-h555.exe_.exe	31
PID 2224 wrote to memory of 780	2224	cgi19-alptsevs-h555.exe_.exe	31
PID 2224 wrote to memory of 780	2224	cgi19-alptsevs-h555.exe_.exe	31
PID 2224 wrote to memory of 780	2224	cgi19-alptsevs-h555.exe_.exe	31
PID 2224 wrote to memory of 780	2224	cgi19-alptsevs-h555.exe_.exe	31
PID 2224 wrote to memory of 780	2224	cgi19-alptsevs-h555.exe_.exe	31
PID 2224 wrote to memory of 780	2224	cgi19-alptsevs-h555.exe_.exe	31
PID 2224 wrote to memory of 1156	2224	cgi19-alptsevs-h555.exe_.exe	32
PID 2224 wrote to memory of 1156	2224	cgi19-alptsevs-h555.exe_.exe	32
PID 2224 wrote to memory of 1156	2224	cgi19-alptsevs-h555.exe_.exe	32
PID 2224 wrote to memory of 1156	2224	cgi19-alptsevs-h555.exe_.exe	32
PID 2224 wrote to memory of 1156	2224	cgi19-alptsevs-h555.exe_.exe	32
PID 2224 wrote to memory of 1156	2224	cgi19-alptsevs-h555.exe_.exe	32
PID 2224 wrote to memory of 1156	2224	cgi19-alptsevs-h555.exe_.exe	32
PID 2224 wrote to memory of 2888	2224	cgi19-alptsevs-h555.exe_.exe	34
PID 2224 wrote to memory of 2888	2224	cgi19-alptsevs-h555.exe_.exe	34
PID 2224 wrote to memory of 2888	2224	cgi19-alptsevs-h555.exe_.exe	34
PID 2224 wrote to memory of 2888	2224	cgi19-alptsevs-h555.exe_.exe	34
PID 2224 wrote to memory of 2888	2224	cgi19-alptsevs-h555.exe_.exe	34
PID 2224 wrote to memory of 2888	2224	cgi19-alptsevs-h555.exe_.exe	34
PID 2224 wrote to memory of 2888	2224	cgi19-alptsevs-h555.exe_.exe	34
PID 2224 wrote to memory of 1372	2224	cgi19-alptsevs-h555.exe_.exe	36
PID 2224 wrote to memory of 1372	2224	cgi19-alptsevs-h555.exe_.exe	36
PID 2224 wrote to memory of 1372	2224	cgi19-alptsevs-h555.exe_.exe	36
PID 2224 wrote to memory of 1372	2224	cgi19-alptsevs-h555.exe_.exe	36
PID 2224 wrote to memory of 1372	2224	cgi19-alptsevs-h555.exe_.exe	36
PID 2224 wrote to memory of 1372	2224	cgi19-alptsevs-h555.exe_.exe	36
PID 2224 wrote to memory of 1372	2224	cgi19-alptsevs-h555.exe_.exe	36
PID 2224 wrote to memory of 2452	2224	cgi19-alptsevs-h555.exe_.exe	38
PID 2224 wrote to memory of 2452	2224	cgi19-alptsevs-h555.exe_.exe	38
PID 2224 wrote to memory of 2452	2224	cgi19-alptsevs-h555.exe_.exe	38
PID 2224 wrote to memory of 2452	2224	cgi19-alptsevs-h555.exe_.exe	38
PID 2224 wrote to memory of 2452	2224	cgi19-alptsevs-h555.exe_.exe	38
PID 2224 wrote to memory of 2452	2224	cgi19-alptsevs-h555.exe_.exe	38
PID 2224 wrote to memory of 2452	2224	cgi19-alptsevs-h555.exe_.exe	38
PID 2224 wrote to memory of 1268	2224	cgi19-alptsevs-h555.exe_.exe	41
PID 2224 wrote to memory of 1268	2224	cgi19-alptsevs-h555.exe_.exe	41
PID 2224 wrote to memory of 1268	2224	cgi19-alptsevs-h555.exe_.exe	41
PID 2224 wrote to memory of 1268	2224	cgi19-alptsevs-h555.exe_.exe	41
PID 2224 wrote to memory of 1268	2224	cgi19-alptsevs-h555.exe_.exe	41
PID 2224 wrote to memory of 1268	2224	cgi19-alptsevs-h555.exe_.exe	41
PID 2224 wrote to memory of 1268	2224	cgi19-alptsevs-h555.exe_.exe	41
PID 2224 wrote to memory of 2436	2224	cgi19-alptsevs-h555.exe_.exe	43
PID 2224 wrote to memory of 2436	2224	cgi19-alptsevs-h555.exe_.exe	43
PID 2224 wrote to memory of 2436	2224	cgi19-alptsevs-h555.exe_.exe	43
PID 2224 wrote to memory of 2436	2224	cgi19-alptsevs-h555.exe_.exe	43
PID 2224 wrote to memory of 2436	2224	cgi19-alptsevs-h555.exe_.exe	43
PID 2224 wrote to memory of 2436	2224	cgi19-alptsevs-h555.exe_.exe	43
PID 2224 wrote to memory of 2436	2224	cgi19-alptsevs-h555.exe_.exe	43
PID 2224 wrote to memory of 2752	2224	cgi19-alptsevs-h555.exe_.exe	45
PID 2224 wrote to memory of 2752	2224	cgi19-alptsevs-h555.exe_.exe	45
PID 2224 wrote to memory of 2752	2224	cgi19-alptsevs-h555.exe_.exe	45
PID 2224 wrote to memory of 2752	2224	cgi19-alptsevs-h555.exe_.exe	45
PID 2224 wrote to memory of 2752	2224	cgi19-alptsevs-h555.exe_.exe	45
PID 2224 wrote to memory of 2752	2224	cgi19-alptsevs-h555.exe_.exe	45
PID 2224 wrote to memory of 2752	2224	cgi19-alptsevs-h555.exe_.exe	45
PID 2224 wrote to memory of 1396	2224	cgi19-alptsevs-h555.exe_.exe	47

C:\Users\Admin\AppData\Local\Temp\cgi19-alptsevs-h555.exe_.exe
"C:\Users\Admin\AppData\Local\Temp\cgi19-alptsevs-h555.exe_.exe"
1⤵
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2224
- C:\Windows\SysWOW64\svschost.exe
  "C:\Windows\system32\svschost.exe" -i
  2⤵
  - Executes dropped EXE
  PID:2628
- C:\Windows\SysWOW64\nsf.exe
  "C:\Windows\system32\nsf.exe" /nobootpass /lock Yrs5S2z1
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Writes to the Master Boot Record (MBR)
  - Suspicious use of SetWindowsHookEx
  PID:780
- C:\Windows\SysWOW64\PING.EXE
  "C:\Windows\System32\PING.EXE" -n 1 -w 1000 11.11.11.11 >nul
  2⤵
  - System Network Configuration Discovery: Internet Connection Discovery
  - Runs ping.exe
  PID:1156
- C:\Windows\SysWOW64\PING.EXE
  "C:\Windows\System32\PING.EXE" -n 1 -w 1000 11.11.11.11 >nul
  2⤵
  - System Network Configuration Discovery: Internet Connection Discovery
  - Runs ping.exe
  PID:2888
- C:\Windows\SysWOW64\PING.EXE
  "C:\Windows\System32\PING.EXE" -n 1 -w 1000 11.11.11.11 >nul
  2⤵
  - System Network Configuration Discovery: Internet Connection Discovery
  - Runs ping.exe
  PID:1372
- C:\Windows\SysWOW64\PING.EXE
  "C:\Windows\System32\PING.EXE" -n 1 -w 1000 11.11.11.11 >nul
  2⤵
  - System Network Configuration Discovery: Internet Connection Discovery
  - Runs ping.exe
  PID:2452
- C:\Windows\SysWOW64\PING.EXE
  "C:\Windows\System32\PING.EXE" -n 1 -w 1000 11.11.11.11 >nul
  2⤵
  - System Network Configuration Discovery: Internet Connection Discovery
  - Runs ping.exe
  PID:1268
- C:\Windows\SysWOW64\PING.EXE
  "C:\Windows\System32\PING.EXE" -n 1 -w 1000 11.11.11.11 >nul
  2⤵
  - System Network Configuration Discovery: Internet Connection Discovery
  - Runs ping.exe
  PID:2436
- C:\Windows\SysWOW64\PING.EXE
  "C:\Windows\System32\PING.EXE" -n 1 -w 1000 11.11.11.11 >nul
  2⤵
  - System Network Configuration Discovery: Internet Connection Discovery
  - Runs ping.exe
  PID:2752
- C:\Windows\SysWOW64\PING.EXE
  "C:\Windows\System32\PING.EXE" -n 1 -w 1000 11.11.11.11 >nul
  2⤵
  - System Network Configuration Discovery: Internet Connection Discovery
  - Runs ping.exe
  PID:1396
- C:\Windows\SysWOW64\svschost.exe
  "C:\Windows\system32\svschost.exe" -i
  2⤵
  - Executes dropped EXE
  PID:816
- C:\Windows\SysWOW64\nsf.exe
  "C:\Windows\system32\nsf.exe" /nobootpass /lock Yrs5S2z1
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Writes to the Master Boot Record (MBR)
  - Suspicious use of SetWindowsHookEx
  PID:3016
- C:\Windows\SysWOW64\PING.EXE
  "C:\Windows\System32\PING.EXE" -n 1 -w 1000 11.11.11.11 >nul
  2⤵
  - System Network Configuration Discovery: Internet Connection Discovery
  - Runs ping.exe
  PID:2372
- C:\Windows\SysWOW64\PING.EXE
  "C:\Windows\System32\PING.EXE" -n 1 -w 1000 11.11.11.11 >nul
  2⤵
  - System Network Configuration Discovery: Internet Connection Discovery
  - Runs ping.exe
  PID:1540
- C:\Windows\SysWOW64\PING.EXE
  "C:\Windows\System32\PING.EXE" -n 1 -w 1000 11.11.11.11 >nul
  2⤵
  - System Network Configuration Discovery: Internet Connection Discovery
  - Runs ping.exe
  PID:2560
- C:\Windows\SysWOW64\PING.EXE
  "C:\Windows\System32\PING.EXE" -n 1 -w 1000 11.11.11.11 >nul
  2⤵
  - System Network Configuration Discovery: Internet Connection Discovery
  - Runs ping.exe
  PID:1852
- C:\Windows\SysWOW64\PING.EXE
  "C:\Windows\System32\PING.EXE" -n 1 -w 1000 11.11.11.11 >nul
  2⤵
  - System Network Configuration Discovery: Internet Connection Discovery
  - Runs ping.exe
  PID:2076
- C:\Windows\SysWOW64\PING.EXE
  "C:\Windows\System32\PING.EXE" -n 1 -w 1000 11.11.11.11 >nul
  2⤵
  - System Network Configuration Discovery: Internet Connection Discovery
  - Runs ping.exe
  PID:2156
- C:\Windows\SysWOW64\PING.EXE
  "C:\Windows\System32\PING.EXE" -n 1 -w 1000 11.11.11.11 >nul
  2⤵
  - System Network Configuration Discovery: Internet Connection Discovery
  - Runs ping.exe
  PID:548
- C:\Windows\SysWOW64\PING.EXE
  "C:\Windows\System32\PING.EXE" -n 1 -w 1000 11.11.11.11 >nul
  2⤵
  - System Network Configuration Discovery: Internet Connection Discovery
  - Runs ping.exe
  PID:328
- C:\Windows\SysWOW64\PING.EXE
  "C:\Windows\System32\PING.EXE" -n 1 -w 1000 11.11.11.11 >nul
  2⤵
  - System Network Configuration Discovery: Internet Connection Discovery
  - Runs ping.exe
  PID:1140
- C:\Windows\SysWOW64\PING.EXE
  "C:\Windows\System32\PING.EXE" -n 1 -w 1000 11.11.11.11 >nul
  2⤵
  - System Network Configuration Discovery: Internet Connection Discovery
  - Runs ping.exe
  PID:2676
- C:\Windows\SysWOW64\svschost.exe
  "C:\Windows\system32\svschost.exe" -s
  2⤵
  - Executes dropped EXE
  PID:1340
- C:\Windows\SysWOW64\PING.EXE
  "C:\Windows\System32\PING.EXE" -n 1 -w 1000 11.11.11.11 >nul
  2⤵
  - System Network Configuration Discovery: Internet Connection Discovery
  - Runs ping.exe
  PID:1416
- C:\Windows\SysWOW64\PING.EXE
  "C:\Windows\System32\PING.EXE" -n 1 -w 1000 11.11.11.11 >nul
  2⤵
  - System Network Configuration Discovery: Internet Connection Discovery
  - Runs ping.exe
  PID:2836
- C:\Windows\SysWOW64\svschost.exe
  "C:\Windows\system32\svschost.exe" -i
  2⤵
  - Executes dropped EXE
  PID:2784
- C:\Windows\SysWOW64\nsf.exe
  "C:\Windows\system32\nsf.exe" /nobootpass /lock Yrs5S2z1
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Writes to the Master Boot Record (MBR)
  - Suspicious use of SetWindowsHookEx
  PID:2960
- C:\Windows\SysWOW64\PING.EXE
  "C:\Windows\System32\PING.EXE" -n 1 -w 1000 11.11.11.11 >nul
  2⤵
  - System Network Configuration Discovery: Internet Connection Discovery
  - Runs ping.exe
  PID:1156
- C:\Windows\SysWOW64\PING.EXE
  "C:\Windows\System32\PING.EXE" -n 1 -w 1000 11.11.11.11 >nul
  2⤵
  - System Network Configuration Discovery: Internet Connection Discovery
  - Runs ping.exe
  PID:2920
- C:\Windows\SysWOW64\PING.EXE
  "C:\Windows\System32\PING.EXE" -n 1 -w 1000 11.11.11.11 >nul
  2⤵
  - System Network Configuration Discovery: Internet Connection Discovery
  - Runs ping.exe
  PID:1784
- C:\Windows\SysWOW64\PING.EXE
  "C:\Windows\System32\PING.EXE" -n 1 -w 1000 11.11.11.11 >nul
  2⤵
  - System Network Configuration Discovery: Internet Connection Discovery
  - Runs ping.exe
  PID:2860
- C:\Windows\SysWOW64\PING.EXE
  "C:\Windows\System32\PING.EXE" -n 1 -w 1000 11.11.11.11 >nul
  2⤵
  - System Network Configuration Discovery: Internet Connection Discovery
  - Runs ping.exe
  PID:2520
- C:\Windows\SysWOW64\PING.EXE
  "C:\Windows\System32\PING.EXE" -n 1 -w 1000 11.11.11.11 >nul
  2⤵
  - System Network Configuration Discovery: Internet Connection Discovery
  - Runs ping.exe
  PID:844
- C:\Windows\SysWOW64\PING.EXE
  "C:\Windows\System32\PING.EXE" -n 1 -w 1000 11.11.11.11 >nul
  2⤵
  - System Network Configuration Discovery: Internet Connection Discovery
  - Runs ping.exe
  PID:612
- C:\Windows\SysWOW64\PING.EXE
  "C:\Windows\System32\PING.EXE" -n 1 -w 1000 11.11.11.11 >nul
  2⤵
  - System Network Configuration Discovery: Internet Connection Discovery
  - Runs ping.exe
  PID:2092
- C:\Windows\SysWOW64\PING.EXE
  "C:\Windows\System32\PING.EXE" -n 1 -w 1000 11.11.11.11 >nul
  2⤵
  - System Network Configuration Discovery: Internet Connection Discovery
  - Runs ping.exe
  PID:1820
- C:\Windows\SysWOW64\PING.EXE
  "C:\Windows\System32\PING.EXE" -n 1 -w 1000 11.11.11.11 >nul
  2⤵
  - System Network Configuration Discovery: Internet Connection Discovery
  - Runs ping.exe
  PID:692
- C:\Windows\SysWOW64\svschost.exe
  "C:\Windows\system32\svschost.exe" -s
  2⤵
  - Executes dropped EXE
  PID:3024
- C:\Windows\SysWOW64\svschost.exe
  "C:\Windows\system32\svschost.exe" -s
  2⤵
  - Executes dropped EXE
  PID:2776

C:\Windows\SysWOW64\svschost.exe
C:\Windows\SysWOW64\svschost.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Enumerates connected drives
PID:1688
- C:\Windows\SysWOW64\REG.exe
  REG ADD "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "svchost" /t REG_SZ /d "C:\dvsdlk\svchost.exe" /f
  2⤵
  - Adds Run key to start application
  PID:2128
- C:\Windows\SysWOW64\REG.exe
  REG ADD "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management" /v "ClearPageFileAtShutdown" /t REG_DWORD /d 1 /f
  2⤵
  PID:1080
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\$Recycle.Bin\S-1-5-21-1163522206-1469769407-485553996-1000\desktop.ini" /accepteula
  2⤵
  - Executes dropped EXE
  - Drops desktop.ini file(s)
  PID:2188
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Program Files\Mozilla Firefox\install.log" /accepteula
  2⤵
  - Executes dropped EXE
  - Drops file in Program Files directory
  PID:1160
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Program Files\Mozilla Firefox\uninstall\uninstall.log" /accepteula
  2⤵
  - Executes dropped EXE
  - Drops file in Program Files directory
  PID:2152
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Program Files\UnregisterExit.temp" /accepteula
  2⤵
  - Executes dropped EXE
  - Drops file in Program Files directory
  PID:328
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Program Files\VideoLAN\VLC\plugins\audio_filter\libscaletempo_pitch_plugin.dll" /accepteula
  2⤵
  - Executes dropped EXE
  - Drops file in Program Files directory
  PID:2016
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Program Files\VideoLAN\VLC\plugins\audio_filter\libscaletempo_plugin.dll" /accepteula
  2⤵
  - Executes dropped EXE
  - Drops file in Program Files directory
  PID:848
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Program Files\VideoLAN\VLC\uninstall.log" /accepteula
  2⤵
  - Executes dropped EXE
  - Drops file in Program Files directory
  PID:2624
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolBMPs\spacebackupicons.jpg" /accepteula
  2⤵
  - Executes dropped EXE
  - Drops file in Program Files directory
  PID:2800
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolBMPs\spacebackupiconsmask.bmp" /accepteula
  2⤵
  - Executes dropped EXE
  - Drops file in Program Files directory
  PID:2944
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Program Files (x86)\Mozilla Maintenance Service\logs\maintenanceservice-install.log" /accepteula
  2⤵
  - Executes dropped EXE
  - Drops file in Program Files directory
  PID:2860
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\ProgramData\Microsoft\Search\Data\Applications\Windows\MSS.log" /accepteula
  2⤵
  - Executes dropped EXE
  PID:868
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\ProgramData\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\Indexer\CiFiles\CiAB0001.001" /accepteula
  2⤵
  - Executes dropped EXE
  PID:2912
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\ProgramData\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\Indexer\CiFiles\CiAB0002.001" /accepteula
  2⤵
  - Executes dropped EXE
  PID:2092
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\ProgramData\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\Indexer\CiFiles\CiAD0001.001" /accepteula
  2⤵
  - Executes dropped EXE
  PID:2780
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\ProgramData\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\Indexer\CiFiles\INDEX.001" /accepteula
  2⤵
  - Executes dropped EXE
  PID:2360
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\ProgramData\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\PropMap\CiPT0000.001" /accepteula
  2⤵
  - Executes dropped EXE
  PID:3040
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\ProgramData\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\SecStore\CiST0000.001" /accepteula
  2⤵
  - Executes dropped EXE
  PID:1160
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Maintenance\Backup and Restore Center.lnk" /accepteula
  2⤵
  - Executes dropped EXE
  PID:2068
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\ProgramData\Microsoft\Windows Defender\Support\MPLog-07132009-221054.log" /accepteula
  2⤵
  - Executes dropped EXE
  PID:1548
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\System Volume Information\tracking.log" /accepteula
  2⤵
  - Executes dropped EXE
  PID:800
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\AutofillStrikeDatabase\LOG.old" /accepteula
  2⤵
  - Executes dropped EXE
  PID:1592
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\commerce_subscription_db\LOG.old" /accepteula
  2⤵
  - Executes dropped EXE
  PID:1588
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\coupon_db\LOG.old" /accepteula
  2⤵
  - Executes dropped EXE
  PID:2480
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extension Scripts\000003.log" /accepteula
  2⤵
  - Executes dropped EXE
  PID:892
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extension State\000006.log" /accepteula
  2⤵
  - Executes dropped EXE
  PID:2808
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extension State\LOG.old" /accepteula
  2⤵
  - Executes dropped EXE
  PID:580
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\GCM Store\Encryption\000005.log" /accepteula
  2⤵
  - Executes dropped EXE
  PID:780
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\GCM Store\Encryption\LOG.old" /accepteula
  2⤵
  - Executes dropped EXE
  PID:1984
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Local Storage\leveldb\000005.log" /accepteula
  2⤵
  - Executes dropped EXE
  PID:2520
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Local Storage\leveldb\LOG.old" /accepteula
  2⤵
  - Executes dropped EXE
  PID:2876
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\optimization_guide_hint_cache_store\LOG.old" /accepteula
  2⤵
  - Executes dropped EXE
  PID:1296
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\optimization_guide_model_metadata_store\LOG.old" /accepteula
  2⤵
  - Executes dropped EXE
  PID:2780
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Session Storage\000006.log" /accepteula
  2⤵
  - Executes dropped EXE
  PID:1820
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Session Storage\LOG.old" /accepteula
  2⤵
  - Executes dropped EXE
  PID:2900
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\shared_proto_db\000006.log" /accepteula
  2⤵
  - Executes dropped EXE
  PID:1224
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\shared_proto_db\LOG.old" /accepteula
  2⤵
  - Executes dropped EXE
  PID:2592
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\shared_proto_db\metadata\000006.log" /accepteula
  2⤵
  - Executes dropped EXE
  PID:1792
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\shared_proto_db\metadata\LOG.old" /accepteula
  2⤵
  - Executes dropped EXE
  PID:1944
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Site Characteristics Database\000006.log" /accepteula
  2⤵
  - Executes dropped EXE
  PID:2168
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Site Characteristics Database\LOG.old" /accepteula
  2⤵
  - Executes dropped EXE
  PID:848
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Sync Data\LevelDB\000006.log" /accepteula
  2⤵
  - Executes dropped EXE
  PID:2440
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Sync Data\LevelDB\LOG.old" /accepteula
  2⤵
  - Executes dropped EXE
  PID:2056
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\brndlog.bak" /accepteula
  2⤵
  - Executes dropped EXE
  PID:576
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\3D87ST3G\desktop.ini" /accepteula
  2⤵
  - Executes dropped EXE
  - Drops desktop.ini file(s)
  PID:2812
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\4JFE2I4S\desktop.ini" /accepteula
  2⤵
  - Executes dropped EXE
  - Drops desktop.ini file(s)
  PID:2768
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\6SLTOM5C\desktop.ini" /accepteula
  2⤵
  - Executes dropped EXE
  - Drops desktop.ini file(s)
  PID:2680
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\7BQ20K5D\favicon[1].ico" /accepteula
  2⤵
  - Executes dropped EXE
  PID:840
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\container.dat" /accepteula
  2⤵
  - Executes dropped EXE
  PID:1804
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\desktop.ini" /accepteula
  2⤵
  - Executes dropped EXE
  - Drops desktop.ini file(s)
  PID:2080
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\IJMS2YBB\desktop.ini" /accepteula
  2⤵
  - Executes dropped EXE
  - Drops desktop.ini file(s)
  PID:1292
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat" /accepteula
  2⤵
  - Executes dropped EXE
  PID:2152
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat" /accepteula
  2⤵
  - Executes dropped EXE
  PID:1536
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\desktop.ini" /accepteula
  2⤵
  - Executes dropped EXE
  - Drops desktop.ini file(s)
  PID:1524
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Users\Admin\AppData\Local\Microsoft\Windows\WebCache\V01.log" /accepteula
  2⤵
  - Executes dropped EXE
  PID:1692
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Users\Admin\AppData\Local\Microsoft\Windows\WebCache\V0100002.log" /accepteula
  2⤵
  PID:288
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Users\Admin\AppData\Local\Microsoft\Windows\WebCache\V0100003.log" /accepteula
  2⤵
  PID:2648
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Users\Admin\AppData\Local\Microsoft\Windows Mail\Backup\new\edb00001.log" /accepteula
  2⤵
  PID:1940
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Users\Admin\AppData\Local\Microsoft\Windows Mail\Backup\new\WindowsMail.MSMessageStore" /accepteula
  2⤵
  PID:1956
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Users\Admin\AppData\Local\Microsoft\Windows Mail\Backup\new\WindowsMail.pat" /accepteula
  2⤵
  PID:1504
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Users\Admin\AppData\Local\Microsoft\Windows Mail\edb.log" /accepteula
  2⤵
  PID:2840
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Users\Admin\AppData\Local\Microsoft\Windows Mail\edb00001.log" /accepteula
  2⤵
  PID:2808
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Users\Admin\AppData\Local\Temp\1403751101\payload.dat" /accepteula
  2⤵
  PID:2240
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Users\Admin\AppData\Local\Temp\1c7fb101-56e6-4115-994d-31ab6d14ea87.tmp" /accepteula
  2⤵
  PID:1192
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Users\Admin\AppData\Local\Temp\9a2eeb7a-f1f6-42ba-8915-12c0f99b74eb.tmp" /accepteula
  2⤵
  PID:2492
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Users\Admin\AppData\Local\Temp\Admin.bmp" /accepteula
  2⤵
  PID:1224
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Users\Admin\AppData\Local\Temp\ASPNETSetup_00000.log" /accepteula
  2⤵
  PID:1096
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Users\Admin\AppData\Local\Temp\ASPNETSetup_00001.log" /accepteula
  2⤵
  PID:2304
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Users\Admin\AppData\Local\Temp\ca6ec46ee9435a4745fd3a03267f051dc64540dd348f127bb33e9675dadd3d52.exe" /accepteula
  2⤵
  PID:1800
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Users\Admin\AppData\Local\Temp\calc.exe" /accepteula
  2⤵
  PID:2084
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Users\Admin\AppData\Local\Temp\ccc71c83c8d9895ef0b375273f9f185dfac63ecd01775e2dc705afe4d48c95e2_Dumped_TDS=4F9911B3.exe" /accepteula
  2⤵
  PID:2080
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Users\Admin\AppData\Local\Temp\ccc71c83c8d9895ef0b375273f9f185dfac63ecd01775e2dc705afe4d48c95e2_TDS=4FAD9768.exe" /accepteula
  2⤵
  PID:448
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Users\Admin\AppData\Local\Temp\cd2d085998a289134ffaf27fbdcbc8cb_api-ms-win-system-dispex-l1-1-0.dll" /accepteula
  2⤵
  PID:1648
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Users\Admin\AppData\Local\Temp\cdffb7e75b20eeae4db75c9962c17b3be980a719f7597e8b11a747d72c975a36_not_packed_maybe_useless.exe" /accepteula
  2⤵
  PID:1712
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Users\Admin\AppData\Local\Temp\cf7382c25a8bf0d904d51063ceb29fb70f630bc9.exe" /accepteula
  2⤵
  PID:2412
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Users\Admin\AppData\Local\Temp\cgi19-alptsevs-h555.exe_.exe" /accepteula
  2⤵
  - Deletes itself
  - Suspicious behavior: RenamesItself
  PID:2708
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Users\Admin\AppData\Local\Temp\chrome_installer.log" /accepteula
  2⤵
  PID:2620
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Users\Admin\AppData\Local\Temp\chrst.exe" /accepteula
  2⤵
  PID:2776
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Users\Admin\AppData\Local\Temp\ci05l2a.exe" /accepteula
  2⤵
  PID:1160
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Users\Admin\AppData\Local\Temp\cl.exe" /accepteula
  2⤵
  PID:328
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Users\Admin\AppData\Local\Temp\clean.exe" /accepteula
  2⤵
  PID:2868
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Users\Admin\AppData\Local\Temp\coinvault.exe" /accepteula
  2⤵
  PID:1080
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Users\Admin\AppData\Local\Temp\com_loader.exe" /accepteula
  2⤵
  PID:1692
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Users\Admin\AppData\Local\Temp\csrss.ex_.exe" /accepteula
  2⤵
  PID:848
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Users\Admin\AppData\Local\Temp\d.exe" /accepteula
  2⤵
  PID:2336
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Users\Admin\AppData\Local\Temp\D02D012970AA164CAD15C757D7E52994.exe" /accepteula
  2⤵
  PID:2644
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Users\Admin\AppData\Local\Temp\d0a5cfec8e80622b3e194b5ee03e93d78c7ef3478bead6a039d213caaaa58523_Dumped_TDS=4F9911B3.exe" /accepteula
  2⤵
  - Modifies data under HKEY_USERS
  PID:1344
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Users\Admin\AppData\Local\Temp\d0a5cfec8e80622b3e194b5ee03e93d78c7ef3478bead6a039d213caaaa58523_TDS=4FA478A6.exe" /accepteula
  2⤵
  PID:1592
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Users\Admin\AppData\Local\Temp\d2164cdbc9c78db0115f382a139ccd758f8a25ebfc5ab3e0034e7aef0fe0b6b4_Dumped_TDS=4FB252FB.exe" /accepteula
  2⤵
  PID:1980
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Users\Admin\AppData\Local\Temp\d2164cdbc9c78db0115f382a139ccd758f8a25ebfc5ab3e0034e7aef0fe0b6b4_TDS=4FB30D08.exe" /accepteula
  2⤵
  PID:1500
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Users\Admin\AppData\Local\Temp\d4439055d2d63e52ffc23c6d24d89194_86e510605f1ee068bdc1ae306312652a__1.dll" /accepteula
  2⤵
  PID:2112
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Users\Admin\AppData\Local\Temp\d54d2a216e637bcd36e5217cfba98896.exe" /accepteula
  2⤵
  PID:2316
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Users\Admin\AppData\Local\Temp\d5f29750a8cb158d9b89a1e02e8addc5e410d1ddc48e660589144ade47f794c5.exe" /accepteula
  2⤵
  PID:1568
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Users\Admin\AppData\Local\Temp\d6c32b0146f219bdcb5cf524ea9e0047d9b9bd0fd7c395d5b11cbc4c3298824d.exe" /accepteula
  2⤵
  PID:1420
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Users\Admin\AppData\Local\Temp\d889734783273b7158deeae6cf804a6be99c3a5353d94225a4dbe92caf3a3d48.exe" /accepteula
  2⤵
  PID:2852
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Users\Admin\AppData\Local\Temp\daaa72f48bea498c5ac7ce9bc315e585ff11dad04d1eeb0d1b0ce33a28bedf2d.exe" /accepteula
  2⤵
  PID:2700
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Users\Admin\AppData\Local\Temp\DBm0yQwt.exe.ViR.exe" /accepteula
  2⤵
  PID:2964
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Users\Admin\AppData\Local\Temp\ddbf1840bf626da19d8f3467fe9e20e2.exe" /accepteula
  2⤵
  PID:2932
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Users\Admin\AppData\Local\Temp\dd_NDP472-KB4054530-x86-x64-AllOS-ENU_decompression_log.txt" /accepteula
  2⤵
  PID:2920
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Users\Admin\AppData\Local\Temp\dd_SetupUtility.txt" /accepteula
  2⤵
  PID:1268
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Users\Admin\AppData\Local\Temp\dd_vcredistMSI7E5A.txt" /accepteula
  2⤵
  PID:2876
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Users\Admin\AppData\Local\Temp\dd_vcredistMSI7E91.txt" /accepteula
  2⤵
  PID:3048
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Users\Admin\AppData\Local\Temp\dd_vcredistUI7E5A.txt" /accepteula
  2⤵
  PID:1544
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Users\Admin\AppData\Local\Temp\dd_vcredistUI7E91.txt" /accepteula
  2⤵
  PID:2436
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Users\Admin\AppData\Local\Temp\dd_wcf_CA_smci_20241023_170318_849.txt" /accepteula
  2⤵
  PID:612
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Users\Admin\AppData\Local\Temp\dd_wcf_CA_smci_20241023_170319_223.txt" /accepteula
  2⤵
  PID:2392
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Users\Admin\AppData\Local\Temp\de882c049be133a950b6917562bb2313_583a76e23c1998307d702709dadbe103__3.dll" /accepteula
  2⤵
  PID:3060
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Users\Admin\AppData\Local\Temp\decrypt.exe" /accepteula
  2⤵
  PID:316
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Users\Admin\AppData\Local\Temp\decrypted.ex_.exe" /accepteula
  2⤵
  PID:2424
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Users\Admin\AppData\Local\Temp\FXSAPIDebugLogFile.txt" /accepteula
  2⤵
  PID:840
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Users\Admin\AppData\Local\Temp\JavaDeployReg.log" /accepteula
  2⤵
  PID:2056
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Users\Admin\AppData\Local\Temp\java_install.log" /accepteula
  2⤵
  PID:1716
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Users\Admin\AppData\Local\Temp\java_install_reg.log" /accepteula
  2⤵
  PID:2612
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Users\Admin\AppData\Local\Temp\jawshtml.html" /accepteula
  2⤵
  PID:2784
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Users\Admin\AppData\Local\Temp\jusched.log" /accepteula
  2⤵
  PID:2232
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Users\Admin\AppData\Local\Temp\Kno5302.tmp" /accepteula
  2⤵
  PID:996
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Users\Admin\AppData\Local\Temp\Kno8371.tmp" /accepteula
  2⤵
  PID:1284
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Users\Admin\AppData\Local\Temp\lpksetup-20241023-171125-0.log" /accepteula
  2⤵
  PID:1752
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Users\Admin\AppData\Local\Temp\lpksetup-20241023-171255-0.log" /accepteula
  2⤵
  PID:1944
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Users\Admin\AppData\Local\Temp\lpksetup-20241023-171422-0.log" /accepteula
  2⤵
  PID:1788
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Users\Admin\AppData\Local\Temp\lpksetup-20241023-171552-0.log" /accepteula
  2⤵
  PID:1156
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Users\Admin\AppData\Local\Temp\lpksetup-20241023-171716-0.log" /accepteula
  2⤵
  PID:1588
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Users\Admin\AppData\Local\Temp\Microsoft .NET Framework 4.7.2 Setup_20241023_170306930-MSI_netfx_Full_x64.msi.txt" /accepteula
  2⤵
  PID:2800
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Users\Admin\AppData\Local\Temp\Microsoft .NET Framework 4.7.2 Setup_20241023_170306930.html" /accepteula
  2⤵
  PID:1504
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Users\Admin\AppData\Local\Temp\ose00000.exe" /accepteula
  2⤵
  PID:2960
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Users\Admin\AppData\Local\Temp\RD2D18.tmp" /accepteula
  2⤵
  PID:1800
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Users\Admin\AppData\Local\Temp\RGI117F.tmp" /accepteula
  2⤵
  PID:2972
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Users\Admin\AppData\Local\Temp\RGI117F.tmp-tmp" /accepteula
  2⤵
  PID:2840
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Users\Admin\AppData\Local\Temp\scoped_dir2656_1390704475\1c7fb101-56e6-4115-994d-31ab6d14ea87.tmp" /accepteula
  2⤵
  PID:1248
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Users\Admin\AppData\Local\Temp\SetupExe(20241023170646928).log" /accepteula
  2⤵
  PID:2688
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Users\Admin\AppData\Local\Temp\wmsetup.log" /accepteula
  2⤵
  PID:3056
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\z3l10m6w.default-release\sessionstore-backups\previous.jsonlz4" /accepteula
  2⤵
  PID:2976
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\z3l10m6w.default-release\sessionstore-backups\upgrade.jsonlz4-20221007134813" /accepteula
  2⤵
  PID:2832
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Users\Admin\Desktop\RenameInstall.temp" /accepteula
  2⤵
  PID:1520
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Users\Admin\Downloads\BlockConnect.temp" /accepteula
  2⤵
  PID:1852
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Users\Admin\Pictures\ImportBackup.wmf" /accepteula
  2⤵
  PID:1600
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Users\Default\NTUSER.DAT.LOG" /accepteula
  2⤵
  PID:2512
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\vcredist2012_x64_0_vcRuntimeMinimum_x64.log" /accepteula
  2⤵
  PID:2392
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\vcredist2012_x64_1_vcRuntimeAdditional_x64.log" /accepteula
  2⤵
  PID:2124
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\vcredist2012_x86.log" /accepteula
  2⤵
  PID:1516
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\vcredist2012_x86_0_vcRuntimeMinimum_x86.log" /accepteula
  2⤵
  PID:2020
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\vcredist2012_x86_1_vcRuntimeAdditional_x86.log" /accepteula
  2⤵
  PID:1636
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\vcredist2013_x64_000_vcRuntimeMinimum_x64.log" /accepteula
  2⤵
  PID:1240
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\vcredist2013_x64_001_vcRuntimeAdditional_x64.log" /accepteula
  2⤵
  PID:2624
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\vcredist2013_x86_000_vcRuntimeMinimum_x86.log" /accepteula
  2⤵
  PID:2224
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\vcredist2013_x86_001_vcRuntimeAdditional_x86.log" /accepteula
  2⤵
  PID:2700
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\vcredist2022_x64_000_vcRuntimeMinimum_x64.log" /accepteula
  2⤵
  PID:2956
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\vcredist2022_x64_001_vcRuntimeAdditional_x64.log" /accepteula
  2⤵
  PID:3024
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\vcredist2022_x86_001_vcRuntimeMinimum_x86.log" /accepteula
  2⤵
  PID:2232
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\vcredist2022_x86_002_vcRuntimeAdditional_x86.log" /accepteula
  2⤵
  PID:2280
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Windows\CSC\v2.0.6\temp\ea-{f1097a68-919a-11ef-a817-a45e4b9fe89c}" /accepteula
  2⤵
  PID:2384
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Windows\debug\PASSWD.LOG" /accepteula
  2⤵
  PID:2736
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Windows\debug\sammui.log" /accepteula
  2⤵
  PID:2488
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Windows\debug\WIA\wiatrace.log" /accepteula
  2⤵
  PID:2208
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Windows\DtcInstall.log" /accepteula
  2⤵
  PID:1592
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Windows\Fonts\TEMPSITC.TTF" /accepteula
  2⤵
  PID:2920
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Windows\inf\setupapi.app.log" /accepteula
  2⤵
  PID:620
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Windows\inf\setupapi.dev.log" /accepteula
  2⤵
  PID:2588
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Windows\inf\setupapi.offline.log" /accepteula
  2⤵
  PID:1376
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Windows\Logs\CBS\CBS.log" /accepteula
  2⤵
  PID:2672
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Windows\Logs\DISM\dism.log" /accepteula
  2⤵
  PID:2712
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Windows\Logs\DPX\setupact.log" /accepteula
  2⤵
  PID:1292
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Windows\Logs\DPX\setuperr.log" /accepteula
  2⤵
  PID:764
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngen.log" /accepteula
  2⤵
  PID:1588
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngen_service.log" /accepteula
  2⤵
  - Drops file in Windows directory
  PID:2492
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.log" /accepteula
  2⤵
  PID:2368
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen_service.log" /accepteula
  2⤵
  PID:2960
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngen.log" /accepteula
  2⤵
  PID:1908
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngen_service.log" /accepteula
  2⤵
  PID:1240
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log" /accepteula
  2⤵
  PID:2532
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen_service.log" /accepteula
  2⤵
  PID:2172
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Windows\Panther\cbs.log" /accepteula
  2⤵
  PID:940
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Windows\Panther\cbs_unattend.log" /accepteula
  2⤵
  PID:2100
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Windows\Panther\DDACLSys.log" /accepteula
  2⤵
  PID:1548
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Windows\Panther\setupact.log" /accepteula
  2⤵
  PID:2676
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Windows\Panther\setuperr.log" /accepteula
  2⤵
  PID:1696
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Windows\Panther\UnattendGC\setupact.log" /accepteula
  2⤵
  PID:2624
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Windows\Panther\UnattendGC\setuperr.log" /accepteula
  2⤵
  PID:2500
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Windows\Performance\WinSAT\winsat.log" /accepteula
  2⤵
  PID:1384
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Windows\PFRO.log" /accepteula
  2⤵
  PID:1532
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Windows\PolicyDefinitions\de-DE\UserDataBackup.adml" /accepteula
  2⤵
  PID:3000
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Windows\PolicyDefinitions\de-DE\WindowsBackup.adml" /accepteula
  2⤵
  PID:2708
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Windows\PolicyDefinitions\en-US\UserDataBackup.adml" /accepteula
  2⤵
  PID:2316
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Windows\PolicyDefinitions\en-US\WindowsBackup.adml" /accepteula
  2⤵
  PID:2260
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Windows\PolicyDefinitions\es-ES\UserDataBackup.adml" /accepteula
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1480
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Windows\PolicyDefinitions\es-ES\WindowsBackup.adml" /accepteula
  2⤵
  PID:1032
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Windows\PolicyDefinitions\fr-FR\UserDataBackup.adml" /accepteula
  2⤵
  PID:3040
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Windows\PolicyDefinitions\fr-FR\WindowsBackup.adml" /accepteula
  2⤵
  PID:2016
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Windows\PolicyDefinitions\it-IT\UserDataBackup.adml" /accepteula
  2⤵
  PID:1476
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Windows\PolicyDefinitions\it-IT\WindowsBackup.adml" /accepteula
  2⤵
  PID:2916
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Windows\PolicyDefinitions\ja-JP\UserDataBackup.adml" /accepteula
  2⤵
  PID:2620
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Windows\PolicyDefinitions\ja-JP\WindowsBackup.adml" /accepteula
  2⤵
  PID:2108
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Windows\PolicyDefinitions\UserDataBackup.admx" /accepteula
  2⤵
  PID:2652
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Windows\PolicyDefinitions\WindowsBackup.admx" /accepteula
  2⤵
  PID:2024
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Windows\security\logs\scecomp.old" /accepteula
  2⤵
  PID:1500
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Windows\security\logs\scesetup.log" /accepteula
  2⤵
  PID:2304
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\WindowsUpdate.log" /accepteula
  2⤵
  PID:2776
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Windows\ServiceProfiles\LocalService\NTUSER.DAT.LOG" /accepteula
  2⤵
  PID:1308
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Windows\ServiceProfiles\NetworkService\NTUSER.DAT.LOG" /accepteula
  2⤵
  PID:288
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Windows\servicing\Packages\Microsoft-Windows-Backup-Package~31bf3856ad364e35~amd64~de-DE~6.1.7601.17514.cat" /accepteula
  2⤵
  PID:1292
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Windows\servicing\Packages\Microsoft-Windows-Backup-Package~31bf3856ad364e35~amd64~de-DE~6.1.7601.17514.mum" /accepteula
  2⤵
  PID:1764
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Windows\servicing\Packages\Microsoft-Windows-Backup-Package~31bf3856ad364e35~amd64~en-US~6.1.7601.17514.cat" /accepteula
  2⤵
  PID:2168
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Windows\servicing\Packages\Microsoft-Windows-Backup-Package~31bf3856ad364e35~amd64~en-US~6.1.7601.17514.mum" /accepteula
  2⤵
  PID:2444
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Windows\servicing\Packages\Microsoft-Windows-Backup-Package~31bf3856ad364e35~amd64~es-ES~6.1.7601.17514.cat" /accepteula
  2⤵
  PID:2612
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Windows\servicing\Packages\Microsoft-Windows-Backup-Package~31bf3856ad364e35~amd64~es-ES~6.1.7601.17514.mum" /accepteula
  2⤵
  PID:2504
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Windows\servicing\Packages\Microsoft-Windows-Backup-Package~31bf3856ad364e35~amd64~fr-FR~6.1.7601.17514.cat" /accepteula
  2⤵
  PID:2440
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Windows\servicing\Packages\Microsoft-Windows-Backup-Package~31bf3856ad364e35~amd64~fr-FR~6.1.7601.17514.mum" /accepteula
  2⤵
  PID:1256
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Windows\servicing\Packages\Microsoft-Windows-Backup-Package~31bf3856ad364e35~amd64~it-IT~6.1.7601.17514.cat" /accepteula
  2⤵
  PID:1648
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Windows\servicing\Packages\Microsoft-Windows-Backup-Package~31bf3856ad364e35~amd64~it-IT~6.1.7601.17514.mum" /accepteula
  2⤵
  PID:2372
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Windows\servicing\Packages\Microsoft-Windows-Backup-Package~31bf3856ad364e35~amd64~ja-JP~6.1.7601.17514.cat" /accepteula
  2⤵
  PID:2524
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Windows\servicing\Packages\Microsoft-Windows-Backup-Package~31bf3856ad364e35~amd64~ja-JP~6.1.7601.17514.mum" /accepteula
  2⤵
  PID:568
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Windows\servicing\Packages\Microsoft-Windows-Backup-Package~31bf3856ad364e35~amd64~~6.1.7601.17514.cat" /accepteula
  2⤵
  PID:940
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Windows\servicing\Packages\Microsoft-Windows-Backup-Package~31bf3856ad364e35~amd64~~6.1.7601.17514.mum" /accepteula
  2⤵
  PID:2160
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Windows\setupact.log" /accepteula
  2⤵
  PID:2248
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Windows\setuperr.log" /accepteula
  2⤵
  PID:1564
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Windows\SoftwareDistribution\DataStore\Logs\edb.log" /accepteula
  2⤵
  PID:1696
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Windows\SoftwareDistribution\DataStore\Logs\edb00001.log" /accepteula
  2⤵
  PID:1768
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Windows\SoftwareDistribution\ReportingEvents.log" /accepteula
  2⤵
  PID:812
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Backup-Package~31bf3856ad364e35~amd64~de-DE~6.1.7601.17514.cat" /accepteula
  2⤵
  PID:2908
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Backup-Package~31bf3856ad364e35~amd64~en-US~6.1.7600.16385.cat" /accepteula
  2⤵
  PID:1192
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Backup-Package~31bf3856ad364e35~amd64~en-US~6.1.7601.17514.cat" /accepteula
  2⤵
  PID:2876
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Backup-Package~31bf3856ad364e35~amd64~es-ES~6.1.7601.17514.cat" /accepteula
  2⤵
  PID:1280
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Backup-Package~31bf3856ad364e35~amd64~fr-FR~6.1.7601.17514.cat" /accepteula
  2⤵
  PID:1584
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Backup-Package~31bf3856ad364e35~amd64~it-IT~6.1.7601.17514.cat" /accepteula
  2⤵
  PID:2868
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Backup-Package~31bf3856ad364e35~amd64~ja-JP~6.1.7601.17514.cat" /accepteula
  2⤵
  PID:2260
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Backup-Package~31bf3856ad364e35~amd64~~6.1.7600.16385.cat" /accepteula
  2⤵
  - Drops file in System32 directory
  PID:1416
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Backup-Package~31bf3856ad364e35~amd64~~6.1.7601.17514.cat" /accepteula
  2⤵
  PID:2988
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Windows\System32\catroot2\edb.log" /accepteula
  2⤵
  PID:1684
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Windows\System32\catroot2\edb006BC.log" /accepteula
  2⤵
  PID:2440
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Windows\System32\catroot2\edb006BD.log" /accepteula
  2⤵
  PID:3008
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Windows\System32\catroot2\edb006BE.log" /accepteula
  2⤵
  PID:1944
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Windows\System32\catroot2\edb006BF.log" /accepteula
  2⤵
  PID:2804
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Windows\System32\catroot2\edb006C0.log" /accepteula
  2⤵
  PID:1952
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Windows\System32\catroot2\edb006C1.log" /accepteula
  2⤵
  PID:2244
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Windows\System32\catroot2\edb006C2.log" /accepteula
  2⤵
  - Drops file in System32 directory
  PID:1608
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Windows\System32\catroot2\edb006C3.log" /accepteula
  2⤵
  PID:2248
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Windows\System32\catroot2\edb006C4.log" /accepteula
  2⤵
  PID:2388
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Windows\System32\catroot2\edb006C5.log" /accepteula
  2⤵
  PID:2188
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Windows\System32\catroot2\edb006C6.log" /accepteula
  2⤵
  PID:944
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Windows\System32\catroot2\edb006C7.log" /accepteula
  2⤵
  - Drops file in System32 directory
  PID:2624
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Windows\System32\catroot2\edb006C8.log" /accepteula
  2⤵
  - Drops file in System32 directory
  PID:2796
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Windows\System32\catroot2\edb006C9.log" /accepteula
  2⤵
  - Drops file in System32 directory
  PID:1340
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Windows\System32\catroot2\edb006CA.log" /accepteula
  2⤵
  PID:2156
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Windows\System32\catroot2\edb006CB.log" /accepteula
  2⤵
  PID:2000
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Windows\System32\catroot2\edb006CC.log" /accepteula
  2⤵
  PID:1604
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Windows\System32\catroot2\edb006CD.log" /accepteula
  2⤵
  PID:1804
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Windows\System32\catroot2\edb006CE.log" /accepteula
  2⤵
  PID:2092
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Windows\System32\catroot2\edb006CF.log" /accepteula
  2⤵
  PID:1320
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Windows\System32\catroot2\edb006D0.log" /accepteula
  2⤵
  PID:1516
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Windows\System32\catroot2\edb006D1.log" /accepteula
  2⤵
  PID:1716
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Windows\System32\catroot2\edb006D2.log" /accepteula
  2⤵
  PID:3032
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Windows\System32\catroot2\edb006D3.log" /accepteula
  2⤵
  PID:2432
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Windows\System32\catroot2\edb006D4.log" /accepteula
  2⤵
  PID:2856
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Windows\System32\catroot2\edb006D5.log" /accepteula
  2⤵
  PID:1784
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Windows\System32\de-DE\SystemPropertiesAdvanced.exe.mui" /accepteula
  2⤵
  PID:2344
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Windows\System32\de-DE\SystemPropertiesComputerName.exe.mui" /accepteula
  2⤵
  PID:2124
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Windows\System32\de-DE\SystemPropertiesDataExecutionPrevention.exe.mui" /accepteula
  2⤵
  - Drops file in System32 directory
  PID:2580
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Windows\System32\de-DE\SystemPropertiesHardware.exe.mui" /accepteula
  2⤵
  PID:2320
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Windows\System32\de-DE\SystemPropertiesPerformance.exe.mui" /accepteula
  2⤵
  PID:324
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Windows\System32\de-DE\SystemPropertiesProtection.exe.mui" /accepteula
  2⤵
  - Drops file in System32 directory
  PID:2400
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Windows\System32\de-DE\SystemPropertiesRemote.exe.mui" /accepteula
  2⤵
  PID:852
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Windows\System32\DriverStore\FileRepository\prnbr002.inf_amd64_neutral_db1d8c9efda9b3c0\Amd64\brio06aa.bcm" /accepteula
  2⤵
  PID:2076
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Windows\System32\DriverStore\FileRepository\prnbr002.inf_amd64_neutral_db1d8c9efda9b3c0\Amd64\brio06ab.bcm" /accepteula
  2⤵
  - Drops file in System32 directory
  PID:2836
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Windows\System32\DriverStore\FileRepository\prnbr002.inf_amd64_neutral_db1d8c9efda9b3c0\Amd64\brio06ac.bcm" /accepteula
  2⤵
  PID:2588
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Windows\System32\DriverStore\FileRepository\prnbr002.inf_amd64_neutral_db1d8c9efda9b3c0\Amd64\brio06af.bcm" /accepteula
  2⤵
  - Drops file in System32 directory
  PID:2548
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Windows\System32\DriverStore\FileRepository\prnbr002.inf_amd64_neutral_db1d8c9efda9b3c0\Amd64\brio06ag.bcm" /accepteula
  2⤵
  PID:2436
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Windows\System32\DriverStore\FileRepository\prnbr004.inf_amd64_neutral_a78e168d6944619a\Amd64\brio08aa.bcm" /accepteula
  2⤵
  PID:1532
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Windows\System32\DriverStore\FileRepository\prnbr004.inf_amd64_neutral_a78e168d6944619a\Amd64\brio08ab.bcm" /accepteula
  2⤵
  - Drops file in System32 directory
  PID:2908
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Windows\System32\DriverStore\FileRepository\prnbr004.inf_amd64_neutral_a78e168d6944619a\Amd64\brio08ac.bcm" /accepteula
  2⤵
  PID:3060
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Windows\System32\DriverStore\FileRepository\prnbr004.inf_amd64_neutral_a78e168d6944619a\Amd64\brio08ae.bcm" /accepteula
  2⤵
  - Drops file in System32 directory
  PID:3040
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Windows\System32\DriverStore\FileRepository\prnbr004.inf_amd64_neutral_a78e168d6944619a\Amd64\brio08af.bcm" /accepteula
  2⤵
  - Drops file in System32 directory
  PID:2464
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Windows\System32\DriverStore\FileRepository\prnbr004.inf_amd64_neutral_a78e168d6944619a\Amd64\brio08ag.bcm" /accepteula
  2⤵
  PID:2916
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Windows\System32\DriverStore\FileRepository\prnbr004.inf_amd64_neutral_a78e168d6944619a\Amd64\brio08ah.bcm" /accepteula
  2⤵
  PID:2892
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Windows\System32\DriverStore\FileRepository\prnbr004.inf_amd64_neutral_a78e168d6944619a\Amd64\brio08ak.bcm" /accepteula
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1736
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Windows\System32\DriverStore\FileRepository\prnbr005.inf_amd64_neutral_9e4cc05e0d4bcb33\Amd64\brio08ba.bcm" /accepteula
  2⤵
  PID:2864
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Windows\System32\DriverStore\FileRepository\prnbr005.inf_amd64_neutral_9e4cc05e0d4bcb33\Amd64\brio08bb.bcm" /accepteula
  2⤵
  PID:1856
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Windows\System32\DriverStore\FileRepository\prnbr005.inf_amd64_neutral_9e4cc05e0d4bcb33\Amd64\brio08bc.bcm" /accepteula
  2⤵
  - Drops file in System32 directory
  PID:2708
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Windows\System32\DriverStore\FileRepository\prnbr005.inf_amd64_neutral_9e4cc05e0d4bcb33\Amd64\brio08be.bcm" /accepteula
  2⤵
  PID:1096
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Windows\System32\DriverStore\FileRepository\prnbr005.inf_amd64_neutral_9e4cc05e0d4bcb33\Amd64\brio08bf.bcm" /accepteula
  2⤵
  PID:1032
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Windows\System32\DriverStore\FileRepository\prnbr005.inf_amd64_neutral_9e4cc05e0d4bcb33\Amd64\brio08bg.bcm" /accepteula
  2⤵
  PID:2920
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Windows\System32\DriverStore\FileRepository\prnbr005.inf_amd64_neutral_9e4cc05e0d4bcb33\Amd64\brio08bk.bcm" /accepteula
  2⤵
  - Drops file in System32 directory
  PID:1908
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Windows\System32\DriverStore\FileRepository\prnbr009.inf_amd64_neutral_fd2ac5b9c40bd465\Amd64\brio14aa.bcm" /accepteula
  2⤵
  - Drops file in System32 directory
  PID:2756
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Windows\System32\DriverStore\FileRepository\prnbr009.inf_amd64_neutral_fd2ac5b9c40bd465\Amd64\brio14ab.bcm" /accepteula
  2⤵
  PID:1604
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Windows\System32\DriverStore\FileRepository\prnbr009.inf_amd64_neutral_fd2ac5b9c40bd465\Amd64\brio14ac.bcm" /accepteula
  2⤵
  PID:1088
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Windows\System32\DriverStore\FileRepository\prnbr009.inf_amd64_neutral_fd2ac5b9c40bd465\Amd64\brio14ad.bcm" /accepteula
  2⤵
  PID:2936
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Windows\System32\DriverStore\FileRepository\prnbr009.inf_amd64_neutral_fd2ac5b9c40bd465\Amd64\brio14af.bcm" /accepteula
  2⤵
  PID:2080
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Windows\System32\DriverStore\FileRepository\prnbr009.inf_amd64_neutral_fd2ac5b9c40bd465\Amd64\brio14ag.bcm" /accepteula
  2⤵
  - Drops file in System32 directory
  PID:1996
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Windows\System32\DriverStore\FileRepository\prnbr009.inf_amd64_neutral_fd2ac5b9c40bd465\Amd64\brio14ah.bcm" /accepteula
  2⤵
  PID:2788
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Windows\System32\DriverStore\FileRepository\prnbr009.inf_amd64_neutral_fd2ac5b9c40bd465\Amd64\brio14ai.bcm" /accepteula
  2⤵
  PID:2736
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Windows\System32\DriverStore\FileRepository\prnbr009.inf_amd64_neutral_fd2ac5b9c40bd465\Amd64\brio14ak.bcm" /accepteula
  2⤵
  PID:1028
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Windows\System32\DriverStore\FileRepository\prnbr009.inf_amd64_neutral_fd2ac5b9c40bd465\Amd64\brio14al.bcm" /accepteula
  2⤵
  PID:336
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Windows\System32\DriverStore\FileRepository\prnbr009.inf_amd64_neutral_fd2ac5b9c40bd465\Amd64\brio14am.bcm" /accepteula
  2⤵
  PID:2436
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Windows\System32\DriverStore\FileRepository\prnbr009.inf_amd64_neutral_fd2ac5b9c40bd465\Amd64\brio14an.bcm" /accepteula
  2⤵
  PID:1768
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Windows\System32\DriverStore\Temp\{522f6bf6-ae20-0f66-d982-a746d010852a}\prnms001.cat" /accepteula
  2⤵
  PID:2532
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Windows\System32\en-US\SystemPropertiesAdvanced.exe.mui" /accepteula
  2⤵
  PID:2356
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Windows\System32\en-US\SystemPropertiesComputerName.exe.mui" /accepteula
  2⤵
  PID:1904
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Windows\System32\en-US\SystemPropertiesDataExecutionPrevention.exe.mui" /accepteula
  2⤵
  - Drops file in System32 directory
  PID:1616
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Windows\System32\en-US\SystemPropertiesHardware.exe.mui" /accepteula
  2⤵
  - Drops file in System32 directory
  PID:2848
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Windows\System32\en-US\SystemPropertiesPerformance.exe.mui" /accepteula
  2⤵
  - Drops file in System32 directory
  PID:816
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Windows\System32\en-US\SystemPropertiesProtection.exe.mui" /accepteula
  2⤵
  PID:1764
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Windows\System32\en-US\SystemPropertiesRemote.exe.mui" /accepteula
  2⤵
  PID:1820
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Windows\System32\es-ES\SystemPropertiesAdvanced.exe.mui" /accepteula
  2⤵
  PID:2504
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Windows\System32\es-ES\SystemPropertiesComputerName.exe.mui" /accepteula
  2⤵
  - Drops file in System32 directory
  PID:2612
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Windows\System32\es-ES\SystemPropertiesDataExecutionPrevention.exe.mui" /accepteula
  2⤵
  PID:772
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Windows\System32\es-ES\SystemPropertiesHardware.exe.mui" /accepteula
  2⤵
  - Drops file in System32 directory
  PID:1796
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Windows\System32\es-ES\SystemPropertiesPerformance.exe.mui" /accepteula
  2⤵
  - Drops file in System32 directory
  PID:1508
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Windows\System32\es-ES\SystemPropertiesProtection.exe.mui" /accepteula
  2⤵
  PID:1648
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Windows\System32\es-ES\SystemPropertiesRemote.exe.mui" /accepteula
  2⤵
  PID:548
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Windows\System32\fr-FR\SystemPropertiesAdvanced.exe.mui" /accepteula
  2⤵
  - Drops file in System32 directory
  PID:2448
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Windows\System32\fr-FR\SystemPropertiesComputerName.exe.mui" /accepteula
  2⤵
  PID:820
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Windows\System32\fr-FR\SystemPropertiesDataExecutionPrevention.exe.mui" /accepteula
  2⤵
  PID:2136
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Windows\System32\fr-FR\SystemPropertiesHardware.exe.mui" /accepteula
  2⤵
  - Drops file in System32 directory
  PID:2536
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Windows\System32\fr-FR\SystemPropertiesPerformance.exe.mui" /accepteula
  2⤵
  - Drops file in System32 directory
  PID:2524
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Windows\System32\fr-FR\SystemPropertiesProtection.exe.mui" /accepteula
  2⤵
  PID:908
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Windows\System32\fr-FR\SystemPropertiesRemote.exe.mui" /accepteula
  2⤵
  PID:3064
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Windows\System32\it-IT\SystemPropertiesAdvanced.exe.mui" /accepteula
  2⤵
  PID:812
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Windows\System32\it-IT\SystemPropertiesComputerName.exe.mui" /accepteula
  2⤵
  - Drops file in System32 directory
  PID:2700
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Windows\System32\it-IT\SystemPropertiesDataExecutionPrevention.exe.mui" /accepteula
  2⤵
  PID:2316
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Windows\System32\it-IT\SystemPropertiesHardware.exe.mui" /accepteula
  2⤵
  - Modifies data under HKEY_USERS
  PID:2244
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Windows\System32\it-IT\SystemPropertiesPerformance.exe.mui" /accepteula
  2⤵
  - Drops file in System32 directory
  PID:1636
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Windows\System32\it-IT\SystemPropertiesProtection.exe.mui" /accepteula
  2⤵
  - Drops file in System32 directory
  PID:1572
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Windows\System32\it-IT\SystemPropertiesRemote.exe.mui" /accepteula
  2⤵
  - Drops file in System32 directory
  PID:1620
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Windows\System32\ja-JP\SystemPropertiesAdvanced.exe.mui" /accepteula
  2⤵
  - Drops file in System32 directory
  PID:2476
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Windows\System32\ja-JP\SystemPropertiesComputerName.exe.mui" /accepteula
  2⤵
  PID:2460
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Windows\System32\ja-JP\SystemPropertiesDataExecutionPrevention.exe.mui" /accepteula
  2⤵
  PID:2176
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Windows\System32\ja-JP\SystemPropertiesHardware.exe.mui" /accepteula
  2⤵
  - Drops file in System32 directory
  PID:2884
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Windows\System32\ja-JP\SystemPropertiesPerformance.exe.mui" /accepteula
  2⤵
  - Drops file in System32 directory
  PID:896
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Windows\System32\ja-JP\SystemPropertiesProtection.exe.mui" /accepteula
  2⤵
  PID:2552
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Windows\System32\ja-JP\SystemPropertiesRemote.exe.mui" /accepteula
  2⤵
  PID:2588
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Windows\System32\LogFiles\AIT\AitEventLog.etl.001" /accepteula
  2⤵
  PID:2664
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Windows\System32\LogFiles\SQM\SQMLogger.etl.001" /accepteula
  2⤵
  PID:1996
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Windows\System32\LogFiles\WMI\RtBackup\EtwRTDiagLog.etl" /accepteula
  2⤵
  - Drops file in System32 directory
  PID:1596
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Windows\System32\LogFiles\WMI\RtBackup\EtwRTEventLog-Application.etl" /accepteula
  2⤵
  - Drops file in System32 directory
  PID:768
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Windows\System32\LogFiles\WMI\RtBackup\EtwRTEventlog-Security.etl" /accepteula
  2⤵
  - Drops file in System32 directory
  PID:1532
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Windows\System32\LogFiles\WMI\RtBackup\EtwRTEventLog-System.etl" /accepteula
  2⤵
  - Drops file in System32 directory
  PID:1608
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Windows\System32\LogFiles\WMI\RtBackup\EtwRTUBPM.etl" /accepteula
  2⤵
  PID:2228
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Windows\System32\migwiz\replacementmanifests\vsssystemprovider-replacement.man" /accepteula
  2⤵
  - Drops file in System32 directory
  PID:2748
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Windows\System32\PerfStringBackup.INI" /accepteula
  2⤵
  PID:2108
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Windows\System32\SystemPropertiesAdvanced.exe" /accepteula
  2⤵
  - Drops file in System32 directory
  PID:612
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Windows\System32\SystemPropertiesComputerName.exe" /accepteula
  2⤵
  PID:3028
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Windows\System32\SystemPropertiesDataExecutionPrevention.exe" /accepteula
  2⤵
  - Drops file in System32 directory
  PID:1716
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Windows\System32\SystemPropertiesHardware.exe" /accepteula
  2⤵
  - Drops file in System32 directory
  PID:1524
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Windows\System32\SystemPropertiesPerformance.exe" /accepteula
  2⤵
  PID:1520
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Windows\System32\SystemPropertiesProtection.exe" /accepteula
  2⤵
  PID:1908
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Windows\System32\SystemPropertiesRemote.exe" /accepteula
  2⤵
  - Drops file in System32 directory
  PID:1804
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Windows\SysWOW64\de-DE\SystemPropertiesAdvanced.exe.mui" /accepteula
  2⤵
  - Drops file in System32 directory
  PID:2112
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Windows\SysWOW64\de-DE\SystemPropertiesComputerName.exe.mui" /accepteula
  2⤵
  PID:2104
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Windows\SysWOW64\de-DE\SystemPropertiesDataExecutionPrevention.exe.mui" /accepteula
  2⤵
  PID:2852
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Windows\SysWOW64\de-DE\SystemPropertiesHardware.exe.mui" /accepteula
  2⤵
  PID:2948
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Windows\SysWOW64\de-DE\SystemPropertiesPerformance.exe.mui" /accepteula
  2⤵
  - Drops file in System32 directory
  PID:2028
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Windows\SysWOW64\de-DE\SystemPropertiesProtection.exe.mui" /accepteula
  2⤵
  - Drops file in System32 directory
  PID:2888
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Windows\SysWOW64\de-DE\SystemPropertiesRemote.exe.mui" /accepteula
  2⤵
  PID:2624
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Windows\SysWOW64\en-US\SystemPropertiesAdvanced.exe.mui" /accepteula
  2⤵
  PID:1728
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Windows\SysWOW64\en-US\SystemPropertiesComputerName.exe.mui" /accepteula
  2⤵
  PID:1700
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Windows\SysWOW64\en-US\SystemPropertiesDataExecutionPrevention.exe.mui" /accepteula
  2⤵
  PID:576
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Windows\SysWOW64\en-US\SystemPropertiesHardware.exe.mui" /accepteula
  2⤵
  PID:2260
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Windows\SysWOW64\en-US\SystemPropertiesPerformance.exe.mui" /accepteula
  2⤵
  - Drops file in System32 directory
  PID:3036
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Windows\SysWOW64\en-US\SystemPropertiesProtection.exe.mui" /accepteula
  2⤵
  - Drops file in System32 directory
  PID:2900
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Windows\SysWOW64\en-US\SystemPropertiesRemote.exe.mui" /accepteula
  2⤵
  PID:1048
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Windows\SysWOW64\es-ES\SystemPropertiesAdvanced.exe.mui" /accepteula
  2⤵
  PID:2600
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Windows\SysWOW64\es-ES\SystemPropertiesComputerName.exe.mui" /accepteula
  2⤵
  - Drops file in System32 directory
  PID:2604
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Windows\SysWOW64\es-ES\SystemPropertiesDataExecutionPrevention.exe.mui" /accepteula
  2⤵
  PID:2704
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Windows\SysWOW64\es-ES\SystemPropertiesHardware.exe.mui" /accepteula
  2⤵
  - Drops file in System32 directory
  PID:3000
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Windows\SysWOW64\es-ES\SystemPropertiesPerformance.exe.mui" /accepteula
  2⤵
  - Drops file in System32 directory
  PID:2944
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Windows\SysWOW64\es-ES\SystemPropertiesProtection.exe.mui" /accepteula
  2⤵
  PID:2840
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Windows\SysWOW64\es-ES\SystemPropertiesRemote.exe.mui" /accepteula
  2⤵
  - Drops file in System32 directory
  PID:2916
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Windows\SysWOW64\fr-FR\SystemPropertiesAdvanced.exe.mui" /accepteula
  2⤵
  PID:2768
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Windows\SysWOW64\fr-FR\SystemPropertiesComputerName.exe.mui" /accepteula
  2⤵
  - Drops file in System32 directory
  PID:2740
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Windows\SysWOW64\fr-FR\SystemPropertiesDataExecutionPrevention.exe.mui" /accepteula
  2⤵
  - Drops file in System32 directory
  PID:1848
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Windows\SysWOW64\fr-FR\SystemPropertiesHardware.exe.mui" /accepteula
  2⤵
  PID:696
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Windows\SysWOW64\fr-FR\SystemPropertiesPerformance.exe.mui" /accepteula
  2⤵
  PID:2568
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Windows\SysWOW64\fr-FR\SystemPropertiesProtection.exe.mui" /accepteula
  2⤵
  PID:3024
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Windows\SysWOW64\fr-FR\SystemPropertiesRemote.exe.mui" /accepteula
  2⤵
  - Drops file in System32 directory
  PID:2608
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Windows\SysWOW64\it-IT\SystemPropertiesAdvanced.exe.mui" /accepteula
  2⤵
  PID:684
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Windows\SysWOW64\it-IT\SystemPropertiesComputerName.exe.mui" /accepteula
  2⤵
  PID:2976
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Windows\SysWOW64\it-IT\SystemPropertiesDataExecutionPrevention.exe.mui" /accepteula
  2⤵
  PID:2908
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Windows\SysWOW64\it-IT\SystemPropertiesHardware.exe.mui" /accepteula
  2⤵
  PID:1956
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Windows\SysWOW64\it-IT\SystemPropertiesPerformance.exe.mui" /accepteula
  2⤵
  PID:568
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Windows\SysWOW64\it-IT\SystemPropertiesProtection.exe.mui" /accepteula
  2⤵
  PID:3056
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Windows\SysWOW64\it-IT\SystemPropertiesRemote.exe.mui" /accepteula
  2⤵
  - Drops file in System32 directory
  PID:1280
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Windows\SysWOW64\ja-JP\SystemPropertiesAdvanced.exe.mui" /accepteula
  2⤵
  PID:2420
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Windows\SysWOW64\ja-JP\SystemPropertiesComputerName.exe.mui" /accepteula
  2⤵
  PID:2280
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Windows\SysWOW64\ja-JP\SystemPropertiesDataExecutionPrevention.exe.mui" /accepteula
  2⤵
  - Drops file in System32 directory
  PID:2424
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Windows\SysWOW64\ja-JP\SystemPropertiesHardware.exe.mui" /accepteula
  2⤵
  - Drops file in System32 directory
  PID:2320
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Windows\SysWOW64\ja-JP\SystemPropertiesPerformance.exe.mui" /accepteula
  2⤵
  - Drops file in System32 directory
  PID:2084
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Windows\SysWOW64\ja-JP\SystemPropertiesProtection.exe.mui" /accepteula
  2⤵
  PID:2352
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Windows\SysWOW64\ja-JP\SystemPropertiesRemote.exe.mui" /accepteula
  2⤵
  PID:1904
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Windows\SysWOW64\migwiz\replacementmanifests\vsssystemprovider-replacement.man" /accepteula
  2⤵
  PID:816
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Windows\SysWOW64\PerfStringBackup.INI" /accepteula
  2⤵
  - Drops file in System32 directory
  PID:2196
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Windows\SysWOW64\SystemPropertiesAdvanced.exe" /accepteula
  2⤵
  PID:1656
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Windows\SysWOW64\SystemPropertiesComputerName.exe" /accepteula
  2⤵
  PID:3044
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Windows\SysWOW64\SystemPropertiesDataExecutionPrevention.exe" /accepteula
  2⤵
  PID:820
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Windows\SysWOW64\SystemPropertiesHardware.exe" /accepteula
  2⤵
  PID:2628
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Windows\SysWOW64\SystemPropertiesPerformance.exe" /accepteula
  2⤵
  - Drops file in System32 directory
  PID:2536
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Windows\SysWOW64\SystemPropertiesProtection.exe" /accepteula
  2⤵
  - Drops file in System32 directory
  PID:2128
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Windows\SysWOW64\SystemPropertiesRemote.exe" /accepteula
  2⤵
  PID:908
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Windows\Temp\Crashpad\metadata" /accepteula
  2⤵
  PID:320
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Windows\Temp\Crashpad\settings.dat" /accepteula
  2⤵
  PID:2660
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Windows\Temp\DMI3523.tmp" /accepteula
  2⤵
  PID:2096
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Windows\Temp\TS_1FFE.tmp" /accepteula
  2⤵
  PID:1096
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Windows\Temp\TS_204D.tmp" /accepteula
  2⤵
  PID:2244
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Windows\Temp\TS_70DC.tmp" /accepteula
  2⤵
  PID:1836
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Windows\Temp\TS_7179.tmp" /accepteula
  2⤵
  PID:2476
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Windows\Temp\TS_71D7.tmp" /accepteula
  2⤵
  PID:2348
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Windows\Temp\TS_7284.tmp" /accepteula
  2⤵
  PID:2176
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Windows\Temp\TS_7321.tmp" /accepteula
  2⤵
  PID:1536
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Windows\Temp\TS_7380.tmp" /accepteula
  2⤵
  PID:1328
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Windows\Temp\TS_73DE.tmp" /accepteula
  2⤵
  PID:1472
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Windows\Temp\TS_7584.tmp" /accepteula
  2⤵
  PID:2552
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Windows\Temp\TS_7612.tmp" /accepteula
  2⤵
  PID:2248
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Windows\TSSysprep.log" /accepteula
  2⤵
  PID:1912
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Windows\WindowsUpdate.log" /accepteula
  2⤵
  PID:2372
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Windows\winsxs\amd64_microsoft-windows-b..ouppolicy.resources_31bf3856ad364e35_6.1.7600.16385_de-de_f373b0f039fdf6c5\WindowsBackup.adml" /accepteula
  2⤵
  PID:1564
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Windows\winsxs\amd64_microsoft-windows-b..ouppolicy.resources_31bf3856ad364e35_6.1.7600.16385_en-us_9c6486e928dc028a\WindowsBackup.adml" /accepteula
  2⤵
  PID:2396
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Windows\winsxs\amd64_microsoft-windows-b..ouppolicy.resources_31bf3856ad364e35_6.1.7600.16385_es-es_9c2fe3cd2902f42f\WindowsBackup.adml" /accepteula
  2⤵
  PID:2920
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Windows\winsxs\amd64_microsoft-windows-b..ouppolicy.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_3ee759cc1bd50a91\WindowsBackup.adml" /accepteula
  2⤵
  PID:2244
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Windows\winsxs\amd64_microsoft-windows-b..ouppolicy.resources_31bf3856ad364e35_6.1.7600.16385_it-it_290f5012f306f00f\WindowsBackup.adml" /accepteula
  2⤵
  - Modifies data under HKEY_USERS
  PID:2500
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Windows\winsxs\amd64_microsoft-windows-b..ouppolicy.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_cb34cf1fe62201ea\WindowsBackup.adml" /accepteula
  2⤵
  PID:2168
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Windows\winsxs\amd64_microsoft-windows-backup-cpl.resources_31bf3856ad364e35_6.1.7600.16385_de-de_814336c72da5a487\sdcpl.dll.mui" /accepteula
  2⤵
  PID:2040
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Windows\winsxs\amd64_microsoft-windows-backup-cpl.resources_31bf3856ad364e35_6.1.7600.16385_en-us_2a340cc01c83b04c\sdcpl.dll.mui" /accepteula
  2⤵
  PID:2664
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Windows\winsxs\amd64_microsoft-windows-backup-cpl.resources_31bf3856ad364e35_6.1.7600.16385_es-es_29ff69a41caaa1f1\sdcpl.dll.mui" /accepteula
  2⤵
  PID:700
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Windows\winsxs\amd64_microsoft-windows-backup-cpl.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_ccb6dfa30f7cb853\sdcpl.dll.mui" /accepteula
  2⤵
  PID:2736
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Windows\winsxs\amd64_microsoft-windows-backup-cpl.resources_31bf3856ad364e35_6.1.7600.16385_it-it_b6ded5e9e6ae9dd1\sdcpl.dll.mui" /accepteula
  2⤵
  PID:1516
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Windows\winsxs\amd64_microsoft-windows-backup-cpl.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_590454f6d9c9afac\sdcpl.dll.mui" /accepteula
  2⤵
  PID:932
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Windows\winsxs\amd64_microsoft-windows-backup-cpl_31bf3856ad364e35_6.1.7601.17514_none_0fa9f57005bdc2e1\sdcpl.dll" /accepteula
  2⤵
  PID:1080
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Windows\winsxs\amd64_microsoft-windows-blb-grouppolicy_31bf3856ad364e35_6.1.7600.16385_none_489a9cfa1badc4c5\WindowsBackup.admx" /accepteula
  2⤵
  PID:2728
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Windows\winsxs\amd64_microsoft-windows-com-dtc-runtime_31bf3856ad364e35_6.1.7600.16385_none_7547f48c79b40229\MSDTC.LOG" /accepteula
  2⤵
  PID:1768
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Windows\winsxs\amd64_microsoft-windows-iebrowsewebdiagnostic_31bf3856ad364e35_6.1.7601.17514_none_829f3aa88408cea0\TS_tempfilecachesize.ps1" /accepteula
  2⤵
  PID:2952
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Windows\winsxs\amd64_microsoft-windows-iis-odbclogging_31bf3856ad364e35_6.1.7600.16385_none_304059e2ef7d19be\logtemp.sql" /accepteula
  2⤵
  PID:2384
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Windows\winsxs\amd64_microsoft-windows-m..eplacementmanifests_31bf3856ad364e35_6.1.7601.17514_none_5a1a617d021715d4\vsssystemprovider-replacement.man" /accepteula
  2⤵
  PID:2692
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Windows\winsxs\amd64_microsoft-windows-performance.resources_31bf3856ad364e35_6.1.7600.16385_de-de_f9b78bc742954cc7\SystemPropertiesPerformance.exe.mui" /accepteula
  2⤵
  PID:1192
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Windows\winsxs\amd64_microsoft-windows-performance.resources_31bf3856ad364e35_6.1.7600.16385_en-us_a2a861c03173588c\SystemPropertiesPerformance.exe.mui" /accepteula
  2⤵
  PID:1908
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Windows\winsxs\amd64_microsoft-windows-performance.resources_31bf3856ad364e35_6.1.7600.16385_es-es_a273bea4319a4a31\SystemPropertiesPerformance.exe.mui" /accepteula
  2⤵
  PID:1900
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Windows\winsxs\amd64_microsoft-windows-performance.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_452b34a3246c6093\SystemPropertiesPerformance.exe.mui" /accepteula
  2⤵
  PID:2516
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Windows\winsxs\amd64_microsoft-windows-performance.resources_31bf3856ad364e35_6.1.7600.16385_it-it_2f532ae9fb9e4611\SystemPropertiesPerformance.exe.mui" /accepteula
  2⤵
  PID:2924
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Windows\winsxs\amd64_microsoft-windows-performance.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_d178a9f6eeb957ec\SystemPropertiesPerformance.exe.mui" /accepteula
  2⤵
  PID:936
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Windows\winsxs\amd64_microsoft-windows-s..executionprevention_31bf3856ad364e35_6.1.7600.16385_none_25d85b4a3e4a7709\SystemPropertiesDataExecutionPrevention.exe" /accepteula
  2⤵
  PID:2948
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Windows\winsxs\amd64_microsoft-windows-s..madvanced.resources_31bf3856ad364e35_6.1.7600.16385_de-de_62497c70b6d3816f\SystemPropertiesAdvanced.exe.mui" /accepteula
  2⤵
  PID:2888
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Windows\winsxs\amd64_microsoft-windows-s..madvanced.resources_31bf3856ad364e35_6.1.7600.16385_en-us_0b3a5269a5b18d34\SystemPropertiesAdvanced.exe.mui" /accepteula
  2⤵
  PID:2336
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Windows\winsxs\amd64_microsoft-windows-s..madvanced.resources_31bf3856ad364e35_6.1.7600.16385_es-es_0b05af4da5d87ed9\SystemPropertiesAdvanced.exe.mui" /accepteula
  2⤵
  PID:844
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Windows\winsxs\amd64_microsoft-windows-s..madvanced.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_adbd254c98aa953b\SystemPropertiesAdvanced.exe.mui" /accepteula
  2⤵
  PID:2624
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Windows\winsxs\amd64_microsoft-windows-s..madvanced.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_3a0a9aa062f78c94\SystemPropertiesAdvanced.exe.mui" /accepteula
  2⤵
  PID:868
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Windows\winsxs\amd64_microsoft-windows-s..madvanced.resources_31bf3856ad364e35_6.1.7601.17514_it-it_9a162f5b6ccafe53\SystemPropertiesAdvanced.exe.mui" /accepteula
  2⤵
  PID:620
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Windows\winsxs\amd64_microsoft-windows-s..mcomputer.resources_31bf3856ad364e35_6.1.7600.16385_de-de_0e2b27525d382184\SystemPropertiesComputerName.exe.mui" /accepteula
  2⤵
  PID:2644
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Windows\winsxs\amd64_microsoft-windows-s..mcomputer.resources_31bf3856ad364e35_6.1.7600.16385_en-us_b71bfd4b4c162d49\SystemPropertiesComputerName.exe.mui" /accepteula
  2⤵
  PID:2408
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Windows\winsxs\amd64_microsoft-windows-s..mcomputer.resources_31bf3856ad364e35_6.1.7600.16385_es-es_b6e75a2f4c3d1eee\SystemPropertiesComputerName.exe.mui" /accepteula
  2⤵
  - Modifies data under HKEY_USERS
  PID:3004
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Windows\winsxs\amd64_microsoft-windows-s..mcomputer.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_599ed02e3f0f3550\SystemPropertiesComputerName.exe.mui" /accepteula
  2⤵
  - Modifies data under HKEY_USERS
  PID:1548
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Windows\winsxs\amd64_microsoft-windows-s..mcomputer.resources_31bf3856ad364e35_6.1.7600.16385_it-it_43c6c67516411ace\SystemPropertiesComputerName.exe.mui" /accepteula
  2⤵
  PID:2496
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Windows\winsxs\amd64_microsoft-windows-s..mcomputer.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_e5ec4582095c2ca9\SystemPropertiesComputerName.exe.mui" /accepteula
  2⤵
  PID:2240
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Windows\winsxs\amd64_microsoft-windows-s..mhardware.resources_31bf3856ad364e35_6.1.7600.16385_de-de_9dbfd6a020b53b95\SystemPropertiesHardware.exe.mui" /accepteula
  2⤵
  PID:2376
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Windows\winsxs\amd64_microsoft-windows-s..mhardware.resources_31bf3856ad364e35_6.1.7600.16385_en-us_46b0ac990f93475a\SystemPropertiesHardware.exe.mui" /accepteula
  2⤵
  PID:1308
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Windows\winsxs\amd64_microsoft-windows-s..mhardware.resources_31bf3856ad364e35_6.1.7600.16385_es-es_467c097d0fba38ff\SystemPropertiesHardware.exe.mui" /accepteula
  2⤵
  PID:3036
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Windows\winsxs\amd64_microsoft-windows-s..mhardware.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_e9337f7c028c4f61\SystemPropertiesHardware.exe.mui" /accepteula
  2⤵
  PID:2172
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Windows\winsxs\amd64_microsoft-windows-s..mhardware.resources_31bf3856ad364e35_6.1.7600.16385_it-it_d35b75c2d9be34df\SystemPropertiesHardware.exe.mui" /accepteula
  2⤵
  PID:2232
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Windows\winsxs\amd64_microsoft-windows-s..mhardware.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_7580f4cfccd946ba\SystemPropertiesHardware.exe.mui" /accepteula
  2⤵
  PID:576
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Windows\winsxs\amd64_microsoft-windows-s..mpropertiesadvanced_31bf3856ad364e35_6.1.7600.16385_none_533d797efdf7728b\SystemPropertiesAdvanced.exe" /accepteula
  2⤵
  PID:1376
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Windows\winsxs\amd64_microsoft-windows-s..mpropertieshardware_31bf3856ad364e35_6.1.7600.16385_none_9cef76e6ecab612f\SystemPropertiesHardware.exe" /accepteula
  2⤵
  PID:1500
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Windows\winsxs\amd64_microsoft-windows-s..opertiesperformance_31bf3856ad364e35_6.1.7600.16385_none_b6cb9ed71c8b43d5\SystemPropertiesPerformance.exe" /accepteula
  2⤵
  PID:956
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Windows\winsxs\amd64_microsoft-windows-s..pertiescomputername_31bf3856ad364e35_6.1.7600.16385_none_8c6823f855ef04a5\SystemPropertiesComputerName.exe" /accepteula
  2⤵
  PID:1160
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Windows\winsxs\amd64_microsoft-windows-s..revention.resources_31bf3856ad364e35_6.1.7600.16385_de-de_926fd42921d36c37\SystemPropertiesDataExecutionPrevention.exe.mui" /accepteula
  2⤵
  PID:1028
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Windows\winsxs\amd64_microsoft-windows-s..revention.resources_31bf3856ad364e35_6.1.7600.16385_en-us_3b60aa2210b177fc\SystemPropertiesDataExecutionPrevention.exe.mui" /accepteula
  2⤵
  PID:1848
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Windows\winsxs\amd64_microsoft-windows-s..revention.resources_31bf3856ad364e35_6.1.7600.16385_es-es_3b2c070610d869a1\SystemPropertiesDataExecutionPrevention.exe.mui" /accepteula
  2⤵
  PID:1540
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Windows\winsxs\amd64_microsoft-windows-s..revention.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_dde37d0503aa8003\SystemPropertiesDataExecutionPrevention.exe.mui" /accepteula
  2⤵
  PID:2568
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Windows\winsxs\amd64_microsoft-windows-s..revention.resources_31bf3856ad364e35_6.1.7600.16385_it-it_c80b734bdadc6581\SystemPropertiesDataExecutionPrevention.exe.mui" /accepteula
  2⤵
  PID:2556
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Windows\winsxs\amd64_microsoft-windows-s..revention.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_6a30f258cdf7775c\SystemPropertiesDataExecutionPrevention.exe.mui" /accepteula
  2⤵
  PID:3024
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Windows\winsxs\amd64_microsoft-windows-s..ropertiesprotection_31bf3856ad364e35_6.1.7600.16385_none_bfa748753634ba48\SystemPropertiesProtection.exe" /accepteula
  2⤵
  PID:1060
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Windows\winsxs\amd64_microsoft-windows-s..rotection.resources_31bf3856ad364e35_6.1.7600.16385_de-de_72a20dbfbad4e7ec\SystemPropertiesProtection.exe.mui" /accepteula
  2⤵
  PID:2560
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Windows\winsxs\amd64_microsoft-windows-s..rotection.resources_31bf3856ad364e35_6.1.7600.16385_en-us_1b92e3b8a9b2f3b1\SystemPropertiesProtection.exe.mui" /accepteula
  2⤵
  PID:1140
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Windows\winsxs\amd64_microsoft-windows-s..rotection.resources_31bf3856ad364e35_6.1.7600.16385_es-es_1b5e409ca9d9e556\SystemPropertiesProtection.exe.mui" /accepteula
  2⤵
  PID:2348
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Windows\winsxs\amd64_microsoft-windows-s..rotection.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_be15b69b9cabfbb8\SystemPropertiesProtection.exe.mui" /accepteula
  2⤵
  PID:1784
