c41899315b2f3dad512ed1f58746e59fdb2f9717badcf7b2c861c1248d945991

Analysis

max time kernel
294s
max time network
124s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
22-11-2024 03:21

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

cgi19-alptsevs-h555.exe_.exe
Size

569KB
MD5

e9b9c39dd91c7fac1ee0b92e018a21bd
SHA1

1ddcf37b32f90f864b51adba3f4bd3a0f5ea935f
SHA256

388cc8da15d0fbee9bb9fb87715c8f2967b1584a12e30b4ea1ebbc27ff3b557b
SHA512

dee5a5da3fe70e5d15f48ba9e8d9204a2de641b91e22a8e3ddb7dfaa1aafd6d943bb21188985bb8d40836fc6e24ee2df9a9d988f5ea8048d30517cd6bf7e3add
SSDEEP

12288:j3nZMhJ+ubNmz0C4nkspjhPMy7NxkIXGUikyjk0y0xjYfYK4zjibVWidV3BtGN:j3nZqfbkz94h9P1+sbi3j2Bwjifv3BAN

Score

7^/10

bootkit discovery persistence spyware stealer

Malware Config

Signatures

ACProtect 1.3x - 1.4x DLL software 1 IoCs

Detects file using ACProtect software.

resource	yara_rule
behavioral10/files/0x000500000001a4af-53.dat	acprotect

Deletes itself 1 IoCs

pid	Process
932	svchost.exe

Executes dropped EXE 64 IoCs

pid	Process
2676	svschost.exe
2144	nsf.exe
1596	svschost.exe
1360	nsf.exe
2468	svschost.exe
848	svschost.exe
2476	svchost.exe
1056	nsf.exe
2844	svschost.exe
1876	svschost.exe
1136	svchost.exe
2364	svchost.exe
2168	svschost.exe
668	svchost.exe
1288	svchost.exe
956	svchost.exe
3024	svchost.exe
1524	svchost.exe
2032	svchost.exe
2892	svchost.exe
2976	svchost.exe
2752	svchost.exe
2636	svchost.exe
2092	svchost.exe
2536	svchost.exe
584	svchost.exe
408	svchost.exe
2248	svchost.exe
804	svchost.exe
880	svchost.exe
2276	svchost.exe
2980	svchost.exe
2692	svchost.exe
2788	svchost.exe
2792	svchost.exe
2508	svchost.exe
1892	svchost.exe
1056	svchost.exe
2452	svchost.exe
2884	svchost.exe
1736	svchost.exe
700	svchost.exe
2428	svchost.exe
2136	svchost.exe
356	svchost.exe
2372	svchost.exe
1288	svchost.exe
804	svchost.exe
2696	svchost.exe
988	svchost.exe
2748	svchost.exe
2744	svchost.exe
2032	svchost.exe
2712	svchost.exe
644	svchost.exe
1008	svchost.exe
2256	svchost.exe
1668	svchost.exe
1504	svchost.exe
1712	svchost.exe
2248	svchost.exe
2956	svchost.exe
600	svchost.exe
1864	svchost.exe

Loads dropped DLL 43 IoCs

pid	Process
1668	cgi19-alptsevs-h555.exe_.exe
1668	cgi19-alptsevs-h555.exe_.exe
1668	cgi19-alptsevs-h555.exe_.exe
1668	cgi19-alptsevs-h555.exe_.exe
1668	cgi19-alptsevs-h555.exe_.exe
1668	cgi19-alptsevs-h555.exe_.exe
1668	cgi19-alptsevs-h555.exe_.exe
1668	cgi19-alptsevs-h555.exe_.exe
1668	cgi19-alptsevs-h555.exe_.exe
2144	nsf.exe
1668	cgi19-alptsevs-h555.exe_.exe
1668	cgi19-alptsevs-h555.exe_.exe
1668	cgi19-alptsevs-h555.exe_.exe
1668	cgi19-alptsevs-h555.exe_.exe
1668	cgi19-alptsevs-h555.exe_.exe
1668	cgi19-alptsevs-h555.exe_.exe
1668	cgi19-alptsevs-h555.exe_.exe
1668	cgi19-alptsevs-h555.exe_.exe
1668	cgi19-alptsevs-h555.exe_.exe
1360	nsf.exe
1668	cgi19-alptsevs-h555.exe_.exe
1668	cgi19-alptsevs-h555.exe_.exe
1668	cgi19-alptsevs-h555.exe_.exe
1668	cgi19-alptsevs-h555.exe_.exe
848	svschost.exe
1668	cgi19-alptsevs-h555.exe_.exe
1668	cgi19-alptsevs-h555.exe_.exe
1668	cgi19-alptsevs-h555.exe_.exe
1668	cgi19-alptsevs-h555.exe_.exe
1668	cgi19-alptsevs-h555.exe_.exe
1668	cgi19-alptsevs-h555.exe_.exe
1668	cgi19-alptsevs-h555.exe_.exe
1668	cgi19-alptsevs-h555.exe_.exe
1668	cgi19-alptsevs-h555.exe_.exe
1056	nsf.exe
1668	cgi19-alptsevs-h555.exe_.exe
1668	cgi19-alptsevs-h555.exe_.exe
1668	cgi19-alptsevs-h555.exe_.exe
1668	cgi19-alptsevs-h555.exe_.exe
1668	cgi19-alptsevs-h555.exe_.exe
1668	cgi19-alptsevs-h555.exe_.exe
1668	cgi19-alptsevs-h555.exe_.exe
1668	cgi19-alptsevs-h555.exe_.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\svchost = "C:\\dvsdlk\\svchost.exe"	REG.exe

Drops desktop.ini file(s) 7 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\B8BOMT1Q\desktop.ini	svchost.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\desktop.ini	svchost.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\INNMDE1C\desktop.ini	svchost.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\L1J27TKW\desktop.ini	svchost.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\WK3MU41S\desktop.ini	svchost.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\desktop.ini	svchost.exe
File opened for modification	C:\$Recycle.Bin\S-1-5-21-3533259084-2542256011-65585152-1000\desktop.ini	svchost.exe

Enumerates connected drives 3 TTPs 23 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\A:	svschost.exe
File opened (read-only)	\??\M:	svschost.exe
File opened (read-only)	\??\P:	svschost.exe
File opened (read-only)	\??\R:	svschost.exe
File opened (read-only)	\??\T:	svschost.exe
File opened (read-only)	\??\Z:	svschost.exe
File opened (read-only)	\??\G:	svschost.exe
File opened (read-only)	\??\J:	svschost.exe
File opened (read-only)	\??\N:	svschost.exe
File opened (read-only)	\??\V:	svschost.exe
File opened (read-only)	\??\Y:	svschost.exe
File opened (read-only)	\??\B:	svschost.exe
File opened (read-only)	\??\H:	svschost.exe
File opened (read-only)	\??\K:	svschost.exe
File opened (read-only)	\??\W:	svschost.exe
File opened (read-only)	\??\X:	svschost.exe
File opened (read-only)	\??\E:	svschost.exe
File opened (read-only)	\??\I:	svschost.exe
File opened (read-only)	\??\L:	svschost.exe
File opened (read-only)	\??\O:	svschost.exe
File opened (read-only)	\??\Q:	svschost.exe
File opened (read-only)	\??\S:	svschost.exe
File opened (read-only)	\??\U:	svschost.exe

Writes to the Master Boot Record (MBR) 1 TTPs 3 IoCs

Bootkits write to the MBR to gain persistence at a level below the operating system.

bootkit persistence

Bootkit

T1542.003

description	ioc	Process
File opened for modification	\??\PhysicalDrive0	nsf.exe
File opened for modification	\??\PhysicalDrive0	nsf.exe
File opened for modification	\??\PhysicalDrive0	nsf.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\__tmp_rar_sfx_access_check_259450286	cgi19-alptsevs-h555.exe_.exe
File opened for modification	C:\Windows\System32\catroot2\edb006CB.log	svchost.exe
File opened for modification	C:\Windows\System32\catroot2\edb006CF.log	svchost.exe
File opened for modification	C:\Windows\System32\de-DE\SystemPropertiesRemote.exe.mui	svchost.exe
File opened for modification	C:\Windows\System32\SystemPropertiesAdvanced.exe	svchost.exe
File opened for modification	C:\Windows\SysWOW64\en-US\SystemPropertiesProtection.exe.mui	svchost.exe
File opened for modification	C:\Windows\SysWOW64\csrss64.dll	cgi19-alptsevs-h555.exe_.exe
File created	C:\Windows\SysWOW64\sdelete.dll	cgi19-alptsevs-h555.exe_.exe
File opened for modification	C:\Windows\System32\catroot2\edb.log	svchost.exe
File opened for modification	C:\Windows\System32\de-DE\SystemPropertiesComputerName.exe.mui	svchost.exe
File opened for modification	C:\Windows\SysWOW64\de-DE\SystemPropertiesComputerName.exe.mui	svchost.exe
File opened for modification	C:\Windows\SysWOW64\es-ES\SystemPropertiesComputerName.exe.mui	svchost.exe
File opened for modification	C:\Windows\SysWOW64\ja-JP\SystemPropertiesAdvanced.exe.mui	svchost.exe
File created	C:\Windows\SysWOW64\svschost.exe	cgi19-alptsevs-h555.exe_.exe
File opened for modification	C:\Windows\System32\catroot2\edb006D1.log	svchost.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\prnbr009.inf_amd64_neutral_fd2ac5b9c40bd465\Amd64\brio14ai.bcm	svchost.exe
File opened for modification	C:\Windows\System32\es-ES\SystemPropertiesDataExecutionPrevention.exe.mui	svchost.exe
File opened for modification	C:\Windows\System32\es-ES\SystemPropertiesHardware.exe.mui	svchost.exe
File created	C:\Windows\SysWOW64\default2.sfx	cgi19-alptsevs-h555.exe_.exe
File opened for modification	C:\Windows\System32\de-DE\SystemPropertiesAdvanced.exe.mui	svchost.exe
File opened for modification	C:\Windows\System32\fr-FR\SystemPropertiesProtection.exe.mui	svchost.exe
File opened for modification	C:\Windows\SysWOW64\es-ES\SystemPropertiesHardware.exe.mui	svchost.exe
File opened for modification	C:\Windows\SysWOW64\it-IT\SystemPropertiesPerformance.exe.mui	svchost.exe
File opened for modification	C:\Windows\System32\de-DE\SystemPropertiesProtection.exe.mui	svchost.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\prnbr004.inf_amd64_neutral_a78e168d6944619a\Amd64\brio08ab.bcm	svchost.exe
File opened for modification	C:\Windows\System32\SystemPropertiesProtection.exe	svchost.exe
File opened for modification	C:\Windows\SysWOW64\fr-FR\SystemPropertiesRemote.exe.mui	svchost.exe
File created	C:\Windows\SysWOW64\csrss64.dll	cgi19-alptsevs-h555.exe_.exe
File opened for modification	C:\Windows\System32\catroot2\edb006D5.log	svchost.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\prnbr009.inf_amd64_neutral_fd2ac5b9c40bd465\Amd64\brio14ag.bcm	svchost.exe
File opened for modification	C:\Windows\System32\en-US\SystemPropertiesRemote.exe.mui	svchost.exe
File opened for modification	C:\Windows\SysWOW64\en-US\SystemPropertiesHardware.exe.mui	svchost.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\prnbr009.inf_amd64_neutral_fd2ac5b9c40bd465\Amd64\brio14ah.bcm	svchost.exe
File opened for modification	C:\Windows\System32\it-IT\SystemPropertiesComputerName.exe.mui	svchost.exe
File opened for modification	C:\Windows\System32\it-IT\SystemPropertiesDataExecutionPrevention.exe.mui	svchost.exe
File opened for modification	C:\Windows\SysWOW64\de-DE\SystemPropertiesDataExecutionPrevention.exe.mui	svchost.exe
File opened for modification	C:\Windows\SysWOW64\it-IT\SystemPropertiesComputerName.exe.mui	svchost.exe
File opened for modification	C:\Windows\SysWOW64\SystemPropertiesProtection.exe	svchost.exe
File created	C:\Windows\SysWOW64\nsf.exe	cgi19-alptsevs-h555.exe_.exe
File opened for modification	C:\Windows\System32\de-DE\SystemPropertiesDataExecutionPrevention.exe.mui	svchost.exe
File opened for modification	C:\Windows\System32\LogFiles\WMI\RtBackup\EtwRTEventLog-System.etl	svchost.exe
File opened for modification	C:\Windows\System32\SystemPropertiesRemote.exe	svchost.exe
File opened for modification	C:\Windows\SysWOW64\de-DE\SystemPropertiesProtection.exe.mui	svchost.exe
File opened for modification	C:\Windows\SysWOW64\nsf.exe	cgi19-alptsevs-h555.exe_.exe
File opened for modification	C:\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Backup-Package~31bf3856ad364e35~amd64~it-IT~6.1.7601.17514.cat	svchost.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\prnbr004.inf_amd64_neutral_a78e168d6944619a\Amd64\brio08ak.bcm	svchost.exe
File opened for modification	C:\Windows\SysWOW64\it-IT\SystemPropertiesHardware.exe.mui	svchost.exe
File opened for modification	C:\Windows\SysWOW64\ja-JP\SystemPropertiesRemote.exe.mui	svchost.exe
File opened for modification	C:\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Backup-Package~31bf3856ad364e35~amd64~en-US~6.1.7600.16385.cat	svchost.exe
File opened for modification	C:\Windows\System32\es-ES\SystemPropertiesProtection.exe.mui	svchost.exe
File opened for modification	C:\Windows\System32\it-IT\SystemPropertiesAdvanced.exe.mui	svchost.exe
File opened for modification	C:\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Backup-Package~31bf3856ad364e35~amd64~fr-FR~6.1.7601.17514.cat	svchost.exe
File opened for modification	C:\Windows\System32\catroot2\edb006BD.log	svchost.exe
File opened for modification	C:\Windows\System32\catroot2\edb006D2.log	svchost.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\prnbr005.inf_amd64_neutral_9e4cc05e0d4bcb33\Amd64\brio08bf.bcm	svchost.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\prnbr009.inf_amd64_neutral_fd2ac5b9c40bd465\Amd64\brio14af.bcm	svchost.exe
File opened for modification	C:\Windows\System32\LogFiles\WMI\RtBackup\EtwRTDiagLog.etl	svchost.exe
File opened for modification	C:\Windows\SysWOW64\es-ES\SystemPropertiesRemote.exe.mui	svchost.exe
File opened for modification	C:\Windows\System32\de-DE\SystemPropertiesPerformance.exe.mui	svchost.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\prnbr002.inf_amd64_neutral_db1d8c9efda9b3c0\Amd64\brio06ag.bcm	svchost.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\prnbr004.inf_amd64_neutral_a78e168d6944619a\Amd64\brio08ag.bcm	svchost.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\prnbr004.inf_amd64_neutral_a78e168d6944619a\Amd64\brio08af.bcm	svchost.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\prnbr009.inf_amd64_neutral_fd2ac5b9c40bd465\Amd64\brio14aa.bcm	svchost.exe
File opened for modification	C:\Windows\System32\fr-FR\SystemPropertiesDataExecutionPrevention.exe.mui	svchost.exe

Drops file in Program Files directory 8 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Mozilla Firefox\uninstall\uninstall.log	svchost.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\audio_filter\libscaletempo_pitch_plugin.dll	svchost.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\audio_filter\libscaletempo_plugin.dll	svchost.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\uninstall.log	svchost.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolBMPs\spacebackupicons.jpg	svchost.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolBMPs\spacebackupiconsmask.bmp	svchost.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\logs\maintenanceservice-install.log	svchost.exe
File opened for modification	C:\Program Files\Mozilla Firefox\install.log	svchost.exe

Drops file in Windows directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\PolicyDefinitions\ja-JP\WindowsBackup.adml	svchost.exe
File opened for modification	C:\Windows\PolicyDefinitions\WindowsBackup.admx	svchost.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-b..ouppolicy.resources_31bf3856ad364e35_6.1.7600.16385_de-de_f373b0f039fdf6c5\WindowsBackup.adml	svchost.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-backup-cpl.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_ccb6dfa30f7cb853\sdcpl.dll.mui	svchost.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen_service.log	svchost.exe
File opened for modification	C:\Windows\Panther\setuperr.log	svchost.exe
File opened for modification	C:\Windows\ServiceProfiles\LocalService\NTUSER.DAT.LOG	svchost.exe
File opened for modification	C:\Windows\ServiceProfiles\NetworkService\NTUSER.DAT.LOG	svchost.exe
File opened for modification	C:\Windows\WindowsUpdate.log	svchost.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngen_service.log	svchost.exe
File opened for modification	C:\Windows\Performance\WinSAT\winsat.log	svchost.exe
File opened for modification	C:\Windows\PolicyDefinitions\de-DE\UserDataBackup.adml	svchost.exe
File opened for modification	C:\Windows\servicing\Packages\Microsoft-Windows-Backup-Package~31bf3856ad364e35~amd64~fr-FR~6.1.7601.17514.mum	svchost.exe
File opened for modification	C:\Windows\servicing\Packages\Microsoft-Windows-Backup-Package~31bf3856ad364e35~amd64~ja-JP~6.1.7601.17514.cat	svchost.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngen.log	svchost.exe
File opened for modification	C:\Windows\Panther\cbs_unattend.log	svchost.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-b..ouppolicy.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_3ee759cc1bd50a91\WindowsBackup.adml	svchost.exe
File opened for modification	C:\Windows\Fonts\TEMPSITC.TTF	svchost.exe
File opened for modification	C:\Windows\Logs\CBS\CBS.log	svchost.exe
File opened for modification	C:\Windows\Logs\DISM\dism.log	svchost.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen_service.log	svchost.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.log	svchost.exe
File opened for modification	C:\Windows\PolicyDefinitions\fr-FR\UserDataBackup.adml	svchost.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-backup-cpl.resources_31bf3856ad364e35_6.1.7600.16385_it-it_b6ded5e9e6ae9dd1\sdcpl.dll.mui	svchost.exe
File opened for modification	C:\Windows\Panther\UnattendGC\setupact.log	svchost.exe
File opened for modification	C:\Windows\PFRO.log	svchost.exe
File opened for modification	C:\Windows\servicing\Packages\Microsoft-Windows-Backup-Package~31bf3856ad364e35~amd64~en-US~6.1.7601.17514.cat	svchost.exe
File opened for modification	C:\Windows\SoftwareDistribution\DataStore\Logs\edb00001.log	svchost.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-b..ouppolicy.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_cb34cf1fe62201ea\WindowsBackup.adml	svchost.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-backup-cpl.resources_31bf3856ad364e35_6.1.7600.16385_en-us_2a340cc01c83b04c\sdcpl.dll.mui	svchost.exe
File opened for modification	C:\Windows\Panther\cbs.log	svchost.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-b..ouppolicy.resources_31bf3856ad364e35_6.1.7600.16385_en-us_9c6486e928dc028a\WindowsBackup.adml	svchost.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-iis-odbclogging_31bf3856ad364e35_6.1.7600.16385_none_304059e2ef7d19be\logtemp.sql	svchost.exe
File opened for modification	C:\Windows\PolicyDefinitions\es-ES\WindowsBackup.adml	svchost.exe
File opened for modification	C:\Windows\PolicyDefinitions\it-IT\UserDataBackup.adml	svchost.exe
File opened for modification	C:\Windows\servicing\Packages\Microsoft-Windows-Backup-Package~31bf3856ad364e35~amd64~en-US~6.1.7601.17514.mum	svchost.exe
File opened for modification	C:\Windows\servicing\Packages\Microsoft-Windows-Backup-Package~31bf3856ad364e35~amd64~es-ES~6.1.7601.17514.cat	svchost.exe
File opened for modification	C:\Windows\setuperr.log	svchost.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-b..ouppolicy.resources_31bf3856ad364e35_6.1.7600.16385_it-it_290f5012f306f00f\WindowsBackup.adml	svchost.exe
File opened for modification	C:\Windows\servicing\Packages\Microsoft-Windows-Backup-Package~31bf3856ad364e35~amd64~~6.1.7601.17514.cat	svchost.exe
File opened for modification	C:\Windows\servicing\Packages\Microsoft-Windows-Backup-Package~31bf3856ad364e35~amd64~~6.1.7601.17514.mum	svchost.exe
File opened for modification	C:\Windows\setupact.log	svchost.exe
File opened for modification	C:\Windows\SoftwareDistribution\ReportingEvents.log	svchost.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-backup-cpl.resources_31bf3856ad364e35_6.1.7600.16385_de-de_814336c72da5a487\sdcpl.dll.mui	svchost.exe
File opened for modification	C:\Windows\debug\sammui.log	svchost.exe
File opened for modification	C:\Windows\DtcInstall.log	svchost.exe
File opened for modification	C:\Windows\servicing\Packages\Microsoft-Windows-Backup-Package~31bf3856ad364e35~amd64~ja-JP~6.1.7601.17514.mum	svchost.exe
File opened for modification	C:\Windows\SoftwareDistribution\DataStore\Logs\edb.log	svchost.exe
File opened for modification	C:\Windows\debug\PASSWD.LOG	svchost.exe
File opened for modification	C:\Windows\PolicyDefinitions\en-US\UserDataBackup.adml	svchost.exe
File opened for modification	C:\Windows\PolicyDefinitions\es-ES\UserDataBackup.adml	svchost.exe
File opened for modification	C:\Windows\PolicyDefinitions\ja-JP\UserDataBackup.adml	svchost.exe
File opened for modification	C:\Windows\servicing\Packages\Microsoft-Windows-Backup-Package~31bf3856ad364e35~amd64~de-DE~6.1.7601.17514.cat	svchost.exe
File opened for modification	C:\Windows\servicing\Packages\Microsoft-Windows-Backup-Package~31bf3856ad364e35~amd64~it-IT~6.1.7601.17514.mum	svchost.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-b..ouppolicy.resources_31bf3856ad364e35_6.1.7600.16385_es-es_9c2fe3cd2902f42f\WindowsBackup.adml	svchost.exe
File opened for modification	C:\Windows\servicing\Packages\Microsoft-Windows-Backup-Package~31bf3856ad364e35~amd64~it-IT~6.1.7601.17514.cat	svchost.exe
File opened for modification	C:\Windows\inf\setupapi.dev.log	svchost.exe
File opened for modification	C:\Windows\Logs\DPX\setuperr.log	svchost.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngen.log	svchost.exe
File opened for modification	C:\Windows\security\logs\scesetup.log	svchost.exe
File opened for modification	C:\Windows\servicing\Packages\Microsoft-Windows-Backup-Package~31bf3856ad364e35~amd64~de-DE~6.1.7601.17514.mum	svchost.exe
File opened for modification	C:\Windows\servicing\Packages\Microsoft-Windows-Backup-Package~31bf3856ad364e35~amd64~es-ES~6.1.7601.17514.mum	svchost.exe
File opened for modification	C:\Windows\servicing\Packages\Microsoft-Windows-Backup-Package~31bf3856ad364e35~amd64~fr-FR~6.1.7601.17514.cat	svchost.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-backup-cpl_31bf3856ad364e35_6.1.7601.17514_none_0fa9f57005bdc2e1\sdcpl.dll	svchost.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 30 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
2344	PING.EXE
2616	PING.EXE
2764	PING.EXE
2792	PING.EXE
112	PING.EXE
2768	PING.EXE
2892	PING.EXE
1560	PING.EXE
1788	PING.EXE
2976	PING.EXE
2256	PING.EXE
2232	PING.EXE
2568	PING.EXE
992	PING.EXE
1288	PING.EXE
1908	PING.EXE
2864	PING.EXE
2348	PING.EXE
2384	PING.EXE
696	PING.EXE
2296	PING.EXE
1100	PING.EXE
2996	PING.EXE
2652	PING.EXE
108	PING.EXE
2840	PING.EXE
772	PING.EXE
2124	PING.EXE
2464	PING.EXE
2440	PING.EXE

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Sysinternals\SDelete\EulaAccepted = "1"	svchost.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Sysinternals\SDelete\EulaAccepted = "1"	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\SDelete	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\SDelete	svchost.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Sysinternals\SDelete\EulaAccepted = "1"	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\SDelete	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\SDelete	svchost.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Sysinternals\SDelete\EulaAccepted = "1"	svchost.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Sysinternals\SDelete\EulaAccepted = "1"	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\SDelete	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\SDelete	svchost.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Sysinternals\SDelete\EulaAccepted = "1"	svchost.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Sysinternals\SDelete\EulaAccepted = "1"	svchost.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Sysinternals\SDelete\EulaAccepted = "1"	svchost.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Sysinternals\SDelete\EulaAccepted = "1"	svchost.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Sysinternals\SDelete\EulaAccepted = "1"	svchost.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Sysinternals\SDelete\EulaAccepted = "1"	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\SDelete	svchost.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Sysinternals\SDelete\EulaAccepted = "1"	svchost.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Sysinternals\SDelete\EulaAccepted = "1"	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\SDelete	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\SDelete	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\SDelete	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\SDelete	svchost.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Sysinternals\SDelete\EulaAccepted = "1"	svchost.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Sysinternals\SDelete\EulaAccepted = "1"	svchost.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Sysinternals\SDelete\EulaAccepted = "1"	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\SDelete	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\SDelete	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\SDelete	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\SDelete	svchost.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Sysinternals\SDelete\EulaAccepted = "1"	svchost.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Sysinternals\SDelete\EulaAccepted = "1"	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\SDelete	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\SDelete	svchost.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Sysinternals\SDelete\EulaAccepted = "1"	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\SDelete	svchost.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Sysinternals\SDelete\EulaAccepted = "1"	svchost.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Sysinternals\SDelete\EulaAccepted = "1"	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\SDelete	svchost.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Sysinternals\SDelete\EulaAccepted = "1"	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\SDelete	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\SDelete	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\SDelete	svchost.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Sysinternals\SDelete\EulaAccepted = "1"	svchost.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Sysinternals\SDelete\EulaAccepted = "1"	svchost.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Sysinternals\SDelete\EulaAccepted = "1"	svchost.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Sysinternals\SDelete\EulaAccepted = "1"	svchost.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Sysinternals\SDelete\EulaAccepted = "1"	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\SDelete	svchost.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Sysinternals\SDelete\EulaAccepted = "1"	svchost.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Sysinternals\SDelete\EulaAccepted = "1"	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\SDelete	svchost.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Sysinternals\SDelete\EulaAccepted = "1"	svchost.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Sysinternals\SDelete\EulaAccepted = "1"	svchost.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Sysinternals\SDelete\EulaAccepted = "1"	svchost.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Sysinternals\SDelete\EulaAccepted = "1"	svchost.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Sysinternals\SDelete\EulaAccepted = "1"	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\SDelete	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\SDelete	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\SDelete	svchost.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Sysinternals\SDelete\EulaAccepted = "1"	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\SDelete	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\SDelete	svchost.exe

Runs ping.exe 1 TTPs 30 IoCs

Remote System Discovery

T1018

pid	Process
992	PING.EXE
2768	PING.EXE
2256	PING.EXE
696	PING.EXE
2616	PING.EXE
2440	PING.EXE
108	PING.EXE
2840	PING.EXE
2344	PING.EXE
2864	PING.EXE
1788	PING.EXE
1100	PING.EXE
2384	PING.EXE
2124	PING.EXE
2232	PING.EXE
1560	PING.EXE
2976	PING.EXE
2792	PING.EXE
2296	PING.EXE
112	PING.EXE
2348	PING.EXE
2892	PING.EXE
2568	PING.EXE
2464	PING.EXE
2764	PING.EXE
772	PING.EXE
1288	PING.EXE
2652	PING.EXE
2996	PING.EXE
1908	PING.EXE

Suspicious behavior: RenamesItself 26 IoCs

pid	Process
932	svchost.exe
932	svchost.exe
932	svchost.exe
932	svchost.exe
932	svchost.exe
932	svchost.exe
932	svchost.exe
932	svchost.exe
932	svchost.exe
932	svchost.exe
932	svchost.exe
932	svchost.exe
932	svchost.exe
932	svchost.exe
932	svchost.exe
932	svchost.exe
932	svchost.exe
932	svchost.exe
932	svchost.exe
932	svchost.exe
932	svchost.exe
932	svchost.exe
932	svchost.exe
932	svchost.exe
932	svchost.exe
932	svchost.exe

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
2144	nsf.exe
1360	nsf.exe
1056	nsf.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1668 wrote to memory of 2676	1668	cgi19-alptsevs-h555.exe_.exe	31
PID 1668 wrote to memory of 2676	1668	cgi19-alptsevs-h555.exe_.exe	31
PID 1668 wrote to memory of 2676	1668	cgi19-alptsevs-h555.exe_.exe	31
PID 1668 wrote to memory of 2676	1668	cgi19-alptsevs-h555.exe_.exe	31
PID 1668 wrote to memory of 2676	1668	cgi19-alptsevs-h555.exe_.exe	31
PID 1668 wrote to memory of 2676	1668	cgi19-alptsevs-h555.exe_.exe	31
PID 1668 wrote to memory of 2676	1668	cgi19-alptsevs-h555.exe_.exe	31
PID 1668 wrote to memory of 2144	1668	cgi19-alptsevs-h555.exe_.exe	32
PID 1668 wrote to memory of 2144	1668	cgi19-alptsevs-h555.exe_.exe	32
PID 1668 wrote to memory of 2144	1668	cgi19-alptsevs-h555.exe_.exe	32
PID 1668 wrote to memory of 2144	1668	cgi19-alptsevs-h555.exe_.exe	32
PID 1668 wrote to memory of 2144	1668	cgi19-alptsevs-h555.exe_.exe	32
PID 1668 wrote to memory of 2144	1668	cgi19-alptsevs-h555.exe_.exe	32
PID 1668 wrote to memory of 2144	1668	cgi19-alptsevs-h555.exe_.exe	32
PID 1668 wrote to memory of 2568	1668	cgi19-alptsevs-h555.exe_.exe	33
PID 1668 wrote to memory of 2568	1668	cgi19-alptsevs-h555.exe_.exe	33
PID 1668 wrote to memory of 2568	1668	cgi19-alptsevs-h555.exe_.exe	33
PID 1668 wrote to memory of 2568	1668	cgi19-alptsevs-h555.exe_.exe	33
PID 1668 wrote to memory of 2568	1668	cgi19-alptsevs-h555.exe_.exe	33
PID 1668 wrote to memory of 2568	1668	cgi19-alptsevs-h555.exe_.exe	33
PID 1668 wrote to memory of 2568	1668	cgi19-alptsevs-h555.exe_.exe	33
PID 1668 wrote to memory of 2464	1668	cgi19-alptsevs-h555.exe_.exe	35
PID 1668 wrote to memory of 2464	1668	cgi19-alptsevs-h555.exe_.exe	35
PID 1668 wrote to memory of 2464	1668	cgi19-alptsevs-h555.exe_.exe	35
PID 1668 wrote to memory of 2464	1668	cgi19-alptsevs-h555.exe_.exe	35
PID 1668 wrote to memory of 2464	1668	cgi19-alptsevs-h555.exe_.exe	35
PID 1668 wrote to memory of 2464	1668	cgi19-alptsevs-h555.exe_.exe	35
PID 1668 wrote to memory of 2464	1668	cgi19-alptsevs-h555.exe_.exe	35
PID 1668 wrote to memory of 1788	1668	cgi19-alptsevs-h555.exe_.exe	37
PID 1668 wrote to memory of 1788	1668	cgi19-alptsevs-h555.exe_.exe	37
PID 1668 wrote to memory of 1788	1668	cgi19-alptsevs-h555.exe_.exe	37
PID 1668 wrote to memory of 1788	1668	cgi19-alptsevs-h555.exe_.exe	37
PID 1668 wrote to memory of 1788	1668	cgi19-alptsevs-h555.exe_.exe	37
PID 1668 wrote to memory of 1788	1668	cgi19-alptsevs-h555.exe_.exe	37
PID 1668 wrote to memory of 1788	1668	cgi19-alptsevs-h555.exe_.exe	37
PID 1668 wrote to memory of 2764	1668	cgi19-alptsevs-h555.exe_.exe	39
PID 1668 wrote to memory of 2764	1668	cgi19-alptsevs-h555.exe_.exe	39
PID 1668 wrote to memory of 2764	1668	cgi19-alptsevs-h555.exe_.exe	39
PID 1668 wrote to memory of 2764	1668	cgi19-alptsevs-h555.exe_.exe	39
PID 1668 wrote to memory of 2764	1668	cgi19-alptsevs-h555.exe_.exe	39
PID 1668 wrote to memory of 2764	1668	cgi19-alptsevs-h555.exe_.exe	39
PID 1668 wrote to memory of 2764	1668	cgi19-alptsevs-h555.exe_.exe	39
PID 1668 wrote to memory of 2864	1668	cgi19-alptsevs-h555.exe_.exe	41
PID 1668 wrote to memory of 2864	1668	cgi19-alptsevs-h555.exe_.exe	41
PID 1668 wrote to memory of 2864	1668	cgi19-alptsevs-h555.exe_.exe	41
PID 1668 wrote to memory of 2864	1668	cgi19-alptsevs-h555.exe_.exe	41
PID 1668 wrote to memory of 2864	1668	cgi19-alptsevs-h555.exe_.exe	41
PID 1668 wrote to memory of 2864	1668	cgi19-alptsevs-h555.exe_.exe	41
PID 1668 wrote to memory of 2864	1668	cgi19-alptsevs-h555.exe_.exe	41
PID 1668 wrote to memory of 2976	1668	cgi19-alptsevs-h555.exe_.exe	43
PID 1668 wrote to memory of 2976	1668	cgi19-alptsevs-h555.exe_.exe	43
PID 1668 wrote to memory of 2976	1668	cgi19-alptsevs-h555.exe_.exe	43
PID 1668 wrote to memory of 2976	1668	cgi19-alptsevs-h555.exe_.exe	43
PID 1668 wrote to memory of 2976	1668	cgi19-alptsevs-h555.exe_.exe	43
PID 1668 wrote to memory of 2976	1668	cgi19-alptsevs-h555.exe_.exe	43
PID 1668 wrote to memory of 2976	1668	cgi19-alptsevs-h555.exe_.exe	43
PID 1668 wrote to memory of 2440	1668	cgi19-alptsevs-h555.exe_.exe	45
PID 1668 wrote to memory of 2440	1668	cgi19-alptsevs-h555.exe_.exe	45
PID 1668 wrote to memory of 2440	1668	cgi19-alptsevs-h555.exe_.exe	45
PID 1668 wrote to memory of 2440	1668	cgi19-alptsevs-h555.exe_.exe	45
PID 1668 wrote to memory of 2440	1668	cgi19-alptsevs-h555.exe_.exe	45
PID 1668 wrote to memory of 2440	1668	cgi19-alptsevs-h555.exe_.exe	45
PID 1668 wrote to memory of 2440	1668	cgi19-alptsevs-h555.exe_.exe	45
PID 1668 wrote to memory of 992	1668	cgi19-alptsevs-h555.exe_.exe	47

C:\Users\Admin\AppData\Local\Temp\cgi19-alptsevs-h555.exe_.exe
"C:\Users\Admin\AppData\Local\Temp\cgi19-alptsevs-h555.exe_.exe"
1⤵
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:1668
- C:\Windows\SysWOW64\svschost.exe
  "C:\Windows\system32\svschost.exe" -i
  2⤵
  - Executes dropped EXE
  PID:2676
- C:\Windows\SysWOW64\nsf.exe
  "C:\Windows\system32\nsf.exe" /nobootpass /lock Yrs5S2z1
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Writes to the Master Boot Record (MBR)
  - Suspicious use of SetWindowsHookEx
  PID:2144
- C:\Windows\SysWOW64\PING.EXE
  "C:\Windows\System32\PING.EXE" -n 1 -w 1000 11.11.11.11 >nul
  2⤵
  - System Network Configuration Discovery: Internet Connection Discovery
  - Runs ping.exe
  PID:2568
- C:\Windows\SysWOW64\PING.EXE
  "C:\Windows\System32\PING.EXE" -n 1 -w 1000 11.11.11.11 >nul
  2⤵
  - System Network Configuration Discovery: Internet Connection Discovery
  - Runs ping.exe
  PID:2464
- C:\Windows\SysWOW64\PING.EXE
  "C:\Windows\System32\PING.EXE" -n 1 -w 1000 11.11.11.11 >nul
  2⤵
  - System Network Configuration Discovery: Internet Connection Discovery
  - Runs ping.exe
  PID:1788
- C:\Windows\SysWOW64\PING.EXE
  "C:\Windows\System32\PING.EXE" -n 1 -w 1000 11.11.11.11 >nul
  2⤵
  - System Network Configuration Discovery: Internet Connection Discovery
  - Runs ping.exe
  PID:2764
- C:\Windows\SysWOW64\PING.EXE
  "C:\Windows\System32\PING.EXE" -n 1 -w 1000 11.11.11.11 >nul
  2⤵
  - System Network Configuration Discovery: Internet Connection Discovery
  - Runs ping.exe
  PID:2864
- C:\Windows\SysWOW64\PING.EXE
  "C:\Windows\System32\PING.EXE" -n 1 -w 1000 11.11.11.11 >nul
  2⤵
  - System Network Configuration Discovery: Internet Connection Discovery
  - Runs ping.exe
  PID:2976
- C:\Windows\SysWOW64\PING.EXE
  "C:\Windows\System32\PING.EXE" -n 1 -w 1000 11.11.11.11 >nul
  2⤵
  - System Location Discovery: System Language Discovery
  - System Network Configuration Discovery: Internet Connection Discovery
  - Runs ping.exe
  PID:2440
- C:\Windows\SysWOW64\PING.EXE
  "C:\Windows\System32\PING.EXE" -n 1 -w 1000 11.11.11.11 >nul
  2⤵
  - System Network Configuration Discovery: Internet Connection Discovery
  - Runs ping.exe
  PID:992
- C:\Windows\SysWOW64\svschost.exe
  "C:\Windows\system32\svschost.exe" -i
  2⤵
  - Executes dropped EXE
  PID:1596
- C:\Windows\SysWOW64\nsf.exe
  "C:\Windows\system32\nsf.exe" /nobootpass /lock Yrs5S2z1
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Writes to the Master Boot Record (MBR)
  - Suspicious use of SetWindowsHookEx
  PID:1360
- C:\Windows\SysWOW64\PING.EXE
  "C:\Windows\System32\PING.EXE" -n 1 -w 1000 11.11.11.11 >nul
  2⤵
  - System Network Configuration Discovery: Internet Connection Discovery
  - Runs ping.exe
  PID:772
- C:\Windows\SysWOW64\PING.EXE
  "C:\Windows\System32\PING.EXE" -n 1 -w 1000 11.11.11.11 >nul
  2⤵
  - System Location Discovery: System Language Discovery
  - System Network Configuration Discovery: Internet Connection Discovery
  - Runs ping.exe
  PID:112
- C:\Windows\SysWOW64\PING.EXE
  "C:\Windows\System32\PING.EXE" -n 1 -w 1000 11.11.11.11 >nul
  2⤵
  - System Network Configuration Discovery: Internet Connection Discovery
  - Runs ping.exe
  PID:2348
- C:\Windows\SysWOW64\PING.EXE
  "C:\Windows\System32\PING.EXE" -n 1 -w 1000 11.11.11.11 >nul
  2⤵
  - System Network Configuration Discovery: Internet Connection Discovery
  - Runs ping.exe
  PID:2124
- C:\Windows\SysWOW64\PING.EXE
  "C:\Windows\System32\PING.EXE" -n 1 -w 1000 11.11.11.11 >nul
  2⤵
  - System Network Configuration Discovery: Internet Connection Discovery
  - Runs ping.exe
  PID:2768
- C:\Windows\SysWOW64\PING.EXE
  "C:\Windows\System32\PING.EXE" -n 1 -w 1000 11.11.11.11 >nul
  2⤵
  - System Location Discovery: System Language Discovery
  - System Network Configuration Discovery: Internet Connection Discovery
  - Runs ping.exe
  PID:2256
- C:\Windows\SysWOW64\PING.EXE
  "C:\Windows\System32\PING.EXE" -n 1 -w 1000 11.11.11.11 >nul
  2⤵
  - System Network Configuration Discovery: Internet Connection Discovery
  - Runs ping.exe
  PID:2232
- C:\Windows\SysWOW64\PING.EXE
  "C:\Windows\System32\PING.EXE" -n 1 -w 1000 11.11.11.11 >nul
  2⤵
  - System Location Discovery: System Language Discovery
  - System Network Configuration Discovery: Internet Connection Discovery
  - Runs ping.exe
  PID:1100
- C:\Windows\SysWOW64\PING.EXE
  "C:\Windows\System32\PING.EXE" -n 1 -w 1000 11.11.11.11 >nul
  2⤵
  - System Network Configuration Discovery: Internet Connection Discovery
  - Runs ping.exe
  PID:696
- C:\Windows\SysWOW64\PING.EXE
  "C:\Windows\System32\PING.EXE" -n 1 -w 1000 11.11.11.11 >nul
  2⤵
  - System Network Configuration Discovery: Internet Connection Discovery
  - Runs ping.exe
  PID:1288
- C:\Windows\SysWOW64\svschost.exe
  "C:\Windows\system32\svschost.exe" -s
  2⤵
  - Executes dropped EXE
  PID:2468
- C:\Windows\SysWOW64\PING.EXE
  "C:\Windows\System32\PING.EXE" -n 1 -w 1000 11.11.11.11 >nul
  2⤵
  - System Network Configuration Discovery: Internet Connection Discovery
  - Runs ping.exe
  PID:2792
- C:\Windows\SysWOW64\PING.EXE
  "C:\Windows\System32\PING.EXE" -n 1 -w 1000 11.11.11.11 >nul
  2⤵
  - System Network Configuration Discovery: Internet Connection Discovery
  - Runs ping.exe
  PID:2652
- C:\Windows\SysWOW64\svschost.exe
  "C:\Windows\system32\svschost.exe" -i
  2⤵
  - Executes dropped EXE
  PID:2844
- C:\Windows\SysWOW64\nsf.exe
  "C:\Windows\system32\nsf.exe" /nobootpass /lock Yrs5S2z1
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Writes to the Master Boot Record (MBR)
  - Suspicious use of SetWindowsHookEx
  PID:1056
- C:\Windows\SysWOW64\PING.EXE
  "C:\Windows\System32\PING.EXE" -n 1 -w 1000 11.11.11.11 >nul
  2⤵
  - System Network Configuration Discovery: Internet Connection Discovery
  - Runs ping.exe
  PID:2996
- C:\Windows\SysWOW64\PING.EXE
  "C:\Windows\System32\PING.EXE" -n 1 -w 1000 11.11.11.11 >nul
  2⤵
  - System Network Configuration Discovery: Internet Connection Discovery
  - Runs ping.exe
  PID:108
- C:\Windows\SysWOW64\PING.EXE
  "C:\Windows\System32\PING.EXE" -n 1 -w 1000 11.11.11.11 >nul
  2⤵
  - System Location Discovery: System Language Discovery
  - System Network Configuration Discovery: Internet Connection Discovery
  - Runs ping.exe
  PID:2840
- C:\Windows\SysWOW64\PING.EXE
  "C:\Windows\System32\PING.EXE" -n 1 -w 1000 11.11.11.11 >nul
  2⤵
  - System Network Configuration Discovery: Internet Connection Discovery
  - Runs ping.exe
  PID:2344
- C:\Windows\SysWOW64\PING.EXE
  "C:\Windows\System32\PING.EXE" -n 1 -w 1000 11.11.11.11 >nul
  2⤵
  - System Network Configuration Discovery: Internet Connection Discovery
  - Runs ping.exe
  PID:2892
- C:\Windows\SysWOW64\PING.EXE
  "C:\Windows\System32\PING.EXE" -n 1 -w 1000 11.11.11.11 >nul
  2⤵
  - System Network Configuration Discovery: Internet Connection Discovery
  - Runs ping.exe
  PID:2296
- C:\Windows\SysWOW64\PING.EXE
  "C:\Windows\System32\PING.EXE" -n 1 -w 1000 11.11.11.11 >nul
  2⤵
  - System Network Configuration Discovery: Internet Connection Discovery
  - Runs ping.exe
  PID:2384
- C:\Windows\SysWOW64\PING.EXE
  "C:\Windows\System32\PING.EXE" -n 1 -w 1000 11.11.11.11 >nul
  2⤵
  - System Network Configuration Discovery: Internet Connection Discovery
  - Runs ping.exe
  PID:1560
- C:\Windows\SysWOW64\PING.EXE
  "C:\Windows\System32\PING.EXE" -n 1 -w 1000 11.11.11.11 >nul
  2⤵
  - System Network Configuration Discovery: Internet Connection Discovery
  - Runs ping.exe
  PID:2616
- C:\Windows\SysWOW64\PING.EXE
  "C:\Windows\System32\PING.EXE" -n 1 -w 1000 11.11.11.11 >nul
  2⤵
  - System Network Configuration Discovery: Internet Connection Discovery
  - Runs ping.exe
  PID:1908
- C:\Windows\SysWOW64\svschost.exe
  "C:\Windows\system32\svschost.exe" -s
  2⤵
  - Executes dropped EXE
  PID:1876
- C:\Windows\SysWOW64\svschost.exe
  "C:\Windows\system32\svschost.exe" -s
  2⤵
  - Executes dropped EXE
  PID:2168

C:\Windows\SysWOW64\svschost.exe
C:\Windows\SysWOW64\svschost.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Enumerates connected drives
PID:848
- C:\Windows\SysWOW64\REG.exe
  REG ADD "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "svchost" /t REG_SZ /d "C:\dvsdlk\svchost.exe" /f
  2⤵
  - Adds Run key to start application
  PID:1464
- C:\Windows\SysWOW64\REG.exe
  REG ADD "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management" /v "ClearPageFileAtShutdown" /t REG_DWORD /d 1 /f
  2⤵
  PID:2524
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\$Recycle.Bin\S-1-5-21-3533259084-2542256011-65585152-1000\desktop.ini" /accepteula
  2⤵
  - Executes dropped EXE
  - Drops desktop.ini file(s)
  PID:2476
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Program Files\Mozilla Firefox\install.log" /accepteula
  2⤵
  - Executes dropped EXE
  - Drops file in Program Files directory
  - Modifies data under HKEY_USERS
  PID:1136
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Program Files\Mozilla Firefox\uninstall\uninstall.log" /accepteula
  2⤵
  - Executes dropped EXE
  - Drops file in Program Files directory
  - System Location Discovery: System Language Discovery
  PID:2364
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Program Files\VideoLAN\VLC\plugins\audio_filter\libscaletempo_pitch_plugin.dll" /accepteula
  2⤵
  - Executes dropped EXE
  - Drops file in Program Files directory
  PID:668
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Program Files\VideoLAN\VLC\plugins\audio_filter\libscaletempo_plugin.dll" /accepteula
  2⤵
  - Executes dropped EXE
  - Drops file in Program Files directory
  PID:1288
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Program Files\VideoLAN\VLC\uninstall.log" /accepteula
  2⤵
  - Executes dropped EXE
  - Drops file in Program Files directory
  PID:956
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolBMPs\spacebackupicons.jpg" /accepteula
  2⤵
  - Executes dropped EXE
  - Drops file in Program Files directory
  PID:3024
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolBMPs\spacebackupiconsmask.bmp" /accepteula
  2⤵
  - Executes dropped EXE
  - Drops file in Program Files directory
  - Modifies data under HKEY_USERS
  PID:1524
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Program Files (x86)\Mozilla Maintenance Service\logs\maintenanceservice-install.log" /accepteula
  2⤵
  - Executes dropped EXE
  - Drops file in Program Files directory
  PID:2032
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\ProgramData\Microsoft\Search\Data\Applications\Windows\MSS.log" /accepteula
  2⤵
  - Executes dropped EXE
  PID:2892
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\ProgramData\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\Indexer\CiFiles\CiAB0001.001" /accepteula
  2⤵
  - Executes dropped EXE
  - Modifies data under HKEY_USERS
  PID:2976
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\ProgramData\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\Indexer\CiFiles\CiAB0002.001" /accepteula
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2752
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\ProgramData\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\Indexer\CiFiles\CiAD0001.001" /accepteula
  2⤵
  - Executes dropped EXE
  PID:2636
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\ProgramData\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\Indexer\CiFiles\INDEX.001" /accepteula
  2⤵
  - Executes dropped EXE
  - Modifies data under HKEY_USERS
  PID:2092
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\ProgramData\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\PropMap\CiPT0000.001" /accepteula
  2⤵
  - Executes dropped EXE
  PID:2536
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\ProgramData\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\SecStore\CiST0000.001" /accepteula
  2⤵
  - Executes dropped EXE
  PID:584
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Maintenance\Backup and Restore Center.lnk" /accepteula
  2⤵
  - Executes dropped EXE
  PID:408
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\ProgramData\Microsoft\Windows Defender\Support\MPLog-07132009-221054.log" /accepteula
  2⤵
  - Executes dropped EXE
  PID:2248
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\System Volume Information\tracking.log" /accepteula
  2⤵
  - Executes dropped EXE
  PID:804
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\commerce_subscription_db\LOG.old" /accepteula
  2⤵
  - Executes dropped EXE
  PID:880
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\coupon_db\LOG.old" /accepteula
  2⤵
  - Executes dropped EXE
  PID:2276
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extension Scripts\000003.log" /accepteula
  2⤵
  - Executes dropped EXE
  PID:2980
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extension State\000006.log" /accepteula
  2⤵
  - Executes dropped EXE
  PID:2692
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extension State\LOG.old" /accepteula
  2⤵
  - Executes dropped EXE
  PID:2788
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\GCM Store\Encryption\000005.log" /accepteula
  2⤵
  - Executes dropped EXE
  PID:2792
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\GCM Store\Encryption\LOG.old" /accepteula
  2⤵
  - Executes dropped EXE
  PID:2508
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Local Storage\leveldb\000005.log" /accepteula
  2⤵
  - Executes dropped EXE
  PID:1892
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Local Storage\leveldb\LOG.old" /accepteula
  2⤵
  - Executes dropped EXE
  PID:1056
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Session Storage\000006.log" /accepteula
  2⤵
  - Executes dropped EXE
  PID:2452
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Session Storage\LOG.old" /accepteula
  2⤵
  - Executes dropped EXE
  PID:2884
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\shared_proto_db\000006.log" /accepteula
  2⤵
  - Executes dropped EXE
  PID:1736
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\shared_proto_db\LOG.old" /accepteula
  2⤵
  - Executes dropped EXE
  PID:700
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\shared_proto_db\metadata\000006.log" /accepteula
  2⤵
  - Executes dropped EXE
  PID:2428
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\shared_proto_db\metadata\LOG.old" /accepteula
  2⤵
  - Executes dropped EXE
  - Modifies data under HKEY_USERS
  PID:2136
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Site Characteristics Database\000006.log" /accepteula
  2⤵
  - Executes dropped EXE
  - Modifies data under HKEY_USERS
  PID:356
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Site Characteristics Database\LOG.old" /accepteula
  2⤵
  - Executes dropped EXE
  PID:2372
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Sync Data\LevelDB\000006.log" /accepteula
  2⤵
  - Executes dropped EXE
  - Modifies data under HKEY_USERS
  PID:1288
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Sync Data\LevelDB\LOG.old" /accepteula
  2⤵
  - Executes dropped EXE
  PID:804
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\brndlog.bak" /accepteula
  2⤵
  - Executes dropped EXE
  - Modifies data under HKEY_USERS
  PID:2696
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\B8BOMT1Q\desktop.ini" /accepteula
  2⤵
  - Executes dropped EXE
  - Drops desktop.ini file(s)
  - System Location Discovery: System Language Discovery
  PID:988
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\container.dat" /accepteula
  2⤵
  - Executes dropped EXE
  - Modifies data under HKEY_USERS
  PID:2748
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\desktop.ini" /accepteula
  2⤵
  - Executes dropped EXE
  - Drops desktop.ini file(s)
  PID:2744
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat" /accepteula
  2⤵
  - Executes dropped EXE
  - Modifies data under HKEY_USERS
  PID:2032
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\INNMDE1C\desktop.ini" /accepteula
  2⤵
  - Executes dropped EXE
  - Drops desktop.ini file(s)
  PID:2712
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\KIYAG1MM\favicon[1].ico" /accepteula
  2⤵
  - Executes dropped EXE
  PID:644
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\L1J27TKW\desktop.ini" /accepteula
  2⤵
  - Executes dropped EXE
  - Drops desktop.ini file(s)
  - System Location Discovery: System Language Discovery
  PID:1008
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\WK3MU41S\desktop.ini" /accepteula
  2⤵
  - Executes dropped EXE
  - Drops desktop.ini file(s)
  PID:2256
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat" /accepteula
  2⤵
  - Executes dropped EXE
  PID:1668
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\desktop.ini" /accepteula
  2⤵
  - Executes dropped EXE
  - Drops desktop.ini file(s)
  - Modifies data under HKEY_USERS
  PID:1504
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Users\Admin\AppData\Local\Microsoft\Windows\WebCache\V01.log" /accepteula
  2⤵
  - Executes dropped EXE
  PID:1712
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Users\Admin\AppData\Local\Microsoft\Windows\WebCache\V0100002.log" /accepteula
  2⤵
  - Executes dropped EXE
  PID:2248
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Users\Admin\AppData\Local\Microsoft\Windows\WebCache\V0100003.log" /accepteula
  2⤵
  - Executes dropped EXE
  PID:2956
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Users\Admin\AppData\Local\Microsoft\Windows Mail\Backup\new\edb00001.log" /accepteula
  2⤵
  - Executes dropped EXE
  PID:600
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Users\Admin\AppData\Local\Microsoft\Windows Mail\Backup\new\WindowsMail.MSMessageStore" /accepteula
  2⤵
  - Executes dropped EXE
  PID:1864
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Users\Admin\AppData\Local\Microsoft\Windows Mail\Backup\new\WindowsMail.pat" /accepteula
  2⤵
  PID:2332
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Users\Admin\AppData\Local\Microsoft\Windows Mail\edb.log" /accepteula
  2⤵
  PID:2456
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Users\Admin\AppData\Local\Microsoft\Windows Mail\edb00001.log" /accepteula
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2448
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Users\Admin\AppData\Local\Temp\3070453596\payload.dat" /accepteula
  2⤵
  PID:2000
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Users\Admin\AppData\Local\Temp\35cf1b00-0844-4d60-bbf5-aca4c72f72cf.tmp" /accepteula
  2⤵
  PID:2356
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Users\Admin\AppData\Local\Temp\7084b9b2-0a8b-4e45-ad57-83689d090a2c.tmp" /accepteula
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1736
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Users\Admin\AppData\Local\Temp\Admin.bmp" /accepteula
  2⤵
  PID:1136
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Users\Admin\AppData\Local\Temp\ASPNETSetup_00000.log" /accepteula
  2⤵
  PID:1908
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Users\Admin\AppData\Local\Temp\ASPNETSetup_00001.log" /accepteula
  2⤵
  PID:2572
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Users\Admin\AppData\Local\Temp\ca6ec46ee9435a4745fd3a03267f051dc64540dd348f127bb33e9675dadd3d52.exe" /accepteula
  2⤵
  PID:276
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Users\Admin\AppData\Local\Temp\calc.exe" /accepteula
  2⤵
  PID:700
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Users\Admin\AppData\Local\Temp\ccc71c83c8d9895ef0b375273f9f185dfac63ecd01775e2dc705afe4d48c95e2_Dumped_TDS=4F9911B3.exe" /accepteula
  2⤵
  PID:2940
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Users\Admin\AppData\Local\Temp\ccc71c83c8d9895ef0b375273f9f185dfac63ecd01775e2dc705afe4d48c95e2_TDS=4FAD9768.exe" /accepteula
  2⤵
  PID:112
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Users\Admin\AppData\Local\Temp\cd2d085998a289134ffaf27fbdcbc8cb_api-ms-win-system-dispex-l1-1-0.dll" /accepteula
  2⤵
  PID:1604
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Users\Admin\AppData\Local\Temp\cdffb7e75b20eeae4db75c9962c17b3be980a719f7597e8b11a747d72c975a36_not_packed_maybe_useless.exe" /accepteula
  2⤵
  PID:1416
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Users\Admin\AppData\Local\Temp\cf7382c25a8bf0d904d51063ceb29fb70f630bc9.exe" /accepteula
  2⤵
  PID:2528
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Users\Admin\AppData\Local\Temp\cgi19-alptsevs-h555.exe_.exe" /accepteula
  2⤵
  - Deletes itself
  - Suspicious behavior: RenamesItself
  PID:932
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Users\Admin\AppData\Local\Temp\chrome_installer.log" /accepteula
  2⤵
  PID:920
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Users\Admin\AppData\Local\Temp\chrst.exe" /accepteula
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2192
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Users\Admin\AppData\Local\Temp\ci05l2a.exe" /accepteula
  2⤵
  PID:2700
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Users\Admin\AppData\Local\Temp\cl.exe" /accepteula
  2⤵
  PID:2220
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Users\Admin\AppData\Local\Temp\clean.exe" /accepteula
  2⤵
  PID:2480
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Users\Admin\AppData\Local\Temp\coinvault.exe" /accepteula
  2⤵
  PID:1860
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Users\Admin\AppData\Local\Temp\com_loader.exe" /accepteula
  2⤵
  - System Location Discovery: System Language Discovery
  - Modifies data under HKEY_USERS
  PID:2476
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Users\Admin\AppData\Local\Temp\csrss.ex_.exe" /accepteula
  2⤵
  - Modifies data under HKEY_USERS
  PID:1852
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Users\Admin\AppData\Local\Temp\d.exe" /accepteula
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2964
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Users\Admin\AppData\Local\Temp\D02D012970AA164CAD15C757D7E52994.exe" /accepteula
  2⤵
  - Modifies data under HKEY_USERS
  PID:3016
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Users\Admin\AppData\Local\Temp\d0a5cfec8e80622b3e194b5ee03e93d78c7ef3478bead6a039d213caaaa58523_Dumped_TDS=4F9911B3.exe" /accepteula
  2⤵
  PID:3012
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Users\Admin\AppData\Local\Temp\d0a5cfec8e80622b3e194b5ee03e93d78c7ef3478bead6a039d213caaaa58523_TDS=4FA478A6.exe" /accepteula
  2⤵
  PID:2164
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Users\Admin\AppData\Local\Temp\d2164cdbc9c78db0115f382a139ccd758f8a25ebfc5ab3e0034e7aef0fe0b6b4_Dumped_TDS=4FB252FB.exe" /accepteula
  2⤵
  PID:1528
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Users\Admin\AppData\Local\Temp\d2164cdbc9c78db0115f382a139ccd758f8a25ebfc5ab3e0034e7aef0fe0b6b4_TDS=4FB30D08.exe" /accepteula
  2⤵
  PID:2772
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Users\Admin\AppData\Local\Temp\d4439055d2d63e52ffc23c6d24d89194_86e510605f1ee068bdc1ae306312652a__1.dll" /accepteula
  2⤵
  PID:2096
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Users\Admin\AppData\Local\Temp\d54d2a216e637bcd36e5217cfba98896.exe" /accepteula
  2⤵
  PID:2784
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Users\Admin\AppData\Local\Temp\d5f29750a8cb158d9b89a1e02e8addc5e410d1ddc48e660589144ade47f794c5.exe" /accepteula
  2⤵
  PID:2968
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Users\Admin\AppData\Local\Temp\d6c32b0146f219bdcb5cf524ea9e0047d9b9bd0fd7c395d5b11cbc4c3298824d.exe" /accepteula
  2⤵
  PID:2620
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Users\Admin\AppData\Local\Temp\d889734783273b7158deeae6cf804a6be99c3a5353d94225a4dbe92caf3a3d48.exe" /accepteula
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2672
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Users\Admin\AppData\Local\Temp\daaa72f48bea498c5ac7ce9bc315e585ff11dad04d1eeb0d1b0ce33a28bedf2d.exe" /accepteula
  2⤵
  PID:2984
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Users\Admin\AppData\Local\Temp\DBm0yQwt.exe.ViR.exe" /accepteula
  2⤵
  PID:2612
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Users\Admin\AppData\Local\Temp\ddbf1840bf626da19d8f3467fe9e20e2.exe" /accepteula
  2⤵
  - Modifies data under HKEY_USERS
  PID:1664
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Users\Admin\AppData\Local\Temp\dd_NDP472-KB4054530-x86-x64-AllOS-ENU_decompression_log.txt" /accepteula
  2⤵
  PID:1032
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Users\Admin\AppData\Local\Temp\dd_SetupUtility.txt" /accepteula
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2764
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Users\Admin\AppData\Local\Temp\dd_vcredistMSI1DEF.txt" /accepteula
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2588
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Users\Admin\AppData\Local\Temp\dd_vcredistMSI1E26.txt" /accepteula
  2⤵
  PID:1912
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Users\Admin\AppData\Local\Temp\dd_vcredistUI1DEF.txt" /accepteula
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1352
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Users\Admin\AppData\Local\Temp\dd_vcredistUI1E26.txt" /accepteula
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1876
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Users\Admin\AppData\Local\Temp\dd_wcf_CA_smci_20240903_051527_762.txt" /accepteula
  2⤵
  PID:2368
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Users\Admin\AppData\Local\Temp\dd_wcf_CA_smci_20240903_051528_152.txt" /accepteula
  2⤵
  PID:2940
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Users\Admin\AppData\Local\Temp\de882c049be133a950b6917562bb2313_583a76e23c1998307d702709dadbe103__3.dll" /accepteula
  2⤵
  PID:572
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Users\Admin\AppData\Local\Temp\decrypt.exe" /accepteula
  2⤵
  PID:2532
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Users\Admin\AppData\Local\Temp\decrypted.ex_.exe" /accepteula
  2⤵
  PID:2148
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Users\Admin\AppData\Local\Temp\FXSAPIDebugLogFile.txt" /accepteula
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2116
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Users\Admin\AppData\Local\Temp\JavaDeployReg.log" /accepteula
  2⤵
  PID:1596
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Users\Admin\AppData\Local\Temp\java_install.log" /accepteula
  2⤵
  PID:3080
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Users\Admin\AppData\Local\Temp\java_install_reg.log" /accepteula
  2⤵
  PID:3168
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Users\Admin\AppData\Local\Temp\jawshtml.html" /accepteula
  2⤵
  PID:3180
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Users\Admin\AppData\Local\Temp\jusched.log" /accepteula
  2⤵
  PID:3192
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Users\Admin\AppData\Local\Temp\Kno5025.tmp" /accepteula
  2⤵
  PID:3204
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Users\Admin\AppData\Local\Temp\KnoAC35.tmp" /accepteula
  2⤵
  PID:3228
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Users\Admin\AppData\Local\Temp\lpksetup-20240903-052315-0.log" /accepteula
  2⤵
  PID:3340
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Users\Admin\AppData\Local\Temp\lpksetup-20240903-052445-0.log" /accepteula
  2⤵
  PID:3384
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Users\Admin\AppData\Local\Temp\lpksetup-20240903-052611-0.log" /accepteula
  2⤵
  PID:3456
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Users\Admin\AppData\Local\Temp\lpksetup-20240903-052746-0.log" /accepteula
  2⤵
  PID:3488
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Users\Admin\AppData\Local\Temp\lpksetup-20240903-052916-0.log" /accepteula
  2⤵
  PID:3508
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Users\Admin\AppData\Local\Temp\Microsoft .NET Framework 4.7.2 Setup_20240903_051515516-MSI_netfx_Full_x64.msi.txt" /accepteula
  2⤵
  PID:3608
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Users\Admin\AppData\Local\Temp\Microsoft .NET Framework 4.7.2 Setup_20240903_051515516.html" /accepteula
  2⤵
  - Modifies data under HKEY_USERS
  PID:3636
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Users\Admin\AppData\Local\Temp\ose00000.exe" /accepteula
  2⤵
  PID:2892
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Users\Admin\AppData\Local\Temp\RD2D75.tmp" /accepteula
  2⤵
  PID:3484
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Users\Admin\AppData\Local\Temp\RGI1575.tmp" /accepteula
  2⤵
  PID:3536
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Users\Admin\AppData\Local\Temp\RGI1575.tmp-tmp" /accepteula
  2⤵
  PID:3520
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Users\Admin\AppData\Local\Temp\scoped_dir1928_1837339039\35cf1b00-0844-4d60-bbf5-aca4c72f72cf.tmp" /accepteula
  2⤵
  PID:1480
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Users\Admin\AppData\Local\Temp\scoped_dir1928_1837339039\CRX_INSTALL\manifest.json" /accepteula
  2⤵
  PID:3444
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Users\Admin\AppData\Local\Temp\scoped_dir1928_2003137438\7084b9b2-0a8b-4e45-ad57-83689d090a2c.tmp" /accepteula
  2⤵
  PID:1572
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Users\Admin\AppData\Local\Temp\scoped_dir1928_2003137438\CRX_INSTALL\manifest.json" /accepteula
  2⤵
  PID:3892
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Users\Admin\AppData\Local\Temp\SetupExe(20240903051854134).log" /accepteula
  2⤵
  PID:3648
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Users\Admin\AppData\Local\Temp\wmsetup.log" /accepteula
  2⤵
  PID:2272
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\o97f221x.default-release\sessionstore-backups\previous.jsonlz4" /accepteula
  2⤵
  - Modifies data under HKEY_USERS
  PID:3936
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\o97f221x.default-release\sessionstore-backups\upgrade.jsonlz4-20221007134813" /accepteula
  2⤵
  PID:3924
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Users\Admin\AppData\Roaming\StartBackup.odt" /accepteula
  2⤵
  - Modifies data under HKEY_USERS
  PID:2780
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Users\Admin\Documents\BackupConvert.vsx" /accepteula
  2⤵
  PID:4028
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Users\Admin\Downloads\BackupUpdate.vst" /accepteula
  2⤵
  PID:2616
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Users\Admin\Music\BackupSend.mpe" /accepteula
  2⤵
  PID:1668
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Users\Admin\Music\SuspendLimit.temp" /accepteula
  2⤵
  PID:408
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Users\Default\NTUSER.DAT.LOG" /accepteula
  2⤵
  PID:1952
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\vcredist2012_x64_0_vcRuntimeMinimum_x64.log" /accepteula
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2208
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\vcredist2012_x64_1_vcRuntimeAdditional_x64.log" /accepteula
  2⤵
  - Modifies data under HKEY_USERS
  PID:2840
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\vcredist2012_x86_0_vcRuntimeMinimum_x86.log" /accepteula
  2⤵
  - Modifies data under HKEY_USERS
  PID:3544
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\vcredist2012_x86_1_vcRuntimeAdditional_x86.log" /accepteula
  2⤵
  - System Location Discovery: System Language Discovery
  - Modifies data under HKEY_USERS
  PID:3164
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\vcredist2013_x64_000_vcRuntimeMinimum_x64.log" /accepteula
  2⤵
  PID:700
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\vcredist2013_x64_001_vcRuntimeAdditional_x64.log" /accepteula
  2⤵
  PID:3532
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\vcredist2013_x86_000_vcRuntimeMinimum_x86.log" /accepteula
  2⤵
  PID:3216
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\vcredist2013_x86_001_vcRuntimeAdditional_x86.log" /accepteula
  2⤵
  - System Location Discovery: System Language Discovery
  - Modifies data under HKEY_USERS
  PID:3352
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\vcredist2022_x64_000_vcRuntimeMinimum_x64.log" /accepteula
  2⤵
  PID:3360
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\vcredist2022_x64_001_vcRuntimeAdditional_x64.log" /accepteula
  2⤵
  PID:1188
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\vcredist2022_x86_001_vcRuntimeMinimum_x86.log" /accepteula
  2⤵
  PID:3464
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\vcredist2022_x86_002_vcRuntimeAdditional_x86.log" /accepteula
  2⤵
  - System Location Discovery: System Language Discovery
  PID:3148
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Windows\CSC\v2.0.6\temp\ea-{c4807fe8-69ed-11ef-bca2-d5622a119f82}" /accepteula
  2⤵
  PID:2912
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Windows\debug\PASSWD.LOG" /accepteula
  2⤵
  - Drops file in Windows directory
  PID:2504
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Windows\debug\sammui.log" /accepteula
  2⤵
  - Drops file in Windows directory
  PID:2124
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Windows\debug\WIA\wiatrace.log" /accepteula
  2⤵
  PID:1596
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Windows\DtcInstall.log" /accepteula
  2⤵
  - Drops file in Windows directory
  PID:3580
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Windows\Fonts\TEMPSITC.TTF" /accepteula
  2⤵
  - Drops file in Windows directory
  PID:3764
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Windows\inf\setupapi.app.log" /accepteula
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1404
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Windows\inf\setupapi.dev.log" /accepteula
  2⤵
  - Drops file in Windows directory
  PID:3940
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Windows\inf\setupapi.offline.log" /accepteula
  2⤵
  PID:2252
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Windows\Logs\CBS\CBS.log" /accepteula
  2⤵
  - Drops file in Windows directory
  PID:1984
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Windows\Logs\DISM\dism.log" /accepteula
  2⤵
  - Drops file in Windows directory
  PID:1916
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Windows\Logs\DPX\setupact.log" /accepteula
  2⤵
  PID:2500
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Windows\Logs\DPX\setuperr.log" /accepteula
  2⤵
  - Drops file in Windows directory
  PID:2132
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngen.log" /accepteula
  2⤵
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  PID:2692
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngen_service.log" /accepteula
  2⤵
  - Drops file in Windows directory
  PID:2328
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.log" /accepteula
  2⤵
  - Drops file in Windows directory
  PID:1008
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen_service.log" /accepteula
  2⤵
  - Drops file in Windows directory
  PID:2280
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngen.log" /accepteula
  2⤵
  - Drops file in Windows directory
  PID:2964
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngen_service.log" /accepteula
  2⤵
  PID:3312
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log" /accepteula
  2⤵
  PID:1732
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen_service.log" /accepteula
  2⤵
  - Drops file in Windows directory
  PID:2608
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Windows\Panther\cbs.log" /accepteula
  2⤵
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  PID:1508
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Windows\Panther\cbs_unattend.log" /accepteula
  2⤵
  - Drops file in Windows directory
  PID:2240
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Windows\Panther\DDACLSys.log" /accepteula
  2⤵
  PID:1132
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Windows\Panther\setupact.log" /accepteula
  2⤵
  - Modifies data under HKEY_USERS
  PID:3700
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Windows\Panther\setuperr.log" /accepteula
  2⤵
  - Drops file in Windows directory
  PID:3676
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Windows\Panther\UnattendGC\setupact.log" /accepteula
  2⤵
  - Drops file in Windows directory
  PID:3668
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Windows\Panther\UnattendGC\setuperr.log" /accepteula
  2⤵
  - System Location Discovery: System Language Discovery
  PID:3656
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Windows\Performance\WinSAT\winsat.log" /accepteula
  2⤵
  - Drops file in Windows directory
  - Modifies data under HKEY_USERS
  PID:1536
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Windows\PFRO.log" /accepteula
  2⤵
  - Drops file in Windows directory
  PID:804
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Windows\PolicyDefinitions\de-DE\UserDataBackup.adml" /accepteula
  2⤵
  - Drops file in Windows directory
  PID:4052
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Windows\PolicyDefinitions\de-DE\WindowsBackup.adml" /accepteula
  2⤵
  PID:1032
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Windows\PolicyDefinitions\en-US\UserDataBackup.adml" /accepteula
  2⤵
  - Drops file in Windows directory
  PID:4056
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Windows\PolicyDefinitions\en-US\WindowsBackup.adml" /accepteula
  2⤵
  - System Location Discovery: System Language Discovery
  PID:4068
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Windows\PolicyDefinitions\es-ES\UserDataBackup.adml" /accepteula
  2⤵
  - Drops file in Windows directory
  PID:4084
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Windows\PolicyDefinitions\es-ES\WindowsBackup.adml" /accepteula
  2⤵
  - Drops file in Windows directory
  PID:644
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Windows\PolicyDefinitions\fr-FR\UserDataBackup.adml" /accepteula
  2⤵
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  PID:1604
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Windows\PolicyDefinitions\fr-FR\WindowsBackup.adml" /accepteula
  2⤵
  PID:3016
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Windows\PolicyDefinitions\it-IT\UserDataBackup.adml" /accepteula
  2⤵
  - Drops file in Windows directory
  PID:2268
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Windows\PolicyDefinitions\it-IT\WindowsBackup.adml" /accepteula
  2⤵
  PID:3048
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Windows\PolicyDefinitions\ja-JP\UserDataBackup.adml" /accepteula
  2⤵
  - Drops file in Windows directory
  - Modifies data under HKEY_USERS
  PID:1740
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Windows\PolicyDefinitions\ja-JP\WindowsBackup.adml" /accepteula
  2⤵
  - Drops file in Windows directory
  PID:2440
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Windows\PolicyDefinitions\UserDataBackup.admx" /accepteula
  2⤵
  PID:1480
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Windows\PolicyDefinitions\WindowsBackup.admx" /accepteula
  2⤵
  - Drops file in Windows directory
  PID:2356
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Windows\security\logs\scecomp.old" /accepteula
  2⤵
  - System Location Discovery: System Language Discovery
  PID:3388
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Windows\security\logs\scesetup.log" /accepteula
  2⤵
  - Drops file in Windows directory
  PID:2532
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\WindowsUpdate.log" /accepteula
  2⤵
  - System Location Discovery: System Language Discovery
  - Modifies data under HKEY_USERS
  PID:2716
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Windows\ServiceProfiles\LocalService\NTUSER.DAT.LOG" /accepteula
  2⤵
  - Drops file in Windows directory
  PID:3888
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Windows\ServiceProfiles\NetworkService\NTUSER.DAT.LOG" /accepteula
  2⤵
  - Drops file in Windows directory
  PID:2292
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Windows\servicing\Packages\Microsoft-Windows-Backup-Package~31bf3856ad364e35~amd64~de-DE~6.1.7601.17514.cat" /accepteula
  2⤵
  - Drops file in Windows directory
  - Modifies data under HKEY_USERS
  PID:3120
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Windows\servicing\Packages\Microsoft-Windows-Backup-Package~31bf3856ad364e35~amd64~de-DE~6.1.7601.17514.mum" /accepteula
  2⤵
  - Drops file in Windows directory
  PID:3128
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Windows\servicing\Packages\Microsoft-Windows-Backup-Package~31bf3856ad364e35~amd64~en-US~6.1.7601.17514.cat" /accepteula
  2⤵
  - Drops file in Windows directory
  PID:3364
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Windows\servicing\Packages\Microsoft-Windows-Backup-Package~31bf3856ad364e35~amd64~en-US~6.1.7601.17514.mum" /accepteula
  2⤵
  - Drops file in Windows directory
  PID:3380
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Windows\servicing\Packages\Microsoft-Windows-Backup-Package~31bf3856ad364e35~amd64~es-ES~6.1.7601.17514.cat" /accepteula
  2⤵
  - Drops file in Windows directory
  - Modifies data under HKEY_USERS
  PID:3528
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Windows\servicing\Packages\Microsoft-Windows-Backup-Package~31bf3856ad364e35~amd64~es-ES~6.1.7601.17514.mum" /accepteula
  2⤵
  - Drops file in Windows directory
  PID:2708
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Windows\servicing\Packages\Microsoft-Windows-Backup-Package~31bf3856ad364e35~amd64~fr-FR~6.1.7601.17514.cat" /accepteula
  2⤵
  - Drops file in Windows directory
  - Modifies data under HKEY_USERS
  PID:3220
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Windows\servicing\Packages\Microsoft-Windows-Backup-Package~31bf3856ad364e35~amd64~fr-FR~6.1.7601.17514.mum" /accepteula
  2⤵
  - Drops file in Windows directory
  PID:3096
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Windows\servicing\Packages\Microsoft-Windows-Backup-Package~31bf3856ad364e35~amd64~it-IT~6.1.7601.17514.cat" /accepteula
  2⤵
  - Drops file in Windows directory
  - Modifies data under HKEY_USERS
  PID:2108
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Windows\servicing\Packages\Microsoft-Windows-Backup-Package~31bf3856ad364e35~amd64~it-IT~6.1.7601.17514.mum" /accepteula
  2⤵
  - Drops file in Windows directory
  PID:2212
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Windows\servicing\Packages\Microsoft-Windows-Backup-Package~31bf3856ad364e35~amd64~ja-JP~6.1.7601.17514.cat" /accepteula
  2⤵
  - Drops file in Windows directory
  PID:2472
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Windows\servicing\Packages\Microsoft-Windows-Backup-Package~31bf3856ad364e35~amd64~ja-JP~6.1.7601.17514.mum" /accepteula
  2⤵
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  PID:2396
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Windows\servicing\Packages\Microsoft-Windows-Backup-Package~31bf3856ad364e35~amd64~~6.1.7601.17514.cat" /accepteula
  2⤵
  - Drops file in Windows directory
  PID:3648
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Windows\servicing\Packages\Microsoft-Windows-Backup-Package~31bf3856ad364e35~amd64~~6.1.7601.17514.mum" /accepteula
  2⤵
  - Drops file in Windows directory
  PID:3136
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Windows\setupact.log" /accepteula
  2⤵
  - Drops file in Windows directory
  PID:1188
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Windows\setuperr.log" /accepteula
  2⤵
  - Drops file in Windows directory
  PID:1588
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Windows\SoftwareDistribution\DataStore\Logs\edb.log" /accepteula
  2⤵
  - Drops file in Windows directory
  PID:856
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Windows\SoftwareDistribution\DataStore\Logs\edb00001.log" /accepteula
  2⤵
  - Drops file in Windows directory
  PID:1528
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Windows\SoftwareDistribution\ReportingEvents.log" /accepteula
  2⤵
  - Drops file in Windows directory
  PID:3508
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Backup-Package~31bf3856ad364e35~amd64~de-DE~6.1.7601.17514.cat" /accepteula
  2⤵
  PID:3440
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Backup-Package~31bf3856ad364e35~amd64~en-US~6.1.7600.16385.cat" /accepteula
  2⤵
  - Drops file in System32 directory
  PID:1360
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Backup-Package~31bf3856ad364e35~amd64~en-US~6.1.7601.17514.cat" /accepteula
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2032
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Backup-Package~31bf3856ad364e35~amd64~es-ES~6.1.7601.17514.cat" /accepteula
  2⤵
  PID:2084
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Backup-Package~31bf3856ad364e35~amd64~fr-FR~6.1.7601.17514.cat" /accepteula
  2⤵
  - Drops file in System32 directory
  PID:2596
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Backup-Package~31bf3856ad364e35~amd64~it-IT~6.1.7601.17514.cat" /accepteula
  2⤵
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Modifies data under HKEY_USERS
  PID:2760
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Backup-Package~31bf3856ad364e35~amd64~ja-JP~6.1.7601.17514.cat" /accepteula
  2⤵
  PID:2580
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Backup-Package~31bf3856ad364e35~amd64~~6.1.7600.16385.cat" /accepteula
  2⤵
  PID:1228
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Backup-Package~31bf3856ad364e35~amd64~~6.1.7601.17514.cat" /accepteula
  2⤵
  PID:3628
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Windows\System32\catroot2\edb.log" /accepteula
  2⤵
  - Drops file in System32 directory
  PID:3932
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Windows\System32\catroot2\edb006BD.log" /accepteula
  2⤵
  - Drops file in System32 directory
  PID:2556
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Windows\System32\catroot2\edb006BE.log" /accepteula
  2⤵
  PID:2448
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Windows\System32\catroot2\edb006BF.log" /accepteula
  2⤵
  PID:1000
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Windows\System32\catroot2\edb006C0.log" /accepteula
  2⤵
  - Modifies data under HKEY_USERS
  PID:2992
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Windows\System32\catroot2\edb006C1.log" /accepteula
  2⤵
  - Modifies data under HKEY_USERS
  PID:3004
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Windows\System32\catroot2\edb006C2.log" /accepteula
  2⤵
  PID:2980
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Windows\System32\catroot2\edb006C3.log" /accepteula
  2⤵
  PID:804
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Windows\System32\catroot2\edb006C4.log" /accepteula
  2⤵
  PID:3952
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Windows\System32\catroot2\edb006C5.log" /accepteula
  2⤵
  PID:2008
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Windows\System32\catroot2\edb006C6.log" /accepteula
  2⤵
  PID:2616
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Windows\System32\catroot2\edb006C7.log" /accepteula
  2⤵
  PID:2284
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Windows\System32\catroot2\edb006C8.log" /accepteula
  2⤵
  PID:2232
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Windows\System32\catroot2\edb006C9.log" /accepteula
  2⤵
  PID:2880
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Windows\System32\catroot2\edb006CA.log" /accepteula
  2⤵
  - System Location Discovery: System Language Discovery
  PID:316
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Windows\System32\catroot2\edb006CB.log" /accepteula
  2⤵
  - Drops file in System32 directory
  PID:380
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Windows\System32\catroot2\edb006CC.log" /accepteula
  2⤵
  PID:2680
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Windows\System32\catroot2\edb006CD.log" /accepteula
  2⤵
  - System Location Discovery: System Language Discovery
  - Modifies data under HKEY_USERS
  PID:2544
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Windows\System32\catroot2\edb006CE.log" /accepteula
  2⤵
  PID:2952
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Windows\System32\catroot2\edb006CF.log" /accepteula
  2⤵
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  PID:1260
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Windows\System32\catroot2\edb006D0.log" /accepteula
  2⤵
  PID:1768
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Windows\System32\catroot2\edb006D1.log" /accepteula
  2⤵
  - Drops file in System32 directory
  PID:628
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Windows\System32\catroot2\edb006D2.log" /accepteula
  2⤵
  - Drops file in System32 directory
  PID:1208
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Windows\System32\catroot2\edb006D3.log" /accepteula
  2⤵
  PID:3100
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Windows\System32\catroot2\edb006D4.log" /accepteula
  2⤵
  PID:3116
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Windows\System32\catroot2\edb006D5.log" /accepteula
  2⤵
  - Drops file in System32 directory
  - Modifies data under HKEY_USERS
  PID:3344
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Windows\System32\catroot2\edb006D6.log" /accepteula
  2⤵
  PID:2768
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Windows\System32\de-DE\SystemPropertiesAdvanced.exe.mui" /accepteula
  2⤵
  - Drops file in System32 directory
  PID:3768
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Windows\System32\de-DE\SystemPropertiesComputerName.exe.mui" /accepteula
  2⤵
  - Drops file in System32 directory
  - Modifies data under HKEY_USERS
  PID:3772
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Windows\System32\de-DE\SystemPropertiesDataExecutionPrevention.exe.mui" /accepteula
  2⤵
  - Drops file in System32 directory
  PID:3748
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Windows\System32\de-DE\SystemPropertiesHardware.exe.mui" /accepteula
  2⤵
  PID:3692
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Windows\System32\de-DE\SystemPropertiesPerformance.exe.mui" /accepteula
  2⤵
  - Drops file in System32 directory
  PID:3688
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Windows\System32\de-DE\SystemPropertiesProtection.exe.mui" /accepteula
  2⤵
  - Drops file in System32 directory
  PID:3740
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Windows\System32\de-DE\SystemPropertiesRemote.exe.mui" /accepteula
  2⤵
  - Drops file in System32 directory
  PID:3712
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Windows\System32\DriverStore\FileRepository\prnbr002.inf_amd64_neutral_db1d8c9efda9b3c0\Amd64\brio06aa.bcm" /accepteula
  2⤵
  PID:3824
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Windows\System32\DriverStore\FileRepository\prnbr002.inf_amd64_neutral_db1d8c9efda9b3c0\Amd64\brio06ab.bcm" /accepteula
  2⤵
  PID:3652
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Windows\System32\DriverStore\FileRepository\prnbr002.inf_amd64_neutral_db1d8c9efda9b3c0\Amd64\brio06ac.bcm" /accepteula
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2652
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Windows\System32\DriverStore\FileRepository\prnbr002.inf_amd64_neutral_db1d8c9efda9b3c0\Amd64\brio06af.bcm" /accepteula
  2⤵
  PID:1596
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Windows\System32\DriverStore\FileRepository\prnbr002.inf_amd64_neutral_db1d8c9efda9b3c0\Amd64\brio06ag.bcm" /accepteula
  2⤵
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  PID:3840
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Windows\System32\DriverStore\FileRepository\prnbr004.inf_amd64_neutral_a78e168d6944619a\Amd64\brio08aa.bcm" /accepteula
  2⤵
  PID:2792
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Windows\System32\DriverStore\FileRepository\prnbr004.inf_amd64_neutral_a78e168d6944619a\Amd64\brio08ab.bcm" /accepteula
  2⤵
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  PID:2816
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Windows\System32\DriverStore\FileRepository\prnbr004.inf_amd64_neutral_a78e168d6944619a\Amd64\brio08ac.bcm" /accepteula
  2⤵
  - Modifies data under HKEY_USERS
  PID:2696
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Windows\System32\DriverStore\FileRepository\prnbr004.inf_amd64_neutral_a78e168d6944619a\Amd64\brio08ae.bcm" /accepteula
  2⤵
  - Modifies data under HKEY_USERS
  PID:3696
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Windows\System32\DriverStore\FileRepository\prnbr004.inf_amd64_neutral_a78e168d6944619a\Amd64\brio08af.bcm" /accepteula
  2⤵
  - Drops file in System32 directory
  PID:1904
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Windows\System32\DriverStore\FileRepository\prnbr004.inf_amd64_neutral_a78e168d6944619a\Amd64\brio08ag.bcm" /accepteula
  2⤵
  - Drops file in System32 directory
  PID:2636
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Windows\System32\DriverStore\FileRepository\prnbr004.inf_amd64_neutral_a78e168d6944619a\Amd64\brio08ah.bcm" /accepteula
  2⤵
  PID:2980
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Windows\System32\DriverStore\FileRepository\prnbr004.inf_amd64_neutral_a78e168d6944619a\Amd64\brio08ak.bcm" /accepteula
  2⤵
  - Drops file in System32 directory
  PID:2932
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Windows\System32\DriverStore\FileRepository\prnbr005.inf_amd64_neutral_9e4cc05e0d4bcb33\Amd64\brio08ba.bcm" /accepteula
  2⤵
  PID:4056
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Windows\System32\DriverStore\FileRepository\prnbr005.inf_amd64_neutral_9e4cc05e0d4bcb33\Amd64\brio08bb.bcm" /accepteula
  2⤵
  PID:2180
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Windows\System32\DriverStore\FileRepository\prnbr005.inf_amd64_neutral_9e4cc05e0d4bcb33\Amd64\brio08bc.bcm" /accepteula
  2⤵
  PID:900
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Windows\System32\DriverStore\FileRepository\prnbr005.inf_amd64_neutral_9e4cc05e0d4bcb33\Amd64\brio08be.bcm" /accepteula
  2⤵
  PID:2144
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Windows\System32\DriverStore\FileRepository\prnbr005.inf_amd64_neutral_9e4cc05e0d4bcb33\Amd64\brio08bf.bcm" /accepteula
  2⤵
  - Drops file in System32 directory
  PID:992
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Windows\System32\DriverStore\FileRepository\prnbr005.inf_amd64_neutral_9e4cc05e0d4bcb33\Amd64\brio08bg.bcm" /accepteula
  2⤵
  PID:2952
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Windows\System32\DriverStore\FileRepository\prnbr005.inf_amd64_neutral_9e4cc05e0d4bcb33\Amd64\brio08bk.bcm" /accepteula
  2⤵
  PID:3888
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Windows\System32\DriverStore\FileRepository\prnbr009.inf_amd64_neutral_fd2ac5b9c40bd465\Amd64\brio14aa.bcm" /accepteula
  2⤵
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Modifies data under HKEY_USERS
  PID:3848
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Windows\System32\DriverStore\FileRepository\prnbr009.inf_amd64_neutral_fd2ac5b9c40bd465\Amd64\brio14ab.bcm" /accepteula
  2⤵
  PID:1520
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Windows\System32\DriverStore\FileRepository\prnbr009.inf_amd64_neutral_fd2ac5b9c40bd465\Amd64\brio14ac.bcm" /accepteula
  2⤵
  PID:3508
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Windows\System32\DriverStore\FileRepository\prnbr009.inf_amd64_neutral_fd2ac5b9c40bd465\Amd64\brio14ad.bcm" /accepteula
  2⤵
  PID:3828
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Windows\System32\DriverStore\FileRepository\prnbr009.inf_amd64_neutral_fd2ac5b9c40bd465\Amd64\brio14af.bcm" /accepteula
  2⤵
  - Drops file in System32 directory
  PID:1748
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Windows\System32\DriverStore\FileRepository\prnbr009.inf_amd64_neutral_fd2ac5b9c40bd465\Amd64\brio14ag.bcm" /accepteula
  2⤵
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  PID:2296
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Windows\System32\DriverStore\FileRepository\prnbr009.inf_amd64_neutral_fd2ac5b9c40bd465\Amd64\brio14ah.bcm" /accepteula
  2⤵
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  PID:2456
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Windows\System32\DriverStore\FileRepository\prnbr009.inf_amd64_neutral_fd2ac5b9c40bd465\Amd64\brio14ai.bcm" /accepteula
  2⤵
  - Drops file in System32 directory
  PID:2832
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Windows\System32\DriverStore\FileRepository\prnbr009.inf_amd64_neutral_fd2ac5b9c40bd465\Amd64\brio14ak.bcm" /accepteula
  2⤵
  PID:2896
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Windows\System32\DriverStore\FileRepository\prnbr009.inf_amd64_neutral_fd2ac5b9c40bd465\Amd64\brio14al.bcm" /accepteula
  2⤵
  PID:2032
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Windows\System32\DriverStore\FileRepository\prnbr009.inf_amd64_neutral_fd2ac5b9c40bd465\Amd64\brio14am.bcm" /accepteula
  2⤵
  PID:2968
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Windows\System32\DriverStore\FileRepository\prnbr009.inf_amd64_neutral_fd2ac5b9c40bd465\Amd64\brio14an.bcm" /accepteula
  2⤵
  PID:2744
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Windows\System32\DriverStore\Temp\{522f6bf6-ae20-0f66-d982-a746d010852a}\prnms001.cat" /accepteula
  2⤵
  PID:2172
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Windows\System32\en-US\SystemPropertiesAdvanced.exe.mui" /accepteula
  2⤵
  PID:1136
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Windows\System32\en-US\SystemPropertiesComputerName.exe.mui" /accepteula
  2⤵
  PID:2868
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Windows\System32\en-US\SystemPropertiesDataExecutionPrevention.exe.mui" /accepteula
  2⤵
  PID:3976
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Windows\System32\en-US\SystemPropertiesHardware.exe.mui" /accepteula
  2⤵
  PID:3992
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Windows\System32\en-US\SystemPropertiesPerformance.exe.mui" /accepteula
  2⤵
  PID:1848
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Windows\System32\en-US\SystemPropertiesProtection.exe.mui" /accepteula
  2⤵
  - System Location Discovery: System Language Discovery
  PID:3980
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Windows\System32\en-US\SystemPropertiesRemote.exe.mui" /accepteula
  2⤵
  - Drops file in System32 directory
  PID:2272
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Windows\System32\es-ES\SystemPropertiesAdvanced.exe.mui" /accepteula
  2⤵
  PID:4028
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Windows\System32\es-ES\SystemPropertiesComputerName.exe.mui" /accepteula
  2⤵
  PID:4020
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Windows\System32\es-ES\SystemPropertiesDataExecutionPrevention.exe.mui" /accepteula
  2⤵
  - Drops file in System32 directory
  PID:2276
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Windows\System32\es-ES\SystemPropertiesHardware.exe.mui" /accepteula
  2⤵
  - Drops file in System32 directory
  PID:2812
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Windows\System32\es-ES\SystemPropertiesPerformance.exe.mui" /accepteula
  2⤵
  PID:4076
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Windows\System32\es-ES\SystemPropertiesProtection.exe.mui" /accepteula
  2⤵
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  PID:2268
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Windows\System32\es-ES\SystemPropertiesRemote.exe.mui" /accepteula
  2⤵
  PID:4084
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Windows\System32\fr-FR\SystemPropertiesAdvanced.exe.mui" /accepteula
  2⤵
  PID:2252
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Windows\System32\fr-FR\SystemPropertiesComputerName.exe.mui" /accepteula
  2⤵
  PID:2720
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Windows\System32\fr-FR\SystemPropertiesDataExecutionPrevention.exe.mui" /accepteula
  2⤵
  - Drops file in System32 directory
  - Modifies data under HKEY_USERS
  PID:1408
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Windows\System32\fr-FR\SystemPropertiesHardware.exe.mui" /accepteula
  2⤵
  PID:3924
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Windows\System32\fr-FR\SystemPropertiesPerformance.exe.mui" /accepteula
  2⤵
  PID:2792
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Windows\System32\fr-FR\SystemPropertiesProtection.exe.mui" /accepteula
  2⤵
  - Drops file in System32 directory
  PID:2948
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Windows\System32\fr-FR\SystemPropertiesRemote.exe.mui" /accepteula
  2⤵
  PID:3040
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Windows\System32\it-IT\SystemPropertiesAdvanced.exe.mui" /accepteula
  2⤵
  - Drops file in System32 directory
  PID:3208
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Windows\System32\it-IT\SystemPropertiesComputerName.exe.mui" /accepteula
  2⤵
  - Drops file in System32 directory
  PID:3384
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Windows\System32\it-IT\SystemPropertiesDataExecutionPrevention.exe.mui" /accepteula
  2⤵
  - Drops file in System32 directory
  PID:696
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Windows\System32\it-IT\SystemPropertiesHardware.exe.mui" /accepteula
  2⤵
  PID:1704
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Windows\System32\it-IT\SystemPropertiesPerformance.exe.mui" /accepteula
  2⤵
  PID:1540
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Windows\System32\it-IT\SystemPropertiesProtection.exe.mui" /accepteula
  2⤵
  PID:1212
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Windows\System32\it-IT\SystemPropertiesRemote.exe.mui" /accepteula
  2⤵
  PID:2132
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Windows\System32\ja-JP\SystemPropertiesAdvanced.exe.mui" /accepteula
  2⤵
  PID:664
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Windows\System32\ja-JP\SystemPropertiesComputerName.exe.mui" /accepteula
  2⤵
  PID:1904
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Windows\System32\ja-JP\SystemPropertiesDataExecutionPrevention.exe.mui" /accepteula
  2⤵
  PID:1996
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Windows\System32\ja-JP\SystemPropertiesHardware.exe.mui" /accepteula
  2⤵
  PID:2880
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Windows\System32\ja-JP\SystemPropertiesPerformance.exe.mui" /accepteula
  2⤵
  PID:1044
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Windows\System32\ja-JP\SystemPropertiesProtection.exe.mui" /accepteula
  2⤵
  PID:3104
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Windows\System32\ja-JP\SystemPropertiesRemote.exe.mui" /accepteula
  2⤵
  PID:2244
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Windows\System32\LogFiles\AIT\AitEventLog.etl.001" /accepteula
  2⤵
  PID:4092
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Windows\System32\LogFiles\SQM\SQMLogger.etl.001" /accepteula
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2468
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Windows\System32\LogFiles\WMI\RtBackup\EtwRTDiagLog.etl" /accepteula
  2⤵
  - Drops file in System32 directory
  PID:2396
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Windows\System32\LogFiles\WMI\RtBackup\EtwRTEventLog-Application.etl" /accepteula
  2⤵
  PID:1428
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Windows\System32\LogFiles\WMI\RtBackup\EtwRTEventlog-Security.etl" /accepteula
  2⤵
  - Modifies data under HKEY_USERS
  PID:1840
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Windows\System32\LogFiles\WMI\RtBackup\EtwRTEventLog-System.etl" /accepteula
  2⤵
  - Drops file in System32 directory
  PID:1644
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Windows\System32\LogFiles\WMI\RtBackup\EtwRTUBPM.etl" /accepteula
  2⤵
  PID:3124
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Windows\System32\migwiz\replacementmanifests\vsssystemprovider-replacement.man" /accepteula
  2⤵
  PID:1884
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Windows\System32\PerfStringBackup.INI" /accepteula
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2864
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Windows\System32\SystemPropertiesAdvanced.exe" /accepteula
  2⤵
  - Drops file in System32 directory
  - Modifies data under HKEY_USERS
  PID:348
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Windows\System32\SystemPropertiesComputerName.exe" /accepteula
  2⤵
  PID:3368
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Windows\System32\SystemPropertiesDataExecutionPrevention.exe" /accepteula
  2⤵
  - System Location Discovery: System Language Discovery
  PID:3220
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Windows\System32\SystemPropertiesHardware.exe" /accepteula
  2⤵
  PID:112
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Windows\System32\SystemPropertiesPerformance.exe" /accepteula
  2⤵
  - System Location Discovery: System Language Discovery
  PID:3096
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Windows\System32\SystemPropertiesProtection.exe" /accepteula
  2⤵
  - Drops file in System32 directory
  PID:3088
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Windows\System32\SystemPropertiesRemote.exe" /accepteula
  2⤵
  - Drops file in System32 directory
  PID:2776
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Windows\SysWOW64\de-DE\SystemPropertiesAdvanced.exe.mui" /accepteula
  2⤵
  - System Location Discovery: System Language Discovery
  PID:3512
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Windows\SysWOW64\de-DE\SystemPropertiesComputerName.exe.mui" /accepteula
  2⤵
  - Drops file in System32 directory
  PID:620
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Windows\SysWOW64\de-DE\SystemPropertiesDataExecutionPrevention.exe.mui" /accepteula
  2⤵
  - Drops file in System32 directory
  PID:1876
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Windows\SysWOW64\de-DE\SystemPropertiesHardware.exe.mui" /accepteula
  2⤵
  PID:2280
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Windows\SysWOW64\de-DE\SystemPropertiesPerformance.exe.mui" /accepteula
  2⤵
  - Modifies data under HKEY_USERS
  PID:1188
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Windows\SysWOW64\de-DE\SystemPropertiesProtection.exe.mui" /accepteula
  2⤵
  - Drops file in System32 directory
  PID:484
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Windows\SysWOW64\de-DE\SystemPropertiesRemote.exe.mui" /accepteula
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1352
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Windows\SysWOW64\en-US\SystemPropertiesAdvanced.exe.mui" /accepteula
  2⤵
  PID:3392
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Windows\SysWOW64\en-US\SystemPropertiesComputerName.exe.mui" /accepteula
  2⤵
  - System Location Discovery: System Language Discovery
  - Modifies data under HKEY_USERS
  PID:2480
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Windows\SysWOW64\en-US\SystemPropertiesDataExecutionPrevention.exe.mui" /accepteula
  2⤵
  PID:3420
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Windows\SysWOW64\en-US\SystemPropertiesHardware.exe.mui" /accepteula
  2⤵
  - Drops file in System32 directory
  PID:3424
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Windows\SysWOW64\en-US\SystemPropertiesPerformance.exe.mui" /accepteula
  2⤵
  - System Location Discovery: System Language Discovery
  PID:3192
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Windows\SysWOW64\en-US\SystemPropertiesProtection.exe.mui" /accepteula
  2⤵
  - Drops file in System32 directory
  PID:3460
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Windows\SysWOW64\en-US\SystemPropertiesRemote.exe.mui" /accepteula
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1768
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Windows\SysWOW64\es-ES\SystemPropertiesAdvanced.exe.mui" /accepteula
  2⤵
  PID:992
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Windows\SysWOW64\es-ES\SystemPropertiesComputerName.exe.mui" /accepteula
  2⤵
  - Drops file in System32 directory
  PID:3332
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Windows\SysWOW64\es-ES\SystemPropertiesDataExecutionPrevention.exe.mui" /accepteula
  2⤵
  PID:3296
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Windows\SysWOW64\es-ES\SystemPropertiesHardware.exe.mui" /accepteula
  2⤵
  - Drops file in System32 directory
  - Modifies data under HKEY_USERS
  PID:3276
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Windows\SysWOW64\es-ES\SystemPropertiesPerformance.exe.mui" /accepteula
  2⤵
  PID:3260
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Windows\SysWOW64\es-ES\SystemPropertiesProtection.exe.mui" /accepteula
  2⤵
  - Modifies data under HKEY_USERS
  PID:2840
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Windows\SysWOW64\es-ES\SystemPropertiesRemote.exe.mui" /accepteula
  2⤵
  - Drops file in System32 directory
  PID:3280
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Windows\SysWOW64\fr-FR\SystemPropertiesAdvanced.exe.mui" /accepteula
  2⤵
  - Modifies data under HKEY_USERS
  PID:2192
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Windows\SysWOW64\fr-FR\SystemPropertiesComputerName.exe.mui" /accepteula
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2320
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Windows\SysWOW64\fr-FR\SystemPropertiesDataExecutionPrevention.exe.mui" /accepteula
  2⤵
  PID:1912
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Windows\SysWOW64\fr-FR\SystemPropertiesHardware.exe.mui" /accepteula
  2⤵
  PID:856
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Windows\SysWOW64\fr-FR\SystemPropertiesPerformance.exe.mui" /accepteula
  2⤵
  PID:3876
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Windows\SysWOW64\fr-FR\SystemPropertiesProtection.exe.mui" /accepteula
  2⤵
  PID:2424
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Windows\SysWOW64\fr-FR\SystemPropertiesRemote.exe.mui" /accepteula
  2⤵
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  PID:2512
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Windows\SysWOW64\it-IT\SystemPropertiesAdvanced.exe.mui" /accepteula
  2⤵
  PID:2696
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Windows\SysWOW64\it-IT\SystemPropertiesComputerName.exe.mui" /accepteula
  2⤵
  - Drops file in System32 directory
  PID:3464
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Windows\SysWOW64\it-IT\SystemPropertiesDataExecutionPrevention.exe.mui" /accepteula
  2⤵
  - Modifies data under HKEY_USERS
  PID:3324
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Windows\SysWOW64\it-IT\SystemPropertiesHardware.exe.mui" /accepteula
  2⤵
  - Drops file in System32 directory
  - Modifies data under HKEY_USERS
  PID:3036
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Windows\SysWOW64\it-IT\SystemPropertiesPerformance.exe.mui" /accepteula
  2⤵
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  PID:2056
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Windows\SysWOW64\it-IT\SystemPropertiesProtection.exe.mui" /accepteula
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2892
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Windows\SysWOW64\it-IT\SystemPropertiesRemote.exe.mui" /accepteula
  2⤵
  PID:3868
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Windows\SysWOW64\ja-JP\SystemPropertiesAdvanced.exe.mui" /accepteula
  2⤵
  - Drops file in System32 directory
  PID:3232
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Windows\SysWOW64\ja-JP\SystemPropertiesComputerName.exe.mui" /accepteula
  2⤵
  PID:1400
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Windows\SysWOW64\ja-JP\SystemPropertiesDataExecutionPrevention.exe.mui" /accepteula
  2⤵
  PID:2612
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Windows\SysWOW64\ja-JP\SystemPropertiesHardware.exe.mui" /accepteula
  2⤵
  - Modifies data under HKEY_USERS
  PID:1128
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Windows\SysWOW64\ja-JP\SystemPropertiesPerformance.exe.mui" /accepteula
  2⤵
  PID:2068
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Windows\SysWOW64\ja-JP\SystemPropertiesProtection.exe.mui" /accepteula
  2⤵
  PID:2896
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Windows\SysWOW64\ja-JP\SystemPropertiesRemote.exe.mui" /accepteula
  2⤵
  - Drops file in System32 directory
  PID:2752
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Windows\SysWOW64\migwiz\replacementmanifests\vsssystemprovider-replacement.man" /accepteula
  2⤵
  PID:2204
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Windows\SysWOW64\PerfStringBackup.INI" /accepteula
  2⤵
  PID:2080
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Windows\SysWOW64\SystemPropertiesAdvanced.exe" /accepteula
  2⤵
  PID:3468
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Windows\SysWOW64\SystemPropertiesComputerName.exe" /accepteula
  2⤵
  PID:2464
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Windows\SysWOW64\SystemPropertiesDataExecutionPrevention.exe" /accepteula
  2⤵
  PID:2760
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Windows\SysWOW64\SystemPropertiesHardware.exe" /accepteula
  2⤵
  PID:2060
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Windows\SysWOW64\SystemPropertiesPerformance.exe" /accepteula
  2⤵
  PID:3624
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Windows\SysWOW64\SystemPropertiesProtection.exe" /accepteula
  2⤵
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Modifies data under HKEY_USERS
  PID:3860
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Windows\SysWOW64\SystemPropertiesRemote.exe" /accepteula
  2⤵
  - Modifies data under HKEY_USERS
  PID:628
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Windows\Temp\Crashpad\metadata" /accepteula
  2⤵
  PID:2072
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Windows\Temp\Crashpad\settings.dat" /accepteula
  2⤵
  - System Location Discovery: System Language Discovery
  - Modifies data under HKEY_USERS
  PID:2156
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Windows\Temp\DMI3496.tmp" /accepteula
  2⤵
  PID:1176
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Windows\Temp\TS_1F52.tmp" /accepteula
  2⤵
  PID:3504
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Windows\Temp\TS_1FA1.tmp" /accepteula
  2⤵
  PID:3812
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Windows\Temp\TS_7197.tmp" /accepteula
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2596
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Windows\Temp\TS_7234.tmp" /accepteula
  2⤵
  PID:3820
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Windows\Temp\TS_7293.tmp" /accepteula
  2⤵
  PID:3800
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Windows\Temp\TS_734F.tmp" /accepteula
  2⤵
  PID:3752
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Windows\Temp\TS_73DC.tmp" /accepteula
  2⤵
  PID:3692
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Windows\Temp\TS_742B.tmp" /accepteula
  2⤵
  - Modifies data under HKEY_USERS
  PID:2032
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Windows\Temp\TS_747A.tmp" /accepteula
  2⤵
  PID:3680
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Windows\Temp\TS_7611.tmp" /accepteula
  2⤵
  PID:3704
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Windows\Temp\TS_76BD.tmp" /accepteula
  2⤵
  PID:3772
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Windows\TSSysprep.log" /accepteula
  2⤵
  PID:3808
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Windows\WindowsUpdate.log" /accepteula
  2⤵
  - Drops file in Windows directory
  PID:1632
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Windows\winsxs\amd64_microsoft-windows-b..ouppolicy.resources_31bf3856ad364e35_6.1.7600.16385_de-de_f373b0f039fdf6c5\WindowsBackup.adml" /accepteula
  2⤵
  - Drops file in Windows directory
  - Modifies data under HKEY_USERS
  PID:348
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Windows\winsxs\amd64_microsoft-windows-b..ouppolicy.resources_31bf3856ad364e35_6.1.7600.16385_en-us_9c6486e928dc028a\WindowsBackup.adml" /accepteula
  2⤵
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  PID:2376
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Windows\winsxs\amd64_microsoft-windows-b..ouppolicy.resources_31bf3856ad364e35_6.1.7600.16385_es-es_9c2fe3cd2902f42f\WindowsBackup.adml" /accepteula
  2⤵
  - Drops file in Windows directory
  PID:2096
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Windows\winsxs\amd64_microsoft-windows-b..ouppolicy.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_3ee759cc1bd50a91\WindowsBackup.adml" /accepteula
  2⤵
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Modifies data under HKEY_USERS
  PID:3356
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Windows\winsxs\amd64_microsoft-windows-b..ouppolicy.resources_31bf3856ad364e35_6.1.7600.16385_it-it_290f5012f306f00f\WindowsBackup.adml" /accepteula
  2⤵
  - Drops file in Windows directory
  PID:3088
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Windows\winsxs\amd64_microsoft-windows-b..ouppolicy.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_cb34cf1fe62201ea\WindowsBackup.adml" /accepteula
  2⤵
  - Drops file in Windows directory
  - Modifies data under HKEY_USERS
  PID:2140
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Windows\winsxs\amd64_microsoft-windows-backup-cpl.resources_31bf3856ad364e35_6.1.7600.16385_de-de_814336c72da5a487\sdcpl.dll.mui" /accepteula
  2⤵
  - Drops file in Windows directory
  PID:1684
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Windows\winsxs\amd64_microsoft-windows-backup-cpl.resources_31bf3856ad364e35_6.1.7600.16385_en-us_2a340cc01c83b04c\sdcpl.dll.mui" /accepteula
  2⤵
  - Drops file in Windows directory
  PID:3524
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Windows\winsxs\amd64_microsoft-windows-backup-cpl.resources_31bf3856ad364e35_6.1.7600.16385_es-es_29ff69a41caaa1f1\sdcpl.dll.mui" /accepteula
  2⤵
  PID:3352
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Windows\winsxs\amd64_microsoft-windows-backup-cpl.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_ccb6dfa30f7cb853\sdcpl.dll.mui" /accepteula
  2⤵
  - Drops file in Windows directory
  PID:3512
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Windows\winsxs\amd64_microsoft-windows-backup-cpl.resources_31bf3856ad364e35_6.1.7600.16385_it-it_b6ded5e9e6ae9dd1\sdcpl.dll.mui" /accepteula
  2⤵
  - Drops file in Windows directory
  - Modifies data under HKEY_USERS
  PID:3532
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Windows\winsxs\amd64_microsoft-windows-backup-cpl.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_590454f6d9c9afac\sdcpl.dll.mui" /accepteula
  2⤵
  PID:3184
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Windows\winsxs\amd64_microsoft-windows-backup-cpl_31bf3856ad364e35_6.1.7601.17514_none_0fa9f57005bdc2e1\sdcpl.dll" /accepteula
  2⤵
  - Drops file in Windows directory
  - Modifies data under HKEY_USERS
  PID:1188
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Windows\winsxs\amd64_microsoft-windows-blb-grouppolicy_31bf3856ad364e35_6.1.7600.16385_none_489a9cfa1badc4c5\WindowsBackup.admx" /accepteula
  2⤵
  PID:3400
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Windows\winsxs\amd64_microsoft-windows-com-dtc-runtime_31bf3856ad364e35_6.1.7600.16385_none_7547f48c79b40229\MSDTC.LOG" /accepteula
  2⤵
  PID:3328
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Windows\winsxs\amd64_microsoft-windows-iebrowsewebdiagnostic_31bf3856ad364e35_6.1.7601.17514_none_829f3aa88408cea0\TS_tempfilecachesize.ps1" /accepteula
  2⤵
  PID:3200
- C:\ProgramData\rbnedwdels\svchost.exe
  "C:\ProgramData\rbnedwdels\svchost.exe" -p 3 -q "C:\Windows\winsxs\amd64_microsoft-windows-iis-odbclogging_31bf3856ad364e35_6.1.7600.16385_none_304059e2ef7d19be\logtemp.sql" /accepteula
  2⤵
  - Drops file in Windows directory
  PID:2688

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Pre-OS Boot

T1542

Bootkit

T1542.003

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Pre-OS Boot

T1542

Bootkit

T1542.003

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-3533259084-2542256011-65585152-1000\desktop.ini

Filesize
129B

MD5
35d082826e412f0d838b3e523788096c

SHA1
3ea0b12b41ef1f5bf0546bde44aa3535e800137a

SHA256
c5aff57d62b4e637975f6c58b200d30bf696d5ae739a3eac8723a2bbd2dd5f76

SHA512
fc23daa8db6572c94ad85e15edc2ae50279167caa9924d9c74bcea1399fd2bb75bf980d51ad6fc2c9ce25bcff72b351e97f7fb01197f3d186e1bcb9c91afda2e

Download Submit
C:\Program FileDDDDDDDDDDDDDDDDDDDDDDDD.DDD

Filesize
21KB

MD5
20cf12fd8b0fe78bda47538d84daafac

SHA1
f1b036fda38d34967668528619e3bf070949927b

SHA256
a18bdce7227a5f0fd30d65af15733f97102e75b1078eca1910cf7092ca0e8d5e

SHA512
4c48f773db8e8730f662d704b7e8eed1e285ccdcb6d42893eafbc745977434a35ec98ee4382e1f0e2b9da451af20e42c1f743338af85c492e0dbe840d749f09f

Download Submit
C:\Program Files (x86)\Microsoft DDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDD.DDD

Filesize
3KB

MD5
f7b668bd74b15c9bc0283ca20b3b533e

SHA1
624936183479b9151c4eb028281f76e1628f75c5

SHA256
c7c4653c56d407f21bfac14c37f75b8e7f22b63eb5edc970ae7c4e6633332a5f

SHA512
ebfeb2f611efb0e6c993ab47099f18984b3a131c42a4f73e79a4cf9bf170715abfe444b5ebf9ff8704b63a9e874b039c7d946fdf6841c59e061c7460f954ef9a

Download Submit
C:\Program Files (x86)\Microsoft DDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDD.DDD

Filesize
1KB

MD5
b7f287a23956362aedb5a66d99f553c7

SHA1
c2752571311ba959fbfa91ab9686930bec6907fc

SHA256
17ca1b1cc6e38d99bf8e5b20fc411e107841f32c1eafbac7d4eeac896819aeb2

SHA512
8a7bc44929dbb468d84c1cb6d66db3cf703e4c46d1ea15a3457f6769998d4b936043445b43e97055a20bba0417429488a1c003c6cebeb62eba25589136823062

Download Submit
C:\Program Files (x86)\MozilDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDD.DDD

Filesize
164B

MD5
af318d5722352746253f42b62f8f8ca9

SHA1
3d989210ce76ea3e5f798d61941459a7664c81e0

SHA256
06c1ec3bfedaf49c273fa2f25156d86fdc2269c757c5887f36cae20d00d73180

SHA512
6f646a57a5598002eb3cd201236c5545650ded0ae836476ba6a23f51aea57c7f47f9392895749b515b492d4f74fca1051ffa1b25368d8c517497e7315a296f92

Download Submit
C:\Program Files\DDDDDDDDDDDDDDDDDDDDDDD.DDD

Filesize
25KB

MD5
9af7d1dd3af64e2988d023fc28bf4eb3

SHA1
031155736d51e20a175d307a9eaf9894ba3e3531

SHA256
d382c6bb0c269b45c495e7bd7d8cb36ef2d3e9132c8123e1c0aea29b1d7bc7e4

SHA512
85a6ce5f23bd84878c0a8941251843e1a012bdea6be260279923e25490dbd8bde052ca7de1d89e128520c9fcf698668fcfb8561d4f55e52912a59095bb8311e5

Download Submit
C:\Program Files\MozilGGGGGGGGGGGGGGGGGGGGGGGGGGGGGG.GGG

Filesize
2KB

MD5
e96bf9a420a6d0c4aeef4340abda4567

SHA1
334e28d897da8d33734497656cacba6a0988a72f

SHA256
f59d9891941fff0c35ce312793c8b26b6c24e65511fee5d8058dbe0820e0886c

SHA512
d543ec9f1a4cfaf305a06e887d0012c9ee658bab3cfa924d5c81605c2b76f22b9abac2751b9e9c11ba3ddc24ec61272dd6a39293050044c96bdaf199c081dd57

Download Submit
C:\Program Files\VideoLAN\DDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDD.DDD

Filesize
48KB

MD5
831625c8a124d1e5cb88955bb453eb2b

SHA1
79b5bbcb54b21409eda4184579f940fda99c0044

SHA256
446d0a1a72d82ad45e5c269e27b6e827ad673aa285e7850758051b40c3688a24

SHA512
efd0a0865be6694a61560b4f1bfe1382873d71e5f732fb74a2a5212da07dcbda45b43d420de67aa4c4cda92a90d596ac1a26e0ff1d4f42519a2b6e47cbf54f83

Download Submit
C:\ProgramData\Microsoft\DDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDD.DDD

Filesize
7KB

MD5
79fecfae0d254f4a49e431ecaeb4b794

SHA1
4719f2e91b59c3cfff8830530051f30ca0aa08a9

SHA256
d2c8c71755da520bdf7a947c72b0847952c33c8a2cc84b3378d44e29d4628a53

SHA512
75b91820fa369eeb5be839739889705ab59e104f199e92a5b60f447c81e777a31bdf65b25ef0bb7dbadd17de2887edc1d5e3639a0a595abfb1741871d704e98a

Download Submit
C:\ProgramData\Microsoft\SearDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDD.DDD

Filesize
1024KB

MD5
9f1aa479b6d025c0da338d46a2dd31a5

SHA1
8cddc9cc0157b850f64d4f12115221ef3afda12b

SHA256
2194ebb3aa452efb82627c40a57c2a9cf133070badc41e95261f8e5ef82d9ca5

SHA512
603e984fad571ee362f4ae3239e114c825bbc75fcba29aeb23562cde62e17701194af1103798073d67ed0762b9e31f64e7048a7ceaea7bee31f8a652c9fff098

Download Submit
C:\ProgramData\Microsoft\Windows\DDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDD.DDD

Filesize
1KB

MD5
92fe3e18a5fe36113042a5f467a4fe63

SHA1
33befbc3b4faf8b975f473c5f7ac9963756d3af7

SHA256
893aa7f6c2376553a3df9394d9ee5a5e457c2e195fa495e7ec33fce3f3e0c5ab

SHA512
2bb848d5a0757922eee77d27b2c4b8f9e3de833802bb8023f315d062008f7e9f100a3f0e2ef8281f5e9153d3663aaf47b7df3f16f7b3ea505fff1607b574c922

Download Submit
C:\System VolumDDDDDDDDDDDDDDDDDDDDDD.DDD

Filesize
20KB

MD5
9407dc7ecc79993e00324d7a163fdf6f

SHA1
9a07ade41e044530bda8546e3d0cf0dbcad591e8

SHA256
0f6d8916e7bdee405bd4d60b57807995f18e9310b7f764f266836a8502d3194d

SHA512
8ec755cc9186d8542e582eb6c2e6b9b9261a60081325ae22371d55836c952d34406826258702122d59da0b527bd30c035efe5a98b6bc1ea3b501cdae0a941e62

Download Submit
C:\Users\AdmiDDDDDDDDDDDDDDDDDDDDDDDD.DDD

Filesize
675KB

MD5
ee50cc380d212ee577d4a92004d1e351

SHA1
2db6dfd6627c9d289020937090ea6441a1591850

SHA256
59369027da21e62cac29fcc1d6f4d480fa97f8f961e001ebaf8ab8e51ac5e490

SHA512
e7e78c5986ec5e8f20151d202437a56ad1a11138dc59754701decee0825bfb73ba4fd146a6e99a174e2551e8b9d5d425f22f2928e0fbe62126853f2900c4175f

Download Submit
C:\Users\Admin\ADDDDDDDDDDDDDDDDDDDDDDDDDD.DDD

Filesize
287KB

MD5
23bf7b6b5943c53761822f0191d2f21b

SHA1
7b92bd70c0db82fbad4c8320345bf6e1847e3ea1

SHA256
8c9bdc19ded77e104e04932c932804bd5a1fcc7fb15d1c21908d3d0f839c6e90

SHA512
d071c3770f0d8f49e976cacf17ff10954c0976892f4cfc8070ccdcafad31ee82c4dc10d74a1e28c0835660c011768ed440c8f273429c0c0e85fb1ff8d9cf5490

Download Submit
C:\Users\Admin\ApDDDDDDDDDDDDDDDDDDDDDDDD.DDD

Filesize
843B

MD5
d469603ce99556193db8e181c0b8a5c9

SHA1
1866d3509bb76cf0e16be1ed479c87a3ccbb494e

SHA256
6c534dd4547b860b74c24a6e375e595413a50179eaeb9c7407f12f648f9b301e

SHA512
abf17d970a548142a59edd46094de77f7b4ae01acc11af1489ffad69271a24e35408a5a1804d79115d7072d3eaca40fc2c6957e7b36fa5405f1d43e951449613

Download Submit
C:\Users\Admin\ApDDDDDDDDDDDDDDDDDDDDDDDDD.DDDD

Filesize
13B

MD5
7cd0f9b38bb5f4a6022794e29941629d

SHA1
555985f5d24ee7d81dbcda907662ca53d91c0bfd

SHA256
6f9e4b20e2ae2e1a42532937ca7caf352002ac20f10651a670948c0b08d4c315

SHA512
6f0ce3f17682acefc469e37525a5bde232d3c3a72a878c13794f6c5756bf79bca5f6f90e55940d8b2883430c35178356e56ec554a7f153f445b9a1cb9cf527cb

Download Submit
C:\Users\Admin\ApDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDD.DDD

Filesize
2KB

MD5
a2432692863c04bb6f39688fa48c4f63

SHA1
901ab37bf750c26e4e51b01d9e64696e40e50517

SHA256
b64703c3d911b819c0cf6ad870edd1124c8ecf45f03d6fa3ca598f4a723adef6

SHA512
7dc6673c197abac9137334933d2d27e7282f210b7e4b897aa67fe5469d3a6689b1e2b3cdf6f10fc7b6d0f9050fb6ed4e3a8caddf5c171c77e48bd30ed0eecc62

Download Submit
C:\Users\Admin\ApDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDD.DDD

Filesize
2KB

MD5
f477a28c3db83733dff78b01bbae9389

SHA1
4f75ad62d0404a5be0b824e6c23df4cf86bacc8f

SHA256
b9a00045c87feab61eb965a1db071a8e6f063ecd799ae2e8008a1454dac29030

SHA512
5fa336f6dadc3b40281cee4393aba1c6239394bdc721920642a56b421377cfe8b1f315818f09ebaa9644cc955e40ac453f9b2bc7f32ea4956f04041ed50bb3af

Download Submit
C:\Users\Admin\ApDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDD.DDDD.DDD

Filesize
569KB

MD5
a9cd0b3d26b64608653ae97e5a4a257c

SHA1
dcc27b1f48dbdc01026e1b5df5dd8d229ba6ef5d

SHA256
9a54a7f277e21af8c516fe0f4a7e351058fd9a47ce21d8be000ccbf5a51c781f

SHA512
d5297a975733455c73dae45ea3b51e7c6080aa65de6685c8caa04dd099dd5d015c72c4b00772d18ba7452bfe218605208d488a1ac645bfb52edbaa7d01d57abc

Download Submit
C:\Users\Admin\ApDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDD.DDD

Filesize
2KB

MD5
7a98e916cffeb3c5f781b31ea5d6b353

SHA1
25efebc485a96dcd138d015ad379d059f7a4690a

SHA256
c381bfae423b9326f9e986aadefa25556725427773c133c6cd5daf959eceb3b4

SHA512
b106986542214464b662483d4964f06bce9cebde4f5a7c5a1506de27bd8cdee3d28abb605f21f5569b701495927f4c64ddde3c6d15820f4585b0b097b2d2ca9a

Download Submit
C:\Users\Admin\ApIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIII.III

Filesize
1KB

MD5
f6da4396fc2d256bf0cbf1d05fdb0f6b

SHA1
838443a47a243f7f0fa619fd152a84878b1b535c

SHA256
e9c64b13841d62bc8b28cd94edb5db66e554d9e268ac04436980bd6a2346951e

SHA512
125b8b8445210f46efb030ea468f98b4a6209757d3f536bc65f8a6a849e8ade0cf6b442555346a3a028c6495f2de52f8ce9175a4a34742902be914a8357bbccb

Download Submit
C:\Users\Admin\AppData\Local\Google\ChrDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDD.DDD

Filesize
184B

MD5
e73cb4b0327dd49b4c30d4210593f13b

SHA1
aa7b7b09c66ba307e07d44d0c4859847b50335fe

SHA256
30a3c9a68ad205f26cb591d374fdf5822968450942ac4f32807804a25bdd6a2f

SHA512
6507f7388cbd2bd7ed14a9eac388e1ab4eaae653b4771b7c0b561be063a139e36a632fdd6d94f561514838a2973df3a6e179f0254756469621c9ea8d272e15eb

Download Submit
C:\Users\Admin\AppData\Local\Google\ChrDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDD.DDD

Filesize
656B

MD5
e0c6bdfd3d68479e62b480d2e4c7589c

SHA1
196362a4e4f5a542fd20946f2f801783b0d468e3

SHA256
b6dae82b238456f96a1240504660ca89a456fa8326b9912daf5c2ec196250c26

SHA512
c97df2f87b6f82197171de11a810978e9a937bc69054c1c8bd03b2adbbe290a82f43d3a15cd1566c3df4bf0e7af699be1f28eba92f6953e6969358b8988a4430

Download Submit
C:\Users\Admin\AppData\Local\Google\ChrDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDD.DDD

Filesize
38B

MD5
713029e317669959c7d976e3c9452513

SHA1
f1922aeb6fb1b129d212ae17e57c0d7232e38ba5

SHA256
ccaf187c508506cee001f2f991c7e7f287061c8d26ba7bc5ca9892da66422d66

SHA512
6e0c06f3d968be1e3c2ccf3eccc937e9bf0b9b4698d3b784329dc44bc87ce046c155a8a269a980f755de879edc9782b4ff3d1ffbd0c1c8668a04c572fbc67602

Download Submit
C:\Users\Admin\AppData\Local\Google\ChroGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGG.GGG

Filesize
186B

MD5
53450ce42a782f3b09325576c5f2e848

SHA1
30b08fa72c623d1112658d32f2b5ea73789d2997

SHA256
9f39dc87c88275e5718a4bc342fc2933ccfa6c6130ee8f887aecbd977a264db5

SHA512
c61ebbf60690dd76286f7dc2ad58cec4a8e13e2583a209fbabd698e31e2d69d3e1e065875ff27f4418bf3fec198748793632d243e8988b28274c25e44c2a5cb0

Download Submit
C:\Users\Admin\AppData\Local\Google\ChroNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN.NNN

Filesize
4KB

MD5
6629922cf27768a10f91aa002ac117d3

SHA1
cd8b07af4da8a10dae728c4b96327973b6127db8

SHA256
f6c676104f74efd34a6daba5740d2a6fdb8a30d17190cdd83991f12ac3372a31

SHA512
bf19d98404e78a421861deb12e3d18d1999bf3d68683dc083a5e161392db8d25225d35ac8b9aa1117484638bbcb1fcb93e251490965481d73f2d2e281edbf9d8

Download Submit
C:\Users\Admin\AppData\Local\Google\ChromDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDD.DDD

Filesize
189B

MD5
b62c19c2de9fbeda559211eea92670c0

SHA1
2bab870eafb4beb490b1ded33f53fb44a352052c

SHA256
ee5eb937ae78b4ffda8adb7bdfebb085f3f0475d1a7f536b61b4cd7750ab4209

SHA512
1eb3c97dce641fbb315c8b979f23e049f16b7dd07163e4a485ef5a792bcd2d758804c8f298e323d5bd0bb309ce63fa4be93b1d450f44e52c3b01b3a4e11933d4

Download Submit
C:\Users\Admin\AppData\Local\Google\ChromeDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDD.DDD

Filesize
190B

MD5
9ab0fe0e0cf3e4b10c54c3d5d2e74548

SHA1
b4080d06e137e7d57374fb2d4506bdd98cd0a111

SHA256
3ba5aa7e514e299ae98f4fc78282ade8f5e26c76fcf9fb4d2ea6bc9c02b1ad78

SHA512
4d7db505f6f69c46955bc541df9989381b115c39e6a5d68193f88098a7903d716d1d2fbcd1f84a7d022d855a17132f86831e32b499e664f7ea13ce05d72300e9

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\DDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDD.DDD

Filesize
193B

MD5
239769bda6b24df17ea93c141fc8c726

SHA1
5c32b60b59895cbbd72869436a5d83836821d0d3

SHA256
b84ab6a91debd4ff4573ecccb5d7a2bdc6fa3f39dd3b691cf116f3aedc53cea8

SHA512
d63183c0341ab9ae4baac884c8360d975742a4fbe91522f5a31bd743f2597db23b1bce46d3a693b1c01e330f686dfe6fc87e39ed770dd7f882eb740ef6332939

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\DDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDD.DDD

Filesize
637B

MD5
86dfb2d0b2436f22394a37357146eec2

SHA1
f919ac2a5b05087eb1c9695a2c4047913502af2b

SHA256
25e11d8ddd1622d8dffaa876304be429421993619f0c2762e469e8c73bb04ca7

SHA512
3d17defc7b9a1a6a050e28de5d920f1feb036b1711826cfe904cc9f7ef57c98b3c5f616ef5fbba60f041cee2fa40b0b5e25ce2869168f08929ecb4ec8d0eca17

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\UseDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDD.DDD

Filesize
198B

MD5
1465d3e5107468fb639e8a03c19a7ffe

SHA1
1889202f25e85297d41f586994a071c272a4f490

SHA256
ab3edcb49f76ae2c1dc60848244b9ab4649a4159c144153d5f9f6e69bf45810a

SHA512
1759d19c0ddac57ff7acb57355adf87db3b28590c5fe8ddb71701baa8eea0de4c063843c1f5e186fb5efef4fb8f3c0479dab1793be0db50bb2194ef7829e973e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\WinMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMM.MMMMMMMMM.MMM

Filesize
32KB

MD5
bfb511ee724a15db5ab23cc70b17ebfd

SHA1
e4525e2d1abc447c16f772e944d528be5bc04a05

SHA256
0411c339030e229ae219003dfb790428d6228d47a58217b4512b0c2a82e491ad

SHA512
748d1b7c6aaaa2dad762a7b09b7d9571c9ba75e0d71723577512e505fe81149e0a0a2dda3e3f3c3dddef3b59d00b8f4fe347bd41e628b6a3f228838060c09073

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\DDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDD.DDDDDDDDDDDDDDDDDDDD.DDD

Filesize
67B

MD5
26dc22fd4ceb82daa74f6a35c1536071

SHA1
7d08583a899e395767ddb9a3a1c335ab39099f9a

SHA256
acc4fa1454b09c41603f8ae99f02b8846c857958f36653cf261ed043276373f8

SHA512
3bfcc232ec8e321527cfad8be65c8e745fe1ca8e5c6d28bcbe352627153c159bd925e5d71658f06e0b70aaf0c51c33d609541d52b1213ef4f5502fba862d5588

Download Submit
C:\Users\Admin\AppData\Local\Temp\scCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCC.CCCC

Filesize
1KB

MD5
1699d405f54e4a819050b1008b089ed3

SHA1
f62169fd5edf3eb95daed49f402fd5df2b2b4bf8

SHA256
59202f945d866f6f4b42dde6310ab1565ed08f12e7ac3b54c46e4f7bea717595

SHA512
c76ecc909b48e8d1ec6de0044983d1b03e9e5473821ef12089502fcdf9405b09a33e47ad8a95db6be6f758077d190ced5d8a861725cf35bfdaa683cc2d4ce537

Download Submit
C:\Users\Admin\AppData\Local\Temp\scZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZ.ZZZZ

Filesize
1KB

MD5
c2e6b366e241ced5fa9446475746230b

SHA1
33d73e8d2306da00bdbe640f2a3179f420b69cfb

SHA256
adfe7b1033da1de0ec60dbd0136d0a1042d57d66521c159982658f28e17def29

SHA512
21c9e0c8b41f813e894254f2307f3d8cd6db856f0d486e9368e11a7e4f28e863c5a3dbe48dbf031f48daaa58adb2b0d142a7f5e985510f1d6a19832211e34b04

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\ProfDDDDDDDDDDDDD.DDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDD.DDDDDDD

Filesize
835B

MD5
121121e1946df595edafb810568d6e42

SHA1
a41c86d9c4f64e74145cfccc7d7a28d241c9cffd

SHA256
a26e34d3b0d2a0dbceda409baacfc76dd1fa1f71e2e87b6e74da51405443b70d

SHA512
0091f78157e47c47e5b2b7f65d40855d7bbe645f55630a2f458488caa89e3fbb71fc2488488ae827da0238551aa46beab7b584b8e4750a421af767c2db3d6224

Download Submit
C:\Users\DDDDDDDDDDDDDD.DDD.DDD

Filesize
1024B

MD5
b92223cdaccf2b1a59c7dc81ba88bb90

SHA1
dd86c85f5c16b78521d8a52dd8a04f9e6a0c3783

SHA256
07188787bbfbd1c807c402e1c08cf2586d22ad95b5a706eb018e3a617b03ae2a

SHA512
9c9e3e29d87f444e8ea65fe1032712f669a6824a7eb565e9b6b45a7ea3896d018c7e996f8ef3200ec4587f087d237ccfe5357c11783c281e858f178d06172b74

Download Submit
C:\WinDDDDDDDDDDDDD.DDD

Filesize
21KB

MD5
63ee7f3fb48c2d2d2cba660a2507ef69

SHA1
5ef224e1654ad0c7bf941a40aab6293794d97ebc

SHA256
0b56b17414c199e98b2e1e9c9fd64ae812f954b3137020a2e57f2118ced42695

SHA512
75fdcc1eb1b9776607df51f3c9c9a455bd23e7783282e064994addc15cca2df7cb715c3dc297bace70e5b13c9c0d6889dfa8910472b8a240dd567e6c5feb6f19

Download Submit
C:\WinDDDDDDDDDDDDDD.DDD

Filesize
1KB

MD5
4a65f728c3b5e06c2e34b038f9baf35e

SHA1
23ad5e310bd222bd3607c9522256945b5fec9673

SHA256
dbfd206d216907bedbeeed08a2bdebde7b25006bdd5850de502f4dc1928b92a3

SHA512
30647ed59ee4f30a5c70abbd0c7855ffd511edfeef4cc4e60c645944dc32c262e51208719993e6c5422797ef18c9e07b8893e8b1fb2837cddf5a4d4310913ee7

Download Submit
C:\WinDDDDDDDDDDDDDDD.DDD

Filesize
2KB

MD5
0c04c6ef99e733d07b9bcd6073a0f8d9

SHA1
1f139c11cf776b40e7d482e2cd926715b4f911bd

SHA256
5401d55254bfe694d0103b0238956ab5b142cecf6c7f758a9fe3dbd553b61052

SHA512
1da7fd7a86b0b9c32169be4bafd67ebcea8a685464ac91319bc12b0c2f8681097d6db7b84cf0faa0d5b00961663d8d42d89becd8c7ba070c74991f7dc191306e

Download Submit
C:\WindoDDDDDDDDDDDDDDD.DDD

Filesize
256KB

MD5
2754e440d2d948a7216acbe80c5bab4e

SHA1
0b23cf8e560699ae0f27d76b01d2db222a5d14d5

SHA256
6a84a6796ca11630ecb0ac58965bb3c3d7d07a3a8ced6c165d2a68606bad6c07

SHA512
7eee4cd945c999671d9f25a309143b240f3521789eda895ccb81da019d0ae3d491147683f939b19c88fdafe739c2ba8afdfb5d6abc9bf9992804caa197d64a8c

Download Submit
C:\WindoDDDDDDDDDDDDDDD.DDD.DDD

Filesize
40KB

MD5
aed187bf1b0606cb800a18cadb3f119f

SHA1
48f19166e5a1ee5bf08c2c87dfc95b248f4ffb03

SHA256
d0fc9299b2166ae3e0f6eebf0353f9e564fa06259ea84df6e054f08f5c757454

SHA512
da4beba78ddd713ca96226a66d76a605af8792d69fb2ac828d7657c525de5f8cbe9a3fefb1d5e6cc954a7aca2370d45a2bb68803e34c26dcdbbe95d54f1dfe8c

Download Submit
C:\WindowDDDDDDDDDDDDDD.DDD

Filesize
130B

MD5
ce4f3e5b6e504fd26917dcdbd41e4513

SHA1
a0b3a0d30cbe7ad05782288a08a6017e55e25ce6

SHA256
4ef80cd279dd765d6d2ae9b6a7feae89d0e4c0b1c060700a9fa454f6399ea038

SHA512
2516ea1a45d8d07586c37373876297aba633877bfe98168c9ead36bd90cc1fd673ee9e6411d9643938e43588e8be326b5b9166840b6049b4e8c456073c154763

Download Submit
C:\WindowDDDDDDDDDDDDDDDD.DDD

Filesize
74KB

MD5
6d6ae035cd39abc91aeec95594b3a13c

SHA1
775472cbd236eafb2965dbcf98131893161baa59

SHA256
682ee783e5148961611c78cd9e38219cd8c7e4d3c2389b96a4b24e1be1b66b3c

SHA512
f4f4990866d01ac95855d7142f1c812062f2fea28a857d6934f62f9a5ef4e466cbd3cfd4ad137a8ecedd75573d6aadf68a45ecf863241ebbbd5b77bdec8cffdd

Download Submit
C:\WindowsCCCCCCCCCCCCCCCCCC.CCC

Filesize
5KB

MD5
de20275aa9d24f85aa29481c0c264f44

SHA1
1f038ebe5ae36b76c30aeedf01e411ea97c004ac

SHA256
1ca39f52f4994de7e9b1a5d35f17ac528e7d7895ae1e372f430218d13808951f

SHA512
1a0d3dbb61eb063c6361963d29070b48d4e00e1190380c4a09375a3f513c7daed56d8c7792046a35ab12074773eb5fa326776a97254da047f5998efe2d2b7fae

Download Submit
C:\WindowsDDDDDDDDDDDD.DDD

Filesize
37KB

MD5
141eb00cb6e2310effacbb07f3c69682

SHA1
8bdf14ed55344f21838398b87cc182c33276edf1

SHA256
03225325ce274034b3d0e74e8eaf56d6a77731ac0ecab9e3fdf33d9fdcf8b572

SHA512
b190886a4472d90647f3b8083f864582f853c84a10ca2814365bd29c593c54c76f847d4a493848895ef21c2caa1e562b2fb1f3f326ef1b78d6c5f04ddbd95b16

Download Submit
C:\WindowsDDDDDDDDDDDDDDDDDDDDDDDDDD.DDD

Filesize
4.6MB

MD5
82ebe230d6d73adbadd0c60e6bd4fd15

SHA1
b515227e209bd7ed46bbdb3ba7896a0589fc6748

SHA256
187a8c6de2a130170ab51df814813ec5f87e88b419acd8e809575772a5ba3113

SHA512
0db84e098751f7726b3076f01946584320c0705f7ecbad5deb0138239218a9bbfc7a8cc26dde7afd63148923e8f41dd534bae7986cfdb3c10c9bc54eaab3c334

Download Submit
C:\WindowsDDDDDDDDDDDDDDDDDDDDDDDDDD.DDD

Filesize
739KB

MD5
902899a779de4abd7bf12736fa93c62d

SHA1
580c21806f5b9885f1e558b9eecf9ec633f04671

SHA256
9d01f611fe4351be3174b00d8cf75f05e0e4a96ea319545804438efca1488d0d

SHA512
36306df6b6ecd356f3cc4d2e527e78c59d1badbdf3a0a0cdeb630a3956b78a068ab551cbd72b631300843cd14261e82f58d4dfe20503babf893f15d47d360294

Download Submit
C:\WindowsHHHHHHHHHHHHHHHHH.HHH

Filesize
920B

MD5
1c00d732161588301af75c2ab98cf70d

SHA1
9ee926fc6194a3a5b495eb4fdc018875efa95519

SHA256
5d3710f6c44df5e54d7e89695fb5be20d2542b5d3186846f80a75070ee486b90

SHA512
9d8677bea83d0f199a975d9592530478ba3afade5c6f4a344937e24238cbe73e9e481f813be6f0b6d867c0221eb3d59a528af65b6f99368e4bd6029ba8bbda67

Download Submit
C:\Windows\CCCCCCCCCCCCCCCCCC.CCC

Filesize
230B

MD5
551a51a5844ec4f646d6c0c5a5b31b70

SHA1
5341216953806d1fc09554add00e71fcd7a55970

SHA256
066a57a34034e97915226508ce5a90af9fe3c0c3658a1774502992f0e17684bf

SHA512
fb98d9ade17d08e3da51c31c77f50fa887aeb1e185f407119a61d3786b9112a3deb69efcfb3c6af57a2467eed0f9c7dd9cd769cc215e3b5b02bba4f83f1afa7a

Download Submit
C:\Windows\Microsoft.NEDDDDDDDDDDDDDD.D.DDDDDDDDDD.DDD

Filesize
256KB

MD5
a5357c1ef2c947fd7a16d1f0a0cb1009

SHA1
62d50dd4f8727b292a0a823fa01f3ffc829fdd7c

SHA256
26c62d78e90b0058124ed813f4699948ab8dac147b37a02c6fac47ec61715d12

SHA512
a96e7501b6e15d07b297808bc1d9082dcb474f5bc3d6f180727d4fbf9aa44fe9031cb2dc722eb2d41b32633a4fa0c05b2e56d78fa5a556e837051a07f9140ddb

Download Submit
C:\Windows\Microsoft.NEDDDDDDDDDDDDDD.D.DDDDDDDDDD.DDD

Filesize
117KB

MD5
0751818d662d6710b0e71de0363aaedc

SHA1
d05bc7253e1f3c857ae1d6ce415f3dc12467c549

SHA256
7e424fb7071023082a31eed9ec37a9ae7141c4cd1764594b6e30819d58d3f576

SHA512
626053be53c091f7a5958c43f92c766d19a35dc78186139d213c91de7d62d62e930fa3cfa317755037e256c5a5edacca02b9d6cdd34a3c010184b36790d4ece3

Download Submit
C:\Windows\Microsoft.NEDDDDDDDDDDDDDD.D.DDDDDDDDDDDDDDDDDD.DDD

Filesize
304B

MD5
c06257ade0386f71b1313100a0102b46

SHA1
d084ac8101b2c60b32ab646f1f96055312e5d431

SHA256
bd6410c923f325feae935b567a789c6ec8b8e7c24e05c04eb5e6583516d672be

SHA512
2ab300f1980e543a3fcd81c3021bc68c0cae8d6f4e3a00ecf4dece30ac1a2f31673db196c926e26fc9e0670f3582490286a9966f79f45708d68d19b50983dbdf

Download Submit
C:\Windows\Microsoft.NETDDDDDDDDDDDDDDD.D.DDDDDDDDDD.DDD

Filesize
107KB

MD5
42035db7783e2b39b9f55afe438c8f39

SHA1
06e559075a878913b88dd5cc9dbc85c9b45c38a7

SHA256
57d18a18735607a3088c130f13f956ec9fff7576e9061c8e6978883b5fbe1f27

SHA512
c72d355a03b6becc48aeda0eaba2fdad8e51178ec637bdd90a8129fc223e75c04f9aa49814d4c671bcfe7a13293e421110b2d19c8a6e4de08ad556c858ca791d

Download Submit
C:\Windows\Microsoft.NETDDDDDDDDDDDDDDD.D.DDDDDDDDDDDDDDDDDD.DDD

Filesize
871KB

MD5
e4667a7305f373be4969970c91d52807

SHA1
2df366de19e80d1c03b938e859572c2a6c547bae

SHA256
e72d64fa8aede7c02dc7d7ed8dff9c02c0578d849593ea02648eacbfd126602a

SHA512
fb55014b61c03ab093ec269c54ffbe1546c9855269530d9e587fbef2093f2d23efc27dc8b48b663724b13a1c79aaf74a8290a01e1f8626ae20b2318c6ac12842

Download Submit
C:\Windows\Microsoft.NETDDDDDDDDDDDDDDD.D.DDDDDDDDDDDDDDDDDD.DDD

Filesize
304B

MD5
133ef810f6d49a3cd0f1ee3ece09c4bd

SHA1
ddf37790f9096e149db33f9042ec7f374056112d

SHA256
ba110686402350a23db1b57f1d01f40b2f7f75063d773a41ecc8c45dbd76a8ed

SHA512
664f2fa78afc61692b25644f443ab88085d477fb0ae83d91c182155ef555f845239099aca2219d1ad4c5ad47b6c00c788a35e1ae76b6bb931e4d9be08ac00ac9

Download Submit
C:\Windows\ServicePrDDDDDDDDDDDDDDDDDDDDDDDDDD.DDD.DDD

Filesize
1024B

MD5
d0e4da8b17c56f8c8ed3ecfbc6da2702

SHA1
2f23f51bfe4a0c279d83da4591497fa46e8b63a9

SHA256
efe1d2f565c5bbedab8af7f6f70c15bb53aacf06713fbfc52a55d16d85e0dbab

SHA512
0ac510bc39e8e2408ad1e4d1b3af36e11f3c1c177e1e37f53428b7e3f4515268bce02f2d192f7b6645424c94b246a1a250049eb94328ef0de42282340913ce46

Download Submit
C:\Windows\SoftwDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDD.DDD

Filesize
526B

MD5
b4aa8b7f06958b4ebfe2c16a9d90a08e

SHA1
25e6ffbcf69122858d09b3ea3d5cbdd697d3d4b5

SHA256
c2fe010ccf1da0cd41ea470b5fbff02aa78a59b39e34826b9a4fb882e29e288f

SHA512
01d3d3221ae8c7a3e4be6b8c9a82eebb36d89db172da1897b3aa213eaaf06dc58dec32cb0481c67c3d847519ef96939bebd4fad9dea4d5424683ab81a698bd1c

Download Submit
C:\Windows\SysWOW64\NoSafeMode.dll

Filesize
12KB

MD5
6bb3bca23fdff5b013863d8423267251

SHA1
2e6b80241d1a9269cc30e13663e6f910a0893450

SHA256
bdb1a0b687ced575e71702b7b4554063e697791bc2b2a286a0e4dfd528739670

SHA512
de6230dfe87df4840314983573c94ce332f5bfe9996de852c6e47844e785a4e7a8e4084a6d9ed1fd4aac78b896d2158a201ff202635c205bf50e2507c1165478

Download Submit
C:\Windows\SysWOW64\cfwin32.dll

Filesize
394KB

MD5
53894890dc01bbcace449f6590a1597b

SHA1
b27c93ef650d79a49150e61cd668b01bee543a30

SHA256
2f3f037b07737101076f50664ea3af10f76970febdcba4bd0e38d5a0eca4f6dd

SHA512
2ab1d894688ba8ee4129c575a116e7d01840d553a3956c3c158921e0794207ae9d0396c4c848c9e6592f40466e893ed19165e5eb34c53e02fe19fb65265c3a5a

Download Submit
C:\Windows\SysWOW64\csrss32.dll

Filesize
172KB

MD5
492e8e81ef6ecd3998c2215d9db3a6da

SHA1
55a457f585172196c2ccc530cd834d421a83276f

SHA256
769371d3a4195187b9fa8b3ee56aa8ff6eb52c6c0d819420ed2ce5d732faae25

SHA512
21b62e018f889cc12e643cd6e1da922e1920f10219cf36e07e439acee62706d1589b337207a6a0566e2dbbd6e266aaa4cf8b95d1f88f60b15349bb20e7901bf5

Download Submit
C:\Windows\SysWOW64\csrss64.dll

Filesize
180KB

MD5
ac281938245639d5298a6c5c395cb7d0

SHA1
7b5db71ea5913cc8056eecb336fdb9f9ad23309c

SHA256
a80e55673477e4bfae1ad75fc00e8ce28fa1af8f78fe51778fb78acf965a3283

SHA512
5f1893a661d323f4932c96467f86621be4a3a3b58a41d00758a300b2075187fd4e31f0d903cbb9418d3dda9809f3143774e7b46bdb34ae63460b24d4c8b55452

Download Submit
C:\Windows\SysWOW64\sdelete.dll

Filesize
152KB

MD5
bc60849f0105976d8afc33731ae50c68

SHA1
90010c2da0343756ce9a37671e69436f478c83b6

SHA256
6e7ca1cc6fd03a1487d876ccd05c411c57ef1687a5c7e6ca007f00e2cb973fe8

SHA512
6555aafa9854c0c42161ec5b938e386d9e6a5fee8d9d63f5134cdf9db59b8630b17a8260ab2b0f921ec343fbbb918481f00c641553ebbf53fe983feaeb1bf380

Download Submit
C:\Windows\SystOOOOOOOOOOOOOOOOOOOOOO.OOO

Filesize
64KB

MD5
843cd182ffc944791e6b20f006978d22

SHA1
07cbf2dae7fdee02f21730725756d0d3da87d2c2

SHA256
e13322afdb8a053cd937c9d9dcc13181f778f887e03a755b9b1862d53767e94b

SHA512
5981a71ad79de79107b7f0bb377851cc3f280da181684bcf7788d6e9e0962331bed434a9bbd55d9b6c2ec57e3dc79dcc9844449c3b9109499741dff72b9a6498

Download Submit
C:\Windows\System32\DDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDD.DDD

Filesize
167KB

MD5
46b63f5062f0daf3308e73c2572022a1

SHA1
f78cfca1d8d214cae4b5731b94051610c298f8cd

SHA256
74006e10c65de866af58b1bfa9c17954541a376ab528df47d8dc6cb5395dee41

SHA512
b3e53d0abc53481d86ac159380860924233537716cef9a0ebc829e52f848630f1380caa892b74938e9dfb14b14895fa6b59cff749e65da5e05517cb53844a291

Download Submit
C:\Windows\System32\DriverStore\FileRepository\prDDDDDD.DDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDD.DDD

Filesize
172KB

MD5
a7ee1a330b3032c02522cbbee75c3cff

SHA1
6c03b5f3feb5fa72508b0e256040232fe46d3b8b

SHA256
11e86a2c433352937b6fc060f76c4f67d42103eb482049ba51cd9b3ff4e640fb

SHA512
07ee4549932993fcdf5fe68330fd03b54b62e2e29a8dd03353f154f7c3dceb994a719f07037b35d802f05432a61b0c58991d38f10eacfda669f28fbf293d7739

Download Submit
C:\Windows\System32\DriverStore\FileRepository\prNNNNNN.NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN.NNN

Filesize
215KB

MD5
4d421932f0d23236fd1bac9619b38c76

SHA1
3923722b2906352d5765954a60813c12ac5f1b7e

SHA256
349a4e1689a7008d13c2ae1fbff442b78418a37f60368b7e6a03284b27f0e79c

SHA512
20403b0b653a7f5751abf52a87305bdfff158f4f83627c71ff041adc6e529577ff539cf83696384555f23f209818505ed35bda705fc5f5a99c6d032f5cdc1bea

Download Submit
C:\Windows\System32\DriverStore\Temp\{DDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDD.DDD

Filesize
8KB

MD5
047115b8406d9a10b992df4881a39ccd

SHA1
850498b61d261eb7baf7855500ea70ee3ea61fca

SHA256
55f58bd2a81f889eba145e6c44e035146ea97b3e0c61668718effa92cd1ab193

SHA512
1e56133776debf0e716f9e5c3ff5bd47eaa2c31a2dfe2cfb409ba1305372f19daf9b0b44473e532e5442ee9672d5d37825712c330872dd9c7746264bede0245e

Download Submit
C:\Windows\System32\catroot\{F750EAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA.A.AAAA.AAAAA.AAA

Filesize
12KB

MD5
df04354b174254a1881d95b6159ea8f3

SHA1
622d59b5b19730359a6b2f8ae7eba404e9f0d82f

SHA256
e251fbadd7f47415cca782f2217f79ecc8026d1b5ad07125e578f42ff9a3591b

SHA512
bb7156aadb103186a7f5aff71439d3ef96f1467a8f84dbd57dd7a920ca4f1e9490b447639c5e73c8338d92b701e4035b536ff99690895939f7c195498ea29c31

Download Submit
C:\Windows\SystemDDDDDDDDDDDDDDDDDDDDDDDDD.DDD.DDD

Filesize
80KB

MD5
74c62367df70f9e580c7de61f76ff2e8

SHA1
6104a3dda0d13bbfbc548cf08468fc9fd8b42865

SHA256
22d86cffac98abffbbdaa3565537165343b51113213ac3e6952b70a9622417ac

SHA512
b1105dac4664a8e868d7e153dd2aa665323099c26b3800eda42b3183de24dd155ec088254ea2c1073e1586c8b75af3ec0cca5f753246197109318218563ab1d6

Download Submit
C:\Windows\SystemDDDDDDDDDDDDDDDDDDDDDDDDDDD.DDD.DDD

Filesize
1024B

MD5
c666770cf300a7c0d75a2beb9b0bb7f0

SHA1
820bd5a516a27b8e6e531aa405c4cd1912b2f92d

SHA256
596f9c93f19b54a9df207fabe37b267496eae826c3e410fdd68053909a76d3c4

SHA512
817ab2de63d17e0322752549662f7f3ac3ba4643a7691555982c16cf3f9d39221266800a083ba8d9eaf44b1a7f16c64a6a634c1041dfcc062bf7163b0546f105

Download Submit
C:\Windows\TeDDDDDDDDDDDDDDDDDDDD.DDD

Filesize
40B

MD5
9a08e0f40e790b954f8b338ac7ea7e86

SHA1
b26b10247bd8ef21a704971ca586512a4e8d7c9c

SHA256
af9b5acf7c73af3f9dc388a4e2f3a513b9a9df35d3441af17103731b8c0502ed

SHA512
b14d6256a7c5481375eb21e27529bdfab017dad6f2b81730b8c96c33aed5eb4df15247142aa95e8c629bc75c202443234ff7a00479267b03215e07d348e304f1

Download Submit
C:\Windows\seDDDDDDDDDDDDDDDDDDD.DDD

Filesize
9KB

MD5
39851de605bc07696468836fb28f80f1

SHA1
1663315ee98d4a0054aebc538777b2e140b26eef

SHA256
08d9e7aafee5309ee3cadb02364f8a9c8c602166301a2991e84a12eef12d0359

SHA512
87d93371890238317ef454f64d66b6a69bbbfccd974921e3e67986698ba5c80727512270e6bd3dea66259afa5ebaa74ca0012ac7db1d599154729eeeac885250

Download Submit
\Windows\SysWOW64\nsf.exe

Filesize
47KB

MD5
e6d58e0a4511695312f13d1b9f154187

SHA1
a23d75e1a3462e66db08f7664683e186c9e8e5fb

SHA256
ff16042183c0ed025c523ea1ae3edd679fd929dfbda0089756186f5bcba5b35b

SHA512
09b154123d8e21a7c93f8d99009e0e322a2ede7f4c8f12bcdebd0078787efb0f9d3b5e43a7b3936b933bd974777fccefbc3af24b834e8cd7137d2931cfeff833

Download Submit
\Windows\SysWOW64\svschost.exe

Filesize
38KB

MD5
4fc8de89c54224746fbdcb486ed92514

SHA1
1ca774ffbb0eead4b4e06a5f13059933af530754

SHA256
ea32a0b440e81208eb10a500ea90855eb413bd2f756a581a1644bdec4453d96b

SHA512
b7479e94ff2183c23df99407b54282d97d1b0aeb32b2c52fbb30ae5ac626ab0641521d03d1f4f2e0b6fcb0c98cc04b61d897f9b450a456e988157cd038823fc1

Download Submit
memory/1056-221-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/1056-217-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/1360-99-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/1360-96-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/1668-226-0x00000000035A0000-0x00000000035C0000-memory.dmp

Filesize
128KB

Download
memory/1668-213-0x00000000035A0000-0x00000000035C0000-memory.dmp

Filesize
128KB

Download
memory/1668-58-0x00000000035A0000-0x00000000035C0000-memory.dmp

Filesize
128KB

Download
memory/1668-47-0x00000000035A0000-0x00000000035C0000-memory.dmp

Filesize
128KB

Download
memory/1668-95-0x00000000035A0000-0x00000000035C0000-memory.dmp

Filesize
128KB

Download
memory/1668-94-0x00000000035A0000-0x00000000035C0000-memory.dmp

Filesize
128KB

Download
memory/1668-93-0x00000000035A0000-0x00000000035C0000-memory.dmp

Filesize
128KB

Download
memory/1668-92-0x00000000035A0000-0x00000000035C0000-memory.dmp

Filesize
128KB

Download
memory/1668-100-0x00000000035A0000-0x00000000035C0000-memory.dmp

Filesize
128KB

Download
memory/1668-101-0x00000000035A0000-0x00000000035C0000-memory.dmp

Filesize
128KB

Download
memory/1668-46-0x00000000035A0000-0x00000000035C0000-memory.dmp

Filesize
128KB

Download
memory/1668-102-0x00000000035A0000-0x00000000035C0000-memory.dmp

Filesize
128KB

Download
memory/1668-48-0x00000000035A0000-0x00000000035C0000-memory.dmp

Filesize
128KB

Download
memory/1668-45-0x00000000035A0000-0x00000000035C0000-memory.dmp

Filesize
128KB

Download
memory/1668-216-0x00000000035A0000-0x00000000035C0000-memory.dmp

Filesize
128KB

Download
memory/1668-215-0x00000000035A0000-0x00000000035C0000-memory.dmp

Filesize
128KB

Download
memory/1668-214-0x00000000035A0000-0x00000000035C0000-memory.dmp

Filesize
128KB

Download
memory/1668-225-0x00000000035A0000-0x00000000035C0000-memory.dmp

Filesize
128KB

Download
memory/1668-224-0x00000000035A0000-0x00000000035C0000-memory.dmp

Filesize
128KB

Download
memory/1668-62-0x00000000035A0000-0x00000000035C0000-memory.dmp

Filesize
128KB

Download
memory/1668-212-0x00000000035A0000-0x00000000035C0000-memory.dmp

Filesize
128KB

Download
memory/1668-223-0x00000000035A0000-0x00000000035C0000-memory.dmp

Filesize
128KB

Download
memory/1668-222-0x00000000035A0000-0x00000000035C0000-memory.dmp

Filesize
128KB

Download
memory/2144-55-0x0000000010000000-0x000000001000C000-memory.dmp

Filesize
48KB

Download
memory/2144-50-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/2144-57-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/2980-5566-0x0000000077070000-0x000000007718F000-memory.dmp

Filesize
1.1MB

Download
memory/2980-5567-0x0000000077190000-0x000000007728A000-memory.dmp

Filesize
1000KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads