General Info

File name

pf.zip

Full analysis
https://app.any.run/tasks/48756484-1224-43e5-b094-537761ec1942
Verdict
Malicious activity
Analysis date
11/22/2020, 13:03:08
OS:
Windows 7 Professional Service Pack 1 (build: 7601, 64 bit)
Indicators:

MIME:
application/zip
File info:
Zip archive data, at least v2.0 to extract
MD5

90b901191fb837ecd03b591d2ceefd9a

SHA1

bf200150dd3f4f61898b44f53f6756c804821094

SHA256

f4c1d831719deff3f583396038b9181b316e509ac410132bfa4ee2334c3121f6

SSDEEP

49152:TmPNJDnvx4+Zf95vAH3W0l79GFmZS0bn3VLIPLS0Le:6Fr4+Zfh0t9RZS0bn3BSB6

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

Software environment set and analysis options

Launch configuration

Task duration
900 seconds
Additional time used
240 seconds
Fakenet option
off
Heavy Evasion option
off
MITM proxy
on
Route via Tor
off
Network geolocation
off
Privacy
Public submission
Autoconfirmation of UAC
on

Software preset

  • Internet Explorer 11.0.9600.18860 KB4052978
  • Adobe Acrobat Reader DC MUI (15.007.20033)
  • Adobe Flash Player 27 ActiveX (27.0.0.187)
  • Adobe Flash Player 27 NPAPI (27.0.0.187)
  • Adobe Flash Player 27 PPAPI (27.0.0.187)
  • CCleaner (5.35)
  • Google Chrome (75.0.3770.100)
  • Google Update Helper (1.3.33.23)
  • Java 8 Update 92 (64-bit) (8.0.920.14)
  • Java Auto Updater (2.8.92.14)
  • Microsoft .NET Framework 4.7.2 (4.7.03062)
  • Microsoft Office Access MUI (English) 2010 (14.0.4763.1000)
  • Microsoft Office Access MUI (French) 2010 (14.0.4763.1000)
  • Microsoft Office Access MUI (German) 2010 (14.0.4763.1000)
  • Microsoft Office Access MUI (Italian) 2010 (14.0.4763.1000)
  • Microsoft Office Access MUI (Japanese) 2010 (14.0.4763.1000)
  • Microsoft Office Access MUI (Korean) 2010 (14.0.4763.1000)
  • Microsoft Office Access MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
  • Microsoft Office Access MUI (Russian) 2010 (14.0.4763.1000)
  • Microsoft Office Access MUI (Spanish) 2010 (14.0.4763.1000)
  • Microsoft Office Access MUI (Turkish) 2010 (14.0.4763.1013)
  • Microsoft Office Access Setup Metadata MUI (English) 2010 (14.0.4763.1000)
  • Microsoft Office Excel MUI (English) 2010 (14.0.4763.1000)
  • Microsoft Office Excel MUI (French) 2010 (14.0.4763.1000)
  • Microsoft Office Excel MUI (German) 2010 (14.0.4763.1000)
  • Microsoft Office Excel MUI (Italian) 2010 (14.0.4763.1000)
  • Microsoft Office Excel MUI (Japanese) 2010 (14.0.4763.1000)
  • Microsoft Office Excel MUI (Korean) 2010 (14.0.4763.1000)
  • Microsoft Office Excel MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
  • Microsoft Office Excel MUI (Russian) 2010 (14.0.4763.1000)
  • Microsoft Office Excel MUI (Spanish) 2010 (14.0.4763.1000)
  • Microsoft Office Excel MUI (Turkish) 2010 (14.0.4763.1013)
  • Microsoft Office Groove MUI (French) 2010 (14.0.4763.1000)
  • Microsoft Office Groove MUI (German) 2010 (14.0.4763.1000)
  • Microsoft Office Groove MUI (Italian) 2010 (14.0.4763.1000)
  • Microsoft Office Groove MUI (Japanese) 2010 (14.0.4763.1000)
  • Microsoft Office Groove MUI (Korean) 2010 (14.0.4763.1000)
  • Microsoft Office Groove MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
  • Microsoft Office Groove MUI (Russian) 2010 (14.0.4763.1000)
  • Microsoft Office Groove MUI (Spanish) 2010 (14.0.4763.1000)
  • Microsoft Office Groove MUI (Turkish) 2010 (14.0.4763.1013)
  • Microsoft Office IME (Japanese) 2010 (14.0.4763.1000)
  • Microsoft Office IME (Korean) 2010 (14.0.4763.1000)
  • Microsoft Office InfoPath MUI (French) 2010 (14.0.4763.1000)
  • Microsoft Office InfoPath MUI (German) 2010 (14.0.4763.1000)
  • Microsoft Office InfoPath MUI (Italian) 2010 (14.0.4763.1000)
  • Microsoft Office InfoPath MUI (Japanese) 2010 (14.0.4763.1000)
  • Microsoft Office InfoPath MUI (Korean) 2010 (14.0.4763.1000)
  • Microsoft Office InfoPath MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
  • Microsoft Office InfoPath MUI (Russian) 2010 (14.0.4763.1000)
  • Microsoft Office InfoPath MUI (Spanish) 2010 (14.0.4763.1000)
  • Microsoft Office InfoPath MUI (Turkish) 2010 (14.0.4763.1013)
  • Microsoft Office Language Pack 2010 - French/Français (14.0.4763.1000)
  • Microsoft Office Language Pack 2010 - German/Deutsch (14.0.4763.1000)
  • Microsoft Office Language Pack 2010 - Italian/Italiano (14.0.4763.1000)
  • Microsoft Office Language Pack 2010 - Japanese/日本語 (14.0.4763.1000)
  • Microsoft Office Language Pack 2010 - Korean/한국어 (14.0.4763.1000)
  • Microsoft Office Language Pack 2010 - Portuguese/Português (Brasil) (14.0.4763.1000)
  • Microsoft Office Language Pack 2010 - Russian/русский (14.0.4763.1000)
  • Microsoft Office Language Pack 2010 - Spanish/Español (14.0.4763.1000)
  • Microsoft Office Language Pack 2010 - Turkish/Türkçe (14.0.4763.1013)
  • Microsoft Office O MUI (French) 2010 (14.0.4763.1000)
  • Microsoft Office O MUI (German) 2010 (14.0.4763.1000)
  • Microsoft Office O MUI (Italian) 2010 (14.0.4763.1000)
  • Microsoft Office O MUI (Japanese) 2010 (14.0.4763.1000)
  • Microsoft Office O MUI (Korean) 2010 (14.0.4763.1000)
  • Microsoft Office O MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
  • Microsoft Office O MUI (Russian) 2010 (14.0.4763.1000)
  • Microsoft Office O MUI (Spanish) 2010 (14.0.4763.1000)
  • Microsoft Office O MUI (Turkish) 2010 (14.0.4763.1013)
  • Microsoft Office Office 32-bit Components 2010 (14.0.4763.1000)
  • Microsoft Office OneNote MUI (English) 2010 (14.0.4763.1000)
  • Microsoft Office OneNote MUI (French) 2010 (14.0.4763.1000)
  • Microsoft Office OneNote MUI (German) 2010 (14.0.4763.1000)
  • Microsoft Office OneNote MUI (Italian) 2010 (14.0.4763.1000)
  • Microsoft Office OneNote MUI (Japanese) 2010 (14.0.4763.1000)
  • Microsoft Office OneNote MUI (Korean) 2010 (14.0.4763.1000)
  • Microsoft Office OneNote MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
  • Microsoft Office OneNote MUI (Russian) 2010 (14.0.4763.1000)
  • Microsoft Office OneNote MUI (Spanish) 2010 (14.0.4763.1000)
  • Microsoft Office OneNote MUI (Turkish) 2010 (14.0.4763.1013)
  • Microsoft Office Outlook MUI (English) 2010 (14.0.4763.1000)
  • Microsoft Office Outlook MUI (French) 2010 (14.0.4763.1000)
  • Microsoft Office Outlook MUI (German) 2010 (14.0.4763.1000)
  • Microsoft Office Outlook MUI (Italian) 2010 (14.0.4763.1000)
  • Microsoft Office Outlook MUI (Japanese) 2010 (14.0.4763.1000)
  • Microsoft Office Outlook MUI (Korean) 2010 (14.0.4763.1000)
  • Microsoft Office Outlook MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
  • Microsoft Office Outlook MUI (Russian) 2010 (14.0.4763.1000)
  • Microsoft Office Outlook MUI (Spanish) 2010 (14.0.4763.1000)
  • Microsoft Office Outlook MUI (Turkish) 2010 (14.0.4763.1013)
  • Microsoft Office PowerPoint MUI (English) 2010 (14.0.4763.1000)
  • Microsoft Office PowerPoint MUI (French) 2010 (14.0.4763.1000)
  • Microsoft Office PowerPoint MUI (German) 2010 (14.0.4763.1000)
  • Microsoft Office PowerPoint MUI (Italian) 2010 (14.0.4763.1000)
  • Microsoft Office PowerPoint MUI (Japanese) 2010 (14.0.4763.1000)
  • Microsoft Office PowerPoint MUI (Korean) 2010 (14.0.4763.1000)
  • Microsoft Office PowerPoint MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
  • Microsoft Office PowerPoint MUI (Russian) 2010 (14.0.4763.1000)
  • Microsoft Office PowerPoint MUI (Spanish) 2010 (14.0.4763.1000)
  • Microsoft Office PowerPoint MUI (Turkish) 2010 (14.0.4763.1013)
  • Microsoft Office Professional 2010 (14.0.4763.1000)
  • Microsoft Office Proof (Arabic) 2010 (14.0.4763.1000)
  • Microsoft Office Proof (Basque) 2010 (14.0.4763.1000)
  • Microsoft Office Proof (Catalan) 2010 (14.0.4763.1000)
  • Microsoft Office Proof (Dutch) 2010 (14.0.4763.1000)
  • Microsoft Office Proof (English) 2010 (14.0.4763.1000)
  • Microsoft Office Proof (French) 2010 (14.0.4763.1000)
  • Microsoft Office Proof (Galician) 2010 (14.0.4763.1000)
  • Microsoft Office Proof (German) 2010 (14.0.4763.1000)
  • Microsoft Office Proof (Italian) 2010 (14.0.4763.1000)
  • Microsoft Office Proof (Japanese) 2010 (14.0.4763.1000)
  • Microsoft Office Proof (Korean) 2010 (14.0.4763.1000)
  • Microsoft Office Proof (Portuguese (Brazil)) 2010 (14.0.4763.1000)
  • Microsoft Office Proof (Russian) 2010 (14.0.4763.1000)
  • Microsoft Office Proof (Spanish) 2010 (14.0.4763.1000)
  • Microsoft Office Proof (Turkish) 2010 (14.0.4763.1013)
  • Microsoft Office Proof (Ukrainian) 2010 (14.0.4763.1000)
  • Microsoft Office Proofing (English) 2010 (14.0.4763.1000)
  • Microsoft Office Proofing (French) 2010 (14.0.4763.1000)
  • Microsoft Office Proofing (German) 2010 (14.0.4763.1000)
  • Microsoft Office Proofing (Italian) 2010 (14.0.4763.1000)
  • Microsoft Office Proofing (Japanese) 2010 (14.0.4763.1000)
  • Microsoft Office Proofing (Korean) 2010 (14.0.4763.1000)
  • Microsoft Office Proofing (Portuguese (Brazil)) 2010 (14.0.4763.1000)
  • Microsoft Office Proofing (Russian) 2010 (14.0.4763.1000)
  • Microsoft Office Proofing (Spanish) 2010 (14.0.4763.1000)
  • Microsoft Office Proofing (Turkish) 2010 (14.0.4763.1013)
  • Microsoft Office Publisher MUI (English) 2010 (14.0.4763.1000)
  • Microsoft Office Publisher MUI (French) 2010 (14.0.4763.1000)
  • Microsoft Office Publisher MUI (German) 2010 (14.0.4763.1000)
  • Microsoft Office Publisher MUI (Italian) 2010 (14.0.4763.1000)
  • Microsoft Office Publisher MUI (Japanese) 2010 (14.0.4763.1000)
  • Microsoft Office Publisher MUI (Korean) 2010 (14.0.4763.1000)
  • Microsoft Office Publisher MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
  • Microsoft Office Publisher MUI (Russian) 2010 (14.0.4763.1000)
  • Microsoft Office Publisher MUI (Spanish) 2010 (14.0.4763.1000)
  • Microsoft Office Publisher MUI (Turkish) 2010 (14.0.4763.1013)
  • Microsoft Office SharePoint Designer MUI (French) 2010 (14.0.4763.1000)
  • Microsoft Office SharePoint Designer MUI (German) 2010 (14.0.4763.1000)
  • Microsoft Office SharePoint Designer MUI (Italian) 2010 (14.0.4763.1000)
  • Microsoft Office SharePoint Designer MUI (Japanese) 2010 (14.0.4763.1000)
  • Microsoft Office SharePoint Designer MUI (Korean) 2010 (14.0.4763.1000)
  • Microsoft Office SharePoint Designer MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
  • Microsoft Office SharePoint Designer MUI (Russian) 2010 (14.0.4763.1000)
  • Microsoft Office SharePoint Designer MUI (Spanish) 2010 (14.0.4763.1000)
  • Microsoft Office SharePoint Designer MUI (Turkish) 2010 (14.0.4763.1013)
  • Microsoft Office Shared 32-bit MUI (English) 2010 (14.0.4763.1000)
  • Microsoft Office Shared 32-bit MUI (French) 2010 (14.0.4763.1000)
  • Microsoft Office Shared 32-bit MUI (German) 2010 (14.0.4763.1000)
  • Microsoft Office Shared 32-bit MUI (Italian) 2010 (14.0.4763.1000)
  • Microsoft Office Shared 32-bit MUI (Japanese) 2010 (14.0.4763.1000)
  • Microsoft Office Shared 32-bit MUI (Korean) 2010 (14.0.4763.1000)
  • Microsoft Office Shared 32-bit MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
  • Microsoft Office Shared 32-bit MUI (Russian) 2010 (14.0.4763.1000)
  • Microsoft Office Shared 32-bit MUI (Spanish) 2010 (14.0.4763.1000)
  • Microsoft Office Shared 32-bit MUI (Turkish) 2010 (14.0.4763.1013)
  • Microsoft Office Shared MUI (English) 2010 (14.0.4763.1000)
  • Microsoft Office Shared MUI (French) 2010 (14.0.4763.1000)
  • Microsoft Office Shared MUI (German) 2010 (14.0.4763.1000)
  • Microsoft Office Shared MUI (Italian) 2010 (14.0.4763.1000)
  • Microsoft Office Shared MUI (Japanese) 2010 (14.0.4763.1000)
  • Microsoft Office Shared MUI (Korean) 2010 (14.0.4763.1000)
  • Microsoft Office Shared MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
  • Microsoft Office Shared MUI (Russian) 2010 (14.0.4763.1000)
  • Microsoft Office Shared MUI (Spanish) 2010 (14.0.4763.1000)
  • Microsoft Office Shared MUI (Turkish) 2010 (14.0.4763.1013)
  • Microsoft Office Shared Setup Metadata MUI (English) 2010 (14.0.4763.1000)
  • Microsoft Office Single Image 2010 (14.0.4763.1000)
  • Microsoft Office Word MUI (English) 2010 (14.0.4763.1000)
  • Microsoft Office Word MUI (French) 2010 (14.0.4763.1000)
  • Microsoft Office Word MUI (German) 2010 (14.0.4763.1000)
  • Microsoft Office Word MUI (Italian) 2010 (14.0.4763.1000)
  • Microsoft Office Word MUI (Japanese) 2010 (14.0.4763.1000)
  • Microsoft Office Word MUI (Korean) 2010 (14.0.4763.1000)
  • Microsoft Office Word MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
  • Microsoft Office Word MUI (Russian) 2010 (14.0.4763.1000)
  • Microsoft Office Word MUI (Spanish) 2010 (14.0.4763.1000)
  • Microsoft Office Word MUI (Turkish) 2010 (14.0.4763.1013)
  • Microsoft Office X MUI (French) 2010 (14.0.4763.1000)
  • Microsoft Office X MUI (German) 2010 (14.0.4763.1000)
  • Microsoft Office X MUI (Italian) 2010 (14.0.4763.1000)
  • Microsoft Office X MUI (Japanese) 2010 (14.0.4763.1000)
  • Microsoft Office X MUI (Korean) 2010 (14.0.4763.1000)
  • Microsoft Office X MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
  • Microsoft Office X MUI (Russian) 2010 (14.0.4763.1000)
  • Microsoft Office X MUI (Spanish) 2010 (14.0.4763.1000)
  • Microsoft Office X MUI (Turkish) 2010 (14.0.4763.1013)
  • Microsoft Visual C++ 2005 Redistributable (x64) (8.0.61000)
  • Microsoft Visual C++ 2008 Redistributable - x64 9.0.30729.6161 (9.0.30729.6161)
  • Microsoft Visual C++ 2010 x64 Redistributable - 10.0.40219 (10.0.40219)
  • Microsoft Visual C++ 2012 Redistributable (x64) - 11.0.61030 (11.0.61030.0)
  • Microsoft Visual C++ 2012 x64 Additional Runtime - 11.0.61030 (11.0.61030)
  • Microsoft Visual C++ 2012 x64 Minimum Runtime - 11.0.61030 (11.0.61030)
  • Microsoft Visual C++ 2013 Redistributable (x64) - 12.0.30501 (12.0.30501.0)
  • Microsoft Visual C++ 2013 x64 Additional Runtime - 12.0.21005 (12.0.21005)
  • Microsoft Visual C++ 2013 x64 Minimum Runtime - 12.0.21005 (12.0.21005)
  • Microsoft Visual C++ 2015-2019 Redistributable (x64) - 14.21.27702 (14.21.27702.2)
  • Microsoft Visual C++ 2015-2019 Redistributable (x86) - 14.21.27702 (14.21.27702.2)
  • Microsoft Visual C++ 2019 X64 Additional Runtime - 14.21.27702 (14.21.27702)
  • Microsoft Visual C++ 2019 X64 Minimum Runtime - 14.21.27702 (14.21.27702)
  • Microsoft Visual C++ 2019 X86 Additional Runtime - 14.21.27702 (14.21.27702)
  • Microsoft Visual C++ 2019 X86 Minimum Runtime - 14.21.27702 (14.21.27702)
  • Mozilla Firefox 67.0.4 (x64 en-US) (67.0.4)
  • Mozilla Maintenance Service (67.0.4)
  • Notepad++ (64-bit x64) (7.5.1)
  • Opera 12.15 (12.15.1748)
  • Skype™ 7.39 (7.39.102)
  • Update for Microsoft .NET Framework 4.7.2 (KB4087364) (1)
  • VLC media player (2.2.6)
  • WinRAR 5.60 (64-bit) (5.60.0)
  • srvpost (2.12.72)

Hotfixes

  • Client LanguagePack Package
  • Client Refresh LanguagePack Package
  • CodecPack Basic Package
  • Foundation Package
  • IE Hyphenation Parent Package English
  • IE Spelling Parent Package English
  • IE Troubleshooters Package
  • InternetExplorer Optional Package
  • InternetExplorer Package TopLevel
  • KB2479943
  • KB2491683
  • KB2506014
  • KB2506212
  • KB2506928
  • KB2509553
  • KB2532531
  • KB2533552
  • KB2534111
  • KB2545698
  • KB2547666
  • KB2552343
  • KB2560656
  • KB2563227
  • KB2564958
  • KB2579686
  • KB2585542
  • KB2585542 SP1
  • KB2598845
  • KB2603229
  • KB2604115
  • KB2620704
  • KB2621440
  • KB2631813
  • KB2640148
  • KB2653956
  • KB2654428
  • KB2656356
  • KB2656356 SP1
  • KB2660075
  • KB2667402
  • KB2685811
  • KB2685813
  • KB2685939
  • KB2690533
  • KB2698365
  • KB2705219
  • KB2706045
  • KB2719857
  • KB2726535
  • KB2727528
  • KB2729094
  • KB2729452
  • KB2732059
  • KB2732487
  • KB2736422
  • KB2742599
  • KB2750841
  • KB2758857
  • KB2761217
  • KB2763523
  • KB2770660
  • KB2773072
  • KB2786081
  • KB2789645
  • KB2789645 SP1
  • KB2791765
  • KB2799926
  • KB2800095
  • KB2807986
  • KB2808679
  • KB2813430
  • KB2834140
  • KB2836942
  • KB2836943
  • KB2840631
  • KB2843630
  • KB2847927
  • KB2852386
  • KB2853952
  • KB2861698
  • KB2862152
  • KB2862330
  • KB2862335
  • KB2864202
  • KB2868038
  • KB2871997
  • KB2884256
  • KB2888049
  • KB2891804
  • KB2892074
  • KB2893294
  • KB2893519
  • KB2894844
  • KB2900986
  • KB2908783
  • KB2911501
  • KB2912390
  • KB2918077
  • KB2919469
  • KB2931356
  • KB2937610
  • KB2943357
  • KB2952664
  • KB2966583
  • KB2968294
  • KB2970228
  • KB2972100
  • KB2972211
  • KB2973112
  • KB2973201
  • KB2973351
  • KB2977292
  • KB2978120
  • KB2978742
  • KB2984972
  • KB2985461
  • KB2991963
  • KB2992611
  • KB3003743
  • KB3004361
  • KB3004375
  • KB3006121
  • KB3006137
  • KB3010788
  • KB3011780
  • KB3013531
  • KB3019978
  • KB3020370
  • KB3021674
  • KB3021917
  • KB3022777
  • KB3023215
  • KB3030377
  • KB3031432
  • KB3035126
  • KB3035132
  • KB3037574
  • KB3042058
  • KB3045685
  • KB3046017
  • KB3046269
  • KB3054476
  • KB3055642
  • KB3059317
  • KB3060716
  • KB3067903
  • KB3068708
  • KB3071756
  • KB3072305
  • KB3074543
  • KB3075220
  • KB3076895
  • KB3078601
  • KB3078667
  • KB3080149
  • KB3084135
  • KB3086255
  • KB3092601
  • KB3092627
  • KB3093513
  • KB3097989
  • KB3101722
  • KB3107998
  • KB3108371
  • KB3108381
  • KB3108664
  • KB3109103
  • KB3109560
  • KB3110329
  • KB3115858
  • KB3115858 SP1
  • KB3122648
  • KB3124275
  • KB3126587
  • KB3127220
  • KB3133977
  • KB3137061
  • KB3138378
  • KB3138612
  • KB3138910
  • KB3139398
  • KB3139914
  • KB3140245
  • KB3147071
  • KB3150220
  • KB3155178
  • KB3156016
  • KB3156019
  • KB3159398
  • KB3161102
  • KB3161949
  • KB3161958
  • KB3170735
  • KB3170735 SP1
  • KB3172605
  • KB3177467
  • KB3179573
  • KB3184143
  • KB4019990
  • KB4040980
  • KB976902
  • KB982018
  • LocalPack AU Package
  • LocalPack CA Package
  • LocalPack GB Package
  • LocalPack US Package
  • LocalPack ZA Package
  • Package 1 for KB2656356
  • Package 1 for KB2789645
  • Package 1 for KB3115858
  • Package 1 for KB3170735
  • Package 2 for KB2585542
  • Package 2 for KB2656356
  • Package 2 for KB2789645
  • Package 2 for KB3115858
  • Package 2 for KB3170735
  • Package 3 for KB2585542
  • Package 3 for KB2656356
  • Package 4 for KB2656356
  • Package 4 for KB2789645
  • Package 5 for KB2656356
  • Package 7 for KB2656356
  • PlatformUpdate Win7 SRV08R2 Package TopLevel
  • ProfessionalEdition
  • RollupFix
  • UltimateEdition
  • WUClient SelfUpdate ActiveX
  • WUClient SelfUpdate Aux TopLevel
  • WUClient SelfUpdate Core TopLevel

Behavior activities

Severity categories: MALICIOUS, SUSPICIOUS, INFO
Loads the Task Scheduler COM API
  • sppsvc.exe (PID: 1104)
Application was injected by another process
  • svchost.exe (PID: 1028)
  • winlogon.exe (PID: 372)
  • svchost.exe (PID: 456)
  • svchost.exe (PID: 424)
Loads dropped or rewritten executable
  • svchost.exe (PID: 456)
  • services.exe (PID: 644)
Uses SVCHOST.EXE for hidden code execution
  • svchost.exe (PID: 1028)
Runs injected code in another process
  • svchost.exe (PID: 456)
  • svchost.exe (PID: 460)
  • services.exe (PID: 644)
Disables Windows Defender
  • msiexec.exe (PID: 2964)
Low-level read access rights to disk partition
  • svchost.exe (PID: 424)
Creates files in the Windows directory
  • mscorsvw.exe (PID: 2824)
  • svchost.exe (PID: 1028)
  • svchost.exe (PID: 456)
  • mscorsvw.exe (PID: 1944)
  • svchost.exe (PID: 424)
  • msiexec.exe (PID: 2964)
  • WMIADAP.EXE (PID: 2004)
Removes files from Windows directory
  • svchost.exe (PID: 424)
  • svchost.exe (PID: 456)
  • svchost.exe (PID: 1028)
  • WMIADAP.EXE (PID: 2004)
Creates or modifies windows services
  • svchost.exe (PID: 456)
  • netsh.exe (PID: 2056)
Creates files in the driver directory
  • svchost.exe (PID: 456)
Drops a file with too old compile date
  • svchost.exe (PID: 456)
Drops a file that was compiled in debug mode
  • svchost.exe (PID: 456)
  • msiexec.exe (PID: 2964)
Creates files in the user directory
  • powershell.exe (PID: 3000)
Executable content was dropped or overwritten
  • msiexec.exe (PID: 2964)
  • WinRAR.exe (PID: 2696)
Starts SC.EXE for service management
  • services.exe (PID: 644)
Reads Environment values
  • MsiExec.exe (PID: 1352)
Executes PowerShell scripts
  • MsiExec.exe (PID: 1736)
Uses NETSH.EXE for network configuration
  • MsiExec.exe (PID: 1736)
Creates a directory in Program Files
  • msiexec.exe (PID: 2964)
Loads dropped or rewritten executable
  • MsiExec.exe (PID: 1352)
Manual execution by user
  • msiexec.exe (PID: 2176)

Find more information about signature artifacts and their mapping to the MITRE ATT&CK™ MATRIX in the full report.

Static information

TRiD
.zip | ZIP compressed archive (100%)
EXIF
ZIP
ZipRequiredVersion:
20
ZipBitFlag:
null
ZipCompression:
Deflated
ZipModifyDate:
2020:11:22 21:38:19
ZipCRC:
0xdc9b30a2
ZipCompressedSize:
1885603
ZipUncompressedSize:
1920389
ZipFileName:
M0021.cab

Processes

Total processes
165
Monitored processes
53
Malicious processes
8
Suspicious processes
0

Behavior graph

[Behavior graph: process tree rendered as an image on the original page. Nodes shown, in order: winrar.exe, msiexec.exe (several instances), netsh.exe (many instances), takeown.exe and cacls.exe (four pairs), powershell.exe, services.exe, svchost.exe (several instances), taskhost.exe, winlogon.exe, mscorsvw.exe (two instances), sppsvc.exe, powercfg.exe, sc.exe, wmiadap.exe. Nodes marked "no specs" carry no specification indicators; see the Specs description below.]
Specs description
Program did not start
Integrity level elevation
Task contains an error or was rebooted
Process has crashed
Task contains several apps running
Executable file was dropped
Debug information is available
Process was injected
Network attacks were detected
Application downloaded the executable file
Actions similar to stealing personal data
Behavior similar to exploiting the vulnerability
Inspected object has suspicious PE structure
File is detected by antivirus software
CPU overrun
RAM overrun
Process starts the services
Process was added to the startup
Behavior similar to spam
Low-level access to the HDD
Probably Tor was used
System was rebooted
Connects to the network
Known threat

Process information

PID
2696
CMD
"C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\Desktop\pf.zip"
Path
C:\Program Files\WinRAR\WinRAR.exe
Indicators
Parent process
––
User
admin
Integrity Level
MEDIUM
Exit code
0
Version:
Company
Alexander Roshal
Description
WinRAR archiver
Version
5.60.0
Modules
Image
c:\program files\winrar\winrar.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\comdlg32.dll
c:\windows\system32\shlwapi.dll
c:\windows\winsxs\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.18837_none_fa3b1e3d17594757\comctl32.dll
c:\windows\system32\shell32.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\ole32.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\powrprof.dll
c:\windows\system32\setupapi.dll
c:\windows\system32\cfgmgr32.dll
c:\windows\system32\devobj.dll
c:\windows\system32\uxtheme.dll
c:\windows\winsxs\amd64_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.23894_none_145eb2808b8d6928\gdiplus.dll
c:\windows\system32\msimg32.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\api-ms-win-core-synch-l1-2-0.dll
c:\windows\system32\cryptbase.dll
c:\windows\system32\clbcatq.dll
c:\windows\system32\propsys.dll
c:\windows\system32\ntmarta.dll
c:\windows\system32\wldap32.dll
c:\windows\system32\riched20.dll
c:\windows\system32\ime\imejp10\imjptip.dll
c:\windows\system32\oleacc.dll
c:\windows\system32\imjp10k.dll
c:\windows\system32\ime\shared\imetip.dll
c:\windows\system32\ime\shared\imecfm.dll
c:\windows\system32\ime\imejp10\imjpapi.dll
c:\windows\system32\version.dll
c:\windows\system32\ime\shared\imjkapi.dll
c:\program files\common files\microsoft shared\ink\tiptsf.dll
c:\windows\system32\windowscodecs.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\ehstorshell.dll
c:\windows\system32\cscui.dll
c:\windows\system32\cscdll.dll
c:\windows\system32\cscapi.dll
c:\windows\system32\ntshrui.dll
c:\windows\system32\srvcli.dll
c:\windows\system32\slc.dll
c:\windows\system32\imageres.dll
c:\windows\system32\mpr.dll
c:\windows\system32\drprov.dll
c:\windows\system32\winsta.dll
c:\windows\system32\ntlanman.dll
c:\windows\system32\davclnt.dll
c:\windows\system32\davhlpr.dll
c:\windows\system32\wkscli.dll
c:\windows\system32\netutils.dll
c:\windows\system32\wpdshext.dll
c:\windows\system32\winmm.dll
c:\windows\system32\portabledeviceapi.dll
c:\windows\system32\wintrust.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\msasn1.dll
c:\windows\system32\ehstorapi.dll
c:\windows\system32\shdocvw.dll
c:\windows\system32\secur32.dll
c:\windows\system32\sspicli.dll
c:\windows\system32\samcli.dll
c:\windows\system32\samlib.dll
c:\windows\system32\profapi.dll
c:\windows\system32\msimsg.dll
c:\windows\system32\msiexec.exe
c:\windows\system32\cryptsp.dll
c:\windows\system32\rsaenh.dll
c:\windows\system32\rpcrtremote.dll
c:\windows\system32\explorerframe.dll
c:\windows\system32\duser.dll
c:\windows\system32\dui70.dll

PID
2176
CMD
"C:\Windows\System32\msiexec.exe" /i "C:\Users\admin\Desktop\6.msi"
Path
C:\Windows\System32\msiexec.exe
Indicators
No indicators
Parent process
––
User
admin
Integrity Level
MEDIUM
Exit code
0
Version:
Company
Microsoft Corporation
Description
Windows® installer
Version
5.0.7600.16385 (win7_rtm.090713-1255)
Modules
Image
c:\windows\system32\msiexec.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\ole32.dll
c:\windows\system32\msi.dll
c:\windows\system32\shell32.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\apphelp.dll
c:\windows\apppatch\apppatch64\aclayers.dll
c:\windows\system32\winspool.drv
c:\windows\system32\mpr.dll
c:\windows\apppatch\apppatch64\acgenral.dll
c:\windows\system32\sspicli.dll
c:\windows\system32\sfc.dll
c:\windows\system32\sfc_os.dll
c:\windows\system32\userenv.dll
c:\windows\system32\profapi.dll
c:\windows\system32\dwmapi.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\winsxs\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.18837_none_fa3b1e3d17594757\comctl32.dll
c:\windows\system32\cryptsp.dll
c:\windows\system32\rsaenh.dll
c:\windows\system32\cryptbase.dll
c:\windows\system32\msimsg.dll
c:\windows\system32\uxtheme.dll
c:\windows\system32\clbcatq.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\ime\imejp10\imjptip.dll
c:\windows\system32\oleacc.dll
c:\windows\system32\imjp10k.dll
c:\windows\system32\ime\shared\imetip.dll
c:\windows\system32\ime\shared\imecfm.dll
c:\windows\system32\ime\imejp10\imjpapi.dll
c:\windows\system32\version.dll
c:\windows\system32\ime\shared\imjkapi.dll
c:\windows\system32\propsys.dll
c:\windows\system32\netapi32.dll
c:\windows\system32\netutils.dll
c:\windows\system32\srvcli.dll
c:\windows\system32\wkscli.dll
c:\windows\system32\rpcrtremote.dll
c:\windows\system32\sxs.dll
c:\windows\system32\mscoree.dll
c:\windows\microsoft.net\framework64\v4.0.30319\mscoreei.dll
c:\windows\microsoft.net\framework64\v4.0.30319\clr.dll
c:\windows\microsoft.net\framework64\v4.0.30319\fusion.dll

PID
2964
CMD
C:\Windows\system32\msiexec.exe /V
Path
C:\Windows\system32\msiexec.exe
Indicators
Parent process
––
User
SYSTEM
Integrity Level
SYSTEM
Exit code
0
Version:
Company
Microsoft Corporation
Description
Windows® installer
Version
5.0.7600.16385 (win7_rtm.090713-1255)
Modules
Image
c:\windows\system32\msiexec.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\ole32.dll
c:\windows\system32\msi.dll
c:\windows\system32\shell32.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\apphelp.dll
c:\windows\apppatch\apppatch64\aclayers.dll
c:\windows\system32\winspool.drv
c:\windows\system32\mpr.dll
c:\windows\apppatch\apppatch64\acgenral.dll
c:\windows\system32\sspicli.dll
c:\windows\system32\sfc.dll
c:\windows\system32\sfc_os.dll
c:\windows\system32\userenv.dll
c:\windows\system32\profapi.dll
c:\windows\system32\dwmapi.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\winsxs\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.18837_none_fa3b1e3d17594757\comctl32.dll
c:\windows\system32\cryptbase.dll
c:\windows\system32\clbcatq.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\cryptsp.dll
c:\windows\system32\rsaenh.dll
c:\windows\system32\rpcrtremote.dll
c:\windows\system32\msimsg.dll
c:\windows\system32\netapi32.dll
c:\windows\system32\netutils.dll
c:\windows\system32\srvcli.dll
c:\windows\system32\wkscli.dll
c:\windows\system32\version.dll
c:\windows\system32\sxs.dll
c:\windows\system32\mscoree.dll
c:\windows\microsoft.net\framework64\v4.0.30319\mscoreei.dll
c:\windows\microsoft.net\framework64\v4.0.30319\clr.dll
c:\windows\microsoft.net\framework64\v4.0.30319\fusion.dll
c:\windows\system32\rstrtmgr.dll
c:\windows\system32\ncrypt.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\msasn1.dll
c:\windows\system32\bcryptprimitives.dll
c:\windows\system32\ntmarta.dll
c:\windows\system32\wldap32.dll
c:\windows\system32\setupapi.dll
c:\windows\system32\cfgmgr32.dll
c:\windows\system32\devobj.dll
c:\windows\system32\devrtl.dll
c:\windows\system32\cabinet.dll

PID
1352
CMD
C:\Windows\syswow64\MsiExec.exe -Embedding DF0FF1F891B6A720E9C78151C2592EF3
Path
C:\Windows\syswow64\MsiExec.exe
Indicators
Parent process
msiexec.exe
User
admin
Integrity Level
MEDIUM
Exit code
0
Version:
Company
Microsoft Corporation
Description
Windows® installer
Version
5.0.7600.16385 (win7_rtm.090713-1255)
Modules
Image
c:\windows\syswow64\msiexec.exe
c:\systemroot\system32\ntdll.dll
c:\systemroot\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\user32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\advapi32.dll
c:\windows\syswow64\msvcrt.dll
c:\windows\syswow64\sechost.dll
c:\windows\syswow64\rpcrt4.dll
c:\windows\syswow64\sspicli.dll
c:\windows\syswow64\cryptbase.dll
c:\windows\syswow64\user32.dll
c:\windows\syswow64\gdi32.dll
c:\windows\syswow64\lpk.dll
c:\windows\syswow64\usp10.dll
c:\windows\syswow64\ole32.dll
c:\windows\syswow64\msi.dll
c:\windows\syswow64\shell32.dll
c:\windows\syswow64\shlwapi.dll
c:\windows\syswow64\apphelp.dll
c:\windows\apppatch\aclayers.dll
c:\windows\syswow64\oleaut32.dll
c:\windows\syswow64\userenv.dll
c:\windows\syswow64\profapi.dll
c:\windows\syswow64\winspool.drv
c:\windows\syswow64\mpr.dll
c:\windows\apppatch\acgenral.dll
c:\windows\syswow64\uxtheme.dll
c:\windows\syswow64\winmm.dll
c:\windows\syswow64\samcli.dll
c:\windows\syswow64\msacm32.dll
c:\windows\syswow64\version.dll
c:\windows\syswow64\sfc.dll
c:\windows\syswow64\sfc_os.dll
c:\windows\syswow64\dwmapi.dll
c:\windows\syswow64\setupapi.dll
c:\windows\syswow64\cfgmgr32.dll
c:\windows\syswow64\devobj.dll
c:\windows\syswow64\urlmon.dll
c:\windows\syswow64\api-ms-win-downlevel-ole32-l1-1-0.dll
c:\windows\syswow64\api-ms-win-downlevel-shlwapi-l1-1-0.dll
c:\windows\syswow64\api-ms-win-downlevel-advapi32-l1-1-0.dll
c:\windows\syswow64\api-ms-win-downlevel-user32-l1-1-0.dll
c:\windows\syswow64\api-ms-win-downlevel-version-l1-1-0.dll
c:\windows\syswow64\api-ms-win-downlevel-normaliz-l1-1-0.dll
c:\windows\syswow64\normaliz.dll
c:\windows\syswow64\iertutil.dll
c:\windows\syswow64\wininet.dll
c:\windows\syswow64\imm32.dll
c:\windows\syswow64\msctf.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.18837_none_41e855142bd5705d\comctl32.dll
c:\windows\syswow64\clbcatq.dll
c:\windows\syswow64\cryptsp.dll
c:\windows\syswow64\rsaenh.dll
c:\windows\syswow64\rpcrtremote.dll
c:\windows\installer\msi6934.tmp
c:\windows\syswow64\ws2_32.dll
c:\windows\syswow64\nsi.dll
c:\windows\syswow64\netapi32.dll
c:\windows\syswow64\netutils.dll
c:\windows\syswow64\srvcli.dll
c:\windows\syswow64\wkscli.dll
c:\windows\syswow64\logoncli.dll
c:\windows\syswow64\iphlpapi.dll
c:\windows\syswow64\winnsi.dll
c:\windows\syswow64\comdlg32.dll
c:\windows\syswow64\api-ms-win-core-synch-l1-2-0.dll
c:\windows\installer\msi6cdf.tmp
c:\windows\installer\msi6d0f.tmp
c:\windows\installer\msi6d2f.tmp

PID
1736
CMD
C:\Windows\syswow64\MsiExec.exe -Embedding 38C4768EC0B229C089DC8CDB53D4BAF7 E Global\MSI0000
Path
C:\Windows\syswow64\MsiExec.exe
Indicators
No indicators
Parent process
msiexec.exe
User
SYSTEM
Integrity Level
SYSTEM
Exit code
0
Version:
Company
Microsoft Corporation
Description
Windows® installer
Version
5.0.7600.16385 (win7_rtm.090713-1255)
Modules
Image
c:\windows\syswow64\msiexec.exe
c:\systemroot\system32\ntdll.dll
c:\systemroot\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\system32\kernel32.dll
c:\windows\syswow64\kernel32.dll
c:\windows\system32\user32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\advapi32.dll
c:\windows\syswow64\msvcrt.dll
c:\windows\syswow64\sechost.dll
c:\windows\syswow64\rpcrt4.dll
c:\windows\syswow64\sspicli.dll
c:\windows\syswow64\cryptbase.dll
c:\windows\syswow64\user32.dll
c:\windows\syswow64\gdi32.dll
c:\windows\syswow64\lpk.dll
c:\windows\syswow64\usp10.dll
c:\windows\syswow64\ole32.dll
c:\windows\syswow64\msi.dll
c:\windows\syswow64\shell32.dll
c:\windows\syswow64\shlwapi.dll
c:\windows\syswow64\apphelp.dll
c:\windows\apppatch\aclayers.dll
c:\windows\syswow64\oleaut32.dll
c:\windows\syswow64\userenv.dll
c:\windows\syswow64\profapi.dll
c:\windows\syswow64\winspool.drv
c:\windows\syswow64\mpr.dll
c:\windows\apppatch\acgenral.dll
c:\windows\syswow64\uxtheme.dll
c:\windows\syswow64\winmm.dll
c:\windows\syswow64\samcli.dll
c:\windows\syswow64\msacm32.dll
c:\windows\syswow64\version.dll
c:\windows\syswow64\sfc.dll
c:\windows\syswow64\sfc_os.dll
c:\windows\syswow64\dwmapi.dll
c:\windows\syswow64\setupapi.dll
c:\windows\syswow64\cfgmgr32.dll
c:\windows\syswow64\devobj.dll
c:\windows\syswow64\urlmon.dll
c:\windows\syswow64\api-ms-win-downlevel-ole32-l1-1-0.dll
c:\windows\syswow64\api-ms-win-downlevel-shlwapi-l1-1-0.dll
c:\windows\syswow64\api-ms-win-downlevel-advapi32-l1-1-0.dll
c:\windows\syswow64\api-ms-win-downlevel-user32-l1-1-0.dll
c:\windows\syswow64\api-ms-win-downlevel-version-l1-1-0.dll
c:\windows\syswow64\api-ms-win-downlevel-normaliz-l1-1-0.dll
c:\windows\syswow64\normaliz.dll
c:\windows\syswow64\iertutil.dll
c:\windows\syswow64\wininet.dll
c:\windows\syswow64\imm32.dll
c:\windows\syswow64\msctf.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.18837_none_41e855142bd5705d\comctl32.dll
c:\windows\syswow64\clbcatq.dll
c:\windows\syswow64\cryptsp.dll
c:\windows\syswow64\rsaenh.dll
c:\windows\syswow64\rpcrtremote.dll
c:\windows\syswow64\vbscript.dll
c:\windows\syswow64\wshom.ocx
c:\windows\syswow64\scrrun.dll
c:\windows\syswow64\sxs.dll
c:\windows\syswow64\propsys.dll
c:\windows\syswow64\ieframe.dll
c:\windows\syswow64\api-ms-win-downlevel-shell32-l1-1-0.dll
c:\windows\syswow64\ntmarta.dll
c:\windows\syswow64\wldap32.dll
c:\windows\syswow64\secur32.dll
c:\windows\syswow64\netsh.exe
c:\windows\syswow64\takeown.exe
c:\windows\syswow64\cacls.exe
c:\windows\syswow64\windowspowershell\v1.0\powershell.exe

PID
2932
CMD
"C:\Windows\SysWOW64\netsh.exe" interface ipv6 install
Path
C:\Windows\SysWOW64\netsh.exe
Indicators
No indicators
Parent process
MsiExec.exe
User
SYSTEM
Integrity Level
SYSTEM
Exit code
1
Version:
Company
Microsoft Corporation
Description
Network Command Shell
Version
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Image
c:\windows\syswow64\netsh.exe
c:\systemroot\system32\ntdll.dll
c:\systemroot\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\system32\kernel32.dll
c:\windows\syswow64\kernel32.dll
c:\windows\system32\user32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\advapi32.dll
c:\windows\syswow64\msvcrt.dll
c:\windows\syswow64\sechost.dll
c:\windows\syswow64\rpcrt4.dll
c:\windows\syswow64\sspicli.dll
c:\windows\syswow64\cryptbase.dll
c:\windows\syswow64\credui.dll
c:\windows\syswow64\user32.dll
c:\windows\syswow64\gdi32.dll
c:\windows\syswow64\lpk.dll
c:\windows\syswow64\usp10.dll
c:\windows\syswow64\mpr.dll
c:\windows\syswow64\ole32.dll
c:\windows\syswow64\oleaut32.dll
c:\windows\syswow64\imm32.dll
c:\windows\syswow64\msctf.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.18837_none_41e855142bd5705d\comctl32.dll
c:\windows\syswow64\shlwapi.dll
c:\windows\syswow64\rasmontr.dll
c:\windows\syswow64\mprapi.dll
c:\windows\syswow64\rasapi32.dll
c:\windows\syswow64\rasman.dll
c:\windows\syswow64\ws2_32.dll
c:\windows\syswow64\nsi.dll
c:\windows\syswow64\fwpuclnt.dll
c:\windows\syswow64\mfc42u.dll
c:\windows\syswow64\odbc32.dll
c:\windows\syswow64\iphlpapi.dll
c:\windows\syswow64\winnsi.dll
c:\windows\syswow64\odbcint.dll
c:\windows\syswow64\nshwfp.dll
c:\windows\syswow64\crypt32.dll
c:\windows\syswow64\msasn1.dll
c:\windows\syswow64\slc.dll
c:\windows\syswow64\dhcpcmonitor.dll
c:\windows\syswow64\dhcpcsvc.dll
c:\windows\syswow64\dhcpcsvc6.dll
c:\windows\syswow64\dhcpqec.dll
c:\windows\syswow64\qutil.dll
c:\windows\syswow64\wevtapi.dll
c:\windows\syswow64\wshelper.dll
c:\windows\syswow64\ws2help.dll
c:\windows\syswow64\mswsock.dll
c:\windows\syswow64\nshhttp.dll
c:\windows\syswow64\httpapi.dll
c:\windows\syswow64\fwcfg.dll
c:\windows\syswow64\firewallapi.dll
c:\windows\syswow64\version.dll
c:\windows\syswow64\authfwcfg.dll
c:\windows\syswow64\bcrypt.dll
c:\windows\syswow64\winipsec.dll
c:\windows\syswow64\ifmon.dll
c:\windows\syswow64\setupapi.dll
c:\windows\syswow64\cfgmgr32.dll
c:\windows\syswow64\devobj.dll
c:\windows\syswow64\nci.dll
c:\windows\syswow64\devrtl.dll
c:\windows\syswow64\netiohlp.dll
c:\windows\syswow64\dnsapi.dll
c:\windows\syswow64\whhelper.dll
c:\windows\syswow64\winhttp.dll
c:\windows\syswow64\webio.dll
c:\windows\syswow64\hnetmon.dll
c:\windows\syswow64\netshell.dll
c:\windows\syswow64\shell32.dll
c:\windows\syswow64\nlaapi.dll
c:\windows\syswow64\rpcnsh.dll
c:\windows\syswow64\dot3cfg.dll
c:\windows\syswow64\dot3api.dll
c:\windows\syswow64\atl.dll
c:\windows\syswow64\eappcfg.dll
c:\windows\syswow64\onex.dll
c:\windows\syswow64\eappprxy.dll
c:\windows\syswow64\napmontr.dll
c:\windows\syswow64\certcli.dll
c:\windows\syswow64\wldap32.dll
c:\windows\syswow64\nshipsec.dll
c:\windows\syswow64\netapi32.dll
c:\windows\syswow64\netutils.dll
c:\windows\syswow64\srvcli.dll
c:\windows\syswow64\wkscli.dll
c:\windows\syswow64\logoncli.dll
c:\windows\syswow64\userenv.dll
c:\windows\syswow64\profapi.dll
c:\windows\syswow64\activeds.dll
c:\windows\syswow64\adsldpc.dll
c:\windows\syswow64\polstore.dll
c:\windows\syswow64\p2pnetsh.dll
c:\windows\syswow64\p2p.dll
c:\windows\syswow64\p2pcollab.dll
c:\windows\syswow64\wlancfg.dll
c:\windows\syswow64\wlanapi.dll
c:\windows\syswow64\wlanutil.dll
c:\windows\syswow64\wlanhlp.dll
c:\windows\syswow64\peerdistsh.dll
c:\windows\syswow64\cryptsp.dll
c:\windows\syswow64\clbcatq.dll
c:\windows\syswow64\qagent.dll
c:\windows\syswow64\rsaenh.dll
c:\windows\syswow64\rpcrtremote.dll
c:\windows\syswow64\gpapi.dll
c:\windows\syswow64\bcryptprimitives.dll

PID
1460
CMD
"C:\Windows\SysWOW64\netsh.exe" ipsec static add policy name=qianye
Path
C:\Windows\SysWOW64\netsh.exe
Indicators
No indicators
Parent process
MsiExec.exe
User
SYSTEM
Integrity Level
SYSTEM
Exit code
0
Version:
Company
Microsoft Corporation
Description
Network Command Shell
Version
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Image
c:\windows\syswow64\netsh.exe
c:\systemroot\system32\ntdll.dll
c:\systemroot\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\system32\kernel32.dll
c:\windows\syswow64\kernel32.dll
c:\windows\system32\user32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\advapi32.dll
c:\windows\syswow64\msvcrt.dll
c:\windows\syswow64\sechost.dll
c:\windows\syswow64\rpcrt4.dll
c:\windows\syswow64\sspicli.dll
c:\windows\syswow64\cryptbase.dll
c:\windows\syswow64\credui.dll
c:\windows\syswow64\user32.dll
c:\windows\syswow64\gdi32.dll
c:\windows\syswow64\lpk.dll
c:\windows\syswow64\usp10.dll
c:\windows\syswow64\mpr.dll
c:\windows\syswow64\ole32.dll
c:\windows\syswow64\oleaut32.dll
c:\windows\syswow64\imm32.dll
c:\windows\syswow64\msctf.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.18837_none_41e855142bd5705d\comctl32.dll
c:\windows\syswow64\shlwapi.dll
c:\windows\syswow64\rasmontr.dll
c:\windows\syswow64\mprapi.dll
c:\windows\syswow64\rasapi32.dll
c:\windows\syswow64\rasman.dll
c:\windows\syswow64\ws2_32.dll
c:\windows\syswow64\nsi.dll
c:\windows\syswow64\fwpuclnt.dll
c:\windows\syswow64\mfc42u.dll
c:\windows\syswow64\odbc32.dll
c:\windows\syswow64\iphlpapi.dll
c:\windows\syswow64\winnsi.dll
c:\windows\syswow64\odbcint.dll
c:\windows\syswow64\nshwfp.dll
c:\windows\syswow64\crypt32.dll
c:\windows\syswow64\msasn1.dll
c:\windows\syswow64\slc.dll
c:\windows\syswow64\dhcpcmonitor.dll
c:\windows\syswow64\dhcpcsvc.dll
c:\windows\syswow64\dhcpcsvc6.dll
c:\windows\syswow64\dhcpqec.dll
c:\windows\syswow64\qutil.dll
c:\windows\syswow64\wevtapi.dll
c:\windows\syswow64\wshelper.dll
c:\windows\syswow64\ws2help.dll
c:\windows\syswow64\mswsock.dll
c:\windows\syswow64\nshhttp.dll
c:\windows\syswow64\httpapi.dll
c:\windows\syswow64\fwcfg.dll
c:\windows\syswow64\firewallapi.dll
c:\windows\syswow64\version.dll
c:\windows\syswow64\authfwcfg.dll
c:\windows\syswow64\bcrypt.dll
c:\windows\syswow64\winipsec.dll
c:\windows\syswow64\ifmon.dll
c:\windows\syswow64\setupapi.dll
c:\windows\syswow64\cfgmgr32.dll
c:\windows\syswow64\devobj.dll
c:\windows\syswow64\nci.dll
c:\windows\syswow64\devrtl.dll
c:\windows\syswow64\netiohlp.dll
c:\windows\syswow64\dnsapi.dll
c:\windows\syswow64\whhelper.dll
c:\windows\syswow64\winhttp.dll
c:\windows\syswow64\webio.dll
c:\windows\syswow64\hnetmon.dll
c:\windows\syswow64\netshell.dll
c:\windows\syswow64\shell32.dll
c:\windows\syswow64\nlaapi.dll
c:\windows\syswow64\rpcnsh.dll
c:\windows\syswow64\dot3cfg.dll
c:\windows\syswow64\dot3api.dll
c:\windows\syswow64\atl.dll
c:\windows\syswow64\eappcfg.dll
c:\windows\syswow64\onex.dll
c:\windows\syswow64\eappprxy.dll
c:\windows\syswow64\napmontr.dll
c:\windows\syswow64\certcli.dll
c:\windows\syswow64\wldap32.dll
c:\windows\syswow64\nshipsec.dll
c:\windows\syswow64\netapi32.dll
c:\windows\syswow64\netutils.dll
c:\windows\syswow64\srvcli.dll
c:\windows\syswow64\wkscli.dll
c:\windows\syswow64\logoncli.dll
c:\windows\syswow64\userenv.dll
c:\windows\syswow64\profapi.dll
c:\windows\syswow64\activeds.dll
c:\windows\syswow64\adsldpc.dll
c:\windows\syswow64\polstore.dll
c:\windows\syswow64\p2pnetsh.dll
c:\windows\syswow64\p2p.dll
c:\windows\syswow64\p2pcollab.dll
c:\windows\syswow64\wlancfg.dll
c:\windows\syswow64\wlanapi.dll
c:\windows\syswow64\wlanutil.dll
c:\windows\syswow64\wlanhlp.dll
c:\windows\syswow64\peerdistsh.dll
c:\windows\syswow64\cryptsp.dll
c:\windows\syswow64\clbcatq.dll
c:\windows\syswow64\qagent.dll
c:\windows\syswow64\rsaenh.dll
c:\windows\syswow64\rpcrtremote.dll
c:\windows\syswow64\gpapi.dll
c:\windows\syswow64\bcryptprimitives.dll

PID
2888
CMD
"C:\Windows\SysWOW64\netsh.exe" ipsec static add filterlist name=Filter1
Path
C:\Windows\SysWOW64\netsh.exe
Indicators
No indicators
Parent process
MsiExec.exe
User
SYSTEM
Integrity Level
SYSTEM
Exit code
0
Version:
Company
Microsoft Corporation
Description
Network Command Shell
Version
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Image
c:\windows\syswow64\netsh.exe
c:\systemroot\system32\ntdll.dll
c:\systemroot\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\system32\kernel32.dll
c:\windows\syswow64\kernel32.dll
c:\windows\system32\user32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\advapi32.dll
c:\windows\syswow64\msvcrt.dll
c:\windows\syswow64\sechost.dll
c:\windows\syswow64\rpcrt4.dll
c:\windows\syswow64\sspicli.dll
c:\windows\syswow64\cryptbase.dll
c:\windows\syswow64\credui.dll
c:\windows\syswow64\user32.dll
c:\windows\syswow64\gdi32.dll
c:\windows\syswow64\lpk.dll
c:\windows\syswow64\usp10.dll
c:\windows\syswow64\mpr.dll
c:\windows\syswow64\ole32.dll
c:\windows\syswow64\oleaut32.dll
c:\windows\syswow64\imm32.dll
c:\windows\syswow64\msctf.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.18837_none_41e855142bd5705d\comctl32.dll
c:\windows\syswow64\shlwapi.dll
c:\windows\syswow64\rasmontr.dll
c:\windows\syswow64\mprapi.dll
c:\windows\syswow64\rasapi32.dll
c:\windows\syswow64\rasman.dll
c:\windows\syswow64\ws2_32.dll
c:\windows\syswow64\nsi.dll
c:\windows\syswow64\fwpuclnt.dll
c:\windows\syswow64\mfc42u.dll
c:\windows\syswow64\odbc32.dll
c:\windows\syswow64\iphlpapi.dll
c:\windows\syswow64\winnsi.dll
c:\windows\syswow64\odbcint.dll
c:\windows\syswow64\nshwfp.dll
c:\windows\syswow64\crypt32.dll
c:\windows\syswow64\msasn1.dll
c:\windows\syswow64\slc.dll
c:\windows\syswow64\dhcpcmonitor.dll
c:\windows\syswow64\dhcpcsvc.dll
c:\windows\syswow64\dhcpcsvc6.dll
c:\windows\syswow64\dhcpqec.dll
c:\windows\syswow64\qutil.dll
c:\windows\syswow64\wevtapi.dll
c:\windows\syswow64\wshelper.dll
c:\windows\syswow64\ws2help.dll
c:\windows\syswow64\mswsock.dll
c:\windows\syswow64\nshhttp.dll
c:\windows\syswow64\httpapi.dll
c:\windows\syswow64\fwcfg.dll
c:\windows\syswow64\firewallapi.dll
c:\windows\syswow64\version.dll
c:\windows\syswow64\authfwcfg.dll
c:\windows\syswow64\bcrypt.dll
c:\windows\syswow64\winipsec.dll
c:\windows\syswow64\ifmon.dll
c:\windows\syswow64\setupapi.dll
c:\windows\syswow64\cfgmgr32.dll
c:\windows\syswow64\devobj.dll
c:\windows\syswow64\nci.dll
c:\windows\syswow64\devrtl.dll
c:\windows\syswow64\netiohlp.dll
c:\windows\syswow64\dnsapi.dll
c:\windows\syswow64\whhelper.dll
c:\windows\syswow64\winhttp.dll
c:\windows\syswow64\webio.dll
c:\windows\syswow64\hnetmon.dll
c:\windows\syswow64\netshell.dll
c:\windows\syswow64\shell32.dll
c:\windows\syswow64\nlaapi.dll
c:\windows\syswow64\rpcnsh.dll
c:\windows\syswow64\dot3cfg.dll
c:\windows\syswow64\dot3api.dll
c:\windows\syswow64\atl.dll
c:\windows\syswow64\eappcfg.dll
c:\windows\syswow64\onex.dll
c:\windows\syswow64\eappprxy.dll
c:\windows\syswow64\napmontr.dll
c:\windows\syswow64\certcli.dll
c:\windows\syswow64\wldap32.dll
c:\windows\syswow64\nshipsec.dll
c:\windows\syswow64\netapi32.dll
c:\windows\syswow64\netutils.dll
c:\windows\syswow64\srvcli.dll
c:\windows\syswow64\wkscli.dll
c:\windows\syswow64\logoncli.dll
c:\windows\syswow64\userenv.dll
c:\windows\syswow64\profapi.dll
c:\windows\syswow64\activeds.dll
c:\windows\syswow64\adsldpc.dll
c:\windows\syswow64\polstore.dll
c:\windows\syswow64\p2pnetsh.dll
c:\windows\syswow64\p2p.dll
c:\windows\syswow64\p2pcollab.dll
c:\windows\syswow64\wlancfg.dll
c:\windows\syswow64\wlanapi.dll
c:\windows\syswow64\wlanutil.dll
c:\windows\syswow64\wlanhlp.dll
c:\windows\syswow64\peerdistsh.dll
c:\windows\syswow64\cryptsp.dll
c:\windows\syswow64\clbcatq.dll
c:\windows\syswow64\qagent.dll
c:\windows\syswow64\rsaenh.dll
c:\windows\syswow64\rpcrtremote.dll
c:\windows\syswow64\gpapi.dll
c:\windows\syswow64\bcryptprimitives.dll

PID
2780
CMD
"C:\Windows\SysWOW64\netsh.exe" ipsec static add filter filterlist=Filter1 srcaddr=any dstaddr=Me dstport=445 protocol=TCP
Path
C:\Windows\SysWOW64\netsh.exe
Indicators
No indicators
Parent process
MsiExec.exe
User
SYSTEM
Integrity Level
SYSTEM
Exit code
0
Version:
Company
Microsoft Corporation
Description
Network Command Shell
Version
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Image
c:\windows\syswow64\netsh.exe
c:\systemroot\system32\ntdll.dll
c:\systemroot\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\system32\kernel32.dll
c:\windows\syswow64\kernel32.dll
c:\windows\system32\user32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\advapi32.dll
c:\windows\syswow64\msvcrt.dll
c:\windows\syswow64\sechost.dll
c:\windows\syswow64\rpcrt4.dll
c:\windows\syswow64\sspicli.dll
c:\windows\syswow64\cryptbase.dll
c:\windows\syswow64\credui.dll
c:\windows\syswow64\user32.dll
c:\windows\syswow64\gdi32.dll
c:\windows\syswow64\lpk.dll
c:\windows\syswow64\usp10.dll
c:\windows\syswow64\mpr.dll
c:\windows\syswow64\ole32.dll
c:\windows\syswow64\oleaut32.dll
c:\windows\syswow64\imm32.dll
c:\windows\syswow64\msctf.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.18837_none_41e855142bd5705d\comctl32.dll
c:\windows\syswow64\shlwapi.dll
c:\windows\syswow64\rasmontr.dll
c:\windows\syswow64\mprapi.dll
c:\windows\syswow64\rasapi32.dll
c:\windows\syswow64\rasman.dll
c:\windows\syswow64\ws2_32.dll
c:\windows\syswow64\nsi.dll
c:\windows\syswow64\fwpuclnt.dll
c:\windows\syswow64\mfc42u.dll
c:\windows\syswow64\odbc32.dll
c:\windows\syswow64\iphlpapi.dll
c:\windows\syswow64\winnsi.dll
c:\windows\syswow64\odbcint.dll
c:\windows\syswow64\nshwfp.dll
c:\windows\syswow64\crypt32.dll
c:\windows\syswow64\msasn1.dll
c:\windows\syswow64\slc.dll
c:\windows\syswow64\dhcpcmonitor.dll
c:\windows\syswow64\dhcpcsvc.dll
c:\windows\syswow64\dhcpcsvc6.dll
c:\windows\syswow64\dhcpqec.dll
c:\windows\syswow64\qutil.dll
c:\windows\syswow64\wevtapi.dll
c:\windows\syswow64\wshelper.dll
c:\windows\syswow64\ws2help.dll
c:\windows\syswow64\mswsock.dll
c:\windows\syswow64\nshhttp.dll
c:\windows\syswow64\httpapi.dll
c:\windows\syswow64\fwcfg.dll
c:\windows\syswow64\firewallapi.dll
c:\windows\syswow64\version.dll
c:\windows\syswow64\authfwcfg.dll
c:\windows\syswow64\bcrypt.dll
c:\windows\syswow64\winipsec.dll
c:\windows\syswow64\ifmon.dll
c:\windows\syswow64\setupapi.dll
c:\windows\syswow64\cfgmgr32.dll
c:\windows\syswow64\devobj.dll
c:\windows\syswow64\nci.dll
c:\windows\syswow64\devrtl.dll
c:\windows\syswow64\netiohlp.dll
c:\windows\syswow64\dnsapi.dll
c:\windows\syswow64\whhelper.dll
c:\windows\syswow64\winhttp.dll
c:\windows\syswow64\webio.dll
c:\windows\syswow64\hnetmon.dll
c:\windows\syswow64\netshell.dll
c:\windows\syswow64\shell32.dll
c:\windows\syswow64\nlaapi.dll
c:\windows\syswow64\rpcnsh.dll
c:\windows\syswow64\dot3cfg.dll
c:\windows\syswow64\dot3api.dll
c:\windows\syswow64\atl.dll
c:\windows\syswow64\eappcfg.dll
c:\windows\syswow64\onex.dll
c:\windows\syswow64\eappprxy.dll
c:\windows\syswow64\napmontr.dll
c:\windows\syswow64\certcli.dll
c:\windows\syswow64\wldap32.dll
c:\windows\syswow64\nshipsec.dll
c:\windows\syswow64\netapi32.dll
c:\windows\syswow64\netutils.dll
c:\windows\syswow64\srvcli.dll
c:\windows\syswow64\wkscli.dll
c:\windows\syswow64\logoncli.dll
c:\windows\syswow64\userenv.dll
c:\windows\syswow64\profapi.dll
c:\windows\syswow64\activeds.dll
c:\windows\syswow64\adsldpc.dll
c:\windows\syswow64\polstore.dll
c:\windows\syswow64\p2pnetsh.dll
c:\windows\syswow64\p2p.dll
c:\windows\syswow64\p2pcollab.dll
c:\windows\syswow64\wlancfg.dll
c:\windows\syswow64\wlanapi.dll
c:\windows\syswow64\wlanutil.dll
c:\windows\syswow64\wlanhlp.dll
c:\windows\syswow64\peerdistsh.dll
c:\windows\syswow64\cryptsp.dll
c:\windows\syswow64\clbcatq.dll
c:\windows\syswow64\qagent.dll
c:\windows\syswow64\rsaenh.dll
c:\windows\syswow64\rpcrtremote.dll
c:\windows\syswow64\gpapi.dll
c:\windows\syswow64\bcryptprimitives.dll

PID
2596
CMD
"C:\Windows\SysWOW64\netsh.exe" ipsec static add filter filterlist=Filter1 srcaddr=any dstaddr=Me dstport=135 protocol=TCP
Path
C:\Windows\SysWOW64\netsh.exe
Indicators
No indicators
Parent process
MsiExec.exe
User
SYSTEM
Integrity Level
SYSTEM
Exit code
0
Version:
Company
Microsoft Corporation
Description
Network Command Shell
Version
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Image
c:\windows\syswow64\netsh.exe
c:\systemroot\system32\ntdll.dll
c:\systemroot\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\user32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\advapi32.dll
c:\windows\syswow64\msvcrt.dll
c:\windows\syswow64\sechost.dll
c:\windows\syswow64\rpcrt4.dll
c:\windows\syswow64\sspicli.dll
c:\windows\syswow64\cryptbase.dll
c:\windows\syswow64\credui.dll
c:\windows\syswow64\user32.dll
c:\windows\syswow64\gdi32.dll
c:\windows\syswow64\lpk.dll
c:\windows\syswow64\usp10.dll
c:\windows\syswow64\mpr.dll
c:\windows\syswow64\ole32.dll
c:\windows\syswow64\oleaut32.dll
c:\windows\syswow64\imm32.dll
c:\windows\syswow64\msctf.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.18837_none_41e855142bd5705d\comctl32.dll
c:\windows\syswow64\shlwapi.dll
c:\windows\syswow64\rasmontr.dll
c:\windows\syswow64\mprapi.dll
c:\windows\syswow64\rasapi32.dll
c:\windows\syswow64\rasman.dll
c:\windows\syswow64\ws2_32.dll
c:\windows\syswow64\nsi.dll
c:\windows\syswow64\fwpuclnt.dll
c:\windows\syswow64\mfc42u.dll
c:\windows\syswow64\odbc32.dll
c:\windows\syswow64\iphlpapi.dll
c:\windows\syswow64\winnsi.dll
c:\windows\syswow64\odbcint.dll
c:\windows\syswow64\nshwfp.dll
c:\windows\syswow64\crypt32.dll
c:\windows\syswow64\msasn1.dll
c:\windows\syswow64\slc.dll
c:\windows\syswow64\dhcpcmonitor.dll
c:\windows\syswow64\dhcpcsvc.dll
c:\windows\syswow64\dhcpcsvc6.dll
c:\windows\syswow64\dhcpqec.dll
c:\windows\syswow64\qutil.dll
c:\windows\syswow64\wevtapi.dll
c:\windows\syswow64\wshelper.dll
c:\windows\syswow64\ws2help.dll
c:\windows\syswow64\mswsock.dll
c:\windows\syswow64\nshhttp.dll
c:\windows\syswow64\httpapi.dll
c:\windows\syswow64\fwcfg.dll
c:\windows\syswow64\firewallapi.dll
c:\windows\syswow64\version.dll
c:\windows\syswow64\authfwcfg.dll
c:\windows\syswow64\bcrypt.dll
c:\windows\syswow64\winipsec.dll
c:\windows\syswow64\ifmon.dll
c:\windows\syswow64\setupapi.dll
c:\windows\syswow64\cfgmgr32.dll
c:\windows\syswow64\devobj.dll
c:\windows\syswow64\nci.dll
c:\windows\syswow64\devrtl.dll
c:\windows\syswow64\netiohlp.dll
c:\windows\syswow64\dnsapi.dll
c:\windows\syswow64\whhelper.dll
c:\windows\syswow64\winhttp.dll
c:\windows\syswow64\webio.dll
c:\windows\syswow64\hnetmon.dll
c:\windows\syswow64\netshell.dll
c:\windows\syswow64\shell32.dll
c:\windows\syswow64\nlaapi.dll
c:\windows\syswow64\rpcnsh.dll
c:\windows\syswow64\dot3cfg.dll
c:\windows\syswow64\dot3api.dll
c:\windows\syswow64\atl.dll
c:\windows\syswow64\eappcfg.dll
c:\windows\syswow64\onex.dll
c:\windows\syswow64\eappprxy.dll
c:\windows\syswow64\napmontr.dll
c:\windows\syswow64\certcli.dll
c:\windows\syswow64\wldap32.dll
c:\windows\syswow64\nshipsec.dll
c:\windows\syswow64\netapi32.dll
c:\windows\syswow64\netutils.dll
c:\windows\syswow64\srvcli.dll
c:\windows\syswow64\wkscli.dll
c:\windows\syswow64\logoncli.dll
c:\windows\syswow64\userenv.dll
c:\windows\syswow64\profapi.dll
c:\windows\syswow64\activeds.dll
c:\windows\syswow64\adsldpc.dll
c:\windows\syswow64\polstore.dll
c:\windows\syswow64\p2pnetsh.dll
c:\windows\syswow64\p2p.dll
c:\windows\syswow64\p2pcollab.dll
c:\windows\syswow64\wlancfg.dll
c:\windows\syswow64\wlanapi.dll
c:\windows\syswow64\wlanutil.dll
c:\windows\syswow64\wlanhlp.dll
c:\windows\syswow64\peerdistsh.dll
c:\windows\syswow64\cryptsp.dll
c:\windows\syswow64\clbcatq.dll
c:\windows\syswow64\qagent.dll
c:\windows\syswow64\rsaenh.dll
c:\windows\syswow64\rpcrtremote.dll
c:\windows\syswow64\gpapi.dll
c:\windows\syswow64\bcryptprimitives.dll

PID
2800
CMD
"C:\Windows\SysWOW64\netsh.exe" ipsec static add filter filterlist=Filter1 srcaddr=any dstaddr=Me dstport=139 protocol=TCP
Path
C:\Windows\SysWOW64\netsh.exe
Indicators
No indicators
Parent process
MsiExec.exe
User
SYSTEM
Integrity Level
SYSTEM
Exit code
0
Version:
Company
Microsoft Corporation
Description
Network Command Shell
Version
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Image
c:\windows\syswow64\netsh.exe
c:\systemroot\system32\ntdll.dll
c:\systemroot\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\system32\kernel32.dll
c:\windows\syswow64\kernel32.dll
c:\windows\system32\user32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\advapi32.dll
c:\windows\syswow64\msvcrt.dll
c:\windows\syswow64\sechost.dll
c:\windows\syswow64\sspicli.dll
c:\windows\syswow64\rpcrt4.dll
c:\windows\syswow64\cryptbase.dll
c:\windows\syswow64\credui.dll
c:\windows\syswow64\user32.dll
c:\windows\syswow64\gdi32.dll
c:\windows\syswow64\lpk.dll
c:\windows\syswow64\usp10.dll
c:\windows\syswow64\mpr.dll
c:\windows\syswow64\ole32.dll
c:\windows\syswow64\oleaut32.dll
c:\windows\syswow64\imm32.dll
c:\windows\syswow64\msctf.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.18837_none_41e855142bd5705d\comctl32.dll
c:\windows\syswow64\shlwapi.dll
c:\windows\syswow64\rasmontr.dll
c:\windows\syswow64\mprapi.dll
c:\windows\syswow64\rasapi32.dll
c:\windows\syswow64\rasman.dll
c:\windows\syswow64\ws2_32.dll
c:\windows\syswow64\nsi.dll
c:\windows\syswow64\fwpuclnt.dll
c:\windows\syswow64\mfc42u.dll
c:\windows\syswow64\odbc32.dll
c:\windows\syswow64\iphlpapi.dll
c:\windows\syswow64\winnsi.dll
c:\windows\syswow64\odbcint.dll
c:\windows\syswow64\nshwfp.dll
c:\windows\syswow64\crypt32.dll
c:\windows\syswow64\msasn1.dll
c:\windows\syswow64\slc.dll
c:\windows\syswow64\dhcpcmonitor.dll
c:\windows\syswow64\dhcpcsvc.dll
c:\windows\syswow64\dhcpcsvc6.dll
c:\windows\syswow64\dhcpqec.dll
c:\windows\syswow64\qutil.dll
c:\windows\syswow64\wevtapi.dll
c:\windows\syswow64\wshelper.dll
c:\windows\syswow64\ws2help.dll
c:\windows\syswow64\mswsock.dll
c:\windows\syswow64\nshhttp.dll
c:\windows\syswow64\httpapi.dll
c:\windows\syswow64\fwcfg.dll
c:\windows\syswow64\firewallapi.dll
c:\windows\syswow64\version.dll
c:\windows\syswow64\authfwcfg.dll
c:\windows\syswow64\bcrypt.dll
c:\windows\syswow64\winipsec.dll
c:\windows\syswow64\ifmon.dll
c:\windows\syswow64\setupapi.dll
c:\windows\syswow64\cfgmgr32.dll
c:\windows\syswow64\devobj.dll
c:\windows\syswow64\nci.dll
c:\windows\syswow64\devrtl.dll
c:\windows\syswow64\netiohlp.dll
c:\windows\syswow64\dnsapi.dll
c:\windows\syswow64\whhelper.dll
c:\windows\syswow64\winhttp.dll
c:\windows\syswow64\webio.dll
c:\windows\syswow64\hnetmon.dll
c:\windows\syswow64\netshell.dll
c:\windows\syswow64\shell32.dll
c:\windows\syswow64\nlaapi.dll
c:\windows\syswow64\rpcnsh.dll
c:\windows\syswow64\dot3cfg.dll
c:\windows\syswow64\dot3api.dll
c:\windows\syswow64\atl.dll
c:\windows\syswow64\eappcfg.dll
c:\windows\syswow64\onex.dll
c:\windows\syswow64\eappprxy.dll
c:\windows\syswow64\napmontr.dll
c:\windows\syswow64\certcli.dll
c:\windows\syswow64\wldap32.dll
c:\windows\syswow64\nshipsec.dll
c:\windows\syswow64\netapi32.dll
c:\windows\syswow64\netutils.dll
c:\windows\syswow64\srvcli.dll
c:\windows\syswow64\wkscli.dll
c:\windows\syswow64\logoncli.dll
c:\windows\syswow64\userenv.dll
c:\windows\syswow64\profapi.dll
c:\windows\syswow64\activeds.dll
c:\windows\syswow64\adsldpc.dll
c:\windows\syswow64\polstore.dll
c:\windows\syswow64\p2pnetsh.dll
c:\windows\syswow64\p2p.dll
c:\windows\syswow64\p2pcollab.dll
c:\windows\syswow64\wlancfg.dll
c:\windows\syswow64\wlanapi.dll
c:\windows\syswow64\wlanutil.dll
c:\windows\syswow64\wlanhlp.dll
c:\windows\syswow64\peerdistsh.dll
c:\windows\syswow64\cryptsp.dll
c:\windows\syswow64\clbcatq.dll
c:\windows\syswow64\qagent.dll
c:\windows\syswow64\rsaenh.dll
c:\windows\syswow64\rpcrtremote.dll
c:\windows\syswow64\gpapi.dll
c:\windows\syswow64\bcryptprimitives.dll

PID
2212
CMD
"C:\Windows\SysWOW64\netsh.exe" ipsec static add filter filterlist=Filter1 srcaddr=any dstaddr=Me dstport=445 protocol=UDP
Path
C:\Windows\SysWOW64\netsh.exe
Indicators
No indicators
Parent process
MsiExec.exe
User
SYSTEM
Integrity Level
SYSTEM
Exit code
0
Version:
Company
Microsoft Corporation
Description
Network Command Shell
Version
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Image
c:\windows\syswow64\netsh.exe
c:\systemroot\system32\ntdll.dll
c:\systemroot\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\system32\kernel32.dll
c:\windows\syswow64\kernel32.dll
c:\windows\system32\user32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\msvcrt.dll
c:\windows\syswow64\advapi32.dll
c:\windows\syswow64\sechost.dll
c:\windows\syswow64\rpcrt4.dll
c:\windows\syswow64\sspicli.dll
c:\windows\syswow64\cryptbase.dll
c:\windows\syswow64\credui.dll
c:\windows\syswow64\user32.dll
c:\windows\syswow64\gdi32.dll
c:\windows\syswow64\lpk.dll
c:\windows\syswow64\usp10.dll
c:\windows\syswow64\mpr.dll
c:\windows\syswow64\ole32.dll
c:\windows\syswow64\oleaut32.dll
c:\windows\syswow64\imm32.dll
c:\windows\syswow64\msctf.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.18837_none_41e855142bd5705d\comctl32.dll
c:\windows\syswow64\shlwapi.dll
c:\windows\syswow64\rasmontr.dll
c:\windows\syswow64\mprapi.dll
c:\windows\syswow64\rasapi32.dll
c:\windows\syswow64\rasman.dll
c:\windows\syswow64\ws2_32.dll
c:\windows\syswow64\nsi.dll
c:\windows\syswow64\fwpuclnt.dll
c:\windows\syswow64\mfc42u.dll
c:\windows\syswow64\odbc32.dll
c:\windows\syswow64\iphlpapi.dll
c:\windows\syswow64\winnsi.dll
c:\windows\syswow64\odbcint.dll
c:\windows\syswow64\nshwfp.dll
c:\windows\syswow64\crypt32.dll
c:\windows\syswow64\msasn1.dll
c:\windows\syswow64\slc.dll
c:\windows\syswow64\dhcpcmonitor.dll
c:\windows\syswow64\dhcpcsvc.dll
c:\windows\syswow64\dhcpcsvc6.dll
c:\windows\syswow64\dhcpqec.dll
c:\windows\syswow64\qutil.dll
c:\windows\syswow64\wevtapi.dll
c:\windows\syswow64\wshelper.dll
c:\windows\syswow64\ws2help.dll
c:\windows\syswow64\mswsock.dll
c:\windows\syswow64\nshhttp.dll
c:\windows\syswow64\httpapi.dll
c:\windows\syswow64\fwcfg.dll
c:\windows\syswow64\firewallapi.dll
c:\windows\syswow64\version.dll
c:\windows\syswow64\authfwcfg.dll
c:\windows\syswow64\bcrypt.dll
c:\windows\syswow64\winipsec.dll
c:\windows\syswow64\ifmon.dll
c:\windows\syswow64\setupapi.dll
c:\windows\syswow64\cfgmgr32.dll
c:\windows\syswow64\devobj.dll
c:\windows\syswow64\nci.dll
c:\windows\syswow64\devrtl.dll
c:\windows\syswow64\netiohlp.dll
c:\windows\syswow64\dnsapi.dll
c:\windows\syswow64\whhelper.dll
c:\windows\syswow64\winhttp.dll
c:\windows\syswow64\webio.dll
c:\windows\syswow64\hnetmon.dll
c:\windows\syswow64\netshell.dll
c:\windows\syswow64\shell32.dll
c:\windows\syswow64\nlaapi.dll
c:\windows\syswow64\rpcnsh.dll
c:\windows\syswow64\dot3cfg.dll
c:\windows\syswow64\dot3api.dll
c:\windows\syswow64\atl.dll
c:\windows\syswow64\eappcfg.dll
c:\windows\syswow64\onex.dll
c:\windows\syswow64\eappprxy.dll
c:\windows\syswow64\napmontr.dll
c:\windows\syswow64\certcli.dll
c:\windows\syswow64\wldap32.dll
c:\windows\syswow64\nshipsec.dll
c:\windows\syswow64\netapi32.dll
c:\windows\syswow64\netutils.dll
c:\windows\syswow64\srvcli.dll
c:\windows\syswow64\wkscli.dll
c:\windows\syswow64\logoncli.dll
c:\windows\syswow64\userenv.dll
c:\windows\syswow64\profapi.dll
c:\windows\syswow64\activeds.dll
c:\windows\syswow64\adsldpc.dll
c:\windows\syswow64\polstore.dll
c:\windows\syswow64\p2pnetsh.dll
c:\windows\syswow64\p2p.dll
c:\windows\syswow64\p2pcollab.dll
c:\windows\syswow64\wlancfg.dll
c:\windows\syswow64\wlanapi.dll
c:\windows\syswow64\wlanutil.dll
c:\windows\syswow64\wlanhlp.dll
c:\windows\syswow64\peerdistsh.dll
c:\windows\syswow64\cryptsp.dll
c:\windows\syswow64\clbcatq.dll
c:\windows\syswow64\qagent.dll
c:\windows\syswow64\rsaenh.dll
c:\windows\syswow64\rpcrtremote.dll
c:\windows\syswow64\gpapi.dll
c:\windows\syswow64\bcryptprimitives.dll

PID
3048
CMD
"C:\Windows\SysWOW64\netsh.exe" ipsec static add filter filterlist=Filter1 srcaddr=any dstaddr=Me dstport=135 protocol=UDP
Path
C:\Windows\SysWOW64\netsh.exe
Indicators
No indicators
Parent process
MsiExec.exe
User
SYSTEM
Integrity Level
SYSTEM
Exit code
0
Version:
Company
Microsoft Corporation
Description
Network Command Shell
Version
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Image
c:\windows\syswow64\netsh.exe
c:\systemroot\system32\ntdll.dll
c:\systemroot\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\system32\kernel32.dll
c:\windows\syswow64\kernel32.dll
c:\windows\system32\user32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\advapi32.dll
c:\windows\syswow64\msvcrt.dll
c:\windows\syswow64\sechost.dll
c:\windows\syswow64\rpcrt4.dll
c:\windows\syswow64\sspicli.dll
c:\windows\syswow64\cryptbase.dll
c:\windows\syswow64\credui.dll
c:\windows\syswow64\user32.dll
c:\windows\syswow64\gdi32.dll
c:\windows\syswow64\lpk.dll
c:\windows\syswow64\usp10.dll
c:\windows\syswow64\mpr.dll
c:\windows\syswow64\ole32.dll
c:\windows\syswow64\oleaut32.dll
c:\windows\syswow64\imm32.dll
c:\windows\syswow64\msctf.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.18837_none_41e855142bd5705d\comctl32.dll
c:\windows\syswow64\shlwapi.dll
c:\windows\syswow64\rasmontr.dll
c:\windows\syswow64\mprapi.dll
c:\windows\syswow64\rasapi32.dll
c:\windows\syswow64\rasman.dll
c:\windows\syswow64\ws2_32.dll
c:\windows\syswow64\nsi.dll
c:\windows\syswow64\fwpuclnt.dll
c:\windows\syswow64\mfc42u.dll
c:\windows\syswow64\odbc32.dll
c:\windows\syswow64\iphlpapi.dll
c:\windows\syswow64\winnsi.dll
c:\windows\syswow64\odbcint.dll
c:\windows\syswow64\nshwfp.dll
c:\windows\syswow64\crypt32.dll
c:\windows\syswow64\msasn1.dll
c:\windows\syswow64\slc.dll
c:\windows\syswow64\dhcpcmonitor.dll
c:\windows\syswow64\dhcpcsvc.dll
c:\windows\syswow64\dhcpcsvc6.dll
c:\windows\syswow64\dhcpqec.dll
c:\windows\syswow64\qutil.dll
c:\windows\syswow64\wevtapi.dll
c:\windows\syswow64\wshelper.dll
c:\windows\syswow64\ws2help.dll
c:\windows\syswow64\mswsock.dll
c:\windows\syswow64\nshhttp.dll
c:\windows\syswow64\httpapi.dll
c:\windows\syswow64\fwcfg.dll
c:\windows\syswow64\firewallapi.dll
c:\windows\syswow64\version.dll
c:\windows\syswow64\authfwcfg.dll
c:\windows\syswow64\bcrypt.dll
c:\windows\syswow64\winipsec.dll
c:\windows\syswow64\ifmon.dll
c:\windows\syswow64\setupapi.dll
c:\windows\syswow64\cfgmgr32.dll
c:\windows\syswow64\devobj.dll
c:\windows\syswow64\nci.dll
c:\windows\syswow64\devrtl.dll
c:\windows\syswow64\netiohlp.dll
c:\windows\syswow64\dnsapi.dll
c:\windows\syswow64\whhelper.dll
c:\windows\syswow64\winhttp.dll
c:\windows\syswow64\webio.dll
c:\windows\syswow64\hnetmon.dll
c:\windows\syswow64\netshell.dll
c:\windows\syswow64\shell32.dll
c:\windows\syswow64\nlaapi.dll
c:\windows\syswow64\rpcnsh.dll
c:\windows\syswow64\dot3cfg.dll
c:\windows\syswow64\dot3api.dll
c:\windows\syswow64\atl.dll
c:\windows\syswow64\eappcfg.dll
c:\windows\syswow64\onex.dll
c:\windows\syswow64\eappprxy.dll
c:\windows\syswow64\napmontr.dll
c:\windows\syswow64\certcli.dll
c:\windows\syswow64\wldap32.dll
c:\windows\syswow64\nshipsec.dll
c:\windows\syswow64\netapi32.dll
c:\windows\syswow64\netutils.dll
c:\windows\syswow64\srvcli.dll
c:\windows\syswow64\wkscli.dll
c:\windows\syswow64\logoncli.dll
c:\windows\syswow64\userenv.dll
c:\windows\syswow64\profapi.dll
c:\windows\syswow64\activeds.dll
c:\windows\syswow64\adsldpc.dll
c:\windows\syswow64\polstore.dll
c:\windows\syswow64\p2pnetsh.dll
c:\windows\syswow64\p2p.dll
c:\windows\syswow64\p2pcollab.dll
c:\windows\syswow64\wlancfg.dll
c:\windows\syswow64\wlanapi.dll
c:\windows\syswow64\wlanutil.dll
c:\windows\syswow64\wlanhlp.dll
c:\windows\syswow64\peerdistsh.dll
c:\windows\syswow64\cryptsp.dll
c:\windows\syswow64\clbcatq.dll
c:\windows\syswow64\qagent.dll
c:\windows\syswow64\rsaenh.dll
c:\windows\syswow64\rpcrtremote.dll
c:\windows\syswow64\gpapi.dll
c:\windows\syswow64\bcryptprimitives.dll

PID
2760
CMD
"C:\Windows\SysWOW64\netsh.exe" ipsec static add filter filterlist=Filter1 srcaddr=any dstaddr=Me dstport=139 protocol=UDP
Path
C:\Windows\SysWOW64\netsh.exe
Indicators
No indicators
Parent process
MsiExec.exe
User
SYSTEM
Integrity Level
SYSTEM
Exit code
0
Version:
Company
Microsoft Corporation
Description
Network Command Shell
Version
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Image
c:\windows\syswow64\netsh.exe
c:\systemroot\system32\ntdll.dll
c:\systemroot\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\system32\kernel32.dll
c:\windows\syswow64\kernel32.dll
c:\windows\system32\user32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\advapi32.dll
c:\windows\syswow64\msvcrt.dll
c:\windows\syswow64\sechost.dll
c:\windows\syswow64\rpcrt4.dll
c:\windows\syswow64\sspicli.dll
c:\windows\syswow64\cryptbase.dll
c:\windows\syswow64\credui.dll
c:\windows\syswow64\user32.dll
c:\windows\syswow64\gdi32.dll
c:\windows\syswow64\lpk.dll
c:\windows\syswow64\usp10.dll
c:\windows\syswow64\mpr.dll
c:\windows\syswow64\ole32.dll
c:\windows\syswow64\oleaut32.dll
c:\windows\syswow64\imm32.dll
c:\windows\syswow64\msctf.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.18837_none_41e855142bd5705d\comctl32.dll
c:\windows\syswow64\shlwapi.dll
c:\windows\syswow64\rasmontr.dll
c:\windows\syswow64\mprapi.dll
c:\windows\syswow64\rasapi32.dll
c:\windows\syswow64\rasman.dll
c:\windows\syswow64\ws2_32.dll
c:\windows\syswow64\nsi.dll
c:\windows\syswow64\fwpuclnt.dll
c:\windows\syswow64\mfc42u.dll
c:\windows\syswow64\odbc32.dll
c:\windows\syswow64\iphlpapi.dll
c:\windows\syswow64\winnsi.dll
c:\windows\syswow64\odbcint.dll
c:\windows\syswow64\nshwfp.dll
c:\windows\syswow64\crypt32.dll
c:\windows\syswow64\msasn1.dll
c:\windows\syswow64\slc.dll
c:\windows\syswow64\dhcpcmonitor.dll
c:\windows\syswow64\dhcpcsvc.dll
c:\windows\syswow64\dhcpcsvc6.dll
c:\windows\syswow64\dhcpqec.dll
c:\windows\syswow64\qutil.dll
c:\windows\syswow64\wevtapi.dll
c:\windows\syswow64\wshelper.dll
c:\windows\syswow64\ws2help.dll
c:\windows\syswow64\mswsock.dll
c:\windows\syswow64\nshhttp.dll
c:\windows\syswow64\httpapi.dll
c:\windows\syswow64\fwcfg.dll
c:\windows\syswow64\firewallapi.dll
c:\windows\syswow64\version.dll
c:\windows\syswow64\authfwcfg.dll
c:\windows\syswow64\bcrypt.dll
c:\windows\syswow64\winipsec.dll
c:\windows\syswow64\ifmon.dll
c:\windows\syswow64\setupapi.dll
c:\windows\syswow64\cfgmgr32.dll
c:\windows\syswow64\devobj.dll
c:\windows\syswow64\nci.dll
c:\windows\syswow64\devrtl.dll
c:\windows\syswow64\netiohlp.dll
c:\windows\syswow64\dnsapi.dll
c:\windows\syswow64\whhelper.dll
c:\windows\syswow64\winhttp.dll
c:\windows\syswow64\webio.dll
c:\windows\syswow64\hnetmon.dll
c:\windows\syswow64\netshell.dll
c:\windows\syswow64\shell32.dll
c:\windows\syswow64\nlaapi.dll
c:\windows\syswow64\rpcnsh.dll
c:\windows\syswow64\dot3cfg.dll
c:\windows\syswow64\dot3api.dll
c:\windows\syswow64\atl.dll
c:\windows\syswow64\eappcfg.dll
c:\windows\syswow64\onex.dll
c:\windows\syswow64\eappprxy.dll
c:\windows\syswow64\napmontr.dll
c:\windows\syswow64\certcli.dll
c:\windows\syswow64\wldap32.dll
c:\windows\syswow64\nshipsec.dll
c:\windows\syswow64\netapi32.dll
c:\windows\syswow64\netutils.dll
c:\windows\syswow64\srvcli.dll
c:\windows\syswow64\wkscli.dll
c:\windows\syswow64\logoncli.dll
c:\windows\syswow64\userenv.dll
c:\windows\syswow64\profapi.dll
c:\windows\syswow64\activeds.dll
c:\windows\syswow64\adsldpc.dll
c:\windows\syswow64\polstore.dll
c:\windows\syswow64\p2pnetsh.dll
c:\windows\syswow64\p2p.dll
c:\windows\syswow64\p2pcollab.dll
c:\windows\syswow64\wlancfg.dll
c:\windows\syswow64\wlanapi.dll
c:\windows\syswow64\wlanutil.dll
c:\windows\syswow64\wlanhlp.dll
c:\windows\syswow64\peerdistsh.dll
c:\windows\syswow64\cryptsp.dll
c:\windows\syswow64\clbcatq.dll
c:\windows\syswow64\qagent.dll
c:\windows\syswow64\rsaenh.dll
c:\windows\syswow64\rpcrtremote.dll
c:\windows\syswow64\gpapi.dll
c:\windows\syswow64\bcryptprimitives.dll

PID
2796
CMD
"C:\Windows\SysWOW64\netsh.exe" ipsec static add filter filterlist=Filter1 srcaddr=Me dstaddr=any dstport=2222 protocol=TCP
Path
C:\Windows\SysWOW64\netsh.exe
Indicators
No indicators
Parent process
MsiExec.exe
User
SYSTEM
Integrity Level
SYSTEM
Exit code
0
Version:
Company
Microsoft Corporation
Description
Network Command Shell
Version
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Image
c:\windows\syswow64\netsh.exe
c:\systemroot\system32\ntdll.dll
c:\systemroot\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\system32\kernel32.dll
c:\windows\syswow64\kernel32.dll
c:\windows\system32\user32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\msvcrt.dll
c:\windows\syswow64\advapi32.dll
c:\windows\syswow64\sechost.dll
c:\windows\syswow64\rpcrt4.dll
c:\windows\syswow64\sspicli.dll
c:\windows\syswow64\cryptbase.dll
c:\windows\syswow64\credui.dll
c:\windows\syswow64\user32.dll
c:\windows\syswow64\gdi32.dll
c:\windows\syswow64\lpk.dll
c:\windows\syswow64\usp10.dll
c:\windows\syswow64\mpr.dll
c:\windows\syswow64\ole32.dll
c:\windows\syswow64\oleaut32.dll
c:\windows\syswow64\imm32.dll
c:\windows\syswow64\msctf.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.18837_none_41e855142bd5705d\comctl32.dll
c:\windows\syswow64\shlwapi.dll
c:\windows\syswow64\rasmontr.dll
c:\windows\syswow64\mprapi.dll
c:\windows\syswow64\rasapi32.dll
c:\windows\syswow64\rasman.dll
c:\windows\syswow64\ws2_32.dll
c:\windows\syswow64\nsi.dll
c:\windows\syswow64\fwpuclnt.dll
c:\windows\syswow64\mfc42u.dll
c:\windows\syswow64\odbc32.dll
c:\windows\syswow64\iphlpapi.dll
c:\windows\syswow64\winnsi.dll
c:\windows\syswow64\odbcint.dll
c:\windows\syswow64\nshwfp.dll
c:\windows\syswow64\crypt32.dll
c:\windows\syswow64\msasn1.dll
c:\windows\syswow64\slc.dll
c:\windows\syswow64\dhcpcmonitor.dll
c:\windows\syswow64\dhcpcsvc.dll
c:\windows\syswow64\dhcpcsvc6.dll
c:\windows\syswow64\dhcpqec.dll
c:\windows\syswow64\qutil.dll
c:\windows\syswow64\wevtapi.dll
c:\windows\syswow64\wshelper.dll
c:\windows\syswow64\ws2help.dll
c:\windows\syswow64\mswsock.dll
c:\windows\syswow64\nshhttp.dll
c:\windows\syswow64\httpapi.dll
c:\windows\syswow64\fwcfg.dll
c:\windows\syswow64\firewallapi.dll
c:\windows\syswow64\version.dll
c:\windows\syswow64\authfwcfg.dll
c:\windows\syswow64\bcrypt.dll
c:\windows\syswow64\winipsec.dll
c:\windows\syswow64\ifmon.dll
c:\windows\syswow64\setupapi.dll
c:\windows\syswow64\cfgmgr32.dll
c:\windows\syswow64\devobj.dll
c:\windows\syswow64\nci.dll
c:\windows\syswow64\devrtl.dll
c:\windows\syswow64\netiohlp.dll
c:\windows\syswow64\dnsapi.dll
c:\windows\syswow64\whhelper.dll
c:\windows\syswow64\winhttp.dll
c:\windows\syswow64\webio.dll
c:\windows\syswow64\hnetmon.dll
c:\windows\syswow64\netshell.dll
c:\windows\syswow64\shell32.dll
c:\windows\syswow64\nlaapi.dll
c:\windows\syswow64\rpcnsh.dll
c:\windows\syswow64\dot3cfg.dll
c:\windows\syswow64\dot3api.dll
c:\windows\syswow64\atl.dll
c:\windows\syswow64\eappcfg.dll
c:\windows\syswow64\onex.dll
c:\windows\syswow64\eappprxy.dll
c:\windows\syswow64\napmontr.dll
c:\windows\syswow64\certcli.dll
c:\windows\syswow64\wldap32.dll
c:\windows\syswow64\nshipsec.dll
c:\windows\syswow64\netapi32.dll
c:\windows\syswow64\netutils.dll
c:\windows\syswow64\srvcli.dll
c:\windows\syswow64\wkscli.dll
c:\windows\syswow64\logoncli.dll
c:\windows\syswow64\userenv.dll
c:\windows\syswow64\profapi.dll
c:\windows\syswow64\activeds.dll
c:\windows\syswow64\adsldpc.dll
c:\windows\syswow64\polstore.dll
c:\windows\syswow64\p2pnetsh.dll
c:\windows\syswow64\p2p.dll
c:\windows\syswow64\p2pcollab.dll
c:\windows\syswow64\wlancfg.dll
c:\windows\syswow64\wlanapi.dll
c:\windows\syswow64\wlanutil.dll
c:\windows\syswow64\wlanhlp.dll
c:\windows\syswow64\peerdistsh.dll
c:\windows\syswow64\cryptsp.dll
c:\windows\syswow64\clbcatq.dll
c:\windows\syswow64\qagent.dll
c:\windows\syswow64\rsaenh.dll
c:\windows\syswow64\rpcrtremote.dll
c:\windows\syswow64\gpapi.dll
c:\windows\syswow64\bcryptprimitives.dll

PID
2844
CMD
"C:\Windows\SysWOW64\netsh.exe" ipsec static add filter filterlist=Filter1 srcaddr=Me dstaddr=any dstport=3333 protocol=TCP
Path
C:\Windows\SysWOW64\netsh.exe
Indicators
No indicators
Parent process
MsiExec.exe
User
SYSTEM
Integrity Level
SYSTEM
Exit code
0
Version:
Company
Microsoft Corporation
Description
Network Command Shell
Version
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Image
c:\windows\syswow64\netsh.exe
c:\systemroot\system32\ntdll.dll
c:\systemroot\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\system32\kernel32.dll
c:\windows\syswow64\kernel32.dll
c:\windows\system32\user32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\advapi32.dll
c:\windows\syswow64\msvcrt.dll
c:\windows\syswow64\sechost.dll
c:\windows\syswow64\rpcrt4.dll
c:\windows\syswow64\sspicli.dll
c:\windows\syswow64\cryptbase.dll
c:\windows\syswow64\credui.dll
c:\windows\syswow64\user32.dll
c:\windows\syswow64\gdi32.dll
c:\windows\syswow64\lpk.dll
c:\windows\syswow64\usp10.dll
c:\windows\syswow64\mpr.dll
c:\windows\syswow64\ole32.dll
c:\windows\syswow64\oleaut32.dll
c:\windows\syswow64\imm32.dll
c:\windows\syswow64\msctf.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.18837_none_41e855142bd5705d\comctl32.dll
c:\windows\syswow64\shlwapi.dll
c:\windows\syswow64\rasmontr.dll
c:\windows\syswow64\mprapi.dll
c:\windows\syswow64\rasapi32.dll
c:\windows\syswow64\rasman.dll
c:\windows\syswow64\ws2_32.dll
c:\windows\syswow64\nsi.dll
c:\windows\syswow64\fwpuclnt.dll
c:\windows\syswow64\mfc42u.dll
c:\windows\syswow64\odbc32.dll
c:\windows\syswow64\iphlpapi.dll
c:\windows\syswow64\winnsi.dll
c:\windows\syswow64\odbcint.dll
c:\windows\syswow64\nshwfp.dll
c:\windows\syswow64\crypt32.dll
c:\windows\syswow64\msasn1.dll
c:\windows\syswow64\slc.dll
c:\windows\syswow64\dhcpcmonitor.dll
c:\windows\syswow64\dhcpcsvc.dll
c:\windows\syswow64\dhcpcsvc6.dll
c:\windows\syswow64\dhcpqec.dll
c:\windows\syswow64\qutil.dll
c:\windows\syswow64\wevtapi.dll
c:\windows\syswow64\wshelper.dll
c:\windows\syswow64\ws2help.dll
c:\windows\syswow64\mswsock.dll
c:\windows\syswow64\nshhttp.dll
c:\windows\syswow64\httpapi.dll
c:\windows\syswow64\fwcfg.dll
c:\windows\syswow64\firewallapi.dll
c:\windows\syswow64\version.dll
c:\windows\syswow64\authfwcfg.dll
c:\windows\syswow64\bcrypt.dll
c:\windows\syswow64\winipsec.dll
c:\windows\syswow64\ifmon.dll
c:\windows\syswow64\setupapi.dll
c:\windows\syswow64\cfgmgr32.dll
c:\windows\syswow64\devobj.dll
c:\windows\syswow64\nci.dll
c:\windows\syswow64\devrtl.dll
c:\windows\syswow64\netiohlp.dll
c:\windows\syswow64\dnsapi.dll
c:\windows\syswow64\whhelper.dll
c:\windows\syswow64\winhttp.dll
c:\windows\syswow64\webio.dll
c:\windows\syswow64\hnetmon.dll
c:\windows\syswow64\netshell.dll
c:\windows\syswow64\shell32.dll
c:\windows\syswow64\nlaapi.dll
c:\windows\syswow64\rpcnsh.dll
c:\windows\syswow64\dot3cfg.dll
c:\windows\syswow64\dot3api.dll
c:\windows\syswow64\atl.dll
c:\windows\syswow64\eappcfg.dll
c:\windows\syswow64\onex.dll
c:\windows\syswow64\eappprxy.dll
c:\windows\syswow64\napmontr.dll
c:\windows\syswow64\certcli.dll
c:\windows\syswow64\wldap32.dll
c:\windows\syswow64\nshipsec.dll
c:\windows\syswow64\netapi32.dll
c:\windows\syswow64\netutils.dll
c:\windows\syswow64\srvcli.dll
c:\windows\syswow64\wkscli.dll
c:\windows\syswow64\logoncli.dll
c:\windows\syswow64\userenv.dll
c:\windows\syswow64\profapi.dll
c:\windows\syswow64\activeds.dll
c:\windows\syswow64\adsldpc.dll
c:\windows\syswow64\polstore.dll
c:\windows\syswow64\p2pnetsh.dll
c:\windows\syswow64\p2p.dll
c:\windows\syswow64\p2pcollab.dll
c:\windows\syswow64\wlancfg.dll
c:\windows\syswow64\wlanapi.dll
c:\windows\syswow64\wlanutil.dll
c:\windows\syswow64\wlanhlp.dll
c:\windows\syswow64\peerdistsh.dll
c:\windows\syswow64\cryptsp.dll
c:\windows\syswow64\clbcatq.dll
c:\windows\syswow64\qagent.dll
c:\windows\syswow64\rsaenh.dll
c:\windows\syswow64\rpcrtremote.dll
c:\windows\syswow64\gpapi.dll
c:\windows\syswow64\bcryptprimitives.dll

PID
2896
CMD
"C:\Windows\SysWOW64\netsh.exe" ipsec static add filter filterlist=Filter1 srcaddr=Me dstaddr=any dstport=4444 protocol=TCP
Path
C:\Windows\SysWOW64\netsh.exe
Indicators
No indicators
Parent process
MsiExec.exe
User
SYSTEM
Integrity Level
SYSTEM
Exit code
0
Version:
Company
Microsoft Corporation
Description
Network Command Shell
Version
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Image
c:\windows\syswow64\netsh.exe
c:\systemroot\system32\ntdll.dll
c:\systemroot\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\system32\kernel32.dll
c:\windows\syswow64\kernel32.dll
c:\windows\system32\user32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\advapi32.dll
c:\windows\syswow64\msvcrt.dll
c:\windows\syswow64\sechost.dll
c:\windows\syswow64\rpcrt4.dll
c:\windows\syswow64\sspicli.dll
c:\windows\syswow64\cryptbase.dll
c:\windows\syswow64\credui.dll
c:\windows\syswow64\user32.dll
c:\windows\syswow64\gdi32.dll
c:\windows\syswow64\lpk.dll
c:\windows\syswow64\usp10.dll
c:\windows\syswow64\mpr.dll
c:\windows\syswow64\ole32.dll
c:\windows\syswow64\oleaut32.dll
c:\windows\syswow64\imm32.dll
c:\windows\syswow64\msctf.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.18837_none_41e855142bd5705d\comctl32.dll
c:\windows\syswow64\shlwapi.dll
c:\windows\syswow64\rasmontr.dll
c:\windows\syswow64\mprapi.dll
c:\windows\syswow64\rasapi32.dll
c:\windows\syswow64\rasman.dll
c:\windows\syswow64\ws2_32.dll
c:\windows\syswow64\nsi.dll
c:\windows\syswow64\fwpuclnt.dll
c:\windows\syswow64\mfc42u.dll
c:\windows\syswow64\odbc32.dll
c:\windows\syswow64\iphlpapi.dll
c:\windows\syswow64\winnsi.dll
c:\windows\syswow64\odbcint.dll
c:\windows\syswow64\nshwfp.dll
c:\windows\syswow64\crypt32.dll
c:\windows\syswow64\msasn1.dll
c:\windows\syswow64\slc.dll
c:\windows\syswow64\dhcpcmonitor.dll
c:\windows\syswow64\dhcpcsvc.dll
c:\windows\syswow64\dhcpcsvc6.dll
c:\windows\syswow64\dhcpqec.dll
c:\windows\syswow64\qutil.dll
c:\windows\syswow64\wevtapi.dll
c:\windows\syswow64\wshelper.dll
c:\windows\syswow64\ws2help.dll
c:\windows\syswow64\mswsock.dll
c:\windows\syswow64\nshhttp.dll
c:\windows\syswow64\httpapi.dll
c:\windows\syswow64\fwcfg.dll
c:\windows\syswow64\firewallapi.dll
c:\windows\syswow64\version.dll
c:\windows\syswow64\authfwcfg.dll
c:\windows\syswow64\bcrypt.dll
c:\windows\syswow64\winipsec.dll
c:\windows\syswow64\ifmon.dll
c:\windows\syswow64\setupapi.dll
c:\windows\syswow64\cfgmgr32.dll
c:\windows\syswow64\devobj.dll
c:\windows\syswow64\nci.dll
c:\windows\syswow64\devrtl.dll
c:\windows\syswow64\netiohlp.dll
c:\windows\syswow64\dnsapi.dll
c:\windows\syswow64\whhelper.dll
c:\windows\syswow64\winhttp.dll
c:\windows\syswow64\webio.dll
c:\windows\syswow64\hnetmon.dll
c:\windows\syswow64\netshell.dll
c:\windows\syswow64\shell32.dll
c:\windows\syswow64\nlaapi.dll
c:\windows\syswow64\rpcnsh.dll
c:\windows\syswow64\dot3cfg.dll
c:\windows\syswow64\dot3api.dll
c:\windows\syswow64\atl.dll
c:\windows\syswow64\eappcfg.dll
c:\windows\syswow64\onex.dll
c:\windows\syswow64\eappprxy.dll
c:\windows\syswow64\napmontr.dll
c:\windows\syswow64\certcli.dll
c:\windows\syswow64\wldap32.dll
c:\windows\syswow64\nshipsec.dll
c:\windows\syswow64\netapi32.dll
c:\windows\syswow64\netutils.dll
c:\windows\syswow64\srvcli.dll
c:\windows\syswow64\wkscli.dll
c:\windows\syswow64\logoncli.dll
c:\windows\syswow64\userenv.dll
c:\windows\syswow64\profapi.dll
c:\windows\syswow64\activeds.dll
c:\windows\syswow64\adsldpc.dll
c:\windows\syswow64\polstore.dll
c:\windows\syswow64\p2pnetsh.dll
c:\windows\syswow64\p2p.dll
c:\windows\syswow64\p2pcollab.dll
c:\windows\syswow64\wlancfg.dll
c:\windows\syswow64\wlanapi.dll
c:\windows\syswow64\wlanutil.dll
c:\windows\syswow64\wlanhlp.dll
c:\windows\syswow64\peerdistsh.dll
c:\windows\syswow64\cryptsp.dll
c:\windows\syswow64\clbcatq.dll
c:\windows\syswow64\qagent.dll
c:\windows\syswow64\rsaenh.dll
c:\windows\syswow64\rpcrtremote.dll
c:\windows\syswow64\gpapi.dll
c:\windows\syswow64\bcryptprimitives.dll

PID
2976
CMD
"C:\Windows\SysWOW64\netsh.exe" ipsec static add filter filterlist=Filter1 srcaddr=Me dstaddr=any dstport=5555 protocol=TCP
Path
C:\Windows\SysWOW64\netsh.exe
Indicators
No indicators
Parent process
MsiExec.exe
User
SYSTEM
Integrity Level
SYSTEM
Exit code
0
Version:
Company
Microsoft Corporation
Description
Network Command Shell
Version
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Image
c:\windows\syswow64\netsh.exe
c:\systemroot\system32\ntdll.dll
c:\systemroot\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\system32\kernel32.dll
c:\windows\syswow64\kernel32.dll
c:\windows\system32\user32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\advapi32.dll
c:\windows\syswow64\msvcrt.dll
c:\windows\syswow64\sechost.dll
c:\windows\syswow64\rpcrt4.dll
c:\windows\syswow64\sspicli.dll
c:\windows\syswow64\cryptbase.dll
c:\windows\syswow64\credui.dll
c:\windows\syswow64\user32.dll
c:\windows\syswow64\gdi32.dll
c:\windows\syswow64\lpk.dll
c:\windows\syswow64\usp10.dll
c:\windows\syswow64\mpr.dll
c:\windows\syswow64\ole32.dll
c:\windows\syswow64\oleaut32.dll
c:\windows\syswow64\imm32.dll
c:\windows\syswow64\msctf.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.18837_none_41e855142bd5705d\comctl32.dll
c:\windows\syswow64\shlwapi.dll
c:\windows\syswow64\rasmontr.dll
c:\windows\syswow64\mprapi.dll
c:\windows\syswow64\rasapi32.dll
c:\windows\syswow64\rasman.dll
c:\windows\syswow64\ws2_32.dll
c:\windows\syswow64\nsi.dll
c:\windows\syswow64\fwpuclnt.dll
c:\windows\syswow64\mfc42u.dll
c:\windows\syswow64\odbc32.dll
c:\windows\syswow64\iphlpapi.dll
c:\windows\syswow64\winnsi.dll
c:\windows\syswow64\odbcint.dll
c:\windows\syswow64\nshwfp.dll
c:\windows\syswow64\crypt32.dll
c:\windows\syswow64\msasn1.dll
c:\windows\syswow64\slc.dll
c:\windows\syswow64\dhcpcmonitor.dll
c:\windows\syswow64\dhcpcsvc.dll
c:\windows\syswow64\dhcpcsvc6.dll
c:\windows\syswow64\dhcpqec.dll
c:\windows\syswow64\qutil.dll
c:\windows\syswow64\wevtapi.dll
c:\windows\syswow64\wshelper.dll
c:\windows\syswow64\ws2help.dll
c:\windows\syswow64\mswsock.dll
c:\windows\syswow64\nshhttp.dll
c:\windows\syswow64\httpapi.dll
c:\windows\syswow64\fwcfg.dll
c:\windows\syswow64\firewallapi.dll
c:\windows\syswow64\version.dll
c:\windows\syswow64\authfwcfg.dll
c:\windows\syswow64\bcrypt.dll
c:\windows\syswow64\winipsec.dll
c:\windows\syswow64\ifmon.dll
c:\windows\syswow64\setupapi.dll
c:\windows\syswow64\cfgmgr32.dll
c:\windows\syswow64\devobj.dll
c:\windows\syswow64\nci.dll
c:\windows\syswow64\devrtl.dll
c:\windows\syswow64\netiohlp.dll
c:\windows\syswow64\dnsapi.dll
c:\windows\syswow64\whhelper.dll
c:\windows\syswow64\winhttp.dll
c:\windows\syswow64\webio.dll
c:\windows\syswow64\hnetmon.dll
c:\windows\syswow64\netshell.dll
c:\windows\syswow64\shell32.dll
c:\windows\syswow64\nlaapi.dll
c:\windows\syswow64\rpcnsh.dll
c:\windows\syswow64\dot3cfg.dll
c:\windows\syswow64\dot3api.dll
c:\windows\syswow64\atl.dll
c:\windows\syswow64\eappcfg.dll
c:\windows\syswow64\onex.dll
c:\windows\syswow64\eappprxy.dll
c:\windows\syswow64\napmontr.dll
c:\windows\syswow64\certcli.dll
c:\windows\syswow64\wldap32.dll
c:\windows\syswow64\nshipsec.dll
c:\windows\syswow64\netapi32.dll
c:\windows\syswow64\netutils.dll
c:\windows\syswow64\srvcli.dll
c:\windows\syswow64\wkscli.dll
c:\windows\syswow64\logoncli.dll
c:\windows\syswow64\userenv.dll
c:\windows\syswow64\profapi.dll
c:\windows\syswow64\activeds.dll
c:\windows\syswow64\adsldpc.dll
c:\windows\syswow64\polstore.dll
c:\windows\syswow64\p2pnetsh.dll
c:\windows\syswow64\p2p.dll
c:\windows\syswow64\p2pcollab.dll
c:\windows\syswow64\wlancfg.dll
c:\windows\syswow64\wlanapi.dll
c:\windows\syswow64\wlanutil.dll
c:\windows\syswow64\wlanhlp.dll
c:\windows\syswow64\peerdistsh.dll
c:\windows\syswow64\cryptsp.dll
c:\windows\syswow64\clbcatq.dll
c:\windows\syswow64\qagent.dll
c:\windows\syswow64\rsaenh.dll
c:\windows\syswow64\rpcrtremote.dll
c:\windows\syswow64\gpapi.dll
c:\windows\syswow64\bcryptprimitives.dll

PID
684
CMD
"C:\Windows\SysWOW64\netsh.exe" ipsec static add filter filterlist=Filter1 srcaddr=Me dstaddr=any dstport=6666 protocol=TCP
Path
C:\Windows\SysWOW64\netsh.exe
Indicators
No indicators
Parent process
MsiExec.exe
User
SYSTEM
Integrity Level
SYSTEM
Exit code
0
Version:
Company
Microsoft Corporation
Description
Network Command Shell
Version
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Image
c:\windows\syswow64\netsh.exe
c:\systemroot\system32\ntdll.dll
c:\systemroot\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\system32\kernel32.dll
c:\windows\syswow64\kernel32.dll
c:\windows\system32\user32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\advapi32.dll
c:\windows\syswow64\msvcrt.dll
c:\windows\syswow64\sechost.dll
c:\windows\syswow64\rpcrt4.dll
c:\windows\syswow64\sspicli.dll
c:\windows\syswow64\cryptbase.dll
c:\windows\syswow64\credui.dll
c:\windows\syswow64\user32.dll
c:\windows\syswow64\gdi32.dll
c:\windows\syswow64\lpk.dll
c:\windows\syswow64\usp10.dll
c:\windows\syswow64\mpr.dll
c:\windows\syswow64\ole32.dll
c:\windows\syswow64\oleaut32.dll
c:\windows\syswow64\imm32.dll
c:\windows\syswow64\msctf.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.18837_none_41e855142bd5705d\comctl32.dll
c:\windows\syswow64\shlwapi.dll
c:\windows\syswow64\rasmontr.dll
c:\windows\syswow64\mprapi.dll
c:\windows\syswow64\rasapi32.dll
c:\windows\syswow64\rasman.dll
c:\windows\syswow64\ws2_32.dll
c:\windows\syswow64\nsi.dll
c:\windows\syswow64\fwpuclnt.dll
c:\windows\syswow64\mfc42u.dll
c:\windows\syswow64\odbc32.dll
c:\windows\syswow64\iphlpapi.dll
c:\windows\syswow64\winnsi.dll
c:\windows\syswow64\odbcint.dll
c:\windows\syswow64\nshwfp.dll
c:\windows\syswow64\crypt32.dll
c:\windows\syswow64\msasn1.dll
c:\windows\syswow64\slc.dll
c:\windows\syswow64\dhcpcmonitor.dll
c:\windows\syswow64\dhcpcsvc.dll
c:\windows\syswow64\dhcpcsvc6.dll
c:\windows\syswow64\dhcpqec.dll
c:\windows\syswow64\qutil.dll
c:\windows\syswow64\wevtapi.dll
c:\windows\syswow64\wshelper.dll
c:\windows\syswow64\ws2help.dll
c:\windows\syswow64\mswsock.dll
c:\windows\syswow64\nshhttp.dll
c:\windows\syswow64\httpapi.dll
c:\windows\syswow64\fwcfg.dll
c:\windows\syswow64\firewallapi.dll
c:\windows\syswow64\version.dll
c:\windows\syswow64\authfwcfg.dll
c:\windows\syswow64\bcrypt.dll
c:\windows\syswow64\winipsec.dll
c:\windows\syswow64\ifmon.dll
c:\windows\syswow64\setupapi.dll
c:\windows\syswow64\cfgmgr32.dll
c:\windows\syswow64\devobj.dll
c:\windows\syswow64\nci.dll
c:\windows\syswow64\devrtl.dll
c:\windows\syswow64\netiohlp.dll
c:\windows\syswow64\dnsapi.dll
c:\windows\syswow64\whhelper.dll
c:\windows\syswow64\winhttp.dll
c:\windows\syswow64\webio.dll
c:\windows\syswow64\hnetmon.dll
c:\windows\syswow64\netshell.dll
c:\windows\syswow64\shell32.dll
c:\windows\syswow64\nlaapi.dll
c:\windows\syswow64\rpcnsh.dll
c:\windows\syswow64\dot3cfg.dll
c:\windows\syswow64\dot3api.dll
c:\windows\syswow64\atl.dll
c:\windows\syswow64\eappcfg.dll
c:\windows\syswow64\onex.dll
c:\windows\syswow64\eappprxy.dll
c:\windows\syswow64\napmontr.dll
c:\windows\syswow64\certcli.dll
c:\windows\syswow64\wldap32.dll
c:\windows\syswow64\nshipsec.dll
c:\windows\syswow64\netapi32.dll
c:\windows\syswow64\netutils.dll
c:\windows\syswow64\srvcli.dll
c:\windows\syswow64\wkscli.dll
c:\windows\syswow64\logoncli.dll
c:\windows\syswow64\userenv.dll
c:\windows\syswow64\profapi.dll
c:\windows\syswow64\activeds.dll
c:\windows\syswow64\adsldpc.dll
c:\windows\syswow64\polstore.dll
c:\windows\syswow64\p2pnetsh.dll
c:\windows\syswow64\p2p.dll
c:\windows\syswow64\p2pcollab.dll
c:\windows\syswow64\wlancfg.dll
c:\windows\syswow64\wlanapi.dll
c:\windows\syswow64\wlanutil.dll
c:\windows\syswow64\wlanhlp.dll
c:\windows\syswow64\peerdistsh.dll
c:\windows\syswow64\cryptsp.dll
c:\windows\syswow64\clbcatq.dll
c:\windows\syswow64\qagent.dll
c:\windows\syswow64\rsaenh.dll
c:\windows\syswow64\rpcrtremote.dll
c:\windows\syswow64\gpapi.dll
c:\windows\syswow64\bcryptprimitives.dll

PID
2664
CMD
"C:\Windows\SysWOW64\netsh.exe" ipsec static add filter filterlist=Filter1 srcaddr=Me dstaddr=any dstport=7777 protocol=TCP
Path
C:\Windows\SysWOW64\netsh.exe
Indicators
No indicators
Parent process
MsiExec.exe
User
SYSTEM
Integrity Level
SYSTEM
Exit code
0
Version:
Company
Microsoft Corporation
Description
Network Command Shell
Version
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Image
c:\windows\syswow64\netsh.exe
c:\systemroot\system32\ntdll.dll
c:\systemroot\syswow64\ntdll.dll

PID: 3004
CMD: "C:\Windows\SysWOW64\netsh.exe" ipsec static add filter filterlist=Filter1 srcaddr=Me dstaddr=any dstport=8888 protocol=TCP
Path: C:\Windows\SysWOW64\netsh.exe
Indicators: No indicators
Parent process: MsiExec.exe
User: SYSTEM
Integrity Level: SYSTEM
Exit code: 0
Version:
Company: Microsoft Corporation
Description: Network Command Shell
Version: 6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Image

PID: 2936
CMD: "C:\Windows\SysWOW64\netsh.exe" ipsec static add filter filterlist=Filter1 srcaddr=Me dstaddr=any dstport=9000 protocol=TCP
Path: C:\Windows\SysWOW64\netsh.exe
Indicators: No indicators
Parent process: MsiExec.exe
User: SYSTEM
Integrity Level: SYSTEM
Exit code: 0
Version:
Company: Microsoft Corporation
Description: Network Command Shell
Version: 6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Image

PID: 2876
CMD: "C:\Windows\SysWOW64\netsh.exe" ipsec static add filter filterlist=Filter1 srcaddr=Me dstaddr=any dstport=9999 protocol=TCP
Path: C:\Windows\SysWOW64\netsh.exe
Indicators: No indicators
Parent process: MsiExec.exe
User: SYSTEM
Integrity Level: SYSTEM
Exit code: 0
Version:
Company: Microsoft Corporation
Description: Network Command Shell
Version: 6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Image

PID: 2976
CMD: "C:\Windows\SysWOW64\netsh.exe" ipsec static add filter filterlist=Filter1 srcaddr=Me dstaddr=any dstport=14443 protocol=TCP
Path: C:\Windows\SysWOW64\netsh.exe
Indicators: No indicators
Parent process: MsiExec.exe
User: SYSTEM
Integrity Level: SYSTEM
Exit code: 0
Version:
Company: Microsoft Corporation
Description: Network Command Shell
Version: 6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Image

PID: 2660
CMD: "C:\Windows\SysWOW64\netsh.exe" ipsec static add filter filterlist=Filter1 srcaddr=Me dstaddr=any dstport=14444 protocol=TCP
Path: C:\Windows\SysWOW64\netsh.exe
Indicators: No indicators
Parent process: MsiExec.exe
User: SYSTEM
Integrity Level: SYSTEM
Exit code: 0
Version:
Company: Microsoft Corporation
Description: Network Command Shell
Version: 6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Image

PID: 116
CMD: "C:\Windows\SysWOW64\netsh.exe" ipsec static add filteraction name=FilteraAtion1 action=block
Path: C:\Windows\SysWOW64\netsh.exe
Indicators: No indicators
Parent process: MsiExec.exe
User: SYSTEM
Integrity Level: SYSTEM
Exit code: 0
Version:
Company: Microsoft Corporation
Description: Network Command Shell
Version: 6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Image

PID: 2876
CMD: "C:\Windows\SysWOW64\netsh.exe" ipsec static add rule name=Rule1 policy=qianye filterlist=Filter1 filteraction=FilteraAtion1
Path: C:\Windows\SysWOW64\netsh.exe
Indicators: No indicators
Parent process: MsiExec.exe
User: SYSTEM
Integrity Level: SYSTEM
Exit code: 0
Version:
Company: Microsoft Corporation
Description: Network Command Shell
Version: 6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Image

PID: 2056
CMD: "C:\Windows\SysWOW64\netsh.exe" ipsec static set policy name=qianye assign=y
Path: C:\Windows\SysWOW64\netsh.exe
Indicators: No indicators
Parent process: MsiExec.exe
User: SYSTEM
Integrity Level: SYSTEM
Exit code: 0
Version:
Company: Microsoft Corporation
Description: Network Command Shell
Version: 6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Image
c:\windows\syswow64\rsaenh.dll
c:\windows\syswow64\rpcrtremote.dll
c:\windows\syswow64\gpapi.dll
c:\windows\syswow64\bcryptprimitives.dll

PID
2492
CMD
"C:\Windows\SysWOW64\takeown.exe" /f C:\Windows\system32\jscript.dll
Path
C:\Windows\SysWOW64\takeown.exe
Indicators
No indicators
Parent process
MsiExec.exe
User
SYSTEM
Integrity Level
SYSTEM
Exit code
0
Version:
Company
Microsoft Corporation
Description
Takes ownership of a file
Version
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Image
c:\windows\syswow64\takeown.exe
c:\systemroot\system32\ntdll.dll
c:\systemroot\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\user32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\msvcrt.dll
c:\windows\syswow64\advapi32.dll
c:\windows\syswow64\sechost.dll
c:\windows\syswow64\rpcrt4.dll
c:\windows\syswow64\sspicli.dll
c:\windows\syswow64\cryptbase.dll
c:\windows\syswow64\user32.dll
c:\windows\syswow64\gdi32.dll
c:\windows\syswow64\lpk.dll
c:\windows\syswow64\usp10.dll
c:\windows\syswow64\mpr.dll
c:\windows\syswow64\secur32.dll
c:\windows\syswow64\ws2_32.dll
c:\windows\syswow64\nsi.dll
c:\windows\syswow64\shlwapi.dll
c:\windows\syswow64\netapi32.dll
c:\windows\syswow64\netutils.dll
c:\windows\syswow64\srvcli.dll
c:\windows\syswow64\wkscli.dll
c:\windows\syswow64\version.dll
c:\windows\syswow64\imm32.dll
c:\windows\syswow64\msctf.dll
c:\windows\syswow64\ntmarta.dll
c:\windows\syswow64\wldap32.dll

PID
2852
CMD
"C:\Windows\SysWOW64\cacls.exe" C:\Windows\system32\jscript.dll /E /P everyone:N
Path
C:\Windows\SysWOW64\cacls.exe
Indicators
No indicators
Parent process
MsiExec.exe
User
SYSTEM
Integrity Level
SYSTEM
Exit code
0
Version:
Company
Microsoft Corporation
Description
Control ACLs Program
Version
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Image
c:\windows\syswow64\cacls.exe
c:\systemroot\system32\ntdll.dll
c:\systemroot\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\system32\kernel32.dll
c:\windows\syswow64\kernel32.dll
c:\windows\system32\user32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\msvcrt.dll
c:\windows\syswow64\advapi32.dll
c:\windows\syswow64\sechost.dll
c:\windows\syswow64\rpcrt4.dll
c:\windows\syswow64\sspicli.dll
c:\windows\syswow64\cryptbase.dll

PID
2704
CMD
"C:\Windows\SysWOW64\takeown.exe" /f C:\Windows\syswow64\jscript.dll
Path
C:\Windows\SysWOW64\takeown.exe
Indicators
No indicators
Parent process
MsiExec.exe
User
SYSTEM
Integrity Level
SYSTEM
Exit code
0
Version:
Company
Microsoft Corporation
Description
Takes ownership of a file
Version
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Image
c:\windows\syswow64\takeown.exe
c:\systemroot\system32\ntdll.dll
c:\systemroot\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\system32\kernel32.dll
c:\windows\syswow64\kernel32.dll
c:\windows\system32\user32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\advapi32.dll
c:\windows\syswow64\msvcrt.dll
c:\windows\syswow64\sechost.dll
c:\windows\syswow64\rpcrt4.dll
c:\windows\syswow64\sspicli.dll
c:\windows\syswow64\cryptbase.dll
c:\windows\syswow64\user32.dll
c:\windows\syswow64\gdi32.dll
c:\windows\syswow64\lpk.dll
c:\windows\syswow64\usp10.dll
c:\windows\syswow64\mpr.dll
c:\windows\syswow64\secur32.dll
c:\windows\syswow64\ws2_32.dll
c:\windows\syswow64\nsi.dll
c:\windows\syswow64\shlwapi.dll
c:\windows\syswow64\netapi32.dll
c:\windows\syswow64\netutils.dll
c:\windows\syswow64\srvcli.dll
c:\windows\syswow64\wkscli.dll
c:\windows\syswow64\version.dll
c:\windows\syswow64\imm32.dll
c:\windows\syswow64\msctf.dll

PID
996
CMD
"C:\Windows\SysWOW64\cacls.exe" C:\Windows\syswow64\jscript.dll /E /P everyone:N
Path
C:\Windows\SysWOW64\cacls.exe
Indicators
No indicators
Parent process
MsiExec.exe
User
SYSTEM
Integrity Level
SYSTEM
Exit code
0
Version:
Company
Microsoft Corporation
Description
Control ACLs Program
Version
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Image
c:\windows\syswow64\cacls.exe
c:\systemroot\system32\ntdll.dll
c:\systemroot\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\system32\kernel32.dll
c:\windows\syswow64\kernel32.dll
c:\windows\system32\user32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\advapi32.dll
c:\windows\syswow64\msvcrt.dll
c:\windows\syswow64\sechost.dll
c:\windows\syswow64\rpcrt4.dll
c:\windows\syswow64\sspicli.dll
c:\windows\syswow64\cryptbase.dll

PID
2180
CMD
"C:\Windows\SysWOW64\takeown.exe" /f C:\Windows\system32\cscript.exe
Path
C:\Windows\SysWOW64\takeown.exe
Indicators
No indicators
Parent process
MsiExec.exe
User
SYSTEM
Integrity Level
SYSTEM
Exit code
0
Version:
Company
Microsoft Corporation
Description
Takes ownership of a file
Version
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Image
c:\windows\system32\oleaut32.dll
c:\windows\system32\ole32.dll
c:\windows\system32\imm32.dll
c:\windows\system32\usp10.dll
c:\windows\system32\user32.dll
c:\windows\system32\kernelbase.dll
c:\systemroot\system32\ntdll.dll
c:\windows\syswow64\takeown.exe
c:\systemroot\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\system32\kernel32.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\advapi32.dll
c:\windows\syswow64\msvcrt.dll
c:\windows\syswow64\sechost.dll
c:\windows\syswow64\rpcrt4.dll
c:\windows\syswow64\sspicli.dll
c:\windows\syswow64\cryptbase.dll
c:\windows\syswow64\user32.dll
c:\windows\syswow64\gdi32.dll
c:\windows\syswow64\lpk.dll
c:\windows\syswow64\usp10.dll
c:\windows\syswow64\mpr.dll
c:\windows\syswow64\secur32.dll
c:\windows\syswow64\ws2_32.dll
c:\windows\syswow64\nsi.dll
c:\windows\syswow64\shlwapi.dll
c:\windows\syswow64\netapi32.dll
c:\windows\syswow64\netutils.dll
c:\windows\syswow64\srvcli.dll
c:\windows\syswow64\wkscli.dll
c:\windows\syswow64\version.dll
c:\windows\syswow64\imm32.dll
c:\windows\syswow64\msctf.dll
c:\windows\syswow64\ntmarta.dll
c:\windows\syswow64\wldap32.dll

PID
2412
CMD
"C:\Windows\SysWOW64\cacls.exe" C:\Windows\system32\cscript.exe /E /P everyone:N
Path
C:\Windows\SysWOW64\cacls.exe
Indicators
No indicators
Parent process
MsiExec.exe
User
SYSTEM
Integrity Level
SYSTEM
Exit code
0
Version:
Company
Microsoft Corporation
Description
Control ACLs Program
Version
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Image
c:\windows\syswow64\cacls.exe
c:\systemroot\system32\ntdll.dll
c:\systemroot\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\system32\kernel32.dll
c:\windows\syswow64\kernel32.dll
c:\windows\system32\user32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\advapi32.dll
c:\windows\syswow64\msvcrt.dll
c:\windows\syswow64\sechost.dll
c:\windows\syswow64\rpcrt4.dll
c:\windows\syswow64\sspicli.dll
c:\windows\syswow64\cryptbase.dll

PID
684
CMD
"C:\Windows\SysWOW64\takeown.exe" /f C:\Windows\syswow64\cscript.exe
Path
C:\Windows\SysWOW64\takeown.exe
Indicators
No indicators
Parent process
MsiExec.exe
User
SYSTEM
Integrity Level
SYSTEM
Exit code
0
Version:
Company
Microsoft Corporation
Description
Takes ownership of a file
Version
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Image
c:\windows\syswow64\gpapi.dll
c:\windows\syswow64\rsaenh.dll
c:\windows\syswow64\clbcatq.dll
c:\windows\syswow64\peerdistsh.dll
c:\windows\syswow64\wlanutil.dll
c:\windows\syswow64\wlancfg.dll
c:\windows\syswow64\p2p.dll
c:\windows\syswow64\polstore.dll
c:\windows\syswow64\activeds.dll
c:\windows\syswow64\userenv.dll
c:\windows\syswow64\wkscli.dll
c:\windows\syswow64\netutils.dll
c:\windows\syswow64\nshipsec.dll
c:\windows\syswow64\certcli.dll
c:\windows\syswow64\eappprxy.dll
c:\windows\syswow64\eappcfg.dll
c:\windows\syswow64\dot3api.dll
c:\windows\syswow64\rpcnsh.dll
c:\windows\syswow64\shell32.dll
c:\windows\syswow64\hnetmon.dll
c:\windows\syswow64\winhttp.dll
c:\windows\syswow64\dnsapi.dll
c:\windows\syswow64\devrtl.dll
c:\windows\syswow64\devobj.dll
c:\windows\syswow64\setupapi.dll
c:\windows\syswow64\winipsec.dll
c:\windows\syswow64\authfwcfg.dll
c:\windows\syswow64\firewallapi.dll
c:\windows\syswow64\httpapi.dll
c:\windows\syswow64\mswsock.dll
c:\windows\syswow64\wshelper.dll
c:\windows\syswow64\qutil.dll
c:\windows\syswow64\dhcpcsvc6.dll
c:\windows\syswow64\dhcpcmonitor.dll
c:\windows\syswow64\msasn1.dll
c:\windows\syswow64\nshwfp.dll
c:\windows\syswow64\winnsi.dll
c:\windows\syswow64\odbc32.dll
c:\windows\syswow64\fwpuclnt.dll
c:\windows\syswow64\ws2_32.dll
c:\windows\syswow64\rasapi32.dll
c:\windows\syswow64\rasmontr.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.18837_none_41e855142bd5705d\comctl32.dll
c:\windows\syswow64\imm32.dll
c:\windows\syswow64\ole32.dll
c:\windows\syswow64\usp10.dll
c:\windows\syswow64\gdi32.dll
c:\windows\syswow64\credui.dll
c:\windows\syswow64\sspicli.dll
c:\windows\syswow64\sechost.dll
c:\windows\syswow64\advapi32.dll
c:\windows\syswow64\kernel32.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\wow64win.dll
c:\systemroot\syswow64\ntdll.dll
c:\windows\syswow64\netsh.exe
c:\windows\syswow64\takeown.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64cpu.dll
c:\windows\system32\user32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\msvcrt.dll
c:\windows\syswow64\rpcrt4.dll
c:\windows\syswow64\cryptbase.dll
c:\windows\syswow64\user32.dll
c:\windows\syswow64\lpk.dll
c:\windows\syswow64\mpr.dll
c:\windows\syswow64\secur32.dll
c:\windows\syswow64\nsi.dll
c:\windows\syswow64\shlwapi.dll
c:\windows\syswow64\netapi32.dll
c:\windows\syswow64\srvcli.dll
c:\windows\syswow64\version.dll
c:\windows\syswow64\msctf.dll

PID
2952
CMD
"C:\Windows\SysWOW64\cacls.exe" C:\Windows\syswow64\cscript.exe /E /P everyone:N
Path
C:\Windows\SysWOW64\cacls.exe
Indicators
No indicators
Parent process
MsiExec.exe
User
SYSTEM
Integrity Level
SYSTEM
Exit code
0
Version:
Company
Microsoft Corporation
Description
Control ACLs Program
Version
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Image
c:\windows\syswow64\cacls.exe
c:\systemroot\system32\ntdll.dll
c:\systemroot\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\system32\kernel32.dll
c:\windows\syswow64\kernel32.dll
c:\windows\system32\user32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\advapi32.dll
c:\windows\syswow64\msvcrt.dll
c:\windows\syswow64\sechost.dll
c:\windows\syswow64\rpcrt4.dll
c:\windows\syswow64\sspicli.dll
c:\windows\syswow64\cryptbase.dll

PID
3000
CMD
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Start-Sleep -Seconds 900; Restart-Computer -Force
Path
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Indicators
No indicators
Parent process
MsiExec.exe
User
SYSTEM
Integrity Level
SYSTEM
Exit code
1073807364
Version:
Company
Microsoft Corporation
Description
Windows PowerShell
Version
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Image
c:\windows\syswow64\windowspowershell\v1.0\powershell.exe
c:\systemroot\system32\ntdll.dll
c:\systemroot\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\system32\kernel32.dll
c:\windows\syswow64\kernel32.dll
c:\windows\system32\user32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\advapi32.dll
c:\windows\syswow64\msvcrt.dll
c:\windows\syswow64\sechost.dll
c:\windows\syswow64\rpcrt4.dll
c:\windows\syswow64\sspicli.dll
c:\windows\syswow64\cryptbase.dll
c:\windows\syswow64\atl.dll
c:\windows\syswow64\user32.dll
c:\windows\syswow64\gdi32.dll
c:\windows\syswow64\lpk.dll
c:\windows\syswow64\usp10.dll
c:\windows\syswow64\ole32.dll
c:\windows\syswow64\oleaut32.dll
c:\windows\syswow64\mscoree.dll
c:\windows\syswow64\shlwapi.dll
c:\windows\syswow64\imm32.dll
c:\windows\syswow64\msctf.dll
c:\windows\syswow64\clbcatq.dll
c:\windows\syswow64\shell32.dll
c:\windows\syswow64\userenv.dll
c:\windows\syswow64\profapi.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.18837_none_41e855142bd5705d\comctl32.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\shdocvw.dll
c:\windows\syswow64\propsys.dll
c:\windows\syswow64\setupapi.dll
c:\windows\syswow64\cfgmgr32.dll
c:\windows\syswow64\devobj.dll
c:\windows\syswow64\ntmarta.dll
c:\windows\syswow64\wldap32.dll
c:\windows\syswow64\linkinfo.dll
c:\windows\syswow64\ntshrui.dll
c:\windows\syswow64\srvcli.dll
c:\windows\syswow64\cscapi.dll
c:\windows\syswow64\slc.dll
c:\windows\syswow64\cryptsp.dll
c:\windows\syswow64\rsaenh.dll
c:\windows\microsoft.net\framework\v4.0.30319\mscoreei.dll
c:\windows\syswow64\version.dll
c:\windows\microsoft.net\framework\v2.0.50727\mscorwks.dll
c:\windows\winsxs\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.4940_none_d08cc06a442b34fc\msvcr80.dll
c:\windows\assembly\nativeimages_v2.0.50727_32\mscorlib\9f895c66454577eff9c77442d0c84f71\mscorlib.ni.dll
c:\windows\assembly\nativeimages_v2.0.50727_32\system\ad92dab7f418877d6a1e0358ce35658a\system.ni.dll
c:\windows\assembly\nativeimages_v2.0.50727_32\microsoft.powershel#\18bfcf1ce2ee2590fab9e652aa2fb0f0\microsoft.powershell.consolehost.ni.dll
c:\windows\assembly\gac_msil\system.management.automation\1.0.0.0__31bf3856ad364e35\system.management.automation.dll
c:\windows\assembly\nativeimages_v2.0.50727_32\system.management.a#\038e2b6a0fca5134cc94bdba268aa678\system.management.automation.ni.dll
c:\windows\syswow64\psapi.dll
c:\windows\assembly\nativeimages_v2.0.50727_32\system.core\bd9ff1a4363781a57e8f7392f230a203\system.core.ni.dll
c:\windows\assembly\nativeimages_v2.0.50727_32\microsoft.powershel#\5899ed26db2d3dcca2a333abb64e3fd5\microsoft.powershell.commands.diagnostics.ni.dll
c:\windows\assembly\nativeimages_v2.0.50727_32\system.configuratio#\d6acc39f6c1ea42d8b3150db6184a969\system.configuration.install.ni.dll
c:\windows\assembly\nativeimages_v2.0.50727_32\microsoft.wsman.man#\dfeba9654bbb5cb83fd6b223bce5aa1a\microsoft.wsman.management.ni.dll
c:\windows\assembly\gac_msil\microsoft.wsman.runtime\1.0.0.0__31bf3856ad364e35\microsoft.wsman.runtime.dll
c:\windows\assembly\nativeimages_v2.0.50727_32\system.transactions\fec007ea17ac8956cc5d6d4074dada6a\system.transactions.ni.dll
c:\windows\assembly\gac_32\system.transactions\2.0.0.0__b77a5c561934e089\system.transactions.dll
c:\windows\assembly\nativeimages_v2.0.50727_32\microsoft.powershel#\50e48d6dfa9faf86ed7827f4ea0cc52a\microsoft.powershell.commands.utility.ni.dll
c:\windows\assembly\nativeimages_v2.0.50727_32\microsoft.powershel#\5f426e1d87e7c57b1650b2cd31ed90c5\microsoft.powershell.commands.management.ni.dll
c:\windows\assembly\nativeimages_v2.0.50727_32\microsoft.powershel#\2e8571d116616c901756ee2259985925\microsoft.powershell.security.ni.dll
c:\windows\microsoft.net\framework\v2.0.50727\culture.dll
c:\windows\assembly\nativeimages_v2.0.50727_32\system.xml\77c1dc46ea139bf5e1eaa9b87ef03c7a\system.xml.ni.dll
c:\windows\assembly\nativeimages_v2.0.50727_32\system.management\00c2b464e52d4e82c04d61592a12a89d\system.management.ni.dll
c:\windows\assembly\nativeimages_v2.0.50727_32\system.directoryser#\237ed1739105c1bebe48d41905fdb3ee\system.directoryservices.ni.dll
c:\windows\syswow64\shfolder.dll
c:\windows\syswow64\secur32.dll
c:\windows\assembly\nativeimages_v2.0.50727_32\system.data\511c39d1efa06d262a6b2f47e2726c73\system.data.ni.dll
c:\windows\assembly\gac_32\system.data\2.0.0.0__b77a5c561934e089\system.data.dll
c:\windows\syswow64\ws2_32.dll
c:\windows\syswow64\nsi.dll
c:\windows\syswow64\crypt32.dll
c:\windows\syswow64\msasn1.dll
c:\windows\microsoft.net\framework\v2.0.50727\mscorjit.dll

PID
372
CMD
winlogon.exe
Path
C:\Windows\System32\winlogon.exe
Indicators
Parent process
––
User
SYSTEM
Integrity Level
SYSTEM
Version:
Company
Microsoft Corporation
Description
Windows Logon Application
Version
6.1.7601.17514 (win7sp1_rtm.101119-1850)
Modules
Image
c:\windows\system32\winlogon.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\winsta.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\profapi.dll
c:\windows\system32\rpcrtremote.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\uxinit.dll
c:\windows\system32\uxtheme.dll
c:\windows\system32\cryptsp.dll
c:\windows\system32\rsaenh.dll
c:\windows\system32\cryptbase.dll
c:\windows\system32\windowscodecs.dll
c:\windows\system32\ole32.dll
c:\windows\system32\wkscli.dll
c:\windows\system32\netjoin.dll
c:\windows\system32\netutils.dll
c:\windows\system32\sspicli.dll
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kbdus.dll
c:\windows\system32\kbdjpn.dll
c:\windows\system32\kbd101.dll
c:\windows\system32\kbd106.dll
c:\windows\system32\kbdnec.dll
c:\windows\system32\version.dll
c:\windows\system32\imjp14.ime
c:\windows\system32\slc.dll
c:\windows\system32\mpr.dll

PID
644
CMD
C:\Windows\system32\services.exe
Path
C:\Windows\System32\services.exe
Indicators
No indicators
Parent process
––
User
SYSTEM
Integrity Level
SYSTEM
Version:
Company
Microsoft Corporation
Description
Services and Controller app
Version
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Image
c:\windows\system32\services.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\sspicli.dll
c:\windows\system32\profapi.dll
c:\windows\system32\sechost.dll
c:\windows\system32\cryptbase.dll
c:\windows\system32\scext.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\secur32.dll
c:\windows\system32\scesrv.dll
c:\windows\system32\srvcli.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\rpcrtremote.dll
c:\windows\system32\credssp.dll
c:\windows\system32\authz.dll
c:\windows\system32\ubpm.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\wtsapi32.dll
c:\windows\system32\winsta.dll
c:\systemroot\system32\ntdll.dll
c:\windows\system32\aelupsvc.dll
c:\windows\system32\drivers\afd.sys
c:\windows\system32\alg.exe
c:\windows\system32\appidsvc.dll
c:\windows\system32\appinfo.dll
c:\windows\system32\appmgmts.dll
c:\windows\system32\rascfg.dll
c:\windows\system32\audiosrv.dll
c:\windows\system32\axinstsv.dll
c:\windows\system32\bdesvc.dll
c:\windows\system32\bfe.dll
c:\windows\system32\qmgr.dll
c:\windows\system32\browser.dll
c:\windows\system32\bthserv.dll
c:\windows\system32\certprop.dll
c:\windows\system32\clfs.sys
c:\windows\system32\comres.dll
c:\windows\system32\cryptsvc.dll
c:\windows\system32\cscsvc.dll
c:\windows\system32\oleres.dll
c:\windows\system32\defragsvc.dll
c:\windows\system32\drivers\dfsc.sys
c:\windows\system32\dhcpcore.dll
c:\windows\system32\utcresources.dll
c:\windows\system32\drivers\discache.sys
c:\windows\system32\dnsapi.dll
c:\windows\system32\dot3svc.dll
c:\windows\system32\eapsvc.dll
c:\windows\system32\efssvc.dll
c:\windows\ehome\ehrecvr.exe
c:\windows\ehome\ehsched.exe
c:\windows\system32\wevtsvc.dll
c:\windows\system32\fxsresm.dll
c:\windows\system32\fdphost.dll
c:\windows\system32\fdrespub.dll
c:\windows\system32\drivers\fileinfo.sys
c:\windows\system32\drivers\filetrace.sys
c:\windows\system32\drivers\fltmgr.sys
c:\windows\system32\fntcache.dll
c:\windows\system32\presentationhost.exe
c:\windows\system32\drivers\fsdepends.sys
c:\windows\system32\drivers\fvevol.sys
c:\windows\system32\gpapi.dll
c:\windows\system32\hidserv.dll
c:\windows\system32\kmsvc.dll
c:\windows\system32\listsvc.dll
c:\windows\system32\provsvc.dll
c:\windows\system32\drivers\http.sys
c:\windows\system32\drivers\hwpolicy.sys
c:\windows\microsoft.net\framework64\v3.0\windows communication foundation\servicemodelinstallrc.dll
c:\windows\system32\ieetwcollectorres.dll
c:\windows\system32\ikeext.dll
c:\windows\system32\ipbusenum.dll
c:\windows\system32\iphlpsvc.dll
c:\windows\system32\drivers\irenum.sys
c:\windows\system32\keyiso.dll
c:\windows\system32\srvsvc.dll
c:\windows\system32\wkssvc.dll
c:\windows\system32\lltdres.dll
c:\windows\system32\lmhsvc.dll
c:\windows\system32\drivers\luafv.sys
c:\windows\ehome\ehres.dll
c:\windows\system32\mmcss.dll
c:\windows\system32\drivers\mountmgr.sys
c:\windows\system32\firewallapi.dll
c:\windows\system32\webclnt.dll
c:\windows\system32\drivers\mshidkmdf.sys
c:\windows\system32\iscsidsc.dll
c:\windows\system32\msimsg.dll
c:\windows\system32\drivers\mup.sys
c:\windows\system32\qagentrt.dll
c:\windows\system32\drivers\ndis.sys
c:\windows\system32\drivers\netbt.sys
c:\windows\system32\netlogon.dll
c:\windows\system32\netman.dll
c:\windows\microsoft.net\framework64\v4.0.30319\servicemodelinstallrc.dll
c:\windows\system32\netprofm.dll
c:\windows\system32\nlasvc.dll
c:\windows\system32\nsisvc.dll
c:\windows\system32\drivers\nsiproxy.sys
c:\windows\system32\pnrpsvc.dll
c:\windows\system32\p2psvc.dll
c:\windows\system32\drivers\partmgr.sys
c:\windows\system32\pcasvc.dll
c:\windows\system32\peerdistsvc.dll
c:\windows\system32\pla.dll
c:\windows\system32\umpnpmgr.dll
c:\windows\system32\pnrpauto.dll
c:\windows\system32\polstore.dll
c:\windows\system32\umpo.dll
c:\windows\system32\profsvc.dll
c:\windows\system32\psbase.dll
c:\windows\system32\drivers\pacer.sys
c:\windows\system32\qwave.dll
c:\windows\system32\drivers\qwavedrv.sys
c:\windows\system32\rasauto.dll
c:\windows\system32\rasmans.dll
c:\windows\system32\sstpsvc.dll
c:\windows\system32\drivers\rdpcdd.sys
c:\windows\system32\drivers\rdpencdd.sys
c:\windows\system32\drivers\rdprefmp.sys
c:\windows\system32\mprdim.dll
c:\windows\system32\regsvc.dll
c:\windows\system32\rpcepmap.dll
c:\windows\system32\locator.exe
c:\windows\system32\samsrv.dll
c:\windows\system32\scardsvr.dll
c:\windows\system32\drivers\scfilter.sys
c:\windows\system32\schedsvc.dll
c:\windows\system32\sdrsvc.dll
c:\windows\system32\seclogon.dll
c:\windows\system32\sens.dll
c:\windows\system32\sensrsvc.dll
c:\windows\system32\sessenv.dll
c:\windows\system32\ipnathlp.dll
c:\windows\system32\shsvcs.dll
c:\windows\system32\tcpipcfg.dll
c:\windows\system32\snmptrap.exe
c:\windows\system32\spoolsv.exe
c:\windows\system32\sppsvc.exe
c:\windows\system32\sppuinotify.dll
c:\windows\system32\ssdpsrv.dll
c:\windows\system32\wiaservc.dll
c:\windows\system32\vmstorfltres.dll
c:\windows\system32\storsvc.dll
c:\windows\system32\swprv.dll
c:\windows\system32\sysmain.dll
c:\windows\system32\tabsvc.dll
c:\windows\system32\tapisrv.dll
c:\windows\system32\termsrv.dll
c:\windows\system32\themeservice.dll
c:\windows\system32\trkwks.dll
c:\windows\servicing\trustedinstaller.exe
c:\windows\system32\drivers\tssecsrv.sys
c:\windows\system32\ui0detect.exe
c:\windows\system32\umrdp.dll
c:\windows\system32\upnphost.dll
c:\windows\system32\dwm.exe
c:\windows\system32\vaultsvc.dll
c:\windows\system32\vds.exe
c:\windows\system32\drivers\volmgrx.sys
c:\windows\system32\vssvc.exe
c:\windows\system32\drivers\vwifibus.sys
c:\windows\system32\wbengine.exe
c:\windows\system32\wbiosrvc.dll
c:\windows\system32\wcncsvc.dll
c:\windows\system32\wcspluginservice.dll
c:\windows\system32\drivers\wdf01000.sys
c:\windows\system32\wdi.dll
c:\windows\system32\wecsvc.dll
c:\windows\system32\wercplsupport.dll
c:\windows\system32\wersvc.dll
c:\windows\system32\winhttp.dll
c:\windows\system32\wbem\wmisvc.dll
c:\windows\system32\wsmsvc.dll
c:\windows\system32\wlansvc.dll
c:\program files\windows media player\wmpnetwk.exe
c:\windows\system32\wpcsvc.dll
c:\windows\system32\wpdbusenum.dll
c:\windows\system32\drivers\ws2ifsl.sys
c:\windows\system32\wscsvc.dll
c:\windows\system32\drivers\wudfpf.sys
c:\windows\system32\wudfsvc.dll
c:\windows\system32\wwansvc.dll
c:\windows\system32\cryptsp.dll
c:\windows\system32\ws2_32.dll
c:\windows\system32\nsi.dll
c:\windows\system32\mswsock.dll
c:\windows\system32\wshtcpip.dll
c:\windows\system32\wship6.dll
c:\windows\system32\taskhost.exe

PID
456
CMD
C:\Windows\system32\svchost.exe -k netsvcs
Path
C:\Windows\System32\svchost.exe
Indicators
Parent process
services.exe
User
SYSTEM
Integrity Level
SYSTEM
Version:
Company
Microsoft Corporation
Description
Host Process for Windows Services
Version
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Image
c:\windows\system32\svchost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\ole32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\cryptbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\mmcss.dll
c:\windows\system32\avrt.dll
c:\windows\system32\gpsvc.dll
c:\windows\system32\gpapi.dll
c:\windows\system32\wldap32.dll
c:\windows\system32\secur32.dll
c:\windows\system32\sspicli.dll
c:\windows\system32\nsi.dll
c:\windows\system32\wevtapi.dll
c:\windows\system32\netapi32.dll
c:\windows\system32\netutils.dll
c:\windows\system32\srvcli.dll
c:\windows\system32\wkscli.dll
c:\windows\system32\logoncli.dll
c:\windows\system32\sysntfy.dll
c:\windows\system32\nlaapi.dll
c:\windows\system32\profsvc.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\userenv.dll
c:\windows\system32\profapi.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\atl.dll
c:\windows\system32\dsrole.dll
c:\windows\system32\themeservice.dll
c:\windows\system32\rpcrtremote.dll
c:\windows\system32\clbcatq.dll
c:\windows\system32\winsta.dll
c:\windows\system32\cryptsp.dll
c:\windows\system32\slc.dll
c:\windows\system32\rsaenh.dll
c:\windows\system32\version.dll
c:\windows\system32\ws2_32.dll
c:\windows\system32\mswsock.dll
c:\windows\system32\wshtcpip.dll
c:\windows\system32\ntmarta.dll
c:\windows\system32\uxtheme.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\samlib.dll
c:\windows\system32\shsvcs.dll
c:\windows\system32\cfgmgr32.dll
c:\windows\system32\schedsvc.dll
c:\windows\system32\pcwum.dll
c:\windows\system32\shell32.dll
c:\windows\system32\authz.dll
c:\windows\system32\ubpm.dll
c:\windows\system32\ktmw32.dll
c:\windows\system32\xmllite.dll
c:\windows\system32\setupapi.dll
c:\windows\system32\devobj.dll
c:\windows\system32\credssp.dll
c:\windows\system32\wintrust.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\msasn1.dll
c:\windows\system32\fveapi.dll
c:\windows\system32\tbs.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\fvecerts.dll
c:\windows\system32\bcryptprimitives.dll
c:\windows\system32\wiarpc.dll
c:\windows\system32\taskcomp.dll
c:\windows\system32\wship6.dll
c:\windows\system32\netjoin.dll
c:\windows\system32\wtsapi32.dll
c:\windows\winsxs\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.18837_none_fa3b1e3d17594757\comctl32.dll
c:\windows\system32\propsys.dll
c:\windows\system32\wbem\wmisvc.dll
c:\windows\system32\wbemcomn.dll
c:\windows\system32\vssapi.dll
c:\windows\system32\vsstrace.dll
c:\windows\system32\samcli.dll
c:\windows\system32\iphlpsvc.dll
c:\windows\system32\winnsi.dll
c:\windows\system32\firewallapi.dll
c:\windows\system32\iphlpapi.dll
c:\windows\system32\fwpuclnt.dll
c:\windows\system32\rtutils.dll
c:\windows\system32\sqmapi.dll
c:\windows\system32\wdscore.dll
c:\windows\system32\es.dll
c:\windows\system32\netcfgx.dll
c:\windows\system32\hnetcfg.dll
c:\windows\system32\devrtl.dll
c:\windows\system32\wbem\wbemprox.dll
c:\windows\system32\wbem\wbemcore.dll
c:\windows\system32\wbem\esscli.dll
c:\windows\system32\wbem\fastprox.dll
c:\windows\system32\ntdsapi.dll
c:\windows\system32\netprofm.dll
c:\windows\system32\nci.dll
c:\windows\system32\wbem\wbemsvc.dll
c:\windows\system32\wbem\wmiutils.dll
c:\windows\system32\dnsapi.dll
c:\windows\system32\wbem\repdrvfs.dll
c:\windows\system32\wbem\wmiprvsd.dll
c:\windows\system32\ncobjapi.dll
c:\windows\system32\wbem\wbemess.dll
c:\systemroot\system32\ntdll.dll
c:\windows\system32\sens.dll
c:\windows\apppatch\acpsens.dll
c:\windows\system32\srvsvc.dll
c:\windows\system32\browser.dll
c:\windows\system32\rasadhlp.dll
c:\windows\system32\netmsg.dll
c:\windows\system32\sscore.dll
c:\windows\system32\clusapi.dll
c:\windows\system32\cryptdll.dll
c:\windows\system32\resutils.dll
c:\windows\system32\dhcpcsvc6.dll
c:\windows\system32\dhcpcsvc.dll
c:\windows\system32\aelupsvc.dll
c:\windows\system32\npmproxy.dll
c:\windows\system32\actxprxy.dll
c:\windows\system32\wbem\ncprov.dll

PID
460
CMD
"C:\Windows\SysWOW64\svchost.exe" -k NetworkService
Path
C:\Windows\SysWOW64\svchost.exe
Indicators
No indicators
Parent process
services.exe
User
SYSTEM
Integrity Level
SYSTEM
Exit code
0
Version:
Company
Microsoft Corporation
Description
Host Process for Windows Services
Version
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Image
c:\windows\syswow64\svchost.exe
c:\systemroot\system32\ntdll.dll
c:\systemroot\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\system32\kernel32.dll
c:\windows\syswow64\kernel32.dll
c:\windows\system32\user32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\oleaut32.dll
c:\windows\syswow64\ole32.dll
c:\windows\syswow64\msvcrt.dll
c:\windows\syswow64\gdi32.dll
c:\windows\syswow64\user32.dll
c:\windows\syswow64\advapi32.dll
c:\windows\syswow64\sechost.dll
c:\windows\syswow64\rpcrt4.dll
c:\windows\syswow64\sspicli.dll
c:\windows\syswow64\cryptbase.dll
c:\windows\syswow64\lpk.dll
c:\windows\syswow64\usp10.dll
c:\windows\syswow64\imm32.dll
c:\windows\syswow64\msctf.dll
c:\windows\syswow64\apphelp.dll

PID
424
CMD
"C:\Windows\SysWOW64\svchost.exe" -k LocalService
Path
C:\Windows\SysWOW64\svchost.exe
Indicators
Parent process
services.exe
User
SYSTEM
Integrity Level
SYSTEM
Version:
Company
Microsoft Corporation
Description
Host Process for Windows Services
Version
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Image
c:\windows\syswow64\svchost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\ntdll.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\oleaut32.dll
c:\windows\syswow64\ole32.dll
c:\windows\syswow64\msvcrt.dll
c:\windows\syswow64\gdi32.dll
c:\windows\syswow64\user32.dll
c:\windows\syswow64\advapi32.dll
c:\windows\syswow64\sechost.dll
c:\windows\syswow64\rpcrt4.dll
c:\windows\syswow64\sspicli.dll
c:\windows\syswow64\cryptbase.dll
c:\windows\syswow64\lpk.dll
c:\windows\syswow64\usp10.dll
c:\windows\syswow64\imm32.dll
c:\windows\syswow64\msctf.dll
c:\windows\syswow64\wsock32.dll
c:\windows\syswow64\ws2_32.dll
c:\windows\syswow64\nsi.dll
c:\windows\syswow64\netapi32.dll
c:\windows\syswow64\netutils.dll
c:\windows\syswow64\srvcli.dll
c:\windows\syswow64\wkscli.dll
c:\windows\syswow64\setupapi.dll
c:\windows\syswow64\cfgmgr32.dll
c:\windows\syswow64\devobj.dll
c:\windows\syswow64\iphlpapi.dll
c:\windows\syswow64\winnsi.dll
c:\windows\syswow64\dnsapi.dll
c:\windows\syswow64\wininet.dll
c:\windows\syswow64\api-ms-win-downlevel-user32-l1-1-0.dll
c:\windows\syswow64\api-ms-win-downlevel-shlwapi-l1-1-0.dll
c:\windows\syswow64\shlwapi.dll
c:\windows\syswow64\api-ms-win-downlevel-version-l1-1-0.dll
c:\windows\syswow64\version.dll
c:\windows\syswow64\api-ms-win-downlevel-normaliz-l1-1-0.dll
c:\windows\syswow64\normaliz.dll
c:\windows\syswow64\iertutil.dll
c:\windows\syswow64\api-ms-win-downlevel-advapi32-l1-1-0.dll
c:\windows\syswow64\userenv.dll
c:\windows\syswow64\profapi.dll
c:\windows\syswow64\mswsock.dll
c:\windows\syswow64\wshtcpip.dll
c:\windows\syswow64\ntmarta.dll
c:\windows\syswow64\wldap32.dll
c:\windows\syswow64\wintrust.dll
c:\windows\syswow64\crypt32.dll
c:\windows\syswow64\msasn1.dll
c:\windows\syswow64\dhcpcsvc.dll
c:\windows\syswow64\netbios.dll
c:\systemroot\system32\ntdll.dll
c:\systemroot\syswow64\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\user32.dll
c:\windows\syswow64\nlaapi.dll
c:\windows\syswow64\napinsp.dll
c:\windows\syswow64\pnrpnsp.dll
c:\windows\syswow64\winrnr.dll
c:\windows\syswow64\fwpuclnt.dll
c:\windows\syswow64\rasadhlp.dll
c:\windows\syswow64\secur32.dll
c:\windows\syswow64\shell32.dll
c:\windows\syswow64\api-ms-win-downlevel-advapi32-l2-1-0.dll
c:\windows\syswow64\api-ms-win-downlevel-ole32-l1-1-0.dll
c:\windows\syswow64\winhttp.dll
c:\windows\syswow64\webio.dll
c:\windows\syswow64\wship6.dll
c:\windows\syswow64\clbcatq.dll
c:\windows\syswow64\dhcpcsvc6.dll
c:\windows\syswow64\netprofm.dll
c:\windows\syswow64\cryptsp.dll
c:\windows\syswow64\rsaenh.dll
c:\windows\syswow64\rpcrtremote.dll
c:\windows\syswow64\npmproxy.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.18837_none_41e855142bd5705d\comctl32.dll
c:\windows\syswow64\wshqos.dll
c:\windows\syswow64\urlmon.dll

PID
1028
CMD
"C:\Windows\SysWOW64\svchost.exe" -k NetworkService
Path
C:\Windows\SysWOW64\svchost.exe
Indicators
Parent process
services.exe
User
SYSTEM
Integrity Level
SYSTEM
Version:
Company
Microsoft Corporation
Description
Host Process for Windows Services
Version
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Image
c:\windows\syswow64\svchost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\ntdll.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\oleaut32.dll
c:\windows\syswow64\ole32.dll
c:\windows\syswow64\msvcrt.dll
c:\windows\syswow64\gdi32.dll
c:\windows\syswow64\user32.dll
c:\windows\syswow64\advapi32.dll
c:\windows\syswow64\sechost.dll
c:\windows\syswow64\rpcrt4.dll
c:\windows\syswow64\sspicli.dll
c:\windows\syswow64\cryptbase.dll
c:\windows\syswow64\lpk.dll
c:\windows\syswow64\usp10.dll
c:\windows\syswow64\imm32.dll
c:\windows\syswow64\msctf.dll
c:\systemroot\system32\ntdll.dll
c:\systemroot\syswow64\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\user32.dll
c:\windows\syswow64\wsock32.dll
c:\windows\syswow64\ws2_32.dll
c:\windows\syswow64\nsi.dll
c:\windows\syswow64\mswsock.dll
c:\windows\syswow64\wshtcpip.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\powercfg.exe
c:\windows\syswow64\nlaapi.dll
c:\windows\syswow64\napinsp.dll
c:\windows\syswow64\pnrpnsp.dll
c:\windows\syswow64\dnsapi.dll
c:\windows\syswow64\winrnr.dll
c:\windows\syswow64\fwpuclnt.dll
c:\windows\syswow64\rasadhlp.dll
c:\windows\syswow64\iphlpapi.dll
c:\windows\syswow64\winnsi.dll
c:\windows\syswow64\wininet.dll
c:\windows\syswow64\api-ms-win-downlevel-user32-l1-1-0.dll
c:\windows\syswow64\api-ms-win-downlevel-shlwapi-l1-1-0.dll
c:\windows\syswow64\shlwapi.dll
c:\windows\syswow64\api-ms-win-downlevel-version-l1-1-0.dll
c:\windows\syswow64\version.dll
c:\windows\syswow64\api-ms-win-downlevel-normaliz-l1-1-0.dll
c:\windows\syswow64\normaliz.dll
c:\windows\syswow64\iertutil.dll
c:\windows\syswow64\api-ms-win-downlevel-advapi32-l1-1-0.dll
c:\windows\syswow64\userenv.dll
c:\windows\syswow64\profapi.dll
c:\windows\syswow64\secur32.dll
c:\windows\syswow64\shell32.dll
c:\windows\syswow64\api-ms-win-downlevel-advapi32-l2-1-0.dll
c:\windows\syswow64\api-ms-win-downlevel-ole32-l1-1-0.dll
c:\windows\syswow64\winhttp.dll
c:\windows\syswow64\webio.dll
c:\windows\syswow64\wship6.dll
c:\windows\syswow64\clbcatq.dll
c:\windows\syswow64\netprofm.dll
c:\windows\syswow64\dhcpcsvc6.dll
c:\windows\syswow64\dhcpcsvc.dll
c:\windows\syswow64\cryptsp.dll
c:\windows\syswow64\rsaenh.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.18837_none_41e855142bd5705d\comctl32.dll
c:\windows\syswow64\rpcrtremote.dll
c:\windows\syswow64\npmproxy.dll
c:\windows\syswow64\wshqos.dll
c:\windows\syswow64\urlmon.dll

PID
912
CMD
"taskhost.exe"
Path
C:\Windows\system32\taskhost.exe
Indicators
No indicators
Parent process
services.exe
User
admin
Integrity Level
MEDIUM
Version:
Company
Microsoft Corporation
Description
Host Process for Windows Tasks
Version
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Image
c:\windows\system32\taskhost.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\ole32.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\cryptbase.dll
c:\windows\system32\sechost.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\uxtheme.dll
c:\windows\system32\dwmapi.dll
c:\windows\system32\clbcatq.dll
c:\windows\system32\msctfmonitor.dll
c:\windows\system32\msutb.dll
c:\windows\system32\winsta.dll
c:\windows\system32\wtsapi32.dll
c:\windows\system32\wininet.dll
c:\windows\system32\api-ms-win-downlevel-user32-l1-1-0.dll
c:\windows\system32\api-ms-win-downlevel-shlwapi-l1-1-0.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\api-ms-win-downlevel-version-l1-1-0.dll
c:\windows\system32\version.dll
c:\windows\system32\api-ms-win-downlevel-normaliz-l1-1-0.dll
c:\windows\system32\normaliz.dll
c:\windows\system32\iertutil.dll
c:\windows\system32\api-ms-win-downlevel-advapi32-l1-1-0.dll
c:\windows\system32\userenv.dll
c:\windows\system32\profapi.dll
c:\windows\system32\api-ms-win-downlevel-ole32-l1-1-0.dll
c:\windows\system32\playsndsrv.dll
c:\windows\system32\hotstartuseragent.dll
c:\windows\system32\slc.dll
c:\windows\system32\api-ms-win-downlevel-advapi32-l2-1-0.dll
c:\windows\system32\rpcrtremote.dll
c:\windows\system32\esent.dll
c:\windows\system32\psapi.dll
c:\windows\system32\shell32.dll
c:\windows\system32\winmm.dll

PID
2824
CMD
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
Path
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
Indicators
No indicators
Parent process
services.exe
User
SYSTEM
Integrity Level
SYSTEM
Exit code
0
Version:
Company
Microsoft Corporation
Description
.NET Runtime Optimization Service
Version
4.7.3062.0 built by: NET472REL1
Modules
Image
c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe
c:\systemroot\system32\ntdll.dll
c:\systemroot\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\system32\kernel32.dll
c:\windows\syswow64\kernel32.dll
c:\windows\system32\user32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\advapi32.dll
c:\windows\syswow64\msvcrt.dll
c:\windows\syswow64\sechost.dll
c:\windows\syswow64\rpcrt4.dll
c:\windows\syswow64\sspicli.dll
c:\windows\syswow64\cryptbase.dll
c:\windows\syswow64\msvcr120_clr0400.dll
c:\windows\syswow64\mscoree.dll
c:\windows\syswow64\ole32.dll
c:\windows\syswow64\gdi32.dll
c:\windows\syswow64\user32.dll
c:\windows\syswow64\lpk.dll
c:\windows\syswow64\usp10.dll
c:\windows\syswow64\oleaut32.dll
c:\windows\syswow64\imm32.dll
c:\windows\syswow64\msctf.dll

PID
1944
CMD
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
Path
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
Indicators
No indicators
Parent process
services.exe
User
SYSTEM
Integrity Level
SYSTEM
Exit code
0
Version:
Company
Microsoft Corporation
Description
.NET Runtime Optimization Service
Version
4.7.3062.0 built by: NET472REL1
Modules
Image
c:\windows\microsoft.net\framework64\v4.0.30319\mscorsvw.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\msvcr120_clr0400.dll
c:\windows\system32\mscoree.dll
c:\windows\system32\ole32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll

PID
1104
CMD
C:\Windows\system32\sppsvc.exe
Path
C:\Windows\system32\sppsvc.exe
Indicators
No indicators
Parent process
services.exe
User
NETWORK SERVICE
Integrity Level
SYSTEM
Exit code
0
Version:
Company
Microsoft Corporation
Description
Microsoft Software Protection Platform Service
Version
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Image
c:\windows\system32\sppsvc.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\ole32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\cryptbase.dll
c:\windows\system32\rpcrtremote.dll
c:\windows\system32\cryptsp.dll
c:\windows\system32\rsaenh.dll
c:\windows\system32\sppwinob.dll
c:\windows\system32\sppobjs.dll
c:\windows\system32\dnsapi.dll
c:\windows\system32\ws2_32.dll
c:\windows\system32\nsi.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\clbcatq.dll
c:\windows\system32\taskschd.dll
c:\windows\system32\sspicli.dll
c:\windows\system32\setupapi.dll
c:\windows\system32\cfgmgr32.dll
c:\windows\system32\devobj.dll
c:\windows\system32\wintrust.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\msasn1.dll

PID
2740
CMD
POWERCFG -H OFF
Path
C:\Windows\SysWOW64\POWERCFG.exe
Indicators
No indicators
Parent process
svchost.exe
User
SYSTEM
Integrity Level
SYSTEM
Exit code
0
Version:
Company
Microsoft Corporation
Description
Power Settings Command-Line Tool
Version
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Image
c:\windows\syswow64\powercfg.exe
c:\systemroot\system32\ntdll.dll
c:\systemroot\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\system32\kernel32.dll
c:\windows\syswow64\kernel32.dll
c:\windows\system32\user32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\advapi32.dll
c:\windows\syswow64\msvcrt.dll
c:\windows\syswow64\sechost.dll
c:\windows\syswow64\rpcrt4.dll
c:\windows\syswow64\sspicli.dll
c:\windows\syswow64\cryptbase.dll
c:\windows\syswow64\user32.dll
c:\windows\syswow64\gdi32.dll
c:\windows\syswow64\lpk.dll
c:\windows\syswow64\usp10.dll
c:\windows\syswow64\ws2_32.dll
c:\windows\syswow64\nsi.dll
c:\windows\syswow64\shlwapi.dll
c:\windows\syswow64\shell32.dll
c:\windows\syswow64\powrprof.dll
c:\windows\syswow64\setupapi.dll
c:\windows\syswow64\cfgmgr32.dll
c:\windows\syswow64\oleaut32.dll
c:\windows\syswow64\ole32.dll
c:\windows\syswow64\devobj.dll
c:\windows\syswow64\imm32.dll
c:\windows\syswow64\msctf.dll

PID
1868
CMD
C:\Windows\system32\sc.exe start w32time task_started
Path
C:\Windows\system32\sc.exe
Indicators
No indicators
Parent process
services.exe
User
LOCAL SERVICE
Integrity Level
SYSTEM
Exit code
1058
Version:
Company
Microsoft Corporation
Description
A tool to aid in developing services for WindowsNT
Version
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Image
c:\windows\system32\sc.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll

PID
2004
CMD
wmiadap.exe /F /T /R
Path
C:\Windows\system32\wbem\WMIADAP.EXE
Indicators
No indicators
Parent process
svchost.exe
User
SYSTEM
Integrity Level
SYSTEM
Exit code
0
Version:
Company
Microsoft Corporation
Description
WMI Reverse Performance Adapter Maintenance Utility
Version
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Image
c:\windows\system32\wbem\wmiadap.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\wbemcomn.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\ole32.dll
c:\windows\system32\ws2_32.dll
c:\windows\system32\nsi.dll
c:\windows\system32\loadperf.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\cryptbase.dll
c:\windows\system32\clbcatq.dll
c:\windows\system32\wbem\wbemprox.dll
c:\windows\system32\cryptsp.dll
c:\windows\system32\rsaenh.dll
c:\windows\system32\rpcrtremote.dll
c:\windows\system32\wbem\wbemsvc.dll
c:\windows\system32\wbem\fastprox.dll
c:\windows\system32\ntdsapi.dll
c:\windows\system32\psapi.dll
c:\windows\system32\ntmarta.dll
c:\windows\system32\wldap32.dll

PID
2316
CMD
C:\Windows\System32\svchost.exe -k rpcss
Path
C:\Windows\System32\svchost.exe
Indicators
Parent process
svchost.exe
User
SYSTEM
Integrity Level
SYSTEM
Exit code
0
Version:
Company
Microsoft Corporation
Description
Host Process for Windows Services
Version
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Image
c:\windows\system32\svchost.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\ws2_32.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\nsi.dll
c:\windows\system32\userenv.dll
c:\windows\system32\profapi.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\msasn1.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\api-ms-win-core-synch-l1-2-0.dll
c:\windows\system32\cryptbase.dll
c:\windows\system32\powrprof.dll
c:\windows\system32\setupapi.dll
c:\windows\system32\cfgmgr32.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\ole32.dll
c:\windows\system32\devobj.dll
c:\windows\system32\mswsock.dll
c:\windows\system32\wshtcpip.dll
c:\windows\system32\wship6.dll
c:\windows\system32\wshqos.dll
c:\windows\system32\bcryptprimitives.dll

PID
2352
CMD
C:\Windows\SysWOW64\svchost.exe -k rpcss
Path
C:\Windows\SysWOW64\svchost.exe
Indicators
Parent process
services.exe
User
SYSTEM
Integrity Level
SYSTEM
Version:
Company
Microsoft Corporation
Description
Host Process for Windows Services
Version
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Image
c:\windows\syswow64\svchost.exe
c:\systemroot\system32\ntdll.dll
c:\systemroot\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\system32\kernel32.dll
c:\windows\syswow64\kernel32.dll
c:\windows\system32\user32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\oleaut32.dll
c:\windows\syswow64\ole32.dll
c:\windows\syswow64\gdi32.dll
c:\windows\syswow64\msvcrt.dll
c:\windows\syswow64\advapi32.dll
c:\windows\syswow64\user32.dll
c:\windows\syswow64\sechost.dll
c:\windows\syswow64\rpcrt4.dll
c:\windows\syswow64\sspicli.dll
c:\windows\syswow64\cryptbase.dll
c:\windows\syswow64\lpk.dll
c:\windows\syswow64\usp10.dll
c:\windows\syswow64\version.dll
c:\windows\syswow64\netapi32.dll
c:\windows\syswow64\netutils.dll
c:\windows\syswow64\srvcli.dll
c:\windows\syswow64\wkscli.dll
c:\windows\syswow64\wsock32.dll
c:\windows\syswow64\ws2_32.dll
c:\windows\syswow64\nsi.dll
c:\windows\syswow64\imm32.dll
c:\windows\syswow64\msctf.dll
c:\windows\syswow64\winmm.dll
c:\windows\syswow64\mswsock.dll
c:\windows\syswow64\wshtcpip.dll
c:\windows\syswow64\ntmarta.dll
c:\windows\syswow64\wldap32.dll
c:\windows\syswow64\nlaapi.dll
c:\windows\syswow64\napinsp.dll
c:\windows\syswow64\pnrpnsp.dll
c:\windows\syswow64\dnsapi.dll
c:\windows\syswow64\winrnr.dll
c:\windows\syswow64\iphlpapi.dll
c:\windows\syswow64\winnsi.dll
c:\windows\syswow64\fwpuclnt.dll
c:\windows\syswow64\rasadhlp.dll

PID
4036
CMD
C:\Windows\System32\svchost.exe -k rpcss
Path
C:\Windows\System32\svchost.exe
Indicators
Parent process
svchost.exe
User
SYSTEM
Integrity Level
SYSTEM
Version:
Company
Microsoft Corporation
Description
Host Process for Windows Services
Version
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Image
c:\systemroot\system32\ntdll.dll
c:\windows\system32\svchost.exe
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\ws2_32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\nsi.dll
c:\windows\system32\userenv.dll
c:\windows\system32\profapi.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\msasn1.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\api-ms-win-core-synch-l1-2-0.dll
c:\windows\system32\cryptbase.dll
c:\windows\system32\powrprof.dll
c:\windows\system32\setupapi.dll
c:\windows\system32\cfgmgr32.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\ole32.dll
c:\windows\system32\devobj.dll
c:\windows\system32\mswsock.dll
c:\windows\system32\wshtcpip.dll
c:\windows\system32\wship6.dll
c:\windows\system32\wshqos.dll
c:\windows\system32\bcryptprimitives.dll

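The process module lists above and the rows of the Modification events table in the Registry activity section that follows are both flattened to one field per line, which makes them awkward to grep. The Python below is added here as a worked example and is not part of the ANY.RUN report; it parses both layouts and flags the entries a triager would pull out of this report: a DLL loaded from C:\Windows\AppPatch into a service host, the Windows Defender DisableAntiSpyware policy writes, the PendingFileRenameOperations entry that points at Acpsens.dll, the randomly named Program Files folder registered by msiexec.exe, and the local IPsec policy 'qianye' written by netsh.exe. The allow-list of module directories, the random-folder heuristic and the PID in the constructed process block are assumptions; the sample rows are copied from the report's own data.

```python
"""Triage helpers for the flattened ANY.RUN report layout (added example)."""
import re

# Assumption: directories a Windows 7 host process normally loads code from.
# A DLL under c:\windows\apppatch\ is the kind of outlier this catches.
EXPECTED_MODULE_DIRS = (
    "c:\\windows\\system32\\", "c:\\windows\\syswow64\\",
    "c:\\systemroot\\system32\\", "c:\\systemroot\\syswow64\\",
    "c:\\windows\\winsxs\\", "c:\\windows\\microsoft.net\\",
)
REG_OPS = {"write", "delete key", "delete value"}
# Heuristic: a Program Files subfolder named by 20+ random-looking alphanumerics.
RANDOM_DIR = re.compile(r"\\program files( \(x86\))?\\[a-z0-9]{20,}\\", re.I)


def loaded_modules(chunk):
    """Module paths of one process record: the lines after its 'Image' header."""
    lines = [l.strip() for l in chunk.strip().splitlines()]
    return [m.lower() for m in lines[lines.index("Image") + 1:]]


def unexpected_modules(modules):
    """Modules loaded from outside the allow-listed system directories."""
    return [m for m in modules if not m.startswith(EXPECTED_MODULE_DIRS)]


def _starts_event(lines, i):
    """An event begins with a PID line, then an image name, then a known operation."""
    return (i + 2 < len(lines) and lines[i].isdigit()
            and lines[i + 1].lower().endswith(".exe") and lines[i + 2] in REG_OPS)


def parse_registry_events(text):
    """Flattened 'Modification events' rows -> list of event dicts.

    Value is optional, so an event runs until the next PID/Process/Operation triple;
    a bare numeric value such as "316" is not mistaken for a PID because the line
    after it is not an image name.
    """
    lines = [l.strip() for l in text.splitlines() if l.strip()]
    events, i = [], 0
    while i < len(lines):
        if not _starts_event(lines, i) or i + 4 >= len(lines):
            i += 1
            continue
        ev = {"pid": int(lines[i]), "process": lines[i + 1], "op": lines[i + 2],
              "key": lines[i + 3], "name": lines[i + 4], "value": None}
        j = i + 5
        while j < len(lines) and not _starts_event(lines, j):
            ev["value"] = lines[j] if ev["value"] is None else ev["value"] + "\n" + lines[j]
            j += 1
        events.append(ev)
        i = j
    return events


def triage_registry_events(events):
    """Flag the defence-evasion, persistence and host-firewall writes seen in this report."""
    findings, ipsec_objects = [], set()
    for ev in events:
        key, name, val, who = ev["key"].lower(), ev["name"], ev["value"], f"{ev['process']}({ev['pid']})"
        if key.endswith("\\policies\\microsoft\\windows defender") and name == "DisableAntiSpyware" and val == "1":
            findings.append(f"{who}: Windows Defender disabled by policy under {ev['key']}")
        elif name == "PendingFileRenameOperations":
            findings.append(f"{who}: file rename/delete queued for next boot: {val}")
        elif name == "AllowProtectedRenames" and val == "1":
            findings.append(f"{who}: protected-file renames enabled in SESSION MANAGER")
        elif key.endswith("\\installer\\folders") and RANDOM_DIR.search(name):
            findings.append(f"{who}: install folder with random name {name}")
        elif "\\ipsec\\policy\\local\\" in key and ev["op"] == "write":
            ipsec_objects.add(ev["key"].rsplit("\\", 1)[1])  # ipsecPolicy{..}, ipsecNFA{..}, ...
            if name == "ipsecName":
                findings.append(f"{who}: local IPsec policy {val!r} created via netsh")
    if ipsec_objects:
        findings.append(f"{len(ipsec_objects)} IPsec policy objects written under ...\\IPSEC\\Policy\\Local")
    return findings


HKLM = "HKEY_LOCAL_MACHINE"
IPSEC = HKLM + r"\SOFTWARE\Policies\Microsoft\Windows\IPSEC\Policy\Local"
# Constructed samples in the report's one-field-per-line layout. The process block
# keeps only four of the modules the report lists for the SENS host; its PID is assumed.
SAMPLE_PROCESS = "\n".join([
    "PID", "860", "Path", r"C:\Windows\system32\svchost.exe", "Modules", "Image",
    r"c:\windows\system32\svchost.exe", r"c:\systemroot\system32\ntdll.dll",
    r"c:\windows\system32\sens.dll", r"c:\windows\apppatch\acpsens.dll",
])
SAMPLE_REGISTRY = "\n".join("\n".join(row) for row in [
    ("2696", "WinRAR.exe", "write", r"HKEY_CURRENT_USER\Software\WinRAR\Interface\Themes", "ShellExtBMP"),
    ("2964", "msiexec.exe", "write", HKLM + r"\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\Folders",
     r"C:\Program Files (x86)\9LFHGFHUAXLNF5ATC8AWC1H6VEYA0VFUFFY5" + "\\", "1"),
    ("2964", "msiexec.exe", "write", HKLM + r"\SOFTWARE\Policies\Microsoft\Windows Defender", "DisableAntiSpyware", "1"),
    ("2964", "msiexec.exe", "write", HKLM + r"\SYSTEM\ControlSet001\Control\SESSION MANAGER", "AllowProtectedRenames", "1"),
    ("2964", "msiexec.exe", "write", HKLM + r"\SYSTEM\ControlSet001\Control\SESSION MANAGER",
     "PendingFileRenameOperations", r"\??\C:\Windows\AppPatch\Acpsens.dll"),
    ("2964", "msiexec.exe", "write", HKLM + r"\SYSTEM\ControlSet001\Control\MUI\StringCacheSettings", "StringCacheGeneration", "316"),
    ("1736", "MsiExec.exe", "write", r"HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows Script\Settings", "JITDebug", "0"),
    ("1460", "netsh.exe", "write", IPSEC + r"\ipsecPolicy{5e9db8e8-9fab-4d45-ad31-5289b6b52b51}", "ipsecName", "qianye"),
    ("1460", "netsh.exe", "write", IPSEC + r"\ipsecNFA{5a7ce80b-f959-4249-b17e-9bed6ec47221}", "className", "ipsecNFA"),
])

if __name__ == "__main__":
    print("unexpected modules:", unexpected_modules(loaded_modules(SAMPLE_PROCESS)))
    for finding in triage_registry_events(parse_registry_events(SAMPLE_REGISTRY)):
        print(finding)
```

Pasting the report's full process and registry sections into the two sample strings gives the complete picture: the AppPatch DLL shows up in the module check, and the registry triage ties the PendingFileRenameOperations entry for Acpsens.dll to the same msiexec.exe PID (2964) that turned off Defender. The same key/value checks translate directly to a PowerShell or Sysmon (Event ID 13) hunt on a live host, where the IPsec policy objects under HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSEC\Policy\Local are the durable artefact a cleanup has to remove.
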
Registry activity

Total events
18306
Read events
16667
Write events
1631
Delete events
8

Modification events

PID
Process
Operation
Key
Name
Value
2696
WinRAR.exe
write
HKEY_CURRENT_USER\Software\WinRAR\Interface\Themes
ShellExtBMP
2696
WinRAR.exe
write
HKEY_CURRENT_USER\Software\WinRAR\Interface\Themes
ShellExtIcon
2696
WinRAR.exe
write
HKEY_CLASSES_ROOT\Local Settings\MuiCache\13B\52C64B7E
LanguageList
en-US
2696
WinRAR.exe
write
HKEY_CURRENT_USER\Software\WinRAR\ArcHistory
0
C:\Users\admin\Desktop\pf.zip
2696
WinRAR.exe
write
HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
name
120
2696
WinRAR.exe
write
HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
size
80
2696
WinRAR.exe
write
HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
type
120
2696
WinRAR.exe
write
HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
mtime
100
2696
WinRAR.exe
write
HKEY_CLASSES_ROOT\Local Settings\MuiCache\13B\52C64B7E
@C:\Windows\System32\msimsg.dll,-34
Windows Installer Package
2696
WinRAR.exe
write
HKEY_CURRENT_USER\Software\WinRAR\Interface\MainWin
Placement
2C0000000000000001000000FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF1600000016000000D60300000B020000
2696
WinRAR.exe
write
HKEY_CURRENT_USER\Software\Microsoft\IMEJP\10.0\MSIME\AutoCharWidth
LearnData
A2,040,050,060,070,080,090,160,170,
2696
WinRAR.exe
write
HKEY_CURRENT_USER\Software\WinRAR\General
LastFolder
C:\Users\admin\Desktop
2696
WinRAR.exe
write
HKEY_CURRENT_USER\Software\WinRAR\FileList\ArcColumnWidths
name
120
2696
WinRAR.exe
write
HKEY_CURRENT_USER\Software\WinRAR\FileList\ArcColumnWidths
size
80
2696
WinRAR.exe
write
HKEY_CURRENT_USER\Software\WinRAR\FileList\ArcColumnWidths
psize
80
2696
WinRAR.exe
write
HKEY_CURRENT_USER\Software\WinRAR\FileList\ArcColumnWidths
type
120
2696
WinRAR.exe
write
HKEY_CURRENT_USER\Software\WinRAR\FileList\ArcColumnWidths
mtime
100
2696
WinRAR.exe
write
HKEY_CURRENT_USER\Software\WinRAR\FileList\ArcColumnWidths
crc
70
2696
WinRAR.exe
write
HKEY_CURRENT_USER\Software\WinRAR\General\Toolbar\Layout
Band76_0
4C000000730100000402000000000000D4D0C80000000000000000000000000000000000000000004E010400000000000000000039000000B402000000000000000000000000000001000000
2696
WinRAR.exe
write
HKEY_CURRENT_USER\Software\WinRAR\General\Toolbar\Layout
Band76_1
4C000000730100000500000000000000D4D0C80000000000000000000000000000000000000000005C0104000000000000000000160000002A00000000000000000000000000000002000000
2696
WinRAR.exe
write
HKEY_CURRENT_USER\Software\WinRAR\General\Toolbar\Layout
Band76_2
4C000000730100000400000000000000D4D0C8000000000000000000000000000000000000000000440107000000000000000000160000006400000000000000000000000000000003000000
2176
msiexec.exe
write
HKEY_CURRENT_USER\Software\Microsoft\IMEJP\10.0\MSIME\AutoCharWidth
LearnData
A2,040,050,060,070,080,090,160,170,
2964
msiexec.exe
delete key
HKEY_USERS\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\13B\52C64B7E
(default)
2964
msiexec.exe
delete key
HKEY_USERS\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\13B
(default)
2964
msiexec.exe
delete key
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\Rollback\Scripts
(default)
2964
msiexec.exe
delete key
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\Rollback
(default)
2964
msiexec.exe
delete key
HKEY_USERS\S-1-5-21-3896776584-4254864009-862391680-1000\Software\Microsoft\RestartManager\Session0000
(default)
2964
msiexec.exe
delete key
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\InProgress
(default)
2964
msiexec.exe
write
HKEY_USERS\S-1-5-21-3896776584-4254864009-862391680-1000\Software\Microsoft\RestartManager\Session0000
Owner
940B00008844F9EECFC0D601
2964
msiexec.exe
write
HKEY_USERS\S-1-5-21-3896776584-4254864009-862391680-1000\Software\Microsoft\RestartManager\Session0000
SessionHash
CBCF4BFF4018671F6C2D071A9B0E0C1FA531F750FEBB65CBB93BD0730E1660E4
2964
msiexec.exe
write
HKEY_USERS\S-1-5-21-3896776584-4254864009-862391680-1000\Software\Microsoft\RestartManager\Session0000
Sequence
1
2964
msiexec.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\InProgress
(default)
C:\Windows\Installer\18653f.ipi
2964
msiexec.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\Folders
C:\Config.Msi\
2964
msiexec.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\Rollback\Scripts
C:\Config.Msi\186540.rbs
30851355
2964
msiexec.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\Rollback\Scripts
C:\Config.Msi\186540.rbsLow
1623513920
2964
msiexec.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\4B7B00AA4731E2647AAC15042EA5873C
230593080361B4C49A79A0C7BC277CB5
C:\Windows\AppPatch\Custom\
2964
msiexec.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\70BF55C3EB8F6EA41939DB875DE7E060
230593080361B4C49A79A0C7BC277CB5
C:\Windows\.ini
2964
msiexec.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\Folders
C:\Program Files (x86)\9LFHGFHUAXLNF5ATC8AWC1H6VEYA0VFUFFY5\9LFHGFHUAXLNF5ATC8AWC1H6VEYA0VFUFFY5\
1
2964
msiexec.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\Folders
C:\Program Files (x86)\9LFHGFHUAXLNF5ATC8AWC1H6VEYA0VFUFFY5\
1
2964
msiexec.exe
write
HKEY_USERS\S-1-5-21-3896776584-4254864009-862391680-1000\Software\Policies\Microsoft\Windows Defender
DisableAntiSpyware
1
2964
msiexec.exe
write
HKEY_USERS\S-1-5-21-3896776584-4254864009-862391680-1000\Software\7-Zip
StayOnTop
1
2964
msiexec.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender
DisableAntiSpyware
1
2964
msiexec.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SESSION MANAGER
AllowProtectedRenames
1
2964
msiexec.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SESSION MANAGER
PendingFileRenameOperations
\??\C:\Windows\AppPatch\Acpsens.dll
2964
msiexec.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\SoundResearch
UpdaterLastTimeChecked1
1
2964
msiexec.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\SoundResearch
UpdaterLastTimeChecked2
2
2964
msiexec.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\SoundResearch
UpdaterLastTimeChecked3
3
2964
msiexec.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\MUI\StringCacheSettings
StringCacheGeneration
316
1736
MsiExec.exe
write
HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows Script\Settings
JITDebug
0
1736
MsiExec.exe
write
HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
UNCAsIntranet
0
1736
MsiExec.exe
write
HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
AutoDetect
1
2932
netsh.exe
write
HKEY_USERS\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\13B\52C64B7E
LanguageList
en-US
1460
netsh.exe
write
HKEY_USERS\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\13B\52C64B7E
LanguageList
en-US
1460
netsh.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\IPSEC\Policy\Local\ipsecISAKMPPolicy{03b677df-e230-4e22-817b-873a2e245c69}
className
ipsecISAKMPPolicy
1460
netsh.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\IPSEC\Policy\Local\ipsecISAKMPPolicy{03b677df-e230-4e22-817b-873a2e245c69}
name
ipsecISAKMPPolicy{03b677df-e230-4e22-817b-873a2e245c69}
1460
netsh.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\IPSEC\Policy\Local\ipsecISAKMPPolicy{03b677df-e230-4e22-817b-873a2e245c69}
ipsecID
{03b677df-e230-4e22-817b-873a2e245c69}
1460
netsh.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\IPSEC\Policy\Local\ipsecISAKMPPolicy{03b677df-e230-4e22-817b-873a2e245c69}
ipsecDataType
256
1460
netsh.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\IPSEC\Policy\Local\ipsecISAKMPPolicy{03b677df-e230-4e22-817b-873a2e245c69}
ipsecData
B820DC80C82ED111A89E00A0248D3021C0000000DF77B60330E2224E817B873A2E245C69000000000000000000000000000000000000000080700000000000000000000000000000000000000000000002000000000000000300000040000000080000000200000040000000000000000000000000000000000000000000000002000000000000000000000080700000000000000000000003000000400000000800000002000000400000000000000000000000000000000400000000000000020000000000000000000000807000000000000000
1460
netsh.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\IPSEC\Policy\Local\ipsecISAKMPPolicy{03b677df-e230-4e22-817b-873a2e245c69}
whenChanged
1606050240
1460
netsh.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\IPSEC\Policy\Local\ipsecNegotiationPolicy{17512265-c29d-4ee6-82d7-727237198fea}
className
ipsecNegotiationPolicy
1460
netsh.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\IPSEC\Policy\Local\ipsecNegotiationPolicy{17512265-c29d-4ee6-82d7-727237198fea}
name
ipsecNegotiationPolicy{17512265-c29d-4ee6-82d7-727237198fea}
1460
netsh.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\IPSEC\Policy\Local\ipsecNegotiationPolicy{17512265-c29d-4ee6-82d7-727237198fea}
ipsecID
{17512265-c29d-4ee6-82d7-727237198fea}
1460
netsh.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\IPSEC\Policy\Local\ipsecNegotiationPolicy{17512265-c29d-4ee6-82d7-727237198fea}
ipsecNegotiationPolicyAction
{8a171dd3-77e3-11d1-8659-a04f00000000}
1460
netsh.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\IPSEC\Policy\Local\ipsecNegotiationPolicy{17512265-c29d-4ee6-82d7-727237198fea}
ipsecNegotiationPolicyType
{62f49e13-6c37-11d1-864c-14a300000000}
1460
netsh.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\IPSEC\Policy\Local\ipsecNegotiationPolicy{17512265-c29d-4ee6-82d7-727237198fea}
ipsecDataType
256
1460
netsh.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\IPSEC\Policy\Local\ipsecNegotiationPolicy{17512265-c29d-4ee6-82d7-727237198fea}
ipsecData
B920DC80C82ED111A89E00A0248D3021A4000000020000000000000000000000000000000000000001000000030000000200000002000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000100000002000000000000000100000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
1460
netsh.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\IPSEC\Policy\Local\ipsecNegotiationPolicy{17512265-c29d-4ee6-82d7-727237198fea}
whenChanged
1606050241
1460
netsh.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\IPSEC\Policy\Local\ipsecPolicy{5e9db8e8-9fab-4d45-ad31-5289b6b52b51}
className
ipsecPolicy
1460
netsh.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\IPSEC\Policy\Local\ipsecPolicy{5e9db8e8-9fab-4d45-ad31-5289b6b52b51}
name
ipsecPolicy{5e9db8e8-9fab-4d45-ad31-5289b6b52b51}
1460
netsh.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\IPSEC\Policy\Local\ipsecPolicy{5e9db8e8-9fab-4d45-ad31-5289b6b52b51}
ipsecName
qianye
1460
netsh.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\IPSEC\Policy\Local\ipsecPolicy{5e9db8e8-9fab-4d45-ad31-5289b6b52b51}
ipsecID
{5e9db8e8-9fab-4d45-ad31-5289b6b52b51}
1460
netsh.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\IPSEC\Policy\Local\ipsecPolicy{5e9db8e8-9fab-4d45-ad31-5289b6b52b51}
ipsecDataType
256
1460
netsh.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\IPSEC\Policy\Local\ipsecPolicy{5e9db8e8-9fab-4d45-ad31-5289b6b52b51}
ipsecData
632120224C4FD111863B00A0248D302104000000302A000000
1460
netsh.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\IPSEC\Policy\Local\ipsecPolicy{5e9db8e8-9fab-4d45-ad31-5289b6b52b51}
ipsecISAKMPReference
SOFTWARE\Policies\Microsoft\Windows\IPSEC\Policy\Local\ipsecISAKMPPolicy{03b677df-e230-4e22-817b-873a2e245c69}
1460
netsh.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\IPSEC\Policy\Local\ipsecPolicy{5e9db8e8-9fab-4d45-ad31-5289b6b52b51}
whenChanged
1606050240
1460
netsh.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\IPSEC\Policy\Local\ipsecISAKMPPolicy{03b677df-e230-4e22-817b-873a2e245c69}
ipsecOwnersReference
SOFTWARE\Policies\Microsoft\Windows\IPSEC\Policy\Local\ipsecPolicy{5e9db8e8-9fab-4d45-ad31-5289b6b52b51}
1460
netsh.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\IPSEC\Policy\Local\ipsecNFA{5a7ce80b-f959-4249-b17e-9bed6ec47221}
className
ipsecNFA
1460
netsh.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\IPSEC\Policy\Local\ipsecNFA{5a7ce80b-f959-4249-b17e-9bed6ec47221}
name
ipsecNFA{5a7ce80b-f959-4249-b17e-9bed6ec47221}
1460
netsh.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\IPSEC\Policy\Local\ipsecNFA{5a7ce80b-f959-4249-b17e-9bed6ec47221}
ipsecID
{5a7ce80b-f959-4249-b17e-9bed6ec47221}
1460
netsh.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\IPSEC\Policy\Local\ipsecNFA{5a7ce80b-f959-4249-b17e-9bed6ec47221}
ipsecDataType
256
1460
netsh.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\IPSEC\Policy\Local\ipsecNFA{5a7ce80b-f959-4249-b17e-9bed6ec47221}
ipsecData
00ACBB118D49D111863900A0248D30212A0000000100000005000000020000000000FDFFFFFF0200000000000000000000000000000000000200000000000101010101010101010101010101010101000000050000000000000001010101010101010101010101010102010000000000000000
1460
netsh.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\IPSEC\Policy\Local\ipsecNFA{5a7ce80b-f959-4249-b17e-9bed6ec47221}
ipsecNegotiationPolicyReference
SOFTWARE\Policies\Microsoft\Windows\IPSEC\Policy\Local\ipsecNegotiationPolicy{17512265-c29d-4ee6-82d7-727237198fea}
1460
netsh.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\IPSEC\Policy\Local\ipsecNFA{5a7ce80b-f959-4249-b17e-9bed6ec47221}
whenChanged
1606050241
1460
netsh.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\IPSEC\Policy\Local\ipsecPolicy{5e9db8e8-9fab-4d45-ad31-5289b6b52b51}
ipsecNFAReference
SOFTWARE\Policies\Microsoft\Windows\IPSEC\Policy\Local\ipsecNFA{5a7ce80b-f959-4249-b17e-9bed6ec47221}
1460
netsh.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\IPSEC\Policy\Local\ipsecNFA{5a7ce80b-f959-4249-b17e-9bed6ec47221}
ipsecOwnersReference
SOFTWARE\Policies\Microsoft\Windows\IPSEC\Policy\Local\ipsecPolicy{5e9db8e8-9fab-4d45-ad31-5289b6b52b51}
1460
netsh.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\IPSEC\Policy\Local\ipsecNegotiationPolicy{17512265-c29d-4ee6-82d7-727237198fea}
ipsecOwnersReference
SOFTWARE\Policies\Microsoft\Windows\IPSEC\Policy\Local\ipsecNFA{5a7ce80b-f959-4249-b17e-9bed6ec47221}
2888
netsh.exe
write
HKEY_USERS\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\13B\52C64B7E
LanguageList
en-US
2888
netsh.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\IPSEC\Policy\Local\ipsecFilter{9769c0ef-ec05-4236-8489-774fff32c934}
className
ipsecFilter
2888
netsh.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\IPSEC\Policy\Local\ipsecFilter{9769c0ef-ec05-4236-8489-774fff32c934}
name
ipsecFilter{9769c0ef-ec05-4236-8489-774fff32c934}
2888
netsh.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\IPSEC\Policy\Local\ipsecFilter{9769c0ef-ec05-4236-8489-774fff32c934}
ipsecName
Filter1
2888
netsh.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\IPSEC\Policy\Local\ipsecFilter{9769c0ef-ec05-4236-8489-774fff32c934}
ipsecID
{9769c0ef-ec05-4236-8489-774fff32c934}
2888
netsh.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\IPSEC\Policy\Local\ipsecFilter{9769c0ef-ec05-4236-8489-774fff32c934}
ipsecDataType
256
2888
netsh.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\IPSEC\Policy\Local\ipsecFilter{9769c0ef-ec05-4236-8489-774fff32c934}
ipsecData
B520DC80C82ED111A89E00A0248D30210000000000000000
2888
netsh.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\IPSEC\Policy\Local\ipsecFilter{9769c0ef-ec05-4236-8489-774fff32c934}
whenChanged
1606050241
2780
netsh.exe
write
HKEY_USERS\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\13B\52C64B7E
LanguageList
en-US
2780
netsh.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\IPSEC\Policy\Local\ipsecFilter{9769c0ef-ec05-4236-8489-774fff32c934}
className
ipsecFilter
2780
netsh.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\IPSEC\Policy\Local\ipsecFilter{9769c0ef-ec05-4236-8489-774fff32c934}
name
ipsecFilter{9769c0ef-ec05-4236-8489-774fff32c934}
2780
netsh.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\IPSEC\Policy\Local\ipsecFilter{9769c0ef-ec05-4236-8489-774fff32c934}
ipsecName
Filter1
2780
netsh.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\IPSEC\Policy\Local\ipsecFilter{9769c0ef-ec05-4236-8489-774fff32c934}
ipsecID
{9769c0ef-ec05-4236-8489-774fff32c934}
2780
netsh.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\IPSEC\Policy\Local\ipsecFilter{9769c0ef-ec05-4236-8489-774fff32c934}
ipsecDataType
256
2780
netsh.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\IPSEC\Policy\Local\ipsecFilter{9769c0ef-ec05-4236-8489-774fff32c934}
ipsecData
B520DC80C82ED111A89E00A0248D30214600000001000000020000000000020000000000020000000000DBF4B75726E05D4BA12D9C8BC66B7D0001000000000000000000000000000000FFFFFFFF00000000060000000000BD0100000000
2780
netsh.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\IPSEC\Policy\Local\ipsecFilter{9769c0ef-ec05-4236-8489-774fff32c934}
whenChanged
1606050242
2596
netsh.exe
write
HKEY_USERS\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\13B\52C64B7E
LanguageList
en-US
2596
netsh.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\IPSEC\Policy\Local\ipsecFilter{9769c0ef-ec05-4236-8489-774fff32c934}
className
ipsecFilter
2596
netsh.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\IPSEC\Policy\Local\ipsecFilter{9769c0ef-ec05-4236-8489-774fff32c934}
name
ipsecFilter{9769c0ef-ec05-4236-8489-774fff32c934}
2596
netsh.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\IPSEC\Policy\Local\ipsecFilter{9769c0ef-ec05-4236-8489-774fff32c934}
ipsecName
Filter1
2596
netsh.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\IPSEC\Policy\Local\ipsecFilter{9769c0ef-ec05-4236-8489-774fff32c934}
ipsecID
{9769c0ef-ec05-4236-8489-774fff32c934}
2596
netsh.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\IPSEC\Policy\Local\ipsecFilter{9769c0ef-ec05-4236-8489-774fff32c934}
ipsecDataType
256
2596
netsh.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\IPSEC\Policy\Local\ipsecFilter{9769c0ef-ec05-4236-8489-774fff32c934}
ipsecData
B520DC80C82ED111A89E00A0248D30218C00000002000000020000000000020000000000020000000000DBF4B75726E05D4BA12D9C8BC66B7D0001000000000000000000000000000000FFFFFFFF00000000060000000000BD0100000000020000000000020000000000020000000000D5BFE22ABD9C214B89565EEE3CEA1F9D01000000000000000000000000000000FFFFFFFF00000000060000000000870000000000
2596
netsh.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\IPSEC\Policy\Local\ipsecFilter{9769c0ef-ec05-4236-8489-774fff32c934}
whenChanged
1606050243
2800
netsh.exe
write
HKEY_USERS\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\13B\52C64B7E
LanguageList
en-US
2800
netsh.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\IPSEC\Policy\Local\ipsecFilter{9769c0ef-ec05-4236-8489-774fff32c934}
className
ipsecFilter
2800
netsh.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\IPSEC\Policy\Local\ipsecFilter{9769c0ef-ec05-4236-8489-774fff32c934}
name
ipsecFilter{9769c0ef-ec05-4236-8489-774fff32c934}
2800
netsh.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\IPSEC\Policy\Local\ipsecFilter{9769c0ef-ec05-4236-8489-774fff32c934}
ipsecName
Filter1
2800
netsh.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\IPSEC\Policy\Local\ipsecFilter{9769c0ef-ec05-4236-8489-774fff32c934}
ipsecID
{9769c0ef-ec05-4236-8489-774fff32c934}
2800
netsh.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\IPSEC\Policy\Local\ipsecFilter{9769c0ef-ec05-4236-8489-774fff32c934}
ipsecDataType
256
2800
netsh.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\IPSEC\Policy\Local\ipsecFilter{9769c0ef-ec05-4236-8489-774fff32c934}
ipsecData
B520DC80C82ED111A89E00A0248D3021D200000003000000020000000000020000000000020000000000DBF4B75726E05D4BA12D9C8BC66B7D0001000000000000000000000000000000FFFFFFFF00000000060000000000BD0100000000020000000000020000000000020000000000D5BFE22ABD9C214B89565EEE3CEA1F9D01000000000000000000000000000000FFFFFFFF00000000060000000000870000000000020000000000020000000000020000000000D9BAF2D851F4544891581B505D8E8A0401000000000000000000000000000000FFFFFFFF000000000600000000008B0000000000
2800
netsh.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\IPSEC\Policy\Local\ipsecFilter{9769c0ef-ec05-4236-8489-774fff32c934}
whenChanged
1606050242
2212
netsh.exe
write
HKEY_USERS\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\13B\52C64B7E
LanguageList
en-US
2212
netsh.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\IPSEC\Policy\Local\ipsecFilter{9769c0ef-ec05-4236-8489-774fff32c934}
className
ipsecFilter
2212
netsh.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\IPSEC\Policy\Local\ipsecFilter{9769c0ef-ec05-4236-8489-774fff32c934}
name
ipsecFilter{9769c0ef-ec05-4236-8489-774fff32c934}
2212
netsh.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\IPSEC\Policy\Local\ipsecFilter{9769c0ef-ec05-4236-8489-774fff32c934}
ipsecName
Filter1
2212
netsh.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\IPSEC\Policy\Local\ipsecFilter{9769c0ef-ec05-4236-8489-774fff32c934}
ipsecID
{9769c0ef-ec05-4236-8489-774fff32c934}
2212
netsh.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\IPSEC\Policy\Local\ipsecFilter{9769c0ef-ec05-4236-8489-774fff32c934}
ipsecDataType
256
2212
netsh.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\IPSEC\Policy\Local\ipsecFilter{9769c0ef-ec05-4236-8489-774fff32c934}
ipsecData
B520DC80C82ED111A89E00A0248D30211801000004000000020000000000020000000000020000000000DBF4B75726E05D4BA12D9C8BC66B7D0001000000000000000000000000000000FFFFFFFF00000000060000000000BD0100000000020000000000020000000000020000000000D5BFE22ABD9C214B89565EEE3CEA1F9D01000000000000000000000000000000FFFFFFFF00000000060000000000870000000000020000000000020000000000020000000000D9BAF2D851F4544891581B505D8E8A0401000000000000000000000000000000FFFFFFFF000000000600000000008B0000000000020000000000020000000000020000000000C3CA079C0FBCBF4E9C6F83108F3B3AF401000000000000000000000000000000FFFFFFFF00000000110000000000BD0100000000
2212
netsh.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\IPSEC\Policy\Local\ipsecFilter{9769c0ef-ec05-4236-8489-774fff32c934}
whenChanged
1606050243
3048
netsh.exe
write
HKEY_USERS\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\13B\52C64B7E
LanguageList
en-US
3048
netsh.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\IPSEC\Policy\Local\ipsecFilter{9769c0ef-ec05-4236-8489-774fff32c934}
className
ipsecFilter
3048
netsh.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\IPSEC\Policy\Local\ipsecFilter{9769c0ef-ec05-4236-8489-774fff32c934}
name
ipsecFilter{9769c0ef-ec05-4236-8489-774fff32c934}
3048
netsh.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\IPSEC\Policy\Local\ipsecFilter{9769c0ef-ec05-4236-8489-774fff32c934}
ipsecName
Filter1
3048
netsh.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\IPSEC\Policy\Local\ipsecFilter{9769c0ef-ec05-4236-8489-774fff32c934}
ipsecID
{9769c0ef-ec05-4236-8489-774fff32c934}
3048
netsh.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\IPSEC\Policy\Local\ipsecFilter{9769c0ef-ec05-4236-8489-774fff32c934}
ipsecDataType
256
3048
netsh.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\IPSEC\Policy\Local\ipsecFilter{9769c0ef-ec05-4236-8489-774fff32c934}
ipsecData
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
3048
netsh.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\IPSEC\Policy\Local\ipsecFilter{9769c0ef-ec05-4236-8489-774fff32c934}
whenChanged
1606050244
2760
netsh.exe
write
HKEY_USERS\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\13B\52C64B7E
LanguageList
en-US
2760
netsh.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\IPSEC\Policy\Local\ipsecFilter{9769c0ef-ec05-4236-8489-774fff32c934}
className
ipsecFilter
2760
netsh.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\IPSEC\Policy\Local\ipsecFilter{9769c0ef-ec05-4236-8489-774fff32c934}
name
ipsecFilter{9769c0ef-ec05-4236-8489-774fff32c934}
2760
netsh.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\IPSEC\Policy\Local\ipsecFilter{9769c0ef-ec05-4236-8489-774fff32c934}
ipsecName
Filter1
2760
netsh.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\IPSEC\Policy\Local\ipsecFilter{9769c0ef-ec05-4236-8489-774fff32c934}
ipsecID
{9769c0ef-ec05-4236-8489-774fff32c934}
2760
netsh.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\IPSEC\Policy\Local\ipsecFilter{9769c0ef-ec05-4236-8489-774fff32c934}
ipsecDataType
256
2760
netsh.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\IPSEC\Policy\Local\ipsecFilter{9769c0ef-ec05-4236-8489-774fff32c934}
ipsecData
B520DC80C82ED111A89E00A0248D3021A401000006000000020000000000020000000000020000000000DBF4B75726E05D4BA12D9C8BC66B7D0001000000000000000000000000000000FFFFFFFF00000000060000000000BD0100000000020000000000020000000000020000000000D5BFE22ABD9C214B89565EEE3CEA1F9D01000000000000000000000000000000FFFFFFFF00000000060000000000870000000000020000000000020000000000020000000000D9BAF2D851F4544891581B505D8E8A0401000000000000000000000000000