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Windows\winsxs\amd64_microsoft-windows-s..rotection.resources_31bf3856ad364e35_6.1.7600.16385_it-it_a83dace273dde136\SystemPropertiesProtection.exe.mui" /accepteula
  2⤵
  PID:1732
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Windows\winsxs\amd64_microsoft-windows-s..rotection.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_4a632bef66f8f311\SystemPropertiesProtection.exe.mui" /accepteula
  2⤵
  PID:1956
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Windows\winsxs\amd64_microsoft-windows-sysdmremote.resources_31bf3856ad364e35_6.1.7600.16385_de-de_6362827e1363159b\SystemPropertiesRemote.exe.mui" /accepteula
  2⤵
  PID:1280
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Windows\winsxs\amd64_microsoft-windows-sysdmremote.resources_31bf3856ad364e35_6.1.7600.16385_en-us_0c53587702412160\SystemPropertiesRemote.exe.mui" /accepteula
  2⤵
  PID:2532
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Windows\winsxs\amd64_microsoft-windows-sysdmremote.resources_31bf3856ad364e35_6.1.7600.16385_es-es_0c1eb55b02681305\SystemPropertiesRemote.exe.mui" /accepteula
  2⤵
  PID:764
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Windows\winsxs\amd64_microsoft-windows-sysdmremote.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_aed62b59f53a2967\SystemPropertiesRemote.exe.mui" /accepteula
  2⤵
  PID:324
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Windows\winsxs\amd64_microsoft-windows-sysdmremote.resources_31bf3856ad364e35_6.1.7600.16385_it-it_98fe21a0cc6c0ee5\SystemPropertiesRemote.exe.mui" /accepteula
  2⤵
  PID:1756
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Windows\winsxs\amd64_microsoft-windows-sysdmremote.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_3b23a0adbf8720c0\SystemPropertiesRemote.exe.mui" /accepteula
  2⤵
  PID:1740
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Windows\winsxs\amd64_microsoft-windows-systempropertiesremote_31bf3856ad364e35_6.1.7600.16385_none_f0ca3430257ea13f\SystemPropertiesRemote.exe" /accepteula
  2⤵
  PID:2564
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Windows\winsxs\amd64_microsoft-windows-u..ackup-adm.resources_31bf3856ad364e35_6.1.7600.16385_de-de_b0797a6e18a62167\UserDataBackup.adml" /accepteula
  2⤵
  PID:1472
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Windows\winsxs\amd64_microsoft-windows-u..ackup-adm.resources_31bf3856ad364e35_6.1.7600.16385_en-us_596a506707842d2c\UserDataBackup.adml" /accepteula
  2⤵
  PID:772
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Windows\winsxs\amd64_microsoft-windows-u..ackup-adm.resources_31bf3856ad364e35_6.1.7600.16385_es-es_5935ad4b07ab1ed1\UserDataBackup.adml" /accepteula
  2⤵
  PID:1632
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Windows\winsxs\amd64_microsoft-windows-u..ackup-adm.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_fbed2349fa7d3533\UserDataBackup.adml" /accepteula
  2⤵
  PID:2440
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Windows\winsxs\amd64_microsoft-windows-u..ackup-adm.resources_31bf3856ad364e35_6.1.7600.16385_it-it_e6151990d1af1ab1\UserDataBackup.adml" /accepteula
  2⤵
  PID:2216
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Windows\winsxs\amd64_microsoft-windows-u..ackup-adm.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_883a989dc4ca2c8c\UserDataBackup.adml" /accepteula
  2⤵
  PID:2744
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Windows\winsxs\amd64_microsoft-windows-userdatabackup-adm_31bf3856ad364e35_6.1.7600.16385_none_2dc05a8484480773\UserDataBackup.admx" /accepteula
  2⤵
  PID:1856
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Windows\winsxs\amd64_microsoft-windows-vsssystemprovider_31bf3856ad364e35_6.1.7600.16385_none_a727eb798dcfb185\swprv.dll" /accepteula
  2⤵
  - Drops file in Windows directory
  PID:820
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Windows\winsxs\amd64_prnbr002.inf_31bf3856ad364e35_6.1.7600.16385_none_49c93aa2c4304e9e\Amd64\brio06aa.bcm" /accepteula
  2⤵
  PID:2096
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Windows\winsxs\amd64_prnbr002.inf_31bf3856ad364e35_6.1.7600.16385_none_49c93aa2c4304e9e\Amd64\brio06ab.bcm" /accepteula
  2⤵
  PID:2388
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Windows\winsxs\amd64_prnbr002.inf_31bf3856ad364e35_6.1.7600.16385_none_49c93aa2c4304e9e\Amd64\brio06ac.bcm" /accepteula
  2⤵
  PID:2836
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Windows\winsxs\amd64_prnbr002.inf_31bf3856ad364e35_6.1.7600.16385_none_49c93aa2c4304e9e\Amd64\brio06af.bcm" /accepteula
  2⤵
  PID:2460
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Windows\winsxs\amd64_prnbr002.inf_31bf3856ad364e35_6.1.7600.16385_none_49c93aa2c4304e9e\Amd64\brio06ag.bcm" /accepteula
  2⤵
  PID:1104
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Windows\winsxs\amd64_prnbr004.inf_31bf3856ad364e35_6.1.7600.16385_none_4adb5f0cf66cc770\Amd64\brio08aa.bcm" /accepteula
  2⤵
  PID:304
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Windows\winsxs\amd64_prnbr004.inf_31bf3856ad364e35_6.1.7600.16385_none_4adb5f0cf66cc770\Amd64\brio08ab.bcm" /accepteula
  2⤵
  PID:2508
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Windows\winsxs\amd64_prnbr004.inf_31bf3856ad364e35_6.1.7600.16385_none_4adb5f0cf66cc770\Amd64\brio08ac.bcm" /accepteula
  2⤵
  PID:996
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Windows\winsxs\amd64_prnbr004.inf_31bf3856ad364e35_6.1.7600.16385_none_4adb5f0cf66cc770\Amd64\brio08ae.bcm" /accepteula
  2⤵
  PID:2268
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Windows\winsxs\amd64_prnbr004.inf_31bf3856ad364e35_6.1.7600.16385_none_4adb5f0cf66cc770\Amd64\brio08af.bcm" /accepteula
  2⤵
  PID:2936
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Windows\winsxs\amd64_prnbr004.inf_31bf3856ad364e35_6.1.7600.16385_none_4adb5f0cf66cc770\Amd64\brio08ag.bcm" /accepteula
  2⤵
  PID:2696
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Windows\winsxs\amd64_prnbr004.inf_31bf3856ad364e35_6.1.7600.16385_none_4adb5f0cf66cc770\Amd64\brio08ah.bcm" /accepteula
  2⤵
  PID:1604
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Windows\winsxs\amd64_prnbr004.inf_31bf3856ad364e35_6.1.7600.16385_none_4adb5f0cf66cc770\Amd64\brio08ak.bcm" /accepteula
  2⤵
  PID:1480
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Windows\winsxs\amd64_prnbr005.inf_31bf3856ad364e35_6.1.7600.16385_none_4b6471420f8b03d9\Amd64\brio08ba.bcm" /accepteula
  2⤵
  PID:2844
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Windows\winsxs\amd64_prnbr005.inf_31bf3856ad364e35_6.1.7600.16385_none_4b6471420f8b03d9\Amd64\brio08bb.bcm" /accepteula
  2⤵
  PID:1592
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Windows\winsxs\amd64_prnbr005.inf_31bf3856ad364e35_6.1.7600.16385_none_4b6471420f8b03d9\Amd64\brio08bc.bcm" /accepteula
  2⤵
  PID:1596
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Windows\winsxs\amd64_prnbr005.inf_31bf3856ad364e35_6.1.7600.16385_none_4b6471420f8b03d9\Amd64\brio08be.bcm" /accepteula
  2⤵
  PID:768
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Windows\winsxs\amd64_prnbr005.inf_31bf3856ad364e35_6.1.7600.16385_none_4b6471420f8b03d9\Amd64\brio08bf.bcm" /accepteula
  2⤵
  PID:1396
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Windows\winsxs\amd64_prnbr005.inf_31bf3856ad364e35_6.1.7600.16385_none_4b6471420f8b03d9\Amd64\brio08bg.bcm" /accepteula
  2⤵
  PID:1608
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Windows\winsxs\amd64_prnbr005.inf_31bf3856ad364e35_6.1.7600.16385_none_4b6471420f8b03d9\Amd64\brio08bk.bcm" /accepteula
  2⤵
  PID:1720
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Windows\winsxs\amd64_prnbr009.inf_31bf3856ad364e35_6.1.7600.16385_none_4d88ba167403f57d\Amd64\brio14aa.bcm" /accepteula
  2⤵
  PID:2980
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Windows\winsxs\amd64_prnbr009.inf_31bf3856ad364e35_6.1.7600.16385_none_4d88ba167403f57d\Amd64\brio14ab.bcm" /accepteula
  2⤵
  PID:2808
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Windows\winsxs\amd64_prnbr009.inf_31bf3856ad364e35_6.1.7600.16385_none_4d88ba167403f57d\Amd64\brio14ac.bcm" /accepteula
  2⤵
  PID:876
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Windows\winsxs\amd64_prnbr009.inf_31bf3856ad364e35_6.1.7600.16385_none_4d88ba167403f57d\Amd64\brio14ad.bcm" /accepteula
  2⤵
  PID:1340
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Windows\winsxs\amd64_prnbr009.inf_31bf3856ad364e35_6.1.7600.16385_none_4d88ba167403f57d\Amd64\brio14af.bcm" /accepteula
  2⤵
  PID:1344
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Windows\winsxs\amd64_prnbr009.inf_31bf3856ad364e35_6.1.7600.16385_none_4d88ba167403f57d\Amd64\brio14ag.bcm" /accepteula
  2⤵
  - Modifies data under HKEY_USERS
  PID:1264
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Windows\winsxs\amd64_prnbr009.inf_31bf3856ad364e35_6.1.7600.16385_none_4d88ba167403f57d\Amd64\brio14ah.bcm" /accepteula
  2⤵
  PID:892
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Windows\winsxs\amd64_prnbr009.inf_31bf3856ad364e35_6.1.7600.16385_none_4d88ba167403f57d\Amd64\brio14ai.bcm" /accepteula
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1716
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Windows\winsxs\amd64_prnbr009.inf_31bf3856ad364e35_6.1.7600.16385_none_4d88ba167403f57d\Amd64\brio14ak.bcm" /accepteula
  2⤵
  PID:1696
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Windows\winsxs\amd64_prnbr009.inf_31bf3856ad364e35_6.1.7600.16385_none_4d88ba167403f57d\Amd64\brio14al.bcm" /accepteula
  2⤵
  PID:2856
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Windows\winsxs\amd64_prnbr009.inf_31bf3856ad364e35_6.1.7600.16385_none_4d88ba167403f57d\Amd64\brio14am.bcm" /accepteula
  2⤵
  PID:408
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Windows\winsxs\amd64_prnbr009.inf_31bf3856ad364e35_6.1.7600.16385_none_4d88ba167403f57d\Amd64\brio14an.bcm" /accepteula
  2⤵
  PID:2188
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Windows\winsxs\Backup\amd64_hid-user.resources_31bf3856ad364e35_6.1.7600.16385_de-de_18a6abaa160568df.manifest" /accepteula
  2⤵
  PID:2600
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Windows\winsxs\Backup\amd64_hid-user.resources_31bf3856ad364e35_6.1.7600.16385_de-de_18a6abaa160568df_hid.dll.mui_cccd5ae0" /accepteula
  2⤵
  PID:1548
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Windows\winsxs\Backup\amd64_hid-user.resources_31bf3856ad364e35_6.1.7600.16385_de-de_18a6abaa160568df_hidserv.dll.mui_561adfc8" /accepteula
  2⤵
  PID:2604
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Windows\winsxs\Backup\amd64_hid-user.resources_31bf3856ad364e35_6.1.7600.16385_en-us_c19781a304e374a4.manifest" /accepteula
  2⤵
  PID:2240
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Windows\winsxs\Backup\amd64_hid-user.resources_31bf3856ad364e35_6.1.7600.16385_en-us_c19781a304e374a4_hid.dll.mui_cccd5ae0" /accepteula
  2⤵
  PID:2912
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Windows\winsxs\Backup\amd64_hid-user.resources_31bf3856ad364e35_6.1.7600.16385_en-us_c19781a304e374a4_hidserv.dll.mui_561adfc8" /accepteula
  2⤵
  PID:1308
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Windows\winsxs\Backup\amd64_hid-user.resources_31bf3856ad364e35_6.1.7600.16385_es-es_c162de87050a6649.manifest" /accepteula
  2⤵
  PID:780
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Windows\winsxs\Backup\amd64_hid-user.resources_31bf3856ad364e35_6.1.7600.16385_es-es_c162de87050a6649_hid.dll.mui_cccd5ae0" /accepteula
  2⤵
  PID:2172
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Windows\winsxs\Backup\amd64_hid-user.resources_31bf3856ad364e35_6.1.7600.16385_es-es_c162de87050a6649_hidserv.dll.mui_561adfc8" /accepteula
  2⤵
  PID:1700
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Windows\winsxs\Backup\amd64_hid-user.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_641a5485f7dc7cab.manifest" /accepteula
  2⤵
  PID:1736
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Windows\winsxs\Backup\amd64_hid-user.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_641a5485f7dc7cab_hid.dll.mui_cccd5ae0" /accepteula
  2⤵
  PID:1988
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Windows\winsxs\Backup\amd64_hid-user.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_641a5485f7dc7cab_hidserv.dll.mui_561adfc8" /accepteula
  2⤵
  PID:2056
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Windows\winsxs\Backup\amd64_hid-user.resources_31bf3856ad364e35_6.1.7600.16385_it-it_4e424acccf0e6229.manifest" /accepteula
  2⤵
  PID:2720
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Windows\winsxs\Backup\amd64_hid-user.resources_31bf3856ad364e35_6.1.7600.16385_it-it_4e424acccf0e6229_hid.dll.mui_cccd5ae0" /accepteula
  2⤵
  PID:956
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Windows\winsxs\Backup\amd64_hid-user.resources_31bf3856ad364e35_6.1.7600.16385_it-it_4e424acccf0e6229_hidserv.dll.mui_561adfc8" /accepteula
  2⤵
  PID:1788
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Windows\winsxs\Backup\amd64_hid-user.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_f067c9d9c2297404.manifest" /accepteula
  2⤵
  PID:2768
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Windows\winsxs\Backup\amd64_hid-user.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_f067c9d9c2297404_hid.dll.mui_cccd5ae0" /accepteula
  2⤵
  PID:2732
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Windows\winsxs\Backup\amd64_hid-user.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_f067c9d9c2297404_hidserv.dll.mui_561adfc8" /accepteula
  2⤵
  PID:1372
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Windows\winsxs\Backup\amd64_microsoft-windows-a..ce-router.resources_31bf3856ad364e35_6.1.7600.16385_de-de_7b478cfdf5bb71e8.manifest" /accepteula
  2⤵
  PID:2568
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Windows\winsxs\Backup\amd64_microsoft-windows-a..ce-router.resources_31bf3856ad364e35_6.1.7600.16385_de-de_7b478cfdf5bb71e8_activeds.dll.mui_67414db4" /accepteula
  2⤵
  PID:696
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Windows\winsxs\Backup\amd64_microsoft-windows-a..ce-router.resources_31bf3856ad364e35_6.1.7600.16385_en-us_243862f6e4997dad.manifest" /accepteula
  2⤵
  PID:3024
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Windows\winsxs\Backup\amd64_microsoft-windows-a..ce-router.resources_31bf3856ad364e35_6.1.7600.16385_en-us_243862f6e4997dad_activeds.dll.mui_67414db4" /accepteula
  2⤵
  PID:2780
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Windows\winsxs\Backup\amd64_microsoft-windows-a..ce-router.resources_31bf3856ad364e35_6.1.7600.16385_es-es_2403bfdae4c06f52.manifest" /accepteula
  2⤵
  PID:2068
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Windows\winsxs\Backup\amd64_microsoft-windows-a..ce-router.resources_31bf3856ad364e35_6.1.7600.16385_es-es_2403bfdae4c06f52_activeds.dll.mui_67414db4" /accepteula
  2⤵
  PID:2976
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Windows\winsxs\Backup\amd64_microsoft-windows-a..ce-router.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_c6bb35d9d79285b4.manifest" /accepteula
  2⤵
  PID:2348
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Windows\winsxs\Backup\amd64_microsoft-windows-a..ce-router.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_c6bb35d9d79285b4_activeds.dll.mui_67414db4" /accepteula
  2⤵
  PID:896
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Windows\winsxs\Backup\amd64_microsoft-windows-a..ce-router.resources_31bf3856ad364e35_6.1.7600.16385_it-it_b0e32c20aec46b32.manifest" /accepteula
  2⤵
  PID:1732
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Windows\winsxs\Backup\amd64_microsoft-windows-a..ce-router.resources_31bf3856ad364e35_6.1.7600.16385_it-it_b0e32c20aec46b32_activeds.dll.mui_67414db4" /accepteula
  2⤵
  PID:3048
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Windows\winsxs\Backup\amd64_microsoft-windows-a..ce-router.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_5308ab2da1df7d0d.manifest" /accepteula
  2⤵
  PID:2016
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Windows\winsxs\Backup\amd64_microsoft-windows-a..ce-router.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_5308ab2da1df7d0d_activeds.dll.mui_67414db4" /accepteula
  2⤵
  PID:288
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Windows\winsxs\Backup\amd64_microsoft-windows-a..core-base.resources_31bf3856ad364e35_6.1.7600.16385_de-de_1d2f90411ea5c48a.manifest" /accepteula
  2⤵
  PID:2124
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Windows\winsxs\Backup\amd64_microsoft-windows-a..core-base.resources_31bf3856ad364e35_6.1.7600.16385_de-de_1d2f90411ea5c48a_winmm.dll.mui_224f6445" /accepteula
  2⤵
  PID:1280
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Windows\winsxs\Backup\amd64_microsoft-windows-a..core-base.resources_31bf3856ad364e35_6.1.7600.16385_en-us_c620663a0d83d04f.manifest" /accepteula
  2⤵
  PID:2532
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Windows\winsxs\Backup\amd64_microsoft-windows-a..core-base.resources_31bf3856ad364e35_6.1.7600.16385_en-us_c620663a0d83d04f_winmm.dll.mui_224f6445" /accepteula
  2⤵
  PID:852
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Windows\winsxs\Backup\amd64_microsoft-windows-a..core-base.resources_31bf3856ad364e35_6.1.7600.16385_es-es_c5ebc31e0daac1f4.manifest" /accepteula
  2⤵
  PID:324
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Windows\winsxs\Backup\amd64_microsoft-windows-a..core-base.resources_31bf3856ad364e35_6.1.7600.16385_es-es_c5ebc31e0daac1f4_winmm.dll.mui_224f6445" /accepteula
  2⤵
  PID:1756
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Windows\winsxs\Backup\amd64_microsoft-windows-a..core-base.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_68a3391d007cd856.manifest" /accepteula
  2⤵
  PID:1740
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Windows\winsxs\Backup\amd64_microsoft-windows-a..core-base.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_68a3391d007cd856_winmm.dll.mui_224f6445" /accepteula
  2⤵
  PID:2356
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Windows\winsxs\Backup\amd64_microsoft-windows-a..core-base.resources_31bf3856ad364e35_6.1.7600.16385_it-it_52cb2f63d7aebdd4.manifest" /accepteula
  2⤵
  PID:2400
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Windows\winsxs\Backup\amd64_microsoft-windows-a..core-base.resources_31bf3856ad364e35_6.1.7600.16385_it-it_52cb2f63d7aebdd4_winmm.dll.mui_224f6445" /accepteula
  2⤵
  PID:1552
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Windows\winsxs\Backup\amd64_microsoft-windows-a..core-base.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_f4f0ae70cac9cfaf.manifest" /accepteula
  2⤵
  PID:184
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Windows\winsxs\Backup\amd64_microsoft-windows-a..core-base.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_f4f0ae70cac9cfaf_winmm.dll.mui_224f6445" /accepteula
  2⤵
  PID:2208
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Windows\winsxs\Backup\amd64_microsoft-windows-a..ence-infrastructure_31bf3856ad364e35_6.1.7601.17514_none_3337092d63596104.manifest" /accepteula
  2⤵
  PID:1796
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Windows\winsxs\Backup\amd64_microsoft-windows-a..ence-infrastructure_31bf3856ad364e35_6.1.7601.17514_none_3337092d63596104_aelupsvc.dll_f420497b" /accepteula
  2⤵
  PID:1648
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Windows\winsxs\Backup\amd64_microsoft-windows-a..ence-infrastructure_31bf3856ad364e35_6.1.7601.17514_none_3337092d63596104_apphelp.dll_7ce69c4a" /accepteula
  2⤵
  PID:1508
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Windows\winsxs\Backup\amd64_microsoft-windows-a..ence-infrastructure_31bf3856ad364e35_6.1.7601.17514_none_3337092d63596104_sdbinst.exe_8725e339" /accepteula
  2⤵
  PID:548
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Windows\winsxs\Backup\amd64_microsoft-windows-a..ence-infrastructure_31bf3856ad364e35_6.1.7601.17514_none_3337092d63596104_shimeng.dll_2036b947" /accepteula
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2236
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Windows\winsxs\Backup\amd64_microsoft-windows-a..es-interface-router_31bf3856ad364e35_6.1.7600.16385_none_b3eaf84f983a33ee.manifest" /accepteula
  2⤵
  PID:2588
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Windows\winsxs\Backup\amd64_microsoft-windows-a..es-interface-router_31bf3856ad364e35_6.1.7600.16385_none_b3eaf84f983a33ee_activeds.dll_662643d7" /accepteula
  2⤵
  PID:1656
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Windows\winsxs\Backup\amd64_microsoft-windows-a..es-interface-router_31bf3856ad364e35_6.1.7600.16385_none_b3eaf84f983a33ee_activeds.tlb_662648dd" /accepteula
  2⤵
  PID:2628
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Windows\winsxs\Backup\amd64_microsoft-windows-a..llservice.resources_31bf3856ad364e35_6.1.7600.16385_de-de_10d22dcfce04430a.manifest" /accepteula
  2⤵
  PID:1944
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Windows\winsxs\Backup\amd64_microsoft-windows-a..llservice.resources_31bf3856ad364e35_6.1.7600.16385_de-de_10d22dcfce04430a_axinstsv.dll.mui_be092a2d" /accepteula
  2⤵
  PID:2592
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Windows\winsxs\Backup\amd64_microsoft-windows-a..llservice.resources_31bf3856ad364e35_6.1.7600.16385_de-de_10d22dcfce04430a_axinstui.exe.mui_aea34130" /accepteula
  2⤵
  PID:2512
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Windows\winsxs\Backup\amd64_microsoft-windows-a..llservice.resources_31bf3856ad364e35_6.1.7600.16385_en-us_b9c303c8bce24ecf.manifest" /accepteula
  2⤵
  PID:3064
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Windows\winsxs\Backup\amd64_microsoft-windows-a..llservice.resources_31bf3856ad364e35_6.1.7600.16385_en-us_b9c303c8bce24ecf_axinstsv.dll.mui_be092a2d" /accepteula
  2⤵
  PID:2404
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Windows\winsxs\Backup\amd64_microsoft-windows-a..llservice.resources_31bf3856ad364e35_6.1.7600.16385_en-us_b9c303c8bce24ecf_axinstui.exe.mui_aea34130" /accepteula
  2⤵
  PID:2984
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Windows\winsxs\Backup\amd64_microsoft-windows-a..llservice.resources_31bf3856ad364e35_6.1.7600.16385_es-es_b98e60acbd094074.manifest" /accepteula
  2⤵
  PID:2700
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Windows\winsxs\Backup\amd64_microsoft-windows-a..llservice.resources_31bf3856ad364e35_6.1.7600.16385_es-es_b98e60acbd094074_axinstsv.dll.mui_be092a2d" /accepteula
  2⤵
  PID:888
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Windows\winsxs\Backup\amd64_microsoft-windows-a..llservice.resources_31bf3856ad364e35_6.1.7600.16385_es-es_b98e60acbd094074_axinstui.exe.mui_aea34130" /accepteula
  2⤵
  PID:2884
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Windows\winsxs\Backup\amd64_microsoft-windows-a..llservice.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_5c45d6abafdb56d6.manifest" /accepteula
  2⤵
  PID:2096
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Windows\winsxs\Backup\amd64_microsoft-windows-a..llservice.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_5c45d6abafdb56d6_axinstsv.dll.mui_be092a2d" /accepteula
  2⤵
  PID:704
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Windows\winsxs\Backup\amd64_microsoft-windows-a..llservice.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_5c45d6abafdb56d6_axinstui.exe.mui_aea34130" /accepteula
  2⤵
  PID:2796
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Windows\winsxs\Backup\amd64_microsoft-windows-a..llservice.resources_31bf3856ad364e35_6.1.7600.16385_it-it_466dccf2870d3c54.manifest" /accepteula
  2⤵
  PID:1564
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Windows\winsxs\Backup\amd64_microsoft-windows-a..llservice.resources_31bf3856ad364e35_6.1.7600.16385_it-it_466dccf2870d3c54_axinstsv.dll.mui_be092a2d" /accepteula
  2⤵
  PID:2804
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Windows\winsxs\Backup\amd64_microsoft-windows-a..llservice.resources_31bf3856ad364e35_6.1.7600.16385_it-it_466dccf2870d3c54_axinstui.exe.mui_aea34130" /accepteula
  2⤵
  PID:2836
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Windows\winsxs\Backup\amd64_microsoft-windows-a..llservice.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_e8934bff7a284e2f.manifest" /accepteula
  2⤵
  PID:1672
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Windows\winsxs\Backup\amd64_microsoft-windows-a..llservice.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_e8934bff7a284e2f_axinstsv.dll.mui_be092a2d" /accepteula
  2⤵
  PID:2164
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Windows\winsxs\Backup\amd64_microsoft-windows-a..llservice.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_e8934bff7a284e2f_axinstui.exe.mui_aea34130" /accepteula
  2⤵
  PID:2576
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Windows\winsxs\Backup\amd64_microsoft-windows-a..on-authui.resources_31bf3856ad364e35_6.1.7600.16385_de-de_3e80b31cc7dc75d0.manifest" /accepteula
  2⤵
  - Modifies data under HKEY_USERS
  PID:2664
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Windows\winsxs\Backup\amd64_microsoft-windows-a..on-authui.resources_31bf3856ad364e35_6.1.7600.16385_de-de_3e80b31cc7dc75d0_authui.dll.mui_19b92789" /accepteula
  2⤵
  PID:2936
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Windows\winsxs\Backup\amd64_microsoft-windows-a..on-authui.resources_31bf3856ad364e35_6.1.7600.16385_en-us_e7718915b6ba8195.manifest" /accepteula
  2⤵
  PID:700
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Windows\winsxs\Backup\amd64_microsoft-windows-a..on-authui.resources_31bf3856ad364e35_6.1.7600.16385_en-us_e7718915b6ba8195_authui.dll.mui_19b92789" /accepteula
  2⤵
  PID:2736
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Windows\winsxs\Backup\amd64_microsoft-windows-a..on-authui.resources_31bf3856ad364e35_6.1.7600.16385_es-es_e73ce5f9b6e1733a.manifest" /accepteula
  2⤵
  PID:932
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Windows\winsxs\Backup\amd64_microsoft-windows-a..on-authui.resources_31bf3856ad364e35_6.1.7600.16385_es-es_e73ce5f9b6e1733a_authui.dll.mui_19b92789" /accepteula
  2⤵
  PID:880
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Windows\winsxs\Backup\amd64_microsoft-windows-a..on-authui.resources_31bf3856ad364e35_6.1.7600.16385_it-it_741c523f80e56f1a.manifest" /accepteula
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2052
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Windows\winsxs\Backup\amd64_microsoft-windows-a..on-authui.resources_31bf3856ad364e35_6.1.7600.16385_it-it_741c523f80e56f1a_authui.dll.mui_19b92789" /accepteula
  2⤵
  PID:2960
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Windows\winsxs\Backup\amd64_microsoft-windows-a..on-authui.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_1641d14c740080f5.manifest" /accepteula
  2⤵
  PID:1604
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Windows\winsxs\Backup\amd64_microsoft-windows-a..on-authui.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_1641d14c740080f5_authui.dll.mui_19b92789" /accepteula
  2⤵
  PID:1768
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Windows\winsxs\Backup\amd64_microsoft-windows-a..on-authui.resources_31bf3856ad364e35_6.1.7601.17514_fr-fr_8c256fc0a6a20d36.manifest" /accepteula
  2⤵
  PID:1088
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Windows\winsxs\Backup\amd64_microsoft-windows-a..on-authui.resources_31bf3856ad364e35_6.1.7601.17514_fr-fr_8c256fc0a6a20d36_authui.dll.mui_19b92789" /accepteula
  2⤵
  PID:1996
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Windows\winsxs\Backup\amd64_microsoft-windows-a..structure.resources_31bf3856ad364e35_6.1.7600.16385_en-us_541d3a4db051d913.manifest" /accepteula
  2⤵
  PID:2676
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Windows\winsxs\Backup\amd64_microsoft-windows-a..structure.resources_31bf3856ad364e35_6.1.7600.16385_en-us_541d3a4db051d913_aelupsvc.dll.mui_5d6cb110" /accepteula
  2⤵
  PID:2340
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Windows\winsxs\Backup\amd64_microsoft-windows-a..structure.resources_31bf3856ad364e35_6.1.7600.16385_en-us_541d3a4db051d913_apphelp.dll.mui_59096153" /accepteula
  2⤵
  PID:2696
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Windows\winsxs\Backup\amd64_microsoft-windows-a..structure.resources_31bf3856ad364e35_6.1.7600.16385_en-us_541d3a4db051d913_sdbinst.exe.mui_258ad624" /accepteula
  2⤵
  PID:2464
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Windows\winsxs\Backup\amd64_microsoft-windows-a..structure.resources_31bf3856ad364e35_6.1.7600.16385_es-es_53e89731b078cab8.manifest" /accepteula
  2⤵
  PID:2844
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Windows\winsxs\Backup\amd64_microsoft-windows-a..structure.resources_31bf3856ad364e35_6.1.7600.16385_es-es_53e89731b078cab8_aelupsvc.dll.mui_5d6cb110" /accepteula
  2⤵
  PID:2748
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Windows\winsxs\Backup\amd64_microsoft-windows-a..structure.resources_31bf3856ad364e35_6.1.7600.16385_es-es_53e89731b078cab8_apphelp.dll.mui_59096153" /accepteula
  2⤵
  PID:1980
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Windows\winsxs\Backup\amd64_microsoft-windows-a..structure.resources_31bf3856ad364e35_6.1.7600.16385_es-es_53e89731b078cab8_sdbinst.exe.mui_258ad624" /accepteula
  2⤵
  PID:1776
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Windows\winsxs\Backup\amd64_microsoft-windows-a..structure.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_f6a00d30a34ae11a.manifest" /accepteula
  2⤵
  PID:2620
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Windows\winsxs\Backup\amd64_microsoft-windows-a..structure.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_f6a00d30a34ae11a_aelupsvc.dll.mui_5d6cb110" /accepteula
  2⤵
  PID:3008
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Windows\winsxs\Backup\amd64_microsoft-windows-a..structure.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_f6a00d30a34ae11a_apphelp.dll.mui_59096153" /accepteula
  2⤵
  PID:1720
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Windows\winsxs\Backup\amd64_microsoft-windows-a..structure.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_f6a00d30a34ae11a_sdbinst.exe.mui_258ad624" /accepteula
  2⤵
  PID:2228
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Windows\winsxs\Backup\amd64_microsoft-windows-a..structure.resources_31bf3856ad364e35_6.1.7600.16385_it-it_e0c803777a7cc698.manifest" /accepteula
  2⤵
  PID:2212
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Windows\winsxs\Backup\amd64_microsoft-windows-a..structure.resources_31bf3856ad364e35_6.1.7600.16385_it-it_e0c803777a7cc698_aelupsvc.dll.mui_5d6cb110" /accepteula
  2⤵
  PID:1320
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Windows\winsxs\Backup\amd64_microsoft-windows-a..structure.resources_31bf3856ad364e35_6.1.7600.16385_it-it_e0c803777a7cc698_apphelp.dll.mui_59096153" /accepteula
  2⤵
  PID:2876
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Windows\winsxs\Backup\amd64_microsoft-windows-a..structure.resources_31bf3856ad364e35_6.1.7600.16385_it-it_e0c803777a7cc698_sdbinst.exe.mui_258ad624" /accepteula
  2⤵
  PID:1532
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Windows\winsxs\Backup\amd64_microsoft-windows-a..structure.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_82ed82846d97d873.manifest" /accepteula
  2⤵
  PID:1608
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Windows\winsxs\Backup\amd64_microsoft-windows-a..structure.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_82ed82846d97d873_aelupsvc.dll.mui_5d6cb110" /accepteula
  2⤵
  PID:2820
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Windows\winsxs\Backup\amd64_microsoft-windows-a..structure.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_82ed82846d97d873_apphelp.dll.mui_59096153" /accepteula
  2⤵
  PID:2928
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Windows\winsxs\Backup\amd64_microsoft-windows-a..structure.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_82ed82846d97d873_sdbinst.exe.mui_258ad624" /accepteula
  2⤵
  PID:2808
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Windows\winsxs\Backup\amd64_microsoft-windows-a..structure.resources_31bf3856ad364e35_6.1.7601.17514_de-de_ad5d781cbe6250e8.manifest" /accepteula
  2⤵
  PID:1340
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Windows\winsxs\Backup\amd64_microsoft-windows-a..structure.resources_31bf3856ad364e35_6.1.7601.17514_de-de_ad5d781cbe6250e8_aelupsvc.dll.mui_5d6cb110" /accepteula
  2⤵
  PID:612
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Windows\winsxs\Backup\amd64_microsoft-windows-a..structure.resources_31bf3856ad364e35_6.1.7601.17514_de-de_ad5d781cbe6250e8_apphelp.dll.mui_59096153" /accepteula
  2⤵
  PID:1524
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Windows\winsxs\Backup\amd64_microsoft-windows-a..structure.resources_31bf3856ad364e35_6.1.7601.17514_de-de_ad5d781cbe6250e8_sdbinst.exe.mui_258ad624" /accepteula
  2⤵
  PID:2000
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Windows\winsxs\Backup\amd64_microsoft-windows-acledit.resources_31bf3856ad364e35_6.1.7600.16385_de-de_dc4a3190eb7d1265.manifest" /accepteula
  2⤵
  PID:680
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Windows\winsxs\Backup\amd64_microsoft-windows-acledit.resources_31bf3856ad364e35_6.1.7600.16385_de-de_dc4a3190eb7d1265_acledit.dll.mui_5f932ccb" /accepteula
  2⤵
  PID:2584
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Windows\winsxs\Backup\amd64_microsoft-windows-acledit.resources_31bf3856ad364e35_6.1.7600.16385_en-us_853b0789da5b1e2a.manifest" /accepteula
  2⤵
  PID:2924
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Windows\winsxs\Backup\amd64_microsoft-windows-acledit.resources_31bf3856ad364e35_6.1.7600.16385_en-us_853b0789da5b1e2a_acledit.dll.mui_5f932ccb" /accepteula
  2⤵
  PID:1568
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Windows\winsxs\Backup\amd64_microsoft-windows-acledit.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_27bdda6ccd542631.manifest" /accepteula
  2⤵
  PID:3060
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Windows\winsxs\Backup\amd64_microsoft-windows-acledit.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_27bdda6ccd542631_acledit.dll.mui_5f932ccb" /accepteula
  2⤵
  PID:1716
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Windows\winsxs\Backup\amd64_microsoft-windows-acledit.resources_31bf3856ad364e35_6.1.7600.16385_it-it_11e5d0b3a4860baf.manifest" /accepteula
  2⤵
  PID:2080
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Windows\winsxs\Backup\amd64_microsoft-windows-acledit.resources_31bf3856ad364e35_6.1.7600.16385_it-it_11e5d0b3a4860baf_acledit.dll.mui_5f932ccb" /accepteula
  2⤵
  PID:2112
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Windows\winsxs\Backup\amd64_microsoft-windows-acledit.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_b40b4fc097a11d8a.manifest" /accepteula
  2⤵
  PID:2104
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Windows\winsxs\Backup\amd64_microsoft-windows-acledit.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_b40b4fc097a11d8a_acledit.dll.mui_5f932ccb" /accepteula
  2⤵
  PID:2756
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Windows\winsxs\Backup\amd64_microsoft-windows-acledit.resources_31bf3856ad364e35_6.1.7601.17514_es-es_87377835d7709369.manifest" /accepteula
  2⤵
  - Drops file in Windows directory
  - Modifies data under HKEY_USERS
  PID:2188
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Windows\winsxs\Backup\amd64_microsoft-windows-acledit.resources_31bf3856ad364e35_6.1.7601.17514_es-es_87377835d7709369_acledit.dll.mui_5f932ccb" /accepteula
  2⤵
  PID:2852
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Windows\winsxs\Backup\amd64_microsoft-windows-acledit_31bf3856ad364e35_6.1.7600.16385_none_c3d671ef7642fced.manifest" /accepteula
  2⤵
  PID:1268
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Windows\winsxs\Backup\amd64_microsoft-windows-acledit_31bf3856ad364e35_6.1.7600.16385_none_c3d671ef7642fced_acledit.dll_89da72d2" /accepteula
  2⤵
  PID:2256
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Windows\winsxs\Backup\amd64_microsoft-windows-aclui.resources_31bf3856ad364e35_6.1.7600.16385_de-de_f4d5efdcdbbeb063.manifest" /accepteula
  2⤵
  PID:2948
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Windows\winsxs\Backup\amd64_microsoft-windows-aclui.resources_31bf3856ad364e35_6.1.7600.16385_de-de_f4d5efdcdbbeb063_aclui.dll.mui_adadbfb7" /accepteula
  2⤵
  PID:2540
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Windows\winsxs\Backup\amd64_microsoft-windows-aclui.resources_31bf3856ad364e35_6.1.7600.16385_en-us_9dc6c5d5ca9cbc28.manifest" /accepteula
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1696
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Windows\winsxs\Backup\amd64_microsoft-windows-aclui.resources_31bf3856ad364e35_6.1.7600.16385_en-us_9dc6c5d5ca9cbc28_aclui.dll.mui_adadbfb7" /accepteula
  2⤵
  PID:1188
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Windows\winsxs\Backup\amd64_microsoft-windows-aclui.resources_31bf3856ad364e35_6.1.7600.16385_es-es_9d9222b9cac3adcd.manifest" /accepteula
  2⤵
  PID:2028
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Windows\winsxs\Backup\amd64_microsoft-windows-aclui.resources_31bf3856ad364e35_6.1.7600.16385_es-es_9d9222b9cac3adcd_aclui.dll.mui_adadbfb7" /accepteula
  2⤵
  PID:2992
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Windows\winsxs\Backup\amd64_microsoft-windows-aclui.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_404998b8bd95c42f.manifest" /accepteula
  2⤵
  PID:3012
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Windows\winsxs\Backup\amd64_microsoft-windows-aclui.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_404998b8bd95c42f_aclui.dll.mui_adadbfb7" /accepteula
  2⤵
  PID:692
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Windows\winsxs\Backup\amd64_microsoft-windows-aclui.resources_31bf3856ad364e35_6.1.7600.16385_it-it_2a718eff94c7a9ad.manifest" /accepteula
  2⤵
  PID:2832
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Windows\winsxs\Backup\amd64_microsoft-windows-aclui.resources_31bf3856ad364e35_6.1.7600.16385_it-it_2a718eff94c7a9ad_aclui.dll.mui_adadbfb7" /accepteula
  2⤵
  PID:2480
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Windows\winsxs\Backup\amd64_microsoft-windows-aclui.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_cc970e0c87e2bb88.manifest" /accepteula
  2⤵
  PID:448
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Windows\winsxs\Backup\amd64_microsoft-windows-aclui.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_cc970e0c87e2bb88_aclui.dll.mui_adadbfb7" /accepteula
  2⤵
  PID:1844
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Windows\winsxs\Backup\amd64_microsoft-windows-aclui_31bf3856ad364e35_6.1.7600.16385_none_b0ff4fc4cd57c163.manifest" /accepteula
  2⤵
  PID:2600
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Windows\winsxs\Backup\amd64_microsoft-windows-aclui_31bf3856ad364e35_6.1.7600.16385_none_b0ff4fc4cd57c163_aclui.dll_ebee9df6" /accepteula
  2⤵
  PID:2704
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Windows\winsxs\Backup\amd64_microsoft-windows-acproxy_31bf3856ad364e35_6.1.7600.16385_none_520444733f7b8add.manifest" /accepteula
  2⤵
  PID:2604
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Windows\winsxs\Backup\amd64_microsoft-windows-acproxy_31bf3856ad364e35_6.1.7600.16385_none_520444733f7b8add_acproxy.dll_5d65b262" /accepteula
  2⤵
  PID:1940
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Windows\winsxs\Backup\amd64_microsoft-windows-activexcompat_31bf3856ad364e35_8.0.7601.17514_none_6f29eb5391300db2.manifest" /accepteula
  2⤵
  PID:2912
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Windows\winsxs\Backup\amd64_microsoft-windows-activexproxy_31bf3856ad364e35_6.1.7601.17514_none_703438df00e9e0d7.manifest" /accepteula
  2⤵
  PID:2260
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Windows\winsxs\Backup\amd64_microsoft-windows-activexproxy_31bf3856ad364e35_6.1.7601.17514_none_703438df00e9e0d7_actxprxy.dll_82133921" /accepteula
  2⤵
  - Modifies data under HKEY_USERS
  PID:780
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Windows\winsxs\Backup\amd64_microsoft-windows-advapi32.resources_31bf3856ad364e35_6.1.7600.16385_de-de_cb8d93e1dba7ea79.manifest" /accepteula
  2⤵
  PID:1584
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Windows\winsxs\Backup\amd64_microsoft-windows-advapi32.resources_31bf3856ad364e35_6.1.7600.16385_de-de_cb8d93e1dba7ea79_advapi32.dll.mui_28c7718f" /accepteula
  2⤵
  PID:1700
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Windows\winsxs\Backup\amd64_microsoft-windows-advapi32.resources_31bf3856ad364e35_6.1.7600.16385_en-us_747e69daca85f63e.manifest" /accepteula
  2⤵
  PID:1736
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Windows\winsxs\Backup\amd64_microsoft-windows-advapi32.resources_31bf3856ad364e35_6.1.7600.16385_en-us_747e69daca85f63e_advapi32.dll.mui_28c7718f" /accepteula
  2⤵
  PID:1988
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Windows\winsxs\Backup\amd64_microsoft-windows-advapi32.resources_31bf3856ad364e35_6.1.7600.16385_es-es_7449c6becaace7e3.manifest" /accepteula
  2⤵
  PID:1500
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Windows\winsxs\Backup\amd64_microsoft-windows-advapi32.resources_31bf3856ad364e35_6.1.7600.16385_es-es_7449c6becaace7e3_advapi32.dll.mui_28c7718f" /accepteula
  2⤵
  PID:2720
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Windows\winsxs\Backup\amd64_microsoft-windows-advapi32.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_17013cbdbd7efe45.manifest" /accepteula
  2⤵
  PID:2868
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Windows\winsxs\Backup\amd64_microsoft-windows-advapi32.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_17013cbdbd7efe45_advapi32.dll.mui_28c7718f" /accepteula
  2⤵
  PID:1788
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Windows\winsxs\Backup\amd64_microsoft-windows-advapi32.resources_31bf3856ad364e35_6.1.7600.16385_it-it_0129330494b0e3c3.manifest" /accepteula
  2⤵
  - Drops file in Windows directory
  PID:2412
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Windows\winsxs\Backup\amd64_microsoft-windows-advapi32.resources_31bf3856ad364e35_6.1.7600.16385_it-it_0129330494b0e3c3_advapi32.dll.mui_28c7718f" /accepteula
  2⤵
  PID:2732
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Windows\winsxs\Backup\amd64_microsoft-windows-advapi32.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_a34eb21187cbf59e.manifest" /accepteula
  2⤵
  PID:1372
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Windows\winsxs\Backup\amd64_microsoft-windows-advapi32.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_a34eb21187cbf59e_advapi32.dll.mui_28c7718f" /accepteula
  2⤵
  PID:2568
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Windows\winsxs\Backup\amd64_microsoft-windows-advapi32_31bf3856ad364e35_6.1.7600.16385_none_3f3d4351a032bf57.manifest" /accepteula
  2⤵
  PID:316
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Windows\winsxs\Backup\amd64_microsoft-windows-advapi32_31bf3856ad364e35_6.1.7600.16385_none_3f3d4351a032bf57_advapi32.dll_9512793c" /accepteula
  2⤵
  PID:3024
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Windows\winsxs\Backup\amd64_microsoft-windows-agpsettings_31bf3856ad364e35_6.1.7600.16385_none_cb02d84df678436e.manifest" /accepteula
  2⤵
  PID:1960
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Windows\winsxs\Backup\amd64_microsoft-windows-appid.resources_31bf3856ad364e35_6.1.7600.16385_de-de_e92ea4b1d7adbfab.manifest" /accepteula
  2⤵
  PID:2068
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Windows\winsxs\Backup\amd64_microsoft-windows-appid.resources_31bf3856ad364e35_6.1.7600.16385_de-de_e92ea4b1d7adbfab_appidapi.dll.mui_b6af37bb" /accepteula
  2⤵
  PID:1536
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Windows\winsxs\Backup\amd64_microsoft-windows-appid.resources_31bf3856ad364e35_6.1.7600.16385_de-de_e92ea4b1d7adbfab_appidsvc.dll.mui_6717e231" /accepteula
  2⤵
  PID:2348
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Windows\winsxs\Backup\amd64_microsoft-windows-appid.resources_31bf3856ad364e35_6.1.7600.16385_en-us_921f7aaac68bcb70.manifest" /accepteula
  2⤵
  PID:2816
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Windows\winsxs\Backup\amd64_microsoft-windows-appid.resources_31bf3856ad364e35_6.1.7600.16385_en-us_921f7aaac68bcb70_appidapi.dll.mui_b6af37bb" /accepteula
  2⤵
  PID:1956
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Windows\winsxs\Backup\amd64_microsoft-windows-appid.resources_31bf3856ad364e35_6.1.7600.16385_en-us_921f7aaac68bcb70_appidsvc.dll.mui_6717e231" /accepteula
  2⤵
  PID:1928
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Windows\winsxs\Backup\amd64_microsoft-windows-appid.resources_31bf3856ad364e35_6.1.7600.16385_es-es_91ead78ec6b2bd15.manifest" /accepteula
  2⤵
  PID:352
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Windows\winsxs\Backup\amd64_microsoft-windows-appid.resources_31bf3856ad364e35_6.1.7600.16385_es-es_91ead78ec6b2bd15_appidapi.dll.mui_b6af37bb" /accepteula
  2⤵
  PID:2020
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Windows\winsxs\Backup\amd64_microsoft-windows-appid.resources_31bf3856ad364e35_6.1.7600.16385_es-es_91ead78ec6b2bd15_appidsvc.dll.mui_6717e231" /accepteula
  2⤵
  PID:2116
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Windows\winsxs\Backup\amd64_microsoft-windows-appid.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_34a24d8db984d377.manifest" /accepteula
  2⤵
  PID:2280
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Windows\winsxs\Backup\amd64_microsoft-windows-appid.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_34a24d8db984d377_appidapi.dll.mui_b6af37bb" /accepteula
  2⤵
  PID:852
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Windows\winsxs\Backup\amd64_microsoft-windows-appid.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_34a24d8db984d377_appidsvc.dll.mui_6717e231" /accepteula
  2⤵
  PID:2632
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Windows\winsxs\Backup\amd64_microsoft-windows-appid.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_c0efc2e183d1cad0.manifest" /accepteula
  2⤵
  PID:1756
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Windows\winsxs\Backup\amd64_microsoft-windows-appid.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_c0efc2e183d1cad0_appidapi.dll.mui_b6af37bb" /accepteula
  2⤵
  PID:2100
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Windows\winsxs\Backup\amd64_microsoft-windows-appid.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_c0efc2e183d1cad0_appidsvc.dll.mui_6717e231" /accepteula
  2⤵
  PID:1740
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Windows\winsxs\Backup\amd64_microsoft-windows-appid.resources_31bf3856ad364e35_6.1.7601.17514_it-it_20fb579c8da53c8f.manifest" /accepteula
  2⤵
  PID:2564
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Windows\winsxs\Backup\amd64_microsoft-windows-appid.resources_31bf3856ad364e35_6.1.7601.17514_it-it_20fb579c8da53c8f_appidapi.dll.mui_b6af37bb" /accepteula
  2⤵
  PID:2400
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Windows\winsxs\Backup\amd64_microsoft-windows-appid.resources_31bf3856ad364e35_6.1.7601.17514_it-it_20fb579c8da53c8f_appidsvc.dll.mui_6717e231" /accepteula
  2⤵
  PID:156
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Windows\winsxs\Backup\amd64_microsoft-windows-appid_31bf3856ad364e35_6.1.7601.17514_none_b57215bac8c6d647.manifest" /accepteula
  2⤵
  PID:184
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Windows\winsxs\Backup\amd64_microsoft-windows-appid_31bf3856ad364e35_6.1.7601.17514_none_b57215bac8c6d647_appid-ppdlic.xrm-ms_67ebc09b" /accepteula
  2⤵
  PID:1472
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Windows\winsxs\Backup\amd64_microsoft-windows-appid_31bf3856ad364e35_6.1.7601.17514_none_b57215bac8c6d647_appid.sys_fe1d01e3" /accepteula
  2⤵
  PID:1796
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Windows\winsxs\Backup\amd64_microsoft-windows-appid_31bf3856ad364e35_6.1.7601.17514_none_b57215bac8c6d647_appidapi.dll_affa6810" /accepteula
  2⤵
  PID:1648
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Windows\winsxs\Backup\amd64_microsoft-windows-appid_31bf3856ad364e35_6.1.7601.17514_none_b57215bac8c6d647_appidcertstorecheck.exe_03352f5f" /accepteula
  2⤵
  PID:1508
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Windows\winsxs\Backup\amd64_microsoft-windows-appid_31bf3856ad364e35_6.1.7601.17514_none_b57215bac8c6d647_appidpolicyconverter.exe_83972af0" /accepteula
  2⤵
  PID:548
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Windows\winsxs\Backup\amd64_microsoft-windows-appid_31bf3856ad364e35_6.1.7601.17514_none_b57215bac8c6d647_appidsvc.dll_b571c01a" /accepteula
  2⤵
  PID:2236
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Windows\winsxs\Backup\amd64_microsoft-windows-atl_31bf3856ad364e35_6.1.7600.16385_none_0715316d7363738e.manifest" /accepteula
  2⤵
  PID:2136
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Windows\winsxs\Backup\amd64_microsoft-windows-atl_31bf3856ad364e35_6.1.7600.16385_none_0715316d7363738e_atl.dll_0c7220db" /accepteula
  2⤵
  PID:1656
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Windows\winsxs\Backup\amd64_microsoft-windows-audio-mmecore-base_31bf3856ad364e35_6.1.7600.16385_none_11d4ade16b61222e.manifest" /accepteula
  2⤵
  PID:820
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Windows\winsxs\Backup\amd64_microsoft-windows-audio-mmecore-base_31bf3856ad364e35_6.1.7600.16385_none_11d4ade16b61222e_winmm.dll_08d4f5e8" /accepteula
  2⤵
  PID:1944
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Windows\winsxs\Backup\amd64_microsoft-windows-authentication-authui_31bf3856ad364e35_6.1.7601.17514_none_6a1982860c076c38.manifest" /accepteula
  2⤵
  PID:1708
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Windows\winsxs\Backup\amd64_microsoft-windows-authentication-authui_31bf3856ad364e35_6.1.7601.17514_none_6a1982860c076c38_authui.dll_05ff9fd2" /accepteula
  2⤵
  PID:3016
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Windows\winsxs\Backup\amd64_microsoft-windows-authentication-authui_31bf3856ad364e35_6.1.7601.17514_none_6a1982860c076c38_authui.ptxml_399d39fd" /accepteula
  2⤵
  PID:3064
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Windows\winsxs\Backup\amd64_microsoft-windows-axinstallservice_31bf3856ad364e35_6.1.7601.17514_none_352b5454878cd498.manifest" /accepteula
  2⤵
  PID:1800
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Windows\winsxs\Backup\amd64_microsoft-windows-axinstallservice_31bf3856ad364e35_6.1.7601.17514_none_352b5454878cd498_axinstsv.dll_ebc2b91e" /accepteula
  2⤵
  PID:2984
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Windows\winsxs\Backup\amd64_microsoft-windows-axinstallservice_31bf3856ad364e35_6.1.7601.17514_none_352b5454878cd498_axinstui.exe_eba3b15b" /accepteula
  2⤵
  PID:2700
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Windows\winsxs\Backup\amd64_microsoft-windows-b..endencies.resources_31bf3856ad364e35_6.1.7600.16385_de-de_5dc34e0e1a4582e1.manifest" /accepteula
  2⤵
  PID:888
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Windows\winsxs\Backup\amd64_microsoft-windows-b..endencies.resources_31bf3856ad364e35_6.1.7600.16385_en-us_06b4240709238ea6.manifest" /accepteula
  2⤵
  PID:2884
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Windows\winsxs\Backup\amd64_microsoft-windows-b..endencies.resources_31bf3856ad364e35_6.1.7600.16385_es-es_067f80eb094a804b.manifest" /accepteula
  2⤵
  PID:2120
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Windows\winsxs\Backup\amd64_microsoft-windows-b..endencies.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_a936f6e9fc1c96ad.manifest" /accepteula
  2⤵
  PID:704
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Windows\winsxs\Backup\amd64_microsoft-windows-b..endencies.resources_31bf3856ad364e35_6.1.7600.16385_it-it_935eed30d34e7c2b.manifest" /accepteula
  2⤵
  PID:1748
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Windows\winsxs\Backup\amd64_microsoft-windows-b..endencies.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_35846c3dc6698e06.manifest" /accepteula
  2⤵
  PID:1564
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Windows\winsxs\Backup\amd64_microsoft-windows-b..environment-windows_31bf3856ad364e35_6.1.7601.17514_none_c75e9c99a36a285a.manifest" /accepteula
  2⤵
  PID:1660
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Windows\winsxs\Backup\amd64_microsoft-windows-b..environment-windows_31bf3856ad364e35_6.1.7601.17514_none_c75e9c99a36a285a_setbcdlocale.dll_77bec53b" /accepteula
  2⤵
  PID:2836
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Windows\winsxs\Backup\amd64_microsoft-windows-b..environment-windows_31bf3856ad364e35_6.1.7601.17514_none_c75e9c99a36a285a_winload.efi_75834aa0" /accepteula
  2⤵
  PID:1672
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Windows\winsxs\Backup\amd64_microsoft-windows-b..environment-windows_31bf3856ad364e35_6.1.7601.17514_none_c75e9c99a36a285a_winload.exe_75835076" /accepteula
  2⤵
  PID:2164
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Windows\winsxs\Backup\amd64_microsoft-windows-b..environment-windows_31bf3856ad364e35_6.1.7601.17514_none_c75e9c99a36a285a_winresume.efi_85cd069f" /accepteula
  2⤵
  PID:2168
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Windows\winsxs\Backup\amd64_microsoft-windows-b..environment-windows_31bf3856ad364e35_6.1.7601.17514_none_c75e9c99a36a285a_winresume.exe_85cd1215" /accepteula
  2⤵
  PID:2664
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Windows\winsxs\Backup\amd64_microsoft-windows-b..gertransport-serial_31bf3856ad364e35_6.1.7600.16385_none_6daa7ec5c65bf5bc.manifest" /accepteula
  2⤵
  PID:2508
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Windows\winsxs\Backup\amd64_microsoft-windows-b..gertransport-serial_31bf3856ad364e35_6.1.7600.16385_none_6daa7ec5c65bf5bc_kdcom.dll_db5e7744" /accepteula
  2⤵
  PID:700
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Windows\winsxs\Backup\amd64_microsoft-windows-b..iagnostic.resources_31bf3856ad364e35_6.1.7600.16385_de-de_69ed730eb5df1137.manifest" /accepteula
  2⤵
  PID:2040
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Windows\winsxs\Backup\amd64_microsoft-windows-b..iagnostic.resources_31bf3856ad364e35_6.1.7600.16385_de-de_69ed730eb5df1137_memtest.efi.mui_71e15c22" /accepteula
  2⤵
  PID:932
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Windows\winsxs\Backup\amd64_microsoft-windows-b..iagnostic.resources_31bf3856ad364e35_6.1.7600.16385_en-us_12de4907a4bd1cfc.manifest" /accepteula
  2⤵
  PID:2360
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Windows\winsxs\Backup\amd64_microsoft-windows-b..iagnostic.resources_31bf3856ad364e35_6.1.7600.16385_en-us_12de4907a4bd1cfc_memtest.efi.mui_71e15c22" /accepteula
  2⤵
  PID:2052
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Windows\winsxs\Backup\amd64_microsoft-windows-b..iagnostic.resources_31bf3856ad364e35_6.1.7600.16385_es-es_12a9a5eba4e40ea1.manifest" /accepteula
  2⤵
  PID:1984
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Windows\winsxs\Backup\amd64_microsoft-windows-b..iagnostic.resources_31bf3856ad364e35_6.1.7600.16385_es-es_12a9a5eba4e40ea1_memtest.efi.mui_71e15c22" /accepteula
  2⤵
  - Drops file in Windows directory
  PID:1604
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Windows\winsxs\Backup\amd64_microsoft-windows-b..iagnostic.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_b5611bea97b62503.manifest" /accepteula
  2⤵
  PID:1768
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Windows\winsxs\Backup\amd64_microsoft-windows-b..iagnostic.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_b5611bea97b62503_memtest.efi.mui_71e15c22" /accepteula
  2⤵
  PID:1088
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Windows\winsxs\Backup\amd64_microsoft-windows-b..iagnostic.resources_31bf3856ad364e35_6.1.7600.16385_it-it_9f8912316ee80a81.manifest" /accepteula
  2⤵
  PID:2880
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Windows\winsxs\Backup\amd64_microsoft-windows-b..iagnostic.resources_31bf3856ad364e35_6.1.7600.16385_it-it_9f8912316ee80a81_memtest.efi.mui_71e15c22" /accepteula
  2⤵
  PID:2676
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Windows\winsxs\Backup\amd64_microsoft-windows-b..iagnostic.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_41ae913e62031c5c.manifest" /accepteula
  2⤵
  PID:1964
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Windows\winsxs\Backup\amd64_microsoft-windows-b..iagnostic.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_41ae913e62031c5c_memtest.efi.mui_71e15c22" /accepteula
  2⤵
  PID:2696
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Windows\winsxs\Backup\amd64_microsoft-windows-b..ironment-dvd-efisys_31bf3856ad364e35_6.1.7601.17514_none_c0c6eceaf97c4827.manifest" /accepteula
  2⤵
  PID:2012
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Windows\winsxs\Backup\amd64_microsoft-windows-b..ironment-dvd-efisys_31bf3856ad364e35_6.1.7601.17514_none_c0c6eceaf97c4827_efisys.bin_0bfd8f26" /accepteula
  2⤵
  PID:2844
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Windows\winsxs\Backup\amd64_microsoft-windows-b..isc-tools.resources_31bf3856ad364e35_6.1.7600.16385_de-de_964af31d4c0ac434.manifest" /accepteula
  2⤵
  PID:2024
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Windows\winsxs\Backup\amd64_microsoft-windows-b..isc-tools.resources_31bf3856ad364e35_6.1.7600.16385_de-de_964af31d4c0ac434_expand.exe.mui_3f54e013" /accepteula
  2⤵
  PID:1980
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Windows\winsxs\Backup\amd64_microsoft-windows-b..isc-tools.resources_31bf3856ad364e35_6.1.7600.16385_de-de_964af31d4c0ac434_netmsg.dll.mui_ab0f7c73" /accepteula
  2⤵
  PID:2968
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Windows\winsxs\Backup\amd64_microsoft-windows-b..isc-tools.resources_31bf3856ad364e35_6.1.7600.16385_en-us_3f3bc9163ae8cff9.manifest" /accepteula
  2⤵
  PID:1396
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Windows\winsxs\Backup\amd64_microsoft-windows-b..isc-tools.resources_31bf3856ad364e35_6.1.7600.16385_en-us_3f3bc9163ae8cff9_expand.exe.mui_3f54e013" /accepteula
  2⤵
  PID:848
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Windows\winsxs\Backup\amd64_microsoft-windows-b..isc-tools.resources_31bf3856ad364e35_6.1.7600.16385_en-us_3f3bc9163ae8cff9_netmsg.dll.mui_ab0f7c73" /accepteula
  2⤵
  PID:1720
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Windows\winsxs\Backup\amd64_microsoft-windows-b..isc-tools.resources_31bf3856ad364e35_6.1.7600.16385_es-es_3f0725fa3b0fc19e.manifest" /accepteula
  2⤵
  PID:2228
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Windows\winsxs\Backup\amd64_microsoft-windows-b..isc-tools.resources_31bf3856ad364e35_6.1.7600.16385_es-es_3f0725fa3b0fc19e_expand.exe.mui_3f54e013" /accepteula
  2⤵
  PID:2212
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Windows\winsxs\Backup\amd64_microsoft-windows-b..isc-tools.resources_31bf3856ad364e35_6.1.7600.16385_es-es_3f0725fa3b0fc19e_netmsg.dll.mui_ab0f7c73" /accepteula
  2⤵
  PID:768
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Windows\winsxs\Backup\amd64_microsoft-windows-b..isc-tools.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_e1be9bf92de1d800.manifest" /accepteula
  2⤵
  PID:2384
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Windows\winsxs\Backup\amd64_microsoft-windows-b..isc-tools.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_e1be9bf92de1d800_expand.exe.mui_3f54e013" /accepteula
  2⤵
  PID:1532
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Windows\winsxs\Backup\amd64_microsoft-windows-b..isc-tools.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_e1be9bf92de1d800_netmsg.dll.mui_ab0f7c73" /accepteula
  2⤵
  PID:1608
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Windows\winsxs\Backup\amd64_microsoft-windows-b..isc-tools.resources_31bf3856ad364e35_6.1.7600.16385_it-it_cbe692400513bd7e.manifest" /accepteula
  2⤵
  PID:2964
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Windows\winsxs\Backup\amd64_microsoft-windows-b..isc-tools.resources_31bf3856ad364e35_6.1.7600.16385_it-it_cbe692400513bd7e_expand.exe.mui_3f54e013" /accepteula
  2⤵
  PID:2928
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Windows\winsxs\Backup\amd64_microsoft-windows-b..isc-tools.resources_31bf3856ad364e35_6.1.7600.16385_it-it_cbe692400513bd7e_netmsg.dll.mui_ab0f7c73" /accepteula
  2⤵
  PID:2692
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Windows\winsxs\Backup\amd64_microsoft-windows-b..isc-tools.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_6e0c114cf82ecf59.manifest" /accepteula
  2⤵
  PID:1340
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Windows\winsxs\Backup\amd64_microsoft-windows-b..isc-tools.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_6e0c114cf82ecf59_expand.exe.mui_3f54e013" /accepteula
  2⤵
  PID:3028
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Windows\winsxs\Backup\amd64_microsoft-windows-b..isc-tools.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_6e0c114cf82ecf59_netmsg.dll.mui_ab0f7c73" /accepteula
  2⤵
  PID:1524
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Windows\winsxs\Backup\amd64_microsoft-windows-b..nager-efi.resources_31bf3856ad364e35_6.1.7600.16385_cs-cz_97769b281ba398b8.manifest" /accepteula
  2⤵
  PID:1804
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Windows\winsxs\Backup\amd64_microsoft-windows-b..nager-efi.resources_31bf3856ad364e35_6.1.7600.16385_cs-cz_97769b281ba398b8_bootmgfw.efi.mui_a6e78cfa" /accepteula
  2⤵
  PID:680
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Windows\winsxs\Backup\amd64_microsoft-windows-b..nager-efi.resources_31bf3856ad364e35_6.1.7600.16385_cs-cz_97769b281ba398b8_bootmgr.efi.mui_be5d0075" /accepteula
  2⤵
  PID:2856
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Windows\winsxs\Backup\amd64_microsoft-windows-b..nager-efi.resources_31bf3856ad364e35_6.1.7600.16385_da-dk_34b07b4f11e994b7.manifest" /accepteula
  2⤵
  PID:2848
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Windows\winsxs\Backup\amd64_microsoft-windows-b..nager-efi.resources_31bf3856ad364e35_6.1.7600.16385_da-dk_34b07b4f11e994b7_bootmgfw.efi.mui_a6e78cfa" /accepteula
  2⤵
  PID:2924
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Windows\winsxs\Backup\amd64_microsoft-windows-b..nager-efi.resources_31bf3856ad364e35_6.1.7600.16385_da-dk_34b07b4f11e994b7_bootmgr.efi.mui_be5d0075" /accepteula
  2⤵
  PID:3060
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Windows\winsxs\Backup\amd64_microsoft-windows-b..nager-efi.resources_31bf3856ad364e35_6.1.7600.16385_de-de_31dc108b13bfe951.manifest" /accepteula
  2⤵
  PID:1264
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Windows\winsxs\Backup\amd64_microsoft-windows-b..nager-efi.resources_31bf3856ad364e35_6.1.7600.16385_de-de_31dc108b13bfe951_bootmgfw.efi.mui_a6e78cfa" /accepteula
  2⤵
  PID:2080
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Windows\winsxs\Backup\amd64_microsoft-windows-b..nager-efi.resources_31bf3856ad364e35_6.1.7600.16385_de-de_31dc108b13bfe951_bootmgr.efi.mui_be5d0075" /accepteula
  2⤵
  PID:1348
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Windows\winsxs\Backup\amd64_microsoft-windows-b..nager-efi.resources_31bf3856ad364e35_6.1.7600.16385_el-gr_da723e1e02d551df.manifest" /accepteula
  2⤵
  PID:2104
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Windows\winsxs\Backup\amd64_microsoft-windows-b..nager-efi.resources_31bf3856ad364e35_6.1.7600.16385_el-gr_da723e1e02d551df_bootmgfw.efi.mui_a6e78cfa" /accepteula
  2⤵
  PID:2516
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Windows\winsxs\Backup\amd64_microsoft-windows-b..nager-efi.resources_31bf3856ad364e35_6.1.7600.16385_el-gr_da723e1e02d551df_bootmgr.efi.mui_be5d0075" /accepteula
  2⤵
  PID:2188
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Windows\winsxs\Backup\amd64_microsoft-windows-b..nager-efi.resources_31bf3856ad364e35_6.1.7600.16385_en-us_dacce684029df516.manifest" /accepteula
  2⤵
  PID:2308
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Windows\winsxs\Backup\amd64_microsoft-windows-b..nager-efi.resources_31bf3856ad364e35_6.1.7600.16385_en-us_dacce684029df516_bootmgfw.efi.mui_a6e78cfa" /accepteula
  2⤵
  PID:1268
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Windows\winsxs\Backup\amd64_microsoft-windows-b..nager-efi.resources_31bf3856ad364e35_6.1.7600.16385_en-us_dacce684029df516_bootmgr.efi.mui_be5d0075" /accepteula
  2⤵
  - Modifies data under HKEY_USERS
  PID:2660
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Windows\winsxs\Backup\amd64_microsoft-windows-b..nager-efi.resources_31bf3856ad364e35_6.1.7600.16385_es-es_da98436802c4e6bb.manifest" /accepteula
  2⤵
  PID:2948
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Windows\winsxs\Backup\amd64_microsoft-windows-b..nager-efi.resources_31bf3856ad364e35_6.1.7600.16385_es-es_da98436802c4e6bb_bootmgfw.efi.mui_a6e78cfa" /accepteula
  2⤵
  PID:1520
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Windows\winsxs\Backup\amd64_microsoft-windows-b..nager-efi.resources_31bf3856ad364e35_6.1.7600.16385_es-es_da98436802c4e6bb_bootmgr.efi.mui_be5d0075" /accepteula
  2⤵
  PID:1696
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Windows\winsxs\Backup\amd64_microsoft-windows-b..nager-efi.resources_31bf3856ad364e35_6.1.7600.16385_fi-fi_79b34814f7ded8e5.manifest" /accepteula
  2⤵
  PID:2336
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Windows\winsxs\Backup\amd64_microsoft-windows-b..nager-efi.resources_31bf3856ad364e35_6.1.7600.16385_fi-fi_79b34814f7ded8e5_bootmgfw.efi.mui_a6e78cfa" /accepteula
  2⤵
  PID:1284
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Windows\winsxs\Backup\amd64_microsoft-windows-b..nager-efi.resources_31bf3856ad364e35_6.1.7600.16385_fi-fi_79b34814f7ded8e5_bootmgr.efi.mui_be5d0075" /accepteula
  2⤵
  PID:1692
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Windows\winsxs\Backup\amd64_microsoft-windows-b..nager-efi.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_7d4fb966f596fd1d.manifest" /accepteula
  2⤵
  PID:3012
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Windows\winsxs\Backup\amd64_microsoft-windows-b..nager-efi.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_7d4fb966f596fd1d_bootmgfw.efi.mui_a6e78cfa" /accepteula
  2⤵
  PID:2972
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Windows\winsxs\Backup\amd64_microsoft-windows-b..nager-efi.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_7d4fb966f596fd1d_bootmgr.efi.mui_be5d0075" /accepteula
  2⤵
  PID:620
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Windows\winsxs\Backup\amd64_microsoft-windows-b..nager-efi.resources_31bf3856ad364e35_6.1.7600.16385_hu-hu_c4c039aed9f6cc39.manifest" /accepteula
  2⤵
  PID:1420
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Windows\winsxs\Backup\amd64_microsoft-windows-b..nager-efi.resources_31bf3856ad364e35_6.1.7600.16385_hu-hu_c4c039aed9f6cc39_bootmgfw.efi.mui_a6e78cfa" /accepteula
  2⤵
  PID:2776
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Windows\winsxs\Backup\amd64_microsoft-windows-b..nager-efi.resources_31bf3856ad364e35_6.1.7600.16385_hu-hu_c4c039aed9f6cc39_bootmgr.efi.mui_be5d0075" /accepteula
  2⤵
  PID:3004
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Windows\winsxs\Backup\amd64_microsoft-windows-b..nager-efi.resources_31bf3856ad364e35_6.1.7600.16385_it-it_6777afadccc8e29b.manifest" /accepteula
  2⤵
  PID:2600
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Windows\winsxs\Backup\amd64_microsoft-windows-b..nager-efi.resources_31bf3856ad364e35_6.1.7600.16385_it-it_6777afadccc8e29b_bootmgfw.efi.mui_a6e78cfa" /accepteula
  2⤵
  PID:2496
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Windows\winsxs\Backup\amd64_microsoft-windows-b..nager-efi.resources_31bf3856ad364e35_6.1.7600.16385_it-it_6777afadccc8e29b_bootmgr.efi.mui_be5d0075" /accepteula
  2⤵
  PID:2944
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Windows\winsxs\Backup\amd64_microsoft-windows-b..nager-efi.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_099d2ebabfe3f476.manifest" /accepteula
  2⤵
  PID:2240
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Windows\winsxs\Backup\amd64_microsoft-windows-b..nager-efi.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_099d2ebabfe3f476_bootmgfw.efi.mui_a6e78cfa" /accepteula
  2⤵
  PID:2912
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Windows\winsxs\Backup\amd64_microsoft-windows-b..nager-efi.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_099d2ebabfe3f476_bootmgr.efi.mui_be5d0075" /accepteula
  2⤵
  PID:3036
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Windows\winsxs\Backup\amd64_microsoft-windows-b..nager-efi.resources_31bf3856ad364e35_6.1.7600.16385_ko-kr_ad070b6fb254bb8c.manifest" /accepteula
  2⤵
  PID:780
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Windows\winsxs\Backup\amd64_microsoft-windows-b..nager-efi.resources_31bf3856ad364e35_6.1.7600.16385_ko-kr_ad070b6fb254bb8c_bootmgfw.efi.mui_a6e78cfa" /accepteula
  2⤵
  PID:2232
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Windows\winsxs\Backup\amd64_microsoft-windows-b..nager-efi.resources_31bf3856ad364e35_6.1.7600.16385_ko-kr_ad070b6fb254bb8c_bootmgr.efi.mui_be5d0075" /accepteula
  2⤵
  PID:1700
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Windows\winsxs\Backup\amd64_microsoft-windows-b..nager-efi.resources_31bf3856ad364e35_6.1.7600.16385_nb-no_95998ca48a79e748.manifest" /accepteula
  2⤵
  PID:2840
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Windows\winsxs\Backup\amd64_microsoft-windows-b..nager-efi.resources_31bf3856ad364e35_6.1.7600.16385_nb-no_95998ca48a79e748_bootmgfw.efi.mui_a6e78cfa" /accepteula
  2⤵
  PID:1988
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Windows\winsxs\Backup\amd64_microsoft-windows-b..nager-efi.resources_31bf3856ad364e35_6.1.7600.16385_nb-no_95998ca48a79e748_bootmgr.efi.mui_be5d0075" /accepteula
  2⤵
  PID:2248
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Windows\winsxs\Backup\amd64_microsoft-windows-b..nager-efi.resources_31bf3856ad364e35_6.1.7600.16385_nl-nl_93d8d7e28ba5f11d.manifest" /accepteula
  2⤵
  PID:2720
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Windows\winsxs\Backup\amd64_microsoft-windows-b..nager-efi.resources_31bf3856ad364e35_6.1.7600.16385_nl-nl_93d8d7e28ba5f11d_bootmgfw.efi.mui_a6e78cfa" /accepteula
  2⤵
  PID:2868
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Windows\winsxs\Backup\amd64_microsoft-windows-b..nager-efi.resources_31bf3856ad364e35_6.1.7600.16385_nl-nl_93d8d7e28ba5f11d_bootmgr.efi.mui_be5d0075" /accepteula
  2⤵
  PID:1028
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Windows\winsxs\Backup\amd64_microsoft-windows-b..nager-efi.resources_31bf3856ad364e35_6.1.7600.16385_pl-pl_da15326470c85ed1.manifest" /accepteula
  2⤵
  PID:2412
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Windows\winsxs\Backup\amd64_microsoft-windows-b..nager-efi.resources_31bf3856ad364e35_6.1.7600.16385_pl-pl_da15326470c85ed1_bootmgfw.efi.mui_a6e78cfa" /accepteula
  2⤵
  PID:2732
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Windows\winsxs\Backup\amd64_microsoft-windows-b..nager-efi.resources_31bf3856ad364e35_6.1.7600.16385_pl-pl_da15326470c85ed1_bootmgr.efi.mui_be5d0075" /accepteula
  2⤵
  PID:2764
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Windows\winsxs\Backup\amd64_microsoft-windows-b..nager-efi.resources_31bf3856ad364e35_6.1.7600.16385_pt-br_dc691d086f51f2b5.manifest" /accepteula
  2⤵
  PID:2568
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Windows\winsxs\Backup\amd64_microsoft-windows-b..nager-efi.resources_31bf3856ad364e35_6.1.7600.16385_pt-br_dc691d086f51f2b5_bootmgfw.efi.mui_a6e78cfa" /accepteula
  2⤵
  PID:2608
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Windows\winsxs\Backup\amd64_microsoft-windows-b..nager-efi.resources_31bf3856ad364e35_6.1.7600.16385_pt-br_dc691d086f51f2b5_bootmgr.efi.mui_be5d0075" /accepteula
  2⤵
  PID:2780
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Windows\winsxs\Backup\amd64_microsoft-windows-b..nager-efi.resources_31bf3856ad364e35_6.1.7600.16385_pt-pt_dd4aec746ec16291.manifest" /accepteula
  2⤵
  PID:1960
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Windows\winsxs\Backup\amd64_microsoft-windows-b..nager-efi.resources_31bf3856ad364e35_6.1.7600.16385_pt-pt_dd4aec746ec16291_bootmgfw.efi.mui_a6e78cfa" /accepteula
  2⤵
  PID:2976
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Windows\winsxs\Backup\amd64_microsoft-windows-b..nager-efi.resources_31bf3856ad364e35_6.1.7600.16385_pt-pt_dd4aec746ec16291_bootmgr.efi.mui_be5d0075" /accepteula
  2⤵
  PID:1536
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Windows\winsxs\Backup\amd64_microsoft-windows-b..nager-efi.resources_31bf3856ad364e35_6.1.7600.16385_ru-ru_23edfe3853a2f0bd.manifest" /accepteula
  2⤵
  PID:2348
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Windows\winsxs\Backup\amd64_microsoft-windows-b..nager-efi.resources_31bf3856ad364e35_6.1.7600.16385_ru-ru_23edfe3853a2f0bd_bootmgfw.efi.mui_a6e78cfa" /accepteula
  2⤵
  PID:2392
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Windows\winsxs\Backup\amd64_microsoft-windows-b..nager-efi.resources_31bf3856ad364e35_6.1.7600.16385_ru-ru_23edfe3853a2f0bd_bootmgr.efi.mui_be5d0075" /accepteula
  2⤵
  PID:1956
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Windows\winsxs\Backup\amd64_microsoft-windows-b..nager-efi.resources_31bf3856ad364e35_6.1.7600.16385_sv-se_bfe8e8ad4acbfb18.manifest" /accepteula
  2⤵
  PID:1928
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Windows\winsxs\Backup\amd64_microsoft-windows-b..nager-efi.resources_31bf3856ad364e35_6.1.7600.16385_sv-se_bfe8e8ad4acbfb18_bootmgfw.efi.mui_a6e78cfa" /accepteula
  2⤵
  PID:352
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Windows\winsxs\Backup\amd64_microsoft-windows-b..nager-efi.resources_31bf3856ad364e35_6.1.7600.16385_sv-se_bfe8e8ad4acbfb18_bootmgr.efi.mui_be5d0075" /accepteula
  2⤵
  PID:2124
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Windows\winsxs\Backup\amd64_microsoft-windows-b..nager-efi.resources_31bf3856ad364e35_6.1.7600.16385_tr-tr_68f632f43987fd09.manifest" /accepteula
  2⤵
  PID:2116
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Windows\winsxs\Backup\amd64_microsoft-windows-b..nager-efi.resources_31bf3856ad364e35_6.1.7600.16385_tr-tr_68f632f43987fd09_bootmgfw.efi.mui_a6e78cfa" /accepteula
  2⤵
  PID:2424
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Windows\winsxs\Backup\amd64_microsoft-windows-b..nager-efi.resources_31bf3856ad364e35_6.1.7600.16385_tr-tr_68f632f43987fd09_bootmgr.efi.mui_be5d0075" /accepteula
  2⤵
  PID:852
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Windows\winsxs\Backup\amd64_microsoft-windows-b..nager-efi.resources_31bf3856ad364e35_6.1.7600.16385_zh-cn_3a5350f1e9bfcf28.manifest" /accepteula
  2⤵
  PID:1616
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Windows\winsxs\Backup\amd64_microsoft-windows-b..nager-efi.resources_31bf3856ad364e35_6.1.7600.16385_zh-cn_3a5350f1e9bfcf28_bootmgfw.efi.mui_a6e78cfa" /accepteula
  2⤵
  PID:2352
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Windows\winsxs\Backup\amd64_microsoft-windows-b..nager-efi.resources_31bf3856ad364e35_6.1.7600.16385_zh-cn_3a5350f1e9bfcf28_bootmgr.efi.mui_be5d0075" /accepteula
  2⤵
  PID:2904
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Windows\winsxs\Backup\amd64_microsoft-windows-b..nager-efi.resources_31bf3856ad364e35_6.1.7600.16385_zh-hk_38fe497fea9b41b8.manifest" /accepteula
  2⤵
  PID:1904
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Windows\winsxs\Backup\amd64_microsoft-windows-b..nager-efi.resources_31bf3856ad364e35_6.1.7600.16385_zh-hk_38fe497fea9b41b8_bootmgfw.efi.mui_a6e78cfa" /accepteula
  2⤵
  PID:1552
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Windows\winsxs\Backup\amd64_microsoft-windows-b..nager-efi.resources_31bf3856ad364e35_6.1.7600.16385_zh-hk_38fe497fea9b41b8_bootmgr.efi.mui_be5d0075" /accepteula
  2⤵
  PID:156
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Windows\winsxs\Backup\amd64_microsoft-windows-b..nager-efi.resources_31bf3856ad364e35_6.1.7600.16385_zh-tw_3e4f8e47e730ab98.manifest" /accepteula
  2⤵
  PID:2208
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Windows\winsxs\Backup\amd64_microsoft-windows-b..nager-efi.resources_31bf3856ad364e35_6.1.7600.16385_zh-tw_3e4f8e47e730ab98_bootmgfw.efi.mui_a6e78cfa" /accepteula
  2⤵
  PID:920
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Windows\winsxs\Backup\amd64_microsoft-windows-b..nager-efi.resources_31bf3856ad364e35_6.1.7600.16385_zh-tw_3e4f8e47e730ab98_bootmgr.efi.mui_be5d0075" /accepteula
  2⤵
  PID:2648
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Windows\winsxs\Backup\amd64_microsoft-windows-b..nt-core-bootmanager_31bf3856ad364e35_6.1.7600.16385_none_47c7bd6588bcb9f8.manifest" /accepteula
  2⤵
  PID:2440
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Windows\winsxs\Backup\amd64_microsoft-windows-b..ore-bootmanager-efi_31bf3856ad364e35_6.1.7601.17514_none_e5a6ee46b2ff6559.manifest" /accepteula
  2⤵
  PID:1684
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Windows\winsxs\Backup\amd64_microsoft-windows-b..ore-bootmanager-efi_31bf3856ad364e35_6.1.7601.17514_none_e5a6ee46b2ff6559_bootmgfw.efi_139dd311" /accepteula
  2⤵
  PID:1508
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Windows\winsxs\Backup\amd64_microsoft-windows-b..ore-bootmanager-efi_31bf3856ad364e35_6.1.7601.17514_none_e5a6ee46b2ff6559_bootmgr.efi_da0f14a8" /accepteula
  2⤵
  PID:2744
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Windows\winsxs\Backup\amd64_microsoft-windows-b..os-loader.resources_31bf3856ad364e35_6.1.7600.16385_de-de_299cd5b40ed6d155.manifest" /accepteula
  2⤵
  PID:2236
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Windows\winsxs\Backup\amd64_microsoft-windows-b..os-loader.resources_31bf3856ad364e35_6.1.7600.16385_de-de_299cd5b40ed6d155_winload.efi.mui_35ee487d" /accepteula
  2⤵
  PID:2136
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Windows\winsxs\Backup\amd64_microsoft-windows-b..os-loader.resources_31bf3856ad364e35_6.1.7600.16385_de-de_299cd5b40ed6d155_winload.exe.mui_3bc5b827" /accepteula
  2⤵
  PID:2628
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Windows\winsxs\Backup\amd64_microsoft-windows-b..os-loader.resources_31bf3856ad364e35_6.1.7600.16385_de-de_299cd5b40ed6d155_winresume.efi.mui_f412814e" /accepteula
  2⤵
  PID:820
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Windows\winsxs\Backup\amd64_microsoft-windows-b..os-loader.resources_31bf3856ad364e35_6.1.7600.16385_de-de_299cd5b40ed6d155_winresume.exe.mui_ff8b5358" /accepteula
  2⤵
  PID:908
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Windows\winsxs\Backup\amd64_microsoft-windows-b..os-loader.resources_31bf3856ad364e35_6.1.7600.16385_en-us_d28dabacfdb4dd1a.manifest" /accepteula
  2⤵
  PID:2592
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Windows\winsxs\Backup\amd64_microsoft-windows-b..os-loader.resources_31bf3856ad364e35_6.1.7600.16385_en-us_d28dabacfdb4dd1a_winload.efi.mui_35ee487d" /accepteula
  2⤵
  PID:3016
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Windows\winsxs\Backup\amd64_microsoft-windows-b..os-loader.resources_31bf3856ad364e35_6.1.7600.16385_en-us_d28dabacfdb4dd1a_winload.exe.mui_3bc5b827" /accepteula
  2⤵
  PID:2404
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Windows\winsxs\Backup\amd64_microsoft-windows-b..os-loader.resources_31bf3856ad364e35_6.1.7600.16385_en-us_d28dabacfdb4dd1a_winresume.efi.mui_f412814e" /accepteula
  2⤵
  PID:2984
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Windows\winsxs\Backup\amd64_microsoft-windows-b..os-loader.resources_31bf3856ad364e35_6.1.7600.16385_en-us_d28dabacfdb4dd1a_winresume.exe.mui_ff8b5358" /accepteula
  2⤵
  PID:1800
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Windows\winsxs\Backup\amd64_microsoft-windows-b..os-loader.resources_31bf3856ad364e35_6.1.7600.16385_es-es_d2590890fddbcebf.manifest" /accepteula
  2⤵
  PID:2700
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Windows\winsxs\Backup\amd64_microsoft-windows-b..os-loader.resources_31bf3856ad364e35_6.1.7600.16385_es-es_d2590890fddbcebf_winload.efi.mui_35ee487d" /accepteula
  2⤵
  PID:2460
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Windows\winsxs\Backup\amd64_microsoft-windows-b..os-loader.resources_31bf3856ad364e35_6.1.7600.16385_es-es_d2590890fddbcebf_winload.exe.mui_3bc5b827" /accepteula
  2⤵
  PID:2884
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Windows\winsxs\Backup\amd64_microsoft-windows-b..os-loader.resources_31bf3856ad364e35_6.1.7600.16385_es-es_d2590890fddbcebf_winresume.efi.mui_f412814e" /accepteula
  2⤵
  PID:2300
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Windows\winsxs\Backup\amd64_microsoft-windows-b..os-loader.resources_31bf3856ad364e35_6.1.7600.16385_es-es_d2590890fddbcebf_winresume.exe.mui_ff8b5358" /accepteula
  2⤵
  PID:704
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Windows\winsxs\Backup\amd64_microsoft-windows-b..os-loader.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_75107e8ff0ade521.manifest" /accepteula
  2⤵
  PID:1572
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Windows\winsxs\Backup\amd64_microsoft-windows-b..os-loader.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_75107e8ff0ade521_winload.efi.mui_35ee487d" /accepteula
  2⤵
  PID:2920
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Windows\winsxs\Backup\amd64_microsoft-windows-b..os-loader.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_75107e8ff0ade521_winload.exe.mui_3bc5b827" /accepteula
  2⤵
  PID:1912
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Windows\winsxs\Backup\amd64_microsoft-windows-b..os-loader.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_75107e8ff0ade521_winresume.efi.mui_f412814e" /accepteula
  2⤵
  PID:2836
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Windows\winsxs\Backup\amd64_microsoft-windows-b..os-loader.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_75107e8ff0ade521_winresume.exe.mui_ff8b5358" /accepteula
  2⤵
  PID:1672
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Windows\winsxs\Backup\amd64_microsoft-windows-b..os-loader.resources_31bf3856ad364e35_6.1.7600.16385_it-it_5f3874d6c7dfca9f.manifest" /accepteula
  2⤵
  PID:2164
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Windows\winsxs\Backup\amd64_microsoft-windows-b..os-loader.resources_31bf3856ad364e35_6.1.7600.16385_it-it_5f3874d6c7dfca9f_winload.efi.mui_35ee487d" /accepteula
  2⤵
  PID:1516
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Windows\winsxs\Backup\amd64_microsoft-windows-b..os-loader.resources_31bf3856ad364e35_6.1.7600.16385_it-it_5f3874d6c7dfca9f_winload.exe.mui_3bc5b827" /accepteula
  2⤵
  PID:2664
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Windows\winsxs\Backup\amd64_microsoft-windows-b..os-loader.resources_31bf3856ad364e35_6.1.7600.16385_it-it_5f3874d6c7dfca9f_winresume.efi.mui_f412814e" /accepteula
  2⤵
  PID:2616
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Windows\winsxs\Backup\amd64_microsoft-windows-b..os-loader.resources_31bf3856ad364e35_6.1.7600.16385_it-it_5f3874d6c7dfca9f_winresume.exe.mui_ff8b5358" /accepteula
  2⤵
  PID:700
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Windows\winsxs\Backup\amd64_microsoft-windows-b..os-loader.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_015df3e3bafadc7a.manifest" /accepteula
  2⤵
  PID:1080
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Windows\winsxs\Backup\amd64_microsoft-windows-b..os-loader.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_015df3e3bafadc7a_winload.efi.mui_35ee487d" /accepteula
  2⤵
  PID:932
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Windows\winsxs\Backup\amd64_microsoft-windows-b..os-loader.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_015df3e3bafadc7a_winload.exe.mui_3bc5b827" /accepteula
  2⤵
  PID:1488
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Windows\winsxs\Backup\amd64_microsoft-windows-b..os-loader.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_015df3e3bafadc7a_winresume.efi.mui_f412814e" /accepteula
  2⤵
  PID:1984
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Windows\winsxs\Backup\amd64_microsoft-windows-b..os-loader.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_015df3e3bafadc7a_winresume.exe.mui_ff8b5358" /accepteula
  2⤵
  PID:2268
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Windows\winsxs\Backup\amd64_microsoft-windows-b..re-memorydiagnostic_31bf3856ad364e35_6.1.7601.17514_none_365b53d91b3ce4ff.manifest" /accepteula
  2⤵
  PID:1992
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Windows\winsxs\Backup\amd64_microsoft-windows-b..re-memorydiagnostic_31bf3856ad364e35_6.1.7601.17514_none_365b53d91b3ce4ff_memtest.efi_01d7fdbb" /accepteula
  2⤵
  PID:1480
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Windows\winsxs\Backup\amd64_microsoft-windows-b..t-windows.resources_31bf3856ad364e35_6.1.7600.16385_de-de_cf8114625afc4538.manifest" /accepteula
  2⤵
  PID:2276
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Windows\winsxs\Backup\amd64_microsoft-windows-b..t-windows.resources_31bf3856ad364e35_6.1.7600.16385_de-de_cf8114625afc4538_winload.efi.mui_35ee487d" /accepteula
  2⤵
  PID:1544
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Windows\winsxs\Backup\amd64_microsoft-windows-b..t-windows.resources_31bf3856ad364e35_6.1.7600.16385_de-de_cf8114625afc4538_winload.exe.mui_3bc5b827" /accepteula
  2⤵
  PID:2676
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Windows\winsxs\Backup\amd64_microsoft-windows-b..t-windows.resources_31bf3856ad364e35_6.1.7600.16385_de-de_cf8114625afc4538_winresume.efi.mui_f412814e" /accepteula
  2⤵
  PID:2640
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Windows\winsxs\Backup\amd64_microsoft-windows-b..t-windows.resources_31bf3856ad364e35_6.1.7600.16385_de-de_cf8114625afc4538_winresume.exe.mui_ff8b5358" /accepteula
  2⤵
  PID:2652
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Windows\winsxs\Backup\amd64_microsoft-windows-b..t-windows.resources_31bf3856ad364e35_6.1.7600.16385_en-us_7871ea5b49da50fd.manifest" /accepteula
  2⤵
  PID:2464
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Windows\winsxs\Backup\amd64_microsoft-windows-b..t-windows.resources_31bf3856ad364e35_6.1.7600.16385_en-us_7871ea5b49da50fd_winload.efi.mui_35ee487d" /accepteula
  2⤵
  PID:1712
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Windows\winsxs\Backup\amd64_microsoft-windows-b..t-windows.resources_31bf3856ad364e35_6.1.7600.16385_en-us_7871ea5b49da50fd_winload.exe.mui_3bc5b827" /accepteula
  2⤵
  PID:2748
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Windows\winsxs\Backup\amd64_microsoft-windows-b..t-windows.resources_31bf3856ad364e35_6.1.7600.16385_en-us_7871ea5b49da50fd_winresume.efi.mui_f412814e" /accepteula
  2⤵
  PID:1980
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Windows\winsxs\Backup\amd64_microsoft-windows-b..t-windows.resources_31bf3856ad364e35_6.1.7600.16385_en-us_7871ea5b49da50fd_winresume.exe.mui_ff8b5358" /accepteula
  2⤵
  PID:2620
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Windows\winsxs\Backup\amd64_microsoft-windows-b..t-windows.resources_31bf3856ad364e35_6.1.7600.16385_es-es_783d473f4a0142a2.manifest" /accepteula
  2⤵
  PID:2680
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Windows\winsxs\Backup\amd64_microsoft-windows-b..t-windows.resources_31bf3856ad364e35_6.1.7600.16385_es-es_783d473f4a0142a2_winload.efi.mui_35ee487d" /accepteula
  2⤵
  PID:1396
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Windows\winsxs\Backup\amd64_microsoft-windows-b..t-windows.resources_31bf3856ad364e35_6.1.7600.16385_es-es_783d473f4a0142a2_winload.exe.mui_3bc5b827" /accepteula
  2⤵
  PID:1720
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Windows\winsxs\Backup\amd64_microsoft-windows-b..t-windows.resources_31bf3856ad364e35_6.1.7600.16385_es-es_783d473f4a0142a2_winresume.efi.mui_f412814e" /accepteula
  2⤵
  PID:2228
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Windows\winsxs\Backup\amd64_microsoft-windows-b..t-windows.resources_31bf3856ad364e35_6.1.7600.16385_es-es_783d473f4a0142a2_winresume.exe.mui_ff8b5358" /accepteula
  2⤵
  PID:2212
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Windows\winsxs\Backup\amd64_microsoft-windows-b..t-windows.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_1af4bd3e3cd35904.manifest" /accepteula
  2⤵
  PID:1288
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Windows\winsxs\Backup\amd64_microsoft-windows-b..t-windows.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_1af4bd3e3cd35904_winload.efi.mui_35ee487d" /accepteula
  2⤵
  PID:2752
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Windows\winsxs\Backup\amd64_microsoft-windows-b..t-windows.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_1af4bd3e3cd35904_winload.exe.mui_3bc5b827" /accepteula
  2⤵
  PID:2384
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Windows\winsxs\Backup\amd64_microsoft-windows-b..t-windows.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_1af4bd3e3cd35904_winresume.efi.mui_f412814e" /accepteula
  2⤵
  PID:1156
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Windows\winsxs\Backup\amd64_microsoft-windows-b..t-windows.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_1af4bd3e3cd35904_winresume.exe.mui_ff8b5358" /accepteula
  2⤵
  PID:2980
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Windows\winsxs\Backup\amd64_microsoft-windows-b..t-windows.resources_31bf3856ad364e35_6.1.7600.16385_it-it_051cb38514053e82.manifest" /accepteula
  2⤵
  PID:2928
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Windows\winsxs\Backup\amd64_microsoft-windows-b..t-windows.resources_31bf3856ad364e35_6.1.7600.16385_it-it_051cb38514053e82_winload.efi.mui_35ee487d" /accepteula
  2⤵
  PID:2492
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Windows\winsxs\Backup\amd64_microsoft-windows-b..t-windows.resources_31bf3856ad364e35_6.1.7600.16385_it-it_051cb38514053e82_winload.exe.mui_3bc5b827" /accepteula
  2⤵
  PID:1340
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Windows\winsxs\Backup\amd64_microsoft-windows-b..t-windows.resources_31bf3856ad364e35_6.1.7600.16385_it-it_051cb38514053e82_winresume.efi.mui_f412814e" /accepteula
  2⤵
  PID:964
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Windows\winsxs\Backup\amd64_microsoft-windows-b..t-windows.resources_31bf3856ad364e35_6.1.7600.16385_it-it_051cb38514053e82_winresume.exe.mui_ff8b5358" /accepteula
  2⤵
  PID:1524
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Windows\winsxs\Backup\amd64_microsoft-windows-b..t-windows.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_a74232920720505d.manifest" /accepteula
  2⤵
  PID:1908
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Windows\winsxs\Backup\amd64_microsoft-windows-b..t-windows.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_a74232920720505d_winload.efi.mui_35ee487d" /accepteula
  2⤵
  PID:680
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Windows\winsxs\Backup\amd64_microsoft-windows-b..t-windows.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_a74232920720505d_winload.exe.mui_3bc5b827" /accepteula
  2⤵
  PID:2828
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Windows\winsxs\Backup\amd64_microsoft-windows-b..t-windows.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_a74232920720505d_winresume.efi.mui_f412814e" /accepteula
  2⤵
  PID:2760
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Windows\winsxs\Backup\amd64_microsoft-windows-b..t-windows.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_a74232920720505d_winresume.exe.mui_ff8b5358" /accepteula
  2⤵
  PID:2860
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Windows\winsxs\Backup\amd64_microsoft-windows-b..vironment-os-loader_31bf3856ad364e35_6.1.7601.17514_none_b94cbfa183466a89.manifest" /accepteula
  2⤵
  PID:1328
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Windows\winsxs\Backup\amd64_microsoft-windows-b..vironment-os-loader_31bf3856ad364e35_6.1.7601.17514_none_b94cbfa183466a89_winload.efi_75834aa0" /accepteula
  2⤵
  PID:1264
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Windows\winsxs\Backup\amd64_microsoft-windows-b..vironment-os-loader_31bf3856ad364e35_6.1.7601.17514_none_b94cbfa183466a89_winload.exe_75835076" /accepteula
  2⤵
  PID:2112
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Windows\winsxs\Backup\amd64_microsoft-windows-b..vironment-os-loader_31bf3856ad364e35_6.1.7601.17514_none_b94cbfa183466a89_winresume.efi_85cd069f" /accepteula
  2⤵
  PID:2688
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Windows\winsxs\Backup\amd64_microsoft-windows-b..vironment-os-loader_31bf3856ad364e35_6.1.7601.17514_none_b94cbfa183466a89_winresume.exe_85cd1215" /accepteula
  2⤵
  PID:2104
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Windows\winsxs\Backup\amd64_microsoft-windows-basedependencies_31bf3856ad364e35_6.1.7600.16385_none_5e96e36b42806ee7.manifest" /accepteula
  2⤵
  PID:2864
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Windows\winsxs\Backup\amd64_microsoft-windows-basedependencies_31bf3856ad364e35_6.1.7600.16385_none_5e96e36b42806ee7_psapi.dll_e8b5b4d1" /accepteula
  2⤵
  PID:408
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Windows\winsxs\Backup\amd64_microsoft-windows-basesrv_31bf3856ad364e35_6.1.7600.16385_none_68bfdc7cfd6bd477.manifest" /accepteula
  2⤵
  PID:2852
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Windows\winsxs\Backup\amd64_microsoft-windows-basesrv_31bf3856ad364e35_6.1.7600.16385_none_68bfdc7cfd6bd477_basesrv.dll_8c1ad808" /accepteula
  2⤵
  PID:1268
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Windows\winsxs\Backup\amd64_microsoft-windows-basic-misc-tools_31bf3856ad364e35_6.1.7600.16385_none_7351a917d91c961e.manifest" /accepteula
  2⤵
  PID:2788
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Windows\winsxs\Backup\amd64_microsoft-windows-basic-misc-tools_31bf3856ad364e35_6.1.7600.16385_none_7351a917d91c961e_expand.exe_f43b24c8" /accepteula
  2⤵
  PID:2948
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Windows\winsxs\Backup\amd64_microsoft-windows-basic-misc-tools_31bf3856ad364e35_6.1.7600.16385_none_7351a917d91c961e_netmsg.dll_52337068" /accepteula
  2⤵
  PID:912
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Windows\winsxs\Backup\amd64_microsoft-windows-bcrypt-dll_31bf3856ad364e35_6.1.7600.16385_none_4a8185140916af36.manifest" /accepteula
  2⤵
  PID:1696
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Windows\winsxs\Backup\amd64_microsoft-windows-bcrypt-dll_31bf3856ad364e35_6.1.7600.16385_none_4a8185140916af36_bcrypt.dll_e2f091ac" /accepteula
  2⤵
  PID:2812
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Windows\winsxs\Backup\amd64_microsoft-windows-bcrypt-primitives-dll_31bf3856ad364e35_6.1.7601.17514_none_70577ed42da9d71d.manifest" /accepteula
  2⤵
  PID:1284
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Windows\winsxs\Backup\amd64_microsoft-windows-bcrypt-primitives-dll_31bf3856ad364e35_6.1.7601.17514_none_70577ed42da9d71d_bcryptprimitives.dll_5dcb347c" /accepteula
  2⤵
  PID:2624
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Windows\winsxs\Backup\amd64_microsoft-windows-bootvid_31bf3856ad364e35_6.1.7600.16385_none_946e6d209fe56342.manifest" /accepteula
  2⤵
  PID:3012
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Windows\winsxs\Backup\amd64_microsoft-windows-bootvid_31bf3856ad364e35_6.1.7600.16385_none_946e6d209fe56342_bootvid.dll_c188118d" /accepteula
  2⤵
  PID:2480
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Windows\winsxs\Backup\amd64_microsoft-windows-branding-engine_31bf3856ad364e35_6.1.7600.16385_none_455eca447f151391.manifest" /accepteula
  2⤵
  PID:620
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Windows\winsxs\Backup\amd64_microsoft-windows-branding-engine_31bf3856ad364e35_6.1.7600.16385_none_455eca447f151391_winbrand.dll_9cd6a3cf" /accepteula
  2⤵
  PID:448
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Windows\winsxs\Backup\amd64_microsoft-windows-browseui_31bf3856ad364e35_6.1.7601.17514_none_8f08e721fcf5575d.manifest" /accepteula
  2⤵
  PID:2552
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Windows\winsxs\Backup\amd64_microsoft-windows-browseui_31bf3856ad364e35_6.1.7601.17514_none_8f08e721fcf5575d_browseui.dll_7a6f3790" /accepteula
  2⤵
  PID:840
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Windows\winsxs\Backup\amd64_microsoft-windows-c..ermodepnp.resources_31bf3856ad364e35_6.1.7600.16385_de-de_9e8c88ba3cdfd040.manifest" /accepteula
  2⤵
  PID:1844
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Windows\winsxs\Backup\amd64_microsoft-windows-c..ermodepnp.resources_31bf3856ad364e35_6.1.7600.16385_de-de_9e8c88ba3cdfd040_drvinst.exe.mui_e88f4c73" /accepteula
  2⤵
  PID:2604
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Windows\winsxs\Backup\amd64_microsoft-windows-c..ermodepnp.resources_31bf3856ad364e35_6.1.7600.16385_de-de_9e8c88ba3cdfd040_umpnpmgr.dll.mui_d66aed17" /accepteula
  2⤵
  PID:2944
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Windows\winsxs\Backup\amd64_microsoft-windows-c..ermodepnp.resources_31bf3856ad364e35_6.1.7600.16385_en-us_477d5eb32bbddc05.manifest" /accepteula
  2⤵
  PID:2240
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Windows\winsxs\Backup\amd64_microsoft-windows-c..ermodepnp.resources_31bf3856ad364e35_6.1.7600.16385_en-us_477d5eb32bbddc05_drvinst.exe.mui_e88f4c73" /accepteula
  2⤵
  PID:2912
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Windows\winsxs\Backup\amd64_microsoft-windows-c..ermodepnp.resources_31bf3856ad364e35_6.1.7600.16385_en-us_477d5eb32bbddc05_umpnpmgr.dll.mui_d66aed17" /accepteula
  2⤵
  PID:2476
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Windows\winsxs\Backup\amd64_microsoft-windows-c..ermodepnp.resources_31bf3856ad364e35_6.1.7600.16385_es-es_4748bb972be4cdaa.manifest" /accepteula
  2⤵
  PID:780
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Windows\winsxs\Backup\amd64_microsoft-windows-c..ermodepnp.resources_31bf3856ad364e35_6.1.7600.16385_es-es_4748bb972be4cdaa_drvinst.exe.mui_e88f4c73" /accepteula
  2⤵
  PID:2232
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Windows\winsxs\Backup\amd64_microsoft-windows-c..ermodepnp.resources_31bf3856ad364e35_6.1.7600.16385_es-es_4748bb972be4cdaa_umpnpmgr.dll.mui_d66aed17" /accepteula
  2⤵
  PID:1700
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Windows\winsxs\Backup\amd64_microsoft-windows-c..ermodepnp.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_ea0031961eb6e40c.manifest" /accepteula
  2⤵
  PID:2840
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Windows\winsxs\Backup\amd64_microsoft-windows-c..ermodepnp.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_ea0031961eb6e40c_drvinst.exe.mui_e88f4c73" /accepteula
  2⤵
  PID:1860
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Windows\winsxs\Backup\amd64_microsoft-windows-c..ermodepnp.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_ea0031961eb6e40c_umpnpmgr.dll.mui_d66aed17" /accepteula
  2⤵
  PID:2248
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Windows\winsxs\Backup\amd64_microsoft-windows-c..ermodepnp.resources_31bf3856ad364e35_6.1.7600.16385_it-it_d42827dcf5e8c98a.manifest" /accepteula
  2⤵
  PID:1160
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Windows\winsxs\Backup\amd64_microsoft-windows-c..ermodepnp.resources_31bf3856ad364e35_6.1.7600.16385_it-it_d42827dcf5e8c98a_drvinst.exe.mui_e88f4c73" /accepteula
  2⤵
  PID:2868
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Windows\winsxs\Backup\amd64_microsoft-windows-c..ermodepnp.resources_31bf3856ad364e35_6.1.7600.16385_it-it_d42827dcf5e8c98a_umpnpmgr.dll.mui_d66aed17" /accepteula
  2⤵
  PID:1540
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Windows\winsxs\Backup\amd64_microsoft-windows-c..ermodepnp.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_764da6e9e903db65.manifest" /accepteula
  2⤵
  PID:2556
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Windows\winsxs\Backup\amd64_microsoft-windows-c..ermodepnp.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_764da6e9e903db65_drvinst.exe.mui_e88f4c73" /accepteula
  2⤵
  PID:2764
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Windows\winsxs\Backup\amd64_microsoft-windows-c..ermodepnp.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_764da6e9e903db65_umpnpmgr.dll.mui_d66aed17" /accepteula
  2⤵
  PID:1060
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Windows\winsxs\Backup\amd64_microsoft-windows-c..graphy-cryptoconfig_31bf3856ad364e35_6.1.7600.16385_none_02465417b61ba76d.manifest" /accepteula
  2⤵
  PID:2568
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Windows\winsxs\Backup\amd64_microsoft-windows-c..integrity.resources_31bf3856ad364e35_6.1.7600.16385_de-de_ac389c4f782d818f.manifest" /accepteula
  2⤵
  PID:2560
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Windows\winsxs\Backup\amd64_microsoft-windows-c..integrity.resources_31bf3856ad364e35_6.1.7600.16385_de-de_ac389c4f782d818f_ci.dll.mui_76757f43" /accepteula
  2⤵
  PID:3024
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Windows\winsxs\Backup\amd64_microsoft-windows-c..integrity.resources_31bf3856ad364e35_6.1.7600.16385_en-us_55297248670b8d54.manifest" /accepteula
  2⤵
  PID:1784
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Windows\winsxs\Backup\amd64_microsoft-windows-c..integrity.resources_31bf3856ad364e35_6.1.7600.16385_en-us_55297248670b8d54_ci.dll.mui_76757f43" /accepteula
  2⤵
  PID:1536
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Windows\winsxs\Backup\amd64_microsoft-windows-c..integrity.resources_31bf3856ad364e35_6.1.7600.16385_es-es_54f4cf2c67327ef9.manifest" /accepteula
  2⤵
  PID:684
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Windows\winsxs\Backup\amd64_microsoft-windows-c..integrity.resources_31bf3856ad364e35_6.1.7600.16385_es-es_54f4cf2c67327ef9_ci.dll.mui_76757f43" /accepteula
  2⤵
  PID:2392
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Windows\winsxs\Backup\amd64_microsoft-windows-c..integrity.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_f7ac452b5a04955b.manifest" /accepteula
  2⤵
  PID:2816
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Windows\winsxs\Backup\amd64_microsoft-windows-c..integrity.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_f7ac452b5a04955b_ci.dll.mui_76757f43" /accepteula
  2⤵
  - Modifies data under HKEY_USERS
  PID:1956
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Windows\winsxs\Backup\amd64_microsoft-windows-c..integrity.resources_31bf3856ad364e35_6.1.7600.16385_it-it_e1d43b7231367ad9.manifest" /accepteula
  2⤵
  PID:2988
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Windows\winsxs\Backup\amd64_microsoft-windows-c..integrity.resources_31bf3856ad364e35_6.1.7600.16385_it-it_e1d43b7231367ad9_ci.dll.mui_76757f43" /accepteula
  2⤵
  PID:2580
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Windows\winsxs\Backup\amd64_microsoft-windows-c..integrity.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_83f9ba7f24518cb4.manifest" /accepteula
  2⤵
  PID:2124
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Windows\winsxs\Backup\amd64_microsoft-windows-c..integrity.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_83f9ba7f24518cb4_ci.dll.mui_76757f43" /accepteula
  2⤵
  PID:2116
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Windows\winsxs\Backup\amd64_microsoft-windows-c..ityclient.resources_31bf3856ad364e35_6.1.7600.16385_de-de_17c37298caa7b415.manifest" /accepteula
  2⤵
  PID:2452
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Windows\winsxs\Backup\amd64_microsoft-windows-c..ityclient.resources_31bf3856ad364e35_6.1.7600.16385_de-de_17c37298caa7b415_certcli.dll.mui_1b6822cf" /accepteula
  2⤵
  PID:852
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Windows\winsxs\Backup\amd64_microsoft-windows-c..ityclient.resources_31bf3856ad364e35_6.1.7600.16385_en-us_c0b44891b985bfda.manifest" /accepteula
  2⤵
  PID:1616
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Windows\winsxs\Backup\amd64_microsoft-windows-c..ityclient.resources_31bf3856ad364e35_6.1.7600.16385_en-us_c0b44891b985bfda_certcli.dll.mui_1b6822cf" /accepteula
  2⤵
  PID:2352
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Windows\winsxs\Backup\amd64_microsoft-windows-c..ityclient.resources_31bf3856ad364e35_6.1.7600.16385_es-es_c07fa575b9acb17f.manifest" /accepteula
  2⤵
  PID:1740
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Windows\winsxs\Backup\amd64_microsoft-windows-c..ityclient.resources_31bf3856ad364e35_6.1.7600.16385_es-es_c07fa575b9acb17f_certcli.dll.mui_1b6822cf" /accepteula
  2⤵
  PID:1904
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Windows\winsxs\Backup\amd64_microsoft-windows-c..ityclient.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_63371b74ac7ec7e1.manifest" /accepteula
  2⤵
  PID:2444
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Windows\winsxs\Backup\amd64_microsoft-windows-c..ityclient.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_63371b74ac7ec7e1_certcli.dll.mui_1b6822cf" /accepteula
  2⤵
  PID:2708
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Windows\winsxs\Backup\amd64_microsoft-windows-c..ityclient.resources_31bf3856ad364e35_6.1.7600.16385_it-it_4d5f11bb83b0ad5f.manifest" /accepteula
  2⤵
  PID:184
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Windows\winsxs\Backup\amd64_microsoft-windows-c..ityclient.resources_31bf3856ad364e35_6.1.7600.16385_it-it_4d5f11bb83b0ad5f_certcli.dll.mui_1b6822cf" /accepteula
  2⤵
  PID:2648
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Windows\winsxs\Backup\amd64_microsoft-windows-c..ityclient.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_ef8490c876cbbf3a.manifest" /accepteula
  2⤵
  PID:2216
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Windows\winsxs\Backup\amd64_microsoft-windows-c..ityclient.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_ef8490c876cbbf3a_certcli.dll.mui_1b6822cf" /accepteula
  2⤵
  PID:2448
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Windows\winsxs\Backup\amd64_microsoft-windows-c..tionauthorityclient_31bf3856ad364e35_6.1.7601.17514_none_35a3baeb53471267.manifest" /accepteula
  2⤵
  PID:1852
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Windows\winsxs\Backup\amd64_microsoft-windows-c..tionauthorityclient_31bf3856ad364e35_6.1.7601.17514_none_35a3baeb53471267_certcli.dll_f553bbce" /accepteula
  2⤵
  PID:920
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Windows\winsxs\Backup\amd64_microsoft-windows-c..vider-dll.resources_31bf3856ad364e35_6.1.7600.16385_de-de_5deef3a761f839a1.manifest" /accepteula
  2⤵
  PID:1856
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Windows\winsxs\Backup\amd64_microsoft-windows-c..vider-dll.resources_31bf3856ad364e35_6.1.7600.16385_de-de_5deef3a761f839a1_certcredprovider.dll.mui_b5ad161e" /accepteula
  2⤵
  PID:2440
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Windows\winsxs\Backup\amd64_microsoft-windows-c..vider-dll.resources_31bf3856ad364e35_6.1.7600.16385_en-us_06dfc9a050d64566.manifest" /accepteula
  2⤵
  PID:2628
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Windows\winsxs\Backup\amd64_microsoft-windows-c..vider-dll.resources_31bf3856ad364e35_6.1.7600.16385_en-us_06dfc9a050d64566_certcredprovider.dll.mui_b5ad161e" /accepteula
  2⤵
  PID:1944
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Windows\winsxs\Backup\amd64_microsoft-windows-c..vider-dll.resources_31bf3856ad364e35_6.1.7600.16385_es-es_06ab268450fd370b.manifest" /accepteula
  2⤵
  PID:908
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Windows\winsxs\Backup\amd64_microsoft-windows-c..vider-dll.resources_31bf3856ad364e35_6.1.7600.16385_es-es_06ab268450fd370b_certcredprovider.dll.mui_b5ad161e" /accepteula
  2⤵
  PID:2592
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Windows\winsxs\Backup\amd64_microsoft-windows-c..vider-dll.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_a9629c8343cf4d6d.manifest" /accepteula
  2⤵
  PID:3016
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Windows\winsxs\Backup\amd64_microsoft-windows-c..vider-dll.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_a9629c8343cf4d6d_certcredprovider.dll.mui_b5ad161e" /accepteula
  2⤵
  PID:2404
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Windows\winsxs\Backup\amd64_microsoft-windows-c..vider-dll.resources_31bf3856ad364e35_6.1.7600.16385_it-it_938a92ca1b0132eb.manifest" /accepteula
  2⤵
  PID:2984
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Windows\winsxs\Backup\amd64_microsoft-windows-c..vider-dll.resources_31bf3856ad364e35_6.1.7600.16385_it-it_938a92ca1b0132eb_certcredprovider.dll.mui_b5ad161e" /accepteula
  2⤵
  PID:2792
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Windows\winsxs\Backup\amd64_microsoft-windows-c..vider-dll.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_35b011d70e1c44c6.manifest" /accepteula
  2⤵
  PID:1576
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Windows\winsxs\Backup\amd64_microsoft-windows-c..vider-dll.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_35b011d70e1c44c6_certcredprovider.dll.mui_b5ad161e" /accepteula
  2⤵
  PID:2460
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Windows\winsxs\Backup\amd64_microsoft-windows-cabinet_31bf3856ad364e35_6.1.7601.17514_none_9565568bf88b3e87.manifest" /accepteula
  2⤵
  PID:2884
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Windows\winsxs\Backup\amd64_microsoft-windows-cabinet_31bf3856ad364e35_6.1.7601.17514_none_9565568bf88b3e87_cabinet.dll_7ab07912" /accepteula
  2⤵
  PID:2388
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Windows\winsxs\Backup\amd64_microsoft-windows-capi2_31bf3856ad364e35_6.1.7600.16385_none_b4226da0fe405812.manifest" /accepteula
  2⤵
  PID:704
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Windows\winsxs\Backup\amd64_microsoft-windows-cdfs_31bf3856ad364e35_6.1.7600.16385_none_025c84b636a4ef6d.manifest" /accepteula
  2⤵
  PID:1572
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Windows\winsxs\Backup\amd64_microsoft-windows-cdfs_31bf3856ad364e35_6.1.7600.16385_none_025c84b636a4ef6d_cdfs.sys_02574081" /accepteula
  2⤵
  PID:2920
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Windows\winsxs\Backup\amd64_microsoft-windows-cmi_31bf3856ad364e35_6.1.7601.17514_none_07f44fb7712a68da.manifest" /accepteula
  2⤵
  PID:1104
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Windows\winsxs\Backup\amd64_microsoft-windows-cmi_31bf3856ad364e35_6.1.7601.17514_none_07f44fb7712a68da_cmisetup.dll_91548db0" /accepteula
  2⤵
  PID:2836
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Windows\winsxs\Backup\amd64_microsoft-windows-cmi_31bf3856ad364e35_6.1.7601.17514_none_07f44fb7712a68da_cmiv2.dll_be06aa9f" /accepteula
  2⤵
  PID:1672
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Windows\winsxs\Backup\amd64_microsoft-windows-cngaudit-dll_31bf3856ad364e35_6.1.7600.16385_none_4458dccc49458461.manifest" /accepteula
  2⤵
  PID:2164
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Windows\winsxs\Backup\amd64_microsoft-windows-cngaudit-dll_31bf3856ad364e35_6.1.7600.16385_none_4458dccc49458461_cngaudit.dll_86fb1bb1" /accepteula
  2⤵
  PID:2500
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Windows\winsxs\Backup\amd64_microsoft-windows-codeintegrity_31bf3856ad364e35_6.1.7601.17514_none_fe9df6ad1b5f6e87.manifest" /accepteula
  2⤵
  PID:2508
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Windows\winsxs\Backup\amd64_microsoft-windows-codeintegrity_31bf3856ad364e35_6.1.7601.17514_none_fe9df6ad1b5f6e87_ci.dll_070fb998" /accepteula
  2⤵
  PID:336
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Windows\winsxs\Backup\amd64_microsoft-windows-codeintegrity_31bf3856ad364e35_6.1.7601.17514_none_fe9df6ad1b5f6e87_driver.stl_8a4e6441" /accepteula
  2⤵
  PID:2040
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Windows\winsxs\Backup\amd64_microsoft-windows-com-base-qfe-ole32_31bf3856ad364e35_6.1.7601.17514_none_0a43accb08f0eac5.manifest" /accepteula
  2⤵
  PID:1080
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Windows\winsxs\Backup\amd64_microsoft-windows-com-base-qfe-ole32_31bf3856ad364e35_6.1.7601.17514_none_0a43accb08f0eac5_ole32.dll_e9dcc2e3" /accepteula
  2⤵
  PID:932
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Windows\winsxs\Backup\amd64_microsoft-windows-com-base-qfe-rpcss_31bf3856ad364e35_6.1.7601.17514_none_c7f0e16b547f887d.manifest" /accepteula
  2⤵
  PID:1384

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Pre-OS Boot

T1542

Bootkit

T1542.003

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Pre-OS Boot

T1542

Bootkit

T1542.003

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-116352YYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYY.YYY

Filesize
129B

MD5
9ea667a3f77752a0ac08470847be940c

SHA1
9ea63f4376c5acd49d1843feae3b2ccfee15104f

SHA256
15b70bcf752d7178709f4ecd3d05c6e2e9c89e9e4e40d236ff9d5c9c75837bc8

SHA512
28702bbbc69f8035ac698acd16cae2eba4c711761e2babb06ef8709dc6b5b2ef2ab6d27068f14a5bb357c5aa1edcb931ac06c330b33943b3dfa05df0e931e20b

Download Submit
C:\PrograDDDDDDDDDDDDDDDDDDDDDD.DDDD

Filesize
2.9MB

MD5
43d7000fa92f69fcfe45836ad77274b6

SHA1
0fef42c611d2e0a8b5a927204de5d397bf4a5120

SHA256
a6eed4e391e172adb8d84fc8d44d95992d8204b3639c14b99e862f8fe01f14ee

SHA512
d935e9c3e3fcb62a978f4bf9919c43bce2889d3053287c2753f66e58dcb4b725ce65335f451235dde08347afc5d77ea23ffbd8a5e3253d3817c39505374fad82

Download Submit
C:\Program Files (x86)\Microsoft DDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDD.DDD

Filesize
3KB

MD5
aca573cd4048cff552bbb8c96706c8b9

SHA1
260cc226b80bbf461ccf0edd0b4dcca4bd6522ce

SHA256
6f6667e80b84b3fff3a5c9682d9479936e07231a6734f91e3b8b4cc9d6f96038

SHA512
c514b24affea6cccc0dad0e86ec0c5ddde20a47b4d74974f80b271a59b4bda50d65eb246fa51e9e69690fbd5fa5d1901f75983aabfa03fdbf0e02085898d0471

Download Submit
C:\Program Files (x86)\Microsoft DDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDD.DDD

Filesize
1KB

MD5
d7ee14f88c391e1c44d7f0e5a39dc712

SHA1
7c99bfd4972133fcbad03f1e9f243096fe7809e5

SHA256
63b03b41d99bfed1e4ebe6ed5d99b1468ed48e2a5e267e6fe487aab65d146bc0

SHA512
50fb6834ab674ecf7b3194acd4c57a4a7896d20e0d4058ab78fdfa54f88a711d30f9c2640461c414ac9202201be7fad8cadd74a923d437a8d8cf28a5b95e084e

Download Submit
C:\Program Files (x86)\MozilDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDD.DDD

Filesize
164B

MD5
bd239d402957bf75e0e534b1bfe641cc

SHA1
896576c4adf0dc5c3972127abb1b17b3695ada29

SHA256
59e67ce777fe7bfaabed361fec02b3880f338af90d1291cc6e37a7884508a0bd

SHA512
c46ad3aec3e89ba26367113b31d0684dc792a5f1f38c073a874dfcdc8d8769f6e685180b873fb8d9f810b1dab1318e40579dd17512805b3c0569748991b24482

Download Submit
C:\Program Files\DDDDDDDDDDDDDDDDDDDDDDD.DDD

Filesize
25KB

MD5
ed0d0106f4ff5b8f98e5649125f22ad1

SHA1
8ca3123e4fd12e1800a6484b76ef7a5a9895fe14

SHA256
a2d9cb2cc86c7a5387d3cd947e6ea5c9091798240d6b7852265135c9828d6eb3

SHA512
aa4a2e7c47bbd4fc14fb6debd16e09f7784c187709e6cd673c7de02cc254dd51a3591b3e0423d19d4df508fc29ecf9bfa30b9e016296d6a86aa065d4b500eabb

Download Submit
C:\Program Files\MozilDDDDDDDDDDDDDDDDDDDDDDDDDDDDDD.DDD

Filesize
2KB

MD5
20ddaa05fbe2cc68458900ae919d3379

SHA1
ed3d26ca4e76150bdea2d2c6f40145a79f2c675d

SHA256
b27bcd743a421c54e28a112f474ee45136c0cad56045a6a3f87be2bb27949463

SHA512
645124fc73649b9f42ed24b866798150682e89a0ad6076c2f41a946352834b1befa0d57c39bebde9f3141fd100f61c116a2eaff88f599d7572db03610d7b6f7b

Download Submit
C:\Program Files\VideoLAN\DDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDD.DDD

Filesize
48KB

MD5
91006c24c5a426344eace7c23623823a

SHA1
d335efa63572d06f14db5a7a3519c3c34d4fb2dc

SHA256
edcac79adb495dd7ae57e7575ab611a8d0f082052602ad8134003c35795a0356

SHA512
a5d1db4fb29cef52fdecfea9248f320c83306306eaac5ddaa46aed1e9876d775dd0b0245dadf3e64118835f2fcf421e75c9d646301711fd5bd23359d5e38f2e6

Download Submit
C:\ProgramData\Microsoft\DDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDD.DDD

Filesize
7KB

MD5
6f101a66d06ca7db0a20f026dbe89ecb

SHA1
cbeffca09813b56e1ad005de9ffa95b856f1c28a

SHA256
75998ecaedbe422e960eb3e59e668a966e6670afc36c268fb06630f56c23213a

SHA512
53d37f77f0c1888855bf1d573c5ba1b33a9723d835bf632f65f10fb219db7506a8fe281776070734a550423d6c1767d607e069fe7c6b70f73f91bf2706268d84

Download Submit
C:\ProgramData\Microsoft\SearDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDD.DDD

Filesize
1024KB

MD5
1b26022a8910157c10e00e5b907e39dd

SHA1
0ec7ce15879a4986335e6590eed538797d502d4e

SHA256
1620f6a5b5a47fdda0793a912daf72d667ec9e63605c8c0c203ec14c7bdaa0f3

SHA512
cfce9295e8701137a799079da0461a3e57f84e0a858d2afa66601bdc301d85e1c72a454033da96cb61a2332b104775d8bb81db1137d1be02af04cfb788f8e355

Download Submit
C:\ProgramData\Microsoft\Windows\DDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDD.DDD

Filesize
1KB

MD5
9f7356352868fa41f2f472a8d7d76efe

SHA1
f9a6cd0a835f1fdd5a4295fbfca822c50edda1cc

SHA256
be65dcde0b24abcee195c2c03ebf1f72c4048528d5be024fd31a724e7759dad5

SHA512
bdc76f5200d236d0072bbdd634457e0ec10a987fcec0c96b86e226b326107a56724886031728530a7fb187c05fceb42099ff2b399c939e29a8a0dc41fd7be192

Download Submit
C:\System VolumDDDDDDDDDDDDDDDDDDDDDD.DDD

Filesize
20KB

MD5
dbfa35d61db5f8e5d7a7ec7f3f42a697

SHA1
719ae84feb4dc02a6c0331bd993f6a225cfb6a08

SHA256
bdac69e51949d624eea7d0a57a2e7f60fd1e5a3a75dd89e7a8183dc1d6a76554

SHA512
7a1ff8f70b83452eda013014cbdb9ca2a3473728acac55c303b1cc86bc49aeb0b9d56d3e6de5d7f4a612f2fbf00626ad43e90383e4abdef91a92dbeacd240de8

Download Submit
C:\Users\AdmDDDDDDDDDDDDDDDDDDDDDDDD.DDDD

Filesize
688KB

MD5
15cfebb7cbece5c80c88a55d42405e37

SHA1
b8efeb44eea7f35bed386866857249ac97da6fca

SHA256
a0950622cc145fc1e65991e86814d32498d962001b8a80db3c1df951c54d82d9

SHA512
378bb33eb71aedbaaa6ed7a76545651b1497aa6e736f74129fb60243b04d99cbe1e13d8c5dc8830adcf0e3cebb000d784bf1cb97944e2e6a05502a50b8790822

Download Submit
C:\Users\Admin\ApDDDDDDDDDDDDDDDDDDDDDDDD.DDD

Filesize
347B

MD5
29e62c9b55484ad727590a37aa06e0b1

SHA1
270f1514b01083eff60f126d4a25f41953bf1321

SHA256
7029448bb2ef60ad1e188da30c532a5e3d66f5a3d785300d235e3ee6e609ecc2

SHA512
dcdfab4a38381e26b773d002451540163c5dccde0dc38fe315de78931894cfdffe395e820c5fd0b9b532a5276a47e84d95d9e98257cf797a6e261aaaca5c1c6a

Download Submit
C:\Users\Admin\ApDDDDDDDDDDDDDDDDDDDDDDDDD.DDDD

Filesize
13B

MD5
ce9946d18d60a90d7d6e175a4e1eebcc

SHA1
fa441bc88e6eb12f30feead9b8ffbd8d8fa5c50b

SHA256
b15bc63873760386fbb846109f57d517c81279282e52e0d6a2be1dd94e05480e

SHA512
586da75bafb317e69756e3dd9ce85dab5b9e81d8cfa98d771f3ba97f7749b3f64c98a56a17abedc54d7ce9df2ee7785714dd274c92180e63fdb2d295208ba37e

Download Submit
C:\Users\Admin\ApDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDD.DDD

Filesize
2KB

MD5
4ac2228e22b3da325df6a6b8e82f62ea

SHA1
1b915db31f2b7737e45592eb6c9cd437bf511d2c

SHA256
89f93e4fc71ee119129c096caf9fbb4ed5ac4c3fdcb1717aa352b9b237aae154

SHA512
2cc2ff672ceb8b011b65d3958073cb424d4ef0540deb13f0384707d3e6c227bb0ff9620cff483c07cddbe5888b2ec02861deb870dc83b2765c9c85dda27c4d7d

Download Submit
C:\Users\Admin\ApDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDD.DDD

Filesize
2KB

MD5
fd32663482cd9737bd0dec08f2a83510

SHA1
95f3c0425ea1f2d6e706c20f8b1f027147c4dbe3

SHA256
b1139fd49b57a3a4bd9525b0522c47d91c6d1fe3d27875761355cfa71e21b7b5

SHA512
e8d7b74c874cb87161403bbb3e572f5cf3621a8fe8725e41801f8f5938a0c2a410f70a8df672813f559df674461362f9aad3d4ba557709dc58d637c38058de8f

Download Submit
C:\Users\Admin\ApDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDD.DDD

Filesize
2KB

MD5
fe168a71f0c5b0bb22aee85eed2a3d14

SHA1
0d0a621e5db4851e6fd63ed3a71923e80b921e70

SHA256
162320af08f267919995b554b245801d1e20391529cb021b8cbbed68011006c2

SHA512
e7643523569730fbe1c91a6820c91acef790d87b0e90762fa9d4953cc466e207743fba2a77db5237265c92a11dc48c4141a20798257d1b84336b13b2edf22721

Download Submit
C:\Users\Admin\ApDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDD.DDD

Filesize
1KB

MD5
36c8df4160ac0f5011cbe02fa93ef4ce

SHA1
8a9f111e96e99230929c7ea206256376e75050e6

SHA256
af959b03079d3db7b143b5d07931e5faf9097bb5d05697d7f479710f0f13d293

SHA512
eab9381bb3f663942ab1d7cb6c4651ea880e177ea7171b473e601d90d4e17108d7e344a0bfde2ff059f8a1860fd9ff5262a4968feffb544d0790a2b4b69fc99d

Download Submit
C:\Users\Admin\ApDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDD.DDD

Filesize
112KB

MD5
541fcc9360359c8cf17a4e2693272c06

SHA1
5d768aae2627a9a52cc428c14d43b079ffda0b87

SHA256
a9bc6f86de3e5041f3d8ed84a7aeeaec2d4be1a15441307570a1573ce2f02263

SHA512
da6024104074c93c2e0bbec0b697006a2b8a1481e18fb87214e5369ec1fac59fbb00255181bc890a95eea30c60506e6cb0ab49180cb4f35e73843ec7a51502de

Download Submit
C:\Users\Admin\AppData\Local\DDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDD.DDD

Filesize
11KB

MD5
861fe10318f7263548d772e8e9cae466

SHA1
4e802ea29ae896ab455b532a873c93713d7eed96

SHA256
1aad9f54f4532d1d9493d8d1522fecd8f447a0c4b32bb83fa764a41ac0d5f76b

SHA512
3d633f4ce54f895a3ec3deeb5c63f6d99a59659da6f82e7db1d623c2faae57f26c3ff48fb01e1d51881a990a903cef238230c7985fb3da8f3b425c57252ef683

Download Submit
C:\Users\Admin\AppData\Local\Google\ChrDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDD.DDD

Filesize
184B

MD5
8fa167b01ad01ae29ae6d4d1e9741946

SHA1
902cefd779edc7dacad49f42c2e7c5dd2deecfd4

SHA256
574a7ddf8733517de2ae8b92a85691c2d1601209580c591e7b1e4e0702710776

SHA512
7a6eb2bc94a1400e07430205bc23357d74ebb6962836b9dec90a711053b3c672791c36c361969ff0e854da19f84b4ed018eb68b265952c1c3326e09a4e15f9da

Download Submit
C:\Users\Admin\AppData\Local\Google\ChrDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDD.DDD

Filesize
184B

MD5
8e52135546980624f60df1540803d5ae

SHA1
19f49002e08e9585bfd1adb0a48c5f89a54b958e

SHA256
db10280e1ef89b4d5f42c15125616272a2b0c813d7f9b2bd83c648e7d0ea296d

SHA512
7484f0f9d583745607e7cdcae8879c57998a26a558e202fd4c8c514d3e7d06e104dc588ffda07abcb07b3edf11436a3a602841919c467795299b89e4976d6789

Download Submit
C:\Users\Admin\AppData\Local\Google\ChrDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDD.DDD

Filesize
656B

MD5
d92dadba5ac2e224ac50cc759e34c362

SHA1
8d2f3c07dd53bbca540ca38c87caf2c917c77bb4

SHA256
76c555899b06b71015214d21152dc089eecc5dcff665df12e438295816eb78b2

SHA512
de20d2ff3bd8598db838a2197fbaee099bb06f4a15f4adc74fbd41869a493671bc61fdd59568c15f42dccd7f049b83cf2934e7349c9bab226fe6d43e073cf526

Download Submit
C:\Users\Admin\AppData\Local\Google\ChrDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDD.DDD

Filesize
38B

MD5
71559e14b067fe1ce8bbddff3384159e

SHA1
b3f97ce09eba1a31639efa6187f2a5ceb5ba010a

SHA256
648d8616734a34497659475144ff1bf0eedf2a393663fc78dbfb93afae8b50d6

SHA512
17fe594464338c7924cc54d72723bfa7590cbaae7e0df932b749c1d9f2fea9bebee0eb0dbb16b8074665070cfa4bd73974b7f94843eb614abc609561a3f45bd9

Download Submit
C:\Users\Admin\AppData\Local\Google\ChroDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDD.DDD

Filesize
186B

MD5
2bcb39864ec662439475352935380cec

SHA1
53cdb4d4faca77daf177f60a6a6355559c423537

SHA256
65fbb83c6ac20cfa6d9e9a8a29cc780f9d9932e8107e83527cb57826d6fca691

SHA512
633cdf1675d2819e6f151d677da9a9e9a03176710e6c41fa9ae10b1489069dd16171a2655e46e04bf432ce1aaba5eb293940d388c1fcffaef7d6fad7de972825

Download Submit
C:\Users\Admin\AppData\Local\Google\ChroDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDD.DDD

Filesize
76B

MD5
a9a0c6227dbaf32cffdada84a9b6b4a7

SHA1
ddfd01c7840c8bd1239a73a33ab23541aeb0f692

SHA256
785cad916702e6507d712c9e6534a43c84bb8a2ad74b75bb03ad2373a8ecb3a9

SHA512
367ab1e8b0e8e0d3cb3616c11bc727a257aeb47096d5938b9fdd36418991914f0929da60d24538009ab10ca25cefd25350cd9854efdf8d0ac1986a545ec92585

Download Submit
C:\Users\Admin\AppData\Local\Google\ChroDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDD.DDD

Filesize
4KB

MD5
c6affccf42c54b16a41f0aeb347a66d6

SHA1
8ba5dda7f645791ab4f28288756c0e5273d88210

SHA256
3ad1849cd745e9960fbee6241df1ac083efc8b9b051a9af67f7f6a7234580e37

SHA512
8215ae310d8efbd83d91dbcc1f13d53e4f0fa57791b0cae6bf9ceb788e2e1c7d2f7097eaa39cf26ed086a60ad57862d66edf1da9b2f709c2fcd8be13f3d154c7

Download Submit
C:\Users\Admin\AppData\Local\Google\ChromDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDD.DDD

Filesize
189B

MD5
45388156441b05823710a7bfbbbc7253

SHA1
fa697e8b87378daca626ca6a6fe3286093736e33

SHA256
73ea1b84c5e6b289c15371a1127723d9c30c71d753264067faab07e0bb81186d

SHA512
3d7f9cbdf762816ed841470b05d8c024e295172b5ed9fdd3c640079f9b9a6b25a6fe345794bbf4d9034ec3a243bd36ad37789818c9e207a26a4ea6b12c0225c1

Download Submit
C:\Users\Admin\AppData\Local\Google\ChromeDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDD.DDD

Filesize
190B

MD5
cee111a6a91abcfb0f7e3c9dad0c5d2d

SHA1
b8935ccdc937027e09aff043ff8f02e770a977b6

SHA256
29faa209b385c5fb713543e86d92ce2341c73dd3a2a616e3e0fffea0e2525eda

SHA512
b717044a7c2829986b9f3a888ea0e500ee0559f59552e1b1a0bcd1b9a54bea2944f4a765f646bfd7536129a28c4a659d11a8abdbaf015f142f7f99d73a468a65

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA.AAA

Filesize
637B

MD5
f8e6e4b80d5bacb4d6db612b8e3303c7

SHA1
f7ea00e25ed48f3e59f661f762ccf8537e51d2df

SHA256
7c00de1ba12f1b01f6b1341600619ad469e06fa7081d77bb780fa8919138f459

SHA512
225f113f6b3f8e0fe63482cd9d6204730db03ede5d162cf98d547ba922e115cc02000a374acdf79642d6229207b020368809f4f092c728b70696f0715e5125ab

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\DDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDD.DDD

Filesize
193B

MD5
3d8dd489e5279a90a82de6e832770407

SHA1
6cbc6e4a195af0366c05ad2b7657a09aef5f3a8e

SHA256
ed3566116dc334c12fe5e61912cefe08e2a150469098429f6330324e9b40ef1a

SHA512
5e464b760761977076a6bf7a296cb43e522651ca6c74d3af547ed03ea57e1098d9154088139b34d16cc8b2ec020db8b53b9f1700ddf77718bf0af42ccaaa0bbb

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\UseDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDD.DDD

Filesize
198B

MD5
833b618a225eeb758787bfd8bb5ebad8

SHA1
49d851341ac2c18f68879c0b046d7003375c91ed

SHA256
14cfc2041ed4bdabb0d6137e97280493e7ae3a8eb45794b1dc3ff846a44bff6a

SHA512
e5023ebb281df7bdf107f65b5e5a5fe7846e77b2f0ac01875079fc42ec653b89ddd71a1592743c76e687de6d79403f773d6185dc6bf683685e3403b526560fb2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\DDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDD.DDDDDDDDDDDDDDDDDDDD.DDD

Filesize
67B

MD5
d90a93f5ffbc389fb3731f957c52ac44

SHA1
e0a9c796ad593116c75f3e73f89763c327fe371c

SHA256
99d24e1ba1a1f458d125d609b50c683022c2f31d999314a96192a3b1a45651f5

SHA512
3ff26608d3b702baced91bd487758b85ea6e9b706faa2da4870df23bc9b340da8380ea2026704d6cbdded16d281cb20271aed2abe455f22c75b3e81a4f73df6a

Download Submit
C:\Users\Admin\AppData\Local\Temp\lpksetup-20241023-171716-0.log

Filesize
36KB

MD5
21ac57427567b422d2b3c5b4d00e74c8

SHA1
97515b4cc4206b2779c15d6129f9d4a17502756e

SHA256
37963e0972ceae3e423883e64f78c19bf928856b0fab08321a7062c85f177bfe

SHA512
bd5457fe6df91d4f641d9bd0b35a93f7a1a9dfa61d54b8d7705d023784d2bc122d22138d0a3ffd6ee1111534ace639edb796bb980eeb362f0e4bdc9ed629b7ac

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\ProfDDDDDDDDDDDDD.DDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDD.DDDDDDDDDDDDDDDDDDDDDD

Filesize
832B

MD5
b6a06036776d370b809d71a8e596e49e

SHA1
2470912e5a4b209a844491594ea4c7d6d927f273

SHA256
ee0ee9af1364ccdf65a578498d4d1af6e0bf60687e432e3b06082c20c84bc92c

SHA512
0a7f31072ceedac60aaa799626f5cdee26d5a58629018b08024abbd1927eef8d629fa9afc3452e42c26a247402eac1633bb3cd7f1a812ae17753c76fdbfab631

Download Submit
C:\Users\DDDDDDDDDDDDDD.DDD.DDD

Filesize
1024B

MD5
304af2103e430219f052ec43e64422f6

SHA1
fab4257a9a08b910744c535c0535510052ec53b3

SHA256
9b95de1da2d522b692cb82e21d3d30c6ebbb2d45c37688ef5c0c70be38afae8d

SHA512
df3b0b0660068923e5fcd847d5c2ac963a064c93802e78c5e02001303d0f1add867842f21685f35320ff48b0e9d26bb9e136bd1be98b96152462824146e29d04

Download Submit
C:\WinDDDDDDDDDDDDD.DDD

Filesize
21KB

MD5
d615eca95b375d28df6d521fa225b82d

SHA1
d5c2cf4580ae0bf3e9fa57633f168392da943025

SHA256
94b7880e431621b22db992bd1a553d21a9e4e00897ddefc52e5fd22eba60f4d3

SHA512
956a995d259b407e69ae4fb3c7935df595079dac02e3119a24fd249937615985aad32d642f590fb017dd71afdaa12a1e399da36d3e57c2210e4ce4817f67e864

Download Submit
C:\WinDDDDDDDDDDDDDD.DDD

Filesize
1KB

MD5
28ac56bb7fd3f6a7898432c817c3b2f7

SHA1
35325a3da4056e130d0336c08546b8693f319abd

SHA256
d802fca75a5919dad08919af99bef3ed90566680d8a1148486312003b62a3a28

SHA512
fa7e3df02ba8e509885842eab9ed49fee5fa2c74c0faaffd110ba529e9c065ef26ad5e7c1c54d63029490fcd132a954bee7a1de41712d3d81b921b0cb49ff8f8

Download Submit
C:\WinDDDDDDDDDDDDDDD.DDD

Filesize
2KB

MD5
99c43e8c665caf2226caf06adfe9c00b

SHA1
9d395cb06d70f7ffea211072112d3904a4485cdf

SHA256
903236d9f160616e926396f70012dd6755c2e0029bdb9619c6f6c59a270adf38

SHA512
8a966fe5982ac8d0e6001e5dce3ff92b0ef74876a90b36a8052c8ff23fe9b9e63d3c516c59bfdbe7c6178f73eea6187d3924140aaf6cc0c93878e9e96baee6be

Download Submit
C:\WinDDDDDDDDDDDDDDDDDD.DDD

Filesize
16KB

MD5
2733f925409aab97a74b373bc9aad0ce

SHA1
97a184ed55646910ab694ff8b0c7e088b656b168

SHA256
7341162522cd24b22d34ff625f93e79e6e9e295c2c02b923295d70c1dc750fa5

SHA512
e59e2da9770ef2a148d036f645e32a4aad56a8285b946bedd3efb836389aeec176a45f5d7836199ef127a252edb1384c35729800ac9c5a99bfceaecfa06875c7

Download Submit
C:\WindoDDDDDDDDDDDDDDD.DDD

Filesize
192KB

MD5
f7bc5e547b022b6d3da676238ab5f818

SHA1
049125fe0d630e16be1451cdd5d0eb231a4a631b

SHA256
f392d0ef4ca54c2419b71e61309244e251400dca2474678b19071df7cd77d678

SHA512
e11906e1561331686d2fb2850a3beaffc32cbc441b67aa509955494195759b56e63c9382bf97ae9a03ec835a726ffb4551c30ba9ae5eff294a117fb8055c207b

Download Submit
C:\WindoDDDDDDDDDDDDDDD.DDD.DDD

Filesize
40KB

MD5
05ea1b07f084495cc374dcf006bfdb01

SHA1
d48dad0036f9b371f6269bcc80c8aff35e56fd35

SHA256
dbbce136f1651809675d856e64ce32aee8d8f7006749d03d45f71df9fb1ce9e0

SHA512
b9d2a72dc489843b73585901a3aa346bbda99066fe26ed80ba9367e6823e5172ebe33bc689051b8d073fce9d34968c51561714b4bd615ea947f66dec814e8834

Download Submit
C:\WindowDDDDDDDDDDDDDD.DDD

Filesize
131B

MD5
7d7fd6f8f972ccdc46bca2aa566cae37

SHA1
a4c5f604ad51308523644bb6a2347bdb950b22b7

SHA256
eff0abb27e2af13eb5a06a57f5a00beda56abe072d88cb62e8379f852e66d26c

SHA512
e9d3ca43ff05d55be93d09c9ec8e426b7b89b28e69c0b17068c88f0365e0fa739dcba46a61511561ae85d1fb33421e313dd5c0310e337ef6cd409ea5a70f69c9

Download Submit
C:\WindowDDDDDDDDDDDDDDDD.DDD

Filesize
74KB

MD5
def9927ad84b2fbed91792d8e7208a97

SHA1
25b694b989c8ac203912c5b7cb960bd186c56da8

SHA256
11c11e98fd136f34b73be1ef841534bfe7d2a8f51130aa3791eb2cd14c80f8fc

SHA512
8858ead246b5186faf772c7141c8682c6cb71c809326d5f3487dc94ccf5a23a4eb8099385fac6241c99a9007b790d9ee98f85dbb6b63b0d45ccb152c5294780b

Download Submit
C:\WindowsDDDDDDDDDDDDDDDDDD.DDD

Filesize
5KB

MD5
c45ffb8d8c79b7fb510df184f10bd11c

SHA1
b6703c8370502bd1ea448ef8aa83a70a1c5336e2

SHA256
cb9eeaadb04bc3daf30916db9848a6a074b8cad44903276438db1f0e678f5981

SHA512
1928b194d46c28089c66d4d6f562af56a9997704ce3d8fcec18e394261db888a578a5e1d25bde7afec64c9390980da1b8e72be654a9c5e87ad260bb2e9a1fd4e

Download Submit
C:\WindowsDDDDDDDDDDDDDDDDDDDDD.DDD

Filesize
41KB

MD5
88a4fb8e7473ad2c061a3bff12bf4e5f

SHA1
382d888a2ecd4f323274164dd8bf11dd0900c9ee

SHA256
e6219ee184ce0416174b74e39474b58727364444d14294436de9832fdf6702eb

SHA512
3bc0d0c2e6e0aebbd6bf1ae4386041504cffd38345dbd06c74f033ded76a951d2cc2a35a89bddb7cf46a99fe2485b6c89cc5205860361ab4b23dd5fa7091015e

Download Submit
C:\WindowsDDDDDDDDDDDDDDDDDDDDDDDDDD.DDD

Filesize
4.6MB

MD5
764769143962caa75cc5d3631e1fc14d

SHA1
08f3ba9e43f031d6eba80318d1798ae176f55f15

SHA256
a69fa8709141e9d4dcf428e73c3d81c634901cce944758a7341a42f63bdd57db

SHA512
db15a3732273e699b0e7e3325e159a1b878050233436b9fd4ad1753fe160f4b11013fda6640f8aa8c6c25b7478cfa77ad127c13d02f2e8be1bd36eb48d3e2c3b

Download Submit
C:\WindowsDDDDDDDDDDDDDDDDDDDDDDDDDD.DDD

Filesize
739KB

MD5
d99001d2576b813904121d12ca45ec96

SHA1
8b4546151c1f1521b58b55555356f036f60f0638

SHA256
6531c34e9bb1670dde0f9474655ccdb2ef098e4e5e91755df36b9d12d225aa89

SHA512
7bf3cda108054dcb86aaabdfee6c614e5291730a54f49848d48f1da090c0db40088768a88880f5496e514a72ae73a9fe535975ca974616089b4a09418dd0c66a

Download Submit
C:\WindowsIIIIIIIIIIIIIIIII.III

Filesize
920B

MD5
80f775ff2d60ee1a73ac698c0077cf4d

SHA1
016a4135ae155f9e4e6f59ac5e609c39cbc5e707

SHA256
0197ae4b207746681138c78de97d069b27c5f9d4ec54712cc9100e37554560c2

SHA512
56b79d2b089eb1633c461555d2cf2bef87a34b128ddb7a2280b960905dfd33f037896fe6007d8fa1bf86d8a96f37591fae0eef9695a1a5e6070996fe2da561c0

Download Submit
C:\WindowsNNNNNNNNNNNN.NNN

Filesize
37KB

MD5
1c668b468bbb17291c65707f0dad5014

SHA1
9c105e2b2daee98377ea42edc4b45aea03968a0b

SHA256
e3be326f7dd8343c230b1b74e466df675c7e973040f00c2d0427576c74f1998d

SHA512
1a9d227b94456db9862803594e8527b6aed0838666f6b9ae2268b78adfb8b33117da4dcf37790d97bfc90ecd8e3e1b8c9bd8c762e49003d8f09be16e80c17763

Download Submit
C:\Windows\DDDDDDDDDDDDDDDDDD.DDD

Filesize
230B

MD5
3995065dcd00be23c224719c2d890c8c

SHA1
584b24b95ccdd8dcbaa86bc953fc4aebae4ce703

SHA256
7cd3c52eaf76b3eb77036e5b151f6e5dd5d8b12cbb3a6256cf22745d44f024a1

SHA512
96ab10a5d413594ee22091944de22a230fe33d6fdad917bc5c38d069dbdf95c1b64c86920c50e56aa83c267a9576546da3eb78051788bfdccd7b85669e9e56ae

Download Submit
C:\Windows\Microsoft.NEDDDDDDDDDDDDDD.D.DDDDDDDDDD.DDD

Filesize
256KB

MD5
ab672437ece1b2c8019f505943ebd31f

SHA1
57dde1ac136f1dcace3eef50b06484d41f28377d

SHA256
8853a7db4c5c7e16bb0ce1741430ea19ff07a993bc65beba8157986d8ee078ec

SHA512
a5fd91e1e50939d0752d83847867adb8d05b729b6736e3d2b228de1f42410410dc4b40668204fa4691e3b9dd93e49b9bb2d75b66125a6c07c4302612e2023592

Download Submit
C:\Windows\Microsoft.NEDDDDDDDDDDDDDD.D.DDDDDDDDDD.DDD

Filesize
117KB

MD5
cc486a28ebe395e480f2fa93babfaf72

SHA1
97bae32251b05b5cb9501cc6500e16aed8661fc2

SHA256
e8debc7cf8a29919b6c082ba51a8d36b81b583a1b537c694a1507d2b2eadca7e

SHA512
6a6a101b1a4d9956fc4fc84fc5501b66ce29dad18b01569b33486f64de3580dd664a6964b83594dd31d3378d660bfc54ce2a0ee28db0513cd719b1fedfb4046b

Download Submit
C:\Windows\Microsoft.NEDDDDDDDDDDDDDD.D.DDDDDDDDDDDDDDDDDD.DDD

Filesize
304B

MD5
3b9fa193892e73b69ba29d7d45842c7a

SHA1
bbff91ce945ad72f3e50026eef0fc28cb70f0c71

SHA256
fd31e877e5273f9c587d704adb068eb3768cfecf08c886c0d94c143c4dcdf5fe

SHA512
2c82665b88e27043a37afc1cc1fa24f2360453e9bd5f135e4b42bf1536048e31490dedb64bb246b7d159b7726475173e41653771f7c85f686464a490aca08efb

Download Submit
C:\Windows\Microsoft.NETDDDDDDDDDDDDDDD.D.DDDDDDDDDD.DDD

Filesize
107KB

MD5
030e93ed6c001e0e4e053e2d153b164a

SHA1
586bd13583571555e3ea45bfb76f9f92b950ba32

SHA256
1764dc0cfcea942b9ecce8a67d0dd78903c11813a5a69c35aed00b08d96404bf

SHA512
132ba66a99787913152f5542fb7378a0add990b5c6bb39ea631991a7755dffb0a06d02d866cd63618832bcbff55ff520c8b58fcba2344988b9ef65e9a6168d4c

Download Submit
C:\Windows\Microsoft.NETDDDDDDDDDDDDDDD.D.DDDDDDDDDDDDDDDDDD.DDD

Filesize
871KB

MD5
049dd6ff6b00dc58766000469baf1583

SHA1
2ed3935ea267aae25396ef8dddf0bd6ee2b957d7

SHA256
0f3963f1eea2b7f21604d36aeeed3ea866267c241ab236958ea5b35e5fa933ee

SHA512
76b508680a2ddee1ef3639598003ed650a3e4f0b467be300b1accbf1c495d936a4ccd64d4d894d293b7a8b88f4a12d47a45e141a6468bae9ab0c744895c098d6

Download Submit
C:\Windows\Microsoft.NETDDDDDDDDDDDDDDD.D.DDDDDDDDDDDDDDDDDD.DDD

Filesize
428B

MD5
c184ea42724c17104cfc3f977d5e0709

SHA1
cc45539b5a782672d8ce3dfc961a37fe178a1573

SHA256
7b21465bbadac8e9d8468f248f4336aeb9c0e4d90f7f50e3d9b7de499bb6c1c6

SHA512
d3725425e85fcb0c680030e74b1037662403da0553a2167892e2c01c8d1eb66b5b9b6437ea8bb88907c9f3d049eb9515caf4e93d647f88b6b092fbefd8fb3c8a

Download Submit
C:\Windows\ServicePrDDDDDDDDDDDDDDDDDDDDDDDDDD.DDD.DDD

Filesize
1024B

MD5
6ca790e14b4531e5423b9ff0951e03a9

SHA1
25eda12fe8841633f07d158b4e26dd36495e8c2d

SHA256
d82efa786a8a0c243fd46e46ac0d8edab04870c17d33fa9469ad0fa1aff4bc06

SHA512
9aad3808d4da81b64d6ea861cc6f9e69fc3a1cf792b258f2abf805cbed0f193fdff5af591227e36cb43db843c23a090c38a754a4e72afd756c9b1ed9bab3b813

Download Submit
C:\Windows\ServiceProDDDDDDDDDDDDDDDDDDDDDDDDDDD.DDD.DDD

Filesize
1024B

MD5
3dc62fc0afc6124f50d7358c6bec5af7

SHA1
75f78577d9fa5da18c28ec01743568e098e00521

SHA256
2df32bf875902cac92f90d4ba15c41143ea37ceb439359bd58f5e4337b1cb952

SHA512
b825abdb31152b08d47a8d86e42bbefa39c4da218432b7e9b6cf912412d84077d4da1d038d29b399e6f9d53341fa705ebbc4a8836c2cf29e4b8e507eced07862

Download Submit
C:\Windows\SoftwCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCC.CCC

Filesize
526B

MD5
57a13a22ec41304bac1b3f187584e788

SHA1
dfdb34ebe9fe31de9e8de97eec9ba34581b69179

SHA256
ef80fc723c942fef22582badf3b49622d705f7f4d62d243d6f3e7188e6a24c1f

SHA512
a640143a76fff22b77c277762bd63be7bde60a340e9efd040721acbe16adf2796e254739d724aea9219181e8d2118a7b87c32b6f071cb0a285066a7f1f447f25

Download Submit
C:\Windows\SysWOW64\cfwin32.dll

Filesize
394KB

MD5
53894890dc01bbcace449f6590a1597b

SHA1
b27c93ef650d79a49150e61cd668b01bee543a30

SHA256
2f3f037b07737101076f50664ea3af10f76970febdcba4bd0e38d5a0eca4f6dd

SHA512
2ab1d894688ba8ee4129c575a116e7d01840d553a3956c3c158921e0794207ae9d0396c4c848c9e6592f40466e893ed19165e5eb34c53e02fe19fb65265c3a5a

Download Submit
C:\Windows\SysWOW64\csrss32.dll

Filesize
172KB

MD5
492e8e81ef6ecd3998c2215d9db3a6da

SHA1
55a457f585172196c2ccc530cd834d421a83276f

SHA256
769371d3a4195187b9fa8b3ee56aa8ff6eb52c6c0d819420ed2ce5d732faae25

SHA512
21b62e018f889cc12e643cd6e1da922e1920f10219cf36e07e439acee62706d1589b337207a6a0566e2dbbd6e266aaa4cf8b95d1f88f60b15349bb20e7901bf5

Download Submit
C:\Windows\SysWOW64\csrss64.dll

Filesize
180KB

MD5
ac281938245639d5298a6c5c395cb7d0

SHA1
7b5db71ea5913cc8056eecb336fdb9f9ad23309c

SHA256
a80e55673477e4bfae1ad75fc00e8ce28fa1af8f78fe51778fb78acf965a3283

SHA512
5f1893a661d323f4932c96467f86621be4a3a3b58a41d00758a300b2075187fd4e31f0d903cbb9418d3dda9809f3143774e7b46bdb34ae63460b24d4c8b55452

Download Submit
C:\Windows\SysWOW64\sdelete.dll

Filesize
152KB

MD5
bc60849f0105976d8afc33731ae50c68

SHA1
90010c2da0343756ce9a37671e69436f478c83b6

SHA256
6e7ca1cc6fd03a1487d876ccd05c411c57ef1687a5c7e6ca007f00e2cb973fe8

SHA512
6555aafa9854c0c42161ec5b938e386d9e6a5fee8d9d63f5134cdf9db59b8630b17a8260ab2b0f921ec343fbbb918481f00c641553ebbf53fe983feaeb1bf380

Download Submit
C:\Windows\SysWOW64\svschost.exe

Filesize
38KB

MD5
4fc8de89c54224746fbdcb486ed92514

SHA1
1ca774ffbb0eead4b4e06a5f13059933af530754

SHA256
ea32a0b440e81208eb10a500ea90855eb413bd2f756a581a1644bdec4453d96b

SHA512
b7479e94ff2183c23df99407b54282d97d1b0aeb32b2c52fbb30ae5ac626ab0641521d03d1f4f2e0b6fcb0c98cc04b61d897f9b450a456e988157cd038823fc1

Download Submit
C:\Windows\SystDDDDDDDDDDDDDDDDDDDDDD.DDD

Filesize
64KB

MD5
7381cffc6d417e90bf5d097e35e0bcaa

SHA1
0b13bf3289cfed0698f242f848212cf9839fcd84

SHA256
77c3148bf9c7dd72b6ff9c65b126702d4c7e19498631e79f820c30d09aee174c

SHA512
615aafee9004cc7c5c5ae69e397c7b5cbfc2a14eaad0435d37ad74a94e0347f315c7075edb218d4449d66321aef7605245c2e27c75652c61f5998dd28c5d6f21

Download Submit
C:\Windows\System32\DDDDDDDDDDDDDDDDD.DDD

Filesize
8KB

MD5
7455e25fcb5d29f6c2120e11cfac70cd

SHA1
b8bed1b0f91d632beb0c2cb068a36908a1af144c

SHA256
4fc31e8be18f1fe6bcaac04c97be78c1383fe57614b67b8e36cd793898eabe2f

SHA512
cde4186d6c95dcc7d9ca7d7aab6d9fce34f31d6162e94a0a200079de727fe7984d7e4675bb1b68bdf159ec75ab93f5870dcf0e5ac279e455367aafdb1c864e35

Download Submit
C:\Windows\System32\DriverStore\FileRepository\prDDDDDD.DDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDD.DDD

Filesize
124KB

MD5
82bd6b301b939350dba1da7ad695b0c8

SHA1
094cfde8d4349cb6f6cdebf3b2108479ac437ffc

SHA256
ee68ab10ff08247a9418627f451b678534de5690b0d529a9a950b74f8978f7b6

SHA512
c514e85a34f764bf20a57902d928f0c7f848b07e3f59e5e454763fe00cafcd063fba9441e46454fa50ca3b6d571ca3fb543b68dbaed71fd200c4b11963306bd9

Download Submit
C:\Windows\System32\DriverStore\FileRepository\prEEEEEE.EEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEE.EEE

Filesize
239KB

MD5
1b2fa588ca2167c8c1e5c0c6bd754f7a

SHA1
cf93a53c575b83eb4888d2c7f08af8bbf930bcab

SHA256
3c02801371fbb9ed0a0fad93f6f0168304dbd9f5d74545a501f8412e40dc3815

SHA512
f216c6ec12a304950aad768ca76080c08930f65dc00d8acc087117758ed8af66c2ae299d4653b4b83251f07a06dd13e5043ff71f47b1b4cdfc984e8adfe7516f

Download Submit
C:\Windows\System32\DriverStore\Temp\{DDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDD.DDD

Filesize
8KB

MD5
ce334ecbc6cf330239960a50c5deab6f

SHA1
f859954b08a6737685bd726827bed03fffca0b6c

SHA256
723ceb3e5e61643dc68044b50231601be4b03d40a042c3f8cc5724ec58de7c90

SHA512
661d88f99d9b944bba875236545d7a12058f422159478a5a55458cf342154b875023f6b2d6aa17c050d6d6c6198f06c9f631b81e9ed52d35b4d77ad30805e5f1

Download Submit
C:\Windows\System32\catroot\{F750EBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB.B.BBBB.BBBBB.BBB

Filesize
12KB

MD5
b7247b6fa2430e3eadc9422789145fe1

SHA1
8b9d087d22aaf575debc675aa1a271c48fd96125

SHA256
06dc17d060306c59ac2dec6f57c888e774fd42b2449796975fc8c3f8cc1db5b7

SHA512
e233aefbc47dbd40b1c85756fb06092c1d257bfb6d4c4852fff33c9d761efd0976d827c1321046d714e604ecf91e9e51aacb6ea74a8c4e7980c79965b7c755ab

Download Submit
C:\Windows\SystemDDDDDDDDDDDDDDDDDDDDDDDDD.DDD.DDD

Filesize
96KB

MD5
26914326f29caf26756c1d0921d879ce

SHA1
5012074c70a7a92665b716edcfd43f61ef9ba9e0

SHA256
6f494357c4a53509abe740f580eecb86cb902989b63a37dfd9f6a9e284dd5ce7

SHA512
815ad44fd9faf18ec67511fc6c32c1ef74533b578bc1afe39916fa0e7e6c768ae65f421d18c74d4b246ab37da9a3a7305bf18396b17484682eeb3ba09977a2e2

Download Submit
C:\Windows\SystemDDDDDDDDDDDDDDDDDDDDDDDDDDD.DDD.DDD

Filesize
1024B

MD5
f361de00e282989f452aa2f4949c4211

SHA1
5f0733d652f9995872bb606a5d0c8074706778a5

SHA256
34c5dfad022697c2f7c80d5ddd0514e8c71ec9f7e9351556028f9acdbdf09402

SHA512
156529fe6cd4817f8f330b2c4ee5395589e12b2a4c398f43f02051a9115064784d990b49ceb8ff094512508051211612c7b2b6f70bbed5822333c09ed0812cd8

Download Submit
C:\Windows\TeBBBBBBBBBBBBBBBBBBBB.BBB

Filesize
40B

MD5
8a0386b4cf5b1b80035d57f65e741701

SHA1
553be773059d00d78b148360dd8fec211e0eb886

SHA256
1f7fe380217a5444fbcd7a66783d19d2213e40b6b5d52ed593956c09677e47a8

SHA512
e932853503586d3ecc89fa7aa242591bf00ae6cc0f5e8cbeaef84ae13520e8c3909d7c4e9235c50b9dbdd9eeb1487092c14e0badd5a688c0fec1532fba03a8af

Download Submit
C:\Windows\seHHHHHHHHHHHHHHHHHHH.HHH

Filesize
9KB

MD5
e26c49aed0a859f0fabe7b972c8edc4d

SHA1
d02dbc67a29554e2d473ceb6db27e3c31672eb70

SHA256
c5bf5eb56d8feacd909751647cfc7b3b3a50991f81dc5e566215025090ce50e5

SHA512
dd6b595ea50fbacd94627545c9c95b0117ea5024debc30e2635a19836a534772624406cb91866b91d75dc9c48f5e7fdfa895969b46fecde26adb64690c246244

Download Submit
C:\Windows\winsxs\amd64_prnbr002.inf_31bf3856ad364e35_6.1.7600.16385_none_49c93aa2c4304e9e\Amd64\brio06ab.bcm

Filesize
359KB

MD5
9a1cd9968865d9f180244557f5b26207

SHA1
4e90bb40717559207feef911b4c80a2f235252f0

SHA256
d2a184097e0fbf4ff316c1b8a9ce2cd590f78cdc6dfa12585df86077ed29746c

SHA512
9ac34cfc12298e01c0f4590c1063b31ed7e19713e362c2818fd7ab86887d499df9e59c45cc73944d0fe8c8f8795f53861244606fcab1a32f98a2d61eebdecc40

Download Submit
C:\Windows\winsxs\amd64_prnbr009.inf_31bf3856ad364e35_6.1.7600.16385_none_4d88ba167403f57d\Amd64\brio14ad.bcm

Filesize
129KB

MD5
f7a68049bac4fb3b570c37f6b9a62980

SHA1
ced8b5ab26a82a9c1265ca69e4869727c3ad9cf2

SHA256
c9f8fc28a1a0148020a1bdc81d4c224a9999b8eb55c9cacda8efb36115d807d6

SHA512
f6ba8779c975f89ae67a78c15ebd56b991e2353f1ee5e2b607fcdca9fd6ef76c3af7a74e7d999733ae5aa10393a5ebbdbd9673bb6225a08d15a1587c277ad114

Download Submit
\Windows\SysWOW64\NoSafeMode.dll

Filesize
12KB

MD5
6bb3bca23fdff5b013863d8423267251

SHA1
2e6b80241d1a9269cc30e13663e6f910a0893450

SHA256
bdb1a0b687ced575e71702b7b4554063e697791bc2b2a286a0e4dfd528739670

SHA512
de6230dfe87df4840314983573c94ce332f5bfe9996de852c6e47844e785a4e7a8e4084a6d9ed1fd4aac78b896d2158a201ff202635c205bf50e2507c1165478

Download Submit
\Windows\SysWOW64\nsf.exe

Filesize
47KB

MD5
e6d58e0a4511695312f13d1b9f154187

SHA1
a23d75e1a3462e66db08f7664683e186c9e8e5fb

SHA256
ff16042183c0ed025c523ea1ae3edd679fd929dfbda0089756186f5bcba5b35b

SHA512
09b154123d8e21a7c93f8d99009e0e322a2ede7f4c8f12bcdebd0078787efb0f9d3b5e43a7b3936b933bd974777fccefbc3af24b834e8cd7137d2931cfeff833

Download Submit
memory/780-58-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/780-51-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/780-56-0x0000000010000000-0x000000001000C000-memory.dmp

Filesize
48KB

Download
memory/2224-102-0x00000000035B0000-0x00000000035D0000-memory.dmp

Filesize
128KB

Download
memory/2224-50-0x00000000035B0000-0x00000000035D0000-memory.dmp

Filesize
128KB

Download
memory/2224-60-0x0000000001EB0000-0x0000000001ED0000-memory.dmp

Filesize
128KB

Download
memory/2224-92-0x00000000035B0000-0x00000000035D0000-memory.dmp

Filesize
128KB

Download
memory/2224-223-0x00000000035B0000-0x00000000035D0000-memory.dmp

Filesize
128KB

Download
memory/2224-222-0x00000000035B0000-0x00000000035D0000-memory.dmp

Filesize
128KB

Download
memory/2224-38-0x0000000001EB0000-0x0000000001ED0000-memory.dmp

Filesize
128KB

Download
memory/2224-84-0x00000000035B0000-0x00000000035D0000-memory.dmp

Filesize
128KB

Download
memory/2224-39-0x0000000001EB0000-0x0000000001ED0000-memory.dmp

Filesize
128KB

Download
memory/2224-48-0x00000000035B0000-0x00000000035D0000-memory.dmp

Filesize
128KB

Download
memory/2224-45-0x00000000035B0000-0x00000000035D0000-memory.dmp

Filesize
128KB

Download
memory/2224-78-0x00000000035B0000-0x00000000035D0000-memory.dmp

Filesize
128KB

Download
memory/2224-100-0x00000000035B0000-0x00000000035D0000-memory.dmp

Filesize
128KB

Download
memory/2224-101-0x00000000035B0000-0x00000000035D0000-memory.dmp

Filesize
128KB

Download
memory/2224-224-0x00000000035B0000-0x00000000035D0000-memory.dmp

Filesize
128KB

Download
memory/2224-215-0x00000000035B0000-0x00000000035D0000-memory.dmp

Filesize
128KB

Download
memory/2224-214-0x00000000035B0000-0x00000000035D0000-memory.dmp

Filesize
128KB

Download
memory/2224-213-0x00000000035B0000-0x00000000035D0000-memory.dmp

Filesize
128KB

Download
memory/2224-207-0x00000000035B0000-0x00000000035D0000-memory.dmp

Filesize
128KB

Download
memory/2224-59-0x0000000001EB0000-0x0000000001ED0000-memory.dmp

Filesize
128KB

Download
memory/2224-221-0x00000000035B0000-0x00000000035D0000-memory.dmp

Filesize
128KB

Download
memory/2444-8000-0x0000000076E10000-0x0000000076F2F000-memory.dmp

Filesize
1.1MB

Download
memory/2444-8001-0x0000000076D10000-0x0000000076E0A000-memory.dmp

Filesize
1000KB

Download
memory/2444-7236-0x0000000076D10000-0x0000000076E0A000-memory.dmp

Filesize
1000KB

Download
memory/2444-7741-0x0000000076E10000-0x0000000076F2F000-memory.dmp

Filesize
1.1MB

Download
memory/2444-7235-0x0000000076E10000-0x0000000076F2F000-memory.dmp

Filesize
1.1MB

Download
memory/2444-8645-0x0000000076D10000-0x0000000076E0A000-memory.dmp

Filesize
1000KB

Download
memory/2444-7110-0x0000000076D10000-0x0000000076E0A000-memory.dmp

Filesize
1000KB

Download
memory/2444-7109-0x0000000076E10000-0x0000000076F2F000-memory.dmp

Filesize
1.1MB

Download
memory/2444-8644-0x0000000076E10000-0x0000000076F2F000-memory.dmp

Filesize
1.1MB

Download
memory/2444-4593-0x0000000076E10000-0x0000000076F2F000-memory.dmp

Filesize
1.1MB

Download
memory/2444-4594-0x0000000076D10000-0x0000000076E0A000-memory.dmp

Filesize
1000KB

Download
memory/2444-7742-0x0000000076D10000-0x0000000076E0A000-memory.dmp

Filesize
1000KB

Download
memory/2444-8391-0x0000000076D10000-0x0000000076E0A000-memory.dmp

Filesize
1000KB

Download
memory/2444-8390-0x0000000076E10000-0x0000000076F2F000-memory.dmp

Filesize
1.1MB

Download
memory/2960-220-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/2960-218-0x0000000010000000-0x000000001000C000-memory.dmp

Filesize
48KB

Download
memory/3016-97-0x0000000010000000-0x000000001000C000-memory.dmp

Filesize
48KB

Download
memory/3016-99-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads